Ten quick router security tips


Doug Chick
11.18.2005


As the latest Cisco security alerts remind us, many network managers do not realize that their routers can be the jump point for an attack. Router operating systems are just as vulnerable to hacker mischief as network operating systems. Most medium- to small-sized companies either do not employ router engineers or outsource this function on a need-to-do basis. Because of this, network administrators and managers neither know enough nor have the time to secure the router. Listed below are ten basic router security tips.

  1. Update your router's OS: Just like network operating systems, router operating systems need to be updated to correct programming oversights, flaws and buffer overflow issues. Always check with your router manufacturer for current updates and OS versions.

  2. Change the default password: As much as 80% of security incidents are caused by weak or default passwords (according to CERT at Carnegie Mellon University). Avoid common passwords, and use mixed-case letters for a stronger password policy. Here is a link to common passwords used by computer administrators.

  3. Disable HTTP configuration and SNMP: The HTTP configuration interface may be the easier way for a busy network admin to configure a router, but it is also a security problem. If your router has a command-line configuration mode, disable the HTTP config mode and use the command line instead. If you are not using SNMP on your router, then there is no need to have it enabled. Cisco has an SNMP vulnerability with GRE tunnel attacks.

  4. Block ICMP ping requests: Ping and other ICMP functions are useful tools for both the network admin and the hacker. With ICMP enabled on your router, a hacker can use it to gather information for targeting your network.

  5. Disable telnet use from the Internet: In most cases you do not need an active telnet session from an Internet interface. Access to your router's configuration is more secure if accessed internally.

  6. Disable IP directed broadcast: IP directed broadcast can allow denial-of-service (DoS) attacks on your equipment. A router's memory and CPU can be maxed out from too many requests, which can result in a buffer overflow entry.

  7. Disable IP source routing and IP redirects: Redirects allow packets to come in from one interface and leave by another. You don't want engineered packets to redirect to a private internal network.

  8. Packet filtering: Packet filtering passes only the types of packets you want to enter your network. Many companies only allow ports 80 (HTTP) and 110/25 (e-mail). Additionally, you can block and allow IP addresses and ranges.

  9. Review security logs: By simply taking the time to review your log files, you will see obvious patterns of attack, and even vulnerabilities. You will be surprised at how much activity your router is subject to.

  10. Unnecessary services: Unnecessary services should always be disabled, whether they are on a router, server or workstation. By default, Cisco devices up through IOS version 11.3 offer the "small services," echo, chargen and discard. These services, especially their UDP versions, are infrequently used for legitimate purposes, but can be used to launch denial-of-service and other attacks that would otherwise be prevented by packet filtering.
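
Several of these tips (3, 5, 6, 7 and 10) can be checked mechanically against a saved copy of the router's configuration. The script below is an added example, not part of the original article: it assumes Cisco IOS command syntax, treats IP source routing and ICMP redirects as enabled unless the configuration turns them off, and runs against a constructed sample configuration.

```python
import re

# Constructed sample running-config in Cisco IOS syntax (not from a real device).
SAMPLE_CONFIG = """\
service udp-small-servers
ip http server
snmp-server community EXAMPLE RO
interface Serial0/0
 ip directed-broadcast
interface FastEthernet0/0
 no ip redirects
line vty 0 4
 transport input telnet
"""

# (tip number, finding, regex matching a line that turns the feature on)
RISKY_LINES = [
    (3, "HTTP configuration server enabled", r"^ip http server$"),
    (3, "SNMP community configured", r"^snmp-server community\b"),
    (5, "telnet allowed on vty lines", r"^transport input .*\b(telnet|all)\b"),
    (6, "IP directed broadcast enabled", r"^ip directed-broadcast\b"),
    (10, "small services enabled", r"^service (tcp|udp)-small-servers$"),
]

def audit(config):
    """Return a sorted list of (tip, finding, section) for a config text."""
    findings, section = [], "global"
    open_ifaces, source_route_off = set(), False   # interfaces lacking 'no ip redirects'
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():     # unindented line starts a new section
            section = line if line.startswith(("interface ", "line ")) else "global"
            if line.startswith("interface "):
                open_ifaces.add(section)
        if line == "no ip source-route":
            source_route_off = True
        elif line == "no ip redirects":
            open_ifaces.discard(section)
        findings += [(t, d, section) for t, d, p in RISKY_LINES if re.search(p, line)]
    # Assumption: these two features are on unless the config turns them off.
    if not source_route_off:
        findings.append((7, "IP source routing not disabled", "global"))
    findings += [(7, "ICMP redirects not disabled", s) for s in open_ifaces]
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

A finding is a prompt for review, not a verdict: an SNMP community or a telnet-enabled vty line may be intentional on an internal-only device, and the script cannot tell which interface faces the Internet.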
