From a Network Engineer’s point of view this is exactly what is wrong with today’s home networking methodology. Every night when I get home from work I follow the same rough routine. I plop down on the couch, power on my laptop and connect to my home network via wireless. After doing so I check my connection logs for the day to my AP, my overall bandwidth usage via PRTG and my syslog server messages from my firewall. I do this to ensure that all is well on my little spoke of the internet. But I know for a fact that those of us who perform this little daily dance are in the minority. Instead what you get is scores of people purchasing wireless routers and just throwing them on their cable or DSL modem and going on with life, like they didn’t just leave their front door open with a big neon WELCOME HACKERS sign over it.
But whose fault is this really? I have been preaching to my bosses and fellow geeks for the past few years that vendors are dumbing down networking. This is good and bad I guess. It’s good that it makes powerful networking tools like routers and firewalls available to the masses. It is also good for the small to mid-size business that cannot afford a full time “Network Guy” or consultants like me for every little hiccup. What is bad is that, to create this level of adoptability for networking products, vendors are required to make assumptions that are well suited for ease of use but not for security, not to mention that dumbing down networks could eventually lead to the demise of people like me.
These ease of use decisions include such items as default usernames and passwords for administrative access that work via wired, wireless and console connection (if it has a console), default SSID, default port settings, sometimes default UPnP enabled, and default wireless channels. These defaults lead to the circumstances in “How I Hacked Your LinkSys Router Which You Probably Bought at Best Buy”. So the question becomes what do we do about these kinds of problems. Vendors like Linksys have attempted to create solutions like one touch security, but I think we need to go further. Enterprise class IT solutions have long held a few basic principles:
1. A switch should work for basic data connectivity right out of the box: you plug it in to power, plug clients into it, and from a Layer 2 perspective it is ready to pass traffic.
2. Routers ship with all interfaces except the Console administratively shutdown. You must actively configure these interfaces and enable them in order to pass traffic. Once the basics of this are accomplished, then all traffic passes through unless otherwise defined through access control lists.
3. Firewalls ship with all interfaces except Console and Administration only ports shutdown. You must actively configure these interfaces and enable them in order to pass traffic. Unlike routers, firewalls must have access policy defined in order to pass traffic. By default firewalls use a trusted interface process for their default access policy that looks like this:
INSIDE = Trusted = All traffic from inside this network can pass out and traffic requested from inside this network to another network can pass from outside this network to its requesting client. All unrequested traffic from another network is dropped.
DMZ = Less Trusted = All traffic destined to the INSIDE interface is dropped at the INSIDE interface. All traffic destined for the OUTSIDE interface is allowed out and requested traffic is allowed to return to its requesting client. All unrequested traffic from the INSIDE is allowed while unrequested traffic from the OUTSIDE is dropped.
OUTSIDE = Untrusted = All traffic from other interfaces is allowed out and requested traffic is allowed in to the requesting client. All unrequested traffic from the external networks is dropped.
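The trusted-interface policy above, modelled as a small connection-tracking decision function. This is an added example, not code from the original post or from any vendor; the numeric trust levels, class names and sample packets are assumptions made for illustration, and real firewalls also track protocol state and timeouts.

```python
from dataclasses import dataclass

# Only the ordering INSIDE > DMZ > OUTSIDE comes from the text;
# the numeric levels are assumed for illustration.
TRUST = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}

@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on
    out_if: str   # interface it would leave through
    src: str
    sport: int
    dst: str
    dport: int

class TrustFirewall:
    def __init__(self):
        self.flows = set()  # connections opened from the more trusted side

    def decide(self, p: Packet) -> str:
        forward = (p.in_if, p.src, p.sport, p.out_if, p.dst, p.dport)
        reverse = (p.out_if, p.dst, p.dport, p.in_if, p.src, p.sport)
        # Requested traffic: part of, or a reply to, a tracked connection.
        if forward in self.flows or reverse in self.flows:
            return "ALLOW-ESTABLISHED"
        # Unrequested traffic may only move toward a less trusted interface.
        if TRUST[p.in_if] > TRUST[p.out_if]:
            self.flows.add(forward)
            return "ALLOW-NEW"
        return "DROP"

def demo():
    # Constructed sample packets (RFC 1918 and documentation addresses).
    pc, web, ext, scan = "192.168.1.10", "172.16.0.5", "203.0.113.7", "198.51.100.9"
    packets = [
        Packet("INSIDE", "OUTSIDE", pc, 51000, ext, 443),    # PC browses out
        Packet("OUTSIDE", "INSIDE", ext, 443, pc, 51000),    # the reply
        Packet("OUTSIDE", "INSIDE", scan, 40000, pc, 22),    # unrequested
        Packet("DMZ", "INSIDE", web, 33000, pc, 445),        # DMZ to INSIDE
        Packet("INSIDE", "DMZ", pc, 51001, web, 80),         # INSIDE to DMZ
        Packet("OUTSIDE", "DMZ", scan, 40001, web, 80),      # unrequested
        Packet("DMZ", "OUTSIDE", web, 33001, ext, 53),       # DMZ goes out
    ]
    fw = TrustFirewall()
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second packet is allowed only because the first one created the state entry; the same reply sent to a firewall that never saw the outbound request is dropped.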
Today’s consumer class devices are a hybrid of all of these (Switches, Routers, Firewalls), as are many of the new class of professional and Enterprise class devices. In order to secure our homes, offices and even public networks as we move forward, it is imperative that vendors look to their Enterprise roots and require configuration more in depth than simply plugging the device in. My recommendations for such a configuration would be as follows:
1. Allow initial administrative sessions only from an “INSIDE” wired port.
2. Require that all default passwords be changed prior to enabling wireless and/or WAN (Internet) services.
3. All ports except the “INSIDE” wired port administratively disabled.
4. All administration sessions should be required to be secure out of the box via HTTPS and/or SSH
5. No default SSID, require the user to name their SSID
6. Default Wireless Security settings for WPA-PSK (with randomly generated key already in place)
7. Random WPA key generation tool as part of the admin tool for the device (or a hotlink to https://www.grc.com/passwords.htm )
8. Cisco TAC-like environment for Consumers, including strong web documentation not only for a product’s basic capabilities but for everything it is made to do, and strong phone support for a reasonable per incident cost.
If vendors would just look towards security and a strong GUI then we can eliminate problems like the one seen in “How I Hacked Your LinkSys Router Which You Probably Bought at Best Buy”. I have long felt that there is a HUGE market for someone to just deploy and secure robust home networks. But there really shouldn’t be. Consumers are paying vendors to watch their backs and provide solutions that will protect their families. Let us hope that the days of stories like “How I Hacked Your LinkSys Router Which You Probably Bought at Best Buy” will soon be a thing of the past.