ROUTERS


Routers are the first layer of a multiple-layer defense against intrusion and unauthorized access from outside the internal network. A Router provides security by allowing or denying traffic to or from a source or destination IP address and port, as found in the layer 3 IP header. To deny access to the inside by unwanted outside traffic, a Router can act as a packet filter to help protect a Firewall from attack, as well as taking some of the network load off of the Firewall, so that the Firewall does not have to inspect each and every packet that presents itself to the Router.

A Router should be placed on the outside 'border' or perimeter of a network and properly configured to route packets through a network, to drop traffic to unknown destinations, and to block local broadcasts. Routers need to be specifically programmed for this mission for each network they are used on, because factory defaults are not sufficient. This security filtering is accomplished by the use of an Access Control List (ACL) which gives commands or 'rules' to the Router in its own internal OS language on what type of traffic to allow or deny, based upon IP address. This filtering can be set up with 'standard' or 'extended' ACL commands to also check source and/or destination IP addresses. These extended ACLs can also deny or permit packets based upon packet header information, protocols or port number. Even with all this inspection going on, a Router will not act to 'tear down' a packet and inspect it for a dangerous payload. That is the job for a Firewall and will be discussed later.

Again, because each network is different, as well as each brand of Router, only general guidelines and 'best practices' can be encouraged here for use of ACLs, although the concepts and capabilities of all Routers should be similar. The concept is to deny what you know you want to deny, allowing only what you know you want to allow, then for good measure, deny everything else. These rules can be set using the standard ACLs, but only work by checking the source IP address. To deny traffic to specific destinations, extended ACLs must be used. An example would be for a network administrator to deny network users from accessing a Peer-to-Peer file sharing network, such as KaZaA, Morpheus, and others, by maintaining a list of IP addresses to be blocked. Default or other improper installation configurations on these P2P programs can open up a network to external access.

Instead of using a commonly-held philosophy of 'allow everything unless I specifically deny it', a network should be assessed to determine which ports on a Router will need to be opened, so that ports not in use can be closed. 'Deny all but what I specifically allow' would be a 'best practice' for the healthcare industry, as it is in the InfoSec community.

Another optional Router configuration is to set up 'stateful' packet filtering, which can be done using 'reflexive' ACLs. In this type of filtering, the Router dynamically generates its own 'inbound' ACL in real time, based upon outbound connections that have been specifically permitted. Restrictions put in place on a Router should also deny 'spoofed' traffic from 'internal' or private addresses that could not possibly be coming from the Internet, as well as multicast traffic or packets from invalid addresses.
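The 'deny what you know, allow what you need, deny everything else' ordering and the anti-spoofing restrictions described above can be seen in a small rule evaluator. This is an added example, not taken from the book or from any Router's OS; the rule names, the sample address ranges, and the first-match evaluation order are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def net(cidr):
    return ipaddress.ip_network(cidr)

ANY = net("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = ANY
    proto: str = "ip"               # "ip" matches any protocol
    dport: Optional[int] = None     # None matches any port
    note: str = ""

# Constructed sample: 203.0.113.0/24 stands in for the site's public range.
ANTI_SPOOF = [
    Rule("deny", net("10.0.0.0/8"), note="private source"),
    Rule("deny", net("172.16.0.0/12"), note="private source"),
    Rule("deny", net("192.168.0.0/16"), note="private source"),
    Rule("deny", net("127.0.0.0/8"), note="invalid source"),
    Rule("deny", net("0.0.0.0/8"), note="invalid source"),
    Rule("deny", net("224.0.0.0/4"), note="multicast source"),
    Rule("deny", net("203.0.113.0/24"), note="own range arriving from outside"),
]
ALLOWED = [
    Rule("permit", ANY, net("203.0.113.10/32"), "tcp", 443, "public web server"),
    Rule("permit", ANY, net("203.0.113.25/32"), "tcp", 25, "mail relay"),
]
DEFAULT_DENY = [Rule("deny", ANY, note="default deny")]

INBOUND_ACL = ANTI_SPOOF + ALLOWED + DEFAULT_DENY
MISORDERED_ACL = ALLOWED + ANTI_SPOOF + DEFAULT_DENY   # permits checked too early

def evaluate(acl, src, dst, proto, dport):
    """Return (action, note) of the first rule that matches the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in r.src and d in r.dst and r.proto in ("ip", proto)
                and r.dport in (None, dport)):
            return r.action, r.note
    return "deny", "no rule matched"

if __name__ == "__main__":
    spoofed = ("10.1.2.3", "203.0.113.10", "tcp", 443)   # constructed packet
    print(evaluate(INBOUND_ACL, *spoofed))
    print(evaluate(MISORDERED_ACL, *spoofed))
```

With the permits placed ahead of the anti-spoofing denies, the same packet with a private source address is let through to the web server, which is why rule order needs review along with rule content.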

While this document is not meant to be an all-inclusive dialogue of Router configurations, the important thing to remember is that in a medical center or hospital environment, the protection of patient information is the key function of Information Systems security. There is nothing about securing a Router that is specific to the healthcare industry. The information being secured in most instances is 'protected health information', but no special Router configuration is required by HIPAA.

Secondarily, access to outside resources for the medical staff must be allowed for research and other patient care purposes. This may mean permitting, or not blocking access to, certain types of web sites that many companies would normally not allow staff access to, or would at least automatically filter the content of. It has been my experience that generic blocking of web sites based on content, such as nudity, is too confining in a clinical environment. Many research and clinical information sites show pictures of human bodies in various states of undress, as well as medical or physical conditions. Generic blocking of access based upon content is therefore too restrictive. However, specific filtering based upon known IP addresses which are used in an ACL to either allow or deny access to these types of web sites is much more appropriate in the medical world.

The actual assessment of Router security can be done by running penetration software such as 'Nmap', 'Nessus', 'Enum', 'Netcat' or other such programs. It is advisable to get written permission from medical center or hospital administration before attempting to 'hack' into any systems.

There are some final considerations for the secure use of a Router. Audit logs should be enabled and checked for signs of attempted or successful intrusion. The initial configuration of a Router usually requires direct connection in console mode, but after this setup, remote access can be allowed by a Telnet session or web-based interface. Neither of these is secure, especially when a public network is used, so a policy that continues use of the direct-connect console mode, or an 'ssh' secure shell interface, would be preferred. Of course, the Router and other network equipment must be physically protected from hands-on intrusion.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
