Router Security

Part three of a continuing series on network security for physical security professionals

The Role of Routers
Routers are a key network device. They handle sending data packets between two or more networks, such as LANs (local area networks), WANs (wide area networks) or an ISP’s (Internet service provider’s) network. Routers are fundamental to the operation of the Internet and other complex networks such as enterprise-wide corporate networks. Most security system networks, especially those connected to corporate networks, are dependent upon the continuing correct operation of one or more routers.

Routers forward data packets based on (a) the information in the data packet headers (equivalent to the sender’s name and address and recipient’s name and address for a letter sent through the post office) and (b) the information in the routers’ database, called a routing table, which contains the locations (network addresses) of other network devices and the most efficient network routes to them. Its routing table is how a router determines where to send a data packet next.

Routers that are connected together regularly share data with each other in order to keep their routing tables current. Network protocols called router protocols are used for this information exchange. Routing Information Protocol (RIP) is one such protocol. Which specific protocol is used depends upon the types of networks being connected by the routers, and how the networks are intended to talk to each other according to the plans of the network designers.

Due to the critical role that routers play, it is paramount to establish good security for routers.

Security for Routers
Securing a router requires controlling physical access to the router, and also preventing unauthorized logical access to the router. Logical access refers to logging on to the router’s user interface with a name and password (remember that routers are computers), which allows the logged on operator to make changes to how the router will operate.

To achieve the availability objective of CIA, physical security for a router involves more than just controlling physical access to the room or to the equipment rack in which the router resides. The room must be free of electrostatic or magnetic interference. Its temperature and humidity must be controlled. An uninterruptible power supply should be installed along with providing emergency power connections. For some installations, protection against lightning must also be installed.

Supporting both availability and integrity, routers must be properly set up and then monitored to ensure that their configurations do not change. There are software applications and third-party services for monitoring the configuration of network routers (as well as other network equipment).
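The kind of configuration monitoring described above can be sketched as follows. This is an added example, not code from the article or from any monitoring product; it assumes Cisco IOS-style configuration text, and the sample configs and the list of volatile lines are constructed for illustration.

```python
import difflib
import hashlib

# Auto-generated lines that change with no operator action (assumed list for
# an IOS-style config; tune per platform).
VOLATILE_PREFIXES = ("ntp clock-period",)

# Constructed sample configs, not taken from any real device.
BASELINE = """\
! Last configuration change at 10:01:00 UTC Mon Jan 1 2024
hostname edge-rtr-01
no ip http server
line vty 0 4
 transport input ssh
ntp clock-period 17179864
"""
CURRENT = """\
! Last configuration change at 03:12:44 UTC Tue Jan 2 2024
hostname edge-rtr-01
ip http server
line vty 0 4
 transport input telnet ssh
ntp clock-period 17179901
"""

def normalize(config_text):
    """Keep significant lines; drop blanks, '!' comments and volatile lines."""
    kept = []
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if stripped.startswith(VOLATILE_PREFIXES):
            continue
        kept.append(raw.rstrip())  # leading indent marks sub-commands, keep it
    return kept

def fingerprint(config_text):
    """SHA-256 over the normalized config, stored alongside the approved baseline."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()

def drift(baseline_text, current_text):
    """Return (added, removed) significant lines; two empty lists mean no drift."""
    if fingerprint(baseline_text) == fingerprint(current_text):
        return [], []
    delta = list(difflib.ndiff(normalize(baseline_text), normalize(current_text)))
    added = [d[2:] for d in delta if d.startswith("+ ")]
    removed = [d[2:] for d in delta if d.startswith("- ")]
    return added, removed
```

Normalizing before hashing keeps timestamp and clock lines from raising an alert on every poll, so any reported drift reflects an actual configuration change.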

How involved can configuring a router be? The routers used in today’s corporate networks contain a myriad of features. The National Security Agency has written a 300-page guide to securely configuring routers. (Search Google for NSA “Router Security Configuration Guide” 1.1c.) These 300 pages deal only with the security aspects of router setup, not with how to configure the router for the kind of network traffic to be supported, such as Voice over IP traffic or streaming corporate video. The configuration of routers and other network devices is much more involved than configuring access card readers or DVRs. All the devices of the network must be set up to work together to support the kinds of network traffic intended from one end of the network to the other.

A router is similar to many computers in that it has many features enabled by default. Many of these features are unnecessary and may be used by an attacker for information gathering or for exploitation. Just as default names and passwords in a router should be changed, unnecessary features enabled by default should be disabled in router configuration. Additionally, routers should only be managed via an encrypted connection. Router operating system software must be updated when necessary to fix known vulnerabilities. Corporate IT departments should have detailed standards describing the security requirements for routers.
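A baseline check for the two points above, features left at their defaults and management over an unencrypted connection, might look like this. It is an added example, not from the article or the NSA guide; it assumes Cisco IOS-style syntax, and the policy list and sample config are constructed for illustration.

```python
# Site policy (assumed for this example): features that must be explicitly
# disabled. A feature that is on by default does not appear in the config at
# all, so the audit looks for the "no ..." line rather than for the feature.
REQUIRED_DISABLES = [
    "no ip http server",
    "no ip source-route",
    "no service pad",
    "no ip bootp server",
    "no cdp run",
]

# Constructed sample config, not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no ip source-route
no service pad
ip http server
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def audit(config_text):
    """Return findings for an IOS-style config; an empty list means it passes."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    top_level = {l for l in lines if l and not l.startswith((" ", "!"))}
    findings = [f"missing '{cmd}' (feature left at default)"
                for cmd in REQUIRED_DISABLES if cmd not in top_level]
    section = None
    vty_transport = {}  # "line vty ..." header -> list of allowed protocols
    for l in lines:
        if l and not l.startswith(" "):  # a top-level line ends any section
            section = l if l.startswith("line vty") else None
            if section:
                vty_transport[section] = None
        elif section and l.strip().startswith("transport input"):
            vty_transport[section] = l.split()[2:]
    for sec, protos in vty_transport.items():
        if protos is None:
            findings.append(f"{sec}: no 'transport input' set, platform default applies")
        elif protos != ["ssh"]:
            findings.append(f"{sec}: remote management allows {' '.join(protos)}, expected ssh only")
    return findings
```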

This article examined security measures to protect routers themselves; the next article will take a closer look at how some of the features in routers can be used to control access, resist attacks, shield other network components and protect the integrity and confidentiality of network traffic.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS).

Jim Litchko, CISSP-ISSEP, CAP, CMAS, is a senior information systems security author and strategic advisor. He has over twenty-five years of experience assessing and developing information technology (IT) security solutions. He has held senior executive positions and advised executives at several of the largest commercial IT security companies. During his twenty-year Navy career as a surface warfare and cryptographic officer, he led efforts supporting military actions in the Atlantic, Pacific, European, Mediterranean, African, and Middle East Theaters of Operations. Since 1988, he has been an instructor for computer and network security at Johns Hopkins University, the MIS Training Institute, and the National Cryptologic School. Mr. Litchko has authored or co-authored the following books: KNOW Your Life, KNOW IT Security, KNOW Cyber Risk, and Cyber Threat Levels Response Handbook. He has over 20 years of experience providing management, business development, and strategic planning support for corporate executives.