Basic Router Security and Access Control
Introduction
In the last few years, routers have increasingly become targets of malicious hackers attempting to launch distributed denial-of-service (DDoS) and other attacks across the Internet. Having control of a router, especially one with high-speed links, provides an even greater opportunity for mischief than just controlling PCs. A hacker in control of your router can reconfigure the system and take over your entire autonomous system (AS). Hackers are often able to log in to and take over routers simply because of negligence on the part of a router administrator who doesn't implement basic security precautions, such as setting a password for the root account, or who uses a password that can easily be discovered, such as juniper, cisco, root, or admin. Given the increasing number of malicious attacks occurring on the Internet, it is vital for you to secure your router.
This chapter talks about how to configure router access, including setting up login accounts, and other basic security measures you should take to control access to the router and to protect your router from undesired access.
There is nothing complicated about what you need to do to protect your router. Basic router security consists of three components. Two of these, limiting physical access to your router and configuring the JUNOS software to minimize the vulnerability of your router, are under your control. Properly configuring the router to be as secure as possible, while at the same time ensuring that you don't misconfigure the router to increase its vulnerability to attack, is often called hardening the configuration. The third component of security is some of the default behaviors of the JUNOS software that help protect the router.
To limit physical access to your router, we strongly recommend keeping your router in an area that has restricted access, such as a room that is locked or has badge access, and then limiting the number of people who have access to that area. Anyone who can physically get to a router can do a lot of damage, from removing hardware or cables from the router to connecting a PC to the router's console port, which lets them gain access to the router as root and gives full access to and control of the router's configuration and files. You should also never leave a modem connected to the router's console port to ensure that no one can gain access this way.
In the basic router configuration that you set up (described in Recipe 1.1), the following default software behaviors are in place to protect the security of your router:
- Only console access to the router is enabled by default. Remote management access to the router and all management access protocols, including Telnet, FTP, and SSH (secure shell), are disabled. When you initially configure the router, you connect a terminal to the router's console port. After this, you want to keep the router in an area that has limited physical access, so you need to enable a way to remotely log in to the router. For the best security, you should enable only SSH access.
- The JUNOS software does not support the SNMP Set capability for editing configuration data, although it does support this capability for monitoring and troubleshooting the network. There are no known security issues associated with this. (You can configure the software to disable the SNMP Set capability.)
- The JUNOS software does not forward directed broadcast messages. (Directed broadcasts are datagrams with a destination address of an IP subnetwork broadcast address.) Directed broadcasts are open to spoofing, which is used in DoS attacks.
- The JUNOS software ignores martian addresses that contain the following prefixes: 0.0.0.0/8, 127.0.0.0/8, 128.0.0.0/16, 191.255.0.0/16, 192.0.0.0/24, 223.255.55.0/24, and 240.0.0.0/4. (Martian addresses are reserved host or network addresses about which all routing information should be ignored.) You may want to add other prefixes to the martian list, such as RFC 1918 address space and bogon prefixes (see Recipe 9.5).
A key to router security is controlling who can log in to the router and what they can do once they are logged in. For each user who is allowed to work on the router, you should create a login account that defines the user's login name and password and the class of operations that they can perform on the router.
Strategies for Choosing Passwords
Passwords for the root account and for user accounts are often the weakest links in router security. For root and for any user who can log in to the router, you should always set a password, and the password you choose should be a strong password, one that is hard to crack, not a weak one. You want to make it impossible for a person with malicious intentions to gain login access to your router, especially as root or any user who has root permission or who has permission to modify the router's configuration or any files on the router, or to shut down or reboot the router.
All JUNOS passwords are encrypted, but this means only that the password stored on the router or in a configuration file is stored in an encrypted form. Someone reading the configuration on the router won't be able to see the plain-text password, and if you copy the file over the network and someone sniffs the session, they won't see the passwords in the file. Even though the passwords are encrypted in the configuration, you should take care not to let them circulate. It's still possible to use programs such as crack to guess clear-text passwords, encrypt them, and compare them to a list of encrypted strings (although this is not the case with, for example, SSH public keys). For this reason, you always need to use strong passwords and prevent even encrypted versions of your passwords from falling into the wrong hands.
To understand what a strong password is, we should look first at what constitutes a weak password. It should go without saying, but bears repeating anyway, that the weakest password is no password at all. A number of groups that monitor network security still find routers that have no passwords set on them. Other weak passwords are those that are easy to guess and include common words such as the name of your router vendor (such as juniper), the string admin, using the username as the password (for example, username root, password root, or admin/admin), and using the string password or Password. Other guessable passwords are words or strings like your birthday, spouse's name, or the name of any person. Weak passwords are also those that are vulnerable to brute-force attacks, in which an automated program tries a large number of possible passwords, and to dictionary attacks, which are automated programs that try all words in a dictionary in an attempt to crack an account's password. Keep in mind that dictionaries for all languages are now available on the Internet, as are dictionaries specific to technical and other fields, so all words that might be present in them are weak passwords, even derivations that substitute numbers for letters.
A strong password is everything a weak password is not, and then some. It should include numbers, symbols, and a mix of uppercase and lowercase characters. Other suggestions are to pick a couple of letters from a phrase you know well or to pick some unrelated words and connect them into a single string with punctuation marks or other symbols. Remember that a strong password is a good password only if you can remember it without writing it down.
User Authentication
Each user must have a login account and password to be able to log in to the router. The JUNOS software supports three methods of user authentication: local password authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+). With local password authentication, you set a password for each user in the router's configuration file. RADIUS and TACACS+ are centralized authentication databases for validating users who attempt to access the router using any access method. They are both distributed client/server systems: the RADIUS and TACACS+ clients run on the router, and the server runs on a remote network system.
You can configure the router to be both a RADIUS and TACACS+ client and can also configure authentication passwords in the JUNOS configuration file. If you use multiple authentication methods, you can set the order in which the router tries the different authentication methods when verifying user access. If you do not set the order, the router uses the local password first.
Password Encryption
All passwords that you enter in a JUNOS configuration are encrypted. The JUNOS software supports several methods for securing passwords using encryption and hashing algorithms (encryption is a one-to-one mapping, so it's possible to decrypt, while hashing is a many-to-one mapping, so it's impossible to unhash):
SHA1
Secure Hash Algorithm 1 is the newest algorithm, developed in 1995. It is a secure hashing algorithm that produces a 160-bit message digest that is used as a signature for a message and that must be verified by the recipient. SHA1 is considered secure because it is computationally infeasible to find a message that corresponds to a given message digest or to find two different messages that produce the same message digest. Any change to a message in transit results in a different message digest, so the signature fails to verify. However, SHA1 has recently been proven not to be as strong as originally thought.
MD5
Message Digest 5, developed in 1991, is a message-hashing algorithm that takes a message of arbitrary length and produces a 128-bit hash value (message digest). When developed, it was thought to be computationally infeasible to produce two messages with the same message digest. The use of MD5 has recently been deprecated by the U.S. Department of Defense.
DES
Data Encryption Standard, an encryption algorithm developed in 1976, uses a 56-bit key. Many people never thought DES was very strong in the first place.
SSH
Secure shell, Version 1 (RSA) and Version 2 (DSA), is a security protocol that was originally developed with the Unix BSD software.
Even when you configure a plain-text password, the JUNOS software encrypts it immediately after you type it. Also, the software forces you to use a somewhat strong password, because the password must be at least six characters long and must include either a change of case or a special character.
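As an added example that is not from the book or from Juniper's own software, the following Python check encodes the weak-password criteria from "Strategies for Choosing Passwords" together with the JUNOS minimum rule just described (six characters plus a change of case or a special character). The sample dictionary and the leet-substitution map are constructed for illustration; a real check would load a full word list.

```python
import string

# Guessable strings the chapter names explicitly: vendor names, admin, root, password.
COMMON_WEAK = {"juniper", "cisco", "root", "admin", "password"}

# Constructed stand-in for the downloadable word lists the chapter warns about;
# a real deployment would load full dictionaries (all languages, technical terms).
SAMPLE_DICTIONARY = {"router", "network", "secret", "welcome", "summer", "letmein"}

# Undo common number/symbol-for-letter substitutions before the dictionary lookup,
# since derivations such as 'p@ssw0rd' are still weak.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})


def _has_case_change(pw):
    return any(c.islower() for c in pw) and any(c.isupper() for c in pw)


def _has_special(pw):
    return any(not c.isalnum() for c in pw)


def password_problems(password, username, dictionary=SAMPLE_DICTIONARY):
    """Return the reasons a candidate password is weak; an empty list means it passes.

    The first two checks mirror the JUNOS minimum policy (six characters plus a
    change of case or a special character); the rest apply the chapter's advice.
    """
    if not password:
        return ["no password set"]
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if not (_has_case_change(password) or _has_special(password)):
        problems.append("no change of case and no special character")
    lowered = password.lower()
    if lowered == username.lower():
        problems.append("password is the same as the username")
    # Normalise substitutions and drop leading/trailing digits or punctuation
    # so that 'Jun1per!' is still recognised as the vendor name.
    core = lowered.translate(LEET_MAP).strip(string.digits + string.punctuation)
    if core in COMMON_WEAK or core in dictionary:
        problems.append("well-known or dictionary word, possibly with substitutions")
    return problems
```

Note that a password can satisfy the JUNOS minimum rule and still be rejected here: "Jun1per!" has a capital letter and a symbol but normalises to the vendor name.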