S 4.201 Secure basic local configuration of routers and switches

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

All configuration work on routers and switches must be performed according to the security policy drawn up (see S 2.279 Drawing up a security policy for routers and switches) and documented and annotated as described in S 2.281 Documentation of the system configuration of routers and switches.

Operating system

Since routers and switches have a particularly large number of communication partners and therefore potential attackers due to their use in the network, special care must be taken when selecting, configuring, and maintaining the operating system.

It is important to first obtain an overview of the functions offered and required. The goal during the selection process is to operate a version with the highest possible stability. It must be taken into account in this case that the number of attack possibilities (exploits) generally increases with the age of a release. However, a very new release (especially one with completely new functions) may also contain inadequacies or new errors.

When in doubt, it is usually better to use an older version as long as this version still meets the functional requirements. However, the most recent security patches available for this version absolutely must be installed (see also S 2.273 Prompt installation of security-relevant patches and updates). Versions the manufacturer no longer provides security patches for should not be used.

Basic offline configuration

Before a router or switch is connected to the production network, a secure basic configuration must be established. Many devices are delivered by the manufacturer with a default configuration first and foremost set up for fast start-up and the widest possible range of functionality, but with practically no security mechanisms enabled. For this reason, the default settings and the basic configuration must be checked offline or in a specifically protected test network set up especially for this purpose.

It is often possible to specify the configuration on a management computer using corresponding programs and then transfer it to the new device using a memory card, for example. If the only way available to transfer the configuration is to transmit it over a network, the transfer should only be performed in the test or administration network.

When configuring the system, it must be taken into account that not every administration or configuration tool (console, web interface, external configuration program) will display all relevant information under some circumstances.

For example, it may happen that the system commands used to display a router or switch configuration do not show all parameters. For this reason, it is important to be able to check the available documentation to see if all relevant parameters were set properly.

It is recommended to divide the basic configuration procedure into the following two steps:

• Local configuration: Examination and modification of the configuration parameters referring to the device itself (for example user accounts or roles, passwords, log files, console access settings, serial interface settings, etc.). The corresponding steps are described below.
• Network configuration: Examination and modification of the configuration parameters referring to the function of the device in the network (for example services and protocols, configuration of access control lists (ACLs), VLANs, etc.). The corresponding steps are described in S 4.202 Secure basic network configuration of routers and switches.

User accounts and passwords

The capabilities for configuring users and roles and for assigning authorisations may differ significantly from manufacturer to manufacturer (and sometimes even between individual devices or software releases). For this reason, it is recommended to draw up a detailed concept for the respective devices according to the rights and role concept designed for the administration of the active network components.

Routers and switches from some manufacturers (e.g. Cisco) are delivered ex factory with several user accounts possessing different levels of authorisation for administration purposes. Other devices are delivered with just a single user account for administration purposes. Default user accounts generally have well-known default user names and passwords, and some administration accounts are not even assigned a default password. Lists of manufacturer-specific default accounts and passwords can be downloaded from relevant websites.

When a device is operated for the first time, these default user accounts must be changed, if possible. In any case, though, the passwords for the default accounts must be changed. Unused user accounts must be deactivated.

After that, the planned user accounts and roles must be set up according to the rights and roles concept.

Unfortunately, numerous active network components store passwords in clear text in the configuration files. If this is the case, it is particularly important to protect the configuration files against unauthorised access. If it is possible to store passwords in encrypted form, the passwords should be encrypted wherever this is possible. Additional aspects are described in S 1.43 Secure installation of active network components, S 4.204 Secure administration of routers and switches, and S 6.91 Data backup and recovery on routers and switches.

Login banners

On most devices, a relatively detailed login message is displayed when a user logs in. This login message often contains information (for example the model or version number, software release number, or patch level) that a potential attacker could use to his/her advantage.

If the device allows the default login message to be changed, it should be replaced by a modified version which does not any internal information. The model and version number of the device and the version number of the operating system must not be displayed in the login banner under any circumstances. The following information should be displayed on the device instead when a user logs in:

• Access is only allowed for authorised personnel.
• All work must be performed in accordance with the security policy.
• The device is integrated into central control mechanisms, for example in a network management system (NMS) to record and detect violations of the security policy.
• Violations of the security policy will be punished by disciplinary / legal action.

Logging

Security safeguards relating to logging on network components and the integration of time and date information with the help of NTP are described in S 4.205 Logging on routers and switches.

Interfaces

Unused interfaces on routers must be disabled. On switches, all unused ports should either be disabled or assigned to an "Unassigned VLAN" set up especially for this purpose.

Backing up the configuration

The configuration files of the basic configuration form the basis for further, additional configuration. It is recommended to create backup copies of the default configuration files supplied with the device, as well as of the files containing the results of the basic configuration process.

Additional aspects relating to the backup of configuration files are described in S 6.91 Data backup and recovery on routers and switches.

Review questions:

• Are configuration changes to routers and switches performed in accordance with the existing security policy and documented in such a way that configuration changes are traceable?
• Do the manufacturers provide security patches for all routers and switches used and are these patches installed?
• Are the default settings of the routers and switches checked before operation in the production network and equipped with a secure basic configuration?
• Is the basic configuration of routers and switches performed offline and/or only in a subnet specifically established for this and particularly protected?
• Are there device-specific concepts for establishing the specified role and rights concept?
• Have the passwords of the default accounts on the routers and switches been changed and to they correspond to the security policies of the organisation?
• Have unneeded user accounts on the routers and switches been disabled?
• If the passwords on routers and switches are stored in clear text in the configuration files: Are the configuration files particularly protected against unauthorised access?
• Are the passwords stored in encrypted form on the routers and switches, if possible?
• Have the default login registrations on the routers and switches been replaced by an adapted version, if possible, so that no conclusion can be drawn regarding the versions used?
• Are unused interfaces on routers and switches disabled or assigned to a dedicated "Unassigned-VLAN"?
• Are backups performed both before and after successful basic configuration?