
Hidden endpoints: Mitigating the threat of non-traditional network devices

Organizations have many safeguards in place for network-enabled devices like PCs and servers, but few realize the threat posed by non-traditional devices like printers, physical access devices and even vending machines. Endpoint security expert Mark Kadrich offers up some worst-case scenarios and explains how these and other endpoints can be protected.

In 2003, printers using Windows as the embedded OS were known to propagate Blaster, a worm that crippled hundreds of thousands of computers. Given the advancement of antimalware software and network intrusion detection and prevention (IDS/IPS) systems, one might assume that things have gotten better -- but one would be wrong.

More IP-enabled devices and bridges have hit the market in recent years, allowing just about any device, even if it only sports a lowly serial port, to gain access to an enterprise network. Such devices are becoming inviting new destinations for attackers who may have an interest in simply disrupting business within an organization, or perhaps pilfering sensitive data before it ever reaches the network.

The reality is, these devices exist on the network in large numbers today, and not only are there precious few safeguards for many of them, there's even less security awareness surrounding them. In this tip, we'll review some of the most notable non-traditional network endpoints, examine why they pose a risk, and discuss how to mitigate that risk.

Starting with the most (for now) ubiquitous of "hidden" devices on your network, we'll look at the humble IP printer. Many printers have multiple onboard interfaces, including HTTP and telnet. Default passwords are rarely changed since printers usually get expedited through the IT department on their way to the hungry group of users waiting to deplete the printer's toner.

Few realize how quickly one can wreak havoc on the local network by, for example, setting a printer's IP address to the gateway or DNS server. This opens the door for a denial-of-service attack. Although a similar process could be conducted via any old PC, most security administrators don't think about the printer being the culprit in such a way, since it doesn't have a keyboard.

Physical access devices
It's common today for physical access controls to be run over the enterprise network. One such vendor's marketing blurb highlights how the physical access gateway (PAG) can use power over Ethernet (PoE) to power badge readers and locks. The PAG also supports network discovery and boasts "ease of controllability" through a built-in Web server. These PAGs also have the ability to store up to 250,000 credentials in an "encrypted cache." Making matters worse, proximity card reader vendors are now using the network to upgrade and configure these devices. One vendor says that its product's operating parameters, such as "door open" time, are downloaded to the reader from a host computer. That means an attacker may be able to hack the doors from the safety of the lobby.

Web-based security cameras
Another interesting class of device is the IP-based security camera. These little darlings have been with us for a while and allow for cheap video surveillance. Unfortunately, some of these gems have built-in Web servers so that anyone can access the video from anywhere on the network. While vendors seem to think that it's a nice feature to enable anyone to access a security device, security pros probably disagree. It seems to me that if I could get on their network, I could see when the place was empty and safe to rob.

Here's your Twinkie…and a virus
And what is the newest threat to your network? Vending machines! There are companies that offer conversion kits that allow cash-only machines to accept credit cards, debit cards and new contactless cards!

Think about the ramifications -- such a machine could suddenly be susceptible to a man-in-the-middle attack, allowing an attacker to collect customers' credit card information. These devices lack any kind of software security check, and conversion vendors have been mum on any form of network access control (NAC).

For those who have to worry about retail networks, there are also point-of-sale machines to consider, not to mention specialty devices such as PIN vending machines, which sell pre-paid cell phones, cable TV subscriptions, concert tickets and debit cards, and which all have GPRS, Wi-Fi and Ethernet connections to back-end servers!

Security strategies for non-traditional network devices
So, what do you do to safeguard all of these devices? There are five key steps:

  • Modify the network security policy to address the problem. Many policies don't cover non-traditional devices. An enterprise security policy should address the use of the network as a carrier for these non-IT controlled devices, clearly delineating usage that is and isn't permitted.
  • Monitor the organization's purchasing requests. Of course, it's impossible to monitor all purchases, even under the best circumstances, but security teams can suggest a policy that passes all network-enabled and soon-to-be-purchased devices through a security review.
  • Conduct regular scans of the network and compare them to past history. New devices should be investigated and validated.
  • Properly configure any network connected device. Most devices are configured for easy installation, not security. Make sure that unused services are turned off and that access is limited to those that require it.
  • Interrogate non-traditional device vendors about their security testing process. If vendors can't or won't say how they test their devices, go to a trusted third party that specializes in providing such information.
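Steps three and four above (scan regularly, compare against history, and shut off services the device doesn't need) are easy to state and easy to let slide. The script below is an added example, not part of the original tip and not a product of the author or his firm: it compares a constructed baseline inventory against a constructed "current scan" and reports new hardware, services that fall outside a per-device-type policy, and critical addresses such as the gateway that are suddenly answered by a second MAC, which is exactly the printer-as-gateway scenario described earlier. The `ALLOWED_PORTS` policy table, the `RISKY_SERVICES` list, every MAC address and every port list are assumed sample values; in practice the `Host` records would be built from parsed output of whatever scanner or ARP monitor the organization already runs.

```python
"""Baseline-vs-scan comparison for non-traditional network endpoints.

Added example; all data below is constructed, not real scan output.
"""
from collections import defaultdict
from dataclasses import dataclass

# Cleartext management protocols that should not be reachable on a printer,
# camera or badge gateway in most enterprises (hypothetical policy).
RISKY_SERVICES = {21: "ftp", 23: "telnet", 161: "snmp"}

# Ports each device category is expected to expose (hypothetical policy).
ALLOWED_PORTS = {
    "router": {22},
    "printer": {9100, 631, 443},   # raw print, IPP, HTTPS admin
    "camera": {443, 554},          # HTTPS admin, RTSP video
    "badge-gw": {443},             # physical access gateway, HTTPS only
}


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    kind: str          # device category used to look up ALLOWED_PORTS
    ports: frozenset   # TCP/UDP ports observed open


def compare(baseline, current, critical_ips):
    """Return a list of (severity, message) findings.

    baseline:     Host records from the last approved inventory
    current:      Host records from the latest scan
    critical_ips: {ip: (role, expected_mac)} for gateway, DNS, etc.
    """
    findings = []
    base_by_mac = {h.mac.lower(): h for h in baseline}
    cur_by_mac = {h.mac.lower(): h for h in current}

    # 1. Hardware that appeared or vanished since the baseline (step 3).
    for mac in sorted(cur_by_mac.keys() - base_by_mac.keys()):
        h = cur_by_mac[mac]
        findings.append(("review", f"new device {mac} at {h.ip} ({h.kind})"))
    for mac in sorted(base_by_mac.keys() - cur_by_mac.keys()):
        h = base_by_mac[mac]
        findings.append(("info", f"device {mac} ({h.kind}) no longer seen at {h.ip}"))

    # 2. Services outside the policy for that device type (step 4).
    for h in current:
        allowed = ALLOWED_PORTS.get(h.kind, set())
        for port in sorted(h.ports - allowed):
            if port in RISKY_SERVICES:
                findings.append(("high", f"{h.kind} {h.mac} exposes "
                                 f"{RISKY_SERVICES[port]}/{port}"))
            else:
                findings.append(("review", f"{h.kind} {h.mac} exposes port {port}, "
                                 f"not permitted for {h.kind}"))

    # 3. A critical IP answered by a MAC other than the one on record,
    #    e.g. a printer whose address was set to the gateway's.
    macs_by_ip = defaultdict(set)
    for h in current:
        macs_by_ip[h.ip].add(h.mac.lower())
    for ip, (role, expected_mac) in critical_ips.items():
        for mac in sorted(macs_by_ip.get(ip, set()) - {expected_mac.lower()}):
            findings.append(("critical", f"{ip} ({role}) also answered by "
                             f"{mac} ({cur_by_mac[mac].kind})"))
    return findings


def run_sample():
    """Constructed baseline and scan illustrating each finding type."""
    baseline = [
        Host("10.0.0.1", "00:aa:00:00:00:01", "router", frozenset({22})),
        Host("10.0.0.50", "00:aa:00:00:00:50", "printer", frozenset({9100, 631})),
        Host("10.0.0.60", "00:aa:00:00:00:60", "camera", frozenset({443, 554})),
    ]
    current = [
        Host("10.0.0.1", "00:aa:00:00:00:01", "router", frozenset({22})),
        # The printer now claims the gateway's IP and has telnet and HTTP open.
        Host("10.0.0.1", "00:aa:00:00:00:50", "printer", frozenset({9100, 631, 23, 80})),
        Host("10.0.0.60", "00:aa:00:00:00:60", "camera", frozenset({443, 554})),
        # A badge gateway nobody told IT about.
        Host("10.0.0.70", "00:aa:00:00:00:70", "badge-gw", frozenset({443, 80})),
    ]
    critical = {"10.0.0.1": ("gateway", "00:aa:00:00:00:01")}
    return compare(baseline, current, critical)


if __name__ == "__main__":
    order = {"critical": 0, "high": 1, "review": 2, "info": 3}
    for severity, message in sorted(run_sample(), key=lambda f: order[f[0]]):
        print(f"[{severity:8}] {message}")
```

Keying the baseline by MAC rather than IP is deliberate: DHCP moves addresses around, but a new MAC on the wire is new hardware and deserves the investigation step 3 calls for. The IP-conflict check is the piece most inventory scripts omit, and it is the one that catches the "printer becomes the gateway" denial of service before users do.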

Finally, please change the default passwords on all network-enabled devices! Also, make sure that unused protocols are disabled so that there aren't multiple ways to reconfigure the devices.

About the author:
Mark S. Kadrich is president and CEO of The Security Consortium, an independent product-testing and comparison group that offers in-depth reviews and evaluations of security products and vendors. A 20-year veteran of the information technology industry and a recognized expert on endpoint security, he authored the Addison-Wesley book Endpoint Security and is a noted industry speaker.

This was last published in July 2008
