Are Consumer Networking Products Threatening Business Security?

Security challenges are on the rise and a disproportionate amount of time and money is being spent to counter the intrusions and risks that lurk behind every door. While businesses may rely on enterprise-class networking security from companies like Cisco Systems, Fortinet, Checkpoint Systems or Palo Alto Networks, it is consumer products from the likes of Asus, D-Link, Linksys, Netgear or TRENDnet that could still have an unintended impact on a company’s networks and bottom line. Through the increase in employee mobility, it is inevitable that that these inexpensive consumer products are more likely to rub shoulders with your industrial-strength enterprise equipment, potentially putting your networks and business at risk.

router-2

Over a beer with a friend who is state network auditor, the mention of risk from consumer networking products on government systems made her roll her eyes in disgust. Behind the failure to remove remote access from ex-employees, the problems from end user PCs outside of the firewall was a close runner up in terms of vulnerability.

The combination of insecure products, lack of security awareness, need for convenience and general end user laziness has brought us to the point of more than 1/3 of the worldwide PCs infected with viruses and malware – and this is only one step from your data center. (Lest we lay all of the blame at the feet of end users, according to Cisco Systems Annual Security Report, more than 1/3 of all respondents do not categorize their data center security as “the most up to date.”)

Default Security Leaves Holes Open

When devices like consumer routers are difficult to setup or configure, end users tend to rely on either the default options or leave security turned off altogether, making their homes and systems insecure. This allows viruses, malware and other security risks flow in, but that is John Q. Public’s problem, right? Well, not if John Q. Public happens to be your marketing manager and likes to work from home over the secure Virtual Private Network (VPN) that you have provided your employees for flexibility and to squeeze a little more productivity out of them. The VPN creates a secure and encrypted tunnel that lets the employees in, but, if not configured properly or not maintained diligently, this could allow in all of their malware and viruses as well. On top of that, if their system is compromised by a hacker, that person could potentially gain access to your network via a remote connection (similar to the breach that Target suffered.)

When security is difficult to understand and implement, we can end up with bad people being able to get into a consumer’s home network by utilizing the highly technical exploit called “username:admin, password:<blank>” which is how I was able to access my neighbor’s network through their Arris cable modem (before I changed it for them.) Even those consumers that are actually knowledgeable about networking might not be out of the woods as popular VPN services that consumers may utilize for home use might also be vulnerable as well.

Having tested a variety of consumer devices that all ended up being sent back because I found the overall performance to be lackluster (a story for another day), I found that the security settings for almost all were confusing and inconsistent. With each I was able to set up the router with absolutely no security. Occasionally I would receive a notice that this was “not secure” but never once saw “this will allow someone to empty your bank account” or a similar warning that might be more meaningful to the typical consumer.

Cable Modems Are Part of the Problem

Businesses typically deal with a knowledgeable VAR or integrator for their network equipment. But consumers who don’t know a subnet from a gateway (like my neighbors) will typically rely on their ISP. As opposed to the advice a VAR or integrator can provide, a cable company worker won’t discuss anything outside of their own equipment, often leading customers into buying new equipment, even if a firmware update or some troubleshooting would have solved the issue. Networking equipment rarely “wears out”, as evidenced by my still-running 8-year-old D-Link routers.

While cable modems (from companies like Arris) have evolved from the standalone boxes of the past into multifunction devices that now even include routing and Wi-Fi, unfortunately not not all of these multiple functions is handled very well. “Bridged mode” is typically the best solution for those that want better functionality and security (which is how my neighbor’s cable guy said he runs his as well), but that is not for the typical consumer. A secure VPN tunnel connected through an insecure cable modem is hardly a secure option.

So, What Can Be Done?

Companies, vendors and consumers all have a role here.

Vendors of consumer network products (like D-Link, Linksys and Netgear for instance), need to make security easier to enable and stronger. When 67% of users don’t change their passwords after security events, the factory default should be stronger, not blank, “password” or “admin.” For the future, bringing Network Function Virtualization (NFV) down to consumer devices would allow for a VPN gateway that could live in a separate virtual machine from a consumer internet gateway, potentially allowing an employer to even push down policies to individual user devices before allowing them to connect to the corporate VPN.

For companies that allow VPN access, even though you are using industrial-strength products from Cisco Systems or Checkpoint Systems, consider providing a standard consumer-grade router with the security pre-enabled to your employees. This may seem expensive on the surface but it can help reduce the variability of incoming lines and push some additional security measures. Also check your users’ equipment. Every incoming connection has an IP, so periodically poll those IPs for security gaps. An employee’s network connection to the company should be treated just like a corporate network endpoint, because, over a VPN, that is what it is.

Finally, consumers need to take security seriously; an extra 15 minutes setting up that shiny new toy can save a lot of hassle down the road – and possibly even keep your bank account from being emptied one day.