S 4.202 Secure basic network configuration of routers and switches

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Remote access

Telnet is often offered as the standard method for administering active network components over the network. In many cases, administration via SNMP or over an HTTP interface is also available. All of these protocols share the disadvantage that the user name and password as well as the payload (the configuration data itself) are transmitted over the network in clear text (see also T 2.87 Use of insecure protocols in public networks).

For this reason, either a separate administration network (out-of-band management) must be set up for administration purposes, or only protocols that support secure authentication and encrypted transmission (for example SSH2) may be used.

If SNMP will be used outside of the organisation's own administration network, only SNMPv3 should be used.

Authentication server

In large networks, routers and switches should, if possible, be configured to authenticate administrators against a central authentication server, ideally using one-time passwords. Examples of protocols for this purpose are RADIUS and TACACS+. Further aspects are described in S 4.204 Secure administration of routers and switches.

Management interface and administration network

Some devices offer the ability to configure a user-defined logical interface for administration (management interface). For switches, this interface should be assigned to a separate VLAN that is used exclusively for administrative purposes (out-of-band management) and contains only the management interfaces. In the case of routers, ACLs should be configured so that access to the management interface is permitted only from the management station and only with the defined protocols. All services not needed on the management interface should be disabled.

Additional information on the configuration of an administration network (out-of-band management) is described in S 4.204 Secure administration of routers and switches.

Disabling unneeded network services

Manufacturers of active network components often give the highest priority to making their components as easy as possible to install, operate and configure. Numerous services are therefore enabled in the default configuration. Only the services required for operation should be enabled; all other services on routers and switches must be disabled, since every reachable service enlarges the attack surface, and many of these services have no security mechanisms of their own.

The settings for the services listed in the following table often apply to the entire device and not to individual interfaces/ports. In general, these services must not be reachable from insecure networks; this must be enforced with corresponding access control lists.

The following table lists a number of services that are usually available on active network components. A recommendation is provided for each service suggesting the normal procedure for handling the service.

Service: Description
FINGER: The finger service displays the users currently logged in to a device. It is of no practical use and should be disabled.
BOOTP: Some routers and switches support BOOTP (the bootstrap protocol) both as server and as client. As a server, the device supplies boot parameters to other components; as a client, it obtains its own configuration this way. BOOTP provides no authentication or encryption and should be disabled.
HTTP: A large number of routers and switches can be administered using HTTP. This service must always be disabled in public networks and should only be used in isolated administration networks.
SNMP: SNMP is an administration and network management protocol. The security functions provided in SNMPv2 and lower (community strings sent in clear text) are inadequate. SNMPv3 offers stronger authentication and encryption options. This service should only be used in isolated administration networks. SNMPv1 and SNMPv2 must never be used outside of isolated administration networks.
TELNET: Telnet is often used as the standard administration interface for routers and switches. This service should be replaced by SSH (see below). In public networks, Telnet must not be used for the administration of active network components.
NTP: The Network Time Protocol (NTP) is used to synchronise the system time. Some routers and switches can also act as time server for other devices. In its basic configuration NTP offers no protection against forged time sources and should therefore not be used across public networks. An internal NTP server should be installed that is then reached over the administration network.
DNS: Some routers and switches provide name resolution for DNS clients, for example in the context of logging. Name resolution is normally not necessary on active network components and offers no real benefit. DNS should therefore be disabled.
CDP: CDP (Cisco Discovery Protocol) is a proprietary layer 2 protocol used between Cisco routers and switches that announces device details to neighbours. It should at least be disabled on terminal ports (ports to which end devices are connected).
TFTP: Some routers and switches support booting from a TFTP server. TFTP offers no security mechanisms. This function should only be used when an internal TFTP server is installed in an isolated administration network.
SSH1: SSH1 is an old version of the Secure Shell protocol with several known weaknesses. It should therefore not be used. If a device only offers SSH1, the device should only be accessed over an isolated administration network.
SSH2: SSH2 is a secure substitute for Telnet for the administration of routers and switches over public networks. Nevertheless, SSH access should additionally be protected with corresponding ACLs.

Table: Services of active network components

The following settings should also be considered on switch interfaces, and especially on the interfaces of routers used in public networks.

However, it is not possible to specify a generally valid procedure; the following are therefore recommendations for individual aspects only. If a recommendation is not followed in a particular case, the reason should always be documented.

Service: Description, setting
IP source routing: This function allows an IP packet to specify the route to its destination, which lets an attacker bypass the routing policy. It is used in a number of attacks and should therefore be disabled.
IP directed broadcast: This function can be exploited for DoS attacks (amplification via broadcast replies) and should therefore be disabled.
ICMP redirects: Sending ICMP redirects reveals information about the network topology, and forged redirects are used to divert traffic. This function should therefore be disabled on the external interfaces of routers at a minimum.
ICMP unreachable notifications: ICMP unreachable messages can be used to obtain information about networks (for example during scans). This function should therefore be disabled on the external interfaces of routers at a minimum.
ICMP mask reply: ICMP mask replies disclose the subnet mask and thus information about the network structure. This function should therefore be disabled on the external interfaces of routers at a minimum.

Table: Service settings

Anti-spoofing

Border routers are used to connect internal networks to external networks. Security safeguards that prevent IP spoofing should be implemented on border routers (see also T 5.48 IP spoofing). This can be accomplished by configuring corresponding ACLs, for example. The following is one possible approach:

Packets blocked by the second rule should be logged and, if necessary, reported to the responsible administrator. A station in the internal network that is evidently sending packets with forged source addresses is a clear indication either of a misconfiguration or of an actual security problem (such as a compromised host).
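The following Python example (added here; it is not the catalogue's own rule listing, which is not reproduced on this page) implements the two usual anti-spoofing rules on a border router: rule 1 drops packets arriving on the external interface that claim an internal source address (the example generalises this to loopback, unspecified and link-local sources as well), and rule 2 drops and logs packets arriving on the internal interface whose source is not internal. The interface names, internal address ranges and packets are constructed.

```python
"""Anti-spoofing filter for a border router (added example).
Assumed rules:
  1. outside -> internal or otherwise impossible source address: deny
  2. inside  -> source address not internal: deny and log (points at a
     misconfigured or compromised internal host)
Address ranges, interface names and packets are constructed."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("203.0.113.0/24")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_impossible_external_source(addr):
    """Sources that can never legitimately arrive from outside."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def filter_packet(ingress_if, src, dst, log):
    """Return 'permit' or 'deny' for one packet; rule-2 hits are logged."""
    if ingress_if == "outside" and (is_internal(src) or is_impossible_external_source(src)):
        return "deny"                                   # rule 1
    if ingress_if == "inside" and not is_internal(src):
        log.append(f"ANTISPOOF rule 2: inside host sent src={src} dst={dst}")
        return "deny"                                   # rule 2
    return "permit"


def run(packets):
    """Apply the filter to (ingress_if, src, dst) tuples; return (decisions, log)."""
    log = []
    decisions = [filter_packet(i, s, d, log) for i, s, d in packets]
    return decisions, log


# Constructed traffic sample.
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7", "192.0.2.10"),   # legitimate inbound
    ("outside", "192.0.2.99", "192.0.2.10"),     # spoofed: internal source from outside
    ("outside", "127.0.0.1", "192.0.2.10"),      # impossible source from outside
    ("inside", "192.0.2.10", "198.51.100.7"),    # legitimate outbound
    ("inside", "10.9.9.9", "198.51.100.7"),      # forged source from an inside host
]

if __name__ == "__main__":
    decisions, log = run(SAMPLE_PACKETS)
    for pkt, decision in zip(SAMPLE_PACKETS, decisions):
        print(f"{decision:6} {pkt}")
    print("\n".join(log))
```

Only the rule-2 hit produces a log entry: a rule-1 hit says something about the outside world, a rule-2 hit says something about a host the administrator is responsible for.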

Loopback interface

Some router models (for example from Cisco) offer the ability to set up a loopback interface. The IP address assigned to the loopback interface can be used by the router as the source address for protocols such as syslog and NTP and for important administration services. This makes protecting the router easier, because the source address of packets sent by the router is then always the loopback address regardless of the physical interface used, so that filters and ACLs on the receiving systems can be restricted to this single, stable address.

Routing protocols

Only routing protocols that support cryptographic authentication of routing updates (keyed hashes rather than clear-text passwords) should be used. Dynamic routing protocols must not be used in demilitarised zones; static routes should be configured there instead.

The use of routing protocols should also be protected by configuring ACLs. More information on this subject can be found in S 5.112 Security aspects of routing protocols.

Access control lists

The use of access control lists (ACLs) to restrict access to routers and for packet filtering between networks is described in S 5.112 Security aspects of routing protocols.

Spanning Tree

The Spanning Tree Protocol (STP, IEEE 802.1D) is used by switches and bridges to avoid loops at OSI layer 2. BPDUs (Bridge Protocol Data Units) are exchanged at start-up and whenever the topology changes in order to determine the root bridge (based on bridge priority and MAC address). The protocol offers no form of authentication, so any device that can send BPDUs can influence the topology. For this reason, STP should be disabled on all terminal ports at a minimum or, where the switch offers it, incoming BPDUs on those ports should be blocked, so that an attached end device cannot take over the root bridge role. A single, unique root bridge must be specified in the configuration.

VLANs and trunking

Trunking allows VLANs to be extended across several switches. Trunking is controlled by the IEEE 802.1Q standard or by one of various proprietary trunking protocols. A physical port (trunk port) on each switch is reserved for inter-switch communication; the logical connection between the switches is referred to as a trunk.

Trunk ports carry all VLANs, so anyone with access to a trunk port also has access to every VLAN on that trunk. Some devices, however, allow the VLANs carried on a trunk to be restricted ("VLAN pruning"). If a switch offers this functionality, it should be used. On terminal ports, trunking and automatic trunk negotiation should be disabled wherever possible, so that an attached end device cannot turn its port into a trunk.

The default VLAN (usually VLAN 1) must not be used as a productive VLAN.

If the proprietary Cisco protocol VTP (VLAN Trunking Protocol) is used, the authentication functionality supported by VTP (a VTP domain password) must be used.

Free ports

A separate VLAN ("unassigned VLAN") should be set up for unused ports. If possible, however, unused ports should be shut down completely, since the VLAN assignment alone provides only minimal additional security.

If certain ports are to be reserved for connecting various devices, a security mechanism should be implemented on these ports that only grants network access after successful authentication.

Access protection of this type can be implemented using the IEEE 802.1X standard, for example. 802.1X is now supported by numerous switches and by most computer operating systems. There are also a number of (sometimes proprietary) solutions that authenticate terminal devices to the active network components based on their MAC address or using other mechanisms before granting network access. MAC-address-based authentication provides only weak protection, since MAC addresses can be forged easily.
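As an added example covering the Spanning Tree, trunking, default VLAN and free ports recommendations above (not part of the catalogue text), the following Python script audits the port configuration of a constructed IOS-style switch configuration: trunk ports must restrict the VLANs they carry and have negotiation disabled; every other port that is not shut down is treated as a terminal port and must be forced to access mode, must not sit in VLAN 1, must not negotiate trunks and must not accept BPDUs. The interface names and the command syntax are assumptions for illustration.

```python
"""Audit switch ports against the layer-2 recommendations of S 4.202.
Added example; configuration text is constructed and command syntax
is assumed for illustration."""

SAMPLE_SWITCH_CONFIG = """\
interface GigabitEthernet1/0/1
 description workstation, hardened access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description printer, left on factory defaults
!
interface GigabitEthernet1/0/3
 description unused
 shutdown
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Map interface name -> list of its (stripped) configuration lines."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(maxsplit=1)[1]
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        else:
            current = None
    return ifaces


def audit_port(name, lines):
    """Return findings for one port; an empty list means the port passes."""
    findings = []
    if "shutdown" in lines:
        return findings                      # disabled port: nothing to reach
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "trunk":
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append(f"{name}: trunk carries all VLANs; restrict allowed VLANs")
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: trunk negotiation enabled; set 'switchport nonegotiate'")
        return findings
    # Everything that is up and not a trunk is treated as a terminal port.
    if mode != "access":
        findings.append(f"{name}: not forced to access mode; trunk negotiation possible")
    vlan = next((l.split()[3] for l in lines if l.startswith("switchport access vlan ")), "1")
    if vlan == "1":
        findings.append(f"{name}: assigned to default VLAN 1")
    if "switchport nonegotiate" not in lines:
        findings.append(f"{name}: trunk negotiation not disabled")
    if "spanning-tree bpduguard enable" not in lines:
        findings.append(f"{name}: accepts BPDUs; enable BPDU guard")
    return findings


def audit_switch(config):
    """Audit every port of the configuration and return all findings."""
    return [finding
            for name, lines in parse_interfaces(config).items()
            for finding in audit_port(name, lines)]


if __name__ == "__main__":
    for finding in audit_switch(SAMPLE_SWITCH_CONFIG):
        print(finding)
```

In the sample only the port left on factory defaults produces findings (four of them); the hardened access port, the shut-down port and the pruned, non-negotiating trunk pass.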

Review questions: