Network Security Best Practices

Aug 9, 2024

Network Security and Management Techniques

SNMP (Simple Network Management Protocol)

  • Used for: Querying and receiving information from network infrastructure devices (servers, switches, firewalls, routers, etc.)
  • Versions:
    • SNMP v1 & v2c: Authenticate with a plaintext community string and send everything unencrypted, so anyone on the path can read the data and reuse the string (security risk)
    • SNMP v3: Adds per-user authentication and encryption (authPriv level); recommended
  • Recommendation: Use SNMP v3 with authPriv wherever devices support it; where a legacy v1/v2c community string cannot be removed, make it read-only and restrict it to the management subnet with an ACL

IPv6 Router Advertisements

  • Technique: Router Advertisement (RA) Guard
  • Function: Drops rogue Router Advertisements from an attacker posing as a router (which would otherwise let the attacker become the IPv6 default gateway or DNS server for every host on the segment)
  • Benefit: Only advertisements from legitimate routers, on ports marked as trusted, are accepted
  • Implementation: Usually a per-port feature on managed switches; mark the uplink to the real router trusted and all access ports untrusted

Switch Security Techniques

Port Security

  • Purpose: Limits which and how many MAC addresses may send traffic on a switch port
  • Mechanism: The switch learns (or is configured with) up to a set number of secure MAC addresses per interface; a frame from any additional MAC is a violation, handled by the configured mode: drop silently, drop and alert, or shut the port down (err-disable) until an administrator re-enables it
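
As an added illustration (not code from these notes or from any switch vendor), the following Python model walks through the port-security mechanism above: the per-port MAC limit, the three usual violation modes, and the side effect of shutdown mode cutting off the legitimate host as well. Port names, MAC addresses and limits are made-up sample values.

```python
from collections import defaultdict


class PortSecurity:
    """Toy model of switch port security (added illustration, not vendor code).

    Each secured port learns up to `maximum` source MACs. A frame from any
    further MAC, or from a MAC already secured on another port, is a violation
    handled by the port's mode:
      protect  - drop the frame silently
      restrict - drop the frame, count it and log (syslog/SNMP trap on a real switch)
      shutdown - err-disable the port; nothing passes until an admin recovers it
    """

    MODES = ("protect", "restrict", "shutdown")

    def __init__(self):
        self.maximum = {}                    # port -> allowed number of secure MACs
        self.mode = {}                       # port -> violation mode
        self.secure = defaultdict(dict)      # port -> {mac: "static" | "dynamic"}
        self.errdisabled = set()
        self.violations = defaultdict(int)
        self.log = []

    def enable(self, port, maximum=1, mode="shutdown", static=()):
        if mode not in self.MODES:
            raise ValueError(f"unknown violation mode {mode!r}")
        self.maximum[port] = maximum
        self.mode[port] = mode
        for mac in static:                   # pre-configured (static) secure MACs
            self.secure[port][mac] = "static"

    def ingress(self, port, src_mac):
        """Return True if a frame with this source MAC is forwarded, False if dropped."""
        if port in self.errdisabled:
            return False                     # shut down: drops everything, even the legitimate host
        if port not in self.maximum:
            return True                      # port security not enabled on this port
        table = self.secure[port]
        if src_mac in table:
            return True
        # A MAC that is already secured on another port is a violation even if there is room.
        moved = any(src_mac in t for p, t in self.secure.items() if p != port)
        if not moved and len(table) < self.maximum[port]:
            table[src_mac] = "dynamic"       # learn until the limit is reached
            return True
        return self._violation(port, src_mac)

    def _violation(self, port, src_mac):
        self.violations[port] += 1
        mode = self.mode[port]
        if mode == "shutdown":
            self.errdisabled.add(port)
            self.log.append(f"{port}: err-disabled after violation by {src_mac}")
        elif mode == "restrict":
            self.log.append(f"{port}: dropped {src_mac} (violation #{self.violations[port]})")
        return False                         # protect mode drops silently


def demo():
    """Walk two sample ports through a violation each; return the model and per-frame decisions."""
    ps = PortSecurity()
    ps.enable("Gi1/0/1", maximum=1, mode="shutdown")   # single desktop expected
    ps.enable("Gi1/0/2", maximum=2, mode="restrict")   # IP phone + PC expected
    decisions = [
        ps.ingress("Gi1/0/1", "aa:aa:aa:00:00:01"),    # learned, forwarded
        ps.ingress("Gi1/0/1", "aa:aa:aa:00:00:02"),    # hub/rogue device: violation, port err-disabled
        ps.ingress("Gi1/0/1", "aa:aa:aa:00:00:01"),    # original host is now cut off too
        ps.ingress("Gi1/0/2", "bb:bb:bb:00:00:01"),    # phone learned
        ps.ingress("Gi1/0/2", "bb:bb:bb:00:00:02"),    # PC learned
        ps.ingress("Gi1/0/2", "bb:bb:bb:00:00:03"),    # third MAC: dropped and logged
        ps.ingress("Gi1/0/2", "bb:bb:bb:00:00:01"),    # phone still works under restrict
    ]
    return ps, decisions


if __name__ == "__main__":
    model, result = demo()
    print(result)
    print("\n".join(model.log))
```

The trade-off the model makes visible: shutdown mode is the strongest response, but it means anyone who can plug a second device into a port can knock the legitimate host offline until an administrator intervenes, so restrict mode with alerting is often the better choice on user-facing ports.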

Dynamic ARP Inspection (DAI)

  • Purpose: Prevents ARP spoofing (ARP cache poisoning) attacks
  • Function: Checks the sender IP/MAC pair in every ARP packet from an untrusted port against the IP-to-MAC bindings that DHCP snooping recorded for that port and VLAN
  • Benefit: Drops ARP packets that do not match a binding, so an attacker cannot claim the gateway's IP address; requires DHCP snooping to be enabled first, and hosts with static IPs need a trusted port or an ARP ACL

Control Plane Protection

  • Purpose: Protects the device's own CPU, i.e. its control and management planes (routing protocols, SSH, SNMP), from being flooded
  • Techniques:
    • Quality of Service (QoS): Prioritizes management traffic so administrators can still log in during a flood
    • Firewalling: Blocks traffic addressed to the device itself that is not legitimate management or control-plane traffic
    • Rate Limiting (Control Plane Policing): Caps how many packets per second are handed to the CPU, protecting against denial-of-service (DoS) attacks

Port Isolation

  • Purpose: Prevents devices on the same VLAN or SSID from talking directly to each other while still letting each reach the gateway (e.g., client isolation on public Wi-Fi, private VLANs on switches)

Disabling Unused Interfaces

  • Purpose: Prevents someone with physical access from plugging into a live switch port (administratively shut down every port not in use)
  • Advanced Technique: Network Access Control (e.g., 802.1X), which authenticates the device or user before the port forwards any traffic

Closing Unnecessary Ports

  • Purpose: Minimizes the attack surface; every listening service is a potential entry point
  • Method: Disable services that are not needed, and use firewalls or ACLs to limit who can reach the rest
  • Tool: Port scanners (e.g., Nmap) to verify from the outside which ports are actually open, then compare the result against the list of ports that are supposed to be open
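
Added example (not from the original notes): a Python check that parses Nmap's grepable (-oG) output and reports open ports that are not on a per-host allowlist, plus allowlisted ports the scan did not find open. The scan text and the allowlist below are constructed sample data for 192.0.2.10 and 192.0.2.11, not real scan results.

```python
import re

# Constructed sample of `nmap -oG -` grepable output (fields are tab-separated); not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Fri Aug  9 10:00:00 2024 as: nmap -sS -sU -oG - 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
# Nmap done at Fri Aug  9 10:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.02 seconds
"""

# Hypothetical allowlist: the (proto, port) pairs each host is supposed to expose.
ALLOWED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22)},
}

# Each entry in the Ports field is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"^(\d+)/([^/]+)/(tcp|udp|sctp)/")


def parse_gnmap(text):
    """Return {host: {(proto, port): state}} for every port entry in -oG output."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = result.setdefault(host, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.match(entry.strip())
                if m:
                    ports[(m.group(3), int(m.group(1)))] = m.group(2)
    return result


def _is_open(state):
    # UDP scans report "open|filtered" when no response came back; treat that as
    # possibly open so it gets reviewed rather than silently ignored.
    return state.startswith("open")


def unexpected_open_ports(scan, allowed):
    """Open ports not on the host's allowlist: {host: [((proto, port), state), ...]}."""
    findings = {}
    for host, ports in scan.items():
        wanted = allowed.get(host, set())
        extra = sorted((p, s) for p, s in ports.items() if _is_open(s) and p not in wanted)
        if extra:
            findings[host] = extra
    return findings


def missing_expected_ports(scan, allowed):
    """Allowlisted ports the scan did not see open (service down, or a firewall rule is wrong)."""
    findings = {}
    for host, wanted in allowed.items():
        seen = scan.get(host, {})
        missing = sorted(p for p in wanted if not _is_open(seen.get(p, "")))
        if missing:
            findings[host] = missing
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    print("unexpected:", unexpected_open_ports(scan, ALLOWED))
    print("missing:", missing_expected_ports(scan, ALLOWED))
```

Run it against the output of a real `nmap -sS -sU -oG scan.gnmap <targets>` from outside the firewall, and treat every unexpected entry as either a service to disable or a firewall rule to tighten; here the sample flags Telnet and SNMP on 192.0.2.11.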

Managing Default Credentials

  • Importance: Default credentials are published in vendor documentation, so they are the first thing an attacker tries; leaving them in place hands over administrative access
  • Recommendation: Change every default password before the device goes into production; use strong, unique passwords (or SSH keys) and disable or rename default accounts where the device allows it

DHCP Snooping

  • Purpose: Classifies switch ports as trusted (toward the real DHCP server) or untrusted (client ports) and builds a binding table of IP address, MAC address, port and VLAN from the leases it observes
  • Benefit: Drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, stopping rogue DHCP servers; the binding table is also what Dynamic ARP Inspection checks against
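
The following Python model is an added example, not the notes' own material or vendor code; it serves both the Dynamic ARP Inspection section above and this DHCP snooping section, since DAI depends on the binding table that snooping builds. Port names, MAC addresses, VLAN 10 and the 10.0.10.0/24 addresses are constructed sample data.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


@dataclass
class SnoopingSwitch:
    """Toy DHCP snooping + Dynamic ARP Inspection engine for one switch
    (added illustration of the mechanism, not vendor code)."""
    trusted_ports: set                                   # uplinks toward the real DHCP server / router
    bindings: dict = field(default_factory=dict)         # (vlan, mac) -> (ip, client port)
    pending: dict = field(default_factory=dict)          # (vlan, mac) -> port of the outstanding REQUEST
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg, src_mac, chaddr, yiaddr=None):
        """DHCP snooping. Return True if the message is forwarded, False if dropped."""
        trusted = port in self.trusted_ports
        if msg in SERVER_MSGS and not trusted:
            self.log.append(f"DROP rogue DHCP {msg} from {src_mac} on untrusted {port}")
            return False
        if msg not in SERVER_MSGS and not trusted and src_mac != chaddr:
            # MAC verification: a client may not claim someone else's hardware address
            self.log.append(f"DROP DHCP {msg} on {port}: frame source {src_mac} != chaddr {chaddr}")
            return False
        key = (vlan, chaddr)
        if msg == "REQUEST" and not trusted:
            self.pending[key] = port                     # remember which access port the client is on
        elif msg == "ACK":
            client_port = self.pending.pop(key, None)
            if client_port is not None:
                self.bindings[key] = (yiaddr, client_port)
        elif msg in ("RELEASE", "DECLINE") and not trusted:
            bound = self.bindings.get(key)
            if bound is None or bound[1] != port:        # releasing a lease held on a different port
                self.log.append(f"DROP DHCP {msg} for {chaddr} on {port}: "
                                f"binding is on {bound[1] if bound else 'no port'}")
                return False
            del self.bindings[key]
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection. Return True if the ARP packet is forwarded."""
        if port in self.trusted_ports:
            return True                                  # trusted ports are not inspected
        bound = self.bindings.get((vlan, sender_mac))
        if bound != (sender_ip, port):                   # IP, MAC and port must all match a lease
            self.log.append(f"DROP ARP '{sender_ip} is-at {sender_mac}' on {port}: no matching binding")
            return False
        return True


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/48"})
    client, server, attacker = "aa:aa:aa:00:00:01", "00:11:22:33:44:55", "bb:bb:bb:00:00:01"
    # Legitimate lease: client on Gi1/0/3, real server reached through the trusted uplink.
    sw.dhcp("Gi1/0/3", 10, "DISCOVER", client, client)
    sw.dhcp("Gi1/0/48", 10, "OFFER", server, client, "10.0.10.50")
    sw.dhcp("Gi1/0/3", 10, "REQUEST", client, client)
    sw.dhcp("Gi1/0/48", 10, "ACK", server, client, "10.0.10.50")
    results = {
        # rogue DHCP server plugged into an access port
        "rogue_offer": sw.dhcp("Gi1/0/7", 10, "OFFER", attacker, client, "10.0.10.200"),
        # the lease holder announcing its own address
        "legit_arp": sw.arp("Gi1/0/3", 10, client, "10.0.10.50"),
        # the lease holder claiming the gateway's address
        "spoof_gateway_from_lease_holder": sw.arp("Gi1/0/3", 10, client, "10.0.10.1"),
        # a host that never obtained a lease claiming the gateway's address
        "spoof_from_unknown_host": sw.arp("Gi1/0/7", 10, attacker, "10.0.10.1"),
        # attacker spoofing the client's MAC to release its lease from another port
        "forged_release": sw.dhcp("Gi1/0/7", 10, "RELEASE", client, client),
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    print(outcome)
    print("\n".join(switch.log))
```

Two caveats the model makes obvious: a host with a static IP address never appears in the binding table, so DAI drops its ARP traffic unless its port is trusted or an ARP ACL covers it; and everything hinges on the uplink being the only trusted port, since a trusted access port lets both rogue DHCP and spoofed ARP straight through.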

VLAN Configuration

  • Best Practice: Keep management traffic on its own VLAN, separate from user traffic; assign unused ports to a dead-end VLAN that has no gateway and no other members

Firmware and Patching

  • Importance: Firmware updates fix security bugs; an unpatched device keeps known, often publicly documented vulnerabilities exposed
  • Challenges: An upgrade can change behaviour or break features, so test it in a lab first, schedule a maintenance window, and keep a library of known-good firmware images so you can roll back
  • Types of Updates:
    • Regular: On a schedule (e.g., monthly) or as vendor releases arrive
    • Emergency: Out of cycle, for zero-day or actively exploited vulnerabilities

Role-Based Access Control (RBAC)

  • Purpose: Limits which device features each user can reach, based on an assigned role rather than a single shared admin login
  • Implementation: Define roles per job function (e.g., admin: full configuration; help desk: show commands and port resets only) and assign users to them
  • Access Control Lists (ACLs): Additionally restrict which source IP addresses and protocols may reach the management interface at all

Firewall Rules and Implicit Deny

  • Function: Controls traffic flow by evaluating each packet against an ordered rule list; the first matching rule decides
  • Typical Configuration:
    • Allow rules: Specific services only (e.g., SSH from the management network, HTTP and HTTPS to the web servers)
    • Implicit Deny: Anything no allow rule matches is dropped by default, usually without a log entry
    • Explicit Deny: A final deny-all rule placed after the allow rules so the same dropped traffic is logged and can be investigated
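
Added example, not code from the original notes: a small first-match rule evaluator in Python that makes the implicit/explicit deny distinction concrete. The web server at 192.0.2.10, the management network 10.0.0.0/24 and the sample packets are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dports: frozenset      # destination ports; empty set = any port
    log: bool = False


def matches(rule, pkt):
    """Does this packet (dict with proto, src, dst, optional dport) match the rule?"""
    return (rule.proto in ("any", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and (not rule.dports or pkt.get("dport") in rule.dports))


def evaluate(rules, pkt, log):
    """First match wins. A packet matching nothing falls through to the implicit
    deny, which drops it but writes nothing to the log."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.log:
                log.append(f"{rule.name}: {rule.action} {pkt['proto']} "
                           f"{pkt['src']} -> {pkt['dst']}:{pkt.get('dport', '-')}")
            return rule.action, rule.name
    return "deny", "implicit"


# Hypothetical policy for a web server at 192.0.2.10 managed from 10.0.0.0/24.
WEB = "192.0.2.10/32"
BASE_RULES = (
    Rule("ssh-from-mgmt", "allow", "tcp", "10.0.0.0/24", WEB, frozenset({22})),
    Rule("web-public", "allow", "tcp", "0.0.0.0/0", WEB, frozenset({80, 443})),
)
# The same policy with an explicit, logged deny-all appended as the last rule.
RULES_WITH_EXPLICIT_DENY = BASE_RULES + (
    Rule("deny-all-log", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", frozenset(), log=True),
)

# Constructed sample traffic.
PACKETS = (
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22},      # admin SSH
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 443},  # public HTTPS
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 22},   # SSH from the Internet
    {"proto": "udp", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 161},  # SNMP probe
)


def run(rules):
    """Return ([(action, rule name), ...], log lines) for the sample traffic."""
    log = []
    decisions = [evaluate(rules, pkt, log) for pkt in PACKETS]
    return decisions, log


if __name__ == "__main__":
    for name, rules in (("implicit deny only", BASE_RULES), ("explicit deny", RULES_WITH_EXPLICIT_DENY)):
        decisions, log = run(rules)
        print(name, decisions, log)
```

Both rulesets block the same two packets; the difference is that only the second one leaves a record of the Internet-side SSH attempt and the SNMP probe. Because evaluation is first-match, order matters: a broad allow placed above a narrower deny shadows it, and the explicit deny-all must stay last or it will swallow the allow rules beneath it.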