
Network Infrastructure is Critical

Network infrastructure is critical to our country and our businesses, and poor router security could have catastrophic consequences. Updating your router IOS is only the first step in ensuring a secure environment.

Two weeks ago researcher Michael Lynn disclosed the exploitation of a Cisco IOS vulnerability at the Black Hat conference in Las Vegas. As this recent incident has reminded us, network infrastructure is critical to our country and our businesses, and poor router security could have catastrophic consequences. It also exposes the risk in a trend I've been predicting for years: running more applications on routers and switches.

You may or may not realize that unless you've disabled it (and depending on which version of IOS you run), your Cisco router (and most others) is running a Web server, an FTP server, a TFTP server, a telnet server, and a raft of others, plus listening for network protocol advertisements like OSPF "Hellos" or Spanning Tree's BPDUs. And Cisco's spiffy new AON stuff will be placing an unprecedented number of applications on the router.

What all this means, of course, is that there are more lines of code running on the router to exploit, so it's more important than ever to secure your router. As the article states, imagine the consequences of a worm exploiting a bug to infect all your routers!

Something you might not have considered, though, is the consequence of multi-function devices in your network architecture. For example, if you use a Cisco 6509 as a router/switch, install a Firewall Services Module (FWSM) and configure the different zones as different VLANs on the 6509, then it's critical that you understand this: no matter how good the Adaptive Security Algorithm in the PIX/FWSM is, if somebody exploits a bug in the router to gain access to the exec prompt, they can route themselves around the firewall, bypassing all your protection entirely.

So the best way to protect yourself has always been to use multiple simple layers of protection:

  1. Keep up with Cisco's bug and patch releases and update your routers' software as soon as possible.
  2. Don't forget to update the firmware too.
  3. Use Access-Control Lists to block all traffic to the router or switch console except for administrative access from a specific IP address.
  4. Restrict SNMP access to specific IP addresses.
  5. Turn off any unnecessary processes and protocols on your routers and switches.
  6. Place IDS at strategic locations in your network.
  7. Perform regular health checking to make sure the config hasn't changed since the last time YOU changed it, and check the logs regularly.
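Steps 3 to 5 and step 7 above can be checked by script rather than by eye. The following is an added example, not code from the original article or from Cisco: it holds a constructed baseline config (the one you last saved, showing a management ACL on the vty lines, an ACL-restricted SNMP community and the Web server switched off) and a constructed "current" config pulled during a health check, diffs them while ignoring lines IOS rewrites on its own, and audits the current config for the hardening points. The hostname, IP addresses, ACL numbers and the `<RO-COMMUNITY>` placeholder are assumptions, not values from any real network.

```python
"""Config drift and hardening audit for a Cisco IOS-style running-config.

Constructed sample data only: the hostname, IP addresses, ACL numbers and
community string placeholder are assumptions, not values from a real device.
"""
import difflib
import re

# Baseline captured the last time YOU changed the config (constructed sample).
BASELINE = """\
hostname core-rtr1
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no cdp run
access-list 10 permit host 10.10.0.5
access-list 10 deny any log
access-list 20 permit host 10.10.0.9
access-list 20 deny any log
snmp-server community <RO-COMMUNITY> RO 20
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Config pulled during a health check: someone re-enabled the Web server and
# dropped the ACL from the SNMP community (constructed sample).
CURRENT = """\
hostname core-rtr1
ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no cdp run
access-list 10 permit host 10.10.0.5
access-list 10 deny any log
access-list 20 permit host 10.10.0.9
access-list 20 deny any log
snmp-server community <RO-COMMUNITY> RO
line vty 0 4
 access-class 10 in
 transport input ssh
ntp clock-period 17180017
"""

# Lines IOS rewrites by itself; a change here is noise, not tampering.
VOLATILE = re.compile(r"^ntp clock-period")


def normalise(config: str) -> list[str]:
    """Drop blank, comment and volatile lines so the diff shows only real changes."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!") or VOLATILE.match(line):
            continue
        out.append(line.rstrip())
    return out


def drift(baseline: str, current: str) -> list[str]:
    """Return only the added/removed lines between baseline and current config."""
    diff = difflib.unified_diff(normalise(baseline), normalise(current), lineterm="", n=0)
    return [l for l in diff if l[:1] in "+-" and not l.startswith(("+++", "---"))]


def audit(config: str) -> list[str]:
    """Check steps 3-5: Web server off, SNMP and vty access restricted by ACL."""
    lines = normalise(config)
    findings = []
    if "no ip http server" not in lines:
        findings.append("HTTP server enabled: add 'no ip http server'")
    for l in lines:
        # A community with nothing after RO/RW is reachable from any address.
        if l.startswith("snmp-server community") and not re.search(r"\b(RO|RW)\s+\S+$", l):
            findings.append(f"SNMP community without an access-list: {l}")
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            block = []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                block.append(lines[i].strip())
                i += 1
            if not any(b.startswith("access-class") for b in block):
                findings.append("vty lines have no access-class restricting management access")
            if "transport input ssh" not in block:
                findings.append("vty lines accept transports other than ssh")
        else:
            i += 1
    return findings


if __name__ == "__main__":
    for change in drift(BASELINE, CURRENT):
        print("DRIFT:", change)
    for finding in audit(CURRENT):
        print("AUDIT:", finding)
```

In practice the baseline is the config you archived after your last change and `CURRENT` is the output of `show running-config` collected by your management host; the drift list is what you review, and the audit findings are what you fix regardless of whether the baseline was ever right.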


Tom Lancaster, CCIE# 8829, CNX# 1105, is a consultant with 15 years' experience in the networking industry and co-author of several books on networking, most recently CCSP™: Secure PIX and Secure VPN Study Guide, published by Sybex.


This was last published in August 2005
