Router Security

May 6, 2010
Part three of a continuing series on network security for physical security professionals

This is the third article of a series whose purpose is to provide experienced physical security practitioners with a comfortable familiarity with key aspects of computer and network security.

Network devices in standalone security networks have not always been sufficiently protected. One way to address network security for a physical security system is to enlist the help of the IT department in designing and managing the security system’s network according to corporate network standards. In many organizations, this is a mandate for security systems that will be connected to the corporate network. A basic understanding of the work that IT does to protect network devices can help facilitate that collaboration.

This article examines security for routers, whose function is to forward network data packets on from one network to a neighboring network, or between several interconnected networks.

Network Devices
The previous article introduced these concepts:

• Network Devices (such as switches and routers) have the primary function of managing network traffic. This means forwarding valid traffic to the appropriate next destination in the network, or not forwarding it if the traffic does not belong (such as not sending traffic for Accounting Department computers to Engineering Department computers).

• Network Management refers to the activities, methods, procedures and tools for the operation, administration, maintenance and configuration of the network equipment.

Network devices (such as switches and routers) handle the communication between computing devices (such as servers and PCs). In this article series, we use the term “computing devices” instead of “computers” because, as explained in the first article of the series, all devices on a network are computers. They have memory, processor chips, receive and send data, and take programmed actions on the data they send and receive. Instead of calling the devices “computers,” we name them based on the roles that they perform: PC, server, router, switch, firewall, and so on.

Safeguarding information involves protective measures for all of the computing devices and network devices that process, transmit or hold the information.

Information Security and CIA
Information security is concerned with three objectives regarding information, no matter what form the information takes on (physical, electronic, or human memory):

• Confidentiality: Allowing only the authorized individuals or computer systems to access the data;
• Integrity: Ensuring that information is not altered in transmission from source to destination, and that data is correct and up-to-date; and
• Availability: Making sure that information is available when needed.

These objectives are commonly referred to by their initials, “CIA,” and sometimes as the “CIA triad” or “CIA principle.” Achieving these objectives requires both physical security and IT security (also known as computer and network security). For example, failure to provide physical access control for a network closet containing network equipment may lead to problems with all three CIA objectives. Availability can be impacted by damage to or destruction of equipment. Unauthorized access to the equipment may result in data being copied or diverted, possibly resulting in a loss of confidentiality. IT security examines threats against computing and network devices, including routers, by how the threats could impact CIA.

The Role of Routers
Routers are a key network device. They handle sending data packets between two or more networks, such as LANs (local area networks), WANs (wide area networks) or an ISP’s (Internet service provider’s) network. Routers are fundamental to the operation of the Internet and other complex networks such as enterprise-wide corporate networks. Most security system networks, especially those connected to corporate networks, are dependent upon the continuing correct operation of one or more routers.

Routers forward data packets based on (a) the information in the data packet headers (equivalent to the sender’s name and address and recipient’s name and address for a letter sent through the post office) and (b) the information in the routers’ database, called a routing table, which contains the locations (network addresses) of other network devices and the most efficient network routes to them. Its routing table is how a router determines where to send a data packet next.

Routers that are connected together regularly share data with each other in order to keep their routing tables current. Network protocols called router protocols are used for this information exchange. Routing Information Protocol (RIP) is one such protocol. Which specific protocol is used depends upon the types of networks being connected by the routers, and how the networks are intended to talk to each other according to the plans of the network designers.

Due to the critical role that routers play, it is paramount to establish good security for routers.

Security for Routers
Securing a router requires controlling physical access to the router, and also preventing unauthorized logical access to the router. Logical access refers to logging on to the router’s user interface with a name and password (remember that routers are computers), which allows the logged on operator to make changes to how the router will operate.

To achieve the availability objective of CIA, physical security for a router involves more than just controlling physical access to the room or to the equipment rack in which the router resides. The room must be free of electrostatic or magnetic interference. Its temperature and humidity must be controlled. An uninterruptible power supply should be installed along with providing emergency power connections. For some installations, protection against lightning must also be installed.

Supporting both availability and integrity, routers must be properly set up and then monitored to ensure that their configurations do not change. There are software applications and third-party services for monitoring the configuration of network routers (as well as other network equipment).
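The configuration monitoring described above can be sketched as follows. This is an added example, not code from the article or from any monitoring product; it assumes Cisco IOS-style configuration text, and the sample configurations are constructed.

```python
import difflib
import hashlib
from itertools import islice

# Lines that change without any administrator action (assumed Cisco
# IOS-style "show running-config" output; adjust per platform).
VOLATILE = ("Building configuration", "Current configuration",
            "! Last configuration change", "! NVRAM config last updated",
            "ntp clock-period")

def normalize(config_text):
    """Strip trailing whitespace, blank lines and volatile lines."""
    lines = (raw.rstrip() for raw in config_text.splitlines())
    return [l for l in lines if l and not l.startswith(VOLATILE)]

def fingerprint(config_text):
    """SHA-256 of the normalized configuration, stored as the baseline."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()

def drift(baseline_text, current_text):
    """Return (changed, added, removed) relative to the approved baseline."""
    base, cur = normalize(baseline_text), normalize(current_text)
    # Skip the two file-header lines that unified_diff emits first.
    diff = islice(difflib.unified_diff(base, cur, lineterm="", n=0), 2, None)
    added, removed = [], []
    for d in diff:
        if d.startswith("+"):
            added.append(d[1:])
        elif d.startswith("-"):
            removed.append(d[1:])
    return base != cur, added, removed

# Constructed sample configurations (not from a real device).
BASELINE = """! Last configuration change at 09:14:02 UTC Mon Mar 1 2010
hostname sec-rtr-01
no ip http server
line vty 0 4
 transport input ssh
"""
TIMESTAMP_ONLY = BASELINE.replace("09:14:02 UTC Mon Mar 1", "10:30:00 UTC Tue Mar 2")
CURRENT = (TIMESTAMP_ONLY.replace("no ip http server", "ip http server")
           .replace("transport input ssh", "transport input telnet ssh"))

if __name__ == "__main__":
    changed, added, removed = drift(BASELINE, CURRENT)
    print("drift detected:", changed)
    for line in removed:
        print("  removed:", line)
    for line in added:
        print("  added:  ", line)
```

Ignoring the volatile lines keeps a timestamp-only difference from raising an alarm, while any change to an operative line is reported with the exact lines added and removed.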

How involved can configuring a router be? The routers used in today’s corporate networks contain a myriad of features. The National Security Agency has written a 300-page guide to securely configuring routers. (Search Google for NSA “Router Security Configuration Guide” 1.1c.) These 300 pages deal only with the security aspects of router setup, not with how to configure the router for the kind of network traffic to be supported, such as Voice over IP traffic or streaming corporate video. The configuration of routers and other network devices is much more involved than configuring access card readers or DVRs. All the devices of the network must be set up to work together to support the kinds of network traffic intended from one end of the network to the other.

A router is similar to many computers in that it has many features enabled by default. Many of these features are unnecessary and may be used by an attacker for information gathering or for exploitation. Just as default names and passwords in a router should be changed, unnecessary features enabled by default should be disabled in router configuration. Additionally, routers should only be managed via an encrypted connection. Router operating system software must be updated when necessary to fix known vulnerabilities. Corporate IT departments should have detailed standards describing the security requirements for routers.
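One way to check a configuration against such a standard is shown below. This is an added example, not taken from the article or from the NSA guide; it assumes Cisco IOS-style syntax, and the rule list is a constructed, deliberately short site standard, as are the two sample configurations.

```python
import re

# Constructed site standard for a Cisco IOS-style configuration (an assumption;
# a real standard is longer). REQUIRED switches off features that are on by
# default and therefore invisible in the config until explicitly disabled.
REQUIRED = {
    "no ip source-route": "source routing still enabled by default",
    "no cdp run": "CDP advertises device details to neighbours",
    "no ip bootp server": "BOOTP server still enabled by default",
}
FORBIDDEN = [
    (r"^ip http server\b", "unencrypted HTTP management enabled"),
    (r"^\s*transport input .*\b(telnet|all)\b", "unencrypted Telnet management allowed"),
    (r"^service (tcp|udp)-small-servers\b", "unnecessary small servers enabled"),
    (r"^snmp-server community (public|private)\b", "default SNMP community string"),
    (r"^enable password\b", "weakly protected enable password; use enable secret"),
]

def audit(config_text):
    """Return a sorted list of (evidence, reason) findings; empty means compliant."""
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip()]
    present = {l.strip() for l in lines}
    findings = [(f"missing '{req}'", why)
                for req, why in REQUIRED.items() if req not in present]
    for pattern, why in FORBIDDEN:
        findings += [(f"found '{l.strip()}'", why)
                     for l in lines if re.search(pattern, l)]
    return sorted(findings)

# Constructed sample configurations (not from a real device).
WEAK = """hostname sec-rtr-01
enable password example-only
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""
HARDENED = """hostname sec-rtr-01
enable secret 5 <hash-placeholder>
no ip source-route
no cdp run
no ip bootp server
no ip http server
snmp-server community <site-specific-string> RO
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for evidence, reason in audit(WEAK):
        print(f"{evidence}: {reason}")
```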

This article examined security measures to protect routers themselves; the next article will take a closer look at how some of the features in routers can be used to control access, resist attacks, shield other network components and protect the integrity and confidentiality of network traffic.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS).

Jim Litchko, CISSP-ISSEP, CAP, CMAS, is a senior information systems security author and strategic advisor. He has over twenty-five years’ experience assessing and developing information technology (IT) security solutions. He has held senior executive positions and advised executives at several of the largest commercial IT security companies. During his twenty-year Navy career as a surface warfare and cryptographic officer, he led efforts supporting military actions in the Atlantic, Pacific, European, Mediterranean, African, and Middle East Theaters of Operations. Since 1988, he has been an instructor for computer and network security at Johns Hopkins University, the MIS Training Institute, and the National Cryptologic School. Mr. Litchko has authored or co-authored the following books: KNOW Your Life, KNOW IT Security, KNOW Cyber Risk, and Cyber Threat Levels Response Handbook. He has over 20 years’ experience providing management, business development, and strategic planning support for corporate executives.