How to secure switches and routers: security-in-depth philosophy marries traditional network security technologies with implementations. (Special Focus: local area networks).
Security should exist between each of a network's seven layers (OSI Layers 1-7). A layered approach to network security allows the creation of multiple layers of defense around key assets. Many switches and routers come with a rich set of security features. Knowing what they are, why they should be activated, and how they should be deployed can result in security where a breach in one layer does not compromise the entire network.
Security-by-default is how switches and routers should be designed. They must be shipped from the factory in secure configurations. Only the configuration options that are required to get the unit operational should be active. All other options should be turned off. This reduces the number of exploitable options and eliminates the possibility of the administrator not knowing which default features need to be turned off.
Default passwords should be forcibly changed upon initial login. Password aging and limits on the number of login attempts should be enforced. Passwords should be stored in encrypted format. Hidden accounts (e.g., maintenance accounts and backdoors) must not exist. The switches and routers must default to a secure state during a unit failure, a planned or unplanned power shutdown, hot or cold boots, system rollovers, and software/firmware/hardware upgrades.
Devices must be able to recover automatically after these events without compromising security. For reliable logging and forensic details, network devices must be able to rely on a secure and accurate time source, such as the network time protocol (NTP). Forcing the change of public simple network management protocol (SNMP) community string names is also a prudent policy.
WITHSTANDING DOS ATTACKS
To assist with availability, switches and routers should be able to withstand denial of service (DoS) attacks and remain operational during a direct attack. Ideally, they should be able to take corrective action when attacked (i.e., block the source address and service port). Each event should result in an immediate response and create a secure log of the DoS activity. Switches and routers should also be designed to recognize and respond to worm attacks.
Vulnerabilities can surface in the code used in the switches and routers, such as FTP, HTTP, telnet or Secure Shell (SSH). To minimize the impact of such vulnerabilities, the switch and router vendor should have a proactive process to address the vulnerabilities as they are discovered and reported. The vulnerabilities must be defined, workaround or configuration details delineated, and patches/fixes planned, created, tested and deployed.
Role-based management gives each administrator the minimum level of permissions required to perform his responsibilities. It allows organizations to implement policies based on separation of duties, providing checks and balances within the realm of network administration.
Trusted host implementations can limit management access to the switches and routers. Administrative privilege can be granted to those management devices or trusted hosts that have been pre-authorized. For example, administrative control can be provided to specific IP addresses and specific TCP/ UDP services.
The best way to control the identity of the administrator and the privileges allocated to that individual is to authenticate an administrator prior to granting access. This can be done through authentication, authorization and accounting (AAA) servers, such as remote authentication dial-in user service (RADIUS), terminal access controller access control system+ (TACACS+) or lightweight directory access protocol (LDAP) directory servers. AAA servers can also be supplemented by strong authentication techniques.
ENCRYPTION FOR REMOTE ACCESS
In many cases, the router or switch that needs to be managed is remote from the actual administrator; often it is only accessible over public networks. To secure the management traffic between client/administrator and target network device, encrypted protocols are required. SSH is the de facto standard for all remote command line configurations and file transfers. For Web-based management, using secure sockets layer (SSL) or transport layer security (TLS) secures HTTP traffic. LDAP is often the protocol of choice for policy communication, and SSL/TLS secures this traffic.
SNMP is used to discover, monitor and configure networking devices. The secure implementation of SNMP version 3 is essential to ensure confidential and authenticated communications.
Establishing a login control process minimizes the impact abnormal or repetitive access queries can have on the device. Controlling the number and frequency of unsuccessful login attempts minimizes processing overhead associated with servicing these attempts. The device receiving intrusive login attempts must be aware of and proactive at addressing port scans. Detailed logs associated with login attempts and port scans are paramount.
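The login-control process described above (count unsuccessful attempts per source within a time window, block the source once a limit is reached, and keep a detailed log of every decision) can be expressed in a few dozen lines. The following is an added example written for this page; it is not code from the article or from Alcatel. The syslog-style line format, the hostnames and the addresses in SAMPLE_LOG are constructed for the demonstration, and the thresholds (three failures in 60 seconds, five-minute lockout) are assumed values rather than anything the article specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style login records (not taken from the article or any real device).
# The line format, hostnames and addresses are assumptions made for this example.
SAMPLE_LOG = """\
2003-01-01T10:00:01 sw1 login: FAILED user admin from 192.0.2.10 via ssh
2003-01-01T10:00:05 sw1 login: FAILED user admin from 192.0.2.10 via ssh
2003-01-01T10:00:09 sw1 login: FAILED user root from 192.0.2.10 via ssh
2003-01-01T10:00:12 sw1 login: FAILED user admin from 192.0.2.10 via ssh
2003-01-01T10:00:20 sw1 login: OK user ops from 198.51.100.7 via ssh
2003-01-01T10:02:00 sw1 login: FAILED user ops from 198.51.100.7 via ssh
2003-01-01T10:20:00 sw1 login: FAILED user ops from 198.51.100.7 via ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|OK) "
    r"user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)$"
)


class LoginGuard:
    """Sliding-window failed-login control with a temporary source block and an audit trail."""

    def __init__(self, max_failures=3, window=timedelta(seconds=60),
                 lockout=timedelta(minutes=5)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures
        self.blocked_until = {}              # source -> datetime the block expires
        self.audit = []                      # (ts, decision, source, user, service)

    def observe(self, ts, src, user, svc, failed):
        """Return the decision for one login event: allow, fail, block or drop."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                # Source is under lockout: service nothing, just record the attempt.
                self._log(ts, "drop", src, user, svc)
                return "drop"
            del self.blocked_until[src]      # lockout expired
        if not failed:
            self.failures[src].clear()       # a successful login resets the counter
            self._log(ts, "allow", src, user, svc)
            return "allow"
        recent = self.failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[src] = ts + self.lockout
            recent.clear()
            self._log(ts, "block", src, user, svc)
            return "block"
        self._log(ts, "fail", src, user, svc)
        return "fail"

    def _log(self, ts, decision, src, user, svc):
        self.audit.append((ts.isoformat(), decision, src, user, svc))


def replay(log_text, guard=None):
    """Feed each parsed log line through the guard; return the list of decisions."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # unparseable lines are skipped, not trusted
        ts = datetime.fromisoformat(m["ts"])
        decisions.append(guard.observe(ts, m["src"], m["user"], m["svc"],
                                       failed=(m["result"] == "FAILED")))
    return decisions


if __name__ == "__main__":
    g = LoginGuard()
    for line, d in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG, g)):
        print(f"{d:5s}  {line}")
    print("blocked:", {s: t.isoformat() for s, t in g.blocked_until.items()})
```

Two details matter for the article's point about processing overhead: a source under lockout is answered with a "drop" decision without touching the failure counters, so the device does no more work per attempt than a dictionary lookup, and the two widely spaced failures from 198.51.100.7 never reach the threshold because the sliding window forgets the first one. Every decision, including drops, lands in the audit list, which is the "detailed log" the article asks for.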
The security of the switch or router configuration file must be assured, and a baseline configuration file stored in a secure place. In case of corruption, the backup file can be retrieved, installed and activated, allowing the system to return to a known state.
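Storing a baseline configuration securely means more than keeping a copy: the copy must be verifiable before it is pushed back onto a device, and the running configuration should be compared against it so that drift is noticed before a failure forces a restore. The following added example (written for this page, not the article's or Alcatel's code) keeps a keyed integrity tag with the baseline and reports added and removed lines. The configuration text uses a generic IOS-like syntax constructed for the demonstration, and BASELINE_KEY is an assumed secret that would live on the management station, not beside the baseline file.

```python
import difflib
import hashlib
import hmac

# Constructed configuration snippets in a generic IOS-like syntax (not from the article,
# not from any real device); the baseline is the approved, hardened state.
BASELINE_CONFIG = """\
hostname core-sw1
service password-encryption
ntp server 192.0.2.123
line vty 0 4
 transport input ssh
"""

# A running configuration that has drifted: a public read-write SNMP community was added
# and telnet was re-enabled on the management lines.
RUNNING_CONFIG = """\
hostname core-sw1
service password-encryption
ntp server 192.0.2.123
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
"""

# Assumed secret held by the management station, never stored beside the baseline.
BASELINE_KEY = b"constructed-demo-key-replace-me"


def fingerprint(config_text, key):
    """Keyed hash of the configuration. Someone who can rewrite the stored baseline
    cannot also produce a matching tag without the key (a plain digest would allow that)."""
    return hmac.new(key, config_text.encode(), hashlib.sha256).hexdigest()


def store_baseline(config_text, key):
    """Package a baseline with its integrity tag for storage in a protected location."""
    return {"config": config_text, "tag": fingerprint(config_text, key)}


def baseline_is_intact(baseline, key):
    """Verify the stored baseline before trusting it for a restore."""
    return hmac.compare_digest(baseline["tag"], fingerprint(baseline["config"], key))


def drift(baseline, running_text):
    """Return the added (+) and removed (-) lines between baseline and running config."""
    diff = difflib.unified_diff(baseline["config"].splitlines(), running_text.splitlines(),
                                fromfile="baseline", tofile="running", lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def config_to_restore(baseline, key):
    """Return the baseline text only if its tag verifies; refuse to restore a tampered file."""
    if not baseline_is_intact(baseline, key):
        raise ValueError("baseline integrity check failed; do not restore")
    return baseline["config"]


if __name__ == "__main__":
    stored = store_baseline(BASELINE_CONFIG, BASELINE_KEY)
    print("baseline intact:", baseline_is_intact(stored, BASELINE_KEY))
    for change in drift(stored, RUNNING_CONFIG):
        print("drift:", change)
```

The restore path deliberately refuses to proceed when the tag does not verify: returning a corrupted or altered baseline to the device would defeat the purpose of keeping one.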
Some switches integrate network-based intrusion detection. Others support network intrusion detection through port mirroring, allowing the LAN administrator to selectively monitor specific switch ports from intrusion-detection management consoles.
THE ROLE OF THE VIRTUAL LAN
A virtual local area network (VLAN) is a limited broadcast domain that dwells in the OSI data link layer (Layer 2). VLANs are comprised of groups of network computing devices, typically located on multiple LAN segments, possibly on one or more LAN switches, which are not constrained by their physical location. Each device communicates with other devices as if they are in the same LAN. VLANs allow the LAN administrator to break the network down into more manageable and better-performing entities, simplifying the process of adding, moving and changing devices, users and their privileges.
VLANs can be formed based on a variety of characteristics, including switch port, MAC address, IP address, protocol type, multicast-aware, DHCP-aware, 802.1Q tags and user identity. These characteristics can be deployed as standalone rules or combined.
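To make the Layer 2 mechanics concrete, the following added example (written for this page; not code from the article or from Alcatel) parses the 802.1Q tag from a raw Ethernet frame and then assigns an ingress frame to a VLAN using three of the characteristics listed above in a fixed precedence: the 802.1Q tag, then a MAC-address rule, then the port's default VLAN. The port names, VLAN numbers and MAC addresses are constructed for the demonstration, and the precedence order is an assumption made here, not a rule the article states.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame):
    """Return (dst_mac, src_mac, vid, pcp, ethertype); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETHERTYPE_8021Q:
        return dst, src, None, 0, etype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, inner   # VID = low 12 bits, PCP = top 3 bits


def build_frame(dst, src, ethertype, vid=None, pcp=0, payload=b"\x00" * 46):
    """Construct a minimal Ethernet frame, optionally with an 802.1Q tag (sample input only)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


class SwitchPort:
    def __init__(self, name, pvid, trunk_allowed=()):
        self.name = name
        self.pvid = pvid                                  # VLAN for untagged traffic
        self.trunk_allowed = frozenset(trunk_allowed)     # empty set means an access port


def classify(port, frame, mac_vlans):
    """Decide the VLAN for an ingress frame. Precedence (assumed here): 802.1Q tag,
    then MAC-based rule, then the port's PVID. Returns (vlan_id or None, reason)."""
    _dst, src, vid, _pcp, _etype = parse_frame(frame)
    if vid not in (None, 0):                 # VID 0 carries priority only; treat as untagged
        if vid == 0xFFF:
            return None, "reserved VID 4095 dropped"
        if not port.trunk_allowed:
            return None, f"tagged frame dropped on access port {port.name}"
        if vid not in port.trunk_allowed:
            return None, f"VLAN {vid} not allowed on trunk {port.name}"
        return vid, "802.1Q tag"
    if src in mac_vlans:                     # MAC-based VLAN membership
        return mac_vlans[src], "MAC-based rule"
    return port.pvid, "port default (PVID)"


# Constructed topology: one access port, one trunk, one MAC-based membership rule.
ACCESS = SwitchPort("ge1", pvid=10)
TRUNK = SwitchPort("ge24", pvid=1, trunk_allowed={10, 20, 30})
MAC_VLANS = {"00:11:22:33:44:55": 20}

if __name__ == "__main__":
    bcast = "ff:ff:ff:ff:ff:ff"
    for port, frame in [
        (ACCESS, build_frame(bcast, "00:aa:bb:cc:dd:01", ETHERTYPE_IPV4)),
        (ACCESS, build_frame(bcast, "00:11:22:33:44:55", ETHERTYPE_IPV4)),
        (TRUNK, build_frame(bcast, "00:aa:bb:cc:dd:01", ETHERTYPE_IPV4, vid=30, pcp=5)),
        (TRUNK, build_frame(bcast, "00:aa:bb:cc:dd:01", ETHERTYPE_IPV4, vid=40)),
        (ACCESS, build_frame(bcast, "00:aa:bb:cc:dd:01", ETHERTYPE_IPV4, vid=10)),
    ]:
        print(port.name, classify(port, frame, MAC_VLANS))
```

The two drop cases are the ones a defender cares about: a tagged frame arriving on an access port, and a tag for a VLAN the trunk is not configured to carry. Both are rejected rather than silently mapped to the default VLAN, so a host cannot choose its own VLAN by supplying a tag.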
Authenticated VLAN technology grants users access to one or more VLANs after the users go through an authentication process. Authenticated VLAN permissions are granted to the users, not the devices, and leverage common AAA systems like RADIUS and LDAP directory servers. Strong, two-factor authentication can be used for identity verification. Authenticated VLANs also provide campus-level security at the switch port and can be integrated into a single sign-on process.
Firewalls also control access between networks; the most widely deployed are those embedded in traditional routers and multilayer switches, usually called access-control lists (ACLs). The main differences between firewall types are how deep they look into the packets, whether host-to-host communication is direct or via a proxy, and whether or not session-state information is maintained.
In controlling access between networks, router filtering policies can be based on source/destination switch slot or port, source/destination VLAN, source/destination IP address, source/destination TCP and UDP ports, ICMP type, and/or source MAC. In some switches and routers, dynamic ACL rules can be created after a user goes through an authentication process, like an authenticated VLAN but at Layer 3. This is used when unknown source addresses require access to known, internal destinations.
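The ACL semantics the article relies on in two places (the trusted-host restriction of management access to specific IP addresses and TCP/UDP services, and the router filtering policies just listed) share one evaluation model: an ordered rule list, first match wins, and an implicit deny when nothing matches. The following added example (written for this page, not the article's or Alcatel's code) implements that model for source/destination address, protocol, port ranges, ICMP type, source VLAN and a stateless "established" check, and applies it to a constructed management-plane ACL. The management address 10.0.0.1, the NOC subnet and the SNMP station address are assumptions for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    ack: bool = False           # TCP ACK set: reply traffic of an existing session
    vlan: Optional[int] = None  # ingress VLAN, when the platform makes it available


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range
    sport: Optional[Tuple[int, int]] = None   # inclusive source port range
    icmp_type: Optional[int] = None
    established: bool = False   # match only TCP segments with ACK set
    src_vlan: Optional[int] = None

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.sport and not (self.sport[0] <= pkt.sport <= self.sport[1]):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        if self.src_vlan is not None and pkt.vlan != self.src_vlan:
            return False
        return True


def evaluate(acl, pkt):
    """First matching rule wins; returns (action, rule index). No match is an implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed management-plane ACL; the device's management address 10.0.0.1 is an assumption.
MGMT_ACL = [
    Rule("permit", "tcp", src="10.0.0.0/24", dst="10.0.0.1/32", dport=(22, 22)),    # SSH from the NOC subnet
    Rule("permit", "udp", src="10.0.0.5/32", dst="10.0.0.1/32", dport=(161, 161)),  # SNMP from one trusted station
    Rule("deny", "tcp", dst="10.0.0.1/32", dport=(23, 23)),                          # telnet from anywhere
    Rule("permit", "icmp", src="10.0.0.0/24", dst="10.0.0.1/32", icmp_type=8),       # echo request from the NOC
    Rule("permit", "tcp", established=True),                                          # replies to device-initiated sessions
    Rule("deny", "ip"),                                                               # explicit final deny, so hits can be logged
]

if __name__ == "__main__":
    for pkt in [
        Packet("tcp", "10.0.0.7", "10.0.0.1", sport=40000, dport=22),
        Packet("tcp", "192.0.2.9", "10.0.0.1", sport=40000, dport=22),
        Packet("udp", "10.0.0.6", "10.0.0.1", sport=50000, dport=161),
        Packet("tcp", "203.0.113.4", "10.0.0.1", sport=443, dport=50000, ack=True),
    ]:
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, evaluate(MGMT_ACL, pkt))
```

The explicit final deny is there for operational reasons rather than correctness: the implicit deny already blocks everything unmatched, but a rule that matches gives the platform a counter and a log entry to attach the drop to, which is what makes port scans against the management address visible. The "established" rule is the stateless approximation the article alludes to when it contrasts firewall types by whether session state is maintained; it trusts the ACK bit rather than a connection table.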
Today's networks should be designed around a security-in-depth philosophy that employs multiple layers of security. By deploying switches and routers that implement best-security practices, organizations can couple these with traditional security technologies to create a stronger, layered security system.
For more information from Alcatel: www.rsleads.com/301cn-251
What are the top four network security areas your organization will address in 2003?
  Virus protection          48%
  Firewalls                 45%
  LAN intrusion detection   41%
  Virtual private networks  26%
* Percent of survey respondents. Source: November 2002 Communications News security survey.
RELATED ARTICLE: Security resource.
Targeting senior corporate management and IT professionals, Security Provisioning: Managing Access in Extended Enterprises, by Yuri Pikover and Jeff Drake, reveals advantages, criteria and implementation considerations of using policy-based provisioning technology to control and monitor user access rights across an enterprise and beyond. The book provides a historical overview, as well as 10 real-world examples (www.isaca.org).
Hayes manages security strategy and business development issues for Alcatel's e-business networking division, Calabasas, CA.
Date: Jan 1, 2003