Nov 01 2006

IT Isn't Secure Right Out of the Box

Network devices of any kind are security holes. Reset default settings and put policies to work that will prevent laziness from turning your network's body armor into a sieve.

Even with a truckload of security gadgets, if you don’t bother to reset the defaults on your network devices, you’re leaving the front door open to intruders. Every network device — routers, wireless access points (WAPs), network printers — comes with defaults and preset accounts that can create unsuspected entry points to the network.

You have to have administrative access to a network device to configure it, but default user identification and password combos can be truly hazardous to your network’s security. Will the manufacturers stop supplying default accounts because they’re a potential risk? Probably not. The alternatives are to build in a timed account or to build the account into the configuration software. Both of these methods could improve security, but they’ll take a little more work, and it’s doubtful either will happen. Also, when you reset the device, it will receive defaults from its internal BIOS or ROM, which will reset the default account information as well.

Most devices come with preconfigured accounts that allow full access to the device via simple passwords such as “admin” or “password.” Secure your network by identifying these accounts and either deleting them entirely or changing their passwords. Not all of these accounts are necessarily documented, so check the security bulletins on the product’s Web site.

It’s also a good idea to minimize the capabilities on all preconfigured accounts so that an intruder who finds the “admin” account won’t have network privileges. Another common default setting enables remote administration. You don’t need this feature unless you’re managing several remote networks. An intruder, however, needs only to add a port address to the Internet Protocol address to reach the router’s hidden administration pages.

Wise Choices

Unfortunately, WAPs make it easier for people to connect to your network, whether you want them to or not.

WAPs rarely come with any preconfigured security settings, leaving it up to you to pick the security options you need, says Bill Meixner, IT manager of East Hill Church in Portland, Ore. “WAPs have a default of no encryption almost across the board,” Meixner says. “It’s as if no one at the plant is giving thought to putting in a basic security portal, or even a difficult password.”

Although static Wired Equivalent Privacy (WEP) is on most wireless networks, it’s not secure: You can crack static WEP encryption with a $30 sniffer and a data analyzer. Both fit in your pocket, making detecting networks and harvesting information a piece of cake. Dynamic WEP provides fair — but not great — security. Wi-Fi Protected Access (WPA) typically requires upgrading to devices that are less than three years old. WPA2, which uses the government’s Advanced Encryption Standard, is twice as good.

The wireless device’s service set identifier (SSID) isn’t a security measure, but it can be a security black hole. Many people configure their WAPs to have the SSID clearly identify the company or home network, which can invite people to poke around your network by looking like a target of interest. Use a generic or nondescript SSID, such as “B2490” or “Lnet1.” Don’t worry about hiding the SSID either: The name shows up in the wireless packets, so you’re only making it a little harder on yourself and your users.

Other Hardware Holes

Routers and WAPs are not the only sources of security problems for network devices. Network printers aren’t just output devices; Web-accessible printers and copiers can be accessed and compromised from outside. Earlier this year, security holes were disclosed on several popular brands of printers and copiers that allowed unauthorized access to the network and monitoring of the information being printed. In one case, it was even possible to load and run programs on a copier behind the network firewall.

Bill Hull, network administrator for O’Neal, an architecture firm in Greer, S.C., points out that there are hidden security issues with many network printers and copiers. “We’ve got seven or eight very large copiers with a Linux operating system,” Hull says. “So despite the fact that you may have a policy of ‘no Linux,’ if you want a copier with those features, you’ve got to get one with Linux.”

Network-ready printers are usually preconfigured for Web access and Internet printing. Although these are powerful features, you should restrict them as much as is practical and, once again, change their default user IDs and passwords. Consider turning off file and printer sharing over Transmission Control Protocol/IP and using the NetBIOS Extended User Interface instead, which provides a slightly more secure communications channel for the printer.




CEO takeaway
Obscurity does not equal security. If there’s a hole in your network, figure that someone eventually will find it and exploit it. Take these precautions:

• Eliminate default accounts. Look for default accounts such as “guest,” “admin” and “sysadmin.” Delete or disable them by reducing the security level.
• Set up strong passwords and passphrases for network devices and change them regularly.
• Upgrade your firmware regularly. Keep a list of your network hardware and visit the manufacturer’s Web site every month or so to check for firmware updates.
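
One way to put these precautions to work is to run them as checks over the hardware list you keep for firmware tracking. The script below is an added example, not part of the original article; the inventory record layout, its field names, the sample devices and the organization name "ExampleCorp" are all assumptions made for illustration.

```python
from datetime import date

DEFAULT_ACCOUNTS = {"guest", "admin", "sysadmin"}  # names the article lists
WEAK_WIRELESS = {"none", "wep"}                    # no encryption or static WEP
FIRMWARE_CHECK_DAYS = 31                           # "every month or so"

def audit_device(dev, org_words, today):
    """Return the findings for one inventory record (a plain dict)."""
    findings = []
    for acct in dev.get("accounts", []):
        if not acct.get("enabled", True):
            continue  # a disabled account is already dealt with
        if acct["name"].lower() in DEFAULT_ACCOUNTS:
            findings.append(f"default account '{acct['name']}' is enabled")
        if not acct.get("password_changed", False):
            findings.append(f"account '{acct['name']}' still has its factory password")
    if dev.get("remote_admin"):
        findings.append("remote administration is enabled")
    wifi = dev.get("wireless")
    if wifi:
        if wifi["encryption"].lower() in WEAK_WIRELESS:
            findings.append(f"wireless encryption is '{wifi['encryption']}'")
        if any(w.lower() in wifi["ssid"].lower() for w in org_words):
            findings.append(f"SSID '{wifi['ssid']}' identifies the organization")
    age = (today - dev["firmware_checked"]).days
    if age > FIRMWARE_CHECK_DAYS:
        findings.append(f"firmware updates last checked {age} days ago")
    return findings

def audit_inventory(inventory, org_words, today):
    """Map device name -> findings, omitting devices with none."""
    report = {d["name"]: audit_device(d, org_words, today) for d in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (device names, accounts and dates are made up).
SAMPLE_INVENTORY = [
    {"name": "edge-router", "remote_admin": True, "firmware_checked": date(2006, 6, 1),
     "accounts": [{"name": "admin", "enabled": True, "password_changed": False}]},
    {"name": "lobby-wap", "remote_admin": False, "firmware_checked": date(2006, 10, 20),
     "accounts": [{"name": "netops", "enabled": True, "password_changed": True}],
     "wireless": {"ssid": "ExampleCorp-Lobby", "encryption": "WEP"}},
    {"name": "office-wap", "remote_admin": False, "firmware_checked": date(2006, 10, 15),
     "accounts": [{"name": "guest", "enabled": False, "password_changed": False}],
     "wireless": {"ssid": "B2490", "encryption": "WPA2"}},
]

if __name__ == "__main__":
    for name, items in audit_inventory(SAMPLE_INVENTORY, ["ExampleCorp"], date(2006, 11, 1)).items():
        print(name, *items, sep="\n  - ")
```

The inventory records only whether a password has been changed, never the password itself, so the list can be shared with whoever does the monthly firmware check.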