SANS Critical IT Security Controls #4: Secure Configurations for Network Devices

Network configuration includes the configuration of all network devices such as firewalls, routers and switches. Often times, an initially secure network configuration becomes somewhat insecure over time, as occasional configuration changes are made to the network to accommodate temporary needs. Attackers can gain access to a vulnerable network component to gain access to the entire system at large. Attackers usually use a compromised component to act as a trusted component, so they can gain access to other secure critical network components.

To secure your networks proactively, the first step is to conduct an internal audit of your network, whether aided by your own staff or by an external IT auditor. You aren’t really auditing stuff such as who owns a network component here. Rather, your goal is to check how well your current network components such as firewalls, routers and switches are configured. You check the current configuration against the recommended latest best practices for each of the network components — you may very well be surprised by what you’ll find during such an audit. In addition, put in place a strong change control policy to prevent unauthorized or undocumented configuration changes to the network.

You must also implement ingress and egress filtering to allow only officially approved ports and protocols. Firewalls, routers and intrusion prevention systems must strictly block all unauthorized ports and protocols. A sound testing of the network protection features must be very high on any enterprise security administrator’s list. You must frequently schedule a test of the intrusion prevention systems, firewalls, router access controls lists and other deny/allow mechanisms by simulating a heavy test workload that includes both legitimate traffic along with disallowed traffic. Look into deploying all network filtering components with the capability to filter IPv6 traffic. Network zoning and the use of real two-factor authentication (password and a token or biometric device) also go a long way towards strengthening your network against attacks.

Leave a Comment

Your email address will not be published. Required fields are marked *