Switches, hubs, and routers are the main network hardware components and act as the gateway for user communication with the outside world. Because they are single points of failure, some common security measures are applied to avoid their compromise.
Steps to take for Network Hardware Security
- Disable telnet services if remote administrative control is not needed.
- Block or filter access to unused sensitive ports.
- Use hardware-provided session verification or time-outs, as this prevents hackers from snooping on or hijacking sessions.
- BIOS passwords: An extra security layer that protects users from snooping and prevents malicious users from accessing the system. Set up a single-user password, as the default setup keys and passwords of nearly all manufacturers are well known. Security Issue: BIOS passwords get wiped out by shorting out the CMOS battery.
- Change defaults and set administrative, maintenance and user passwords to prevent attackers from gaining access. New passwords should differ from other administrative passwords on the network.
- Enable encryption on the router, which is disabled by default.
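The checklist above can be partly automated by auditing a saved device configuration. The following is an added example, not code from the original page: it assumes Cisco IOS-style configuration syntax, the sample configurations are constructed, and `audit` and `KNOWN_DEFAULTS` are hypothetical names.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption; the page names no format).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
username debug password 0 synnet
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
"""

# Constructed sample of a config that passes every check below.
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
username netops secret 9 CONSTRUCTED-HASH
line vty 0 4
 transport input ssh
 exec-timeout 5 0
"""

# Default login/password pairs named on the page; extend from your own inventory.
KNOWN_DEFAULTS = {("debug", "synnet")}

def audit(config: str) -> list[str]:
    """Return one finding per checklist item the config violates."""
    findings = []
    lines = config.splitlines()
    if "service password-encryption" not in (l.strip() for l in lines):
        findings.append("password encryption is disabled")
    section = None  # current "line ..." block, if any
    for raw in lines:
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line starts a new top-level block
            section = line if line.startswith("line ") else None
        cred = re.match(r"username (\S+) password (?:\d+ )?(\S+)$", line)
        if cred and cred.groups() in KNOWN_DEFAULTS:
            findings.append(f"default credentials still set for user {cred.group(1)}")
        if section and line.startswith("transport input "):
            if {"telnet", "all"} & set(line.split()[2:]):
                findings.append(f"{section}: telnet allowed")
        timeout = re.match(r"exec-timeout (\d+)(?: (\d+))?$", line)
        if section and timeout and not any(int(g or 0) for g in timeout.groups()):
            findings.append(f"{section}: session timeout disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Only explicit settings are flagged; a missing directive falls back to the platform default, which varies by software version and has to be checked separately.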
Network Hardware Security of some well-known devices
Compaq Netelligent Unmanaged Hub
It offers connectivity by creating a mini LAN with two or more peripheral devices in medium and large businesses. It provides high-performance, reliable LAN connectivity at a very affordable price. The devices have multicolored LEDs indicating overall status, including power, link, collision, port partition, and port traffic. A network utilization monitor indicates the network's performance for easy management and troubleshooting. Furthermore, it is designed to monitor and keep a hub operating near maximum efficiency.
- Ports: 8, 16
- Form: External, Uplink
- Data Transfer Rate: 10 Mbps
- Data Link Protocol: Ethernet
- Compatibility: PC, Unix
- Status Indicators: Port status, link activity, collision status, backplane status, power
- Networking Type: Hub
- Connectivity Technology: Wired
- Compliant Standards: IEEE 802.3
- Remote Management Protocol: None
- Connectors / Interfaces: 1 x network host – Ethernet 10Base-2 – BNC female – 1; 1 x network host – Ethernet 10Base-T – RJ-45 female – 1; 8 x network node – Ethernet 10Base-T – RJ-45 female – 8
- Power Consumption: Operational 6.5 Watt; Source: AC 110/220 V ± 10% (50/60 Hz)
- Supply Power adapter: external
Security Issue: The default superuser password is well known and must be changed.
Serves as an intelligent endpoint in a network requiring high performance, QoS, and enterprise-level security and management. Links wireless and wired voice and data networks in small and medium-size businesses with inexpensive convergence. All models are equipped with copper and small form-factor pluggable Gigabit uplinks and clustered stacking capabilities, which allow clustered switch configurations of up to 32 units.
- Flavors: PoE and non-PoE. The PoE capabilities provide inline power to attached devices, such as access points, VoIP phones, and IP security cameras.
- Ports: 9, 18, 26
- Data Transfer Rate: Gigabit
- Compliant Standards: IEEE 802.3af
- Access Security: RADIUS Authenticated Device Access (RADA), a “Guest” VLAN feature, and Secure Shell Version 2 authentication and encryption measures.
- Interface: Supports command line, web-based administration, and SNMP management through tools such as the Enterprise Management System, Network Director and Network Supervisor
Security Issue: The maintenance login (debug) and password (synnet) are widely known for its various switches, CoreBuilder and SuperStack.
The Ericsson RAN Security solution provides built-in IPsec (Internet Protocol Security) protection through authentication and encryption for the broader network infrastructure. The solution comprises a Security Gateway, public key infrastructure systems, and certificate management.
Ericsson Security Manager provides unique policy-driven security orchestration and management coupled with its powerful analytics capabilities.
Security Issue: Previous versions had a Remote-Access Login Failure Vulnerability, which was fixed in the recent Tigris OS 18.104.22.168 software release. The vulnerability allows remote users to send valid commands without authenticating them.
Security Issue: Lucent Ascend MAX Router 5.0 and earlier, Lucent Ascend Pipeline Router 6.0.2 and earlier and Lucent DSLTerminator allow remote attackers to obtain sensitive information such as hostname, MAC, and IP address of the Ethernet interface via a discard (UDP port 9) packet, which causes the device to leak the information in the response. Attackers can cause a denial of service with a malformed packet to the discard port, used by the Java Configurator tool.
Security Issue: It used hard-coded passwords, which are now widely distributed, although they enable the support team to access BreezeCOM equipment.
It is security integrated into the network and a critical component of the Cisco Self-Defending Network. The software delivers a sophisticated set of security capabilities for a comprehensive, layered security approach throughout your network infrastructure.