SANS Top-20 Internet Security Attack Targets: Network and Other Devices Common Configuration Weaknesses (1/2)

Network and Other Devices Common Configuration Weaknesses

N2.1 Description

Network devices, such as routers and switches, often have a reputation for security and stability. Additionally, network-accessible devices such as printers and fax machines are often considered inherently secure. Very often, both classes of devices are omitted from security policies and audits. Because of the unique role these devices play in network infrastructure, they often have default configurations that emphasize ease of use and configuration, rather than security. This section discusses the common insecurities present in many default configurations of network and network-accessible devices.

N2.2 Common Default Configuration Issues

N2.2.1 Default SNMP Community Strings

Default, and often hard-coded, community strings continue to be an issue with networking products. This year, Cisco IOS versions 12.2 through 12.4 before 20060920, used by certain Cisco devices, and a 3Com switch were found vulnerable to this issue.

Example CVEs: CVE-2006-4950, CVE-2006-5382

N2.2.2 Default Accounts, Passwords, Encryption Keys, and Tokens

Many devices are configured with default passwords and other authentication tokens. These often allow complete administrative access to the device. In the case of wireless devices, default encryption keys can make traffic monitoring and sniffing trivially easy.

Example CVEs: CVE-2006-0789, CVE-2006-0834, CVE-2006-3287

N2.2.3 Unnecessary Services

Many devices are configured to run other services in addition to those necessary for the business purpose of the device. For example, many printers provide both HTTP and FTP printing interfaces. These interfaces are often enabled by default. Unnecessary services provide potential security holes, and make logging and administration more difficult.

N2.2.4 Unencrypted and Unauthenticated Administration Protocols

Devices are often administered via protocols that do not support encryption or authentication. HTTP and telnet administration interfaces transmit all information in the clear, and TFTP transmits all information in the clear and does not support authentication. Protocols that support encryption and authentication, such as HTTPS and SCP, should be used whenever possible.

N2.3 Vulnerabilities in Printers

Devices such as printers, fax machines, and scanners often contain the configuration weaknesses described above. These devices often go unpatched and can present a significant security risk to an organization.

Example CVEs: CVE-2006-0788, CVE-2006-2108
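
An added example, not part of the original SANS text: a small Python audit that scans a Cisco IOS-style configuration for the weaknesses described in N2.2.1, N2.2.2 and N2.2.4. The sample configuration, the default-value lists and the function name `audit` are assumptions made for illustration.

```python
import re

# Assumption: commonly seen default values; extend these sets per vendor.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}

# Constructed IOS-style configuration for illustration; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-sw1
enable password cisco
snmp-server community public RO
snmp-server community n0c-Mon1tor RO
ip http server
no ip http secure-server
tftp-server flash:config.bak
line vty 0 4
 password cisco
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def audit(config):
    """Return (line_number, section, message) findings for an IOS-style config."""
    findings = []
    for num, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        snmp = re.match(r"snmp-server community (\S+)", line)
        pwd = re.match(r"(?:enable )?password (\S+)", line)
        if snmp and snmp.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append((num, "N2.2.1", "default SNMP community string"))
        elif pwd and pwd.group(1).lower() in DEFAULT_PASSWORDS:
            findings.append((num, "N2.2.2", "default password in use"))
        elif line == "ip http server":
            findings.append((num, "N2.2.4", "cleartext HTTP administration enabled"))
        elif line.startswith("tftp-server "):
            findings.append((num, "N2.2.4", "TFTP enabled: cleartext, no authentication"))
        elif line.startswith("transport input "):
            # 'all' also admits telnet on the management line.
            if {"telnet", "all"} & set(line.split()[2:]):
                findings.append((num, "N2.2.4", "telnet allowed on management line"))
    return findings

if __name__ == "__main__":
    for num, section, message in audit(SAMPLE_CONFIG):
        print(f"line {num}: [{section}] {message}")
```

Each finding carries the configuration line number, so it can be traced back to the exact statement to change during a device audit.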






