Most of our network equipment these days is racked and stacked in secure raised-floor datacenters, where we don't have to worry about it that much, but we all have to contend with routers and switches in small offices. Here are a few ideas to head off common security issues:
- Put a password on the console port. This is often skipped when the device is physically inaccessible to anyone outside the network team, but remote offices are obviously vulnerable to unauthorized console port access. And if they can reach that port and cycle the power, they own the box and the config, and probably your passwords as well.
- Secure the box in a wall-mount enclosure if possible. Many new devices, including Cisco's 3750 series of switches, have a wonderful button on the front that resets the config to factory default without the trouble of twiddling bits in the config-register. Nice feature for a datacenter, but you don't want to be recovering from that remotely. The only thing worse is simple theft, where they walk off with the router or switch entirely. Wall-mount enclosures (locked, of course) will also solve this problem.
- If you can't afford or find an actual enclosure, at a minimum, consider a cable lock like the kind commonly used for laptops. Many routers and switches have the little security hole those cable locks fit into. And if they don't, there's usually a vent-hole you can use in a pinch.
- Log configuration commands to a remote server. Don't trust the local log on the remote router or switch.
- Remember that a lack of physical security in remote offices makes the site much more vulnerable to sniffer or "man-in-the-middle" attacks because the cabling is exposed. Log up/down events on the link between your router and switch in remote offices. You might even want to enable traps for these events to notify your network management system. (Although I'm not sure how useful this will really turn out to be, many new switches are sporting Time-Domain Reflectometers on all the ports, and they may be able to detect a change in cable length indicative of someone making unauthorized changes. When you initially implement the remote site, consider taking a survey on all the ports and recording the cable lengths. Periodically check these numbers again to see if there are any changes.)
- Disable CDP, disable any unused ports, and if there's only one switch in the office, consider disabling Spanning Tree so it can't be used to reroute traffic.
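Two of the suggestions above (logging configuration commands to a remote server, and logging link up/down events plus a periodic TDR cable-length check) only pay off if somebody actually reviews what comes back. The script below is an added example, not from the article or from Cisco: it scans constructed sample lines as a remote syslog server would receive them, using the IOS message names %PARSER-5-CFGLOG_LOGGEDCMD (produced when configuration logging is sent to syslog) and %LINK-3-UPDOWN, and it compares a TDR cable-length survey against a baseline. The hostname, interface numbers, user, IP address, business hours, tolerance and the one-port-per-line survey record format are all this example's own assumptions.

```python
import re

# --- Part 1: remote syslog review ---------------------------------------

# Constructed sample of lines as received by the remote syslog server.
# Hostname, interface numbers, user and IP are made up for this example.
SAMPLE_SYSLOG = """\
Mar 12 02:14:07 rmt-sw1 123: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down
Mar 12 02:14:41 rmt-sw1 124: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up
Mar 12 02:15:03 rmt-sw1 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no cdp run
Mar 12 02:15:09 rmt-sw1 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.1.1.5
Mar 12 09:30:11 rmt-sw1 127: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
"""

TIME_RE = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d ")
CFG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
LINK_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)")


def flag_remote_syslog(text, uplink, business_hours=(7, 19)):
    """Return (severity, reason) tuples for lines worth a human look.

    Every logged configuration command is reported; link changes are
    reported only for the router<->switch uplink, since that is the cable
    the article singles out. Anything outside business hours, or a command
    that removes the remote logging itself, is raised to 'high'.
    """
    findings = []
    for line in text.splitlines():
        t = TIME_RE.match(line)
        hour = int(t.group(1)) if t else None
        after_hours = hour is not None and not (business_hours[0] <= hour < business_hours[1])
        cfg = CFG_RE.search(line)
        if cfg:
            user, cmd = cfg.group(1), cfg.group(2).strip()
            sev = "high" if after_hours or cmd.startswith("no logging") else "medium"
            findings.append((sev, f"config change by {user}: {cmd}"))
            continue
        link = LINK_RE.search(line)
        if link and link.group(1).lower() == uplink.lower():
            sev = "high" if after_hours else "medium"
            findings.append((sev, f"uplink {link.group(1)} went {link.group(2)}"))
    return findings


# --- Part 2: TDR cable-length survey comparison --------------------------

# Record format is this example's own: one "port length_in_meters" per line,
# filled in from the switch's TDR results at install time and again later.
BASELINE_SURVEY = """\
Gi1/0/1 23
Gi1/0/2 31
Gi1/0/3 12
Gi1/0/24 4
"""
CURRENT_SURVEY = """\
Gi1/0/1 23
Gi1/0/2 32
Gi1/0/3 12
Gi1/0/24 9
"""


def parse_survey(text):
    """Parse the survey record into {port: length_m}; blank lines and '#' comments are skipped."""
    lengths = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        port, metres = line.split()
        lengths[port] = int(metres)
    return lengths


def compare_tdr(baseline_text, current_text, tolerance_m=2):
    """Return {port: (old, new)} for ports whose reported cable length moved by
    more than the tolerance, or which appeared or disappeared. TDR readings
    jitter by a metre or so between runs, so a small tolerance avoids false alarms."""
    base, cur = parse_survey(baseline_text), parse_survey(current_text)
    changed = {}
    for port in sorted(set(base) | set(cur)):
        old, new = base.get(port), cur.get(port)
        if old is None or new is None or abs(old - new) > tolerance_m:
            changed[port] = (old, new)
    return changed


if __name__ == "__main__":
    for sev, reason in flag_remote_syslog(SAMPLE_SYSLOG, uplink="GigabitEthernet1/0/24"):
        print(f"[{sev}] {reason}")
    for port, (old, new) in compare_tdr(BASELINE_SURVEY, CURRENT_SURVEY).items():
        print(f"TDR length changed on {port}: {old} -> {new} m")
```

On the sample, the uplink bouncing at 02:14 followed a minute later by a config session that turns off CDP and removes the remote logging host is exactly the sequence the remote log exists to capture; the local log on the switch would be the first thing edited away. The TDR comparison flags only the port whose length jumped by more than the tolerance, so a one-metre wobble on Gi1/0/2 is ignored while the five-metre change on the uplink port is reported.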
Obviously, many of these suggestions aren't appropriate for every environment. For example, don't disable CDP if you're doing PoE or voice VLANs. This should get you thinking about some special security issues you might have.
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years' experience in the networking industry, and co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.