Over the past couple of months both Cisco and Juniper have had major vulnerabilities in their operating systems that allowed for remote code execution, unauthorized access, and the ability to decrypt encrypted traffic. While incidents like these should not change network security fundamentals, as pointed out in a recent blog post on the Juniper vulnerability, you must make sure to keep your devices up to date and included in vulnerability management. Attackers are going after them for a reason, and they're too important to be left unprotected.
Yet many companies don't take vulnerability management of network equipment seriously. Since there aren't frequent updates to the code, or many vulnerabilities coming out, they think it's safe to exclude these devices from the program, or at the very least not to scan them on a frequent basis. Both are areas that need to be improved. Here are 5 things you can do to tighten up the vulnerability management of your networking gear:
- Scan, Scan, Scan – It seems that many people don't want to scan these devices because they're critical to the network: if they were to go down there would be major outages. Well, the rule of thumb in vulnerability management is that when someone says a system is too important to scan, that's the place that needs it the most. Set a schedule that allows you to scan all the networking devices in your network without causing an outage (work it out with your networking team). You might want to scan the perimeter routers more frequently than the internal routers, or vice versa; that's up to you. What matters most is that you're scanning them on a scheduled frequency.
- Credentialed Scans – Not only should you be scanning on a schedule, but you should be scanning these devices via credentialed access to the systems. If you scan them without credentials you will only have a minimal view into the vulnerabilities present on these devices. In order to scan properly, a scanning account should be created that gives the vulnerability scanner direct access to the device itself. Many vulnerability management solutions will pull config files, update levels, etc., and these can be used to drill down into the risk of the networking gear. There are normally only a few commands that need to be run, and the vulnerability management account can be restricted to those particular commands in order to limit its access.
- Adhering to a Standard – After you have set up a scanning routine and schedule, the next step is to create a baseline. These baselines can be based on compliance requirements, like PCI, or on best practices, like NIST, but whatever you choose you must have a standard to give guidance to all teams involved. Of course you can change or update the standard, but it's helpful to have something to follow and to have everyone agree on it up front. A baseline also provides some insight into what you're trying to achieve.
- Review the Reports – When the scans are complete, it’s a good idea to review them in detail with all the teams involved. There are going to be findings that might seem very urgent, but when speaking with the networking team they can provide insight as to why the risk is not critical, or why, from a security standpoint, some urgent changes need to be made. Without the security and networking teams coming together remediation will come to a standstill. But with cooperation, progress in fixing the problems will occur expeditiously.
- Metrics and Alerts – Just like with any vulnerability management program, the vulnerability data, the systems affected and the remediation time of each vulnerability should be reviewed regularly. High-risk assets, such as perimeter routers or network gear in the DMZ, should be treated with a higher priority. If these systems are deemed insecure but too old to update, this vulnerability report will be helpful for making a case to have them replaced. Also, setting up a method to be alerted of urgent vulnerabilities is very important. You need to always be kept well informed of what's occurring in the wild and get alerts (e.g. Cisco, Juniper, Palo Alto or Check Point security email alerts) as soon as they're released. What you want is to be able to show specific improvements using metrics, while at the same time getting notified of threats as soon as possible.
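The scheduling, credentialed-scan and metrics points above can be tracked with a small amount of code. The following is an added example, not code from the original post or from any scanner vendor: it takes a constructed device inventory and a constructed set of findings (all names, dates, scan intervals and SLA values are assumptions chosen for illustration), flags devices whose scan is overdue for their tier, devices whose last scan ran without a scanning account, open findings past their SLA (with perimeter and DMZ gear held to a tighter window), and the mean time to remediate per tier.

```python
"""Scan-coverage and remediation metrics for network devices.

Added example. The inventory, findings, intervals and SLAs below are
constructed for illustration and are not data from any real scanner.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    name: str
    tier: str            # "perimeter", "dmz" or "internal"
    last_scan: date      # date of the most recent completed scan
    credentialed: bool   # True if that scan used the scanning account


@dataclass
class Finding:
    device: str
    severity: str        # "critical", "high", "medium" or "low"
    discovered: date
    remediated: Optional[date]   # None while the finding is still open


# Agreed scan frequency per tier, in days (assumed values standing in for
# the schedule worked out with the networking team).
SCAN_INTERVAL_DAYS: Dict[str, int] = {"perimeter": 7, "dmz": 7, "internal": 30}

# Remediation SLA in days by severity (assumed values for the example).
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Perimeter and DMZ gear is treated as high risk and gets half the SLA window.
HIGH_RISK_TIERS = {"perimeter", "dmz"}


def overdue_scans(devices: List[Device], today: date) -> List[Tuple[str, int]]:
    """Devices whose last scan is older than their tier's interval: (name, days since scan)."""
    result = []
    for d in devices:
        age = (today - d.last_scan).days
        if age > SCAN_INTERVAL_DAYS[d.tier]:
            result.append((d.name, age))
    return result


def uncredentialed_devices(devices: List[Device]) -> List[str]:
    """Devices whose last scan ran without a scanning account, so the view is shallow."""
    return [d.name for d in devices if not d.credentialed]


def sla_for(finding: Finding, tier: str) -> int:
    """SLA window in days; high-risk tiers get half the base window."""
    base = SLA_DAYS[finding.severity]
    return max(1, base // 2) if tier in HIGH_RISK_TIERS else base


def sla_breaches(findings: List[Finding], devices: List[Device],
                 today: date) -> List[Tuple[str, str, int, int]]:
    """Open findings older than their SLA: (device, severity, days_open, sla)."""
    tier_of = {d.name: d.tier for d in devices}
    breaches = []
    for f in findings:
        if f.remediated is not None:
            continue
        days_open = (today - f.discovered).days
        sla = sla_for(f, tier_of[f.device])
        if days_open > sla:
            breaches.append((f.device, f.severity, days_open, sla))
    return breaches


def mttr_by_tier(findings: List[Finding], devices: List[Device]) -> Dict[str, float]:
    """Mean time to remediate, in days, per tier, over closed findings only."""
    tier_of = {d.name: d.tier for d in devices}
    durations: Dict[str, List[int]] = {}
    for f in findings:
        if f.remediated is None:
            continue
        durations.setdefault(tier_of[f.device], []).append((f.remediated - f.discovered).days)
    return {tier: mean(days) for tier, days in durations.items()}


# Constructed sample data (hypothetical device names and dates).
TODAY = date(2016, 3, 1)
DEVICES = [
    Device("edge-rtr-1", "perimeter", date(2016, 2, 10), True),
    Device("dmz-fw-1", "dmz", date(2016, 2, 27), False),
    Device("core-sw-1", "internal", date(2016, 1, 15), True),
    Device("dist-sw-2", "internal", date(2016, 2, 20), True),
]
FINDINGS = [
    Finding("edge-rtr-1", "critical", date(2016, 2, 10), None),
    Finding("edge-rtr-1", "high", date(2016, 1, 5), date(2016, 1, 20)),
    Finding("dmz-fw-1", "high", date(2016, 2, 27), None),
    Finding("core-sw-1", "medium", date(2015, 12, 1), None),
    Finding("core-sw-1", "low", date(2016, 1, 10), date(2016, 2, 9)),
    Finding("dist-sw-2", "medium", date(2016, 2, 1), date(2016, 2, 11)),
]

if __name__ == "__main__":
    print("Overdue scans:", overdue_scans(DEVICES, TODAY))
    print("Uncredentialed:", uncredentialed_devices(DEVICES))
    print("SLA breaches:", sla_breaches(FINDINGS, DEVICES, TODAY))
    print("MTTR by tier:", mttr_by_tier(FINDINGS, DEVICES))
```

On the constructed data, the perimeter router and the core switch show up as overdue for scanning, the DMZ firewall is flagged for having been scanned without credentials, and two open findings (a critical on the perimeter router, a medium on the core switch) exceed their SLA. The halved SLA for perimeter and DMZ tiers is what turns a 20-day-old critical into a breach; the same finding on an internal device would still be inside the 7-day window for several more days of the base SLA.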
So yes, network vulnerabilities do matter, and we're seeing that they're actively being exploited by cyber criminals. So don't be complacent, or drawn into a false sense of security. Just because there aren't as many vulnerabilities for networking systems doesn't mean they're not important. In fact these vulnerabilities could be much more of a risk for your organization than many other types of attacks.