A few simple yet apparently often overlooked security measures for equipment that lives on an untrusted network.
Apparently there are quite a few people who have network equipment connected to the public network. There are also quite a few sites with ‘secure template’ pages. One of the better ones is the Cymru Secure IOS Template, and the Secure JunOS Template, written by another Team Cymru member, is also quite nice. I like these, but they are long and involved. A short summary of any of them would be the following steps:
- pick strong passwords for the last-resort password choice (hint: ‘cisco’ is not considered ‘strong’)
- choose strong SNMP community string(s)
- limit access via telnet/ssh to the device
- limit SNMP access to the device
- set the device to log to a remote syslog server
- set the device to get its time synced from some authoritative source
- consider using RADIUS or TACACS for authentication, authorization, accounting (AAA); there really is no substitute for having logs of what happened on your device while you slept
- if possible limit other protocols’ access to your device
This is really just a primer, but this should keep people from abusing the device too badly.
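
One way to check a device against the checklist above, as an added example that is not from the original post or the Team Cymru templates: a small Python audit of an IOS-style configuration. The weak-word list, the finding names and both sample configurations are constructed for illustration, and the syslog check assumes the server is given as an IPv4 address.

```python
import re
from itertools import takewhile

WEAK = {"cisco", "public", "private", "password", "admin"}  # assumed weak-word list
REQUIRED = {"no remote syslog server": r"^logging (?:host )?\d",  # finding -> pattern
            "no NTP server": r"^ntp server \S+",
            "AAA not enabled": r"^aaa new-model"}

def audit_ios_config(text):
    """Return sorted checklist findings for an IOS-style config (assumed syntax)."""
    findings, lines = set(), text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"enable (?:password|secret) (?:\d+ )?(\S+)", line)
        if m and m.group(1).lower() in WEAK:
            findings.add("weak enable password")
        m = re.match(r"snmp-server community (\S+)(.*)", line)
        if m:
            if m.group(1).lower() in WEAK:
                findings.add(f"weak SNMP community: {m.group(1)}")
            # What remains after dropping "view X" and RO/RW is the ACL, if any.
            rest = re.sub(r"\bview \S+", "", m.group(2)).split()
            if not [t for t in rest if t.upper() not in ("RO", "RW")]:
                findings.add(f"SNMP community without ACL: {m.group(1)}")
        if line.startswith("line vty"):
            # Indented lines that follow belong to this vty block.
            body = takewhile(lambda l: l.startswith(" "), lines[i + 1:])
            if not any(re.match(r"\s+access-class \S+ in\b", b) for b in body):
                findings.add(f"no access-class on {line.strip()}")
    # Global settings that must appear somewhere in the config.
    findings |= {f for f, pat in REQUIRED.items() if not re.search(pat, text, re.M)}
    return sorted(findings)

# Constructed sample configs (documentation addresses, placeholder secrets).
WEAK_CONFIG = """enable password cisco
snmp-server community public RO
line vty 0 4
 password cisco
"""
HARDENED_CONFIG = """enable secret 5 $1$constructed$placeholder
aaa new-model
snmp-server community Xk9-constructed RO 10
access-list 10 permit 192.0.2.0 0.0.0.255
logging host 192.0.2.10
ntp server 192.0.2.20
line vty 0 4
 access-class 10 in
"""

if __name__ == "__main__":
    print(audit_ios_config(WEAK_CONFIG), audit_ios_config(HARDENED_CONFIG))
```

The audit only confirms that each control is present; it does not judge whether the referenced ACL is tight enough or whether the syslog and NTP servers are reachable.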