IT Isn't Secure Right Out of the Box
Even with a truckload of security gadgets, if you don’t bother to reset the defaults on your network devices, you’re leaving the front door open to intruders. Every network device — routers, wireless access points (WAPs), network printers — comes with defaults and preset accounts that can create unsuspected entry points to the network.
You have to have administrative access to a network device to configure it, but default user identification and password combos can be truly hazardous to your network’s security. Will the manufacturers stop supplying default accounts because they’re a potential risk? Probably not. The alternatives are to build in a timed account or to build the account into the configuration software. Both of these methods could improve security, but they’ll take a little more work, and it’s doubtful it will happen. Also, when you reset the device, it will receive defaults from its internal BIOS or ROM, which will reset the default account information as well.
Most devices come with preconfigured accounts that allow full access to the device via simple passwords such as “admin” or “password.” Secure your network by identifying these accounts and either deleting them entirely or changing their passwords. Not all of these accounts are necessarily documented, so check the security bulletins on the product’s Web site.
It’s also a good idea to minimize the capabilities on all preconfigured accounts so that an intruder who finds the “admin” account won’t have network privileges. Another common default setting enables remote administration. You don’t need this feature unless you’re managing several remote networks. An intruder, however, needs only to add a port address to the Internet Protocol address to reach the router’s hidden administration pages.
Unfortunately, WAPs make it easier for people to connect to your network, whether you want them to or not.
WAPs rarely come with any preconfigured security settings, leaving it up to you to pick the security options you need, says Bill Meixner, IT manager of East Hill Church in Portland, Ore. “WAPs have a default of no encryption almost across the board,” Meixner says. “It’s as if no one at the plant is giving thought to putting in a basic security portal, or even a difficult password.”
Although static Wired Equivalent Privacy (WEP) is on most wireless networks, it’s not secure: You can crack static WEP encryption with a $30 sniffer and a data analyzer. Both fit in your pocket, making detecting networks and harvesting information a piece of cake. Dynamic WEP provides fair — but not great — security. Wi-Fi Protected Access (WPA) typically requires upgrading to devices that are less than three years old. WPA2, which uses the government’s Advanced Encryption Standard, is twice as good.
The wireless device’s service set identifier (SSID) isn’t a security measure, but it can be a security black hole. Many people configure their WAPs to have the SSID clearly identify the company or home network, which can invite people to poke around your network by looking like a target of interest. Use a generic or nondescript SSID, such as “B2490” or “Lnet1.” Don’t worry about hiding the SSID either: The name shows up in the wireless packets, so you’re only making it a little harder on yourself and your users.
Other Hardware Holes
Routers and WAPs are not the only sources of security problems for network devices. Network printers aren’t just output devices; Web-accessible printers and copiers can be accessed and compromised from outside. Earlier this year, security holes were disclosed on several popular brands of printers and copiers that allowed unauthorized access to the network and monitoring of the information being printed. In one case, it was even possible to load and run programs on a copier behind the network firewall.
Bill Hull, network administrator for O’Neal, an architecture firm in Greer, S.C., points out that there are hidden security issues with many network printers and copiers. “We’ve got seven or eight very large copiers with a Linux operating system,” Hull says. “So despite the fact that you may have a policy of ‘no Linux,’ if you want a copier with those features, you’ve got to get one with Linux.”
Network-ready printers are usually preconfigured for Web access and Internet printing. Although these are powerful features, you should restrict them as much as is practical and, once again, change their default user IDs and passwords. Consider turning off file and printer sharing over Transmission Control Protocol/IP and using the NetBIOS Extended User Interface instead, which provides a slightly more secure communications channel for the printer.
• Have at least six upper or lowercase letters, numbers and special characters.
• Use the maximum number of allowable characters: A passphrase such as “Dadhad$a7shadsalad” may be easier to remember than “g8Qa3&uP,” and longer passwords are much harder to crack.
• Use special characters such as #, ! and ^, particularly as the first character, such as “%squid17Ink:” Most password crackers work through alphanumeric character combinations first when trying a brute-force crack, so a special character makes it that much harder to bust the password.
• Stand up to testing: You can check your passwords against a password cracker (there are many available on the Net) to see how well they withstand brute-force attacks. You may be surprised.
• Change regularly: If you need a strong but memorable password, think of a sentence that’s easy to remember, then take the first or last letter of each word and add capitals and numbers.
About half of all network devices have a default user ID of “admin” and a password such as “admin” or “password,” or none at all.
| Manufacturer | Model | Default user ID | Default password |
|---|---|---|---|
| D-Link | most devices | [nothing] or admin | admin or [nothing] |
| Linksys | most devices | admin or [nothing] | admin or [nothing] |
| Minolta QMS | Magicolor 3100 | operator | [nothing] |
| Netgear | most devices | admin | admin or password |
| Xerox | Most printers/copiers | admin | Admin or 1111 |
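
The checks this article recommends (default accounts left in place, remote administration enabled, missing or WEP wireless encryption, an SSID that names the organization) can be run as an audit over a device inventory. The following is an added example, not part of the original article: the inventory schema, the device names and the "ExampleCorp" name are constructed assumptions, and the vendor defaults are the ones from the table above.

```python
# Vendor defaults copied from the table on this page: (user IDs, passwords); "" = [nothing].
VENDOR_DEFAULTS = {
    "d-link": ({"", "admin"}, {"admin", ""}),
    "linksys": ({"admin", ""}, {"admin", ""}),
    "minolta qms": ({"operator"}, {""}),
    "netgear": ({"admin"}, {"admin", "password"}),
    "xerox": ({"admin"}, {"Admin", "1111"}),
}
WEAK_WIFI = {"none", "wep"}  # page: WAPs default to no encryption; static WEP is crackable


def audit_device(dev, org_words):
    """Return the findings for one device record (dict in a hypothetical schema)."""
    findings = []
    users, passwords = VENDOR_DEFAULTS.get(dev["vendor"].lower(), (set(), set()))
    for acct in dev.get("accounts", []):
        if acct["user"] in users and acct["password"] in passwords:
            findings.append(f"default credentials still set for user '{acct['user'] or '[nothing]'}'")
    if dev.get("remote_admin"):
        findings.append("remote administration enabled")
    wifi = dev.get("wifi")
    if wifi:
        if wifi["encryption"].lower() in WEAK_WIFI:
            findings.append(f"weak wireless encryption: {wifi['encryption']}")
        ssid = wifi["ssid"].lower()
        if any(word.lower() in ssid for word in org_words):
            findings.append("SSID identifies the organization")
    return findings


def audit_inventory(inventory, org_words):
    """Map device name -> findings, keeping only devices with at least one finding."""
    report = {dev["name"]: audit_device(dev, org_words) for dev in inventory}
    return {name: found for name, found in report.items() if found}


# Constructed sample inventory (not real devices or credentials in use anywhere).
SAMPLE_INVENTORY = [
    {"name": "lobby-wap", "vendor": "Linksys", "remote_admin": True,
     "accounts": [{"user": "admin", "password": "admin"}],
     "wifi": {"ssid": "ExampleCorp-Guest", "encryption": "WEP"}},
    {"name": "office-router", "vendor": "Netgear", "remote_admin": False,
     "accounts": [{"user": "netops", "password": "Dadhad$a7shadsalad"}],
     "wifi": {"ssid": "B2490", "encryption": "WPA2"}},
    {"name": "copier-2", "vendor": "Xerox", "remote_admin": False,
     "accounts": [{"user": "admin", "password": "1111"}]},
]

if __name__ == "__main__":
    for name, found in audit_inventory(SAMPLE_INVENTORY, ["ExampleCorp"]).items():
        print(name, "->", "; ".join(found))
```

Because a factory reset restores the default account, rerun the audit after any device is reset or replaced.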