There are many different ways to harden devices from security exploits. In this video, you’ll learn about upgrading firmware, patch management, file hashing, and much more.
As a network administrator, you’ll be connecting switches, routers, firewalls, and many other devices to the network. In this video, we’ll look at different ways that you can harden those systems and make them more secure. When you first plug in a router, a switch, a firewall, or any of these other network devices, there is usually a default username and password that you can use to gain access to that system. These default credentials are well known.
For example, you can go to a website like RouterPasswords.com that lists all of these different models of devices and provides the username and the password for each of these systems. These default usernames and passwords usually provide full control or administrator access to these systems. So if you don’t change these defaults, you’ll find that someone else will come along and try to see if those defaults are still in place. You could unintentionally be providing administrator access to these new devices that you’re adding to the network.
If you do change the password from the defaults, you want to be sure to use a password that isn’t completely obvious. There are very common passwords that people tend to use and the bad guys know to try those passwords first. You want to avoid passwords such as password, or ninja, or football. Those are three of the most popular passwords you’ll find on any system.
And there are a number of databases on the internet where you can download the most popular passwords that people are using. So a bad guy can run through the first 1,000 or 10,000 most popular passwords to see if it happens to match the one that you’ve chosen for that device.
But I think most network administrators are already familiar with this problem. So you’re probably not using one of these very common passwords. Make sure you’re not using something that can be found in the dictionary and make sure it’s something that’s very unique that wouldn’t be found anywhere else.
Many of these routers, switches, and firewalls that we’re adding to a network are not using a traditional operating system. These aren’t running a Windows or Linux operating system underneath, and if we need to upgrade those systems, we’re usually having to perform an upgrade to the firmware of the system. If you are planning to upgrade the firmware, make sure you check with the manufacturer that you’re using a version of firmware that does not have any known vulnerabilities.
Sometimes you may find yourself upgrading to a version of firmware that already has another upgrade available to solve some of these security problems. And although we’re often upgrading this firmware to solve problems that we’re having on the system, the new firmware could introduce an entirely new set of issues. So it’s always good to keep backups of all your previous firmware versions so that if you run into problems, you can easily downgrade to the previous revision.
Although many of these infrastructure devices you’re using have their own operating systems, you probably still have management workstations and SIEMs that are running Windows, Linux, or something else that’s very common. For those operating systems, we want to be sure to apply all of the latest patches. This will not only keep your system more stable, but it will, of course, provide security patches for any known vulnerabilities. Sometimes in Windows, for example, you can get a service pack that applies a large number of patches at once, and you want to be sure to keep up with the monthly updates that Microsoft provides, where all of the latest security patches are made available.
Sometimes security patches may be released outside of that normal monthly cycle. These out-of-band updates usually are very important security issues that need to be resolved. So make sure you’re on the notification list and that you’re made aware whenever any of these out-of-band updates are made available.
A hash is a short string of text that’s created by running an algorithm against a data source. We call this short string of text a message digest. If we change anything in the original data, the message digest will also change. Another important characteristic of the hash is that the message digest is unique to the data. We know that if the data changes, the message digest will change, but we also know that no other combination of data will create the same message digest.
This allows us to perform some integrity checks of data that we may have downloaded. For example, you can go to the Ubuntu site and download this Linux distribution. And on the Ubuntu site, they provide the name of the file that you’re downloading and a hash that’s associated with that file. You can then download that file, run the same hashing algorithm on your computer, and compare it to what’s posted on the website. If those values are identical, then you know that you’ve downloaded an exact duplicate of what exists on the website.
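The download check described above, as an added example that is not part of the original video: stream a downloaded file through SHA-256 and compare the result against a published SHA256SUMS-style list (one `digest *filename` line per file). The checksum line and the sample file here are constructed for the demonstration, not Ubuntu’s real values.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte ISO never sits in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse 'digest  filename' / 'digest *filename' lines into {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) == 64:  # ignore malformed entries rather than trusting them
            expected[name] = digest.lower()
    return expected


def verify_download(path, sums_text):
    """True only if the published list covers this file AND the digests match."""
    expected = parse_sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return False  # no published digest: treat as unverified, not as OK
    return sha256_of_file(path) == expected[name]


def write_sample(name, content):
    """Write a constructed sample file to a temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(content)
    return path


# Constructed checksum list: SHA-256 of the bytes b"abc", published under the name sample.iso.
SAMPLE_SUMS = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *sample.iso\n"

if __name__ == "__main__":
    good = write_sample("sample.iso", b"abc")
    tampered = write_sample("sample.iso", b"abd")  # one byte changed
    print("good file verifies:", verify_download(good, SAMPLE_SUMS))
    print("tampered file verifies:", verify_download(tampered, SAMPLE_SUMS))
```

A single changed byte in the tampered copy produces a completely different digest, which is exactly what the integrity check relies on.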
One way to avoid all vulnerabilities that may be associated with a particular service on your computer is to simply disable that service. If a 0-day vulnerability were to appear, it would not be able to execute on your computer because that service is not running. Unfortunately, it may be difficult to determine which services are unnecessary and which services must be running on your system. For example, Windows 7 includes 130 services by default, and Windows 10 has over 240 services available. That means you may have to do a bit of research to determine which of these services can be permanently disabled.
You may be able to find websites that document exactly what these services are doing, but you may have to perform some trial and error to see if turning off a particular service will affect the operation of that system. Sometimes you’ll know which services can be disabled by the name. For example, you may be using your system as a management workstation and find that any services associated with Xbox Live can automatically be disabled. But other services may not be completely obvious. For example, Remote Registry or Secondary Logon may be necessary for the services and applications on this computer to run properly.
One very easy place for the bad guys to gather information is from the airwaves. Our wireless networks are putting a lot of information over the air and it’s very easy to use a network analyzer to be able to see what’s going on across the network. This means you could be at an industry event or a coffee shop, using the wireless network, and someone may be able to gather information from the traffic flows coming from your computer.
That’s why it’s very common for someone outside of the building to use a VPN that will encrypt all of the information going to and from their computer. Or you may want to make sure that your browser is always using HTTPS, or that your email client is always communicating to the email server over an encrypted channel.
Here’s an example of the information that could be gathered from any 802.11 network. This is a form that I’m filling in that has a username and password, and I’m doing this in a browser over HTTP. That means the communication is not going to be encrypted by default. And you can see on this particular form in the web browser that there is a password field. And in this field, I put in my password, which is "super secret".
You can see that the protocol decode provides you with exactly the information that I put into that protected password field. Even though it was a field full of asterisks on my screen, the protocol analyzer was able to see everything going across the network. If I perform exactly the same login, but I tell my browser to use HTTPS instead of HTTP, I’ll still see the packets as they’re going across the network. But as you can see from this protocol decode, all of the application data is encrypted. So even if somebody was able to capture this data, they would not be able to see my password.
If you don’t have a VPN connection and you want to be sure that all of your traffic is going to be encrypted, then you should make sure your applications are using secure protocols. For example, instead of using Telnet, you’ll want to use SSH, or Secure Shell, which gives you a terminal session, but in an encrypted form. Or if you’re transferring files, make sure you’re using SFTP, which is the secure file transfer protocol over SSH, instead of using something that’s not encrypted such as FTP.
SNMP is a very common protocol used to query routers, switches, servers, and other infrastructure devices. So if you want to make sure all of that data is encrypted, you’ll want to use SNMP version 3 instead of version 1 or 2. We’ve already seen the differences in using HTTP versus HTTPS. When you’re using HTTPS, you’re using TLS or SSL. This is Transport Layer Security or Secure Sockets Layer, and it will make sure that all of this browser-based communication is encrypted.
And ultimately, you may want to create a VPN connection and simply send all of the traffic through it. It’s common to have VPNs that run using SSL or TLS, but we can also have a VPN using IPsec, or Internet Protocol Security, that will encrypt all layer 3 traffic going through that encrypted tunnel. To be able to send traffic over these encrypted channels, there’s always going to be an encryption key that’s used.
If you’re using HTTPS, or SSH, or almost any other encryption mechanism, this key will be able to encrypt that data, and on the other end, decrypt the information so that it can be seen by the other device. These encryption keys are usually managed on these servers and clients. So for example, SSL or TLS keys for HTTPS are usually stored on the web server itself. And the same applies for SSH keys you may be using for an encrypted terminal connection.
That’s why it’s important to protect these keys. We want to be sure that nobody else gains access to these keys, or they could potentially decrypt information that they may have gathered from an encrypted channel. Sometimes these infrastructure devices and web services may ship to you with a default key, so you want to be sure that that key is changed. Usually you’re prompted during the installation process to build your own key. But it’s useful to have a formal policy and set of procedures in place that will make sure a device is always given a unique key for your organization.
Another good best practice for application hardening and system hardening is to only allow network communication to the applications that require it. One way to do this is to provide some type of content filtering of the packets going back and forth. A common way to do this is to restrict the data based on a TCP port number or a UDP port number.
This way, another application couldn’t suddenly be installed on your system and communicate over a port number that you’re not using. It’s very common to add this network filtering on a system using the personal firewall or software-based firewall that’s already installed in that operating system. Or you may have an appliance on the network that examines all traffic going through it to make these filtering decisions for all devices.
If you’re managing a large number of switches or routers, one of the things you can do to prevent unauthorized access is to disable any interfaces that aren’t currently in use. So if you have conference rooms or break rooms that don’t need to have access to the switch, it’s a good best practice to disable them and prevent anyone from walking into that conference room and gaining access to your network. This means you may have to do a little bit of research to determine what interfaces on that particular switch should be enabled and which should be disabled.
And you may have additional administration as new devices are added to the network and other devices are removed from the network, to make sure that all of these disabled ports remain up to date. And of course, you can take advantage of network access control. This is 802.1X, and it allows you to require authentication from a user before they ever gain access to any interface on your switch.