IT teams have understood and feared the impact of hackers and malware on IT systems for decades. Today, service providers and organizations operating their own networks are learning that the security of network devices is subject to the same risks. Exploiting a loophole in network security could bring down all or part of a network and even allow someone to spy on traffic or inject fake data.
In today’s world, where nation states are regularly suspected hacking and spying, it is important to know how to secure network devices. For any network operator, the first and most important step to network device security is to plug the holes that present the clearest risk. And these are not even the risks of exploitation.
Hacking of network devices occurs regularly on all types of devices from network equipment vendors. In most cases, hacks fall into two categories — identity theft controlling traffic and hacking network device management systems. If carriers are concerned about network security threats, they must first close those loopholes.
Eliminate Holes to Secure Network Devices
IP networks exchange route information using control packets sent from device to device to advertise connectivity. Routing tables are built from these exchanges, and if someone introduces a false route advertisement, it can create inefficient or even invalid routes.
The Border Gateway Protocol (BGP) is the source of most of these hacks because it is the protocol used to advertise routes on the networks of different providers. BGP is a complex framework, but it allows network operators to customize the routes they advertise and the sources they accept for other routes.
To secure network devices, first use BGP Route Control (Access Control Lists) to define route advertisements that network operators can accept and advertise. Second, use BGP snooping to make sure something isn’t leaking into the network due to a inability to configure routes correctly.
Device management hacks are an even more insidious problem because they allow an intruder to change almost anything. In fact, they can sometimes cause network operators to lose control of their own network equipment. Most routers support strong encryption for management links, so operators should use the strongest encryption available. Additionally, they should eliminate all default ID and password combinations included for device configuration as soon as a device is installed. This should be done in the lab, not in the live network.
Management system passwords should also be changed regularly and include strong identification of the source of management packets. Generally, it is not a good idea to allow a packet targeting a management API to come from the internet or from one of your VPN subnets where no management system instance should be installed.
Logging is another critical step in securing network devices. All access to a management API must be logged, and every change made to the configuration of any device must also be logged in a before-and-after form, with the source of the change clearly identified by both username and password. IP adress. It’s easy enough to use an API and reporting software to examine management access patterns to look for anything out of the ordinary.
Network element exploits
This brings us to the last class of hacks – exploits. An exploit is a software defect that allows nonconforming code to be introduced into a network device. A common source of exploits is a buffer overflow, where a particular type of message causes the buffer that contains it to overflow, writing over whatever is beyond it in memory. If it’s code, it’s possible to include malware in the data message and then trick the code into executing beyond the buffer. The wrong code can then open a gap for more serious hacking.
Network devices are as vulnerable as computer systems to exploits, and a number of network element exploits have taken place over the past year. When exploits are discovered, vendors patch them quickly, but not everyone applies patches quickly. Never delay applying these fixes, because once you introduce malware into a network, it’s hard to be sure you’ve completely removed it. Exploits can open the door to widespread contamination of your management systems and other devices.
The recent focus in the area of exploit attacks has been the risk of a government agency tricking a device vendor into integrating a backdoor that can be exploited at will. Such a move would allow the agency to break into a network and perform almost any hostile function, from spying on information to completely disrupting the network itself. This is the question that sparked the debate on the Huawei network device security.
Deliberate backdoor exploits are exceptionally difficult to detect at the best of times. Reviews of a device’s source code, for example, are unlikely to find a well-constructed exploit.
It’s even worse if the exploit is a combination of hardware or firmware and software. Many network devices include custom programmable chips, and these chips may include malware that could open a hole that the device’s software would expand. Although backdoor exploit prevention discussions often include code reviews, they probably won’t work.
IT will never find a smart chip and software exploit by inspecting code or hardware. You cannot set up a clean room and monitor aberrant device behavior because without the explicit stimulus the exploit is designed for, no such behavior will occur.
Even if service providers had to devise monitoring procedures to detect a problem, what would they do if they found another one but shut down the network? The thing is, if a backdoor deliberately installed in a network device seems like a credible threat, the only way to avoid it is to ban the provider. Each operator and national regulatory authority will have to decide whether they believe such a threat exists for each supplier they admit.
It’s harder than it looks. Apart from the difficulties of detection, it is difficult to believe that the suppliers would integrate security vulnerabilities. In a politically charged world, it is even more difficult to obtain objective information on the possibility of such a backdoor defect. Each country considers its own industries to be beyond reproach, but most countries do not trust each other.
Yet risking an entire network is a problem that many carriers simply cannot ignore. The best strategy is to manage everything based on a rigorous assessment of the underlying reality of risk, then reassess regularly to adapt to changing conditions or international policy.