It’s a sad but common truth that not all network devices are built with security in mind. Some ship with default credentials like admin / admin, with SNMP set to public, or with operating systems that haven’t been updated in years.
As with any other device, it’s important to practice good hygiene when managing network devices. Good hygiene means things like keeping firmware up to date, changing credentials away from the defaults, and refreshing end-of-life hardware and software.
If you’re already doing these things, great! You get a well-deserved pat on the back. By following these simple guidelines, you’re already in the front half of the network management pack.
But what else can you, as a top-tier MSP, be doing to continually improve the security posture of your clients’ network infrastructure devices?
Here are some things to look at.
- Limit the IP ranges that can manage network infrastructure
Do your clients need direct access to switches or firewalls? How about the IP phone subnet? For nearly every partner I talk to the answer is a clear ‘no’.
Most network devices allow you to select management IPs or apply access control lists (ACLs) to services such as SNMP and SSH. Use this feature to restrict access to a couple of management servers you have on site.
This is especially important for perimeter devices. If you’ve enabled SSH access to a client’s firewall from the outside it’s critical that access is locked down. Be careful not to lock yourself out though.
- Use SNMPv3 throughout the network
SNMP has gone through a few iterations over the years. SNMPv2c, the most commonly used version, has been around for decades with little change. SNMPv3 is a great option for those looking to manage devices over SNMP while adding some security and encryption to that management.
Using SNMPv3 instead of v2c over public networks is obvious, but security-conscious service providers have increasingly been using SNMPv3 within private networks as well. That’s because v3 reduces the amount of management data traversing the network in clear text—in case someone is listening in who shouldn’t be.
- Rotate network device credentials
It’s that time of year: Time to change your client’s firewall password from Fall2018 to Winter2019, am I right?
While some may rightfully question your choice of passwords, good on you to rotate your credentials on a quarterly basis. We typically see service providers rotating network device credentials at least annually.
Already rotating regularly? You’re well ahead of the curve.
Credential rotation isn’t on your regular calendar yet? Start the habit now by setting a recurring ticket in your PSA.
- Disable unused network ports
Helpful employees, malicious actors, shadow IT—these are all people who would love to plug something into an open Ethernet port on your client’s switch. Trouble is, they can cause a broad range of issues from broadcast storms to security breaches and unsanctioned hardware on your network.
If you have extra ports on routers, switches, and firewalls after completing the initial configuration, disable them. If they’re ever needed again, you can log back in and re-enable them.
- Secure SSH on network devices
First of all, thank you for having SSH configured and not Telnet. (You do have Telnet disabled, right?)
There are a few things to consider when securing SSH.
- Disable SSHv1. Version 2 is newer and more secure.
- Enable an idle timeout so that any idle sessions are closed down.
- Ensure the network device software is up to date. Many network devices use OpenSSH, and over the past few years there have been many OpenSSH bugs identified and fixes put in place.
- Bonus! Add a warning banner
Consider implementing a warning banner sanctioned by the client’s legal team that users will see when they log in. While this won’t prevent access and won’t stop malicious actors, it may give an accidental hacker second thoughts.
It’s important to keep in mind that the steps to implement each of these recommendations will be different between network device vendors. You may also find that some of the settings discussed aren’t available on your network equipment. That’s OK—implement what you can and manage the risk around the others.
Achieving a secure network is a constantly moving target. If you’re not being proactive and continually re-evaluating and managing the risks, you’ll be behind before you know it.