Network security (101)

March 22, 2021 by

Kurt Ellzey

When we're building a network, the first time it comes online can always be a rush — seeing systems be detected, being able to make their way to your test sites of choice, and running a speed test to see just how fast your ISP's connection actually is. But while that is a great start, it is just that- a start.

There are dozens of considerations to factor in when we are conceptualizing, implementing and securing our networks, with a considerable amount of them having nothing to do with the massive amount of cable we just ran. There's a lot to get through in this article, so we're going to be hitting the high points here before diving into individual topics later on. This is Network Security (101).

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Start Learning

Building the network

Network diagram

Planning out the structure of your network and how it interacts with the outside world, other locations and redundant solutions is the very first place that anyone should ever start to secure their network. As a rule, the earlier that a problem is discovered, the cheaper it is to fix and it doesn't get much cheaper than when everything is still on paper. Solutions for building a network diagram are all over the map from Whiteboards, to scraps of paper to flowcharts from programs such as Microsoft Visio. Retention of your diagram is vital though, so choosing a robust option or perhaps one that can be then transferred to a different storage method in the future would be preferred.

Physical security

The saying goes that if someone gets physical access to something, they own it. Locking down who has access to networking gear, servers, your demarc and more is CRITICAL to avoid potential security hazards. Depending on your environment, this may be just as simple as a locked closet all the way up to a man-trapped, retinal scan requiring, floor weight mapping, time locked, armor covered safe house.

Device updates

While user systems, servers and mobile devices have gotten considerably better about regularly updating their software and firmware, updating networking equipment is still by nature quite a manual process for many devices. Still, updating firmware and associated software packages can be considered mandatory to networking hardware to avoid potential hazards.

Disabling unused remote access methods

Once our setup is complete and fully up to date, we'll want to disable any access methods that we don't need for regular access or maintenance. This can include methods such as SSH, Telnet, TFTP- basically anything that the device supports that we don't need at that time.

Carving up the network

Subnetting

Subnetting grants additional addresses in your network. You can assign particular blocks of addresses based on function, location, department- anything that your organization requires. If you are able to lock down particular ip blocks to specific switches however, this means that you can tell at a glance if someone is attempting to use an address that is far outside of the standard usage.

Access control lists

What subnetting also allows however is the ability to lock down access to particular sections of the network. Say for example that you have users logging into your VPN being given addresses in a range of 192.168.4.x and you have your servers in 192.168.5.x. You could use an Access Control List (ACL) to forbid access to devices in 5.x from 4.x, thus closing a potential security threat.

Firewalls

In order to keep traffic down and possible threats from spreading from location to location, we could use Firewalls to block all non-essential ports both inside and outside our networks. Let's say for example that we wanted to force users to use SFTP to transfer large files instead of FTP. We could use a Firewall to block port 21 entirely, thus making it significantly more difficult to use the unsecure FTP protocol.

DMZ

The DMZ is the zone of zero trust between the wilds of the Internet and the internal network where some items must exist that talk to both the inside and the outside. This location requires some of the strongest security and monitoring that we have access to, since this is far and away the most likely place that an attack will come from. Anything that we can do that reduces the amount of connections that objects in this area have to the internal network is a major advantage.

Protect the servers and services

Encrypted protocols

Unsecured protocols such as http and ftp can be read as they go across the wire if someone is listening. This may not necessarily be an issue on our internal network, but we will want to avoid their use whenever possible as a rule.

Email security

The same thing goes for ways that email is accessed from our servers. We want to make sure that the server software we are using is up to date and using only best practices for secure access for email coming in and heading out of our network. We also want to make sure that users have access to tools showing them when particular messages may be suspect, as well as the education to understand what they are seeing.

Data loss prevention

Data Loss Prevention is equal parts specialized software, user education, blocking of removable data storage, limits on transmission of data, blocking of file sharing sites and blocking file transfer protocols wherever possible. While this may cause some complaints from users, it is far better to be safe rather than sorry when it comes to potential data leaks.

Software Allowlist

Most users will only use the same pieces of software on a regular basis. With that in mind, we can create a baseline of what applications we expect to see operating on the network. This way we can see if anything unexpected pops up on our radar and quickly get answers as to the who, why and how.

Secure the members

Strong password requirements

Strong passwords help prevent both random users from attempting to login as another user for curiosity's sake as well as keeps malicious users from easily being able to compromise user accounts. While this is another issue that users may not necessarily agree with, especially when combined with password retention and expiration rules, it is something that is necessary in the environment we find ourselves in.

Two factor authentication

Two Factor Authentication (2FA) is tremendously useful when securing user logons, but also for protecting physical access to high security areas. Requiring both a physical object such as a fingerprint or security card along with a PIN or other piece of information helps significantly to keep out potential threats as well as curious passers-by.

Least privilege

If a user account does get compromised however, either by a malicious user or something more automated, making sure that it cannot impact the entire network is critical. To that end, using Least Privilege is mandatory for this plus many more reasons besides.

Antivirus and malware protection

Malware from individual user systems can propagate out rapidly without protection. In situations such as a ransomware infection, this can be catastrophic on file servers if left unchecked. In situations like this then, prevention is absolutely the best form of medicine.

Maintenance mode

Mobile device management (MDM)

Mobile devices accessing company information have become the rule rather than the exception, especially when it comes to things like emails and file transfers. In order to protect both the network as well as those individual devices, Mobile Device Management can enforce best practices as well as remotely wipe those devices if they are lost or stolen.

Security information and event management (SIEM)

The good news: Most devices generate some form of log or alert when things don't work how they are supposed to. The bad news: we can be potentially talking about thousands of new log entries every minute when we consider our network as a whole. The solution? Combine them all together into one massive aggregator and have it filter out the noise to create a baseline so we then know what we actually need to address.

Behavioral analytics

As we have mentioned multiple times so far, being able to have a baseline for what happens regularly on your network can be a huge time saver and early warning system for when something out of the ordinary is happening. This can take a significant amount of time and effort, but when it's finished you have an extremely powerful tool for both security and executive purposes.

Scheduled cleanup

Many things generate trash as they are used. This can take forms such as junk files, log files, dust, grease, etc. In order to make sure our devices and environment are in the best shape they can be, we need to have regular cleanings occur both physically and virtually. This can also help to give us advanced warning about potential issues happening at our data center such as leaks, electrical issues and more.

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Start Learning

Conclusion

Network Security covers a massive amount of fields, and people handling it can wear half a dozen hats easily before it is finished. That being said however, the dividends it pays for both functionality and peace of mind repay themselves many times over. If we do our job, and do it well, we will see the number of all-hands and emergency events go down, while the reliability and consistency of our environment goes up.

Sources

https://docs.oracle.com/cd/A97335_02/apps.102/a86202/chap10.htm

https://www.comptia.org/content/guides/network-security-basics-definition-threats-and-solutions

https://www.itmanagerdaily.com/network-security-fundamentals/

https://www.cisco.com/c/en/us/products/security/what-is-network-security.html

https://www.juniper.net/us/en/products-services/what-is/network-security-management/

https://blog.eccouncil.org/how-to-identify-network-security-threats-and-vulnerabilities/