Control access to network assets: an essential part of a cybersecurity program
One of the biggest vulnerabilities in today's networks is the weak security surrounding the network devices themselves. Many organizations ensure excellent security for their servers and applications but leave the network devices that carry the traffic with only rudimentary protection. The list of network attacks is long, and most of them exploit the lack of strong access control on routers, firewalls, or probes. This article presents a three-step strategy to prevent unauthorized access to network components while staying in line with the organization's security policy.
1. Centralize the authentication
In large, complex environments it is hard to manage the accounts configured on each network device. Beyond a dozen switches, routers, load balancers and firewalls, placing all user information on every device and then keeping it up to date becomes an administrative nightmare.
Centralized authentication servers supporting AAA (Authentication, Authorization, and Accounting) solve the problem. Most network administrators would suggest TACACS+ for this purpose, but there is a more widely deployed protocol that pushes TACACS+ into the background: RADIUS (RFC 2865).
The first step is therefore to deploy an authentication server that supports RADIUS. That alone is not enough, though.
The server should be synchronized with an inventory of the network equipment, with every entry uniquely identified so that no unknown (shadow) device can send requests to the server. A shared secret is configured on both sides to protect the authentication exchange between server and device; it needs to be complex and changed periodically to resist password-based attacks.
In large enterprise networks, however, centralization brings its own risk: external authentication sometimes fails. To keep network equipment reachable, two recommendations are valuable:
- Use redundant RADIUS proxies placed in different network areas; this reduces dependency on the central authentication server.
- Configure a timeout on the external authentication request and fall back to a local account, so the device stays reachable if the authentication server is down or unreachable.
Once the authentication server is in place, how do you control who can access which device? How do you ensure that only authorized users have the appropriate rights to log in to the equipment they need?
2. Make it part of the organization's IAM
IAM stands for Identity and Access Management. It is a framework of processes, policies, and technologies that manages identities and their access to the organization's resources. The network authentication server needs to be part of the enterprise IAM: it should be connected to a central user-ID repository to obtain the identity of the requester, and a role-based model should be defined globally to ensure proper authorization.
To implement these requirements, the authentication server should be able to:
- Query the enterprise directory service to verify and authenticate the identity of users. This also paves the way for single sign-on and multi-factor authentication.
- Define different authorization policies, for example read-write for network admins, read-only for NOC teams, and a limited command set for scripts and network monitoring tools.
- Assign the corresponding authorization profile according to the user's role as defined in the IAM.
- Synchronize with the user database in order to add, delete or update the subjects, groups, roles and attributes needed to grant access and determine rights.
These functions should be built in and fully automated so that the employee lifecycle (provisioning, role change and termination) is fully taken into account.
However, although the mechanisms and technologies described above enforce access management to network assets, they are not enough. Even with authentication and authorization centralized and based on the enterprise IAM, one big hole remains in the process.
3. Secure local accounts
What about accounts configured locally on the devices? Do they really need to be secured? If so, how?
These accounts need attention for the following reasons:
1. They are usually built in: you cannot delete or deactivate them (like root on F5 BIG-IP or admin on Cisco switches).
2. They are necessary: a backup account is needed locally on the equipment in case the authentication server is down.
3. They are shared: you do not know who owns such accounts, or who knows their passwords.
Securing these accounts is not the easiest stage. Besides the technical challenges, it is mostly about changing the work habits of network administrators and putting in place procedures and instructions that may, from another point of view, seem complex.
First, create an inventory of all accounts configured locally on the devices. This inventory should be updated periodically to track how they evolve.
Second, identify the accounts that genuinely need to be present. All accounts not included in this baseline should be deleted.
After the cleanup, control access to and usage of the remaining legitimate accounts. The best way is to secure their passwords by applying the following requirements:
- Passwords should be stored in a secure repository, such as a password manager.
- Access rules for the repository should follow the authorization model defined previously and be synchronized with the IAM controls.
- Password policy rules, such as complexity and periodic change, should be enforced through connectors that automate storage and rotation.
By implementing such controls, internal and external access to the network is better secured, fully controlled and well managed.
In an era where passwords are easily compromised, breaches occur every day and security incidents become more harmful, the network components that form the foundation of any IT infrastructure need to be secured. Controlling access to network assets becomes an integral part of the cybersecurity program. The strategy explained in this article is one way among others to manage access to those critical resources.
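As an added example that is not part of the article, the following Python script implements the inventory-and-baseline step over constructed sample configurations (IOS-like syntax chosen only because it parses easily; the device names, account names and the baseline are hypothetical). It also checks the local-fallback recommendation from step 1, since a break-glass account is only useful if the device actually falls back to it when RADIUS is unreachable.

```python
import re

# Constructed sample running-configs for two devices (not real equipment);
# IOS-like syntax only because it parses easily, hashes are placeholders.
SAMPLE_CONFIGS = {
    "core-sw-01": """
hostname core-sw-01
aaa authentication login default group radius local
username admin privilege 15 secret 9 $9$PLACEHOLDER
username netops privilege 15 secret 9 $9$PLACEHOLDER
username nagios privilege 1 secret 9 $9$PLACEHOLDER
""",
    "edge-rtr-07": """
hostname edge-rtr-07
aaa authentication login default group radius
username admin privilege 15 secret 9 $9$PLACEHOLDER
username temp-contractor privilege 15 secret 9 $9$PLACEHOLDER
""",
}

# Baseline (hypothetical): the only local accounts allowed to exist, and the
# single break-glass account allowed to keep full privilege.
BASELINE_ACCOUNTS = {"admin", "nagios"}
BREAK_GLASS = {"admin"}

USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
FALLBACK_RE = re.compile(r"^aaa authentication login \S+ group radius\b.*\blocal\b", re.M)

def inventory_local_accounts(config: str) -> dict:
    """Inventory step: {account: privilege} for every local 'username' line."""
    return {m.group(1): int(m.group(2) or 1) for m in USERNAME_RE.finditer(config)}

def audit_device(name: str, config: str) -> list:
    """Baseline step: report what to delete, what is missing, and a missing fallback."""
    accounts = inventory_local_accounts(config)
    findings = []
    for acct, priv in sorted(accounts.items()):
        if acct not in BASELINE_ACCOUNTS:
            findings.append(f"{name}: '{acct}' is not in the baseline, remove it")
        elif priv == 15 and acct not in BREAK_GLASS:
            findings.append(f"{name}: '{acct}' has full privilege but is not break-glass")
    for acct in sorted(BASELINE_ACCOUNTS - accounts.keys()):
        findings.append(f"{name}: required local account '{acct}' is missing")
    if not FALLBACK_RE.search(config):
        findings.append(f"{name}: no local fallback configured after RADIUS")
    return findings

def audit_all(configs: dict) -> dict:
    """Run the audit over the whole collection of device configs."""
    return {name: audit_device(name, cfg) for name, cfg in configs.items()}
```

Feeding it periodically exported configurations keeps the inventory current and turns the baseline into a recurring check rather than a one-off cleanup.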