S 2.283 Software maintenance on routers and switches

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Any operation of software requires regular checks and maintenance of the operating system and the configuration. Routers and switches must not be excluded from this, for example in order to allow for functional extensions, to eliminate software errors, and to increase performance and security.

Here, it must be taken into consideration that in practice maintaining the operating system of routers and switches often requires complete replacement of the operating system software. In many cases, it is not possible to install updates and patches. As for all changes to the configuration, due diligence must be exerted, since improper performance may have adverse effects on the function and the security of the devices. In this respect, careful planning of a change always also includes a fall-back strategy.

Installation of new software

The following items must be taken into account when preparing updates:

• A suitable time window must be designed. The time required should not be underestimated and sufficient downtime should be planned as a precaution.
• The release notes of the new release attached by the manufacturer must be read carefully.
• For new software versions, individual features may no longer be contained or work improperly. The default settings may also change from time to time.
• New versions of the program and particularly of an operating system must be tested carefully before commissioning in order to ensure full functionality.
• New programs or operating systems may have less performance, for example due to additional features or increased memory consumption. This may cause problems if a router or switch was already operated at the utilisation limit prior to the update.

Many manufacturers offer configuration tools for planning the extension. These allow planning of a configuration and selection of the required hardware components such as interfaces and memories based on the device used.

The following steps should be taken into consideration when performing updates:

• Procurement of the update from a trustworthy source. Normally, updates should only be obtained from the manufacturer. If the manufacturer provides checksums for the updates or digitally signs the update packs, the checksums or signatures should be checked (see also S 2.273 Prompt installation of security-relevant patches and updates and S 4.177 Assuring the integrity and authenticity of software packages).
• Checking the integrity and functionality of the update
• Disconnecting the device from the productive network or disabling all interfaces
• If possible, backing up the existing configuration and the operating system
• Installing the update
• Testing
• Re-activation of the device in the network

Changing the configuration

Changes to the configuration may be both performed directly on the device at the system console (online) and on a separate management computer with a corresponding configuration program or a text editor (offline). Both approaches entail advantages and disadvantages, but offline configuration should be preferred in general.

The online configuration can normally only be performed with low levels of convenience and without the help of tools; comments cannot be inserted at all times, for example However, the syntax is checked promptly.

If configuration files are created offline, there are normally more convenient tools available and comments can be inserted. The disadvantage of this approach is that passwords must often be entered in clear text into the configuration files. Since the passwords in the configuration file - and therefore also during transmission via the network to the device, unless an encrypted connection is used - can be read, they should be changed immediately upon installation of the configuration file. Another option is to set the passwords online and to subsequently read out the configuration including the encrypted passwords.

In order to ensure that the current configuration is read after a boot procedure from the memory, the changed configuration must be stored after it has been loaded to the device.

For some devices, configuration files for central administration may also be stored to separate servers and loaded there. This may be performed both manually and automatically - for example during the booting procedure. This way, changes can be distributed automatically to the devices. However, loading during booting procedure is not recommendable due to the possibility of deliberate disturbance, its susceptibility to errors, and the caused network load, and is used only rarely. On the other hand, the configuration files should be backed up and administered by a central server of this kind.

In any case, the administration computer that is used to perform the offline configuration and/or to store the configuration data must be protected specifically against unauthorised access.

Review questions:

• Have maintenance windows been defined for installing updates to the routers and switches?
• Are the updates for routers and switches tested before productive use?
• Are the updates procured only from trustworthy sources?
• Are the update checksums compared and/or the digital signatures checked, if provided by the manufacturer?
• Has it been ensured that the routers and switches concerned are disconnected from the productive network during the update?