One of the ongoing goals of operations security is to ensure that all systems have been hardened as far as possible while still providing the functionality they exist for. Hardening can be accomplished on both a physical and a logical basis. From a logical perspective, this is accomplished if you do the following:
Remove unnecessary applications.
Disable unnecessary services.
Block or disable unrequired ports.
Tightly control the connecting of external storage devices and media if it's allowed at all.
Best Practices For Network Hardening
Make sure to use the Secure version of SNMP. SNMPv3 supports strong authentication with confidentiality (encryption) and data integrity of messages via encryption between agents and managers. For this reason, you should always ensure that the version you are using is version 3.
Version 3 offers two methods of securing SNMP.
The Transport Security Model (TSM) component of SNMPv3 enables security to be applied at the Transport layer. Protocols used by the Transport Security Model, such as TLS, are based on asymmetric cryptography.
RFC 3414 describes a user-based security model (USM) that provides message-based security and uses symmetric encryption along with usernames and passwords.
Routers running IPv6 use Router Advertisements (RAs) in neighbor discovery and solicitation; RAs are used to keep routing information updated in the network.
Capturing these packet types could reveal information about the routers and their neighbors, and these packet types can also be spoofed. IPv6 Router Advertisement (RA) Guard is not yet a standard but a proposal for a method of allowing the network administrator to block or reject unwanted or rogue RA messages that arrive at the network device platform.
RA Guard compares configuration information on the switch with the information found in the received RA frame. Once the switch has validated the content of the RA (Router Advertisement) frame, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
Port Security is a network hardening technique that can help prevent an attacker from disconnecting a device from the wall jack and using that port for access. While your unused ports should always be disabled, legitimate ports are always at risk of misuse this way. By limiting network access on a port to a single MAC address (or, in the case of an IP phone with a PC behind it, two), access by any other MAC address can be blocked.
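As an added illustration (not part of the original notes), the following Python model shows what port security does with the frames it sees: the first MAC addresses up to the configured limit are learned, and an unknown source beyond that limit is treated as a violation that shuts the port. Port names and MAC addresses are constructed sample values; the "shut the port on violation" behaviour is one of the common violation modes, chosen here for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class SecuredPort:
    """Toy model of a switchport with port security enabled (constructed example)."""
    name: str
    max_macs: int = 1                 # 1 for a normal host, 2 for a PC behind an IP phone
    learned: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0

    def frame(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                   # port stays down until an admin re-enables it
        if src_mac in self.learned:
            return True                    # known, previously learned source
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)      # sticky-learn the first N source addresses
            return True
        # Unknown MAC beyond the limit: record the violation and shut the port
        self.violations += 1
        self.err_disabled = True
        return False

def demo():
    """Walk through the two cases described in the notes: a plain desk port and an IP phone port."""
    desk = SecuredPort("Gi1/0/5")                 # constructed port name
    phone_port = SecuredPort("Gi1/0/6", max_macs=2)
    a = desk.frame("aa:aa:aa:aa:aa:05")           # legitimate PC is learned
    b = desk.frame("cc:cc:cc:cc:cc:99")           # a different device plugged into the jack -> port shut
    c = desk.frame("aa:aa:aa:aa:aa:05")           # even the real PC is blocked until the port is re-enabled
    p1 = phone_port.frame("aa:aa:aa:aa:aa:06")    # IP phone
    p2 = phone_port.frame("aa:aa:aa:aa:aa:16")    # PC behind the phone, still within the limit of 2
    p3 = phone_port.frame("cc:cc:cc:cc:cc:98")    # third MAC -> violation
    return (a, b, c, p1, p2, p3, desk.err_disabled, phone_port.violations)
```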
Dynamic ARP inspection (DAI) is a feature that, when configured, uses the DHCP snooping to create an accurate database of IP address–to–MAC address mappings to verify the MAC address mappings of each frame going through the switch. In this way, any frames with incorrect or altered mappings are dropped by the switch, thus breaking any attacks depending on these bogus mappings. Because it uses the DHCP snooping database, the configuration of DHCP snooping is a prerequisite to enabling DAI.
Control Plane Policing is the act of placing heavy emphasis on safeguarding the management plane and control plane, because they are responsible for the configuration and monitoring of the device as well as how data is routed through the network. It is of great importance to secure the Control Plane against any DDoS/DoS attack that could inundate it.
Control Plane - all the functions and processes that determine which path to use (such as LDP and routing protocols)
Management Plane - all the functions you use to control, configure, and monitor devices
Using a QoS (Quality of Service) filter ensures that Control Plane or Management Plane traffic is prioritized over any other data.
Firewalling can be used as well, to simultaneously prioritize Control Plane (Management Plane) traffic and block any unnecessary non-management traffic.
Private VLANs are a VLAN type you can implement on a switch to segregate devices that reside in the same layer 3 network. The private VLAN (called secondary) is simply a subsection of the main VLAN (called primary).
Community Private VLANs can contain multiple devices that can talk to one another.
Isolated Private VLANs are those in which a single device can only talk to the switch.
Disable Unneeded Switchports
All unused ports on the switch should be disabled to prevent the connection of a rogue device into an unused wall outlet. Each switchport to which unused wall outlets are connected should be identified and disabled.
Disable Unneeded Network Services
Destination services and applications are specified in a packet in terms of a port number. When a device is open to receiving a connection to a service or application, it is said to be listening on the corresponding port. Therefore, closing or disabling a port eliminates the possibility of a malicious user connecting to that port and leveraging any weakness that may be known to be present with that service.
Change Default Passwords
Many network devices are configured with default administrator accounts and their default passwords. These accounts should be disabled and renamed if possible. At the very least, the passwords for these accounts should be changed from the default because they are well-known, available in documentation that comes with the product, and also widely available on the Internet.
DHCP snooping is a switch feature that can help to prevent your devices from communicating with illegitimate DHCP servers. When enabled, DHCP snooping allows responses to client requests from only DHCP servers located on trusted switch ports (which you define). When only ports where company DHCP servers are located are configured to be trusted, rogue DHCP servers will be unable to respond to client requests.
A rogue DHCP server is one not under your control that is giving out incompatible IP addresses.
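The DAI and DHCP snooping paragraphs above describe one mechanism feeding another. The Python model below is an added example (not code from the original notes) that shows how a switch builds its binding table only from server replies on trusted ports and then uses that table to drop ARP frames whose sender MAC/IP/port do not match. Port names, MAC addresses and IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Toy switch with DHCP snooping and Dynamic ARP Inspection (constructed example)."""
    trusted_ports: set                            # ports where legitimate DHCP servers live
    pending: dict = field(default_factory=dict)   # client MAC -> access port that sent DISCOVER
    bindings: dict = field(default_factory=dict)  # client MAC -> (leased IP, access port)
    dropped: list = field(default_factory=list)   # log of what was dropped and why

    def dhcp_discover(self, port: str, client_mac: str) -> None:
        # Client requests arrive on untrusted access ports; remember which port asked.
        self.pending[client_mac] = port

    def dhcp_ack(self, port: str, client_mac: str, offered_ip: str) -> bool:
        """DHCP snooping: server replies are accepted only from trusted ports."""
        if port not in self.trusted_ports:
            self.dropped.append(("rogue-dhcp", port, offered_ip))
            return False
        access_port = self.pending.pop(client_mac, None)
        if access_port is None:
            return False                          # reply for a client that never asked
        self.bindings[client_mac] = (offered_ip, access_port)
        return True

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI: forward an ARP frame only if its sender MAC/IP/ingress port match a binding."""
        if port in self.trusted_ports:
            return True                           # trusted ports are not inspected
        if self.bindings.get(sender_mac) == (sender_ip, port):
            return True
        self.dropped.append(("arp-mismatch", port, sender_mac, sender_ip))
        return False

def demo():
    """Rogue DHCP reply on an access port is dropped; a later spoofed ARP for the leased IP is dropped."""
    sw = Switch(trusted_ports={"Gi1/0/24"})       # constructed: uplink to the real DHCP server
    sw.dhcp_discover("Gi1/0/1", "aa:aa:aa:aa:aa:01")
    rogue = sw.dhcp_ack("Gi1/0/7", "aa:aa:aa:aa:aa:01", "10.0.0.50")   # reply from an untrusted port
    real = sw.dhcp_ack("Gi1/0/24", "aa:aa:aa:aa:aa:01", "10.0.0.50")   # reply from the trusted port
    ok = sw.arp("Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.0.50")           # matches the binding
    spoof = sw.arp("Gi1/0/7", "bb:bb:bb:bb:bb:07", "10.0.0.50")        # another host claims that IP
    return rogue, real, ok, spoof, len(sw.dropped)
```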
Change Default VLAN
You can't change or even delete the default VLAN 1; it is mandatory. The default VLAN is simply the VLAN to which all access ports are assigned until they are explicitly placed in another VLAN. While you can't change the default VLAN, you can create a new VLAN and move all switch ports to that VLAN. Since VLAN 1 is typically set as the default for most vendors, it becomes a well-known configuration for attackers to abuse.
Patch and Firmware Management is also equally important in the network hardening process.
Sometimes a rollback is necessary, whenever the newer driver available is causing issues on your system.
Firmware Updates are much more infrequent than other types of updates, so it's easy to forget about them. Firmware updates are designed to increase the functionality of a device. Updating firmware is a process sometimes called flashing, in which the old firmware instructions are overwritten by the new ones.
Driver Updates need to stay current as well. This will make sure your peripheral devices maintain constant communication with your machine.
Access Control Lists are lists of rules that specify which users or systems are granted or denied access to a particular object or system resource, typically used in firewalls. Access control lists are also installed in routers or switches, where they act as filters, managing which traffic can access the network.
Role-based access control (RBAC) is commonly used in networks to simplify the process of assigning new users the permission required to perform a job role. In this arrangement, users are organized by job role into security groups, which are then granted the rights and permissions required to perform that job.
RBAC is only as successful as the organization policies designed to support it. Poor policies can result in the proliferation of unnecessary roles, creating an administrative nightmare for the person managing user access.
Firewall Rules are very important. If the access control lists are misconfigured on a firewall, the damage will fall into one of three categories:
Traffic is allowed that shouldn't be allowed.
Traffic that should be allowed is blocked.
No traffic is allowed at all.
Because in many cases the traffic type is specified in terms of a port number, it is critical to know the port numbers of the traffic you are dealing with.
When developing access control rules for firewalls, there are two basic approaches.
Explicit Deny - Using this approach, all traffic is allowed unless it is specifically (explicitly) denied with a rule. This is also referred to as Blacklisting, in that you are creating a blacklist of denied traffic. The issue with this approach is that you must identify all possible malicious traffic, which can be overwhelming.
Implicit Deny - With this approach, all traffic is denied unless it is specifically allowed by a rule. This is also called Whitelisting, in that you are creating a whitelist of allowed traffic with the denial of all other traffic. Many consider this to be the more secure approach. You need only identify what the required traffic is, a much more manageable effort than identifying all possible malicious traffic.
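The two approaches differ only in what happens when no rule matches. The added Python example below (not from the original notes) runs the same first-match evaluator over a constructed blacklist and a constructed whitelist, and also shows how a misordered rule produces the "no traffic is allowed at all" failure listed earlier. Rule contents and port numbers are sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port

    def matches(self, proto: str, dst_port: int) -> bool:
        return self.proto in ("any", proto) and self.dst_port in (None, dst_port)

def evaluate(rules, proto: str, dst_port: int, default: str) -> str:
    """First matching rule wins; `default` applies when nothing matches.
    default="deny"  -> implicit deny / whitelisting
    default="allow" -> explicit deny / blacklisting"""
    for rule in rules:
        if rule.matches(proto, dst_port):
            return rule.action
    return default

# Constructed policies: the admin wrote rules only for the services they thought of.
WHITELIST = [Rule("allow", "tcp", 443), Rule("allow", "tcp", 22)]
BLACKLIST = [Rule("deny", "tcp", 23), Rule("deny", "tcp", 445)]

def compare(proto: str, dst_port: int):
    """Return (whitelist verdict, blacklist verdict) for one flow."""
    return (evaluate(WHITELIST, proto, dst_port, default="deny"),
            evaluate(BLACKLIST, proto, dst_port, default="allow"))

def misordered(proto: str, dst_port: int) -> str:
    """A catch-all deny placed first shadows every later allow: nothing gets through."""
    rules = [Rule("deny", "any", None), Rule("allow", "tcp", 443)]
    return evaluate(rules, proto, dst_port, default="deny")
```

A service nobody listed, such as TCP/3389 here, is denied by the whitelist but passes the blacklist, which is the gap the notes warn about.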
Wireless Security
MAC Filtering - Client MAC addresses can be statically typed into each access point, allowing MAC filtering, and any frames that show up at the AP without a known MAC address in the filter table will be denied access.
Typically used when you have a small number of wireless clients and you don't want to deploy an encryption-based access method.
Antenna Placement - The security aspect of antenna placement is also critical. Since you cannot prevent the capture of wireless frames being broadcast by the AP, limiting the exposed areas of the broadcast signal helps to limit eavesdropping.
Power Levels - Power levels are used to expand and contract the size of the cell around the AP. While this is an available option, keep in mind that as you raise and lower the power, you are expanding and contracting the signal in all directions. In some cases, there is a need to reshape the cell rather than expand or contract it. You can reshape the cell by using Directional Antennas.
Wireless Client Isolation - Prevents wireless stations within an SSID from communicating directly with one another or with any devices on the wired network to which the wireless network might be connected. This can only be configured on the Internet.
Guest Network Isolation - When enabled, it creates two networks in one. One, the guest network, has client isolation in effect and has access only to the Internet. The second serves as the regular WLAN. Guests who join the guest Wi-Fi network are confined to an entirely separate network and given Internet access, but they can't communicate with the main wired network or the primary wireless network.
Preshared Keys (PSKs) - The PSK verifies users via a password or identifying code (also called a passphrase) on both the client machine and the access point. A client gains access to the network only if its password matches the access point's password. The PSK also provides keying material that TKIP or Advanced Encryption Standard (AES) uses to generate an encryption key for each packet of transmitted data.
Extensible Authentication Protocol (EAP) - EAP is used on encrypted networks to provide a secure way to send identifying information for network authentication. It isn't a single method but an authentication framework that enhances the existing wireless 802.1X framework.
Geofencing can be used to restrict or allow features when the device is in a particular area. It is the process of defining the area in which an operation can be performed by using the global positioning system (GPS) or radio frequency identification (RFID) to define a geographic boundary. An example of usage involves a location-aware device of a location-based service (LBS) user entering or exiting a geofence. This activity could trigger an alert to the device's user as well as messaging the geofence operator.
Ex. The camera on a work phone may work only when outside of the office, or authentication may be allowed only when the device is in a certain area.
Captive Portal - This is a web page to which users are directed when they attempt to connect to a WLAN. This web page may ask for network credentials, or in the case of a guest network such as at a coffee shop, hotel, or airport, it may only ask for agreement to the usage policy of the guest network.
IoT Devices are also easy recruits to a botnet, which is a group of systems that an attacker controls and directs to launch a DoS attack. The role an IoT device plays in such a botnet is that of a zombie, since IoT devices weren't built with security in mind. Consider using VLANs and other forms of segmentation to prevent this.