As part of our extensive penetration testing experience, MTI has identified the eight most common attack vectors found through regular testing. Every organisation today has an IT infrastructure of some kind that supports the operations of the company and processes its data, from basic internet-facing services, such as email and websites, to segregated internal networks, VLANs and site-to-site VPNs.
A typical organisation's network will use the following technologies, each with its own set of threats, as shown in the diagram below:
As part of our Penetration Testing blog-series, MTI has examined the various vulnerabilities along with the appropriate remediation to the threat.
Vulnerability #7: Routers, Switches & Firewalls
Routers, switches and firewalls, collectively known as network infrastructure devices, are the most important elements of any network. In terms of security they should be the most hardened devices; however, precisely because of their importance, administrators are seldom inclined to update them, for fear of inadvertently affecting network uptime.
As well as configuring the devices correctly, their placement is of equal importance to ensure the network topology and design is resilient and can withstand sophisticated attacks; a well-configured firewall in the wrong place can negate the security it is meant to offer.
During our penetration tests, it is extremely common to find that VLANs have been configured correctly on a switch and a router correctly implements inter-VLAN routing, but the administrator has neglected to implement any access controls on the router to limit who can reach each VLAN. As a result, any user who knows the right IP address can access hosts in another VLAN as if they were all on the same LAN segment.
These are some of the common misconfigurations and threats concerning network infrastructure devices:
A well-configured router should not expose any type of administration interface to the internet or an untrusted network for any reason. It is not uncommon during an external penetration test for our testing teams to find Telnet, SSH, HTTP, HTTPS and/or SNMP exposed to anyone on the Internet. All of these services are vulnerable to various attacks such as traffic interception, password guessing and even known authentication bypass vulnerabilities.
If an attacker gains access to a device then they could grant themselves full access to other network segments, upload a custom firmware image to the router that copies the traffic and forwards it to an attacker-controlled host or even reconfigure it to cause a denial of service condition.
If no administration services are accessible, then it is very hard, if not impossible, to compromise the device. If the configuration of your system allows an administration interface to be exposed to the Internet, it is very likely that a working practice is incorrect and needs to be addressed; if exposure is genuinely unavoidable, access should be confined to a VPN and source IP restrictions put in place.
Most devices support two methods of authentication: local accounts, and a TACACS+/RADIUS-type login that uses an authentication server. The main difference between the two is that local accounts usually cannot be locked out and are less likely to have their password changed regularly. They also commonly become shared accounts used by several people, which undermines auditing and accountability.
When using TACACS+, a user's Active Directory account is normally used, which then benefits from all the password controls already present on the network, such as password strength, expiry and lockout protections. This makes it much harder for an attacker to gain access to a user's account via a password attack unless the user has chosen a weak password.
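As an added illustration (not MTI's tooling and not code from the original post), the following Python script performs a small automated configuration review of the kind described above. It parses a constructed IOS-style configuration sample (the syntax and values are assumed, not taken from a real device) and flags cleartext HTTP management, a default SNMP community, vty lines that accept Telnet or have no access-class, and the absence of AAA, which means local-only accounts.

```python
from typing import Dict, List

# Constructed sample in Cisco IOS-like syntax, not from any real device. It shows
# the weaknesses described above: Telnet/HTTP management, a default SNMP
# community, vty lines with no access-class, and local-only login (no AAA).
SAMPLE_CONFIG = """\
hostname edge-router
username admin privilege 15 secret 5 $1$PLACEHOLDER
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

def parse_config(text: str) -> Dict[str, List[str]]:
    """Map each top-level config line to its indented sub-commands."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def review_config(text: str) -> List[str]:
    """Return one finding per management-plane weakness found in the config."""
    sections = parse_config(text)
    findings: List[str] = []
    if "ip http server" in sections:
        findings.append("cleartext HTTP management enabled (ip http server)")
    if "aaa new-model" not in sections:
        findings.append("no AAA: local accounts only, so no central lockout or password expiry")
    for line, children in sections.items():
        parts = line.split()
        if parts[:2] == ["snmp-server", "community"] and parts[2:3] in (["public"], ["private"]):
            findings.append(f"default SNMP community '{parts[2]}' configured")
        if line.startswith("line vty"):
            # 'transport input' lists the protocols accepted on the vty lines
            transports = [c.split() for c in children if c.startswith("transport input")]
            if any("telnet" in t or "all" in t for t in transports):
                findings.append(f"{line}: Telnet permitted on management lines")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{line}: no access-class restricting management source addresses")
    return findings
```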
Most routers have no automatic update facility or incremental patching ability, so a full firmware image must be obtained and applied to the device, which invariably means taking the device offline for a short period. This deters administrators from performing the update and can also lead Change Control boards to refuse to authorise the change.
Vendors compound this issue by limiting access to new firmware images to customers with a valid support contract. Arguably, updating network infrastructure devices, especially Internet-facing ones, is at least as important as updating servers and workstations, and it is imperative that a method of updating them regularly is in place and that everyone on a Change Control board understands the importance of this task.
Penetration Testing for Routers, Switches & Firewalls
Network infrastructure devices should be reviewed by a combination of several tests:
- External Penetration Test
- Manual and Automated Configuration Reviews
- Firewall Ruleset Reviews
- Network Topology Reviews
- VLAN Hopping Tests
- Network Segregation Tests
Each test on its own can help identify certain vulnerabilities but combined they present a robust and complete test profile.
Each test covers a distinct area:
- An external test identifies any administration services exposed to the internet.
- The configuration review assesses internal-facing services and how the device is configured in general.
- The ACL review checks whether any weak, duplicate, contradictory or incorrect ACLs are present.
- The topology review checks the placement of the devices to ensure they offer the protection they are intended to.
- The VLAN hopping test reviews how any VLANs have been implemented.
- The segregation test checks that network segments which should not be able to reach each other are correctly isolated.
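As an added example (not MTI's tool and not code from the original post), the following Python script performs the duplicate and contradictory ACL review described above on a constructed inter-VLAN ruleset of the kind that was missing in the router scenario earlier. Assuming first-match evaluation, it flags exact duplicates, rules shadowed by an earlier rule with the same action, and rules contradicted by an earlier rule with the opposite action; the rule format and sample addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    proto: str   # "tcp", "udp", "icmp" or "any"
    port: str    # destination port or "any"

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto) or outer.port not in ("any", inner.port):
        return False
    return (ip_network(inner.src, strict=False).subnet_of(ip_network(outer.src, strict=False))
            and ip_network(inner.dst, strict=False).subnet_of(ip_network(outer.dst, strict=False)))

def review_ruleset(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Assume first-match evaluation and report (earlier, later, issue) triples:
    'duplicate'     - identical rule repeated,
    'shadowed'      - later rule never reached, same action (dead rule),
    'contradictory' - later rule never reached, opposite action (intent defeated)."""
    issues: List[Tuple[int, int, str]] = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if earlier == later:
                issues.append((i, j, "duplicate"))
            elif covers(earlier, later):
                kind = "shadowed" if earlier.action == later.action else "contradictory"
                issues.append((i, j, kind))
    return issues

# Constructed inter-VLAN ACL (user VLAN 10.10.0.0/16 to server VLAN 10.20.0.0/16),
# not from any real device: the SSH rule sits after the catch-all deny, and the
# HTTPS rule is repeated at the end.
SAMPLE_RULES = [
    Rule("permit", "10.10.0.0/16", "10.20.0.0/16", "tcp", "443"),
    Rule("deny",   "10.10.0.0/16", "10.20.0.0/16", "any", "any"),
    Rule("permit", "10.10.5.0/24", "10.20.1.0/24", "tcp", "22"),
    Rule("permit", "10.10.0.0/16", "10.20.0.0/16", "tcp", "443"),
]
```

Running `review_ruleset(SAMPLE_RULES)` reports the SSH rule as contradicted by the deny at index 1 and the final rule as both a duplicate of index 0 and contradicted by index 1.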
We strongly advise that these tests are incorporated into any penetration testing scope, as invariably all other network security is built on the assumption that these areas have been correctly implemented. Learn more about MTI's testing services here.