The latest Cisco security alerts are a reminder that many network managers do not realize their routers can be a jumping-off point for attack. Router operating systems are just as vulnerable to hacker mischief as network operating systems. Most small- to medium-sized companies do not employ router engineers, or outsource this function on an as-needed basis, so their network administrators and managers have neither the expertise nor the time to secure the router. Listed below are ten basic router security tips.
- Update your router's OS: Just like network operating systems, router operating systems need to be updated to correct programming oversights, flaws and buffer overflow issues. Always check with your router manufacturer for current updates and OS versions.
- Change the default password: As much as 80% of security incidents are caused by weak or default passwords (according to CERT at Carnegie Mellon University). Avoid common passwords and require mixed-case passwords as part of a stronger password policy.
- Disable HTTP configuration and SNMP: The HTTP configuration interface of your router may be easier for a busy network admin to use, but it is also a security problem for routers. If your router has a command-line configuration, disable HTTP configuration mode and use the command line instead. If you are not using SNMP on your router, there is no need to have it enabled; Cisco has published an SNMP vulnerability involving GRE tunnel attacks.
- Block ICMP ping requests: Ping and other ICMP functions are useful tools for both the network admin and the hacker. ICMP enabled on your router can be used by a hacker to gather the information needed to target your network for attack.
- Disable telnet use from the Internet: In most cases you do not need an active telnet session on an Internet-facing interface. Access to your router's configuration is more secure when it is only possible from the internal network.
- Disable IP directed broadcast: IP directed broadcast can allow Denial-of-Service (DoS) attacks on your equipment. A router's memory and CPU can be exhausted by too many requests, which can also open the door to a buffer overflow.
- Disable IP source routing and IP redirects: Redirects allow packets to come in on one interface and leave by another. You don't want crafted packets redirected into a private internal network.
- Packet filtering: Packet filtering lets through only the types of packet you want entering your network. Many companies allow only port 80 (HTTP) and ports 110/25 (e-mail). You can also block or allow individual IP addresses and address ranges.
- Review security logs: By simply taking the time to review your log files, you will see obvious patterns of attack, and even vulnerabilities. You will be surprised at how much activity your router is subject to.
- Disable unnecessary services: Unnecessary services should always be disabled, whether they are on a router, server or workstation. By default, Cisco devices up through IOS version 11.3 offer the "small services": echo, chargen and discard. These services, especially their UDP versions, are infrequently used for legitimate purposes, but can be used to launch denial-of-service and other attacks that would otherwise be prevented by packet filtering.
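As an added example (not part of the original article), the following script audits the text of a Cisco IOS `show running-config` against the tips above: HTTP configuration, SNMP, source routing, ICMP redirects, directed broadcast, the small services and telnet on the vty lines. The sample config is constructed, and the script assumes IOS 12.x defaults (source routing and redirects on unless negated; small servers and directed broadcast off unless set).

```python
import re

# Constructed sample `show running-config` output with several weak settings.
SAMPLE_CONFIG = """\
ip http server
snmp-server community public RO
service tcp-small-servers
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
line vty 0 4
 transport input telnet ssh
"""

# (finding, regex, line_required): line_required=True reports the line's
# absence, False reports its presence. Assumed IOS 12.x defaults: source
# routing and redirects are on unless negated; small servers and directed
# broadcast are off unless explicitly configured.
GLOBAL_CHECKS = [
    ("HTTP configuration enabled", r"^ip http server$", False),
    ("SNMP community configured", r"^snmp-server community ", False),
    ("IP source routing not disabled", r"^no ip source-route$", True),
    ("TCP small servers enabled", r"^service tcp-small-servers$", False),
    ("UDP small servers enabled", r"^service udp-small-servers$", False),
]
INTERFACE_CHECKS = [
    ("directed broadcast enabled", r"^ ip directed-broadcast$", False),
    ("ICMP redirects not disabled", r"^ no ip redirects$", True),
]

def audit_ios_config(config):
    """Return [(where, finding)] for settings the tips above say to change."""
    findings = []
    def run(checks, where, lines):
        for finding, pattern, line_required in checks:
            if any(re.match(pattern, l) for l in lines) != line_required:
                findings.append((where, finding))
    run(GLOBAL_CHECKS, "global", config.splitlines())
    # A section is one non-indented header line plus its indented body lines.
    for section in filter(str.strip, re.split(r"^(?=\S)", config, flags=re.M)):
        header, *body = section.splitlines()
        if header.startswith("interface "):
            run(INTERFACE_CHECKS, header, body)
        elif header.startswith("line vty"):
            transport = [l for l in body if l.strip().startswith("transport input")]
            if not transport or any(re.search(r"\b(telnet|all)\b", l) for l in transport):
                findings.append((header, "telnet permitted on vty lines"))
    return findings
```

Calling `audit_ios_config(SAMPLE_CONFIG)` returns seven findings for the sample; a config that negates each setting and restricts the vty lines to `transport input ssh` returns none.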
This was first published in November 2005