When it comes to an enterprise's network, routers are at the top of the food chain. Clients request information, servers provide information, and switches connect clients and servers together. But routers run the network.
The security you add when managing routers can make the difference between providing a functional and responsive network or an isolated intranet that provides services to no one. Let's look at some steps you can take to maintain router security.
Managing your routers starts with how you configure them. If you don't have a baseline document that details your routers' configurations, you need to create one.
If you need some help, check out the National Security Agency's guidelines. These guides are comprehensive and provide an excellent starting point.
Establishing and documenting a router's configuration brings you to the first crucial step in securely managing that configuration: Loading and storing the initial baseline configuration in a secure manner is essential.
Ideally, you should perform the initial configuration from the console and store it on a network drive. Most important, do not store it on the local drive of a laptop! Portable computing devices (i.e., laptops, PDAs, memory sticks, etc.) have a way of getting lost or stolen, which can compromise the integrity and functionality of your entire network.
After you've loaded the configuration, your next step is to synchronize the running configuration with the startup configuration. But don't think you're finished once the router is up and running on the network — you need to maintain that configuration and make changes periodically.
Some administrators like to make changes online, while others prefer making changes offline and then uploading the configuration. Both have their benefits.
When making online changes, you can get immediate feedback as well as syntax checking. For example, the router will alert you if you misspell a command. In addition, if you make a change that causes problems with your network, you'll generally know right away.
On the other hand, if you make offline changes, you have the opportunity to add comments and use router configuration editors. However, this method provides no syntax checking or feedback on changes.
If you decide to use the offline approach, make sure you use a secure method of configuration delivery. Trivial File Transfer Protocol (TFTP) is not a recommended method for delivery as it provides no security for connection or delivery of your configuration. File Transfer Protocol (FTP) — as long as you configure a username and password — or Secure Copy Protocol (SCP) are the most secure methods of delivering a new configuration.
Regardless of how you manage the updates of your router configurations, it's essential that you save each configuration change and document all modifications. This enables you and others to better understand the changes and review them if something goes awry.
Data has a way of walking out the front door and ending up in the wrong hands. To prevent such an event, never store router configurations on portable media. Instead, keep your configurations safely behind a folder secured with the proper permissions on a network drive.
Worried about security issues? Who isn't? Automatically sign up for our free IT Security newsletter, delivered every Tuesday and Friday, and get hands-on advice for locking down your systems.