Threat Level: green Handler on Duty: Tom Webb

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Tip of the Day: Remove Default Route

Published: 2006-08-02
Last Updated: 2006-08-02 13:38:46 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
This tip comes from Mark Goudie:

Not having a default route in the router network is a great way to minimise the impact of malware on the corporate environment. This practice enforces that gateways are used for all external communications.

Advantages

  1. Enforces the use of proxy gateways for external communications.
  2. Malicious packets can be dropped or sent to a centralised server for analysis.
  3. Reduces the potential impact of misconfigured software through enforcing no internet connectivity.
  4. Makes malware infection easy to spot (if analysing all dropped packets).
I'd recommend implementing this with a split DNS to increase the difficulty of malware "phoning home" as the internal network cannot resolve external addresses. The DNS server could be configured to log all unresolved addresses for further malware indication.

Note that the above tip does not ask you to remove the default route off your end systems (user workstations) - chances are that many services needed in a corporate environment (like financial news feeds) will need to have a default route on the workstation. But if, in your network core, you can get away with only advertising and routing those external networks that are actually needed, you have made a huge step to secure your network. As indicated above, the newly un-used "default route" should then be made to point to a "darknet" where you have nothing except logging and packet collection capability.

Keywords: ToD
0 comment(s)
Diary Archives