Although “Who Are You?” was an extremely popular question asked by Pete Townshend of The Who in 1978, it is an even more important question asked by network and security administrators. Authentication and authorization of user logins are vital for all devices, but they are especially important for network devices due to their significance. Imagine the power a hacker would have with access to a central switch or router with the ability to monitor and possibly manipulate network traffic.
As Alert (TA18-106A) states, “Legitimate user masquerade is the primary method by which these cyber actors exploit targeted network devices. In some cases, the actors use brute-force attacks to obtain Telnet and SSH login credentials. However, for the most part, cyber actors are able to easily obtain legitimate credentials, which they then use to access routers. Organizations that permit default or commonly used passwords, have weak password policies, or permit passwords that can be derived from credential-harvesting activities, allow cyber actors to easily guess or access legitimate user credentials. Cyber actors can also access legitimate credentials by extracting password hash values from configurations sent by owners and operators across the Internet or by SNMP and SMI scanning.
Armed with the legitimate credentials, cyber actors can authenticate into the device as a privileged user via remote management services such as Telnet, SSH, or the web management interface.”
The use of AAA protocols like RADIUS and TACACS+, along with restricting logins to specific IP addresses, provides login protection even if a hacker attempts to masquerade with legitimate user credentials. For example, restricting login access to SSH and only allowing SSH connections from a small set of IP addresses greatly reduces the attack surface for masquerading logins. Then, by using a AAA protocol to control and monitor logins, network security will have strong confidence in who is accessing key network devices.
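One way to check a device configuration for the controls described above, as an added example that is not part of the original article. It assumes Cisco IOS-style syntax (the article names no vendor); the sample configurations, addresses and the `audit_vty` helper are constructed for illustration.

```python
import re

# Constructed sample configs in Cisco IOS-style syntax (an assumption: the
# article names no vendor). WEAK permits Telnet from any source address.
WEAK = """\
line vty 0 4
 transport input telnet ssh
"""
HARDENED = """\
aaa new-model
aaa authentication login default group tacacs+ local
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
line vty 0 4
 access-class 10 in
 transport input ssh
"""

def audit_vty(config, max_sources=4):
    """Return findings for the remote-login controls: SSH-only, source ACL, AAA."""
    findings, lines = [], config.splitlines()
    # AAA: logins should be checked by a RADIUS or TACACS+ server group.
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing")
    if not re.search(r"^aaa authentication login \S+ .*group (tacacs\+|radius)", config, re.M):
        findings.append("login not authenticated via RADIUS/TACACS+")
    # Record the permit entries of each numbered ACL to judge how small the set is.
    permits = {}
    for m in re.finditer(r"^access-list (\d+) permit (\S+)", config, re.M):
        permits.setdefault(m.group(1), []).append(m.group(2))
    # Collect the indented sub-commands under each "line vty" block.
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line vty"):
            current = blocks.setdefault(l.strip(), [])
        elif l.startswith(" ") and current is not None:
            current.append(l.strip())
        else:
            current = None
    for name, cmds in blocks.items():
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transport != ["ssh"]:
            findings.append(f"{name}: transport is not SSH-only")
        acl = next((c.split()[1] for c in cmds if re.match(r"access-class \S+ in$", c)), None)
        sources = permits.get(acl, [])
        if acl is None:
            findings.append(f"{name}: no inbound access-class")
        elif "any" in sources or not (0 < len(sources) <= max_sources):
            findings.append(f"{name}: access-class {acl} is not a small explicit set")
    return findings
```

Running `audit_vty` over exported configurations flags any management line that still accepts Telnet, accepts logins from unrestricted sources, or bypasses the AAA server.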
But how does network security apply the above controls in the DMZ without also having to manage a significant number of firewall rules? Enter the Tavve ZoneRanger. The use of ZoneRanger allows network security to proxy RADIUS or TACACS+ requests and responses securely to authentication servers residing in the corporate network through a single port in the DMZ firewall. Along with proxying AAA protocols, ZoneRanger proxies SSH connections from inside the corporate network to DMZ devices. This gives network security complete control over which IP addresses have SSH access to DMZ devices. Although the security team will be hard at work, they will not have to ask themselves “Who can it be now?” like Men At Work from 1982.
For more information contact Tavve Systems at 919-460-1789.