S 2.284 Secure withdrawal from operation of routers and switches
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Configuration files and log files stored on active network components contain a wealth of information about the network, the infrastructure, the organisation and possibly also about individuals in the organisation. When a device is passed to an outside party (for example, returned to the manufacturer or the service company for the replacement of parts under warranty, or sold to a possible purchaser), this information can be analysed.
For example, the following information can be extracted from configuration files:
- the protocols used (especially routing protocols), IP addresses and subnets
- VLAN configuration
- access control lists
- passwords and SNMP community strings
- name and contact data for the administrator (banner)
Due to the sensitivity of this information, care should be taken to ensure that the files are deleted or rendered unreadable before a device is withdrawn from operation or a defective or outdated device is replaced. The procedure depends greatly on the manufacturer of the device. The security policy for routers and switches should set out the responsibilities in this area.
Many devices support a "factory reset" function. With a command or by activating a switch, the components are reset to the default factory settings. However, it should be kept in mind that such a reset does not necessarily return all stored settings to their original condition. It is therefore imperative that the devices are checked afterwards. On other devices, configuration files can be completely deleted using appropriate commands or can be overwritten with different files. If the devices used do not have any of the functionality mentioned, then it is necessary to perform a reconfiguration on an individual basis or to physically destroy the memory.
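One way to carry out the check after a factory reset is to scan a configuration dump taken from the device for the categories of information listed above. The following is an added example, not part of the original safeguard: the configuration syntax is assumed to be Cisco-IOS-like, the patterns and the names find_residue and RESIDUE_PATTERNS are hypothetical, and the sample dump is constructed.

```python
import re

# Assumption: IOS-style configuration syntax. Adapt the patterns per manufacturer.
# Each pattern corresponds to one category from the list in this safeguard.
RESIDUE_PATTERNS = {
    "routing protocol": re.compile(r"^router\s+\S+", re.I),
    "IP address/subnet": re.compile(r"^\s*ip(v6)? address\s+\S+", re.I),
    "VLAN configuration": re.compile(r"^vlan\s+(?!1$)\d+", re.I),  # VLAN 1 assumed default
    "access control list": re.compile(r"^(ip )?access-list\s+\S+", re.I),
    "password/secret": re.compile(
        r"^\s*(enable (secret|password)|username\s+\S+.*(secret|password)|password)\s+\S+",
        re.I),
    "SNMP community": re.compile(r"^snmp-server community\s+\S+", re.I),
    "banner": re.compile(r"^banner\s+\S+", re.I),
}
SENSITIVE = {"password/secret", "SNMP community"}

def find_residue(config_text):
    """Return (line_no, category, line) for every residual setting found.
    Credential values are redacted so the report itself can be filed safely."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        for category, pattern in RESIDUE_PATTERNS.items():
            if pattern.search(line):
                if category in SENSITIVE:
                    line = " ".join(line.split()[:2]) + " <redacted>"
                findings.append((no, category, line.strip()))
                break  # one category per line is enough for the report
    return findings

# Constructed sample: a dump taken after a reset that left two items behind.
SAMPLE_AFTER_RESET = """\
hostname Switch
!
interface Vlan1
 no ip address
!
snmp-server community s3cr3t-ro RO
banner motd ^C Contact: admin, tel. 0000 ^C
line vty 0 4
 login
"""

if __name__ == "__main__":
    for no, category, line in find_residue(SAMPLE_AFTER_RESET):
        print(f"line {no}: {category}: {line}")
```

An empty result only shows that none of the assumed patterns matched; log files and any storage areas not covered by the dump still have to be checked separately.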
Sometimes log files that are stored on devices can similarly be deleted or overwritten by the "factory reset" function. However, this should be viewed as the exception rather than the rule. Frequently a log file can be deleted with an appropriate command. Before withdrawing a device from operation, particular care should therefore be taken to ensure that it does not still contain any log files. If the devices used do not have any of the functionality mentioned, it may be necessary to physically destroy the memory.
Often, routers and switches carry external labels containing IP addresses, host names or other technical information. These labels should also be removed prior to disposal.
Review questions:
- Has it been ensured that prior to replacing or withdrawing routers or switches from operation the stored data is securely deleted?
- Are the responsibilities for securely withdrawing routers and switches from operation defined in the security policy?
- Is complete physical destruction of the memory ensured if secure deletion of the data on the routers and switches is not possible?
- Are labels containing IP addresses or host names, for example on the outside of the routers and switches, removed prior to disposal?