NET.3.1 Routers and Switches

Description

Introduction

Routers and switches form the backbone of today’s data networks. A failure of one or more of these devices can lead to the complete standstill of the entire IT infrastructure. They must therefore be specially secured.

Routers operate at OSI layer 3 (network layer) and forward data packets based on the destination IP address in the IP header. Routers can connect networks with different topologies. They are used to segment local networks or to connect local networks via wide-area networks. A router determines a suitable path between the source system or source network and the destination system or destination network; in most cases this means forwarding the packets to the next router along that path (the next hop).

Switches originally operated at OSI layer 2, but are now available with a range of functions. Manufacturers usually label devices with the highest OSI layer they support. This gave rise to the terms Layer 2, Layer 3, and Layer 4 switch, although Layer 3 and Layer 4 switches are functionally routers. The originally separate functions of switches and routers are thus often combined in one device today.

Objective

The building block describes how routers and switches can be used securely.

Scope and Modeling

The building block NET.3.1 Routers and Switches is to be applied to every router and switch used in the information domain.

A large selection of different routers and switches from various manufacturers is available on the market. The building block does not describe specific requirements for particular products. It is kept as independent of individual products as possible.

Due to the merging of the functions of routers and switches, the majority of requirements can be applied to both routers and switches. The present building block largely does not distinguish between the types of devices.

Today, almost all operating systems of servers and clients also offer routing functionality. This building block does not specify requirements for activated routing functions in server and client operating systems.

Furthermore, aspects of infrastructure security are not listed in this building block, such as appropriate placement, power supply, or cabling. Security requirements on these topics are found in the respective building blocks of layer INF Infrastructure.

This building block does not describe requirements for securing virtual routers and switches. Likewise, any firewall functions of routers and switches are not addressed. For this, building block NET.3.2 Firewall must additionally be implemented. Some aspects of network design and management are also relevant for the use of routers and switches and are mentioned within the respective requirements. Further information for the setup, design, and management of a network can be found in building blocks NET.1.1 Network Architecture and Design and NET.1.2 Network Management respectively.

Routers and switches SHOULD generally be taken into account when the building blocks ORP.4 Identity and Access Management, OPS.1.1.3 Patch and Change Management, CON.3 Data Backup Concept, and OPS.1.1.2 Proper IT Administration are implemented.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.3.1 Routers and Switches.

Distributed Denial of Service (DDoS)

In a DDoS attack on a protected network, e.g., via TCP SYN flooding or a UDP packet storm, the router can fail because of the sheer number of packets or connection states it has to process. This can cause individual services in the local area network (LAN) to become unavailable or the entire LAN to fail.

Manipulation

If attackers succeed in gaining unauthorized access to a router or switch, they can reconfigure the devices or start additional services. The configuration can, for example, be changed so that services, clients, or entire network segments are blocked. At the same time, network traffic at the switch can be intercepted, read, or manipulated.

Incorrect Configuration of a Router or Switch

Routers and switches are delivered with a default configuration in which many services are activated. Also, login banners, for example, reveal the model and version number of the device. If routers and switches are used productively with insecure factory settings, unauthorized access to them is easier. In the worst case, internal services are thereby accessible to attackers.

Incorrect Planning and Design

Many institutions plan and design the use of routers and switches incorrectly. Among other things, devices that are not adequately dimensioned are procured—e.g., regarding the number of ports or performance. As a result, a router or switch may already be overloaded when it is first deployed. Services or entire networks may thus be inaccessible, and the error must be corrected at great expense.

Incompatible Active Network Components

Compatibility problems can arise in particular when existing networks are expanded with active network components from other manufacturers, or when networks are operated with network components from different manufacturers. If active network components with different implementations of the same communication protocol are operated together in a network, individual sub-areas of the network, certain services, or even the entire network can fail.

MAC Flooding

In MAC flooding, attackers send a large number of frames with constantly changing source MAC addresses to a switch. Once the switch's MAC address table (CAM table) is full, it can no longer learn where legitimate stations are and falls back to flooding frames for unknown destinations to all ports of the VLAN, i.e., it behaves like a hub. This allows attackers to read network traffic that would otherwise never reach their port.
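The fail-open behaviour described above, and port security as the countermeasure, as an added example that is not part of the BSI building block. The switch model is a deliberate simplification (one VLAN, no ageing timer, oldest entry evicted when the table is full); the MAC addresses and port numbers are constructed.

```python
"""MAC flooding against a learning switch, and port security as the countermeasure.
Added example; the switch model is a simplification (no VLANs, no ageing timer)."""
import random
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity            # size of the MAC/CAM table
        self.max_macs_per_port = max_macs_per_port  # port security limit; None = off
        self.cam = OrderedDict()                    # mac -> port, oldest entry first
        self.disabled = set()                       # ports err-disabled after a violation

    def _learn(self, src, in_port):
        """Learn src on in_port. Returns False if port security rejected the frame."""
        if src in self.cam:
            self.cam.move_to_end(src)
            self.cam[src] = in_port
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.disabled.add(in_port)          # violation action: shut the port
                return False
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)            # table full: evict the oldest entry
        self.cam[src] = in_port
        return True

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for one frame."""
        if in_port in self.disabled or not self._learn(src, in_port):
            return set()
        out = self.cam.get(dst)
        if out is None:                             # unknown unicast or broadcast: flood
            return self.ports - {in_port}
        return {out}


def simulate(max_macs_per_port=None, flood_frames=5000, seed=1):
    """Host A on port 1 talks to host B on port 2; an attacker on port 3 floods MACs."""
    sw = Switch(ports=range(1, 9), cam_capacity=1024, max_macs_per_port=max_macs_per_port)
    rng = random.Random(seed)
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # constructed (IANA documentation range)
    sw.forward(a, b, 1)
    sw.forward(b, a, 2)
    before = sw.forward(a, b, 1)                    # both hosts learned: unicast to port 2
    for _ in range(flood_frames):
        fake = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        sw.forward(fake, BROADCAST, 3)
    after = sw.forward(a, b, 1)                     # B evicted: frame is flooded to the attacker
    return {"before": before, "after": after,
            "attacker_port_disabled": 3 in sw.disabled, "cam_size": len(sw.cam)}


if __name__ == "__main__":
    print("no port security:", simulate())
    print("port security (max 2 MACs per port):", simulate(max_macs_per_port=2))
```

With the limit of two MAC addresses per access port the attacker's third frame err-disables port 3 and the A-to-B conversation stays unicast. On real switches the equivalent is a per-port MAC limit with a violation action (shutdown, restrict or protect); the limit has to be chosen per port role, since a port feeding a VoIP phone plus PC legitimately needs more than one address.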

Spanning Tree Attacks

In spanning tree attacks, attackers send so-called Bridge Protocol Data Units (BPDUs) with the aim of making the other switches regard the attackers' own (malicious) switch as the root bridge. As a result, network traffic is redirected via the attackers' switch so that they can intercept all information sent through it. Forged BPDUs can also be used to force the network to recompute the spanning tree topology again and again, a denial of service that can cause the network to fail.
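The root bridge election and the two usual countermeasures (BPDU guard on ports where only end systems belong, root guard on ports that must never lead towards the root), as an added example not taken from the building block. Timers, port states and most of the tie-breaking are omitted; bridge IDs and port numbers are constructed.

```python
"""Root bridge election from BPDUs, and BPDU guard / root guard as countermeasures.
Added example; STP timers, port states and full tie-breaking are omitted."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # 0..61440 in steps of 4096; lower wins, then the lower MAC
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId


@dataclass
class StpSwitch:
    bridge_id: BridgeId
    edge_ports: set = field(default_factory=set)        # ports where only hosts belong
    bpdu_guard: bool = False                            # err-disable an edge port on any BPDU
    root_guard_ports: set = field(default_factory=set)  # never accept a new root on these
    root_id: Optional[BridgeId] = None
    root_port: Optional[int] = None
    root_cost: int = 0
    disabled_ports: set = field(default_factory=set)
    inconsistent_ports: set = field(default_factory=set)

    def __post_init__(self):
        self.root_id = self.bridge_id   # every bridge starts out believing it is the root

    def receive(self, port: int, bpdu: Bpdu, link_cost: int = 4) -> str:
        """Process one BPDU; cost 4 is the 802.1D-1998 value for a 1 Gbit/s link."""
        if port in self.disabled_ports:
            return "dropped"
        if self.bpdu_guard and port in self.edge_ports:
            self.disabled_ports.add(port)           # no bridge is expected behind an edge port
            return "bpdu-guard"
        superior = bpdu.root_id < self.root_id
        if superior and port in self.root_guard_ports:
            self.inconsistent_ports.add(port)       # block the port, keep the current root
            return "root-guard"
        cost = bpdu.root_path_cost + link_cost
        if superior or (bpdu.root_id == self.root_id and cost < self.root_cost):
            self.root_id, self.root_port, self.root_cost = bpdu.root_id, port, cost
            return "accepted"
        return "inferior"


def scenario(bpdu_guard=False, root_guard=False):
    """Port 1 is the uplink to the legitimate root; port 5 is an access port on which
    an attacker injects a BPDU with priority 0. Constructed bridge IDs."""
    legit_root = BridgeId(4096, "00:00:5e:00:53:01")
    sw = StpSwitch(BridgeId(32768, "00:00:5e:00:53:02"),
                   edge_ports={5}, bpdu_guard=bpdu_guard,
                   root_guard_ports={5} if root_guard else set())
    sw.receive(1, Bpdu(legit_root, 0, legit_root))
    attacker = BridgeId(0, "00:00:5e:00:53:ff")
    verdict = sw.receive(5, Bpdu(attacker, 0, attacker))
    return {"verdict": verdict, "root": sw.root_id, "root_port": sw.root_port,
            "disabled": sorted(sw.disabled_ports),
            "inconsistent": sorted(sw.inconsistent_ports)}


if __name__ == "__main__":
    for kw in ({}, {"bpdu_guard": True}, {"root_guard": True}):
        print(kw or "no guard", scenario(**kw))
```

Without either guard the attacker's priority-0 BPDU wins the election and port 5 becomes the root port, so traffic is steered through the attacker. BPDU guard is the right choice on every access port; root guard belongs on designated ports towards parts of the network that must never become the root.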

GARP Attacks

In Gratuitous ARP (GARP) attacks, attackers send unsolicited ARP replies to specific victims or to all IT systems in the same subnet. In this forged ARP reply, attackers map another system's IP address (typically that of the default gateway) to their own MAC address. Because most hosts update their ARP table on any reply, solicited or not, the victims then send traffic for that IP address to the attackers instead of to the legitimate destination. This allows the attackers to intercept or manipulate communication between victims.
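The poisoning step and Dynamic ARP Inspection (DAI) on the access switch as the countermeasure, as an added example that is not part of the building block. DAI is modelled as a check of every ARP packet from an untrusted port against the DHCP snooping binding table (IP, MAC, port); all addresses and port numbers are constructed.

```python
"""Gratuitous ARP poisoning of a host's cache, and Dynamic ARP Inspection (DAI)
on the access switch as the countermeasure. Added example with constructed
addresses from the IANA documentation ranges."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class Host:
    """Naive ARP cache: any reply, solicited or not, overwrites the entry."""
    def __init__(self):
        self.cache = {}

    def receive(self, pkt):
        if pkt.op == "reply":
            self.cache[pkt.sender_ip] = pkt.sender_mac


class DaiSwitch:
    """Validate ARP on untrusted ports against the DHCP snooping binding table
    (ip, mac, port); ARP arriving on trusted ports (uplinks) is forwarded unchecked."""
    def __init__(self, bindings, trusted_ports):
        self.bindings = set(bindings)
        self.trusted = set(trusted_ports)
        self.dropped = []

    def inspect(self, pkt, in_port):
        if in_port in self.trusted or (pkt.sender_ip, pkt.sender_mac, in_port) in self.bindings:
            return True
        self.dropped.append((in_port, pkt))
        return False


GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "00:00:5e:00:53:10"
ATTACKER_IP, ATTACKER_MAC = "192.0.2.66", "00:00:5e:00:53:66"


def scenario(dai_enabled):
    victim = Host()
    sw = DaiSwitch(bindings=[(VICTIM_IP, VICTIM_MAC, 3), (ATTACKER_IP, ATTACKER_MAC, 7)],
                   trusted_ports={24})                # port 24: uplink towards the router
    # Legitimate reply from the gateway, learned by the victim.
    victim.receive(Arp("reply", GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    # Gratuitous reply from the attacker's port claiming the gateway's IP address.
    garp = Arp("reply", ATTACKER_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP)
    if not dai_enabled or sw.inspect(garp, in_port=7):
        victim.receive(garp)
    # A genuine gratuitous ARP from the gateway (e.g. after a failover) must still pass.
    gw_garp = Arp("reply", GATEWAY_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP)
    gw_allowed = sw.inspect(gw_garp, in_port=24)
    return {"gateway_mac_seen_by_victim": victim.cache[GATEWAY_IP],
            "dropped": len(sw.dropped), "gateway_garp_allowed": gw_allowed}


if __name__ == "__main__":
    print("DAI off:", scenario(False))
    print("DAI on: ", scenario(True))
```

With DAI off the victim's table now points the gateway address at the attacker; with DAI on the forged reply is dropped on port 7 because no binding ties 192.0.2.1 to the attacker's MAC on that port, while the gateway's own gratuitous ARP on the trusted uplink still passes. DAI depends on a correct DHCP snooping table (or static bindings for statically addressed hosts), and trusted ports must be limited to real uplinks.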

Requirements

The following are the specific requirements of building block NET.3.1 Routers and Switches. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities             Roles
Primarily responsible        IT Operations
Additional responsibilities  None

Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

NET.3.1.A1 Secure Basic Configuration of a Router or Switch (B)

Before a router or switch is used, it MUST be securely configured. All configuration changes SHOULD be documented in a comprehensible manner. The integrity of the configuration files MUST be protected in an appropriate manner. Before access passwords are stored, they MUST be secured using a contemporary cryptographic method.

Routers and switches MUST be configured so that only absolutely necessary services, protocols, and functional extensions are used. Unnecessary services, protocols, and functional extensions MUST be deactivated or completely uninstalled. Likewise, unused interfaces on routers and switches MUST be deactivated. Unused network ports MUST be deactivated where possible or at least assigned to a specially established Unassigned VLAN.

If functional extensions are used, the security policies of the institution MUST continue to be fulfilled. It SHOULD also be justified and documented why such extensions are deployed.

Information about the internal configuration and operating state MUST be concealed from the outside. Unnecessary information services MUST be deactivated.

NET.3.1.A2 DISCONTINUED (B)

This requirement has been discontinued.

NET.3.1.A3 DISCONTINUED (B)

This requirement has been discontinued.

NET.3.1.A4 Protection of Administration Interfaces (B)

All administration and management access to routers and switches MUST be restricted to individual source IP addresses or address ranges. It MUST be ensured that administration interfaces cannot be accessed directly from untrusted networks.

To administer or monitor routers and switches, appropriately encrypted protocols SHOULD be used. If unencrypted protocols are used nonetheless, a dedicated administration network (out-of-band management) MUST be used for administration. The management interfaces and the administration connections MUST be protected by a separate firewall. Appropriate time restrictions—e.g., timeouts—MUST be specified for the interfaces.

All services not required for the management interface MUST be deactivated. If a network component has a dedicated hardware interface, unauthorized access to it MUST be prevented in an appropriate manner.

NET.3.1.A5 Protection Against Fragmentation Attacks (B)

At the router and Layer 3 switch, protective mechanisms MUST be activated to defend against IPv4 and IPv6 fragmentation attacks.
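The building block names the requirement but not the checks; the following added example (not from the BSI text) shows the sanity checks a router can apply to a fragment set before reassembly: a reassembled size above 65535 bytes (the classic "ping of death"), a first fragment too small to carry a full transport header (used to slip past port filters), and overlapping fragments ("teardrop"-style). Offsets are in 8-byte units as carried in the IPv4 header and IPv6 fragment header; the fragment sets are constructed.

```python
"""Sanity checks a router can apply to IP fragments before (or instead of) reassembly.
Added example; offsets are in 8-octet units as carried in the header, lengths are
fragment payload bytes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int      # identification shared by all fragments of one datagram
    offset: int     # fragment offset in 8-octet units
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag (IPv4) / M bit (IPv6)


MAX_REASSEMBLED = 65535   # RFC 8200 limit on the reassembled payload; IPv4 is stricter by its header
MIN_FIRST_FRAGMENT = 20   # bytes: a full TCP header, so port-based filters cannot be bypassed


def check_fragments(frags):
    """Return the reasons a fragment set should be dropped; an empty list means it passes."""
    problems, spans = [], []
    for f in frags:
        start, end = f.offset * 8, f.offset * 8 + f.length
        if f.more and f.length % 8:
            problems.append(f"non-final fragment at {start} has length {f.length}, not a multiple of 8")
        if end > MAX_REASSEMBLED:
            problems.append(f"fragment at {start} would reassemble beyond {MAX_REASSEMBLED} bytes")
        if start == 0 and f.more and f.length < MIN_FIRST_FRAGMENT:
            problems.append(f"tiny first fragment ({f.length} bytes) cannot hold a full transport header")
        spans.append((start, end))
    spans.sort()
    max_end = 0
    for start, end in spans:
        if start < max_end:
            problems.append(f"overlapping fragments: [{start},{end}) overlaps data ending at {max_end}")
        max_end = max(max_end, end)
    return problems


# Constructed fragment sets: Fragment(ident, offset, length, more)
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 185, 1480, True), Fragment(1, 370, 100, False)]
OVERSIZE = [Fragment(2, 8189, 40, False)]                        # 8189*8 + 40 > 65535 ("ping of death")
TINY = [Fragment(3, 0, 8, True), Fragment(3, 1, 40, False)]      # TCP ports in the 1st, flags in the 2nd
OVERLAP = [Fragment(4, 0, 24, True), Fragment(4, 1, 24, False)]  # 2nd rewrites bytes 8..23 ("teardrop")

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("oversize", OVERSIZE), ("tiny", TINY), ("overlap", OVERLAP)):
        print(name, check_fragments(frags) or "ok")
```

Two practical caveats: a stateless filter only ever sees the transport header in the first fragment, so non-initial fragments must be handled by reassembly state or dropped for protected services; and reassembly buffers are themselves a DoS target, so per-source limits and short reassembly timeouts belong next to these checks. For IPv6, RFC 5722 additionally requires that overlapping fragments be dropped outright.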

NET.3.1.A6 Emergency Access to Routers and Switches (B)

Administrators MUST always be able to access routers and switches directly so that they can continue to be administered locally even when the entire network fails.

NET.3.1.A7 Logging at Routers and Switches (B)

A router or switch MUST be configured to log, among other things, the following events:

  • configuration changes (automatically where possible),
  • reboot,
  • system errors,
  • status changes per interface, system, and network segment, and
  • login errors.
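Logging is only useful if someone looks at the events. The following added example (not part of the building block) runs simple detection logic over constructed syslog lines in the style Cisco IOS devices emit: repeated login failures from one source, a configuration change from outside the management network, an interface that flaps, and a reboot. The message formats, host name and addresses are assumptions for illustration.

```python
"""Detection over router/switch syslog: brute force, config change from an untrusted
source, interface flapping, reboot. Added example; the log lines are constructed in
IOS style and the management network is an assumption."""
import ipaddress
import re
from collections import defaultdict, deque

SAMPLE_LOG = """\
Mar  1 10:00:01 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Mon Mar 1 2021
Mar  1 10:00:03 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:03 UTC Mon Mar 1 2021
Mar  1 10:00:04 sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:04 UTC Mon Mar 1 2021
Mar  1 10:01:10 sw-core-01 %SYS-5-CONFIG_I: Configured from console by ops on vty0 (10.10.0.5)
Mar  1 10:02:30 sw-core-01 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.7)
Mar  1 10:03:00 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Mar  1 10:03:02 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Mar  1 10:03:05 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Mar  1 10:03:07 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Mar  1 10:05:00 sw-core-01 %SYS-5-RESTART: System restarted --
"""

LINE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) (\S+) (%[A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
LOGIN_FAIL = re.compile(r"\[Source: ([\d.]+)\]")
CONFIG = re.compile(r"by (\S+) on (\S+) \(([\d.]+)\)")
LINK = re.compile(r"Interface (\S+), changed state to (up|down)")


def analyze(text, mgmt_net="10.10.0.0/24", fail_threshold=3, window=60, flap_threshold=4):
    """Return a list of (alert_kind, subject) tuples in the order they fire."""
    mgmt = ipaddress.ip_network(mgmt_net)
    fails, flaps, alerts = defaultdict(deque), defaultdict(deque), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        hh, mm, ss, host, mnemonic, msg = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss)   # seconds of day; sample spans one day
        if mnemonic == "%SEC_LOGIN-4-LOGIN_FAILED":
            src = LOGIN_FAIL.search(msg)
            if src:
                q = fails[src.group(1)]
                q.append(t)
                while q and t - q[0] > window:
                    q.popleft()
                if len(q) >= fail_threshold:          # N failures inside the window
                    alerts.append(("brute_force", src.group(1)))
                    q.clear()
        elif mnemonic == "%SYS-5-CONFIG_I":
            c = CONFIG.search(msg)
            if c and ipaddress.ip_address(c.group(3)) not in mgmt:
                alerts.append(("config_change_untrusted_source", c.group(3)))
        elif mnemonic == "%LINK-3-UPDOWN":
            iface = LINK.search(msg)
            if iface:
                q = flaps[iface.group(1)]
                q.append(t)
                while q and t - q[0] > window:
                    q.popleft()
                if len(q) >= flap_threshold:          # repeated state changes = flapping
                    alerts.append(("interface_flap", iface.group(1)))
                    q.clear()
        elif mnemonic == "%SYS-5-RESTART":
            alerts.append(("restart", host))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The config-change rule is the one that pays off most often: a change made from an address outside the management network means either the access restriction of NET.3.1.A4 is not in place or a credential has leaked. Events of this kind should be sent to a central log server so that an attacker with device access cannot simply erase them.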

NET.3.1.A8 Regular Data Backup (B)

The configuration files of routers and switches MUST be backed up regularly. Backup copies MUST be stored so that they can be accessed in an emergency.

NET.3.1.A9 Operational Documentation (B)

The most important operational tasks of a router or switch MUST be appropriately documented. All configuration changes and security-relevant tasks SHOULD be documented. The documentation SHOULD be protected against unauthorized access.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

NET.3.1.A10 Creation of a Security Policy (S)

Based on the institution’s general security policy, a specific security policy SHOULD be created. The security policy SHOULD describe in a comprehensible manner requirements and specifications for how routers and switches can be operated securely. The policy SHOULD be known to all administrators and fundamental to their work. If the policy is changed or if deviations from defined requirements occur, this SHOULD be coordinated with the ISO and documented. It SHOULD be regularly checked whether the policy is still correctly implemented. The results SHOULD be appropriately documented.

NET.3.1.A11 Procurement of a Router or Switch (S)

Before routers or switches are procured, a requirements list SHOULD be created based on the security policy, by which products available on the market can be evaluated. Care SHOULD be taken that the security level sought by the institution can be achieved with the devices to be procured. The requirements from the security policy SHOULD therefore form the basis for procurement.

NET.3.1.A12 Creation of a Configuration Checklist for Routers and Switches (S)

A configuration checklist SHOULD be created by which the most important security-relevant settings on routers and switches can be checked. Since the secure configuration depends heavily on the purpose of use, the different requirements of the devices SHOULD be taken into account in the configuration checklist.
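An added example (not from the BSI building block) of the kind of automated checklist this requirement and NET.3.1.A1 call for: it parses a running configuration and flags cleartext or reversibly stored passwords, an information-disclosing banner, unneeded services (HTTP, SNMPv1/v2c communities), telnet on the management lines, and interfaces that are neither shut down nor assigned to an explicit VLAN. Both configurations are constructed; the command syntax is Cisco IOS-like but the checks are string heuristics, not a vendor tool.

```python
"""Audit an IOS-style running config against the basic-configuration checklist.
Added example; both configs are constructed and the syntax is Cisco IOS-like."""
import re

INSECURE_CONFIG = """\
hostname sw-access-07
no service password-encryption
enable password Cisco123
username admin privilege 15 password 0 Cisco123
banner motd ^C Cisco IOS 15.2(4)E on sw-access-07 ^C
ip http server
snmp-server community public RO
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/3
 description spare
!
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname sw-access-07
service password-encryption
enable secret 9 $9$CONSTRUCTED.HASH
username admin privilege 15 secret 9 $9$CONSTRUCTED.HASH
banner motd ^C Authorized use only. Activity is logged. ^C
no ip http server
ip ssh version 2
access-list 10 permit 10.10.0.0 0.0.0.255
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet1/0/2
 description unused
 switchport access vlan 999
 switchport mode access
 shutdown
!
line vty 0 4
 transport input ssh
 access-class 10 in
 login local
"""


def parse_ios(text):
    """Map every top-level line to its indented sub-lines (empty list if none)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(text):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    for line, sub in parse_ios(text).items():
        if line == "no service password-encryption":
            findings.append("password encryption disabled: passwords are stored in cleartext")
        elif line.startswith("enable password") or re.match(r"username \S+ .*\bpassword\b", line):
            findings.append(f"reversible or cleartext credential: {' '.join(line.split()[:2])} -> use 'secret'")
        elif line.startswith("banner ") and re.search(r"\bIOS\b|\d+\.\d+\(", line):
            findings.append("login banner discloses platform/version")
        elif line.startswith("ip http server"):
            findings.append("HTTP management server enabled -> 'no ip http server'")
        elif line.startswith("snmp-server community"):
            findings.append("SNMPv1/v2c community string configured -> use SNMPv3 authPriv")
        elif line.startswith("interface "):
            if "shutdown" not in sub and not any(s.startswith("switchport access vlan") for s in sub):
                findings.append(f"{line}: up with no explicit access VLAN; shut down or move to an unassigned VLAN")
        elif line.startswith("line vty"):
            if any(s.startswith("transport input") and "telnet" in s for s in sub):
                findings.append(f"{line}: telnet permitted -> 'transport input ssh'")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(INSECURE_CONFIG)) or "insecure config: no findings")
    print(audit(HARDENED_CONFIG) or "hardened config: no findings")
```

The hardened variant also shows the NET.3.1.A4 restriction (an access-class on the vty lines that admits only the management network). Note that "service password-encryption" alone is not sufficient: it only obscures passwords reversibly, which is why the check insists on "secret" (a one-way hash) for the enable and user credentials.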

NET.3.1.A13 Administration via a Separate Management Network (S)

Routers and switches SHOULD be administered exclusively via a separate management network (out-of-band management). Any administration interface via the actual data network (in-band) that may be present SHOULD be deactivated. The available security mechanisms of the management protocols used for authentication, integrity protection, and encryption SHOULD be activated. All insecure management protocols SHOULD be deactivated.

NET.3.1.A14 Protection Against Misuse of ICMP Messages (S)

The protocols ICMP and ICMPv6 SHOULD be filtered restrictively.

NET.3.1.A15 Bogon and Spoofing Filtering (S)

It SHOULD be prevented that attackers can penetrate routers and switches using forged, reserved, or not yet assigned IP addresses.
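What such a filter looks like on a border router, as an added example that is not part of the building block: on the outside interface, drop packets whose source is a bogon (unallocated or special-purpose space) or one of the institution's own internal prefixes; on inside interfaces, drop packets whose source does not belong to the prefixes routed via that interface (ingress filtering per BCP 38, i.e. strict unicast reverse path forwarding). The prefix lists are static and constructed from the IANA special-purpose registries; a production list must come from a maintained feed.

```python
"""Bogon and anti-spoofing ingress filter for a border router. Added example;
the prefix lists are static and constructed (RFC 6890 special-purpose space),
so in production they must come from a maintained feed."""
import ipaddress

BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "100::/64", "2001:db8::/32",
    "fc00::/7", "fe80::/10", "ff00::/8",
)]


class IngressFilter:
    def __init__(self, internal_prefixes, interface_prefixes):
        # Prefixes the institution uses internally: they must never arrive from outside.
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]
        # Prefixes legitimately sourced behind each inside interface (strict uRPF / BCP 38).
        self.per_interface = {i: [ipaddress.ip_network(p) for p in ps]
                              for i, ps in interface_prefixes.items()}

    @staticmethod
    def _in_any(addr, nets):
        return any(addr in n for n in nets)   # an IPv4 address is never "in" an IPv6 net

    def check(self, iface, src):
        """Return 'permit' or a 'drop: ...' verdict for a packet with source src on iface."""
        src = ipaddress.ip_address(src)
        if iface == "outside":
            if self._in_any(src, self.internal):
                return "drop: internal source arriving from outside (spoofed)"
            if self._in_any(src, BOGONS):
                return "drop: bogon source"
            return "permit"
        if not self._in_any(src, self.per_interface.get(iface, [])):
            return "drop: source not routed via this interface (spoofed)"
        return "permit"


# Constructed deployment: users on 10.10.0.0/16 and fd00:10::/32 behind interface "inside".
FILTER = IngressFilter(
    internal_prefixes=["10.10.0.0/16", "fd00:10::/32"],
    interface_prefixes={"inside": ["10.10.0.0/16", "fd00:10::/32"]},
)

if __name__ == "__main__":
    for iface, src in (("outside", "10.10.4.2"), ("outside", "10.1.2.3"), ("outside", "fe80::1"),
                       ("outside", "93.184.216.34"), ("inside", "10.10.3.4"), ("inside", "10.20.1.1")):
        print(f"{iface:8} {src:16} {FILTER.check(iface, src)}")
```

Two caveats from operations: strict reverse-path checks break with asymmetric routing, in which case loose mode (source must merely be routable) is the fallback on those interfaces; and bogon lists age, because IANA allocates space over time, so a stale list silently blackholes legitimate new networks.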

NET.3.1.A16 Protection Against “IPv6 Routing Header Type 0” Attacks (S)

When using IPv6, mechanisms SHOULD be used that detect and prevent attacks on the routing header of type 0.
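Detecting the header in question means walking the IPv6 extension-header chain. The following added example (not from the building block) builds a few IPv6 packets in memory and inspects them, dropping any packet that carries a Routing Header of type 0, which RFC 5095 deprecated because a single packet could be bounced between two hosts many times. Hop limits, checksums and upper-layer content are irrelevant to the check and are filled with placeholder values; the addresses are from the documentation prefix.

```python
"""Walk an IPv6 extension-header chain and drop packets with a Routing Header of
type 0 (RFC 5095). Added example; the packets are constructed in the block itself."""
import struct
from ipaddress import IPv6Address

HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
EXT_HEADERS = {HOPOPT: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment", DSTOPTS: "dest-options"}
UPPER = {6: "tcp", 17: "udp", 58: "icmpv6", 59: "no-next-header"}


def build_ipv6(src, dst, ext_headers, upper=17, payload=b""):
    """ext_headers: list of (header number, body); body excludes the two leading bytes
    (next header, length or reserved) that this function fills in."""
    nexts = [n for n, _ in ext_headers] + [upper]
    chain = b""
    for (num, body), nh in zip(ext_headers, nexts[1:]):
        # Hdr Ext Len counts 8-octet units beyond the first 8; the fragment header has none.
        second = 0 if num == FRAGMENT else (len(body) + 2) // 8 - 1
        chain += struct.pack("!BB", nh, second) + body
    fixed = struct.pack("!IHBB", 6 << 28, len(chain) + len(payload), nexts[0], 64)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + chain + payload


def routing_body(rtype, segments_left, *hops):
    """Type-specific part of a routing header: type, segments left, 4 reserved bytes, addresses."""
    return struct.pack("!BBI", rtype, segments_left, 0) + b"".join(IPv6Address(h).packed for h in hops)


def inspect_ipv6(pkt):
    """Return (verdict, headers seen in order)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop: not IPv6", []
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    off, end, seen = 40, 40 + payload_len, []
    while nh in EXT_HEADERS:
        if off + 8 > min(end, len(pkt)):
            return "drop: truncated extension header", seen
        next_nh, second = pkt[off], pkt[off + 1]
        length = 8 if nh == FRAGMENT else (second + 1) * 8
        if nh == ROUTING:
            rtype, segs = pkt[off + 2], pkt[off + 3]
            seen.append(f"routing(type={rtype},segments_left={segs})")
            if rtype == 0:        # RFC 5095: RH0 allows amplification and ping-pong paths
                return "drop: routing header type 0", seen
        else:
            seen.append(EXT_HEADERS[nh])
        off, nh = off + length, next_nh
    seen.append(UPPER.get(nh, f"proto-{nh}"))
    return "permit", seen


# Constructed packets (documentation prefix 2001:db8::/32).
RH0_PKT = build_ipv6("2001:db8::1", "2001:db8::2",
                     [(ROUTING, routing_body(0, 2, "2001:db8::10", "2001:db8::20"))])
RH2_PKT = build_ipv6("2001:db8::1", "2001:db8::2", [(ROUTING, routing_body(2, 1, "2001:db8::99"))])
HBH_PKT = build_ipv6("2001:db8::1", "2001:db8::2",
                     [(HOPOPT, b"\x01\x04\x00\x00\x00\x00"),            # PadN option, 6 bytes
                      (FRAGMENT, b"\x00\x00\x00\x00\x00\x01")])        # offset 0, M=0, id 1

if __name__ == "__main__":
    for name, pkt in (("RH0", RH0_PKT), ("RH2", RH2_PKT), ("HBH+frag", HBH_PKT)):
        print(name, inspect_ipv6(pkt))
```

The walker stops at the first routing header of type 0 regardless of the Segments Left value, which is the filtering policy RFC 5095 recommends for routers; other routing types (2 for Mobile IPv6, 4 for segment routing) are reported and left to policy. The same chain walk is where a filter would also enforce limits on the number and order of extension headers.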

NET.3.1.A17 Protection Against DoS and DDoS Attacks (S)

Mechanisms SHOULD be used that detect and defend against high-volume attacks and TCP state exhaustion attacks.

NET.3.1.A18 Establishment of Access Control Lists (S)

Access to routers and switches SHOULD be defined using access control lists (ACLs). In the ACL, it SHOULD be established based on the institution’s security policy which IT systems or networks may access a router or switch and by which method. In the absence of specific rules, the more restrictive allowlist approach SHOULD generally be preferred.
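An added example (not from the BSI building block) of an allowlist ACL with first-match semantics and an implicit deny, covering three requirements at once: management access only via SSH and only from the management network (NET.3.1.A4), restrictive ICMP filtering that still lets the ICMPv6 messages through without which IPv6 does not work (NET.3.1.A14, following the "must not filter" list of RFC 4890), and the allowlist approach of this requirement. Addresses and rule contents are constructed.

```python
"""Allowlist ACL with implicit deny, applied to management access and to restrictive
but functional ICMP/ICMPv6 filtering. Added example with constructed addresses;
rules are evaluated first-match, as on most vendors' devices."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", "icmpv6"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _in(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str = "any"
    src: Optional[str] = None         # CIDR; None = any
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_types: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and _in(p.src, self.src) and _in(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_types is None or p.icmp_type in self.icmp_types))


class Acl:
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, p: Packet):
        """Return (action, index of the matching rule); no match means implicit deny."""
        for i, r in enumerate(self.rules):
            if r.matches(p):
                return r.action, i
        return "deny", None


MGMT_NET, DEVICE_MGMT_IP = "10.10.0.0/24", "10.10.255.1/32"
RULES = [
    # NET.3.1.A4 / A18: management only via SSH and only from the management network.
    Rule("permit", "tcp", src=MGMT_NET, dst=DEVICE_MGMT_IP, dport=22),
    # NET.3.1.A14: ICMPv6 types RFC 4890 says must not be filtered (errors, echo, NDP).
    Rule("permit", "icmpv6", icmp_types=frozenset({1, 2, 3, 4, 128, 129, 133, 134, 135, 136})),
    # ICMPv4: keep error reporting (PMTUD relies on type 3) and traceroute; echo only from management.
    Rule("permit", "icmp", icmp_types=frozenset({3, 11})),
    Rule("permit", "icmp", src=MGMT_NET, icmp_types=frozenset({0, 8})),
]
MGMT_ACL = Acl(RULES)

if __name__ == "__main__":
    for p in (Packet("10.10.0.5", "10.10.255.1", "tcp", dport=22),
              Packet("198.51.100.7", "10.10.255.1", "tcp", dport=22),
              Packet("10.10.0.5", "10.10.255.1", "tcp", dport=23),
              Packet("fe80::1", "ff02::1:ff00:2", "icmpv6", icmp_type=135),
              Packet("fe80::1", "fe80::2", "icmpv6", icmp_type=137),
              Packet("198.51.100.7", "10.10.255.1", "icmp", icmp_type=8)):
        print(p, "->", MGMT_ACL.evaluate(p))
```

Telnet from the management network is denied even though the source is trusted, because nothing permits it: that is the allowlist property. On the ICMP side, an over-restrictive rule set that drops ICMPv6 type 2 (Packet Too Big) or the neighbour discovery types 133 to 136 produces hard-to-diagnose outages rather than security; the redirect type 137, by contrast, is left to the implicit deny. Real ACLs should log the implicit deny hits for the management address so that blocked access attempts show up in the log events of NET.3.1.A7.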

NET.3.1.A19 Securing Switch Ports (S)

The ports of a switch SHOULD be protected against unauthorized access.

NET.3.1.A20 Security Aspects of Routing Protocols (S)

Routers SHOULD authenticate themselves when exchanging routing information or sending updates to routing tables. ONLY routing protocols that support this SHOULD be used.

Dynamic routing protocols SHOULD ONLY be used in secure networks. They MUST NOT be used in demilitarized zones (DMZs). Static routes SHOULD instead be entered in DMZs.
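Why authentication of routing updates matters, as an added example that is not part of the building block: an unauthenticated router accepts whatever its neighbour says, so an attacker on the segment can inject a default route and pull all traffic. A keyed HMAC over the update plus a per-neighbour sequence number rejects both the forged update and a replay of a captured genuine one. Real protocols authenticate the actual PDU or TCP segment (OSPFv2 with RFC 5709 HMAC-SHA, IS-IS with RFC 5310, BGP with TCP-AO); this block models only the check, and the key and prefixes are constructed.

```python
"""Authenticated routing updates: a keyed HMAC and a per-neighbour sequence number
let a router reject forged and replayed updates. Added example; real protocols
authenticate the actual PDU, this only models the check. Key and prefixes are constructed."""
import hashlib
import hmac
import json


def _canonical(key_id, seq, routes):
    """Deterministic byte representation of the authenticated fields."""
    return json.dumps({"key_id": key_id, "seq": seq, "routes": sorted(routes)}, sort_keys=True).encode()


def sign_update(key_id, key, seq, routes):
    mac = hmac.new(key, _canonical(key_id, seq, routes), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "seq": seq, "routes": sorted(routes), "auth": mac}


class Router:
    def __init__(self, keys=None):
        self.keys = dict(keys or {})   # key_id -> shared secret; empty = unauthenticated router
        self.last_seq = {}             # neighbour -> highest sequence number accepted
        self.table = {}                # prefix -> next hop (neighbour)

    def receive(self, neighbour, update):
        if self.keys:
            key = self.keys.get(update.get("key_id"))
            if key is None:
                return "rejected: unknown key id"
            expected = hmac.new(key, _canonical(update["key_id"], update["seq"], update["routes"]),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, str(update.get("auth", ""))):
                return "rejected: bad authentication"
            if update["seq"] <= self.last_seq.get(neighbour, -1):
                return "rejected: replayed sequence number"
            self.last_seq[neighbour] = update["seq"]
        for prefix in update["routes"]:
            self.table[prefix] = neighbour
        return "accepted"


KEYS = {1: b"constructed-shared-secret-do-not-reuse"}


def scenario(authenticated):
    """Legitimate update, then a forged one from an attacker without the key, then a replay."""
    r = Router(KEYS if authenticated else None)
    legit = sign_update(1, KEYS[1], 10, ["10.20.0.0/16"])
    first = r.receive("r-core", legit)
    forged = {"key_id": 1, "seq": 11, "routes": ["0.0.0.0/0"], "auth": "00" * 32}
    second = r.receive("r-core", forged)
    third = r.receive("r-core", legit)          # replay of the captured legitimate update
    return first, second, third, r.table.get("0.0.0.0/0")


if __name__ == "__main__":
    print("unauthenticated:", scenario(False))
    print("authenticated:  ", scenario(True))
```

In the unauthenticated run the default route ends up pointing at whoever sent the forged update. Two operational points carry over to real deployments: the key identifier exists so that keys can be rotated without a flag day, and the sequence check only helps if the counter survives a neighbour restart or the protocol has another freshness mechanism.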

NET.3.1.A21 Identity and Access Management in the Network Infrastructure (S)

Routers and switches SHOULD be connected to a central identity and access management system.

NET.3.1.A22 Emergency Preparedness for Routers and Switches (S)

It SHOULD be planned and prepared what errors could be diagnosed on routers or switches in an emergency. It SHOULD also be planned and prepared how the identified errors can be resolved. Corresponding action instructions SHOULD be defined for typical failure scenarios and updated at regular intervals.

Emergency plans for routers and switches SHOULD be coordinated with the overarching fault and emergency preparedness. Emergency plans SHOULD be aligned with the general emergency preparedness concept. It SHOULD be ensured that emergency preparedness documentation and the action instructions it contains are available in paper form. The procedure described in the emergency preparedness SHOULD be regularly practiced.

NET.3.1.A23 Revision and Penetration Tests (S)

Routers and switches SHOULD be regularly checked for known security problems. Regular revisions SHOULD also be conducted. Among other things, it SHOULD be checked whether the actual state corresponds to the defined secure basic configuration. The results SHOULD be documented in a comprehensible manner and compared with the target state. Deviations SHOULD be investigated.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the framework of an individual risk analysis.

NET.3.1.A24 Use of Network Access Control (H)

Port-based access control SHOULD be implemented according to IEEE 802.1X based on EAP-TLS. NO implementation according to IEEE 802.1X-2001 and IEEE 802.1X-2004 SHOULD be made.

NET.3.1.A25 Extended Integrity Protection for Configuration Files (H)

If a router or switch crashes, it SHOULD be ensured that no old or faulty configurations (including ACLs) are used during restoration or restart.

NET.3.1.A26 High Availability (H)

Implementation of a high availability solution SHOULD NOT hinder the operation of routers and switches or their security functions, nor reduce the security level. Routers and switches SHOULD be designed redundantly. Care SHOULD be taken to ensure that the institution’s security policy is maintained.

NET.3.1.A27 Bandwidth Management for Critical Applications and Services (H)

Routers and switches SHOULD contain and use functions that can identify applications and prioritize bandwidth.

NET.3.1.A28 Use of Certified Products (H)

Routers and switches with a security evaluation according to Common Criteria SHOULD be used, at least at level EAL4.

Additional Information

Good to Know

The BSI has published further information on security for routers and switches in the BSI Internet Security Standards (ISi series).

The Institute of Electrical and Electronics Engineers (IEEE) has published in its standards series the standards IEEE 802.1Q “IEEE Standard for Local and Metropolitan Area Networks - Bridges and Bridged Networks” and IEEE 802.1AE “IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security.”

In the Requests for Comments (RFC), RFC 6165 “Extensions to IS-IS for Layer-2 Systems” and RFC 7348 “Virtual Extensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks” provide further information on routers and switches.