3.1.2 Routers (Page 3 of 3)

Security Issues with Routers

Routers communicate using special protocols known as routing protocols, which include standard protocols like RIP, RIPv2, OSPF and BGP, and vendor-defined protocols like Cisco's IGRP. These protocols, like many other Internet protocols, have security vulnerabilities, particularly in the area of spoofing. For example, RIP (v1) can be easily spoofed because its messages are not authenticated, so anyone can send update messages via RIP; RIPv2 relies on optional clear text authentication, transmitting passwords across the network where they can be intercepted and used in later spoofing attacks. Even OSPF can be spoofed if the protocol is not used in cryptographic authentication mode.

Once you've succeeded in spoofing a router message, you can do a number of things, like redirect switched network traffic to other segments so that it can be sniffed, create a "black hole" denial of service attack by advertising a non-existent router with a priority route for all traffic, etc.

Generally, the stronger the protocol's authentication is, the less vulnerable it is to spoofing. Of course, this implies that those with access to router passwords maintain their confidentiality. In keeping with the evolution of the Internet, later protocols tend to incorporate better authentication than earlier ones. When you have a choice, opt for these newer protocols like OSPF, and use the authentication features they provide.

Like firewalls, routers are implemented substantially in software, and from time to time, security issues are found in that software. Therefore, the guidelines we offered for firewalls also apply to routers: watch for software updates and install them when they are available, and subscribe to vendor security bulletin lists and other security discussion lists.

Also, similar to firewalls, routers can be challenging to configure properly. Be sure that your network administrators with router configuration responsibility have been trained on proper techniques, and possibly even certified by your router's vendor as having satisfactory knowledge of router administration. Also make sure that you have changed all default passwords. You should turn off SNMP unless you know that your device is not vulnerable to recent SNMP issues, and if you don't turn off SNMP, remember to change the SNMP community name.

Reasons you want your routers to be secure include the fact that a compromised router can help someone mask their identity, create sniffing situations and just in general cause packet-routing chaos by changing access control lists, NAT settings, static routes between networks and subnets (which can facilitate MITM attacks), etc. [270]
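An added example, not part of the original guide: a short Python check that scans a router configuration for the weaknesses named above (RIPv1, clear-text RIPv2 or OSPF authentication, default SNMP community names). It assumes Cisco IOS-style syntax; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed IOS-style sample config (assumption: Cisco IOS syntax; not from a real device).
SAMPLE = """\
interface Gi0/0
 ip rip authentication mode text
interface Gi0/1
 ip ospf authentication message-digest
interface Gi0/2
 ip ospf authentication
router rip
 version 1
snmp-server community public RO
"""

def blocks(config):
    """Yield (header, [indented child lines]) for each top-level config line."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # skip blank lines and IOS "!" separators
        if line.startswith(" "):
            children.append(line.strip())
        else:
            if header is not None:
                yield header, children
            header, children = line.strip(), []
    if header is not None:
        yield header, children

def audit(config):
    """Return (location, finding) pairs for the weaknesses the section describes."""
    findings = []
    for header, body in blocks(config):
        # Without an explicit "version 2" line, IOS sends RIPv1 updates by default.
        if header == "router rip" and "version 2" not in body:
            findings.append((header, "RIPv1 in use: updates are unauthenticated"))
        if header.startswith("interface "):
            if "ip rip authentication mode text" in body:
                findings.append((header, "RIPv2 clear-text authentication"))
            # Exact match: the message-digest (cryptographic) form is a different line.
            if "ip ospf authentication" in body:
                findings.append((header, "OSPF simple-password (clear-text) authentication"))
        m = re.match(r"snmp-server community (\S+)", header)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append((header, "default SNMP community name"))
    return findings

if __name__ == "__main__":
    for where, what in audit(SAMPLE):
        print(f"{where}: {what}")
```

An empty result only means none of these specific patterns were found; it does not show that every routing interface has authentication enabled.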
__________________
270. Anonymous, Maximum Security, Sams, June 2001, http://www.nerdbooks.com/item.html?id=0672318717
271. http://www.aaws25.hemscott.net/Default%20password%20list.htm
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com Version 1.0 - Version Date: November 15, 2004 Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.