There has been a lot of talk lately about security in network equipment such as switches, routers and GPON OLTs. Every day, threats, attacks and attempted attacks are more present and closer to ISP infrastructures.
This is a recurring problem for providers, who suffer disruption of their traffic or improper access that locks them out of, or deletes, entire equipment configurations. Our technical support receives at least one such help request every week.
Denial of Service (DoS) is a technique in which an attacker uses network-connected equipment to take a service, a computer or an Internet-connected network out of operation. When it is carried out in a coordinated and distributed way, that is, when a set of machines is used in the attack, it is called a Distributed Denial of Service (DDoS) attack.
The most common attacks are based on three points:
Volume: the most common kind; legitimate-looking requests are sent to DNS, NTP or SNMP servers from a spoofed source IP address so that the replies flood the victim;
Protocols: consume the equipment's own resources (state tables, CPU) and are measured in packets per second;
Application: originate from genuine requests, and the objective is to crash a specific service such as a web server or VoIP.
The idea of this article is not to offer miraculous solutions that will make you never receive an attack attempt again, but to share good practices that can help you in your day-to-day operation. We recommend seeking further information about attack mitigation; there are companies specialized in this segment.
“But I, as an Internet Provider, what can I do to start protecting myself? How can I minimize the risks?”
Check out the 11 items we will cover in this article:
1. Importance of keeping equipment up to date
2. Disable Telnet
3. Date and time
4. Enable SNMPv3 and remove the "public" community
5. Distinct users with least privileges according to role or hierarchy
6. RADIUS or TACACS+
7. Define which IP addresses can access the equipment
8. Logs and audits
9. Bandwidth control policies
10. Packet storms: storm-control
11. Backup of settings
Let's go through them.
Also watch the playlist detailing these 11 points:
1. Importance of keeping equipment up to date
Equipment manufacturers are always implementing protections in their firmware versions, whether against possible DoS or DDoS attacks, security flaws or plain bugs. Periodically check what your manufacturer has added in new firmware versions.
Whenever Datacom releases a new firmware, it comes with a document called the release notes, which details everything that was implemented or fixed. It is worth reading. Ah! We also periodically implement suggestions that originate from our customers.
Therefore, as a good practice, we recommend always keeping your equipment on the latest version.
Release notes and firmware for Datacom products can be found on our self-service portal, DmSupport.
2. Disable Telnet
Disable Telnet: this type of communication takes place in clear text. Prefer access via SSH (Secure Shell), which is encrypted. A malicious person could be analyzing your network traffic and reading all the settings, usernames and passwords that you send to your equipment.
So, access your equipment only via SSH.
Example of analysis of a telnet access
3. Date and time
Do not leave the equipment with that default 1970 date!! An accurate date and time are essential for analyzing the equipment's logs and alarms. Don't leave this setting for later; act before something happens.
The configuration is straightforward: point the equipment to an SNTP (Simple Network Time Protocol) server. If that server offers authentication with a shared key, even better.
SNTP communication runs over UDP on port 123, and a quick Google search will show you that this type of service can be targeted by UDP packet floods. Stay tuned!
4. Enable SNMPv3 and Remove the “Public” Community
SNMP (Simple Network Management Protocol) is a widely used network management standard in TCP/IP networks. It is an application-layer protocol that makes it possible to manage the network's performance and problems in real time; its specification can be found in RFC 1157. The purpose of SNMP is to transport the management information of network assets, using UDP ports 161 and 162.
Prefer SNMPv3, the latest version of the protocol, which supports authentication with SHA or MD5. Version 2 is the most used and handles the protocol better than version 1, but both are vulnerable when compared to version 3, as they send community strings in plain text.
It is very important that you change the "public" community or remove it from the equipment's configuration. Use distinct communities for read-only and read-write access. Setup is simple and will keep your equipment better protected.
5. Distinct Users and with minimum privileges according to their role or hierarchy
Don't be tempted to keep the equipment's default user. Attackers will always try the most common default accounts first, such as admin, administrator, root, guest, monitor, user and others.
At this point, we would like to highlight our line of equipment running the DmOS operating system, which follows the highest standards of software development and lets you, as the person managing the network, flexibly apply the most diverse configurations.
With that in mind, we deliver a fully scalable system so that any type of configuration is possible, regardless of the size, scenario or needs of your network. By default, the DmOS platform comes completely "clean", ready for you to put good security recommendations into practice.
You will be able to consult or verify the undue access attempts through the equipment LOGs, something similar to the one shown below.
In the image above, 2,298 access attempts were verified only on 05/25/2020. Of course, this equipment has a valid IP and there is no firewall in the environment where it is installed. Here, it is worth reflecting, is it really necessary to have a public IP for equipment management? What would be the damage that the attacker could have done if the login and password were with the famous “admin”?
Ah! And give each user the correct access privileges! Not every user of the equipment needs to be able to configure it completely: first-level support staff generally only need the visualization commands, the "shows". Only the network administrators who actually need to change settings should have that level of access.
Set up strong passwords: no birthdays or number sequences, which are easy to guess, and remember that lists of the most common passwords can be found on the Internet.
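As an added illustration (not Datacom code, and not real DmOS log output), the script below parses constructed syslog-style login lines like the ones the article refers to, counts failed attempts per day and per source address, and flags the default account names listed above. The log format, the host name and the threshold of three failures are assumptions for the example.

```python
"""Count failed management-login attempts and flag default usernames.

Added example: the log format below is a hypothetical syslog style,
NOT Datacom's DmOS output.
"""
import re
from collections import Counter

# Constructed sample lines (IPs are from documentation ranges).
SAMPLE_LOG = """\
May 25 2020 03:12:07 sw-core-01 sshd: authentication failure for user admin from 203.0.113.10
May 25 2020 03:12:09 sw-core-01 sshd: authentication failure for user admin from 203.0.113.10
May 25 2020 03:12:11 sw-core-01 sshd: authentication failure for user root from 203.0.113.10
May 25 2020 03:15:40 sw-core-01 sshd: authentication failure for user guest from 198.51.100.7
May 25 2020 08:01:02 sw-core-01 sshd: accepted login for user noc-joao from 10.0.0.15
May 26 2020 01:44:13 sw-core-01 sshd: authentication failure for user monitor from 203.0.113.10
"""

# Default account names that attackers try first (the list from the article).
DEFAULT_USERS = {"admin", "administrator", "root", "guest", "monitor", "user"}

FAILURE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4}) \S+ \S+ \S+: "
    r"authentication failure for user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(log_text):
    """Yield (date, user, src) for each failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            date = f"{m['month']} {int(m['day']):02d} {m['year']}"
            yield date, m["user"], m["src"]


def summarize(log_text, threshold=3):
    """Aggregate failures per day and per source; sources at or above
    `threshold` failures are reported as suspicious (brute-force candidates)."""
    per_day = Counter()
    per_src = Counter()
    default_user_hits = Counter()
    for date, user, src in parse_failures(log_text):
        per_day[date] += 1
        per_src[src] += 1
        if user in DEFAULT_USERS:
            default_user_hits[user] += 1
    suspicious = sorted(src for src, n in per_src.items() if n >= threshold)
    return {
        "per_day": dict(per_day),
        "per_src": dict(per_src),
        "default_user_hits": dict(default_user_hits),
        "suspicious_sources": suspicious,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for day, n in sorted(report["per_day"].items()):
        print(f"{day}: {n} failed attempts")
    print("default accounts targeted:", report["default_user_hits"])
    print("suspicious sources:", report["suspicious_sources"])
```

The same aggregation can be run over a syslog server's files; the interesting signal is a single source cycling through default account names, which is exactly what a properly restricted management ACL (item 7) and non-default usernames prevent from succeeding.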
6. RADIUS or TACACS+
RADIUS and TACACS+ protocols are commonly used to provide Authentication, Authorization and Accounting (AAA) services on network devices.
RADIUS was designed to authenticate remote dial-up users to a network, while TACACS+ was designed for administrator access to network devices.
The main difference between them is that TACACS+ separates the authorization function, whereas RADIUS combines authentication and authorization.
Exploring the three "As", we have:
Authentication – verifies and confirms the user's identity. Who is the user?
Authorization – defines the user's privileges and restrictions, that is, whether or not an operation may be executed on the equipment. What can the user do?
Accounting (audit) – collects information about the behavior of users and how they consume network resources. What did the user do?
The use of these protocols facilitates the administration of users who will or may have access to the equipment, in addition to adding security to the access control of the equipment.
With a centralized access server, you configure in one place all the people who will access the equipment, avoiding individual, manual configuration on each device. Not to mention that you, as a provider, know there is a certain turnover of technicians: when one of them leaves, you would otherwise have to log in to each piece of equipment to remove their access. Wouldn't it be easier and faster to do this in just one place?
Such a server is typically set up on a Linux platform, and on the Internet you can find several tutorials covering its implementation and use. It's worth doing some research.
7. Define which IP addresses can have access to the equipment
Don't let any IP or network access your equipment, check which addresses really need access and create filters or access control lists. Prevent your equipment from being exposed and vulnerable.
In addition to the controls that can be performed on the permissions for IP addresses, we can guide you in creating rules that filter traffic by IP address or source/destination port for applications that are actually running or being used in your structure, such as OSPF, BGP, MPLS/LDP and others. Here at Datacom we have examples of configurations for our equipment that can help you in this task.
You can choose to configure:
Blacklist: here, you enter what you want to block. Access that does not match any created rule will be permitted.
Whitelist: for this configuration you need to know everything you want to allow and enter it explicitly, from protocols to IP addresses. Access that does not match any rule will be summarily denied/discarded.
There is no right or wrong choice, only the one that best fits your scenario or operating concept.
For a whitelist, we insert all the protocols that will be allowed, plus SSH access from the 10.0.0.0/24 network. Any other type of access or protocol that is not explicitly allowed is blocked by the final deny rule.
For a blacklist, in the following example SSH and ICMP access is allowed for the 10.0.0.0/24 network and blocked for all other sources, while every other protocol is allowed by the permit rule at the end of the ACL.
Implement mechanisms that prevent packets whose source addresses are not part of one of your internal address blocks from leaving your network (anti-spoofing egress filtering).
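The following is an added example (not DmOS ACL syntax) that evaluates a whitelist and a blacklist with first-match semantics, so the difference between the two ends of the ACL is visible, and adds the egress anti-spoofing check from the last paragraph. The protocol names, the rule tuple format, the management network 10.0.0.0/24 (from the text) and the "own address blocks" list are assumptions; 203.0.113.0/24 is a documentation range standing in for a provider's public block.

```python
"""Whitelist vs. blacklist ACL evaluation and anti-spoofing egress check.

Added example; the rule format is invented for illustration and is not
the configuration syntax of any Datacom product.
"""
import ipaddress


def make_rule(action, proto="any", src="0.0.0.0/0", dport=None):
    """One ACL entry: action is 'permit' or 'deny'; 'any' and None wildcard."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src), "dport": dport}


def evaluate(acl, packet):
    """Return the action of the first rule matching the packet.

    packet: {"proto": "tcp"|"udp"|"icmp"|"ospf", "src": "a.b.c.d", "dport": int|None}
    Unmatched traffic hits an implicit deny, as on most platforms; a
    blacklist therefore needs an explicit permit-any as its last rule.
    """
    src = ipaddress.ip_address(packet["src"])
    for rule in acl:
        if rule["proto"] != "any" and rule["proto"] != packet["proto"]:
            continue
        if src not in rule["src"]:
            continue
        if rule["dport"] is not None and rule["dport"] != packet.get("dport"):
            continue
        return rule["action"]
    return "deny"


MGMT_NET = "10.0.0.0/24"  # management network from the article

# Whitelist: only routing protocols in use plus SSH from the management
# network are released; everything else falls through to the final deny.
WHITELIST = [
    make_rule("permit", "ospf"),
    make_rule("permit", "tcp", dport=179),            # BGP
    make_rule("permit", "tcp", MGMT_NET, dport=22),   # SSH from management only
    make_rule("deny"),                                # explicit final deny
]

# Blacklist: SSH and ICMP only from the management network, blocked from
# anywhere else; every other protocol is allowed by the trailing permit.
BLACKLIST = [
    make_rule("permit", "tcp", MGMT_NET, dport=22),
    make_rule("permit", "icmp", MGMT_NET),
    make_rule("deny", "tcp", dport=22),
    make_rule("deny", "icmp"),
    make_rule("permit"),                              # permit-any at end of ACL
]

# Assumed "own" address blocks for the egress anti-spoofing check.
INTERNAL_BLOCKS = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "100.64.0.0/10", "203.0.113.0/24")]


def egress_allowed(src_ip):
    """A packet may leave the network only if its source belongs to one
    of our own blocks; anything else is a spoofed source and is dropped."""
    src = ipaddress.ip_address(src_ip)
    return any(src in block for block in INTERNAL_BLOCKS)


if __name__ == "__main__":
    ssh_from_internet = {"proto": "tcp", "src": "198.51.100.7", "dport": 22}
    print("whitelist:", evaluate(WHITELIST, ssh_from_internet))
    print("blacklist:", evaluate(BLACKLIST, ssh_from_internet))
    print("egress 192.0.2.1 allowed:", egress_allowed("192.0.2.1"))
```

Note that under the blacklist, SNMP from the Internet (UDP/161) is still permitted because nothing blocks it, while the whitelist drops it; that is the trade-off between the two styles the text describes.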
Stay tuned and protect yourself! Count on us, we are here to carry out this activity together.
8. Logs and audits
Make sure the equipment is generating logs, whether for direct query via the command line (CLI) or sent to syslog servers, where you can query and analyze them with filters in the application of your choice.
Analyze your network's inbound and outbound traffic and check for unauthorized access attempts or leaks of important data. Create a routine for regular audits.
9. Bandwidth Control Policies
Apply bandwidth control to the VLANs or IP addresses used for equipment management; this way, possible attacks via ICMP, the famous Ping of Death, or packet storms can be reduced.
Interfaces facing customers or carrying transport traffic must have bandwidth limits according to the contracted service.
10. Packet storms: Storm-control
The storm-control feature, when enabled, prevents an interface from being flooded by a storm of unknown unicast (DLF, destination lookup failure), broadcast or multicast packets: it monitors incoming packets and compares their rate against configured thresholds.
If the number of packets received exceeds the configured limit, the excess is discarded. The technique thus caps how many packets of each class may enter the interface.
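As an added example (not the DmOS implementation), the simulation below models storm-control as a per-interface, per-class packet-per-second threshold: broadcast, multicast and DLF packets above the limit in a one-second window are dropped, while known unicast is never subject to the limit. The interface name, the threshold values and the one-second window are assumptions.

```python
"""Storm-control simulation: per-interface pps thresholds for broadcast,
multicast and unknown-unicast (DLF); excess packets are discarded.

Added example, not Datacom's implementation. Real hardware may express
the limit as pps or as a percentage of interface bandwidth.
"""
from collections import defaultdict


class StormControl:
    def __init__(self, limits_pps):
        # limits_pps: {"broadcast": 100, "multicast": 200, "dlf": 50}
        self.limits = limits_pps
        self.window = None                  # current one-second window
        self.counts = defaultdict(int)      # (interface, class) -> accepted in window
        self.dropped = defaultdict(int)     # (interface, class) -> dropped in total

    def ingress(self, interface, traffic_class, timestamp):
        """Return True if the packet is accepted, False if discarded."""
        sec = int(timestamp)
        if sec != self.window:              # new window: reset the counters
            self.window = sec
            self.counts.clear()
        limit = self.limits.get(traffic_class)
        if limit is None:
            return True                     # known unicast is not rate-limited
        key = (interface, traffic_class)
        if self.counts[key] >= limit:
            self.dropped[key] += 1
            return False
        self.counts[key] += 1
        return True


def simulate_storm(limit=100, storm_packets=350, unicast_packets=500):
    """Flood one interface with broadcast while normal unicast flows in
    the same second; return (broadcast accepted, broadcast dropped,
    unicast accepted)."""
    iface = "gigabit-ethernet-1/1/1"        # assumed interface name
    sc = StormControl({"broadcast": limit, "multicast": 200, "dlf": 50})
    bcast_ok = sum(
        sc.ingress(iface, "broadcast", 1.0 + i / storm_packets)
        for i in range(storm_packets)
    )
    ucast_ok = sum(
        sc.ingress(iface, "unicast", 1.0 + i / unicast_packets)
        for i in range(unicast_packets)
    )
    return bcast_ok, sc.dropped[(iface, "broadcast")], ucast_ok


if __name__ == "__main__":
    accepted, dropped, unicast = simulate_storm()
    print(f"broadcast accepted={accepted} dropped={dropped}; unicast accepted={unicast}")
```

The point the simulation makes is that the cap is per traffic class: a broadcast storm on a customer port is cut at the threshold without touching the legitimate unicast traffic on the same interface.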
11. Backup of Settings
Last but not least: create a backup routine for ALL your equipment settings! Either store the configuration in the memories available inside the devices or transfer it to a server via TFTP or SCP.
Having this routine in place will reduce your downtime in case of intrusion, disaster or loss of settings. Ah! You can also configure this task to run automatically. If in doubt, consult your equipment's quick setup guide or open a support ticket with us.
Bear in mind that Datacom has a complete training structure at its headquarters, where on-site training is offered (check availability with the commercial team due to the pandemic scenario), as well as an online training platform (DATACOM EAD). During training, you can configure various topologies and application scenarios and count on the help of our professionals with a series of best practices that will help a lot in the operation of your network.