Saturday 20 February 2021

Hardening of Network Devices (Router & Switch)

 

Hardening Routers and Switches

Hardening is the term used for protecting network equipment against attacks and vulnerabilities in order to mitigate security risks. Network security is a major concern of every enterprise, so network security experts strongly recommend properly hardening every network device.

A proper network design and key management of the system functions are the fundamental features of a good network and make sure that all security measures have been taken. Security checks are implemented layer by layer to ensure security at each layer. Routers and switches are the key devices in a network where hardening can be performed to block intruders from accessing the network.

Hardening a Router

The checklist below can be used to make sure a router and its connected networks are fully secure.

 

· Creating a Complex Password

To limit access to a router, a secure and complex password must be created for both console and remote management. Two-factor authentication must be enabled for both, with alphanumeric passwords of more than 8 characters. This makes sure that the configuration cannot be altered even if the device is somehow accessed.

· Password Encryption

Normally, passwords are stored in plain text in the running configuration of routers, and they stay in plain text when the configuration is collected for backup. It is therefore highly recommended to encrypt all service passwords on the device.

· Integration of Router with External AAA

Local users accessing the system must be authenticated via an AAA server for better security. The centralized AAA server handles authentication, authorization, and accounting of users, and all their activities are recorded. Using AAA, we can enforce the desired security policies, which not every network device supports.

· Limiting the Number of Failed Attempts

Where no AAA is integrated, we must limit the number of access attempts allowed for each user account. That protects against trial-and-error attempts to crack a password.

· Configuring Access Control List (ACL)

Configuring an ACL blocks all undesired access attempts from unknown source IPs. Only a limited set of IP subnets should be allowed to access the device.

· Enabling Syslog Server

To record the activities performed on the router, syslog should be enabled; it stores large amounts of data for auditing the router and generates incident alerts whenever the device is accessed.

· Integration of Network Time Protocol Server (NTP)

NTP is integrated so that the timestamps of the activities performed on the device can be checked. It is very helpful in incident handling.

· Enabling SSH on Router

For remote management, we use either the Telnet or the SSH protocol. Telnet sends data in plain text, so passwords are readable; it is therefore recommended to enable SSH, which encrypts the traffic.

· Updated Security Patches

The latest updates for all security patches must be installed on the router, and the latest router IOS, in which threats and bugs are mitigated, must be available.

· Shutting Down Unused Interfaces

Shutting down unused router interfaces prevents them from being used to hack or telnet into the system.

If interfaces are not shut down, local connectivity may be established and DDoS attacks can be generated to confuse the router, which may lead to rebooting of the system.

· Disabling Unused Functions

Unused features of the router should be disabled; for example, CDP or LLDP should be disabled to prevent unnecessary discovery of devices.
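The router checklist above can be checked mechanically against a saved configuration. The following is an added example, not part of the original post: it assumes Cisco IOS-style syntax, and the function name `audit_router`, the `REQUIRED` table and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: IOS-style running-config with several checklist gaps.
SAMPLE = """\
hostname edge-rtr-01
enable password Winter2021
aaa new-model
logging host 192.0.2.10
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Checklist item -> global command expected in the config (assumed IOS syntax).
REQUIRED = {
    "password encryption": r"service password-encryption",
    "external AAA": r"aaa new-model",
    "failed-attempt limit": r"login block-for \d+ attempts \d+ within \d+",
    "syslog server": r"logging (host )?\d+(\.\d+){3}.*",
    "NTP server": r"ntp server \S+.*",
    "CDP disabled": r"no cdp run",
}

def audit_router(cfg):
    """Return a list of findings for the router checklist items."""
    lines = cfg.splitlines()
    findings = [f"missing: {item}" for item, pat in REQUIRED.items()
                if not any(re.fullmatch(pat, ln) for ln in lines)]
    # A 'password' not followed by encoding type 7 is stored in clear text.
    for ln in map(str.strip, lines):
        if re.match(r"(enable |username \S+ )?password (?!7 )\S", ln):
            redacted = re.sub(r"password .*", "password <redacted>", ln)
            findings.append(f"plain-text password: {redacted}")
    # Inspect the indented child commands of every 'line vty' block.
    for m in re.finditer(r"^(line vty [\d ]+)\n((?: .*\n?)*)", cfg, re.M):
        body = [b.strip() for b in m[2].splitlines()]
        if "transport input ssh" not in body:
            findings.append(f"{m[1]}: telnet not excluded")
        if not any(b.startswith("access-class ") for b in body):
            findings.append(f"{m[1]}: no ACL on remote management")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_router(SAMPLE)))
```

`service password-encryption` applies the reversible type 7 encoding, so this check confirms that the checklist item is configured and says nothing about password strength.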

Hardening a Switch

· Creating a Complex Password

To limit access to a switch, a secure and complex password must be created for both console and remote management. Two-factor authentication must be enabled for both, with alphanumeric passwords of more than 8 characters. This makes sure that the configuration cannot be altered even if the device is somehow accessed.

· Password Encryption

Normally, passwords are stored in plain text in the running configuration of switches, and they stay in plain text when the configuration is collected for backup. It is therefore highly recommended to encrypt all service passwords on the device.

· Enabling SSH on Switch

For remote management, we use either the Telnet or the SSH protocol. Telnet sends data in plain text, so passwords are readable; it is therefore recommended to enable SSH, which encrypts the traffic.

· Shutting Down Unused Interfaces

Shutting down unused interfaces prevents them from being used to hack or telnet into the system. If interfaces are not shut down, local connectivity may be established and DDoS attacks can be generated to confuse the device, which may lead to rebooting of the system.

· Disabling Unused Functions

Unused features of the device should be disabled; for example, CDP or LLDP should be disabled to prevent unnecessary discovery of devices.

· Management VLAN

Normally users keep VLAN 1 as the management VLAN, but it is highly recommended to change the management VLAN to some other VLAN, and only a limited number of interfaces should be bound to that VLAN.

· Description of Interfaces

A description should be added to all user interfaces so that the usage of each port is known from its function, whether uplink or downlink.

· Port Security

Port security should be enabled on the switch to prevent MAC address spoofing and to limit hackers' access to the switch.

· Enabling STP

Enabling STP ensures that no loops exist in the system, which protects the device from deliberate broadcast storm generation and MAC poisoning.

· SNMP Community

SNMP is used for transferring statistics to a server over the network and carries a risk of critical network information being hacked. The community string must not be the default and should be set to read-only.
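The port-level items of the switch checklist (unused interfaces, management VLAN, descriptions, port security) together with the STP and SNMP items can be audited per interface block. This is an added example, not part of the original post: it assumes Cisco IOS-style syntax, and the function name `audit_switch` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: IOS-style switch config; all names and values are made up.
SAMPLE = """\
snmp-server community public RW
no spanning-tree vlan 20
interface Vlan1
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/1
 description uplink to core-sw-01
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 description user port, desk 14
 switchport mode access
 switchport port-security
interface GigabitEthernet0/4
 shutdown
"""

def audit_switch(cfg):
    """Return findings for the port-level, STP and SNMP checklist items."""
    findings = []
    for m in re.finditer(r"^snmp-server community (\S+) (\S+)", cfg, re.M):
        if m[1].lower() in ("public", "private"):
            findings.append("snmp: default community string")
        if m[2].upper() != "RO":
            findings.append("snmp: community is not read-only")
    for m in re.finditer(r"^no spanning-tree vlan (\S+)", cfg, re.M):
        findings.append(f"stp: disabled for vlan {m[1]}")
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", cfg, re.M):
        name, body = m[1], [b.strip() for b in m[2].splitlines()]
        if "shutdown" in body:
            continue  # administratively down: nothing exposed on this port
        if name.lower().startswith("vlan"):
            # An enabled SVI on VLAN 1 with an address means VLAN 1 is management.
            if name.lower() == "vlan1" and any(b.startswith("ip address ") for b in body):
                findings.append("Vlan1: default VLAN used for management")
            continue
        if not any(b.startswith("description ") for b in body):
            findings.append(f"{name}: enabled without description (shut if unused)")
        if "switchport mode access" in body and "switchport port-security" not in body:
            findings.append(f"{name}: access port without port security")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_switch(SAMPLE)))
```

The findings deliberately omit the community string itself, since audit output is often pasted into tickets and reports.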

 

 

 

 

 

 
