Your network system is only as strong as its weakest router.

Wayne Epperson correspondent HostingTech | wepperson@hostingtech.com

The quietly confident, 24-year-old Chris Wilson has faced some tough challenges in and around his home base, west of Philadelphia. He is a no-nonsense hombre, and he can spot your weakness before you can say "intrusion detection." Wilson is head of the security services division for WorldNet Technology Consultants (www.wtci.net), and his specialty is network penetration testing, an audit of a company's perimeter security. So take it seriously when he says one of his favorite vulnerabilities is your edge router.

"Everyone forgets about them," Wilson says of the routers. "All of the clients that have used us for a perimeter audit may be rock-solid from the firewall forward, but there is always something open on the router that should be closed. It's the device sitting out there that everyone forgets about."

Wilson gave as an example a WorldNet attack on a financial institution's network that was successful because the router had been deployed improperly. It was not password-protected, and the intrusion led to deeper access into the company's data.

When Wilson cracks into a router, sometimes he is able to change routes and route packets to places they should not go, "maybe route them back to us or route them somewhere else, which would cause a denial of service on their end," Wilson says.

Wilson adds that some name-brand routers allow Web-based configuration, and by using combinations of building commands (e.g., ping and others that have the power of outputting data) a malicious person can potentially take over the router and "tell that router to send information in a flood sort of way to another site." A single router might not cause extensive damage, he says, but if several routers were involved, the result could be a distributed denial of service attack.

Hacked routers on the rise
It was an increase in such reports of routers being used in denial of service attacks that got the attention of the security watchdog group CERT (www.cert.org) at Carnegie Mellon University. Members of the CERT incident response team collaborated with outside experts to write a white paper outlining "Trends in Denial of Service Attack Technology."

Kevin Houle, coauthor of the paper, says reports sent to CERT indicate routers are being used as launch points for denial of service attacks, as platforms for scanning activity, and as proxy points for obfuscating connections to IRC (Internet Relay Chat) networks.

"Intruders continue to compromise routers, particularly routers deployed with passwords that have not been changed from the vendor-supplied default," Houle says.

Routers are attractive targets for hackers because they are part of the network infrastructure, but they are often less protected by security policies and monitoring technology, Houle says.

The CERT paper reports "an imminent and real threat, with a potentially high impact," exists with the potential for routers being used on direct attacks against the routing protocols that connect the networks comprising the Internet.

On the issue of router vulnerabilities, Chuck Adams, general manager of security at NetSolve (www.netsolve.com), in Austin, Texas, has some long-standing, close knowledge of the subject.

Adams, who was a member of the elite Cisco Secure Consulting group before joining NetSolve last July, says, "The biggest vulnerability, based on my 15 years in the information security assessment industry, is authentication. I don't know how many routers in the world one can telnet to, straight across the Internet, and log in with the password of Cisco123, assuming it's a Cisco router."

It should come as little surprise that the culprit is not manufacturers like Cisco.

It'll never happen to me
It is not the technology that has the inherent weakness, "it's the management process around the technology that doesn't have security-injected paranoia," Adams says. "You assume you are not a target. You assume no one can do this; therefore, there is no reason to put any extra effort or diligence in managing it."

Wilson of WorldNet says he, too, sees companies in denial about being an attack risk: "People say, 'We are so small,' or, 'Our location is here in Rinky Dink, Pennsylvania; nobody cares about us.' And that is just not the case."

Bob Sensenig, vice president of sales at WorldNet, says the company's security engineers constantly search websites to find the latest and greatest hacking techniques to utilize when "we go into hosting companies or corporate accounts and do vulnerability testing to make sure they are secure from outside hackers."

Peter Perchansky, president of We Manage Servers (www.wemanageservers.com), says the managed services and managed security his company provides to hosting companies and Internet datacenter clients is on the server level.

"We work with companies like WorldNet, where they take the perimeter and we take inside the fence. We make sure all operating systems and application patches are up to date," Perchansky says. "When you look at nimda, Code Red, and similar worms and viruses that are out there - and nimda simulates a denial of service attack by consumption of resources - a lot of those worms and viruses were 100 percent preventable by the application of patches."

Perchansky says even though a hacker may exploit perimeter technologies to get into a network, We Manage Servers believes in starting off with a secure foundation, through the proactive application of patches and making sure all unnecessary services are turned off.

In nearly all of the security audits performed by WorldNet engineers, Sensenig says they find that an intrusion detection system (IDS) should be installed on the network. They recommend several offerings, from industry-leading products to basic economy versions. If the companies are not large enough to have their own 2437 monitoring staff, the IDS can be set up to report back to WorldNet's management console, where engineers can decipher any suspicious signatures and take quick action in the event of an attack.

Up the creek without a paddle?
In the opinion of the hired hacker, Chris Wilson, there is no way a company can prevent a distributed denial of service attack. As he says, "If you are targeted, there's nothing you can do." The only proactive steps are to make sure the Web server or services that may be targeted are running on systems that have enough computing muscle to handle thousands of connections simultaneously without dying and to have a close working relationship with your ISP, Wilson says.

"If you are under an attack, the best thing you can do is gather information about it and contact your ISP, and the trick is to cut the attack as far up your pipeline as you can," Wilson says.

Wilson says an attack might look like this: "They might be doing distributed denial of service, which is yielding maybe 4 Mbps of traffic coming into your network, and you only have a T1 connection [1.54 Mbps]. If your ISP is a high-enough tier that they have an OC3 [155 Mbps] connection to the Internet, you can contact them and ask that they block the ports going to your T1. All of a sudden, your pipe is no longer flooded."

Even if a company blocks an attack at the firewall, attackers can flood the pipe and legitimate customers will not be able to access the network, Wilson says. "So what we are talking about is using routers in that perspective, using them to launch denial of service attacks."

NetSolve's Adams says that although security technologies are great, "if you don't monitor security devices to detect security events, it's pretty useless. It's another router, another network device." NetSolve, which provides remote management to clients globally, applies a real-time response mechanism to security alarms received automatically in its Austin management center.

"We can implement an access control list or shun the IP address of an attack when it starts to propagate, thereby reducing the effects of the attack," Adams says.

In the world of network attacks, hackers will continue trying to compromise routers, and "it is important to include router security as your security planning evolves to ensure your routing infrastructure is protected from intrusion," says Houle of CERT.

Human error
Security planning sometimes evolves the easy way, sometimes the hard way. Wilson recalls a horror story about a project that almost went bad.