Is your router a threat to your client’s security?
Fri 20 May 2016
It was recently revealed that the majority of home routers operate with decades-old security vulnerabilities. Many of these routers are operating with outdated software from the moment their users open the box, and even once they’re updated, there’s a good chance things still aren’t entirely secure. Some don’t even have a patching process in place at all – the manufacturer simply hurled them out into the wild, saddled with severe, known flaws in their firmware.
You might be wondering what this has to do with MSPs.
A few things. First, consider that the enterprise software liability model is inarguably broken – something which often extends to the manufacturers of networking hardware such as routers and switches. Generally speaking, many vendors are unwilling to shoulder the cost of a security failure, even if there’s a clear indication it was their software that caused it.
Next, consider that there is no definitive way to determine which routers are subject to bugs like NetUSB, so this isn’t just a consumer problem.
That’s why you need to be careful what company you purchase your networking infrastructure from. It might be tempting to choose a lesser-known manufacturer over a company such as Juniper Networks, but it might also leave you with egg on your face. That isn’t to say Juniper’s products are 100% secure, mind you. They aren’t.
Your router isn’t just a potential threat because it can be used as an attack vector, either. Depending on how you’ve configured things, it could also be the sole linchpin holding up an entire house of cards. If the router fails or is brought offline by an attack, there goes your network. That might sound absurd, but that’s exactly what happened to UK broadband provider BT.
In other words, with an improperly secured or configured router, your clients could be looking at anything from unscheduled downtime to compromised information. Not really something you want associated with your reputation, is it? At any rate, that’s enough unpleasantness.
Let’s talk solutions. What exactly can you do to ensure your router doesn’t threaten your security, or that of your clients?
Perform regular security audits, including penetration and vulnerability tests. Make sure you include every element of your networking infrastructure in these audits – especially your routing infrastructure.
Manually ensure you’ve always got the latest firmware installed on all of your hardware – you can’t always rely on the manufacturers to provide you with available patches.
Test your router (or routers) for vulnerabilities through methods like LAN testing and WAN testing (tests are detailed here).
Examine your networking architecture, and ask yourself what might happen if one of your routers failed. If an entire segment of your network would fail with it, you need more redundancy.
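The "what might happen if one of your routers failed" question can be answered mechanically from a link inventory. The sketch below is an added example, not part of the original article: it takes each device offline in turn and lists what loses its path to the uplink. The topology, the device names and the `wan` uplink label are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample topology (not from the article): each pair is one link.
LINKS = [
    ("wan", "edge-rtr-1"), ("wan", "edge-rtr-2"),
    ("edge-rtr-1", "core-sw"), ("edge-rtr-2", "core-sw"),
    ("core-sw", "branch-rtr"), ("core-sw", "mgmt-lan"),
    ("branch-rtr", "client-a-lan"), ("branch-rtr", "client-b-lan"),
]
# Devices whose failure we want to simulate (hypothetical names).
DEVICES = ["edge-rtr-1", "edge-rtr-2", "core-sw", "branch-rtr"]


def build_graph(links):
    """Undirected adjacency map built from a list of (a, b) links."""
    graph = defaultdict(set)
    for a, b in links:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def reachable(graph, start, failed):
    """Nodes still reachable from `start` while `failed` is offline."""
    if start == failed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt != failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def failure_impact(links, devices, uplink="wan"):
    """Map each device to the nodes that lose the uplink if it fails.

    Devices with a redundant path around them are left out of the result.
    """
    graph = build_graph(links)
    everything = set(graph)
    impact = {}
    for dev in devices:
        lost = everything - reachable(graph, uplink, dev) - {dev}
        if lost:
            impact[dev] = sorted(lost)
    return impact


if __name__ == "__main__":
    for dev, lost in failure_impact(LINKS, DEVICES).items():
        print(f"{dev} is a single point of failure for: {', '.join(lost)}")
```

In the sample data the paired edge routers cover for each other, while the core switch and branch router each take whole segments down with them; those are the places that need a second path.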
At the end of the day, your router is like anything else in your business – it’s a potential point of failure and a potential vulnerability. If you want to do right by your clients, it’s essential that you understand that fact, and take the necessary steps to secure it. Otherwise, you’ll only have yourself to blame if someone uses it for an attack.
Tim Mullahy is the General Manager at Liberty Center One, a new breed of data center located in Royal Oak, MI. Liberty can host any customer solution regardless of space, power, or networking/bandwidth requirements.