SoFunction
Updated on 2025-04-09

Nine steps to secure router settings

For most enterprise LANs, the router has become one of the most important security devices in use. Generally speaking, most networks have one primary access point. This is the "border router", which is usually used together with a dedicated firewall.

With proper setup, an edge router can keep almost all of the most stubborn bad guys out of the network. It can also let the good guys into the network if you want it to. However, a router that is not set up properly is only slightly better than having no security measures at all.

In the following guide, we will look at 9 convenient steps you can use to protect your network. These steps will ensure that you have a brick wall protecting your network, rather than an open door.

1. Modify the default password! 

According to Carnegie Mellon University's CERT/CC (Computer Emergency Response Team/Coordination Center), 80% of security breaches are caused by weak passwords. Extensive lists of the default passwords for most routers are available on the Internet. You can be sure that someone, somewhere, will know your birthday. The website maintains a detailed list of passwords that should and should not be used, as well as a password strength test.

2. Turn off IP Directed Broadcast 

Your server is very obedient: it does whatever it is told, no matter who sends the instructions. A Smurf attack is a denial-of-service attack in which the attacker uses a spoofed source address to send an "ICMP echo" request to your network's broadcast address. This requires every host to respond to the broadcast request. At a minimum, this degrades your network performance.

Refer to your router documentation to learn how to turn off IP directed broadcast. On a Cisco router, for example, the interface-level command "Central(config-if)#no ip directed-broadcast" turns it off; the command "Central(config)#no ip source-route" disables IP source routing instead (see step 5).

3. If possible, turn off the router's HTTP settings

As Cisco's technical notes briefly state, the authentication protocol used by HTTP is equivalent to sending an unencrypted password across the entire network. Unfortunately, the HTTP protocol has no effective provision for verifying passwords or for one-time passwords.

While this unencrypted password may be very convenient for setting up your router from a remote location (such as from home), whatever you can do, others can do too, especially if you are still using the default password! If you have to manage your router remotely, make sure to use SNMPv3 or later, as it supports stronger passwords.

4. Block ICMP ping request 

The main purpose of ping is to identify hosts that are currently in use. For that reason, ping is often used for reconnaissance ahead of larger, coordinated attacks. By removing remote users' ability to get a response to ping requests, you are more likely to be passed over by unattended scans and by "script kiddies" looking for easy targets.

Note that doing so does not actually protect your network from attack; it does, however, make you a less likely target.

5. Turn off IP source routing 

The IP protocol allows a host to specify the route its packets take through your network, rather than letting the network components determine the best path. The legitimate use of this feature is diagnosing connection failures, but it is rarely used for that. Its most common use is to map your network for reconnaissance purposes, or by attackers seeking a backdoor into your private network. Unless this feature is needed specifically for diagnosing failures, it should be turned off.

6. Determine your packet filtering requirements 

There are two approaches to blocking ports. Which one is appropriate for your network depends on the level of security you require.

Highly secure networks, especially those that store or hold confidential data, usually call for "filter by permit". Under this scheme, all ports and IP addresses are blocked except those required for network functions. For example, port 80 for web traffic and ports 110/25 for SMTP are allowed from specified addresses, while all other ports and addresses are closed.

Most networks will get an acceptable level of security from a "filter by deny" scheme. With this filtering policy, you strengthen your network's security by blocking ports that your network does not use and ports commonly used by Trojan horses or reconnaissance activity. For example, blocking ports 139 and 445 (TCP and UDP) makes it harder for hackers to carry out enumeration attacks on your network. Blocking port 31337 (TCP and UDP) makes it harder for Back Orifice Trojans to attack your network.

This work should be done during the network planning stage, and the required security level should match the needs of the network's users. Consult a list of these ports to learn what they are normally used for.

7. Establish address filtering policies for inbound and outbound traffic

Set up policies on your border router that filter security violations entering and leaving the network based on IP address. Except in special and unusual cases, every IP address that tries to reach the Internet from inside your network should be an address assigned to your LAN. For example, the address 192.168.0.1 may legitimately access the Internet through this router. The address 216.239.55.99, however, is very likely spoofed and part of an attack.

Conversely, the source address of traffic arriving from outside, on the Internet, should never be part of your internal network. Therefore, addresses in 192., 172. and other such networks should be blocked.

Finally, all traffic whose source or destination address is reserved or unroutable should be blocked from passing through this router. This includes the loopback address 127.0.0.1 and the class E address segment 240.0.0.0-254.255.255.255.

8. Keep the router physically secure 

From the perspective of network sniffing, routers are safer than hubs. This is because a router intelligently routes packets according to their IP address, while a hub broadcasts data to all nodes. If a system connected to that hub puts its network adapter into promiscuous mode, it can receive and see all of that broadcast traffic, including passwords, POP3 traffic, and web traffic.

It is therefore important to make sure that physical access to your network devices is secure, to prevent unauthorized sniffing devices such as laptops from being placed on your local subnet.

9. Take time to review security records 

Reviewing your router logs (via its built-in firewall functionality) is the most effective way to detect security incidents, both attacks in progress and signs of future attacks. Using the logs, you can also find Trojan horses and spyware programs that are trying to establish outbound connections. An attentive security administrator can detect attacks from the "Code Red" and "Nimda" viruses before the virus spreader responds.

In addition, the router is generally located at the edge of your network, which lets you see all traffic entering and leaving it.
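A log review of the kind described in step 9 can be automated. The following is an added example, not code from the original article; the log format, the LAN prefix, the outbound port policy and the sample lines are all constructed for illustration. It flags internal hosts connecting out on unexpected ports and external sources with repeated denied probes.

```python
import ipaddress
import re
from collections import Counter, defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed internal prefix
ALLOWED_OUT_PORTS = {25, 53, 80, 110, 443}     # assumed outbound policy

# Constructed sample log lines in a hypothetical format.
SAMPLE_LOG = """\
2025-04-09T10:00:01 PERMIT TCP 192.168.0.12:51000 -> 198.51.100.20:443
2025-04-09T10:00:04 DENY TCP 203.0.113.5:40122 -> 192.168.0.10:445
2025-04-09T10:00:05 DENY TCP 203.0.113.5:40123 -> 192.168.0.11:445
2025-04-09T10:00:06 DENY TCP 203.0.113.5:40124 -> 192.168.0.12:139
2025-04-09T10:00:09 PERMIT TCP 192.168.0.33:49877 -> 198.51.100.99:31337
2025-04-09T10:00:15 PERMIT UDP 192.168.0.12:53124 -> 198.51.100.53:53
this line is malformed and is skipped
"""

LINE = re.compile(
    r"^(\S+) (PERMIT|DENY) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def review(log_text, probe_threshold=3):
    """Return (outbound_suspects, inbound_scanners) found in the log."""
    outbound = defaultdict(set)  # internal host -> {(dst, port)} on odd ports
    denied = Counter()           # external source -> denied inbound attempts
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _ts, action, _proto, src, _sport, dst, dport = m.groups()
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # looks like an address but is not one
        dport = int(dport)
        if src_ip in LAN and dport not in ALLOWED_OUT_PORTS:
            outbound[src].add((dst, dport))
        elif src_ip not in LAN and action == "DENY":
            denied[src] += 1
    scanners = {ip: n for ip, n in denied.items() if n >= probe_threshold}
    return dict(outbound), scanners


if __name__ == "__main__":
    suspects, scanners = review(SAMPLE_LOG)
    print("unexpected outbound connections:", suspects)
    print("repeated denied probes:", scanners)
```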