Router security issues are making headlines more and more, threatening the safety of organizations, both small...
This year alone, several high-profile router security issues have been disclosed. For example, DSL and wireless routers with numerous flaws were reported, which is seemingly inexcusable in 2015. In the DSL router finding, admin-level credentials were found to be hard-coded into the firmware and usable over Telnet in routers from well-known companies such as ASUS and DIGICOM; anyone who can reach the Telnet service can log in, and the owner has no way to change a password that is baked into the image. In the wireless router finding, Belkin devices were found to have DNS-related flaws, firmware updates transmitted in cleartext (which lets anyone on the path tamper with them) and Web user session-related vulnerabilities.
One might assume such vulnerabilities are isolated to the smallest of businesses, but that's not true. Plenty of larger organizations still use DSL connections for branch offices, for specific manufacturing equipment and -- especially -- for guest wireless network access. I hate to think how many networks considered to be part of the "critical infrastructure" are accessible -- and exploitable -- via these means. Given the consistent findings that IT pros don't know where their organizations' sensitive information resides, I'm willing to bet many such routers are not even accounted for, given their niche use and limited visibility.
In other news, Cisco enterprise network routers can get "infected" with the SYNful Knock implant. It was recently discovered that certain Cisco enterprise routers in the field were running a modified IOS image, which gives the attacker persistent, covert access to the device and a foothold for subsequent attacks inside the network. The risk may not be high for most organizations, given that valid administrator credentials (or physical access) are required to install the image, but it can be problematic nonetheless, and because the image itself was replaced the implant survives reboots. A tool called SYNful Knock Scanner can be used to discover enterprise routers that may have been compromised. Since a tampered image cannot be trusted to report on itself, also compare each router's IOS image hash against the value Cisco publishes, ideally by hashing a copy exported from the device rather than relying solely on the on-box verify /md5 command.
As these recent vulnerabilities demonstrate, enterprises can't take the security of these core network systems lightly.
However, the good news is that none of these router security issues are anything new. They're repetitions of basic security challenges that have been around for decades: hard-coded credentials, cleartext management protocols, firmware sent in the clear and vulnerable Web interfaces. Thankfully, we have security researchers out there working in our favor, uncovering and reporting on these issues, which allows organizations to respond accordingly and adjust their security strategies in order to prevent an attack.

One of the interesting challenges organizations face with router security issues is that testing these systems is often inconsistent with the security assessments performed on other, seemingly more critical, systems such as servers, Web applications and databases. I often see enterprise routers completely out of scope of external or internal penetration testing. In many cases, only simple vulnerability scans are run against routers without any manual analysis of network architecture, system configurations and the like. After all, "it's just a router."
To mitigate router security issues and ensure routers don't end up becoming one of the weakest links on the network, here are three key steps network and security managers must take:
- Take an inventory.
You can't secure what you don't acknowledge. Are you aware of every router on your network, including the DSL router at the remote facility and the device serving guest wireless? Roll these systems into your ongoing system inventory, recording vendor, model, firmware version and which management interfaces are enabled, so you can match vendor alerts to the devices you actually run and stay on top of the flaws.
- Scan for vulnerabilities.
Scan for vulnerabilities using traditional vulnerability scanners such as Nexpose or Qualys, and scan from where an attacker would sit -- the Internet side, the guest wireless network and the internal LAN -- since the services a router exposes differ by interface. But don't just skim over the top; look more deeply into router services that are running, especially Web interfaces. I often find relatively serious security flaws (e.g., cross-site scripting and open HTTP proxies) in routers by using Web vulnerability scanners such as the low-cost yet highly effective Netsparker or Acunetix Web Vulnerability Scanner. Also use tools such as NetScanTools Pro and Kali Linux (e.g., Cisco Global Exploiter) for more targeted testing of your routers. It's also critical to continually monitor routers for attacks and anomalous behavior, such as logins from unexpected sources, configuration changes and unexpected reloads or image changes. Proactive around-the-clock monitoring performed by a dedicated team or outsourced vendor is the best approach.
- Patch, replace or otherwise mitigate.
Roll routers into your enterprise's overall patch management program. Router patches tend to be slower to market and, of course, they're often more difficult to apply given network uptime requirements, so schedule maintenance windows for them rather than waiting for a convenient moment that never comes. If necessary, replace outdated routers that are no longer getting security updates from the manufacturer. Figure out how to make it happen. If there are no other options, use compensating security controls to minimize the risks: disable Telnet and HTTP management in favor of SSH and HTTPS, and use firewall or access-list rules to block the remaining ports/services so that management interfaces are reachable only from a trusted management network, never from the Internet or the guest wireless side.
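As an added example, and not code from the article or its author, here is a small triage script that ties the three steps together: it takes an nmap scan of the router inventory, flags management services that should not be reachable on a router (Telnet, HTTP, SNMP and alternate Web ports), emits the access-list lines that would block them, and warns when blocking would lock out a router that has no SSH/HTTPS listener at all. The hosts, ports and scan XML are constructed for illustration, the management network 10.0.99.0/24 is an assumption, and the rule syntax is Cisco-style extended ACL lines; adapt them to your own firewall.

```python
"""Triage an nmap scan of the router inventory.

Added example (not the article's code). Parses nmap -oX output, flags
management services that should not be exposed on a router and emits
the ACL lines that would block them. Hosts, ports and XML below are
constructed; ACL syntax assumed is Cisco extended-ACL style.
A real scan: nmap -sS -sU -p T:22,23,80,443,8080,U:161 -oX routers.xml -iL routers.txt
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Assumption: only SSH and HTTPS from the management network are acceptable.
RISKY_SERVICES = {
    ("tcp", 23):   ("telnet",   "cleartext management; hard-coded or sniffable credentials"),
    ("tcp", 80):   ("http",     "cleartext web admin; test for XSS/CSRF, prefer HTTPS"),
    ("udp", 161):  ("snmp",     "SNMP reachable; check for default community strings"),
    ("tcp", 8080): ("http-alt", "alternate web admin/proxy port; check for an open HTTP proxy"),
}
MGMT_SERVICES = {("tcp", 22): "ssh", ("tcp", 443): "https"}

# Constructed scan of three routers: core, branch DSL, guest wireless.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="constructed sample">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="23"><state state="closed"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.0.2.30" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  </ports></host>
</nmaprun>"""


@dataclass
class HostReport:
    addr: str
    open_ports: list = field(default_factory=list)  # [(proto, port), ...]
    findings: list = field(default_factory=list)    # [(proto, port, name, why), ...]
    rules: list = field(default_factory=list)       # ACL lines, denies first


def parse_nmap_xml(xml_text):
    """Return {addr: [(proto, port), ...]} of open ports from nmap -oX output."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.append((port.get("protocol"), int(port.get("portid"))))
        hosts[addr_el.get("addr")] = sorted(ports)
    return hosts


def triage(hosts, mgmt_net="10.0.99.0 0.0.0.255"):
    """Flag risky services per host; mgmt_net is in Cisco wildcard form (assumption)."""
    reports = []
    for addr, ports in hosts.items():
        r = HostReport(addr, ports)
        permits = []
        for proto, port in ports:
            if (proto, port) in RISKY_SERVICES:
                name, why = RISKY_SERVICES[(proto, port)]
                r.findings.append((proto, port, name, why))
                r.rules.append(f"deny {proto} any host {addr} eq {port}")
            elif (proto, port) in MGMT_SERVICES:
                permits.append(f"permit {proto} {mgmt_net} host {addr} eq {port}")
        # Blocking cleartext ports on a box with no SSH/HTTPS listener locks out
        # remote administration: flag it before anyone applies the ACL.
        if r.findings and not permits:
            r.findings.append((None, None, "no-secure-mgmt",
                               "no SSH/HTTPS listener; arrange console/out-of-band access first"))
        r.rules.extend(permits)
        reports.append(r)
    return reports


def report_lines(reports):
    """Human-readable summary: one line per host, finding and rule."""
    out = []
    for r in reports:
        out.append(f"{r.addr}: {len(r.findings)} finding(s)")
        for proto, port, name, why in r.findings:
            out.append(f"  [{proto}/{port} {name}] {why}" if port else f"  [{name}] {why}")
        out.extend(f"  ACL: {rule}" for rule in r.rules)
    return out


if __name__ == "__main__":
    print("\n".join(report_lines(triage(parse_nmap_xml(SAMPLE_NMAP_XML)))))
```

Run against a real `-oX` file the script reports, per router, which cleartext or unnecessary services are exposed and the deny/permit lines to put in front of it; the "no-secure-mgmt" finding is the one to read before pasting any of those lines into a firewall, since it is exactly the remote DSL router case where a lockout means a site visit.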
The more time that passes, the clearer it becomes that a well-run information security program is more than just written policies that mandate acceptable computer usage, strong passwords, software patching and the like. Every nook and cranny of the network must eventually be inspected and locked down. Whether it's a core router at the heart of the network or a sole DSL router at a remote facility, everything is fair game for attack. Therefore, network and security admins have to remain vigilant and look at all systems eventually -- ideally sooner rather than later -- even those boring old routers.
About the author: Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Principle Logic LLC, based in Atlanta.