Sunday, February 17, 2013

The standard user

In my last post I wrote about a breach of security at Europol. A network engineer stored a backup of device configurations on his private NAS, which wasn't protected and was publicly accessible from the Internet. The configurations contain the passwords for the devices. The focus of my last post was on the general lack of security implemented by users, but that was not what shocked me the most about this incident. What I found disturbing was that the devices were configured with a standard user and password.

I've seen this in networks countless times: every device is configured with the same standard user and password. When someone needs access to the devices, they are given the username and password, and security is left to the integrity of individuals. It seems to be the general rule that networks are configured this way.

This is wrong in so many ways. What happens when a user should no longer have access to the devices? This can happen either when the user is no longer employed by the company or when they are assigned a different job role within the company. What if an external consultant needs access to a single device? He will now have the password for all devices and will keep that access even when he is no longer working as a consultant for the company.

Some people argue that their devices are only accessible from within their network and that they have protected the network with a firewall. This doesn't prevent an employee who changes roles within the company from keeping their access or sharing it with other employees. It does not prevent an external consultant from gaining access to all devices. Nor does it keep track of who logged in to a device or changed its configuration.

Have you ever thought about what to do if the password is compromised? How many devices do you need to log into to change it? How do you know that you didn't miss a device? How will you redistribute the new password to all the users who need access?

What about the firewall protecting your network? How do you log into that? Does it also use a standard user? Maybe it's a different one and the password is only known to a select few, but that doesn't change the fundamentals of the problem.

You wouldn't implement a standard user on your computers, so why would you do it on your network devices?

The solution to this is extremely simple and virtually free. Just as computers authenticate against Active Directory or LDAP, almost all network devices support a central authentication service, normally RADIUS or TACACS+. With an authentication server, every user gets his own username and password. You can group users to limit access to certain parts of your devices and to certain devices. When a user's access rights change or a user should no longer have access to the network, it is simple to change or delete the user on the server, and the change takes effect immediately across the whole network. When users have individual logins, you can keep track of which users log in to which devices and of the changes they make.
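To make the mechanism concrete, here is an added example (not code from the original post or from any of the products it mentions) of a minimal RADIUS PAP exchange as described in RFC 2865: the network device sends an Access-Request carrying the user's name and the hidden password, the central server checks the user against its own store, answers Accept or Reject with a Service-Type that encodes the user's group, and records every attempt. The device knows only its own shared secret, never any user password, and deleting a user on the server takes effect on the very next login. All device addresses, user names, passwords and secrets are constructed for the example.

```python
"""Added example: a minimal RADIUS PAP exchange (RFC 2865) between a network
device and a central authentication server. All names, addresses and secrets
are constructed for the example; they are not from the original post."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3                # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6   # attribute types
ADMINISTRATIVE_USER, NAS_PROMPT_USER = 6, 7                          # Service-Type values


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length counts the 2 header bytes)."""
    return bytes([atype, 2 + len(value)]) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 s.5.2: XOR each 16-byte block with MD5(secret + previous block);
    the first block is keyed by the random Request Authenticator."""
    padded = password.encode() + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00").decode(errors="replace")


class NetworkDevice:
    """The switch or router: holds one shared secret for the server, no user passwords."""

    def __init__(self, nas_ip, secret):
        self.nas_ip, self.secret, self.ident = nas_ip, secret, 0

    def access_request(self, username, password):
        self.ident = (self.ident + 1) % 256
        authenticator = secrets.token_bytes(16)          # fresh Request Authenticator
        attrs = (_attr(USER_NAME, username.encode())
                 + _attr(USER_PASSWORD, hide_password(password, self.secret, authenticator))
                 + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in self.nas_ip.split("."))))
        header = struct.pack("!BBH", ACCESS_REQUEST, self.ident, 20 + len(attrs))
        return header + authenticator + attrs

    def check_response(self, request, response):
        """Verify the Response Authenticator so a forged Access-Accept is not trusted."""
        code, ident, _ = struct.unpack("!BBH", response[:4])
        expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + self.secret).digest()
        if ident != self.ident or not hmac.compare_digest(expected, response[4:20]):
            raise ValueError("response authenticator mismatch: reply is not from our server")
        attrs = _parse_attrs(response[20:])
        service = struct.unpack("!I", attrs[SERVICE_TYPE])[0] if SERVICE_TYPE in attrs else None
        return code, service


class AuthServer:
    """Central store: per-device secrets, per-user credentials, group rights and an audit log."""
    GROUP_RIGHTS = {"netadmin": ADMINISTRATIVE_USER, "readonly": NAS_PROMPT_USER}

    def __init__(self):
        self.devices, self.users, self.log = {}, {}, []

    def add_device(self, nas_ip, secret):
        self.devices[nas_ip] = secret

    def add_user(self, name, password, group):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), group)

    def remove_user(self, name):
        self.users.pop(name, None)                       # one change, effective on every device

    def handle(self, request, src_ip):
        secret = self.devices.get(src_ip)
        if secret is None:
            return None                                  # RFC 2865: unknown client, silently discard
        _, ident, _ = struct.unpack("!BBH", request[:4])
        req_auth, attrs = request[4:20], _parse_attrs(request[20:])
        username = attrs[USER_NAME].decode(errors="replace")
        password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
        entry, ok = self.users.get(username), False
        if entry is not None:
            salt, digest, group = entry
            ok = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)
        self.log.append((src_ip, username, "accept" if ok else "reject"))   # who tried what, where
        reply_attrs = _attr(SERVICE_TYPE, struct.pack("!I", self.GROUP_RIGHTS[group])) if ok else b""
        header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(reply_attrs))
        return header + hashlib.md5(header + req_auth + reply_attrs + secret).digest() + reply_attrs


def demo():
    """Constructed scenario: one device, an admin and a read-only user, then one revocation."""
    server = AuthServer()
    server.add_device("10.0.0.1", b"constructed-per-device-secret")
    server.add_user("alice", "Alice-Pass-1", "netadmin")
    server.add_user("bob", "Bob-Pass-2", "readonly")
    switch = NetworkDevice("10.0.0.1", b"constructed-per-device-secret")

    def login(user, pw):
        req = switch.access_request(user, pw)
        return switch.check_response(req, server.handle(req, "10.0.0.1"))

    results = {"alice": login("alice", "Alice-Pass-1"),     # (ACCESS_ACCEPT, ADMINISTRATIVE_USER)
               "bob": login("bob", "Bob-Pass-2"),           # (ACCESS_ACCEPT, NAS_PROMPT_USER)
               "bob_wrong": login("bob", "guess")}          # (ACCESS_REJECT, None)
    server.remove_user("alice")                              # alice leaves the company
    results["alice_after"] = login("alice", "Alice-Pass-1")  # (ACCESS_REJECT, None)
    return results, server.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The device never stores or compares a user password; it forwards the hidden credential and trusts only a reply whose Response Authenticator was computed with its own shared secret, so a reply from anything other than the configured server is discarded. Revocation and group changes live in one place, and the server's log answers the "who logged in where" question that a shared account cannot. The example uses PAP over RADIUS because it is the simplest exchange to show; in a real deployment the same structure holds for CHAP or for TACACS+, which additionally encrypts the whole packet body and carries per-command authorization.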

While there are commercial servers available, both RADIUS and TACACS+ servers can be downloaded and used for free. FreeRADIUS is, as the name implies, a free RADIUS server; it even comes with the Dialup Admin web interface for easy administration. The TACACS+ daemon from Shrubbery Networks is a free TACACS+ server. Neither is resource intensive, so you don't need a dedicated server to run them.

The short time you invest in setting up proper authentication for your network devices will be repaid with peace of mind and easy administration.
