Someone once told me, "In order to know where you are going, you have to know where you came from." This is true for hardening your network infrastructure. In order to effectively protect your resources, you must know how your network is designed. You must know how your routers are interconnected, where your network ingress points are, where your various resources are located, and so on. Only once you know this information can you effectively protect those resources. In addition, if your network does become compromised, knowing how everything is connected will help you determine how to recover from it or how to isolate the problem to specific network segments. At the same time, I'm not proposing that the first thing you should do is redesign your network. Remember, we are looking at things you can do right now to make an immediate impact on the security of your network.
Because every network is different, it is impossible for me to provide you with a comprehensive review of a network design. I can, however, provide you with 21 questions you should be asking as you review your network design. These questions will help you better understand where and how your network can be hardened.
Where are your Internet connections? Today's networks commonly have multiple Internet connections. Review your network design and identify all of your Internet connections. These can range from your enterprise Internet connection to a backup/redundant connection for your company, all the way down to a DSL or cable modem connection used as a temporary backup exclusively for your sales force. Be prepared to find surprises, such as unauthorized connections to your network in executive suites. Identify these ingress points because those are where you will implement your firewalls; an Internet connection you do not know about is one that nothing is filtering.
Where are your external connections? External connections range from traditional frame relay and ATM connections to dedicated serial T1/T3 lines to the Internet connections addressed previously. They are typically used to connect remote offices or external business partners. These are all potential ingress points on your network. Consequently, you need to implement firewalls at those connections as well as potentially employ encryption for the data traversing them, since you control neither the carrier's network nor the partner's.
What networks/subnets are you using? Identify the IP addressing scheme and the location of all of your subnets. Are you using dynamic addressing products and protocols such as VitalQIP and DHCP? DHCP networks, although they make addressing resources much easier, create a security issue: anyone who can plug into a DHCP-served segment is handed a valid address automatically and can immediately begin probing for weak security elsewhere on your network, unless access to the port itself is controlled.
What routing protocols are you employing? The routing protocols you use determine the methods you can implement to protect those protocols. The steps you take to harden Routing Information Protocol (RIP), for example, are not necessarily the same as the steps to harden Open Shortest Path First (OSPF). Are you redistributing routes between protocols? Redistribution is the point where a bad or injected route in one protocol spreads into the other, so it needs filtering. Knowing what protocols you are running, where they are running, and how they are configured will dictate how to harden the protocols.
Are you running Spanning Tree Protocol? Spanning Tree Protocol, like your routing protocols, carries a tremendous amount of information about your network that any hacker would give his two front teeth to get: its BPDUs advertise bridge identities and the topology, and an attacker who can inject BPDUs can claim the root bridge role and pull traffic through a switch he controls. Identify where you are running Spanning Tree Protocol so that you can decide whether you need to be running it in that location and, where you do, which ports should never accept BPDUs.
Where is your Intrusion Detection/Prevention System (IDS/IPS) located? You need to know what you are monitoring for and where you are monitoring. Are you only monitoring with network-based intrusion detection systems (NIDSs), or are you also using host-based intrusion detection systems (HIDSs)? Where are you performing these functions, and more important, where are you not?
Where are you performing content filtering? Knowing where and how you are performing content filtering is critical in preventing web-based exploits from entering your network. This is commonly done at your Internet connections, but it might make sense for you to do this in other locations, such as between extranet partners.
I worked at a company that implemented content filtering at their primary Internet connection, but somehow overlooked implementing it at their backup/secondary Internet connections. One day their primary Internet connection failed, and everything failed over to the secondary location in another state, as designed. Unfortunately, because they were not performing content filtering on that connection, this failover exposed them not only to inappropriate work content but also to malicious code and websites. Although this situation was quickly remedied, had they reviewed their network design at some point, they would have recognized that they had overlooked content filtering on their backup connections and prevented this entire situation.
Are you implementing NAT, and where are you implementing NAT? Network Address Translation (NAT) is commonly implemented at your Internet connections; however, with growth and acquisitions, companies are using NAT on their internal network segments more and more. NAT can present problems with IPsec encryption (it breaks AH outright, because AH authenticates the addresses NAT rewrites, and ESP needs NAT traversal) as well as increased network complexity. Knowing where you are implementing NAT can illustrate areas of your network that you need to keep an eye on, in particular, to make sure NAT is working securely and properly.
What VLANs are in use? Virtual Local Area Networks (VLANs) can be a saving grace to large networks, making it much easier to logically separate resources. At the same time, VLANs can dramatically increase the complexity of a network, consequently allowing security problems to be hidden by the complexities of the VLAN. A common example of this is having VLANs for networks of different security levels (that is, inside and outside or inside and DMZ) running on the same switch fabric. This is a bad thing because switches have historically shown a propensity to allow traffic to traverse between VLANs when it shouldn't; VLAN hopping through trunk negotiation or double-tagged frames on the native VLAN is the classic example. Knowing where you have VLANs will help you harden those VLANs.
Where are your server resources located? If your server resources are located on a dedicated subnet away from your users, it's much easier to implement ACLs or similar filters to protect those resources. Knowing where your critical server resources are located will allow you to strategize a method to protect those resources.
Do you provide VPN/remote access connectivity? VPN/remote access connectivity is one of the biggest threats to your network's security posture, in large part because you rarely have control of the equipment that is connecting via your VPN connections. Employees' home networks are rarely protected as they should be, and when those systems connect via VPN to your corporate network, the corporate network becomes susceptible to whatever has already compromised them. Knowing where your VPN/remote access connectivity terminates allows you to focus on where to protect against remote exploits.
What vendor s equipment are you using? Different vendors are susceptible to different exploits. Likewise, different vendors implement different methods to secure their equipment. Knowing what vendor s equipment you have on your network will allow you to develop a reasonable policy for hardening that equipment.
What network devices are you using? Routers require different security measures than switches do. Switches require different security measures than hubs do. By identifying the devices employed on your network, you can develop a security policy that addresses the specific issues of each device type on your network.
What are your device naming conventions? Although a relatively mundane item, device naming conventions can be a real problem in large environments where you need to figure out what a device is or where it might be located by name alone. Using names of fish and trees, as one company I worked at did, serves only to make identifying where a problem or security issue is occurring much more difficult than it needs to be. At the same time, using names that lead people to critical or sensitive servers or resources can also be an issue. You need to strike a balance between function and anonymity.
What circuit types do you employ? Point-to-point connections and frame relay connections require different methods of hardening. Identifying the various circuit types you are using will allow you to define a policy that doesn t overlook a circuit type.
What network protocols and standards are in use? Are you using Hot Standby Router Protocol (HSRP)? What about Data-Link Switching (DLSw)? Do you still need to run Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)? By examining the network protocols and standards in use on your network, you can identify security issues unique to each protocol or standard. HSRP, for example, authenticates its hello packets with a plaintext string that defaults to cisco, so any host on the segment can announce itself as the active router unless you change it.
Do you have dedicated management segments? Using dedicated management segments is one of the best methods to protect your devices from remote management exploits. Where are these segments, and most important, who has access to them? Knowing this information will help ensure that people do not inadvertently gain management access to your equipment.
Where are your critical segments? Backbone connections, critical Line of Business (LOB) segments, human resources (HR) segments, and so on, need to be identified so that you can ensure not only that the data on those segments is protected, but that those segments are reliable and redundant. Connections between subnets and segments, particularly critical subnets and segments, represent locations where filtering and access lists should be implemented to protect those subnets and segments.
What kind of AAA mechanism are you using on your network? Are you using shared device passwords (for example, an enable secret that every administrator knows) or are you performing user-based authentication? Do you have RADIUS or TACACS+ for authentication, authorization, and accounting?
What kind of enterprise monitoring/management products are you using? Many management protocols, such as SNMP (versions 1 and 2c) and syslog, transmit their data unencrypted and are therefore insecure; only SNMPv3 with authentication and privacy enabled protects SNMP traffic on the wire. Identifying what management products you are using, where they are located, and what devices they communicate with will allow you to determine the most effective method for securing the traffic.
Where are your wireless connections? Wireless represents a significant security issue on a corporate network. Know where you have wireless access points set up so that you can identify and secure that access.
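Several of the questions above (routing-protocol authentication and redistribution, Spanning Tree guards, management-segment access to device consoles, shared versus user-based AAA, and cleartext SNMP/syslog) can be answered mechanically from a device's configuration once you have it in hand. The script below is an added example written for this review and is not the book's own code or a vendor tool; it parses a Cisco IOS-style configuration and reports the weak settings those questions target, and it carries a constructed weak configuration and a hardened fragment of the same hypothetical Layer-3 switch. The addresses, the MGMT-ONLY access list, RIP-KEYS key chain, RIP-TO-OSPF route-map and the placeholder secrets are all assumptions, and the hardened fragment omits the definitions of the objects it references.

```python
"""Added example (not the book's code): audit an IOS-style config for the review questions above."""
import re


def parse_sections(config):  # -> [(top-level command, [indented sub-commands])]
    sections = []
    for raw in config.splitlines():
        if raw.strip() and not raw.lstrip().startswith("!"):  # skip blanks and '!' separators
            if raw.startswith(" ") and sections:
                sections[-1][1].append(raw.strip())
            else:
                sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a sorted list of (check, detail) findings; an empty list is clean."""
    sections = parse_sections(config)
    top = [head for head, _ in sections]
    ifaces = [body for head, body in sections if head.startswith("interface ")]
    findings = []

    def on_iface(prefix):  # does any interface carry a sub-command with this prefix?
        return any(c.startswith(prefix) for body in ifaces for c in body)

    # AAA: hashed enable secret plus user-based TACACS+/RADIUS, not one shared password
    if not any(t.startswith("enable secret") for t in top):
        findings.append(("aaa", "no 'enable secret' (reversible 'enable password' or none)"))
    if "aaa new-model" not in top or not any(t.startswith(("tacacs", "radius")) for t in top):
        findings.append(("aaa", "no TACACS+/RADIUS; logins rely on shared line/enable passwords"))
    # Management plane: VTY lines SSH-only and reachable only from the management segment
    for head, body in sections:
        if head.startswith("line vty"):
            if [c for c in body if c.startswith("transport input")] != ["transport input ssh"]:
                findings.append(("mgmt", f"{head}: telnet accepted; expected 'transport input ssh'"))
            if not any(c.startswith("access-class") for c in body):
                findings.append(("mgmt", f"{head}: no 'access-class' limiting source addresses"))
    # Monitoring: v1/v2c communities and UDP/TCP syslog cross the network in cleartext
    for t in top:
        m = re.match(r"snmp-server community (\S+)", t)
        if m:
            findings.append(("snmp", f"SNMPv1/v2c community '{m.group(1)}' (use SNMPv3 authPriv)"))
        if t.startswith("logging host") and "transport tls" not in t:
            findings.append(("syslog", f"'{t}' sends syslog in cleartext"))
    # Routing protocols: OSPF MD5, RIPv2 with an MD5 key chain, and filtered redistribution
    ospf_auth = any("authentication" in c for h, b in sections if h.startswith("router ospf") for c in b)
    if any(h.startswith("router ospf") for h in top) and not (ospf_auth or on_iface("ip ospf authentication")):
        findings.append(("routing", "OSPF running without neighbor authentication"))
    rip = [body for head, body in sections if head == "router rip"]
    if rip and not any("version 2" in body for body in rip):
        findings.append(("routing", "RIPv1 in use; authentication needs RIPv2"))
    if rip and not on_iface("ip rip authentication mode md5"):
        findings.append(("routing", "RIP running without MD5 authentication on any interface"))
    findings += [("routing", f"{h}: '{c}' redistributes without a route-map") for h, b in sections
                 for c in b if h.startswith("router ") and c.startswith("redistribute") and "route-map" not in c]
    # Spanning Tree: PortFast edge ports must drop BPDUs so a rogue switch cannot become root
    if on_iface("spanning-tree portfast") and not (
            "spanning-tree portfast bpduguard default" in top or on_iface("spanning-tree bpduguard enable")):
        findings.append(("stp", "PortFast ports without BPDU guard"))
    return sorted(findings)


# Constructed sample configs for one hypothetical Layer-3 switch; addresses and secrets are made up.
WEAK = """\
enable password cisco
snmp-server community public RO
logging host 10.1.1.50
interface GigabitEthernet0/1
 spanning-tree portfast
router ospf 1
 network 10.20.0.0 0.0.255.255 area 0
 redistribute rip subnets
router rip
 network 172.16.0.0
line vty 0 4
 password cisco
 transport input telnet
"""
# Hardened fragment; the MGMT-ONLY ACL, RIP-KEYS key chain and RIP-TO-OSPF route-map live elsewhere.
HARDENED = """\
aaa new-model
tacacs-server host 10.1.1.10 key <omitted>
enable secret 9 <hash-omitted>
snmp-server group NMS v3 priv
logging host 10.1.1.50 transport tls port 6514
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 <omitted>
 spanning-tree portfast
interface GigabitEthernet0/2
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
router ospf 1
 area 0 authentication message-digest
 network 10.20.0.0 0.0.255.255 area 0
 redistribute rip subnets route-map RIP-TO-OSPF
router rip
 version 2
 network 172.16.0.0
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""
```

`audit(HARDENED)` returns an empty list and `audit(WEAK)` returns eleven findings, one for each weak setting the checklist questions point at. The checks are deliberately string-level: the point is to see which review questions a configuration dump can close before anyone touches the network, not to replace a full device audit, and the syslog-over-TLS form assumes a platform that supports it; where yours does not, the fallback is to keep syslog and SNMP on the dedicated management segment.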