Network Configuration Weakness

As network devices become increasingly complex, the knowledge base required to configure systems correctly increases, too. This complexity represents more of an issue in smaller organizations in which a single administrator might be responsible for the LAN, WAN, servers, and workstations. In any organization, the most effective way to overcome network and system configuration issues is to establish and enforce a standardized baseline for all configurations. Configuration weaknesses normally fall into one of the following categories:

• Misconfigured equipment: A simple misconfiguration can cause severe security issues. Whether the error is caused by a lack of knowledge of the system or a lack of attention to detail, the result might be an open vulnerability that leaves the system or network exposed to security threats and potential damage. Some areas of networking that are most susceptible to configuration errors are the firewall settings, access lists, Simple Network Management Protocol (SNMP) settings, and routing protocols.

• Weak or exposed passwords: Passwords that are too short, are easily guessed, or consist of common words make it easy for an intruder to gain access to company resources, networks, and data. A "strong" password should consist of at least eight characters and should include uppercase and lowercase letters, as well as numbers and special characters. Additionally, using the default password or administrator accounts is an especially poor practice. It is also important that users do not create a password that is too complex to remember. In such a scenario, users tend to write down their password on a sticky note and affix it to their monitor, defeating the purpose of the password in the first place. One common method for creating and remembering passwords is the "vanity plate" method: Think of a word or phrase and convert it into the characters used on a vanity license plate, then change the case of a letter or two, and substitute one or more numbers for letters. Here is an example: In Virginia, for instance, a Honda owner is apparently not fond of mayonnaise. The Honda owner's license plate reads IH8 Mayo. You can drop in an underscore and an exclamation point and you get IH8_Mayo!. Not too fancy and easy to remember. Another password technique that poses a risk is the use of "common accounts" shared by many users. Common accounts prevent accurate accounting of which actions were taken by specific users and make it impossible to determine (to a legal standard) whether a specific user is responsible for a specific action.

• Misconfigured Internet services: Java applets, JavaScript, File Transfer Protocol (FTP) security settings, and Internet Protocol (IP) can all be configured in ways that are considered unsafe. Knowing exactly which services are required and which services are running ensures that Internet services do not create potential network security breaches.

• Using default settings: The default settings of many products are designed to assist in device configuration and production environment placement. One of the most common default settings is the default password, or the lack of a password by default. Other examples of default configuration settings include the following:

- The default filters for the Cisco 3000 series VPN concentrators provide insufficient protection for use in a production network.

- By default, no access lists limit Telnet access on Cisco routers; if Telnet is enabled, you must ensure the access is limited to authorized source addresses only (from your management network).

These are just two examples of how default settings prove insufficient for production use.
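A baseline check for the Telnet default described above, as an added example that is not part of the original text: it scans a Cisco IOS-style configuration for vty lines that allow Telnet without an inbound access-class, and goes one step further by flagging an access-class that names an ACL the configuration never defines. The sample configuration is constructed, the function names are hypothetical, and treating a missing `transport input` line as Telnet-capable is an assumption.

```python
import re

# Constructed sample of a Cisco IOS-style configuration (not taken from the page).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 login
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 login
 transport input telnet
line vty 16 31
 access-class 99 in
 transport input ssh
!
end
"""

def defined_acls(config):
    """ACL numbers/names defined by 'access-list N ...' or 'ip access-list <type> NAME'."""
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    acls |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    return acls

def audit_vty(config):
    """Return (vty_range, problem) tuples for vty lines that break the baseline."""
    acls, findings = defined_acls(config), []
    # Each block is a 'line vty' header followed by its indented sub-commands.
    for m in re.finditer(r"^line vty (\d+(?: \d+)?)\n((?:[ \t]+.*\n)*)", config, re.M):
        vty, body = m.group(1), m.group(2)
        transport = re.search(r"^\s+transport input (.+)$", body, re.M)
        # Assumption: with no 'transport input' line, treat Telnet as possibly enabled.
        protos = transport.group(1).split() if transport else ["all"]
        telnet = bool({"telnet", "all"} & set(protos))
        acl = re.search(r"^\s+access-class (\S+) in\b", body, re.M)
        if telnet and not acl:
            findings.append((vty, "telnet enabled without inbound access-class"))
        if acl and acl.group(1) not in acls:
            findings.append((vty, f"access-class {acl.group(1)} is not defined in this config"))
    return findings

if __name__ == "__main__":
    for vty, problem in audit_vty(SAMPLE_CONFIG):
        print(f"line vty {vty}: {problem}")
```

Running such a check against every device's saved configuration is one way to enforce the standardized baseline the section recommends.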
