makspogonii - Fotolia
How to secure network devices in a hostile world
Find out how to secure network devices by locking down the biggest, riskiest holes to protect them from exploits long before some or all of the network crashes.
IT teams have understood and feared the impact of hackers and malware on computer systems for decades. Now, service providers and organizations operating their own networks are learning that network device security is subject to the same risks. The exploit of a hole in network security could bring down some or all of a network and even permit someone to spy on traffic or inject false data.
In today's world, where nation-states are regularly suspected of hacking and spying, it's important to know how to secure network devices. For any network operator, the first and most important step for network device security is to plug the holes that present the clearest risk. And those aren't even the exploit risks.
Network device hacking happens regularly on all kinds of network equipment vendors' devices. In most cases, the hacks fit into two categories -- spoofing control traffic and hacking network device management systems. If operators are worried about network security threats, they need to close these holes first.
Eliminate holes to secure network devices
IP networks exchange route information using control packets sent from device to device to advertise connectivity. Routing tables are built up from these exchanges, and if anyone introduces a false route advertisement, it can create inefficient or even invalid routes.
The Border Gateway Protocol (BGP) is the source of most of these hacks because it is the protocol used to advertise routes across different providers' networks. BGP is a complex framework, but it allows network operators to customize the routes they advertise and the sources they accept for other routes.
To secure network devices, first use BGP route control -- access control lists -- to nail down the route advertisements network operators can accept and publish. Second, use BGP monitoring to ensure something doesn't leak into the network due to a failure to properly set up routes.
Device management hacks are an even more insidious problem because they allow an intruder to change almost anything. In fact, they can sometimes cause network operators to lose control of their own network gear. Most routers will accept strong encryption of management links, so operators should use the strongest encryption available. In addition, they should eliminate any default ID and password combinations included for device setup as soon as a device is installed. This should be done in the lab, not in the live network.
Passwords for management systems should also be changed on a regular basis and include strong source identification of management packets. Generally, it's not wise to allow a packet targeting a management API to originate on the internet or on any of your VPN subnetworks where no management system instance should be installed.
Journaling is another critical step to secure network devices. All access to a management API should be journaled, and every change made to the configuration of any device should also be journaled in before-and-after form, with the source of the change clearly identified with both a username and IP address. It's fairly easy to use an API and reporting software to examine the patterns of management access in order to look for anything out of the ordinary.
Network element exploits
This takes us to the final class of hacks -- the exploits. An exploit is a defect in software that allows maverick code to be introduced into a network device. One common source of exploits is a buffer overrun, where a particular kind of message causes the buffer that holds it to be overrun, writing over whatever lies beyond it in memory. If that happens to be code, it's possible to include malware in the data message, then induce the code to run beyond the buffer. The bad code can then open a hole for more serious hacking.
Network devices are as vulnerable as computer systems are to exploits, and a number of widely publicized exploits of network elements have taken place within the last year. When exploits are discovered, the vendors fix them quickly, but not everyone applies the patches promptly. Never delay in applying these fixes because once you get malware into a network, it's difficult to be sure you've completely removed it. Exploits can open the door to widespread contamination of your management systems and other devices.
The recent focus in the area of exploit attacks has been the risk that a governmental agency would induce a device vendor to build in a backdoor that can be exploited at will. Such a move would enable the agency to break into a network and perform nearly any hostile function, from snooping through information to totally breaking the network itself. This is the issue that has generated debate over the security of Huawei network devices.
Deliberate backdoor exploits are exceptionally difficult to detect under the best of circumstances. Reviews of the source code of a device, for example, are hardly likely to find a well-constructed exploit.
It's even worse if the exploit is a combination of hardware or firmware and software. Many network devices include programmable custom chips, and these chips could include malware that can open a hole that device software would widen. While discussions about preventing backdoor exploits often include code reviews, they're not likely to work.
IT will never find a smart chip and software exploit by inspecting the code or the hardware. You can't set up a clean room and watch for aberrant behavior from a device because without the explicit stimulus the exploit is designed for, no such behavior will happen.
Even if service providers were to design monitoring procedures to detect a problem, what would they do if they found one other than taking the network down? The fact is that if a deliberately set backdoor in a network device seems to be a credible threat, the only way to avoid it is to ban the vendor. Every operator and national regulatory administration will have to decide whether they believe any such threat exists for each vendor they admit.
That's harder than it may seem. Apart from detection difficulties, it's hard to believe vendors would build in security flaws. In a politically charged world, it's even harder to get objective information on just how possible such a backdoor defect is. Every country sees its own industries as beyond reproach, yet most countries don't trust each other.
Still, risking an entire network is a problem many operators simply can't ignore. The best strategy is to deal with everything based on a hard assessment of the underlying reality of the risk, then reassess regularly to accommodate changes in conditions or international politics.