Network security can seem like an overwhelming task, so we’ve put together a checklist of 13 points to consider when securing your network; these can be tailored to suit your environment. We’ll be releasing them in small batches each day, so keep your eyes peeled!
Each point identifies an area of information security to focus on, together with some recommended practices and tips to help you achieve all-round network security. These areas include:
- Provisioning Servers
- Deploying Workstations
- Network Equipment
- Vulnerability Scanning
- Remote Access
- Internet Access
- File Sharing
- Log Correlation
Don’t try and implement network security without a plan in the form of policies. Policies should be created, socialised, approved by management, implemented and then referenced when making security decisions.
Companies with more than two employees should have the following policies in place to help secure their network:
- Acceptable Use Policy
- Internet Access Policy
- Email and Communications Policy
- Network Security Policy
- Remote Access Policy
- BYOD Policy
- Encryption Policy
Your servers are where your organisation’s most valuable data is stored and should be protected from both internal and external threats. Create a server deployment checklist for your organisation and ensure each server is 100% compliant before it is deployed.
You should keep a list of all the servers on your network, with details such as name (naming your servers sensibly can save valuable time when identifying one on your network); purpose; IP address; date of service; service tag; rack location or default host; operating system; and the contact responsible for the server, its maintenance and for investigating any anomalies associated with it.
Additional points to check include:
- Check configurations have been created and applied correctly
- Assign a static IP address to all your servers and record them
- Ensure all patches are applied and added to patch management to ensure maintenance
- Install antivirus and check that it reports to the management console.
- Host intrusion prevention should be configured in accordance with standards and report to the management console.
- Software firewalls should be configured to permit required traffic for your network, including remote access, logging and monitoring and other services.
- Pick one remote access solution and stick to it, for example the built-in terminal services for Windows clients and SSH for everything else.
- Ensure all servers are connected to a UPS, and if you don’t use a generator, that they have the agent needed to gracefully shut down before the batteries are depleted.
- Unless there is good reason not to, all non-Windows servers should use LDAP to authenticate users against Active Directory.
- Rename the local administrator account and make sure you set a strong password.
- Use domain groups to set group memberships and permissions
- Create as many OUs as you need to accommodate the different servers and set as much as possible using a GPO instead of the local security policy.
- If a server doesn’t need to run a particular service, disable it.
- If you are going to use SNMP, make sure you configure your community strings, and restrict management access to your known systems
- Ensure all management, backup and logging agents are installed before the server is considered complete
- Back it up! If it was worth building, it is worth backing up!
- Run a full vulnerability scan on it before putting it in production to ensure nothing has been missed. Then schedule it for regular scanning.
Don’t overlook the importance of network security on your workstations. Whether it be a desktop in the office, a laptop or another mobile device, a workstation is a gateway into your network and should be as secure as possible.
No doubt your users will be running a number of programmes and accessing the internet, putting your workstations at much higher risk than servers. As a result you should consider securing the following areas:
- Keep a List
As with your servers, keep a list of all your work stations, with details such as the name of the work station and who it has been issued to.
- Patching
Patch all your workstations and ensure that all programmes and applications are fully up to date. To maintain this, update your master image and ensure all workstations are connected to your patch management system.
- VPN/External Connectivity
If you allow devices to connect remotely to the corporate network, a firewall or host intrusion prevention is recommended. Check the configuration does not interfere with your management tasks, like pushing antivirus updates, checking logs, auditing software, etc.
When allowing remote access also ensure you pick one method and stick to it, banning all others.
- Removable Devices
We’d highly recommend encryption for all removable devices. This not only protects your workstations from viruses and malware, but protects the organisation in the event the device should get lost or stolen.
- Central Management
Manage your policies centrally, making sure employees set strong passwords and are correctly set up in the appropriate memberships and have the correct assigned permissions. Check all workstations report to your antivirus and patch management.
Once you think you’re all set, scan for vulnerabilities and find out! You should also schedule regular scans to stay on top of your network security.
In addition to all the individual elements, it is critical you secure and maintain your network as a whole. Where possible use a centralised management console to manage and track all your assets; this will enable you to achieve consistency throughout your network security and save you time and money. Areas to concentrate on can be identified as follows:
- Similar to your servers and workstations, keep a list of all your network hardware, together with details such as device name, type, location, serial number, tag and responsible party
- Have a standard configuration for each type of device to help maintain consistency and easy management
- Assign static IP addresses to all management interfaces
- Patch your firmware (the OS on your network) and keep up to date on security updates for your hardware
- Use the most secure method available from your platform for remote access. This will probably be SSH version 2; if so, disable telnet and SSH version 1
- Use TACACS+ or other remote management solution so that authorized users authenticate with unique credentials
- If you are going to use SNMP, change the default community strings and set authorized management stations. If you aren’t, turn it off
- Back up your configurations regularly and whenever you make changes
- Run a vulnerability scan across your whole network to identify vulnerabilities
- Use VLANs to segregate traffic types, like workstations, servers, out of band management, backups, etc
- Set port restrictions to prevent users running promiscuous mode devices or connecting hubs or unmanaged switches
- Disable ports that are not assigned to specific devices
- ‘Deny All’ should be the default posture on all access lists – inbound and outbound
- Log and record all violations promptly and investigate alerts immediately
- Only use secure routing protocols with authentication and only accept updates from known peers
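Several of the points above (SSH version 2 only, telnet off, no default SNMP community strings, management access restricted to known stations, ‘Deny All’ as the default posture on access lists) can be checked mechanically against a saved device configuration, which is what the standard-configuration and backup points make possible. The following is an added example we have written for this post, not code from any vendor or product: a small Python lint over a constructed, Cisco IOS-style configuration. The command syntax it looks for is real IOS syntax, but the checks are plain line matching and would need adapting to your platform.

```python
"""Lint a saved network device configuration against the checklist above.

Added example for this post, not vendor code. SAMPLE_CONFIG is a constructed
Cisco IOS-style configuration that deliberately breaks several of the rules.
"""
import re

SAMPLE_CONFIG = """\
hostname core-sw-01
ip ssh version 1
snmp-server community public RO
snmp-server community s3cret-r0 RO 10
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
ip access-list extended USER-OUT
 permit ip any any
line vty 0 4
 transport input telnet ssh
 login local
"""

# Community strings that ship as defaults and must never survive deployment.
DEFAULT_COMMUNITIES = {"public", "private"}


def lint_config(config: str) -> list:
    """Return a list of human-readable findings for the given config text."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]

    # Remote access: SSH v2 enforced globally, telnet absent from every vty line.
    if "ip ssh version 2" not in lines:
        findings.append("SSH version 2 is not enforced (add 'ip ssh version 2')")
    for ln in lines:
        if ln.strip().startswith("transport input") and "telnet" in ln:
            findings.append(f"telnet enabled on a vty line: '{ln.strip()}'")

    # SNMP: no default community strings, and every community tied to an ACL
    # of authorised management stations (the trailing ACL name/number).
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?", ln)
        if m:
            community, _mode, acl = m.groups()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community '{community}' in use")
            if acl is None:
                findings.append(
                    f"SNMP community '{community}' not restricted to management stations"
                )

    # Access lists: the last entry of every named ACL must be an explicit deny.
    current = None
    last_entry = {}
    for ln in lines:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", ln)
        if m:
            current = m.group(1)
            last_entry[current] = None
        elif current and ln.startswith(" ") and ln.strip():
            last_entry[current] = ln.strip()
        elif not ln.startswith(" "):
            current = None  # left the ACL block
    for name, entry in last_entry.items():
        if entry is None or not entry.startswith("deny"):
            findings.append(f"access-list {name} does not end with an explicit deny")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it over the configuration backups you already take, and any non-empty result is a device that has drifted from your standard configuration.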
Have you considered saving time and money by outsourcing IT support to manage your IT network security? This is something we can do and would be happy to discuss how we could support your business infrastructure.
Regular scanning is essential to maintain network security and should be carried out on a schedule, with each set of results compared against the last. Configure your vulnerability scanning application to scan all of your internal and external environments on a regular basis. Keep an eye on the results and monitor for any rogue or unmanaged devices.
If you do not have existing software to carry this out, we would be happy to speak with you and recommend something to suit your infrastructure and requirements.
In addition our Certified Ethical Hackers are able to perform vulnerability testing on both your internal and external networks, producing a full report and recommendations. We also offer penetration testing and web application testing.
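The two things the scanning point asks for, comparing results between runs and spotting rogue or unmanaged devices, both come down to set comparisons: the hosts the scanner found versus the asset list you keep under Provisioning Servers, and this run’s findings versus the previous run’s. Here is an added example we have written for this post (not the output format of any particular scanner): the inventory, the two scan results and the finding identifiers are all constructed placeholders.

```python
"""Compare vulnerability-scan discoveries against the asset list and the last run.

Added example for this post. INVENTORY, LAST_WEEK and THIS_WEEK are constructed
sample data; the FINDING-* labels are placeholders, not real vulnerability IDs.
"""
from ipaddress import ip_address

# Constructed asset list in the shape the checklist suggests.
INVENTORY = [
    {"name": "dc01", "purpose": "domain controller", "ip": "10.10.0.10", "owner": "infra team"},
    {"name": "fs01", "purpose": "file server", "ip": "10.10.0.20", "owner": "infra team"},
    {"name": "sw-core", "purpose": "core switch", "ip": "10.10.0.1", "owner": "network team"},
]

# Constructed scan output: host IP -> set of finding identifiers.
LAST_WEEK = {
    "10.10.0.10": {"FINDING-A", "FINDING-B"},
    "10.10.0.20": {"FINDING-C"},
    "10.10.0.1": set(),
}
THIS_WEEK = {
    "10.10.0.10": {"FINDING-B"},
    "10.10.0.20": {"FINDING-C", "FINDING-D"},
    "10.10.0.1": set(),
    "10.10.0.77": {"FINDING-E"},  # never recorded in the inventory
}


def unmanaged_hosts(inventory, scan):
    """Hosts the scanner found with no inventory record: rogue or unmanaged devices."""
    known = {ip_address(item["ip"]) for item in inventory}
    return sorted(host for host in scan if ip_address(host) not in known)


def missing_hosts(inventory, scan):
    """Inventoried hosts the scanner did not see (offline, moved, or a scope gap)."""
    seen = {ip_address(host) for host in scan}
    return sorted(item["name"] for item in inventory if ip_address(item["ip"]) not in seen)


def compare_scans(previous, current):
    """Per host: findings new in this run, and findings fixed since the last run."""
    report = {}
    for host in sorted(set(previous) | set(current), key=ip_address):
        before = previous.get(host, set())
        after = current.get(host, set())
        report[host] = {"new": sorted(after - before), "fixed": sorted(before - after)}
    return report


if __name__ == "__main__":
    print("unmanaged:", unmanaged_hosts(INVENTORY, THIS_WEEK))
    print("missing:  ", missing_hosts(INVENTORY, THIS_WEEK))
    for host, delta in compare_scans(LAST_WEEK, THIS_WEEK).items():
        print(host, delta)
```

Anything returned by `unmanaged_hosts` is either a device that needs adding to the list with an owner or one that should not be on the network at all; either way it needs investigating.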
We’ve already said if it is worth building it is worth backing up, so back it up! In the event of a disaster could your business still function without any data? How much would it cost in downtime and to rebuild your network?
There are many types of backup available to suit all environments, but they are all pointless unless you check you really are backing up and that the backup can be restored.
If you are using tapes ensure that the backup is stored in a safe secure offsite location and where possible use encryption.
If you do not currently have any back up in place, or you would like to review the best backup solution for your business, we would be happy to discuss the options available with you and how we may be able to assist.
You’ve invested your time and money in securing the rest of your network, now it’s time to secure the method people use to access it.
First thing first, if you are going to allow remote access pick a method and stick to it – block all other methods.
If connecting via the internet, secure your users by tunnelling all traffic through a VPN only. Further secure this by only allowing access via two factor authentication, in the form of a token or app.
Perform regular audits on your chosen method of remote access, carrying out spot checks to detect any unusual patterns and monitor traffic.
You’ve secured your hardware and software, now it is time to secure your wireless. We’d recommend focusing on the following tips to help you achieve a higher level of security for your wireless:
- Use an SSID that cannot be easily associated with your company, and suppress the broadcast of that SSID
- Use 802.1x for authentication to your wireless network so only approved devices can connect
- Use the strongest encryption you possibly can. Never use WEP; if you really have to, set up a dedicated SSID for only those devices, with a firewall so they can only connect to the central software over the required port and nothing else.
- Create a policy for BYOD, even if it is just to prohibit users from bringing in their own devices or connecting over the VPN. Alternatively, if you can, we’d recommend MDM for BYOD to allow you to manage and secure all said devices
Everyone is aware of the dangers emails can contain, including viruses or other malware. Protect your users and network by applying the following measures to your emails:
- Deploy an email filtering solution to both your inbound and outbound messages. Spam emails can be a problem for any business and being inundated with spam emails could mean you miss the important ones.
- Ensure that your edge devices will reject directory harvest attempts
- Deploy mail filtering software that protects users from the full range of email threats, including malware, phishing and spam.
Spam filtering is included within every support contract we offer.
Implementing an internet monitoring solution will allow you to provide all your users with secure internet access.
To achieve this, we’d recommend the following:
- Use filter lists that support your company’s acceptable use policy
- Scan all content for malware, whether that is file downloads, streaming media, or simply scripts contained in web pages.
- Deploy bandwidth restrictions
- Block outbound traffic which could violate policy
If you are unsure how to implement these recommendations we’d be happy to discuss applications which may assist you, or how we may be able to manage this for you.
Securing your files is extremely important – you have already invested the time in making them after all. Enable your employees to securely share files by following these steps:
- Remove the ‘Everyone’ group from legacy shares and the ‘Authenticated Users’ group from newer shares. These default permissions are usually too permissive, so set more restrictive permissions.
- Always assign permissions using the concept of “least privilege”. “Need access” should translate to “read only” and “full control” should only ever be granted to admins
- Never assign permissions to individual users; only use domain groups
- If you have a file system that tempts you to use “Deny Access” to fix a problem you are probably doing something wrong. Reconsider your directory structure and the higher level permissions, and move that special case file or directory somewhere else to avoid using Deny Access.
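The four file-sharing rules above translate directly into checks you can run over a share’s permission entries: no ‘Everyone’ or ‘Authenticated Users’, no permissions granted to individual users, no explicit deny entries, and Full Control only for admin groups. The following is an added example we have written for this post, not a Windows API call: the permission entries are constructed dictionaries using Windows-style principal and right names, so in practice you would feed it the output of whatever tool you use to export share or NTFS permissions.

```python
"""Audit share permission entries against the file-sharing rules above.

Added example for this post. LEGACY_ACL and GOOD_ACL are constructed samples;
principal and right names follow Windows conventions but nothing here talks
to Windows, it is plain Python over dictionaries.
"""

# Default grants that are too broad and should be removed from every share.
OVERLY_BROAD = {"Everyone", "Authenticated Users"}
# The only principals that should ever hold Full Control.
ADMIN_GROUPS = {"Domain Admins", "Administrators"}


def audit_share(share_name, acl):
    """Return findings for one share.

    acl: list of dicts with keys principal, kind ('user' or 'group'),
    access ('allow' or 'deny') and rights ('Read', 'Modify', 'FullControl').
    """
    findings = []
    for ace in acl:
        who = ace["principal"]
        if who in OVERLY_BROAD:
            findings.append(f"{share_name}: '{who}' still present; remove the default broad grant")
        if ace["kind"] == "user":
            findings.append(f"{share_name}: permission assigned directly to user '{who}'; use a domain group")
        if ace["access"] == "deny":
            findings.append(f"{share_name}: explicit deny for '{who}'; restructure rather than deny")
        if ace["access"] == "allow" and ace["rights"] == "FullControl" and who not in ADMIN_GROUPS:
            findings.append(f"{share_name}: '{who}' has Full Control; only admin groups should")
    return findings


# Constructed: a legacy share that breaks most of the rules...
LEGACY_ACL = [
    {"principal": "Everyone", "kind": "group", "access": "allow", "rights": "FullControl"},
    {"principal": "jsmith", "kind": "user", "access": "allow", "rights": "Modify"},
    {"principal": "Interns", "kind": "group", "access": "deny", "rights": "Read"},
]
# ...and one laid out by the least-privilege rule: read group, edit group, admins.
GOOD_ACL = [
    {"principal": "Finance-Read", "kind": "group", "access": "allow", "rights": "Read"},
    {"principal": "Finance-Edit", "kind": "group", "access": "allow", "rights": "Modify"},
    {"principal": "Domain Admins", "kind": "group", "access": "allow", "rights": "FullControl"},
]


if __name__ == "__main__":
    for name, acl in (("legacy-share", LEGACY_ACL), ("finance", GOOD_ACL)):
        for finding in audit_share(name, acl) or [f"{name}: no findings"]:
            print(finding)
```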
Checking the log of each server on your network could take a fair bit of time and could allow for human error. Use a logging solution which collectively gathers information from all of your servers and compares the results.
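What a log correlation tool adds over reading each server’s log in turn is the cross-server view: a handful of failed logons on one server is noise, the same source failing on several servers within minutes is worth an alert. The following is an added example we have written for this post, not the output of any logging product: the log lines are constructed, and their simple `timestamp host event key=value` layout is an assumption made for the example.

```python
"""Correlate failed logons across several servers' logs.

Added example for this post. SAMPLE_LOGS is constructed; its layout
(timestamp host event key=value ...) is assumed for the example and is not
any product's real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-03-01T09:00:05 fs01 LOGON_FAILURE user=svc-backup src=10.10.5.23
2024-03-01T09:00:09 dc01 LOGON_FAILURE user=svc-backup src=10.10.5.23
2024-03-01T09:00:14 web01 LOGON_FAILURE user=admin src=10.10.5.23
2024-03-01T09:01:00 fs01 LOGON_SUCCESS user=jsmith src=10.10.7.4
2024-03-01T09:30:00 db01 LOGON_FAILURE user=sa src=10.10.5.23
2024-03-01T10:00:00 fs01 LOGON_FAILURE user=jsmith src=10.10.7.4
"""


def parse(line):
    """Turn one log line into a dict: time, host, event plus any key=value fields."""
    ts, host, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"time": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def correlate_failures(log_text, window=timedelta(minutes=5), min_hosts=2):
    """Return {source_ip: [hosts]} for sources that failed to log on to at
    least `min_hosts` distinct servers within any `window`-long period."""
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGON_FAILURE":
            failures[ev["src"]].append(ev)

    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a window starting at each failure; report the first window
        # that spans enough distinct servers.
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for src, hosts in correlate_failures(SAMPLE_LOGS).items():
        print(f"ALERT: {src} failed logons on {len(hosts)} servers: {', '.join(hosts)}")
```

On the sample data, 10.10.5.23 fails against three servers inside ten seconds and is reported; the single failure from 10.10.7.4 is not, which is the distinction no per-server log review would have made.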
For more information regarding Log Correlation, give us a call on 0845 380 2202.
Use a form of central management for all systems, to include workstations, servers and your network. This will allow you to easily manage and implement policies efficiently and effectively, saving you time and money. Centralised management of all your assets will also allow you to identify anomalies and deal with threats before any damage is caused.
If you would like any advice on the contents of this checklist or the options available to help secure your network, please give us a call on 0845 370 2202 or email us at [email protected]