Hardening your network infrastructure is a process, not a task. It is something that, once started, does not end. You must remain constantly vigilant to the threats against your network and continuously undertake actions to prevent any compromises. Because of the scale of the undertaking, hardening your network infrastructure is not an endeavor you should undertake lightly. Depending on the size and complexity of your environment, you might spend weeks or even months planning before you make any changes. At the same time, if you are looking at how to harden your network, you probably recognize that you have security issues that need to be addressed, even if you aren't sure exactly what those issues are or how to fix them. This can put you in a bind in that you may have issues that really need to be addressed immediately, before the full-scale hardening process begins. So what are some things you should do immediately, right now, without any hesitation? I'm glad you asked. Chapter 1 looks at six things you should do right now, before you do anything else.
There are many tasks you can perform as part of the systematic hardening process. These are all generally big-ticket items: for example, hardening your routers and switches or implementing DMZs and perimeter network devices. These tasks take time, sometimes months from the initial planning and design phase to the implementation. Although all these tasks are necessary, you should undertake six tasks, in particular, before you do anything else on your network. I consider these six tasks to be the biggest-impact undertakings you should evaluate. At the same time, I don't want to mislead you into thinking, "OK, if I do these six things, I am probably pretty safe." You aren't. However, what you will have is an excellent foundation from which to start the systematic hardening process of your network infrastructure. This foundation consists of the following elements:
Review your network design. If you don't know what your network design looks like, how your devices are interconnected, and how the data flows in your enterprise, you will never be able to successfully protect your network. The first step to hardening your network is to understand it.
Implement a firewall. If you don't have a firewall, stop reading this book right now and go buy or build one and implement it on your network. I'm deadly serious here. You can pick this book back up afterward and continue where you left off. Implementing a firewall has the most impact of any task you can perform for hardening your network infrastructure because it allows you to define a perimeter.
Implement access control lists (ACLs). You should be restricting and controlling all traffic entering and exiting your network from the outside world. At the same time, you should be restricting traffic between internal network segments. If there isn't a business justification for the traffic, block it. You should be filtering traffic with ACLs not only on your external firewalls and routers, but on your internal firewalls and routers as well.
Turn off unnecessary features and services. Although traditionally the realm of servers and applications, unnecessary services equally plague your network infrastructure devices. If you don't have a reason to be running a particular service on your network equipment, don't do it.
Implement virus protection. Today's worms and viruses, though directed at applications and computers, have the uncanny side effect of often causing Distributed Denial of Service (DDoS) attacks against routers and switches because of how they attempt to replicate. The easiest way to protect against these kinds of attacks is to ensure that every system from Windows to Unix, desktop to server, runs virus protection. Don't forget to implement virus protection on your gateway devices, such as SMTP gateways, to prevent e-mail-based viruses and worms as well.
Secure your wireless connections. Wireless connectivity presents a unique problem to securing your network. If you aren't sure why you are running wireless, turn it off. Revisit the issue once you know why you are implementing a wireless network. If you have to run wireless, ensure that you implement encryption and authentication to prevent unauthorized users from connecting and/or intercepting and reading your wireless communications.
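To make the ACL and "unnecessary services" items above concrete, here is an added example in Cisco IOS syntax (not from the book or any particular vendor's documentation): an Internet-facing ACL that permits only justified traffic and denies and logs the rest, a second ACL segmenting an internal user VLAN from a server VLAN, and the commands that disable services a router rarely needs. The address ranges (192.0.2.0/24 public, 10.1.0.0/16 users, 10.2.0.0/16 servers), interface names, and the list of permitted ports are constructed placeholders; replace them with what your own network design review justifies.

```text
! Internet-facing router: permit only what has a business justification,
! deny everything else and log it so the denies can be reviewed.
ip access-list extended FROM-INTERNET
 remark Return traffic for sessions opened from inside
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark Public web server (constructed address) on HTTP and HTTPS only
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 remark Anti-spoofing: packets from the Internet must not carry our own source addresses
 deny ip 192.0.2.0 0.0.0.255 any log
 remark No justification was found for anything else
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group FROM-INTERNET in
!
! Internal segmentation: the user VLAN reaches the server VLAN only on approved ports.
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 443
 permit udp 10.1.0.0 0.0.255.255 host 10.2.0.53 eq 53
 deny ip any any log
!
interface Vlan10
 description User VLAN
 ip access-group USERS-TO-SERVERS in
!
! Turn off features the device has no reason to run.
no service finger
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip source-route
no ip http server
no cdp run
```

Apply the ACLs during a change window and watch the log entries from the final deny lines first: legitimate traffic you missed in the design review shows up there before users report it.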