Router Security Configuration Guide    UNCLASSIFIED    46    UNCLASSIFIED    Version 1.0g

4.1.  Router Access Security

This section discusses the various mechanisms used to protect the router itself.  These include physical access, user account protection, software protection, remote administration concerns, and configuration issues.  When thinking about the security of your network it is important to consider these issues for all your systems, where applicable, as well as for the routers.

4.1.1.  Physical Security

Once an individual has physical access to a piece of networking equipment there is no way to stop them from modifying the system.  This problem is not confined to network devices but is also true of computers and any other electrical or mechanical device.  It is always a matter of time and effort.  There are things that can be done to make this more difficult, but a knowledgeable attacker with access can never be completely defeated, only slowed down.  One of the best additions to the security of a computer network is to limit access.  Network infrastructure components, like routers, are especially important because they are often used to protect segments of the network and can also be used for launching attacks against other network segments.

Network equipment, especially routers and switches, should be located in a limited access area.  If possible, this area should only be accessible by personnel with administrative responsibilities for the router.  This area should be under some sort of supervision 24 hours a day and 7 days a week.  This can be accomplished through the use of guards, system personnel, or electronic monitoring.  In practice, physical security mechanisms and policies must not make access too difficult for authorized personnel, or they may find ways to circumvent the physical security precautions.
If remote administration is used to configure and control routers, then consider ways of protecting the machines used for remote administration, and the networks they use to communicate with the router.  Use access lists to limit remote administration access to hosts that enjoy reasonable physical security.

To illustrate one reason why physical security is critical to overall router security, consider the password recovery procedure for Cisco routers.  This procedure is able to acquire full privileged (enable) access to a Cisco router without using a password.  The details of the procedure vary between router models, but always include the following basic steps.  An administrator (or an attacker) can simply connect a terminal or computer to the console port and

“Step 1  Configure the router to boot up without reading the configuration memory (NVRAM).  This is sometimes called the test system mode.
Step 2  Reboot the system.
Step 3  Access enable mode (which can be done without a password if you are in test system mode).
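The recommendation above to use access lists to confine remote administration to a few physically secure hosts is easy to state and easy to lose in a large configuration.  The following Python script is an added example, not part of the guide and not a Cisco tool: it reads an IOS-style configuration text, finds every "line vty" block, and reports any block that has no inbound access-class, references an access list that is not defined, or is protected by an access list that permits "any" source.  The two sample configurations, the ACL name MGMT-HOSTS and the host addresses 10.0.0.5 and 10.0.0.6 are constructed for the example.

```python
"""Audit an IOS-style configuration for vty lines that accept remote
administration sessions without an inbound access-class (access list).
Added example; not code from the Router Security Configuration Guide."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class VtyBlock:
    name: str
    access_class: Optional[str] = None   # ACL name/number applied inbound


def parse_config(text):
    """Return (acls, vty_blocks).

    acls maps an ACL name or number to its list of entry strings;
    vty_blocks lists every 'line vty' block with its inbound access-class.
    """
    acls = {}
    vtys = []
    current_acl = None
    current_vty = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current_acl = current_vty = None      # '!' ends a config block
            continue
        if not line.startswith(" "):              # top-level command
            current_acl = current_vty = None
            m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
            if m:                                 # named ACL header
                current_acl = acls.setdefault(m.group(1), [])
                continue
            m = re.match(r"access-list (\d+) (.+)$", line)
            if m:                                 # numbered ACL entry
                acls.setdefault(m.group(1), []).append(m.group(2))
                continue
            m = re.match(r"line vty (\d+(?: \d+)?)$", line)
            if m:
                current_vty = VtyBlock(name="vty " + m.group(1))
                vtys.append(current_vty)
            continue
        body = line.strip()                       # indented sub-command
        if current_acl is not None:
            current_acl.append(body)
        elif current_vty is not None:
            m = re.match(r"access-class (\S+) in$", body)
            if m:
                current_vty.access_class = m.group(1)
    return acls, vtys


def audit_config(text):
    """Return one finding string per vty block whose remote administration
    access is not restricted to specific management hosts."""
    acls, vtys = parse_config(text)
    findings = []
    for v in vtys:
        if v.access_class is None:
            findings.append(f"{v.name}: no inbound access-class applied")
            continue
        entries = acls.get(v.access_class)
        if entries is None:
            findings.append(f"{v.name}: access-class {v.access_class} "
                            "refers to an ACL that is not defined")
            continue
        for e in entries:
            tokens = e.split()
            if tokens and tokens[0] == "permit" and "any" in tokens[1:]:
                findings.append(f"{v.name}: ACL {v.access_class} "
                                f"permits any source ({e!r})")
    return findings


# Constructed sample configurations (not from the guide).  The first leaves
# the vty lines open to any host that can reach the router; the second
# restricts them to two management hosts assumed to be physically secure.
WEAK_CONFIG = """\
!
line vty 0 4
 login
 transport input telnet
!
"""

HARDENED_CONFIG = """\
!
ip access-list standard MGMT-HOSTS
 permit host 10.0.0.5
 permit host 10.0.0.6
 deny any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 login
 transport input telnet
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":", audit_config(cfg) or "no findings")
```

Run against a saved "show running-config" the script prints a finding for each vty block that is not confined by an access list; an empty result for the hardened sample shows the shape the guide is asking for: a standard access list naming only the management hosts, applied inbound on every vty line.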