
SANS ISC: InfoSec Handlers Diary Blog



ADSL Router / Cable Modem / Home Wireless AP Hardening in 5 Steps

Published: 2008-04-11
Last Updated: 2008-04-11 19:58:32 UTC
by John Bambenek (Version: 1)
1 comment(s)

Last month, we discussed the possibility of a D-Link Router worm for consumer network hardware. While there were particular problems with D-Link, there are dangers in all consumer network hardware that require the attention of everyone who installs these devices, regardless of the vendor. Taking a device out of the box, plugging it in and letting it go can expose you to "worms" or other remote exploitation. This stems from the same problem we see with software and operating systems, namely that these things do not ship in a secure-by-default configuration. Here are 5 easy steps to take when you get a network device / access point to harden yourself against "easy" exploitation (and this applies to ALL hardware):

1) Change the default passwords, preferably to a strong password (at least 8 characters that include upper/lower case, numbers and special characters). Many of these devices ship with a password of "password" or "admin", and that is just asking for someone to kick over your router.

2) Disable remote administration. Administration of your router / access point should be "local only"; there is no reason to give people from another country access to your network hardware. If you need to make changes, you should be local to the device (i.e. physically connected, on the internal side of the network, etc.).

3) Update the firmware. Believe it or not, consumer network hardware needs to be patched too. Check the vendor's support site when you get the device and look for an update. Sign up for e-mail alerts for updates, if available, or check back on a regular basis.

4) Disable unused services. Many of these devices are "feature rich" and enable these features by default even though 95% of users will never use them. Turn off SNMP, UPnP, "DMZ" features, etc. SNMP in particular allows someone to grab all of your device's settings, especially if the community string is "public" (and by default, 99% of the time it is). This is a big one and will likely account for the largest amount of exploitation: open SNMP that gives away all your settings to the world on request.

5) Change the default settings of the device. All vendors tend to use the same set of default settings for their devices, such as the IP addresses of the internal network. Change these settings to something that makes sense for what you are trying to do. Changing the default wireless settings is also important, especially using WPA2 authentication and not WEP. Hardening access points is a topic of its own, though.

6) (Okay, there are more than 5.) Submit your logs to DShield. Here is a nice guide on how to send your logs from these kinds of devices to us. The more submitters we have, the more complete a picture we have of what is going on, and the better the intelligence we can share with you. Especially in the consumer ISP space, there is lots of action that would be helpful for us to see.
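As an added example (not part of the diary or any vendor's tooling), here is a small Python checker that applies the six steps above to a device's settings record; the key names, the lists of factory defaults and the sample values are all constructed assumptions, since every device exports its configuration differently.

```python
"""Offline check of a home router's settings against the six steps above (added
example, not from the diary; the keys are a constructed stand-in for your device's export)."""
import re

# Constructed samples of factory defaults commonly found on consumer gear.
DEFAULT_PASSWORDS = {"", "password", "admin", "1234"}
DEFAULT_LAN_SUBNETS = {"192.168.0.0/24", "192.168.1.0/24"}


def password_is_strong(pw):
    """Step 1 rule from the diary: 8+ chars with upper, lower, digit, special."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def audit(s):
    """Return a list of findings; an empty list means every step is satisfied."""
    findings = []
    pw = s.get("admin_password", "")
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("step1: admin password is a factory default")
    elif not password_is_strong(pw):
        findings.append("step1: admin password does not meet the strength rule")
    if s.get("remote_admin_enabled"):
        findings.append("step2: WAN-side remote administration is enabled")
    if s.get("firmware_version") != s.get("vendor_latest_firmware"):
        findings.append("step3: firmware is behind the vendor's current release")
    if s.get("snmp_enabled"):
        default = s.get("snmp_community") in ("public", "private")
        findings.append("step4: SNMP is on" + (" with a default community string" if default else ""))
    for key, label in (("upnp_enabled", "UPnP"), ("dmz_enabled", "DMZ host forwarding")):
        if s.get(key):
            findings.append(f"step4: {label} is enabled")
    if s.get("lan_subnet") in DEFAULT_LAN_SUBNETS:
        findings.append("step5: LAN still uses the vendor default subnet")
    if s.get("wifi_security") not in ("WPA2-PSK", "WPA2-Enterprise"):
        findings.append("step5: wireless is not using WPA2")
    return findings


# Constructed "out of the box" export and a hardened copy of it.
FACTORY = {"admin_password": "admin", "remote_admin_enabled": True,
           "firmware_version": "1.0", "vendor_latest_firmware": "1.2",
           "snmp_enabled": True, "snmp_community": "public", "upnp_enabled": True,
           "dmz_enabled": False, "lan_subnet": "192.168.1.0/24", "wifi_security": "WEP"}
HARDENED = dict(FACTORY, admin_password="Rtr!2008-Fence", remote_admin_enabled=False,
                firmware_version="1.2", snmp_enabled=False, upnp_enabled=False,
                lan_subnet="10.47.3.0/24", wifi_security="WPA2-PSK")
```

Running `audit(FACTORY)` reports seven findings covering steps 1 through 5, while `audit(HARDENED)` returns an empty list.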

--
John Bambenek / bambenek [at] gmail {dot} com
