Tuesday, September 16, 2014

Secure the Router - Part 1


YOUR ROUTER, able to TELNET via INTERNET?
READ THIS BEFORE YOU SLEEP


Some enterprise routers are open to telnet from the internet (on an interface with a public ip).
The likely reason is that the implementer did not have sufficient security knowledge.
This means someone can easily attack the router and take control of it.
Once the router is compromised the whole LAN is at risk, because the attack can be extended to other network devices from the router's LAN ip (LAN ip = trusted ip).

The best practice is: DO NOT expose the management plane on public-facing interfaces.

If remote access via a public ip is a must, use SSH and lock down the source public ip address.

The following Cisco IOS configuration is one mitigation technique against those attacks.

! define the access-list
! in this example only one host is allowed to open a remote management (SSH) session
! (the permitted address can be a public or a private ip)
access-list 1 permit 10.10.10.10
access-list 1 deny any
!
! apply the access-list to the vty lines, allow SSH only, and time out idle sessions
! assumes a local username and the SSH prerequisites (hostname, domain-name, crypto key) are already configured
line vty 0 4
 access-class 1 in
 transport input ssh
 exec-timeout 5 0
 login local
end
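To check whether a router already has these settings, a defender can audit the running-config text for vty blocks that lack an inbound access-class, still permit telnet, or have no exec-timeout. This is an added example, not from the original post; the config text below is constructed, with one weak and one hardened vty block.

```python
"""Audit Cisco IOS running-config text for exposed vty (remote management) lines."""
import re

# Constructed sample running-config: "line vty 0 4" is weak, "line vty 5 15" is hardened.
SAMPLE_CONFIG = """\
hostname edge-rtr
access-list 1 permit 10.10.10.10
access-list 1 deny any
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class 1 in
 transport input ssh
 exec-timeout 5 0
 login local
!
end
"""

def parse_vty_blocks(config):
    """Return {'vty 0 4': [indented child lines], ...} from running-config text."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks

def audit_vty(config):
    """Return a list of (vty_name, finding) tuples, one per weakness found."""
    findings = []
    for name, lines in parse_vty_blocks(config).items():
        if not any(re.match(r"access-class \S+ in\b", l) for l in lines):
            findings.append((name, "no inbound access-class"))
        transports = [l for l in lines if l.startswith("transport input")]
        if not transports:
            findings.append((name, "transport input not set (default may allow telnet)"))
        elif any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append((name, "telnet permitted"))
        if not any(l.startswith("exec-timeout") for l in lines):
            findings.append((name, "no exec-timeout"))
    return findings

if __name__ == "__main__":
    for vty, finding in audit_vty(SAMPLE_CONFIG):
        print(f"line {vty}: {finding}")
```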



Notes:
Attack = brute-force attack / dictionary attack / ...
LAN ip = trusted ip
other network devices = core_switch / access_switch / routers / servers / ...
