If you're a network administrator, you're probably using SNMP, the Simple Network Management Protocol, to query and receive information about the infrastructure devices on your network. This could mean monitoring servers, switches, firewalls, routers, or anything else connected to the network. Unfortunately, not all versions of SNMP provide good security. SNMP version 1 and SNMP version 2c communicate over the network in the clear, protected only by a plaintext community string; there's no encryption built into either of those versions. If you're using SNMP, you should be using SNMP version 3. Version 3 adds authentication and, in its authPriv mode, encryption, so that everything sent across the network is private and can't be tampered with. Unfortunately, not all devices support SNMP version 3, so check the documentation for your devices to see what options are available to you.

Another useful network hardening technique is to protect your IPv6 router advertisements using something called Router Advertisement Guard, or RA Guard. This technique focuses on the router advertisements sent with IPv6. Devices on the network send router solicitations, and if a router sees a solicitation it sends back a router advertisement. The security concern is the advertisement itself. Normally it comes from a legitimate router on your subnet, but an attacker can pretend to be a router, which lets them pull traffic through their own device for an on-path attack or cause a denial of service. Many switches can turn on RA Guard, where they validate every router advertisement against RA Guard policies, for example by accepting advertisements only on ports that face a known router. With these policies in place, you can be assured that the devices on your network only receive router advertisements from legitimate routers.

Another useful security technique on your switches is port security. Port security prevents unauthorized users from connecting to a switch and gaining access to the rest of the network. It's based on the source MAC address seen on a particular switch interface. If that MAC address doesn't match what you previously configured on the switch, you decide what to do with that traffic. For example, you might configure a maximum number of source MAC addresses on a particular interface. Normally, a person working on the network is connected using one MAC address, but if someone else comes along, disconnects that user and plugs in their own device, a new MAC address appears on that interface. The switch monitors how many different MAC addresses it has seen on each physical interface, and if that number is exceeded you can choose to disable the interface or send an alert to the administrator. Keep in mind that a MAC address is trivial to spoof, so port security raises the bar against casual misuse rather than a determined attacker; 802.1X, covered later in this section, is the stronger control.

In previous videos we've discussed how ARP spoofing can be used to circumvent existing security and create on-path attacks. There's a way to prevent this in the switch by using DAI, or Dynamic ARP Inspection. This adds monitoring to the network and provides security that isn't included in the Address Resolution Protocol itself. Dynamic ARP Inspection starts with a map of the devices on your network and their IP addresses. It collects this information using DHCP snooping, where the switch examines all of the DHCP communication and builds a table of which IP addresses are assigned to which MAC addresses on which ports. The switch sees the ARP communication and can decide, based on that table, whether a particular ARP packet is legitimate. If the sender IP and MAC address in an ARP request or reply don't match what's in the table, the switch discards it.

Many of our modern network infrastructure devices have different planes of operation. The part of the device that handles the forwarding of traffic is the data plane. The device also has a management plane, which is how we configure and monitor it, and a control plane, which runs the protocols (such as routing) that decide how traffic is forwarded. In practice the two are usually protected together, and many vendors call that protection control plane policing. Since this is where the configuration and monitoring of the device happens, it's a very important plane to secure, and we need to make sure we're protected against denial of service or someone performing reconnaissance. We might also configure quality of service on our network so that management traffic to the control plane has priority over other types of traffic. We could also do some firewalling, so that not only are we prioritizing the management traffic, we're also blocking any non-management traffic. If you know that all of your control plane traffic is going to be SSH, you can disable all other control plane traffic that is not SSH. And to protect against denial of service or other traffic floods sent to the management plane, you can rate limit any traffic sent directly to the management port on the switch.

If you've ever connected to a public Wi-Fi hotspot, you may have noticed that you have access to the internet but not to the other devices on that same wireless network. This probably means the network administrator has configured port isolation (also called client isolation or a private VLAN), which limits or prevents communication between the devices on that switch or access point, even when all of them are in the same VLAN. With port isolation turned on, there's no way for those devices to communicate with each other. You might also see this at home: your home network can communicate with the internet, but you can't communicate with other homes in your neighborhood. Or perhaps you're in a hotel room that can reach the internet, but you can't communicate with any of the other devices in that hotel.

Another important best practice when hardening a network is to administratively disable any interfaces that are not currently in use. This prevents someone from walking into a conference room or a break room, plugging into the network and gaining access to the internal network. Many organizations take it a step further and implement network access control using 802.1X. This means users need valid authentication before they're ever able to communicate on the network.

Every service running on a system that needs to be accessed over the network has an open port, and every open TCP or UDP port on that device is a potential security concern. So we want to close all unnecessary ports and leave open only the TCP and UDP ports needed to reach those services. You'd commonly control this access with a firewall, either a next-generation firewall on the network or the firewall built into the operating system on that server. You also want to be sure that any unknown services, or services that may have been installed previously, are either disabled or filtered from network communication. When someone implements a new network service and isn't quite sure which port number should be open, they might configure a firewall policy that allows port 0 through port 65535, effectively allowing access to every port on that device. From a security perspective, you only want to enable the ports that are necessary for the application to work. So you may want to use a port scanner such as nmap to see exactly which ports are open on that device, and limit your access controls and firewall rules to only those ports.

If you've ever installed a new access point, switch, router or any other new device on the network, you know there's a default set of credentials used for the initial login. Sometimes these usernames and passwords are administrator and admin, or simply admin and admin. This gives a remote user administrative access to the device, allowing them to make any change they'd like to the configuration of that system. So it's important to change the password to something that wouldn't be available to others, or to create a separate account for the administrator and disable the default account. If you want to see what the default credentials might be for some of your devices, you can find a number of resources on the internet such as routerpasswords.com.

If you're planning to change the password on one of these devices, make sure the password is something that's difficult for someone else to guess. You want what's called a strong password, one with enough complexity that it isn't easily discovered. Your focus should be on increasing the entropy of that password. Entropy is a measure of how unpredictable a value is, so you don't want to use single words or obvious passwords like the name of your dog, and you want to mix uppercase, lowercase and perhaps other characters into the password. Be careful with character substitutions, for example replacing an o with a zero or the letter t with a seven: attackers already know these techniques are in use, and their brute-force and dictionary tools already take them into account, so they add far less entropy than they appear to. These days we tend to create passwords that are eight characters or longer, and longer is better; very often you can choose a phrase or a set of unrelated words to make your password even stronger.

One of the challenges with DHCP, the Dynamic Host Configuration Protocol, is that there's no security built into the DHCP specification. We can add security in our switches by enabling DHCP snooping. This allows us to track IP addresses and MAC addresses on this layer 2 device; the switch effectively becomes a DHCP firewall. You configure the switch to trust the ports facing routers, other switches, DHCP servers and anything else that legitimately hands out DHCP responses, and you do not have the switch trust any of the other devices on your network, such as computers that could be turned into unofficial DHCP servers. With DHCP snooping, the switch examines the DHCP conversations and builds its own table of which IP addresses are associated with which MAC addresses on which ports. Server-side messages such as DHCP offers and acknowledgments arriving on an untrusted port are dropped, so an attacker who tries to run their own DHCP server is filtered automatically. The binding table also feeds other features: Dynamic ARP Inspection uses it to validate ARP, and IP Source Guard uses it to filter traffic that doesn't match the recorded IP and MAC address for that port, so if someone tries to statically assign an IP address on their system, that traffic is filtered by the switch.

If you look at the configuration of a switch, you'll find that all access ports, meaning all interfaces that are not trunk interfaces, are assigned to a specific VLAN. This means the user connecting on that physical interface is added to the VLAN associated with that port. If we look at the VLAN configuration on my network, you can see there are a number of interfaces, 24 FastEthernet interfaces and two Gigabit interfaces, and all of them are configured with the default VLAN, which is VLAN 1. If I connect a device to FastEthernet0/14 and turn it on, it will automatically be part of VLAN 1.

One of the challenges with having users on the default VLAN is that there might be administrative traffic on that VLAN as well; for example, control plane access or management of the switch might occur on the default VLAN. As a security best practice, we don't want our users on the same VLAN used by our management traffic, so we might create a separate VLAN on that switch that's just for management communication. We also might configure the switch so that any interfaces that currently don't have anything connected to them aren't in the default VLAN. Instead, we can create a dead-end VLAN, sometimes called an impasse VLAN, and assign any unused interfaces to it. That way, if someone finds their way onto that interface, plugs in their device and tries to gain access to the network, they'll find they're on a VLAN that goes nowhere.

If you look at the internals of your switches, routers and other network devices, you'll find that they aren't running an operating system you manage the way you would a Linux or Windows server. Even where the firmware is built on something like Linux underneath, the vendor delivers it as a single firmware image, and occasionally there's a need to upgrade that firmware so the system stays up to date. This usually happens when there's a security vulnerability associated with that firmware, so you have to upgrade to the latest version to patch that hole. Unfortunately, the upgrade process doesn't always go as planned; sometimes upgrading firmware introduces other bugs or problems, and you may need to downgrade after identifying them. It's not always easy to find one of those older firmware versions, so keep a library of all of your devices and all of the firmware versions that have run on them. This lets you move to any particular firmware version at any time, especially if you run into a problem.

This idea of patching a system should not be a surprise; it should be part of your normal procedures. You want to keep up with the latest version so that your systems are not only stable but also fixed for any security problems in the current version. Some manufacturers create service packs that install many different patches at one time, or you may install patches as they're released every month. Sometimes a manufacturer will release a patch outside of this normal cycle, especially for an emergency or a zero-day attack; they may publish an out-of-band update and require you to apply it as soon as possible.

As a network administrator, you need full and complete access to your switches, routers and other infrastructure devices. You may want other individuals in the organization to have their own access to these devices without giving them administrative access; perhaps you only want them to view statistics or logs on the device. In those cases, you can configure role-based access, creating one role for administrators and a different role for the help desk or management. You may find that the switches, routers, firewalls and other devices you're using allow the configuration of specific roles, so you could create an administrative group, a help desk group and an IT management group within the device and assign users to each of those groups. You'd then specify what those groups are able to access and which parts of the system they are not. For example, the help desk may be able to view statistics, and an API access group may not be able to log in interactively.

You could take this a step further by creating a set of access control lists, or ACLs. These allow or disallow access to the system based on a number of tuples, groupings of fields that might include source IP addresses, destination IP addresses, port numbers or anything else you can use to decide whether traffic should be allowed or denied. Maybe you'd like to restrict access to a particular switch or router to a series of IP addresses: you know the network administration team is on a specific VLAN or set of IP address ranges, and you want to prevent all access to that device from anywhere outside that range. You obviously want to be careful when configuring these, because if you're outside of your local VLAN and need access to the device, you might be locked out of your own equipment. Make sure the access control lists are strong enough to prevent unauthorized use but still allow you to manage those devices.

One type of access control list is a firewall rule. We may want to allow or disallow traffic through our network based on a series of rules added to the firewall. This list of rules is evaluated one at a time, from the top, and the first rule that matches the traffic decides its disposition, which is in the action column. At the bottom of the list, most firewalls have an implicit deny, which means that if none of the rules match by the time you reach the end of the rule list, the traffic is automatically dropped. These implicit denies are commonly not logged. That's why many firewall administrators add one final rule at the bottom, any IP to any IP over any port number and any protocol, with an action of deny. This is effectively the same thing as the implicit deny, except we're creating the deny rule explicitly. Most firewalls are configured to log anything that matches a rule in the rule base, so by adding this explicit deny to the bottom of the list we can log any traffic that doesn't match any of the other rules in our firewall.

Here's a very simple rule base for a layer 4 firewall. The rules have a rule number, a remote IP address, a remote port number, a local port number, a protocol and an action to follow:

Rule  Remote IP  Remote port  Local port  Protocol  Action
1     any        any          22          TCP       Allow
2     any        any          80          TCP       Allow
3     any        any          443         TCP       Allow
4     any        any          any         any       Deny

Look at the first rule: any remote IP and any remote port can communicate with local port 22 over TCP, and that traffic is allowed. Since TCP port 22 is SSH, this rule was probably set up to allow inbound SSH. Rule number two allows any remote IP address over any remote port to communicate with the local device on port 80 using TCP. TCP port 80 is commonly used by HTTP, so this allows traffic to a web server. The rule right after that covers TCP port 443, which is the HTTPS traffic to that web server. And the last rule is an explicit deny: if traffic doesn't match rule one, two or three, we deny that traffic and log it in the firewall. You
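The port security behaviour described above, as an added example that is not code from the page or from any switch vendor: the switch counts distinct source MAC addresses per access port and, when a frame arrives from one more MAC than the configured maximum, either err-disables the port or raises an alert. The class name, port name and MAC addresses are assumptions constructed for the illustration.

```python
# Added example (not from the page): a model of switch port security.
# A SecuredPort learns source MACs up to max_macs; a frame from an extra MAC
# is a violation that either shuts the port (err-disable) or only alerts.
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    name: str
    max_macs: int = 1                 # maximum number of source MACs allowed
    violation: str = "shutdown"       # "shutdown" (err-disable the port) or "alert"
    learned: set = field(default_factory=set)
    enabled: bool = True
    alerts: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Process one inbound frame; return True if the switch forwards it."""
        mac = src_mac.lower()
        if not self.enabled:
            # An err-disabled port drops everything until an admin re-enables it.
            return False
        if mac in self.learned:
            return True
        if len(self.learned) < self.max_macs:
            self.learned.add(mac)     # learn the MAC, like "sticky" port security
            return True
        # A new MAC beyond the configured limit: this is the violation case.
        if self.violation == "shutdown":
            self.enabled = False
            self.alerts.append(f"{self.name}: err-disabled after seeing {mac}")
        else:
            self.alerts.append(f"{self.name}: violation from {mac}, frame dropped")
        return False


def run_frames(frames, max_macs=1, violation="shutdown"):
    """Feed a sequence of source MACs to one port; return (forwarded flags, port)."""
    port = SecuredPort("Fa0/14", max_macs=max_macs, violation=violation)
    return [port.ingress(m) for m in frames], port


if __name__ == "__main__":
    # Constructed traffic: the legitimate user, then someone unplugs them and
    # plugs in their own device, then the original user plugs back in.
    frames = ["00:11:22:33:44:01", "00:11:22:33:44:01",
              "de:ad:be:ef:00:02", "00:11:22:33:44:01"]
    for mode in ("shutdown", "alert"):
        forwarded, port = run_frames(frames, violation=mode)
        print(mode, forwarded, port.alerts)
```

The difference between the two violation modes is visible in the last frame: in shutdown mode the legitimate user is also cut off until an administrator clears the port, which is the trade-off you accept for stopping the intruder outright.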
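An added example (not the page's code) covering both the Dynamic ARP Inspection passage and the later DHCP snooping passage: a model of a layer 2 switch that builds a DHCP snooping binding table from the DHCP exchange it sees, drops server replies on untrusted ports, and then uses the table for Dynamic ARP Inspection and IP Source Guard. Port names, MAC and IP addresses and the message dictionaries are constructed for the scenario.

```python
# Added example (not from the page): DHCP snooping with DAI and IP Source Guard.
from dataclasses import dataclass, field


@dataclass
class Binding:
    ip: str
    port: str


@dataclass
class SnoopingSwitch:
    trusted: set                                   # ports allowed to send DHCP server replies
    bindings: dict = field(default_factory=dict)   # client MAC -> Binding(ip, port)
    pending: dict = field(default_factory=dict)    # client MAC -> port its DHCP request came in on
    dropped: list = field(default_factory=list)    # (port, reason) for every filtered packet

    def _drop(self, port, reason):
        self.dropped.append((port, reason))
        return False

    def dhcp(self, port, src_mac, msg):
        """Inspect one DHCP message. msg has 'op' (DISCOVER/OFFER/REQUEST/ACK),
        'chaddr' (client hardware address) and, for server replies, 'yiaddr'."""
        chaddr = msg["chaddr"].lower()
        if msg["op"] in ("OFFER", "ACK"):
            if port not in self.trusted:
                return self._drop(port, "DHCP server reply on untrusted port")
            if msg["op"] == "ACK" and chaddr in self.pending:
                # Lease confirmed: bind the client's MAC to its IP and *its* port.
                self.bindings[chaddr] = Binding(msg["yiaddr"], self.pending.pop(chaddr))
            return True
        if port not in self.trusted and chaddr != src_mac.lower():
            return self._drop(port, "DHCP chaddr does not match frame source MAC")
        self.pending[chaddr] = port
        return True

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: sender MAC/IP must match the binding for this port."""
        if port in self.trusted:
            return True
        b = self.bindings.get(sender_mac.lower())
        if b is None or b.ip != sender_ip or b.port != port:
            return self._drop(port, f"DAI: {sender_mac} claims {sender_ip}")
        return True

    def ip_packet(self, port, src_mac, src_ip):
        """IP Source Guard: IP traffic must come from the bound MAC/IP on this port."""
        if port in self.trusted:
            return True
        b = self.bindings.get(src_mac.lower())
        if b is None or b.ip != src_ip or b.port != port:
            return self._drop(port, f"IPSG: {src_ip} from {src_mac}")
        return True


def demo():
    """Constructed scenario: Gi0/1 is the uplink to the real DHCP server,
    Fa0/2 is a user, Fa0/3 is an attacker running a rogue DHCP server."""
    sw = SnoopingSwitch(trusted={"Gi0/1"})
    user, rogue, server = "00:11:22:33:44:01", "de:ad:be:ef:00:03", "00:aa:bb:cc:dd:ee"
    out = {}
    sw.dhcp("Fa0/2", user, {"op": "DISCOVER", "chaddr": user})
    out["rogue_offer"] = sw.dhcp("Fa0/3", rogue, {"op": "OFFER", "chaddr": user, "yiaddr": "10.0.0.66"})
    sw.dhcp("Gi0/1", server, {"op": "OFFER", "chaddr": user, "yiaddr": "10.0.0.20"})
    sw.dhcp("Fa0/2", user, {"op": "REQUEST", "chaddr": user})
    sw.dhcp("Gi0/1", server, {"op": "ACK", "chaddr": user, "yiaddr": "10.0.0.20"})
    out["binding"] = sw.bindings[user]
    out["user_arp"] = sw.arp("Fa0/2", user, "10.0.0.20")           # legitimate reply
    out["gateway_spoof"] = sw.arp("Fa0/3", rogue, "10.0.0.1")      # attacker claims the gateway
    out["user_spoof"] = sw.arp("Fa0/3", user, "10.0.0.20")         # attacker clones the user's MAC/IP
    out["static_ip"] = sw.ip_packet("Fa0/3", rogue, "10.0.0.50")   # attacker sets a static address
    out["dropped"] = sw.dropped
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The binding records the port the client's request arrived on, not the trusted port the acknowledgment came from; that is what lets the switch reject the attacker on Fa0/3 even when they copy the victim's MAC and IP exactly.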
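To make the point about substitutions and entropy concrete, here is an added example (not from the page) that scores a password two ways: the naive length-times-character-set figure most password meters show, and an attacker-model estimate that assumes the cracking tool already reverses common character substitutions and tries dictionary words with capitalisation and suffix variations. The substitution map, the tiny word list and the 7776-entry passphrase list size are assumptions made for the illustration.

```python
# Added example (not from the page): naive versus attacker-model password entropy.
import math
import string

# Substitutions a cracking rule set reverses before dictionary matching (assumed set).
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "dragon", "monkey"}  # constructed tiny list
PASSPHRASE_LIST_SIZE = 7776   # assumed size of a diceware-style word list


def naive_bits(pw: str) -> float:
    """Length times log2 of the character classes present (what most meters show)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def estimated_bits(pw: str) -> float:
    """Attacker-model estimate. A dictionary word dressed up with substitutions,
    a capital letter and a digit/symbol suffix costs the attacker only a few
    extra guesses per word; a passphrase of independent words does not."""
    words = pw.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        return len(words) * math.log2(PASSPHRASE_LIST_SIZE)
    core_raw = pw.rstrip(string.digits + string.punctuation)   # e.g. "Summer" from "Summer2024!"
    suffix = pw[len(core_raw):]
    core = "".join(LEET.get(c, c) for c in core_raw).lower()   # undo substitutions
    if core in COMMON_WORDS:
        subs = sum(1 for c in core_raw if c in LEET)           # each substitution: on or off, 1 bit
        suffix_bits = sum(math.log2(10) if c.isdigit() else math.log2(len(string.punctuation))
                          for c in suffix)
        return math.log2(len(COMMON_WORDS)) + subs + 1 + suffix_bits   # +1 bit: capitalised or not
    return naive_bits(pw)   # not a known word: fall back to the naive figure


if __name__ == "__main__":
    for pw in ("passw0rd", "P@ssw0rd!", "Summer2024!", "correct horse battery staple"):
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, estimated {estimated_bits(pw):.1f} bits")
```

The gap between the two numbers for "P@ssw0rd!" is the entropy the substitutions only appear to add; the four-word passphrase scores lower on the naive scale but holds its value under the attacker model because each word is an independent choice.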
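The role-based access and management ACL passages above, as one added example that is not the page's own code: a check that a management session must come from a permitted source range, must use SSH, and must carry a role that allows both interactive login and the requested action, plus the pre-flight check a practitioner wants before applying such an ACL, confirming their own hosts stay inside it so they don't lock themselves out. The role names, permissions and address ranges are assumptions.

```python
# Added example (not from the page): management-plane ACL plus role-based access.
import ipaddress

# Assumed management sources: the network admin VLAN and one jump host.
MGMT_ACL = [ipaddress.ip_network("10.10.0.0/24"),
            ipaddress.ip_network("192.168.100.5/32")]
ALLOWED_PROTOCOLS = {"ssh"}          # everything else to the control plane is dropped

# Assumed roles; "login" means interactive access is permitted at all.
ROLES = {
    "admin":      {"login", "view_stats", "view_logs", "configure"},
    "helpdesk":   {"login", "view_stats", "view_logs"},
    "it_mgmt":    {"login", "view_stats"},
    "api_access": {"view_stats"},    # may query statistics but never log in interactively
}


def acl_permits(src_ip: str, acl=MGMT_ACL) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in acl)


def authorize(src_ip, protocol, role, action, acl=MGMT_ACL):
    """Return (allowed, reason). Network checks run first so that traffic from
    outside the ACL never reaches authentication or role lookup."""
    if not acl_permits(src_ip, acl):
        return False, f"{src_ip} not in management ACL"
    if protocol not in ALLOWED_PROTOCOLS:
        return False, f"{protocol} not permitted on the management plane"
    perms = ROLES.get(role, set())
    if "login" not in perms:
        return False, f"role {role} may not log in interactively"
    if action not in perms:
        return False, f"role {role} lacks {action}"
    return True, "ok"


def check_lockout(acl, admin_hosts):
    """Before applying a management ACL, list every admin host it would exclude."""
    return [h for h in admin_hosts if not acl_permits(h, acl)]


if __name__ == "__main__":
    print(authorize("10.10.0.7", "ssh", "helpdesk", "configure"))
    print(check_lockout(MGMT_ACL, ["10.10.0.7", "172.16.5.9"]))
```

Running check_lockout against the address you actually administer from, before the ACL goes live, is the cheap guard against the lockout the text warns about.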
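An added example (not the page's code) that ties together the advice to scope firewall rules to the ports nmap actually reports open and the layer 4 rule base just described: it parses a constructed line in nmap's grepable (-oG) output format, builds first-match allow rules for the open ports, appends the explicit any/any deny, and evaluates sample packets. The packets, host and addresses are constructed; the logging behaviour modelled is the one the text describes, the implicit deny dropping silently and the explicit deny dropping with a log entry.

```python
# Added example (not from the page): a first-match layer 4 rule base built from
# nmap output, with an explicit logged deny at the bottom.
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in nmap's -oG format for one scanned host.
NMAP_OG = ("Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
           "443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)")


@dataclass(frozen=True)
class Rule:
    number: int
    remote_ip: str        # CIDR or "any"
    remote_port: object   # int or "any"
    local_port: object    # int or "any"
    protocol: str         # "tcp", "udp" or "any"
    action: str           # "allow" or "deny"

    def matches(self, remote_ip, remote_port, local_port, protocol):
        if self.remote_ip != "any" and \
                ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.remote_ip):
            return False
        if self.remote_port != "any" and self.remote_port != remote_port:
            return False
        if self.local_port != "any" and self.local_port != local_port:
            return False
        return self.protocol in ("any", protocol)


def open_ports(nmap_og_line):
    """Return [(port, proto)] for every port nmap reports as open (filtered/closed are skipped)."""
    return [(int(port), proto) for port, state, proto in
            re.findall(r"(\d+)/(\w+)/(\w+)//", nmap_og_line) if state == "open"]


def build_rulebase(nmap_og_line, explicit_deny=True):
    """One allow rule per open port; optionally the explicit any/any deny at the end."""
    rules = [Rule(i, "any", "any", port, proto, "allow")
             for i, (port, proto) in enumerate(open_ports(nmap_og_line), start=1)]
    if explicit_deny:
        rules.append(Rule(len(rules) + 1, "any", "any", "any", "any", "deny"))
    return rules


def evaluate(rules, packet, log):
    """First matching rule wins. A matched deny is logged; traffic that matches
    nothing falls through to the implicit deny, which is dropped without a log entry."""
    remote_ip, remote_port, local_port, protocol = packet
    for rule in rules:
        if rule.matches(remote_ip, remote_port, local_port, protocol):
            if rule.action == "deny":
                log.append(f"rule {rule.number} denied {protocol} "
                           f"{remote_ip}:{remote_port} -> :{local_port}")
            return rule.action == "allow"
    return False   # implicit deny: nothing logged


if __name__ == "__main__":
    rules = build_rulebase(NMAP_OG)
    log = []
    for pkt in [("203.0.113.5", 51000, 22, "tcp"), ("203.0.113.5", 51001, 23, "tcp"),
                ("203.0.113.5", 51002, 443, "udp")]:
        print(pkt, "allowed" if evaluate(rules, pkt, log) else "denied")
    print(log)
```

Compare the log with explicit_deny=False: the same packets are still dropped, but nothing records the attempt, which is exactly the visibility the explicit final rule buys you.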