For many network administrators, installing a network and making sure its devices can communicate with each other is the end of the job. Yet there are guidelines that many admins neglect, which leaves the network exposed and vulnerable to attack. In this section I’ll try to cover some of these guidelines. They can be used as general security guidelines, not just for network security.
Firewalls, proxies, routers, IDPSs (IDS/IPS), antivirus and more are examples of rule-based security devices. Rule-based management is a method of controlling network activity through such rule-based devices. Each rule is either an explicit allow or an explicit deny.
When managing rule-based systems, either whitelists or blacklists can be used. Building a blacklist that covers every bad event that could happen to a network or system is difficult, challenging and time consuming, if not impossible. Whitelisting the wanted traffic and then denying everything else is therefore a much easier and more effective way of managing rule-based devices. It is also a good way to keep out unknown (zero-day) attacks, whose identifying characteristics are still unknown and for which no signatures are yet available.
Firewall rules should be applied in the same way as discussed above. The rules work as follows:
- When traffic arrives at the firewall, the rule engine checks for a match, line by line from the top of the list.
- If there is a match, the firewall performs the action specified by that rule (allow/deny/log…).
- If there isn’t a match, it moves on to the next line in the list.
- This continues until the end of the list is reached, where the traffic is either allowed or denied.
If the firewall is configured to deny everything else and only allow certain traffic, this acts as the whitelist discussed above. In practice this means placing the rules for the wanted traffic at the top of the list and an explicit deny at the end: only traffic that matches one of the rules at the top is allowed, and everything else is denied.
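The line-by-line evaluation and the explicit deny-all at the bottom, worked through as an added example (not code from the original page). The rule base and the packets are constructed sample values; the first matching line decides.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # unused for icmp

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None # None matches every port

    def matches(self, pkt: Packet) -> bool:
        """Every field must match; 'any' and None are wildcards."""
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

def evaluate(rules, pkt: Packet, default: str = "deny"):
    """Walk the list top to bottom; the first matching line decides.
    Returns (action, 1-based line number), or (default, None) when the
    end of the list is reached without any match."""
    for line, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, line
    return default, None

# Constructed rule base: wanted traffic on top, explicit deny-all last.
RULES = [
    Rule("allow", dst="10.0.0.10/32", proto="tcp", dport=443),                  # public web server
    Rule("allow", src="10.0.1.0/24", dst="10.0.0.0/24", proto="tcp", dport=22),  # admin subnet SSH only
    Rule("allow", src="10.0.0.0/16", proto="icmp"),                             # internal ping only
    Rule("deny"),                                                               # everything else
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "10.0.0.10", "tcp", 443),
                Packet("203.0.113.5", "10.0.0.10", "tcp", 22),
                Packet("10.0.1.7", "10.0.0.10", "tcp", 22)):
        print(pkt, "->", evaluate(RULES, pkt))
```

Moving the deny-all to the top of the list blocks everything, which is why rule order matters as much as rule content.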
As you’ll probably recall from the Network Plus page (you can view it by clicking the networking tab above), a VLAN, or Virtual LAN, is a way to logically separate or segment networks according to function (departments). I mentioned there that this is configured using membership, and that membership can be by IP address and protocol, by MAC address or by port. VLANs are applied at the switches; by default a switch assigns all of its ports to VLAN 1. Creating VLANs can improve traffic management, security and performance.
A note to avoid confusion: the segmentation I am talking about here is not the same as a router’s. A router segments networks at the network layer using IP addresses, whereas a VLAN segments the network logically at the data link layer. Also note that some routing is still required to route traffic between VLANs.
A good practice with VLANs is to deny everything by default and only allow what is accepted. For example, you’ll probably allow the staff VLAN to route to many different VLANs on the network, but you could also have a separate VLAN for a sensitive area and deny access to everyone except members of that sensitive-area VLAN. So again we are using the rule discussed previously: deny everything and everyone, and allow only what is accepted.
Configuring Routers Securely
When configuring routers, there are four guidelines to follow:
- Set a strong, encrypted router admin password.
- Configure the router to ignore or deny ICMP type 5 (redirect) messages.
- Use routing protocols that require authenticated and encrypted routing data.
- Preconfigure the IP addresses of all trusted routers and deny the rest.
Access Control Lists (ACLs)
ACLs are basically lists of what is and isn’t allowed on the network. They are similar to the rules discussed previously, and the same guidelines apply (deny by default and accept by exception).
Imagine being able to tell a device: when a client connects to one of your ports, check that it is an authenticated, valid client, and if not, shut that port down and raise an alert. This is exactly what we mean by port security. In its basic form it is a way of physically securing the network.
If an attacker can get into the building, either through social engineering (tailgating) or because they are an insider, and gain physical access to the switch, they can plug into one of its ports, or even into the mirror or monitor port, and gain unauthorised access. Port security prevents this by actually authenticating the client and then allowing access or shutting down the port, depending on whether the user is authenticated. Scratching the surface of this topic, there are three components at work: a supplicant (software on the client’s computer), the switch, and an authentication server. The client doesn’t communicate with the server at all; it communicates with the switch, and the switch passes that on to the authentication server. The server asks for authentication details via the switch; if the client supplies them and the server authenticates them successfully, the client is granted access, otherwise the port is closed.
That is port security in its simplest form. It can also be applied logically to services, to prevent the port scanning or port knocking that attackers usually use to check for open services. This is usually performed by the IDS/IPS or firewall rather than the switch.
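The supplicant / switch / authentication server exchange described above, modelled as an added example (not code from the original page). The switch only relays the supplicant's answer to the server and opens, keeps closed or shuts down the port based on the verdict; the credential store, port names and supplicant identities are constructed.

```python
from enum import Enum
from typing import Optional, Tuple

class PortState(Enum):
    UNAUTHORIZED = "unauthorized"  # link up, only authentication frames are relayed
    AUTHORIZED = "authorized"      # supplicant verified by the server, traffic forwarded
    SHUTDOWN = "shutdown"          # violation: port disabled until an admin re-enables it

class AuthServer:
    """Stand-in for the authentication server; the credential store is constructed."""
    def __init__(self, credentials: dict):
        self._credentials = credentials

    def verify(self, identity: str, secret: str) -> bool:
        return self._credentials.get(identity) == secret

class Switch:
    """Relays the supplicant's answers to the server and opens or shuts the port."""
    def __init__(self, server: AuthServer, ports):
        self.server = server
        self.state = {p: PortState.UNAUTHORIZED for p in ports}
        self.alerts = []

    def link_up(self, port: str, supplicant: Optional[Tuple[str, str]]) -> PortState:
        if self.state[port] is PortState.SHUTDOWN:
            return self.state[port]            # stays shut until an admin re-enables it
        if supplicant is None:                 # no supplicant software: identity request unanswered
            return self._violation(port, "no supplicant answered the identity request")
        identity, secret = supplicant          # the switch never decides by itself
        if self.server.verify(identity, secret):
            self.state[port] = PortState.AUTHORIZED
            return self.state[port]
        return self._violation(port, f"server rejected {identity!r}")

    def _violation(self, port: str, reason: str) -> PortState:
        self.state[port] = PortState.SHUTDOWN
        self.alerts.append(f"{port}: {reason}; port shut down")
        return self.state[port]

    def forwards(self, port: str) -> bool:
        """Only an authorized port carries normal client traffic."""
        return self.state[port] is PortState.AUTHORIZED

    def admin_reenable(self, port: str) -> None:
        self.state[port] = PortState.UNAUTHORIZED

if __name__ == "__main__":
    sw = Switch(AuthServer({"alice": "s3cret"}), ["port1", "port2", "port3"])
    print(sw.link_up("port1", ("alice", "s3cret")))   # authorized
    print(sw.link_up("port2", None))                  # shutdown, alert raised
    print(sw.link_up("port3", ("mallory", "guess")))  # shutdown, alert raised
    print(sw.alerts)
```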