Network Hardening

The discussions up to this point have dealt with how to establish security baselines and update operating systems. We also briefly discussed file systems. This section deals with keeping your network devices up to date. The routers, gateways, firewalls, and other devices that actually run the network are also vulnerable to attack.

In the following sections, we will look at how to update and configure your network devices.

Network Device Updates

The software for devices such as routers, switches, and gateways should also be kept up to date. These devices usually contain a ROM-based operating system and applications. They may also utilize floppy drives and CD drives that you can use to update their software.

Routers are your front line of defense against external attacks. New exploits and methods to attack network devices are being introduced as quickly as new features. Fortunately, most network devices have a very limited scope of function, unlike general-purpose servers. This narrow scope allows manufacturers to improve network device security rather quickly. Many of these devices contain proprietary operating systems to manage the functions in the router. Devices such as hubs and switches are generally preconfigured out of the box, though some higher-end switches allow configuration options to be established.

Firewalls, on the other hand, provide the primary screening of network traffic once the data has passed through the router. Firewalls are constantly being upgraded to allow increased sophistication and capability.

Routers have become increasingly complex, as have firewalls and other devices in your network. If they are not kept up to date, they will become vulnerable to new attacks or exploits. Make sure that you visit the manufacturers' websites for the devices in your network and periodically apply the updates that they publish.

Many of the newer routers also allow features to be expanded and added. Some of these features deal with security and access. You want to make sure that your network is kept up to date. Network device manufacturers upgrade the functionality of their equipment to deal with new threats and protocols on a regular basis. These upgrades are sometimes free. When a new option is released, an entire upgrade of the firmware may be needed. If an upgrade is needed, you will be charged for this upgrade in most cases.

Many router manufacturers provide service for their routers à la carte. These manufacturers allow the buyer to mix and match the specific protocols, capabilities, and functionality to the mission the equipment is being used to accomplish. In some cases, the basic router may only cost $1,000, and the upgrades and feature packs that add further capabilities may cost thousands more. The advantage of this is that customers can configure equipment with only the options they need, and they can upgrade at a later time when they need to do so.

Configuring Network Devices

Many ISPs and other providers will work with you to install and configure the features you need for your network. These features can usually be implemented using either a web-based interface or a terminal-based interface. Proper configuration of these devices is essential to ensure that your network operates smoothly and efficiently. Routers, in particular, have a large number of configuration options, including basic firewall and security support. Several network device manufacturers, such as Cisco, offer certification and training programs on them.

Note 

The Cisco CCNP certification is considered one of the most difficult certifications in the industry. Not only are candidates required to take tests similar to the Server+ exam, they are also required to demonstrate hands-on troubleshooting in a lab setting.

Several network product manufacturers are introducing preconfigured firewalls to customers. These firewalls are being referred to as appliances. These appliances, like any other computer system, will require updates and maintenance. This technology promises to make networks easier to protect. You will be able to buy a firewall appliance that can be simply plugged in and turned on. This will allow firewall systems, which are complex, to be easily installed and maintained in smaller networks.

The two most essential operational aspects of network device hardening are ensuring that your network devices run only the necessary protocols and services, and controlling access with access control lists. The next two sections describe these capabilities from a security perspective.

Enabling and Disabling Services and Protocols

Many routers offer the ability to provide DHCP, packet filtering, service protocol configuration options, and other services for use in a network. Make sure your router is configured to allow only the protocols and services you will need for your network. Leaving additional network services enabled may cause difficulties and can create vulnerabilities in your network. As much as possible, configure your network devices as restrictively as you can. This additional layer of security costs you nothing, and it makes it that much harder for an intruder to penetrate your system.
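One way to check a router configuration against a "needed services only" policy, as an added example that is not part of the original guide. The configuration excerpt is constructed and uses Cisco IOS-style syntax; the POLICY table and the function names are assumptions chosen for illustration.

```python
# Constructed excerpt in Cisco IOS-style syntax (not a real device's configuration).
SAMPLE_CONFIG = """\
hostname edge-rtr
service dhcp
ip http server
no service finger
no ip bootp server
service tcp-small-servers
ip ssh version 2
"""

# Assumption: site policy. Keys are service command lines; True means the network needs it.
POLICY = {
    "service dhcp": True,
    "ip http server": False,
    "service finger": False,
    "ip bootp server": False,
    "service tcp-small-servers": False,
    "service udp-small-servers": False,
}

def service_states(config_text):
    """Map each policy service to 'on', 'off', or 'unstated' based on config lines."""
    states = {name: "unstated" for name in POLICY}
    for raw in config_text.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")
        name = line[3:] if negated else line
        if name in states:
            states[name] = "off" if negated else "on"
    return states

def audit(config_text):
    """Return (service, finding) pairs where the config departs from policy."""
    findings = []
    for name, state in service_states(config_text).items():
        needed = POLICY[name]
        if state == "on" and not needed:
            findings.append((name, "enabled but not needed: disable"))
        elif state == "off" and needed:
            findings.append((name, "needed but disabled"))
        elif state == "unstated" and not needed:
            # No line either way means the device default applies; make it explicit.
            findings.append((name, "not stated: add explicit 'no' line"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE_CONFIG):
        print(f"{service}: {finding}")
```

The "unstated" case matters because a service with no line in the configuration runs or not according to the device's default, which can differ between software versions.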

Access Control Lists

Access Control Lists (ACLs) enable devices in your network to ignore requests from specified users or systems, or to grant certain network capabilities to them. You may find that a certain IP address is constantly scanning your network. You can block this IP address from your network. If you block it at the router, requests from that address will be automatically rejected anytime it attempts to utilize your network.

ACLs allow a stronger set of access controls to be established in your network. The basic process of ACL control allows the administrator to design and adapt the network to deal with specific security threats.

Real World Scenario: Does Anybody Really Like Spam?

You have been observing repeated attempts by a TCP/IP address to connect to your e-mail server. These failed connection attempts appear in your e-mail system logs. They continually attempt to access Port 25. Should you be concerned?

E-mail servers are being inundated by automated systems that attempt to use them to send electronic junk mail, also known as spam. Most newer e-mail servers have implemented measures to prevent this. However, you know that threats are becoming increasingly sophisticated. You may be able to reduce these attempts to access your system by entering the TCP/IP addresses in your router's ACL Deny list. This would cause your router to ignore connection requests from these IP addresses, effectively improving your security.
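The deny-list approach from the scenario above, as an added example that is not part of the original guide: the script counts rejected Port 25 connections per source address in constructed log lines and renders deny entries in Cisco IOS-style extended ACL syntax. The log format, the threshold, the trusted range, and ACL number 125 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a made-up format (not from any real mail server).
SAMPLE_LOG = """\
2006-03-01T10:00:01 smtp connect src=203.0.113.45 dport=25 result=rejected
2006-03-01T10:00:04 smtp connect src=203.0.113.45 dport=25 result=rejected
2006-03-01T10:00:09 smtp connect src=198.51.100.7 dport=25 result=accepted
2006-03-01T10:00:12 smtp connect src=203.0.113.45 dport=25 result=rejected
2006-03-01T10:01:30 smtp connect src=192.0.2.10 dport=25 result=rejected
2006-03-01T10:02:02 smtp connect src=198.51.100.99 dport=25 result=rejected
2006-03-01T10:02:05 smtp connect src=198.51.100.99 dport=25 result=rejected
2006-03-01T10:02:07 smtp connect src=198.51.100.99 dport=25 result=rejected
2006-03-01T10:03:00 smtp connect src=999.1.1.1 dport=25 result=rejected
"""

LINE_RE = re.compile(r"src=(\S+) dport=25 result=rejected")
# Assumption: a partner relay range that must never be blocked automatically.
TRUSTED = [ipaddress.ip_network("198.51.100.96/28")]

def repeat_offenders(log_text, threshold=3):
    """Return sorted source IPs with at least `threshold` rejected Port 25 attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log: never copy it into a config
        if any(ip in net for net in TRUSTED):
            continue
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def render_acl(offenders, acl_number=125):
    """Render Cisco IOS-style extended ACL lines; the ACL number is an arbitrary choice."""
    lines = [f"access-list {acl_number} deny tcp host {ip} any eq 25" for ip in offenders]
    # An ACL ends with an implicit deny, so all other traffic must be permitted explicitly.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

if __name__ == "__main__":
    print("\n".join(render_acl(repeat_offenders(SAMPLE_LOG))))
```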



CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
EAN: 2147483647
Year: 2006
Pages: 167
