T 3.64 Incorrect configuration of routers and switches

The configuration of active network components strongly depends on the purpose of the devices. Some examples of configuration weaknesses that can threaten the secure use of these devices are listed below.

Operating system

Outdated or insecure operating system versions are often used on routers and switches. Exploits for numerous operating system versions of devices from different manufacturers are publicly available on the internet and can be used to attack such devices.

Password protection

Access to active network components is often protected insufficiently by passwords.

Administration access

In practice, administration interfaces are often freely reachable, for example because no Access Control Lists (ACLs) restricting access to them have been configured.

Remote access

Active network components usually offer remote access via TELNET. With TELNET, user name and password are transmitted in clear text.

Login banners

Login banners of active network components often provide information about the model and version number of the device.

Unnecessary network services

Frequently, routers and switches provide unnecessary network services that can be used by attackers to threaten the availability, integrity, or confidentiality of the components.

Interfaces

Unused interfaces on routers are often not disabled.

VLAN

Trunk ports carry all configured VLANs, so anyone who gains access to a trunk port also gains access to all VLANs. Frequently, the trunking protocols on switches are not disabled on end-device ports. See also T 5.114 Misuse of spanning tree.

Routing protocols

Routing protocols without authentication procedures may threaten the confidentiality, availability, and integrity of complex networks.
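The weaknesses listed above can be checked for mechanically in a device's running configuration. The following audit script is an added example, not part of the IT-Grundschutz catalogue; it assumes a Cisco IOS-like configuration syntax (the threat text names no vendor) and runs over a constructed sample configuration that exhibits several of the issues (Telnet administration, no ACL on the administration lines, an unnecessary HTTP service, a version-disclosing banner, trunk negotiation on an end-device port, an undisabled unused interface and OSPF without authentication).

```python
import re

# Constructed sample running-config in Cisco IOS-like syntax (an assumption; the threat text names no vendor).
SAMPLE_CONFIG = """\
banner motd ^C Catalyst 3750 running IOS 12.2(55)SE ^C
ip http server
line vty 0 4
 transport input telnet
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/24
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
"""

def parse_blocks(config):
    """Split a config into (header, sub-lines) pairs; indented lines belong to the preceding header."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Return a list of findings for the T 3.64 misconfigurations that are visible in the config text."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("banner") and re.search(r"\d+\.\d+", header):
            findings.append("banner: discloses model/version information")
        elif header == "ip http server":
            findings.append("service: unnecessary network service (HTTP) enabled")
        elif header.startswith("line vty"):
            if not any(b == "transport input ssh" for b in body):
                findings.append(f"{header}: clear-text Telnet permitted for remote administration")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{header}: no ACL restricts administration access")
        elif header.startswith("interface"):
            if not body:  # no configuration at all: unused interface left enabled
                findings.append(f"{header}: unused interface not disabled (no 'shutdown')")
            if any(b.startswith("switchport mode dynamic") for b in body):
                findings.append(f"{header}: trunk negotiation left enabled on end-device port")
        elif header.startswith("router") and not any("authentication" in b for b in body):
            findings.append(f"{header}: routing protocol without authentication")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports seven findings for the sample; a configuration using SSH with an access-class, shut-down unused ports and authenticated routing produces none.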