A secure network infrastructure is critical for organizations, and that requires keeping close track of what’s going on with routers, switches and other network devices. You need to be able to quickly detect and investigate threats to your perimeter security, such as unauthorized changes to configurations, suspicious logon attempts and scanning threats. For example, failing to detect improper changes to the configurations of your network device in a timely manner will leave your network susceptible to attackers breaking in to your network and even gaining control over it.
In this blog post, I share the top 4 issues that network device auditing can help solve and offer a 3-step procedure for getting started with auditing your network devices effectively.
Top 4 security issues for network devices
Issue # 1: Misconfigured devices
Improper configuration changes are one of the key threats associated with network devices. A single improper change can weaken your perimeter security, raise concerns during regulatory audits and even cause costly outages that can bring your business to a standstill. For example, a misconfigured firewall can give attackers easy access to your network, which could lead to lasting damage to your organization.
Auditing of network devices combined with alerting capabilities will give you the insight and control you need. By enabling you to quickly spot improper configuration changes and understand who changed what, auditing enables better user accountability and helps you detect potential security incidents before they cause real trouble.
Most attempts to log on to a network device are valid actions by network administrators — but some are not. Inability to promptly detect suspicious logon attempts leaves your organization vulnerable to attackers trying to hack their way to your network. Therefore, you need to be alerted immediately about unusual events, such as a device being accessed by an admin on a holiday or outside of business hours, failed logon attempts, and the modification of access rights, so IT personnel can take action to prevent a security compromise.
Having network device monitoring and alerting in place is also essential for compliance audits, so you can provide evidence that you keep a close watch on privileged users and their activities on your devices (e.g., who is logging in and how often).
Issue # 3: VPN logons
Many organizations implement virtual private network (VPN) access to improve the security of remote connections, but there are many associated risks that should not be overlooked. Practice shows that VPNs are not 100% secure and any VPN connection is a risk. Ideally, rights to access network resources via VPN are granted only after proper approvals and users are able to access only those assets they need to do their jobs. In reality, VPN connections can usually be used by anyone in the organization without any approvals.
Therefore, you need to be able to spot threats, such as a user connecting via public Wi-Fi (since someone might steal their credentials) and a user who doesn’t usually work with VPN suddenly beginning to use it (which can be a sign that a user has lost their device and someone else is trying to log in using it). Carefully monitoring your network devices and keeping track of each VPN logon attempt will help you quickly understand who tried to access your network devices, the IP address each authentication attempt was made from and the cause of each failed VPN logon.
Issue #4: Scanning threats
Network scanning is not inherently a hostile process, but hackers often use it to learn about a network’s structure and behavior to execute attack on the network. If you don’t monitor your network devices for scanning threats, you might miss improper activities until a data breach occurs and your sensitive data is compromised.
Network device monitoring and alerting will help you proactively defend your network against scanning threats by answering questions such as which host and subnet were scanned, which IP address the scanning was initiated from, and how many scanning attempts were made.
Case study: Security flaws in D-Link network devices leave users open to attacks
Experience demonstrates that many security incidents begin with attacks on network devices. Therefore, any vulnerabilities in these devices represent a major risk for an organization’s systems and data. One example is a major security flaw in D-Link devices that was discovered in 2016 by researchers from the security startup firm Senrio. They reported that a stack overflow issue in a Wi-Fi enabled camera, D-Link DCS-930L, allowed them to silently change the administrator password for the web-based management interface. This vulnerability could have been used by attackers to overwrite administrator passwords and install malware on the devices. In response to the report, D-Link promised to release a firmware update for DCS-930L to fix the vulnerability and began testing the flaw’s impact on its other models.
This was not the last time that D-Link failed to discover serious vulnerabilities in its devices by themselves. In 2018, a researcher from Silesian University of Technology in Poland reported that eight D-Link router models in the company’s small/home office “DWR” range are vulnerable to complete takeover. This time, D-link said that are going to patch only two of the eight impacted devices; the others will no longer be supported.
Getting started with network device auditing
Three basic steps will help you get started with proper network infrastructure monitoring. These are general recommendations that should be tailored to the needs of your organization; you need to know your IT environment and business processes well to audit your network devices in the most effective manner.
- Regularly assess risks and perform penetration tests.
You need to understand your attack surface area and detect vulnerabilities that could put you at risk. Regular risk assessments will help a great deal here but, ideally, you should also perform regular penetration testing to identify flaws in your network devices before hackers can discover and exploit them.
- Determine which devices you need to audit.
There is no definitive list of network devices that you need to audit; it will depend on the specifics of your business, your industry, and the size and architecture of your network. I definitely recommend you monitor the devices that are responsible for the most critical assets in your organization, as well as all internet-connected devices.
- Determine the frequency of auditing.
One of the common questions is how often you need to audit your network devices. No compliance standard defines a specific timeframe for network device auditing, and practice shows that it depends on the nature of your business and the complexity of your network infrastructure. One common guideline is to conduct monthly checks of the overall state of your network devices and ensure you get immediate alerts on suspicious activities that might pose threat to your network environment, such as a change to a device’s configuration.