When you look at the threat landscape today and the organizations that have experienced a data breach (Target, Home Depot, Arby’s), they all have a common denominator – they were all compliant. They had been checking the boxes like they were asked to do. So, when it seems that compliance isn’t enough, how can we ensure that we are secure? Organizations today should use these examples as motivation to focus on maintaining a secure environment. If you’re secure, compliance will always fall into place. However, just because you’re compliant, doesn’t necessarily mean you’re secure. Let’s start the conversation by discussing best practices for managing our firewalls and routers, and essentially our networking gear as a whole. When it comes to managing firewall and router security, we will be focusing on three main areas: physical devices, running operating systems, and secure traffic rules.
Managing the Security of Physical Devices
Managing the security of a device goes much further than the device itself. Here are several elements of physical device management:
- Establish a formal change control program. We, as an organization, need to be aware of any changes made to a system, whether it’s making a change to the Access Control List (ACL), installing a new operating system, or installing a new device. This program needs to be defined and documented in the policies and procedures.
- Assign responsibility for the management of devices. Is someone with a trained eye and the proper credentials reviewing your firewall and router configurations? Are you monitoring whether your operating system is current and not susceptible to known vulnerabilities?
- Define acceptable use policies and procedures for your assets. Are the rules you’ve established appropriate and required for your business? Are they secure? Those managing your assets should be trained in that particular area, and the access must be necessary for them to perform their business function.
- Define acceptable technologies and acceptable locations to place them in. We wouldn’t want to put a wireless device or wireless access point in the core of our environment and leave it unprotected. Established policies that define where it is appropriate to put a firewall or router are critical for managing the security of physical devices.
- Perform periodic review of the configurations. As the industry changes, so does the risk posture. We need to constantly evaluate these network devices, including firewalls, routers, switches, and wireless access points (WAPs), as the risks change on a daily basis.
- Ensure that devices are physically secured from unauthorized access. It’s important to ensure that we’re physically securing these devices from any and all unauthorized access. If a hacker can get physical access to a device, it’s game over. At that point, they will have the ability to reset usernames and passwords, and gain physical and logical access to your assets.
- Secure the cables that connect into and out of devices. Securing the cables that connect devices to and from the network is important to prevent unauthorized access such as port sniffing or a similar malicious attack. Be sure the controls you have in place take these cables into account.
- Limit the ability to directly console the devices. With a network device, there are multiple ways to gain access. We need to make sure that anyone who needs access to certain assets to perform their job has it, but everyone else should be denied. Access controls are essential for keeping people outside, or within, the organization who have no business doing so from accessing your assets.
- Minimize out-of-band access points. Minimize any unnecessary exposure to assets by limiting out-of-band access points. Logging and monitoring traffic can help you know exactly who is accessing your network and what they’re doing.
Managing Operating System Security
When it comes to managing your firewall and router, it’s critical that you are properly managing your operating system. Here are several musts when it comes to managing operating system security.
- Limit logical access. When looking at the operating system, we must limit logical access by applying a policy of least privilege.
- Maintain a detailed set of hardening standards. This is a critical practice. Organizations must maintain a set of hardening standards, regardless of the organization’s size. It may be helpful to understand that the industry has already vetted the types of hardening controls that you should apply to your organization, so you don’t have to start from scratch. Ask yourself, “are my firewalls and routers up to standard?” A review of your firewall and router configurations should include reviewing standards such as NIST, SANS, NSA, etc.
- Configure logging. From an audit perspective, we see this missing a lot in different environments. Your organization should be able to identify when any administrative changes have been made in order to determine if something is a security incident, or appropriate use.
- Change the defaults. Always change vendor defaults. This means passwords and SNMP community strings should be set to complex values. Passwords should be at least 13 characters in length, both alpha and numeric, including both upper and lowercase. Password recovery should be disabled and the maximum login attempts should be no more than three.
- Ensure strong encryption. There are numerous encryption protocols that are no longer considered secure. If you don’t know what you’re supporting, chances are you are supporting an insecure version. Disable web-based management if you aren’t using it, and if you are, validate that the certificate is strong and accepted (TLS v1.2). Disable telnet and other cleartext protocols and use SSH v3 where possible. It’s also best practice to establish a VPN.
- Keep it updated. Update and patch your router and firewall operating systems on a regular basis. You don’t always need to update your router and firewall just because there is a new operating system available; however, if the OS you’re running is found to have vulnerabilities, you should. Also, be sure to include all networking devices in your patching schedule.
- Establish remote access console timeout. A timeout of 15 minutes or less is a best practice, just as it is for locking your workstation. This helps to prevent someone from performing malicious actions on your machine when you are away from your desk.
- Configure NTP. As part of your logging infrastructure, you should have your devices set up and configured to support NTP.
- Establish log-on banner. As auditors, we rarely see this as a requirement, however this is a strong suggestion to be considered. There have been legal cases in the US in the past where a hacker gained access to a router and was found “not guilty” because the organization that was hacked did not have a banner visible that said, “If you are not authorized to access this site, you are trespassing and should disconnect immediately”.
- Disable unused interfaces. Any unused interfaces should be disabled or removed. This minimizes your vulnerabilities and scope, and can keep someone from using that additional interface for a malicious attack.
- Ensure that downloaded images are authentic. When you go to install a new operating system image, validate that the OS you’ve downloaded is authentic and hasn’t been compromised.
- Restrict ICMP from untrusted interfaces. Restrict inbound and outbound ICMP on untrusted interfaces to reduce the opportunities for attack.
- Enable anti-spoofing rules. Be sure to have anti-spoofing rules that prevent hackers from spoofing their source address to look like it’s coming from your internal address range, which would otherwise let your firewall and router pass that traffic.
Maintaining Secure Traffic Rules
Lastly, let’s talk about maintaining secure traffic rules in and out of your environment.
- Maintain a list of approved ports and services. Management should always oversee the traffic that is allowed in and out of your environment.
- Limit inbound traffic (from the Internet to the DMZ). This is a standard best practice, and the best way to monitor who is able to access your environment. Open ports that aren’t used only become a liability.
- Limit outbound traffic to only that which is needed. In the event that a hacker successfully enters your environment, policies that limit outbound traffic help to limit the data that a hacker can take out of your environment.
- “Any” based rules should not be used. Rules should be as prescriptive as necessary to securely shape the traffic.
- Systems that interact with sensitive information should have rules explicitly defined to limit the exposure. Any system storing sensitive data should have very strict rules established that limit all access to protect this data as securely as possible.
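As an added example, not code from the original post, here is a hypothetical Python helper that reviews a firewall rule set against the traffic-rule points above: no "any"-based permits, inbound from the Internet only into the DMZ, outbound limited to a management-approved port/service list, and explicit rules for anything touching sensitive systems. The zone address plan, the approved-service list and the rule set are all constructed for the example.

```python
"""Review a firewall rule set against the traffic-rule points above (hypothetical helper)."""
from ipaddress import ip_network

ZONES = {  # constructed address plan; "sensitive" sits inside the internal range
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
    "sensitive": ip_network("10.50.0.0/16"),
}
APPROVED_OUTBOUND = {"dns/53", "https/443"}  # management-approved ports/services

def zone_of(addr):
    """Map 'any' or a CIDR/host to a zone; address space outside the plan is the Internet."""
    if addr == "any":
        return "any"
    net = ip_network(addr, strict=False)
    for name in ("sensitive", "dmz", "internal"):  # most specific first
        if net.subnet_of(ZONES[name]):
            return name
    return "internet"

def review(rules):
    """Return (rule name, finding) pairs for permit rules that break the policy."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        src, dst, svc = zone_of(r["src"]), zone_of(r["dst"]), r["service"]
        if (r["src"] == "any" and r["dst"] == "any") or svc == "any":
            findings.append((r["name"], "'any'-based rule"))
        if src in ("any", "internet") and dst != "dmz":
            findings.append((r["name"], f"inbound from the Internet reaches {dst}, not the DMZ"))
        if src in ("internal", "sensitive") and dst in ("any", "internet") and svc not in APPROVED_OUTBOUND:
            findings.append((r["name"], f"outbound service {svc} is not on the approved list"))
        if "sensitive" in (src, dst) and ("any" in (r["src"], r["dst"]) or svc == "any"):
            findings.append((r["name"], "rule touching sensitive systems is not explicit"))
    return findings

CONSTRUCTED_RULES = [  # sample rule set, not from a real firewall
    {"name": "web-in", "src": "any", "dst": "192.0.2.10/32", "service": "https/443", "action": "permit"},
    {"name": "db-in", "src": "any", "dst": "10.50.1.5/32", "service": "tcp/1433", "action": "permit"},
    {"name": "lan-out", "src": "10.0.0.0/8", "dst": "any", "service": "any", "action": "permit"},
    {"name": "dns-out", "src": "10.0.0.0/8", "dst": "any", "service": "dns/53", "action": "permit"},
    {"name": "deny-all", "src": "any", "dst": "any", "service": "any", "action": "deny"},
]
```

`review(CONSTRUCTED_RULES)` flags `db-in` twice (Internet reaching a sensitive host, and a non-explicit sensitive rule) and `lan-out` twice (an "any" service that is also off the approved outbound list), while the DMZ web rule and the approved DNS rule pass.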
Creating a security-minded culture at your organization should supersede any boxes you are checking for the sake of compliance. Beginning with managing firewall and router security is a good starting point. For additional information on best practices for managing firewall and router security at your organization, visit the Center for Internet Security (CIS) or contact us today.