5.3.4 Adhere to the steps to harden a router.
For most enterprise LANs, the router has become one of the most critical security appliances in use. Configured properly, it can keep all but the most determined bad guys out, and if you want, it can even keep the good guys in. But an improperly configured router is only marginally better than having no security in place at all. This expert tip presents nine easy steps that you can take to ensure that your router is adequately protected, so that a brick wall, not an open door, is guarding your network.
Disable IP directed broadcasts
Your router is obedient. It will do what it's told, no matter who's doing the telling. A Smurf attack is a version of a Denial of Service (DoS) attack in which an attacker sends an ICMP echo request to your network's broadcast address using a spoofed source address. This causes all the hosts to respond to the broadcast request, which will slow down your network. Disabling directed broadcasts stops the router from forwarding such a request onto the LAN in the first place.
Disable HTTP configuration for the router, if possible
As outlined in a Cisco Tech Note, "The authentication protocol used for HTTP is equivalent to sending a cleartext password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords."
Change the default password!
According to CERT/CC at Carnegie Mellon University, 80% of security incidents are caused by weak passwords. Extensive lists of default passwords are available online for most routers, and you can be sure that someone, somewhere knows your birthday. SecurityStats.com maintains a thorough do/don't list for passwords, as well as a password strength test.
Disable IP source routing
The IP protocol allows a host to specify the packet's route through your network, instead of allowing the network components to determine the best path. The only legitimate use that you may come across for this feature is to troubleshoot connections, but this is rare. It is far more commonly used to map your network for reconnaissance purposes, or by an attacker attempting to locate a backdoor into your private network. Unless specifically needed for troubleshooting, this feature should be disabled.
Determine your packet filtering needs
There are two philosophies to blocking ports, and which one is appropriate for your network depends on the level of security that you require.
80 for web traffic and 110/25 for SMTP can be allowed to come from a dedicated address, while all other ports and addresses can be disabled.
Block ICMP ping requests
The primary purpose of a ping request is to identify hosts that are currently active. As such, it is often used as part of reconnaissance activity preceding a larger, more coordinated attack. By removing a remote user's ability to receive a response from a ping request, you are more likely to be passed over by unattended scans or by "script kiddies," who generally will look for an easier target.
Establish Ingress and Egress address filtering policies
Establish policies on your border router to filter security violations both outbound (egress) and inbound (ingress) based on IP address. Except for unique and unusual cases, all IP addresses that are attempting to access the Internet from inside of your network should bear an address that is assigned to your LAN. For instance, 192.168.0.1 may have a legitimate need to access the Internet through the router, but 22.214.171.124 is most likely to be spoofed, and part of an attack.
Maintain physical security of the router
A router is much more secure than a hub, especially from network sniffing. This is because a router intelligently routes packets based on IP destination, whereas a hub broadcasts the data to all nodes. If one system connected to that hub places its network adapter in promiscuous mode, it is able to receive and view all broadcasts, including passwords, POP3 traffic and web traffic.
Take the time to review the security logs
Reviewing your router's logs (via its built-in firewall functions) is often the most effective way to identify security incidents, both in-progress attacks and indicators of upcoming attacks. Using outbound logs, you can also identify Trojans and spyware programs that are attempting to establish an outbound connection. Attentive security administrators were able to identify the Code Red and Nimda attacks before antivirus publishers were able to react.