Snapshot of a Secure Network
Table 15.3 provides a snapshot of the characteristics of a secure network. The security settings are abstracted from industry security experts and real-world applications in secure deployments. You can use the snapshot as a reference point when evaluating your own solution.
| Component | Characteristic |
|---|---|
| Router | |
| Patches and Updates | Router operating system is patched with up-to-date software. |
| Protocols | Unused protocols and ports are blocked. Ingress and egress filtering is implemented. ICMP traffic is screened from the internal network. TTL expired messages with values of 1 or 0 are blocked (route tracing is disabled). Directed broadcast traffic is not forwarded. Large ping packets are screened. Routing Information Protocol (RIP) packets, if used, are blocked at the outermost router. |
| Administrative access | Unused management interfaces on the router are disabled. A strong administration password policy is enforced. Static routing is used. Web- facing administration is disabled. |
| Services | Unused services are disabled (for example bootps and Finger ). |
| Auditing and logging | Logging is enabled for all denied traffic. Logs are centrally stored and secured. Auditing against the logs for unusual patterns is in place. Intrusion detection IDS is in place to identify and notify of an active attack. |
| Firewall | |
| Patches and updates | Firewall software and OS are patched with latest security updates. |
| Filters | Packet filtering policy blocks all but required traffic in both directions. Application-specific filters are in place to restrict unnecessary traffic. |
| Logging and auditing | All permitted traffic is logged. Denied traffic is logged. Logs are cycled with a frequency that allows quick data analysis. All devices on the network are synchronized to a common time source. |
| Perimeter networks | Perimeter network is in place if multiple networks require access to servers. Firewall is placed between untrusted networks. |
| Switch | |
| Patches and updates | Latest security patches are tested and installed or the threat from known vulnerabilities is mitigated. |
| VLANs | Make sure VLANs are not overused or overly trusted. Insecure defaults All factory passwords are changed. Minimal administrative interfaces are available. Access controls are configured to secure SNMP community strings. Services Unused services are disabled. |
| Encryption | Switched traffic is encrypted. |
| Other | |
| Log synchronization | All clocks on devices with logging capabilities are synchronized. |
| Administrative access to the network | TACACS or RADIUS is used to authenticate administrative users. |
| Network ACLs | The network is structured so ACLs can be placed on hosts and networks. |
EAN: 2147483647
Pages: 613
- Step 1.1 Install OpenSSH to Replace the Remote Access Protocols with Encrypted Versions
- Step 1.2 Install SSH Windows Clients to Access Remote Machines Securely
- Step 2.1 Use the OpenSSH Tool Suite to Replace Clear-Text Programs
- Step 4.1 Authentication with Public Keys
- Step 6.2 Using Port Forwarding Within PuTTY to Read Your E-mail Securely