Five Best Practices for Securing Network Device Management Functions
Network devices like routers, switches, firewalls and load balancers are the backbone of your network. They provide connectivity between your users and services, and the two are interdependent: you cannot have a network without users and services, and you cannot connect your users to their services without a network. As a result, network devices are prime targets for hackers looking to snoop on sensitive data or disrupt your services to cause you financial loss or harm your reputation.
When it comes to securing management functions on your network device, it is important to weigh the value of the security with how it impacts overall ease of management, erring toward ensuring that your devices are configured securely. This post provides best practice guidance around five areas that administrators can follow to effectively secure network devices and limit their exposure to hacks:
- Securing administrative access to the network device with strong authentication and authorization that can be audited
- Securing management protocols
- Securing control plane protocols
- Disabling unnecessary services
- Remotely monitoring the network device
Also, it should be noted that many network vendors release hardening guides for each of their platforms that provide in-depth recommendations on each protocol the device may run. Leveraging those guides in addition to the best practice guidelines provided in this post will enable you to further secure your network devices.
Best Practice #1: Securing Administrative Access
Regardless of the size of your organization, it is important to ensure that access to, and changes on, your network devices are attributable to a specific individual or system (in the case of service accounts). While the option of creating a shared user account (e.g., the “admin” username) might be the easy option, a shared local credential on a network device should only ever be used when a remote AAA server is not reachable and should only be known by a few critical people in your IT organization, such as managers.
Using a remote AAA server and a protocol such as TACACS+, RADIUS or LDAP allows specific logins and changes to be attributed to an ID that only a single individual or system uses. These systems provide granular control over what tasks an ID can perform on your network devices, as well as logging capabilities that enable you to audit those tasks. Roles should be assigned in a fashion that limits an ID specifically to the tasks for which it is intended to be used. For example, a service account used to back up the configuration should have read-only access to the configuration and nothing more, a junior engineer should have the ability to view status information for troubleshooting and perform specific types of changes, and so on.
Best Practice #2: Securing Management Protocols
Network devices run a broad range of management protocols that permit administrative access, supporting functions like SNMP, and discovery protocols like CDP and LLDP. Security best practices for such protocols are as follows:
- Ensuring that administrative access is permitted only from trusted hosts on the network will lower security exposure. By having redundant security zones/DMZs where management stations are located, you can configure a network device to only permit remote management access from those zones on the management protocols you want to enable (e.g., SSH, HTTP/S, REST, etc.). By not allowing any and all hosts on your network to remotely access a particular network device, the attack surface of that device is reduced.
- SNMP is a common management protocol used by monitoring platforms to obtain data from, and to configure, your network device. However, versions of SNMP earlier than SNMP Version 3 are insecure: authentication information and data are sent in clear text, often protected only by an ACL associated with the SNMP process. SNMP Version 3 should be used, as it provides mechanisms to ensure that only approved management platforms/users can communicate with the device (authentication), and that data cannot be modified (integrity) or read (encryption) in transit.
- Malicious actors can use information disclosed by your network device to identify how that device may be susceptible to attacks. Protocols such as Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) are often used for exchanging information between connected devices, allowing the network device to adjust features based on the information received. However, CDP and LLDP can also result in information leakage if enabled on devices and interfaces that connect to untrusted segments of the network. By configuring CDP and LLDP explicitly on the interfaces that they are required for and only to trusted hosts, you can limit the ability for your network device to be profiled.
Best Practice #3: Securing Control Plane Protocols
Control plane protocols are what enable a network device to service the traffic that is traversing the device. Examples of these are ARP, routing protocols (e.g., BGP, OSPF, etc.) and spanning-tree. These protocols are often the target of denial-of-service (DoS) attacks which can disrupt your business. If your control plane protocols become unstable, the result will be poor performance or complete loss of connectivity between your users and the services critical to your business.
Understanding each protocol and how to secure it will help reduce the ability of a malicious actor to disrupt services provided by your network devices. Examples are dynamic ARP inspection to avoid poisoning of ARP caches, enabling authentication of routing protocol neighbors, and BPDU protection on switchports that should only connect to devices that do not participate in spanning-tree.
In addition to the security configuration of each control plane protocol, many network devices provide a means for control plane policing/protection (CoPP/CPPr), usually enabled with default values that work in most cases. This allows a network device to filter incoming control plane protocol messages and limit the rate at which these messages can arrive, thus preventing a protocol process and the management plane CPU from becoming overwhelmed and susceptible to a DoS attack.
Best Practice #4: Disabling Unnecessary Services
Any function/protocol that a network device is running is an attack vector for a hacker. Many devices have default functions that are enabled out of the box but which may not be necessary for you to run. An example of this is Smart Install / zero-touch provisioning (ZTP) services, which are enabled by default. If your deployment strategy does not rely on ZTP, the feature should be disabled immediately.
Each software version for your network device may have different default services enabled, so it is important to review those services when identifying which software version to run. Identifying which are necessary and which should be disabled will help secure your network device.
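As an added example (not code from this post or from Optanix), the following Python audit reads an IOS-style running configuration and reports the gaps that Best Practices #1, #2 and #4 describe: no remote AAA, SNMP v1/v2c communities, vty lines without a source ACL, CDP running globally, and Smart Install not explicitly disabled. The configuration is a constructed sample; the command syntax is assumed Cisco IOS, and the ACL name and interface names are placeholders.

```python
import re

# Constructed IOS-style running config (placeholder names, not from a real device).
SAMPLE_CONFIG = """\
no aaa new-model
snmp-server community public RO
snmp-server group NMS v3 priv
cdp run
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/24
 no cdp enable
line vty 0 4
 access-class MGMT-HOSTS in
line vty 5 15
 transport input ssh
"""

def parse_blocks(config):
    """Split the config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(config):
    """Return (area, message) findings for best practices 1, 2 and 4."""
    blocks = parse_blocks(config)
    top = {h for h, _ in blocks}
    findings = []
    if "aaa new-model" not in top:  # practice 1: access must be attributable via remote AAA
        findings.append(("aaa", "no 'aaa new-model'; logins rely on shared local accounts"))
    for h in top:  # practice 2: SNMP v1/v2c sends community strings and data in clear text
        if m := re.match(r"snmp-server community (\S+)", h):
            findings.append(("snmp", f"v1/v2c community '{m.group(1)}' present; use SNMPv3"))
    for h, body in blocks:  # practice 2: remote management only from trusted hosts
        if h.startswith("line vty") and not any(c.startswith("access-class") for c in body):
            findings.append(("mgmt-acl", f"'{h}' has no inbound access-class"))
    if "cdp run" in top:  # practice 2: CDP only on the interfaces that need it
        on = [h for h, b in blocks if h.startswith("interface") and "no cdp enable" not in b]
        findings.append(("cdp", "CDP enabled globally; still active on: " + ", ".join(on)))
    if "no vstack" not in top:  # practice 4: Smart Install stays on unless disabled
        findings.append(("services", "Smart Install not disabled ('no vstack' missing)"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` yields one finding per area; a configuration that uses remote AAA, SNMPv3 only, a vty access-class, `no cdp run` and `no vstack` yields none.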
Best Practice #5: Monitoring Your Network Device
Finally, both manual and automated monitoring of your network device is critical. By manually checking for new software releases or security advisory notifications on a regular basis and reacting accordingly, you can keep your device up to date with the latest recommended software versions and configurations. This will reduce the odds of your device coming under attack.
Automated monitoring of your network devices is an important function as well. It should be done with the use of an IT management platform that is effectively secured. Such management platforms will alert you to abnormalities with your network devices, allowing an administrator to react and implement a workaround to restore any affected services, then implement any permanent fixes to bring the device back into service. These management platforms are also prime targets for hackers – check out our blog post “Four Best Practices for Securing Your IT Management Platform From a Senior Engineer” for best practice guidance around four areas that administrators can follow to effectively secure IT management platforms and limit their exposure to hacks.
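As an added example (not from this post or any Optanix product), the following Python snippet shows the kind of attribution check an automated monitoring platform can run over device syslog, tying Best Practice #5 back to #1 and #2: it flags configuration changes made with the shared local account, changes sourced from outside the management zone, and repeated failed logins from one source. The syslog lines are constructed in IOS message format, and the management subnet, shared account name and failure threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

MGMT_ZONE = ipaddress.ip_network("10.10.0.0/24")  # assumed management DMZ (constructed)
SHARED_ACCOUNTS = {"admin"}                         # local break-glass account names
FAILED_LOGIN_THRESHOLD = 3                          # assumed alerting threshold

# IOS-style syslog messages: config changes carry the user, line and source address;
# failed logins carry the attempted user and the source address.
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on (\S+) \(([\d.]+)\)")
LOGIN_FAIL_RE = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[user: (\S+)\] \[Source: ([\d.]+)\]")

# Constructed sample syslog lines; hostnames and addresses are placeholders.
SAMPLE_SYSLOG = """\
Mar  3 10:02:11 edge-sw1 101: %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.10.0.5)
Mar  3 10:03:01 edge-sw1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.9] [localport: 22] [Reason: Login Authentication Failed]
Mar  3 10:03:04 edge-sw1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.9] [localport: 22] [Reason: Login Authentication Failed]
Mar  3 10:03:07 edge-sw1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.9] [localport: 22] [Reason: Login Authentication Failed]
Mar  3 10:05:40 edge-sw1 105: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.0.2.9)
Mar  3 10:06:15 edge-sw1 106: %SYS-5-CONFIG_I: Configured from console by backup-svc on vty2 (10.10.0.20)
"""

def analyze(lines):
    """Return (alert_type, user, source) tuples for events that violate practices 1 and 2."""
    alerts, failures = [], Counter()
    for line in lines:
        if m := CONFIG_RE.search(line):
            user, _vty, src = m.groups()
            if user in SHARED_ACCOUNTS:  # practice 1: the change is not attributable to a person
                alerts.append(("shared-account-change", user, src))
            if ipaddress.ip_address(src) not in MGMT_ZONE:  # practice 2: outside trusted zone
                alerts.append(("change-from-untrusted-source", user, src))
        elif m := LOGIN_FAIL_RE.search(line):
            user, src = m.groups()
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_THRESHOLD:  # alert once per source
                alerts.append(("repeated-login-failures", user, src))
    return alerts
```

The sample produces three alerts, all tied to the same source address, which is the correlation an operator would want before treating the change as legitimate.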
This blog post was authored by Brian Yaklin, a senior member of Optanix’s route/switch engineering team. It is part of a series of posts by Optanix engineers focusing on the importance of security in the IT management space.