Admins, Don’t “Default” on Your Security Obligations
by Scott Hogg, on Feb 7, 2018 12:30:58 PM
Any network administrator worth his/her salt knows to change the default password on a router during its initial configuration, or you leave your network open to outside attack. Fortunately, these passwords are easy enough to change. But there's another potential path to attack that many admins don't address. It’s not so easy to mitigate, but it is very doable.
Many enterprise networks have a static or dynamically-learned default route that leads directly to the Internet from every system on the internal network. In general, default routes serve a good purpose. According to Cisco, "Default routes are used to direct packets addressed to networks not explicitly listed in the routing table. Default routes are invaluable in topologies where learning all the more specific networks is not desirable, as in case of stub networks, or not feasible due to limited system resources such as memory and processing power."
But these “Gateways of Last Resort” open the door to malware and data breaches when a network employs an Internet perimeter firewall performing port address translation (PAT) with a default policy that allows access the Internet. Even though these nodes are on internal networks, malware can still reach these internal systems. Once the host is infected, the malware then, like E.T., “phones home” to download/drop more malicious software on the host and then reach out to attacker command-and-control networks via the default route.
You may be thinking, “But our business relies on accessing the Internet, we don’t have a choice.”
Yes, it’s true that most businesses and business functions these days do rely on Internet access, but there are a number of internal systems that do not need it. For example, building automation systems, video surveillance systems, badge access systems, and data center power and cooling equipment don’t necessarily need to make outbound connections to the Internet. If you have sensitive internal applications that should only be reachable by internal resources, they don’t need a default route. And, believe it or not, it is possible to keep your systems patched and up-to-date without direct access to the Internet on every system.
While removing the default route isn’t as easy as changing the password on a new router, there are a number of methods to help you create a functional and secure environment without using a default route.
You’ll find more details in my Network World article, “How to Eliminate the Default Route for Greater Security.” Feel free to reach out with questions after reading it.