4.3 Network Security Features (PDF)

Summary

This document provides a comprehensive overview of network security features. It discusses device hardening, network access control, and key management, along with practical examples.

Full Transcript

Given a Scenario, Apply Network Security Features, Defense Techniques, and Solutions - GuidesDigest Training Chapter 4: Network Security

In the face of evolving cyber threats, the implementation of robust network security features and defense techniques is critical for protecting network resources and data. This chapter outlines effective strategies for device hardening, network access control, key management, enforcing security rules, and defining secure zones within the network infrastructure.

4.3.1 Device Hardening

Device hardening involves a series of actions taken to make network devices more secure by default, addressing vulnerabilities inherent in the standard configuration and operation of hardware and software.

Disable Unused Ports and Services

Many network devices and servers come with a variety of services and ports open by default. Not all of these services and ports are necessary for every organization’s operations, and leaving them active exposes the network to unnecessary risk.

Impact: Unused open ports and services can act as entry points for attackers, allowing them to exploit vulnerabilities associated with those services or to conduct reconnaissance to gather information about the network.

Implementation Strategy:
◦ Inventory and Assessment: Begin by conducting a thorough inventory of all network devices and the services running on them. Use tools like Nmap for port scanning and service identification.
◦ Policy Definition: Establish a policy that defines the necessary services and acceptable open ports based on the role of the device within the network.
◦ Service and Port Deactivation: Systematically disable all services and ports not explicitly required by the device’s operational role. For example, disable Telnet and SSH on network switches if remote management is not needed.
◦ Regular Review and Auditing: Implement a schedule for regular reviews and audits of service and port configurations to ensure compliance with the policy and to adapt to changing network requirements.

Change Default Passwords

Network devices often come with preset, manufacturer-default passwords, which can be easily discovered through manuals or online resources. These default credentials pose a significant security risk if not changed.

Impact: Default passwords are among the first vectors attackers exploit to gain unauthorized access to devices. Once inside, they can alter configurations, disrupt operations, or use the device as a launchpad for further attacks.

Implementation Strategy:
◦ Comprehensive Password Policy: Develop a robust password policy that specifies complexity requirements, rotation frequency, and unique password use across devices.
◦ Initial Setup Process: Incorporate the changing of default passwords into the initial setup process for any new device added to the network. Ensure that passwords are complex and adhere to the organization’s password policy.
◦ Use of Password Managers: To manage the complexity and quantity of passwords, employ a secure password manager capable of generating and storing complex passwords.
◦ Regular Password Changes and Audits: Schedule regular password changes and audits to identify any devices using default or weak passwords, continuously reinforcing the security posture.

4.3.2 Network Access Control (NAC)

NAC policies enforce device compliance and access permissions, managing device access to networks based on each device’s adherence to security policies. Effective NAC implementation protects against unauthorized access and limits the potential damage from compromised devices.

Port Security

Port security restricts input to a network interface by limiting the MAC addresses allowed to send traffic through a switch port.
Implementation: Administrators configure a switch port to accept traffic from a set number of known MAC addresses and block others, preventing unauthorized network access. For example, on a Cisco switch, port security can be configured using the command switchport port-security followed by specific parameters such as maximum (the number of MAC addresses allowed) and violation (the action taken when a violation occurs).

Impact: Enhances physical security by ensuring that only pre-authorized devices can access the network through specific ports. It effectively mitigates the risk of rogue device connections.

802.1X

802.1X provides a mechanism for network authentication, offering a way to centralize user or device authentication before access to the network is granted. It is particularly useful in wireless networks but applies to wired networks as well.

Implementation: Involves three primary components: the supplicant (client device), the authenticator (network switch or wireless access point), and the authentication server (RADIUS server). The authentication server validates users or devices against a database before network access is granted. Configuration includes setting up a RADIUS server with user/device credentials and configuring network devices to authenticate via this server.

Impact: Significantly strengthens network security by ensuring that only authenticated users and devices can access network resources, providing protection against unauthorized access attempts.

MAC Filtering

MAC filtering allows network access based on the physical hardware address of a device, known as the MAC address.

Implementation: Network administrators create a list of allowed MAC addresses in the network device’s configuration, permitting only devices with those addresses to connect. This method is commonly used in wireless networks, where the access point denies entry to any device not on the allowed list.
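The port-security behaviour described under 4.3.2 (a per-port maximum and a violation action), shown as an added Python model. This is example code written for this page, not Cisco's implementation or code from the original text; the mode names follow the IOS `switchport port-security violation {protect|restrict|shutdown}` options, and the port names and MAC addresses are constructed.

```python
"""Added example (not the page's or Cisco's code): a model of switch port
security as described under 4.3.2. A port learns up to `maximum` MAC
addresses; a frame from any further address is a violation handled according
to the port's violation mode."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecuredPort:
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = SHUTDOWN        # switchport port-security violation <mode>
    allowed: set = field(default_factory=set)  # static or learned (sticky) MACs
    violations: int = 0              # violation counter (restrict mode reports it)
    err_disabled: bool = False       # shutdown mode puts the port in err-disabled
    log: list = field(default_factory=list)    # syslog-style messages

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame from src_mac on this port.
        Returns 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"            # port stays down until an admin recovers it
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)        # dynamic learning up to the maximum
            return "forward"
        # Unknown address beyond the configured maximum: a violation
        self.violations += 1
        if self.violation == PROTECT:
            return "drop"                    # silently dropped, no notification
        if self.violation == RESTRICT:
            self.log.append(f"{self.name}: port-security violation from {src_mac}")
            return "drop"                    # dropped, counted and logged
        self.err_disabled = True             # SHUTDOWN: the whole port goes err-disabled
        self.log.append(f"{self.name}: err-disabled after frame from {src_mac}")
        return "err-disabled"

    def recover(self) -> None:
        """Admin action (shutdown / no shutdown, or errdisable recovery)."""
        self.err_disabled = False


if __name__ == "__main__":
    port = SecuredPort("Gi0/1", maximum=1, violation=SHUTDOWN)
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:55", "66:77:88:99:aa:bb"):
        print(mac, "->", port.receive(mac))
    print(port.log)
```

Note that the model forwards any frame whose source address is already in the allowed set, which is exactly the limitation the MAC filtering section below describes: a forged address that matches an allowed one passes, so port security is best paired with 802.1X rather than used alone. In restrict mode the violation counter and log entries are what a monitoring system should alert on.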
Impact: While MAC filtering can help control access, it is less secure than other methods because MAC addresses are easily spoofed. However, it offers a basic level of access control that can deter casual unauthorized access.

4.3.3 Key Management

Key management encompasses the procedures and mechanisms for handling cryptographic keys, including their generation, exchange, storage, use, and replacement.

Best Practices: Utilize a centralized Key Management System (KMS) to automate the lifecycle management of cryptographic keys. Ensure keys are stored securely, using hardware security modules (HSMs) when possible. Implement regular key rotation and revoke keys that are no longer in use or have been compromised.

Impact: Effective key management ensures the confidentiality and integrity of encrypted data, preventing unauthorized access and facilitating secure communication across the network.

4.3.4 Security Rules

Access Control List (ACL)

ACLs are a set of rules that control network traffic and limit access to and from network resources based on IP addresses, protocols, and port numbers.

Implementation: Configure ACLs on network devices, such as routers and firewalls, to permit or deny traffic based on specific criteria. For instance, an ACL can be set up to block incoming HTTP requests from a known malicious IP address while allowing all other traffic.

Impact: ACLs provide a granular level of security by controlling access to network resources, effectively preventing unauthorized access and mitigating potential attacks.

Uniform Resource Locator (URL) Filtering

URL filtering restricts web access based on URLs, preventing users from accessing specific websites deemed harmful or not in compliance with organizational policies.

Implementation: URL filtering can be enforced through network security appliances or cloud-based services.
Policies can be configured to block access to categories of websites, such as social media, adult content, or sites known for malware distribution.

Impact: Enhances security by reducing the risk of malware infection from malicious sites and improves productivity by limiting access to non-business-related websites.

Content Filtering

Content filtering examines the content being transmitted through the network and blocks data matching specific criteria, such as known malware signatures or sensitive information.

Implementation: Deploy content filtering solutions at the network perimeter and on endpoints. These solutions can inspect email attachments, web downloads, and other data entering or leaving the network, blocking harmful or sensitive content.

Impact: Protects against malware, data exfiltration, and policy violations by inspecting and controlling the content users can send and receive.

4.3.5 Zones

Trusted vs. Untrusted

Networks are segmented into zones based on trust levels. Trusted zones are protected segments where sensitive data and critical resources reside. Untrusted zones typically include external networks, such as the internet.

Implementation: Use firewalls to create boundaries between trusted and untrusted zones, applying strict rules to control traffic between them.

Screened Subnet (DMZ)

A screened subnet, or demilitarized zone (DMZ), is a network segment that acts as a buffer between the public internet (untrusted) and the internal network (trusted). It hosts public-facing services, such as web and email servers, isolating them from the internal network.

Implementation: Configure a firewall with three interfaces: one connected to the internal network, one to the internet, and one to the DMZ. Apply policies that strictly control traffic between these zones.
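The three-interface firewall just described, carrying the ACL from 4.3.4 (block HTTP from one known malicious address, permit the rest), as an added Python example. This is illustration code written for this page, not the original text's or any vendor's implementation; the interface names, zone names, rule set and all addresses (RFC 5737 documentation ranges and RFC 1918 space) are constructed.

```python
"""Added example (not the page's or any vendor's code): an ordered ACL
evaluator for a firewall with three interfaces, internet / DMZ / internal,
as in 4.3.5, carrying the ACL from 4.3.4 that blocks HTTP from one known
malicious address while permitting other traffic. Rules are evaluated top
down, first match wins, and anything unmatched hits the implicit deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_zone: str                   # "internet", "dmz", "internal" or "any"
    dst_zone: str
    proto: str = "any"              # "tcp", "udp", "icmp" or "any"
    src_net: str = "0.0.0.0/0"      # source CIDR, 0.0.0.0/0 = any host
    dst_port: Optional[int] = None  # None = any destination port

    def matches(self, src_zone: str, dst_zone: str, proto: str,
                src_ip: str, dst_port: int) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.proto in ("any", proto)
                and ip_address(src_ip) in ip_network(self.src_net)
                and (self.dst_port is None or self.dst_port == dst_port))


class ZoneFirewall:
    def __init__(self, interfaces: dict, rules: list):
        self.interfaces = interfaces    # interface name -> zone name
        self.rules = rules              # ordered ACL, first match wins

    def decide(self, in_if: str, out_if: str, proto: str,
               src_ip: str, dst_port: int) -> Tuple[str, Optional[int]]:
        """Return (action, rule number), or ('deny', None) for the implicit deny."""
        src_zone, dst_zone = self.interfaces[in_if], self.interfaces[out_if]
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(src_zone, dst_zone, proto, src_ip, dst_port):
                return rule.action, number
        return "deny", None


KNOWN_BAD_HOST = "203.0.113.7/32"   # constructed "known malicious" address

FIREWALL = ZoneFirewall(
    interfaces={"eth0": "internet", "eth1": "dmz", "eth2": "internal"},
    rules=[
        # 1. Block HTTP from the known-bad host; must sit above the general permit
        Rule("deny", "internet", "dmz", "tcp", KNOWN_BAD_HOST, 80),
        # 2-4. Public services hosted in the DMZ (web and mail)
        Rule("permit", "internet", "dmz", "tcp", dst_port=80),
        Rule("permit", "internet", "dmz", "tcp", dst_port=443),
        Rule("permit", "internet", "dmz", "tcp", dst_port=25),
        # 5-6. The internal zone may reach the DMZ and the internet
        Rule("permit", "internal", "dmz"),
        Rule("permit", "internal", "internet"),
        # No rule from dmz or internet into internal: the implicit deny applies
    ],
)


if __name__ == "__main__":
    samples = [("eth0", "eth1", "tcp", "203.0.113.7", 80),
               ("eth0", "eth1", "tcp", "198.51.100.20", 80),
               ("eth1", "eth2", "tcp", "192.0.2.10", 445)]
    for flow in samples:
        print(flow, "->", FIREWALL.decide(*flow))
```

Two points of rule ordering matter here: the specific deny precedes the general permit, because a permit listed first would match the bad host before the deny is ever consulted, and there is deliberately no rule from the DMZ into the internal zone, so a compromised DMZ host is stopped by the implicit deny rather than by a rule someone has to remember to write.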
Impact: The DMZ provides an additional layer of security, isolating external-facing services from the internal network and reducing the risk of an attacker reaching sensitive internal resources.

4.3.6 Summary

Effective device hardening is an ongoing process that plays a critical role in securing the network infrastructure. Disabling unused ports and services, along with changing default passwords, are foundational steps that significantly reduce the vulnerability of network devices to unauthorized access and exploitation.

NAC is an essential aspect of network security, providing a foundational layer that ensures only authorized and compliant devices can access the network. Through mechanisms like port security, 802.1X, and MAC filtering, networks can significantly reduce the risk of unauthorized access and potential security breaches.

The deployment of key management strategies, enforcement of detailed security rules, and strategic zoning of the network landscape are indispensable components of a comprehensive network security framework. These measures collectively fortify the network against unauthorized access, data breaches, and other cyber threats.

4.3.7 Key Points

◦ Reducing the attack surface through careful management of ports and services directly contributes to a more secure network environment.
◦ Strong, unique passwords are essential for protecting devices from unauthorized access, making the changing of default passwords a critical security measure.
◦ Port security and 802.1X are powerful tools for enforcing network access policies, offering robust methods to ensure that only authorized devices connect to the network.
◦ MAC filtering provides a basic level of access control but should be supplemented with stronger security measures because of weaknesses such as MAC address spoofing.
◦ Key management is crucial for securing cryptographic keys, which are the foundation of data encryption and secure communications.
◦ Security rules, including ACLs, URL filtering, and content filtering, are vital for regulating access to network resources and controlling the flow of data.
◦ Zones create segregated areas within the network to enhance security by controlling access between trusted and untrusted environments.

4.3.8 Practical Exercises

1. Port and Service Reduction Exercise: Identify and disable unnecessary services on a server within a controlled lab environment. Use a port scanner to verify that only the necessary ports are open after configuration.
2. Password Policy Implementation: Develop and implement a password policy for network devices. Practice changing default passwords on a range of devices, documenting the process for operational compliance.
3. Configure Port Security: On a managed switch, enable port security on a port, set the maximum number of MAC addresses, and specify a violation mode. Test the configuration by attempting to connect with unauthorized devices.
4. Implement 802.1X Authentication: Set up a RADIUS server and configure a wireless access point to use 802.1X authentication. Experiment with connecting both authorized and unauthorized devices.
5. Apply MAC Filtering on a Wireless Network: Configure a wireless access point with MAC filtering, adding authorized devices to the allow list. Observe the behavior when attempting connections from both allowed and disallowed devices.
6. Key Management Exercise: Simulate the process of generating, distributing, and rotating encryption keys within an organization. Include steps for securely archiving and revoking keys.
7. Implementing ACLs: Create an ACL on a router to block specific traffic while allowing other traffic. Test the ACL to ensure it behaves as expected.
8. Setting up a DMZ: Design and configure a DMZ for a fictional organization, including configuring firewall rules to control traffic between the internet, the DMZ, and the internal network.
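For the verification step of exercise 1 and the policy check in 4.3.1 (inventory, policy definition, regular audit), an added Python example that reads Nmap grepable output and reports ports a device's role does not permit. This is illustration code written for this page, not the original text's or Nmap's; the scan text is a constructed sample in the shape of `-oG` output rather than a real scan, and the role policy and inventory are assumed.

```python
"""Added example (not the page's code): verify that only the ports a device's
role permits are open, as in 4.3.1 and exercise 1. The input is Nmap's
grepable format (-oG); the scan text below is a constructed sample in that
shape, not real output, and the role policy is an assumed organizational one."""
import re

# Assumed policy: the services each role may expose, as "proto/port"
ROLE_POLICY = {
    "web": {"tcp/22", "tcp/80", "tcp/443"},
    "switch": {"tcp/22"},           # SSH management only; Telnet and SNMP off
}

# Assumed inventory: which role each scanned address plays
INVENTORY = {"192.0.2.10": "web", "192.0.2.20": "switch"}

# Constructed sample of nmap -oG output (tabs separate the fields)
SAMPLE_SCAN = """\
# Nmap grepable output (constructed sample, not a real scan)
Host: 192.0.2.10 (web01.example.test)\tStatus: Up
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.20 (sw01.example.test)\tStatus: Up
Host: 192.0.2.20 (sw01.example.test)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 161/open/udp//snmp///\tIgnored State: closed (997)
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+([^\t]+)")


def parse_grepable(text: str) -> dict:
    """Return {ip: {"proto/port": service}} for every open port in -oG output."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue                          # comment and Status lines
        ip, port_list = match.groups()
        open_ports = hosts.setdefault(ip, {})
        for entry in port_list.split(","):
            # Each entry is port/state/proto/owner/service/rpc/version/
            port, state, proto, _owner, service = entry.strip().split("/")[:5]
            if state == "open":
                open_ports[f"{proto}/{port}"] = service
    return hosts


def audit(hosts: dict, inventory: dict, policy: dict = ROLE_POLICY) -> dict:
    """Return {ip: [unexpected open "proto/port", ...]} for hosts out of policy.
    A host missing from the inventory has no allowed ports, so everything open
    on it is reported: unknown devices are findings too."""
    findings = {}
    for ip, open_ports in hosts.items():
        allowed = policy.get(inventory.get(ip), set())
        unexpected = sorted(p for p in open_ports if p not in allowed)
        if unexpected:
            findings[ip] = unexpected
    return findings


if __name__ == "__main__":
    for ip, ports in audit(parse_grepable(SAMPLE_SCAN), INVENTORY).items():
        print(f"{ip}: unexpected open ports {ports}")
```

Running this as a scheduled job over each scan, with the output diffed against the previous run, gives the regular review the section calls for: a port that was closed last month and is open now is the kind of drift the audit exists to catch.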
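For exercise 6 and the lifecycle described in 4.3.3 (generation, use, rotation, archiving and revocation), an added Python example of a minimal in-memory key manager. This is illustration code written for this page, not the original text's code or any real KMS; the key ID scheme, the 90-day rotation period and the use of HMAC-SHA256 tags (so the block needs only the standard library) are assumptions, and a production KMS or HSM would hold the material and expose only the operations.

```python
"""Added example (not the page's code): a minimal in-memory key manager that
walks through the lifecycle from 4.3.3 and exercise 6: generate, use, rotate,
archive (retire) and revoke. Keys are used for HMAC-SHA256 integrity tags so
the block runs on the standard library alone."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

ACTIVE, RETIRED, REVOKED = "active", "retired", "revoked"


@dataclass
class KeyVersion:
    key_id: str
    material: bytes      # in a real KMS/HSM this never leaves the module
    state: str
    created: datetime


class KeyManager:
    def __init__(self, rotation_days: int = 90):
        self.keys = {}                           # key_id -> KeyVersion
        self.active_id: Optional[str] = None
        self.rotation_period = timedelta(days=rotation_days)
        self.rotate()                            # generate the first key

    def rotate(self) -> str:
        """Generate a fresh key, make it active and retire (archive) the old one."""
        previous = self.keys.get(self.active_id)
        if previous is not None and previous.state == ACTIVE:
            previous.state = RETIRED             # kept only to verify old data
        key_id = f"k{len(self.keys) + 1:03d}"    # assumed ID scheme
        self.keys[key_id] = KeyVersion(key_id, secrets.token_bytes(32), ACTIVE,
                                       datetime.now(timezone.utc))
        self.active_id = key_id
        return key_id

    def rotation_due(self) -> bool:
        """True once the active key has been in service for the full period."""
        age = datetime.now(timezone.utc) - self.keys[self.active_id].created
        return age >= self.rotation_period

    def revoke(self, key_id: str) -> None:
        """A compromised key: nothing protected by it may be trusted again.
        Revoking the active key triggers an immediate rotation."""
        self.keys[key_id].state = REVOKED
        if key_id == self.active_id:
            self.rotate()

    def seal(self, data: bytes) -> Tuple[str, str]:
        """Protect data with the active key only; returns (key_id, tag)."""
        key = self.keys[self.active_id]
        return key.key_id, hmac.new(key.material, data, hashlib.sha256).hexdigest()

    def verify(self, key_id: str, data: bytes, tag: str) -> bool:
        """Active and retired keys verify; revoked or unknown keys never do."""
        key = self.keys.get(key_id)
        if key is None or key.state == REVOKED:
            return False
        expected = hmac.new(key.material, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    km = KeyManager()
    kid, tag = km.seal(b"constructed record")
    print(kid, km.verify(kid, b"constructed record", tag))     # k001 True
    km.rotate()
    print(kid, km.keys[kid].state, km.verify(kid, b"constructed record", tag))  # retired, True
    km.revoke(kid)
    print(kid, km.keys[kid].state, km.verify(kid, b"constructed record", tag))  # revoked, False
```

The distinction the model enforces is the one the section's best practices rest on: rotation retires a key but keeps it, so data protected under it remains readable until it is re-protected, whereas revocation is for compromise and cuts off the key immediately, which is why revoking the active key must also produce a replacement without a gap.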
