Determining access to the routers by administrators is an important issue.
There are two types of access: local and remote. Local access usually involves a
direct connection to a console port on the router with a dumb terminal or a
laptop computer. Remote access typically involves allowing telnet or SNMP
connections to the router from some computer on the same subnet or a different
subnet.
It is recommended to only allow local access because during remote access all
telnet passwords or SNMP community strings are sent in the clear to the router.
If an attacker can collect network traffic during remote access then he can
capture passwords or community strings. However, there are some options if
remote access is required.
- Establish a dedicated management network. The management network
should include only identified administration hosts and a spare interface on
each router. - Another method is to encrypt all traffic between the administrator’s
computer and the router. In either case a packet filter can be
configured to only allow the identified administration hosts access to the
router.
In addition to how administrators access the router, there may be a need to
have more than one level of administrator, or more than one administrative role.
Define clearly the capabilities of each level or role in the router security
policy. For example, one role might be “network manager”, and administrators
authorized to assume that role may be able to view and modify the configuration
settings and interface parameters.
Another role might be “operators”, administrators authorized to assume that
role might be authorized only to clear connections and counters. In general, it
is best to keep the number of fully privileged administrators to a minimum.
Periodically the router will require updates to be loaded for either the
operating system or the configuration file. These updates are necessary for one
or more of the following reasons: to fix known security vulnerabilities, to
support new features that allow more advanced security policies or to improve
performance.
Before updating, the administrator should complete some checks. Determine the
memory required for the update, and if necessary install additional memory. Set
up and test file transfer capability between the administrator’s host and the
router. Schedule the required downtime (usually after regular business hours)
for the router to perform the update.
After obtaining an update from the router vendor (and verifying its
integrity), the administrator should follow procedures similar to the following.
Shut down or disconnect the interfaces on the router. Back up the current
operating system and the current configuration file to the administrator’s
computer.
Load the update for either the operating system or for the configuration
file. Perform tests to confirm that the update works properly. If the tests are
successful then restore or reconnect the interfaces on the router. If the tests
are not successful then back out the update.
Logging on a router offers several benefits. Using the information in a log,
the administrator can tell whether the router is working properly or whether it
has been compromised. In some cases, it can show what types of probes or attacks
are being attempted against the router or the protected network.
Configuring logging on the router should be done carefully. Send the router
logs to designated a log host, which is a dedicated computer whose only job is
to store logs. The log host should be connected to a trusted or protected
network, or an isolated and dedicated router interface. Harden the log host by
removing all unnecessary services and accounts.
Set the level of logging on the router to one that meets the needs of the
security policy, and expect to modify the log settings as the network evolves.
The logging level may need to be modified based on how much of the log
information is useful. Two areas that should be logged are:
- matches to filter rules that deny access, and
- changes to the router configuration.
The most important thing to remember about logging is that logs must be
reviewed regularly. By checking over the logs periodically, you can gain a
feeling for the normal behavior of your network. A sound understanding of normal
operation and its reflection in the logs will help you to identify abnormal or
attack conditions.
Accurate timestamps are important to logging. All routers are capable of
maintaining their own time-of-day, but this is usually not sufficient. Instead,
direct the router to at least two different reliable time servers to ensure
accuracy and availability of time information.
Direct the logging host to the reliable time servers. Include a timestamp in
each log message. This will allow you to trace network attacks more credibly.
Finally, consider also sending the logs to write-once media or a dedicated
printer to deal with worst case scenarios (e.g. compromise of the log host).