Securing a network is not a simple thing to do. There are always new vulnerabilities and fresh adversaries. Accordingly, the methods for securing devices change and new security features are released. To help you keep up, this article shares the latest network security best practices.
The National Security Agency (NSA) in March released a Cybersecurity Technical Report offering Network Infrastructure Security Guidance. The NSA noted, “All networks are at risk of compromise, especially if devices are not properly configured and maintained.”
The agency cautions that securing your network devices, applications, and information against adversarial techniques requires dedication to overall network security and protection of individual network devices. To that end, here are eight network security best practices.
The surface area for attackers is expanding. Businesses keep adding devices and applications to the network. At the same time, remote users want continued access to systems, services, application programming interfaces, data and processes. They want it anywhere, anytime, and from any Internet-connected device.
Amping up user authorization, Zero Trust Network Access replaces “excessive implicit trust” with “explicit identity-based trust.” Since its creation in 2010, ZTNA has been used to improve flexibility, agility and scalability of access while moving away from the automatic trust of anything inside or outside the network perimeter. Instead, ZTNA verifies anything and everything trying to access that system.
With Zero Trust, it doesn’t matter what IP address or device someone is using: that individual user must first be authenticated before access is granted. Verification involves technologies such as multifactor authentication, analytics, scoring and file system permissions to quickly and consistently validate connections between users, data, and resources.
Our AccessEnforcer meets the need for ZTNA with Gatekeeper. Requiring multifactor authentication of users, Gatekeeper also helps you empower security response and provides the data needed to analyze user behaviors and detect and mitigate threats.
Multiple defensive layers can be used to defend against threats and protect network resources. The NSA recommends:
Monitor and restrict inbound and outbound traffic with AccessEnforcer. Not only does our platform provide firewall network protection, but it also actively logs and tracks access information. AccessEnforcer examines the content of every packet for malicious content before it enters the network. Plus, our VPN unlimited provides fast and secure connections to your remote network.
With the Geo Fence feature, businesses can set specific rules to allow or block traffic from selected countries and benefit from detailed alerts for monitoring, troubleshooting, and tightening the configuration.
Outdated hardware and software put the network at risk. Regular, consistent maintenance helps ensure network security. The NSA recommends:
AccessEnforcer makes this even easier with automatic updates ensuring your network stays secure long after installation. Our updates include new defensive measures, enhanced functionality, and software patching.
Make things more challenging for adversaries by setting up managed administrative access to devices. The NSA recommends centralized authentication, authorization, and accounting (AAA) servers to assist with detection and prevention of adversary activities. This approach:
It all supports least privilege access, which gives a person the lowest privilege level needed to fulfill their responsibilities. The NSA also calls for limiting authentication attempts to prevent brute force attacks.
AccessEnforcer takes AAA to the next level with our Community Shield delivering automated, correlated shared defense, prevention and detection. Our collective network defense automatically blocks any network traffic, inbound or outbound, with suspicious and malicious IP addresses detected by any AccessEnforcer device.
You’ve heard this one before! The NSA observes, “Local accounts are vital to the management of network devices.” To secure them, the NSA recommends:
Considering the ubiquity of this advice, Calyptix has ensured password change processes remain seamless with AccessEnforcer.
Logging is critical to identify malicious activity. That’s why the NSA calls for enabling logging, establishing centralized remote log servers, capturing necessary log information, and synchronizing clocks.
Community Shield recognizes that small organizations can’t do it all alone. Logs from all AccessEnforcers are used to detect incidents and block inbound and outbound communications with suspicious and malicious IP addresses. Our users also receive automated, correlated insights on active cyber threats.
Network services including SSH, Hypertext Transfer Protocol (HTTP), and File Transfer Protocol (FTP) help administrators, but they can also be useful for adversaries. The NSA suggests:
AccessEnforcer can streamline this too. Our graphic interface allows technicians to configure and monitor the network with clicks instead of code.
Improper router configuration or the dynamic routing protocols used to populate the routing table could allow malicious abuse. The NSA notes an adversary could “redirect packets to a different destination, allowing sensitive data to be collected, manipulated, or discarded, which would violate confidentiality, integrity, or availability.”
Disabling IP source routing and enabling unicast reverse-path forwarding (uRPF) and routing authentication can all help prevent route manipulation. By disabling dynamic trunking, port monitoring, unused ports, proxy Address Resolution Protocol (Proxy ARP), and the default VLAN, and by enabling port security, you can prevent an adversary from performing exploitation attempts against your network.
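An added example, not from the article or the NSA report: a small auditor that checks a device configuration for several of the settings named above. It assumes Cisco IOS-style command syntax and a constructed sample configuration; the function names and finding texts are illustrative.

```python
import re

SAMPLE_CONFIG = """\
ip source-route
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
 no ip proxy-arp
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet0/3
 shutdown
"""  # constructed sample in Cisco IOS-style syntax (an assumption), not a real device

# (command marking the port type, command that must be present, finding if absent)
CHECKS = [
    (r"ip address .+", r"ip verify unicast source reachable-via .+", "uRPF not enabled"),
    (r"ip address .+", r"no ip proxy-arp", "proxy ARP not disabled"),
    (r"switchport mode access", r"switchport nonegotiate", "dynamic trunking not disabled"),
    (r"switchport mode access", r"switchport port-security", "port security not enabled"),
    (r"switchport mode access", r"switchport access vlan (?!1$)\d+", "port left in default VLAN 1"),
]

def parse(config):
    """Return (global commands, {interface name: [sub-commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("interface "):
            current = interfaces.setdefault(cmd.split(None, 1)[1], [])
        elif raw[:1].isspace() and current is not None:
            current.append(cmd)
        elif cmd not in ("", "!"):  # "!" is only a separator in real configs
            current = None
            global_cmds.append(cmd)
    return global_cmds, interfaces

def audit(config):
    """Return (scope, finding) pairs for hardening settings the config lacks."""
    global_cmds, interfaces = parse(config)
    findings = []
    if "no ip source-route" not in global_cmds:
        findings.append(("global", "IP source routing not disabled"))
    for name, cmds in interfaces.items():
        if "shutdown" in cmds:
            continue  # unused port is already administratively disabled
        has = lambda pat: any(re.fullmatch(pat, c) for c in cmds)
        findings += [(name, msg) for kind, need, msg in CHECKS if has(kind) and not has(need)]
    return findings
```

Treat a uRPF finding as a prompt for review rather than an automatic fix, since strict mode drops legitimate traffic on interfaces with asymmetric routing.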
The extensive tracking, monitoring, and logging of AccessEnforcer can help you identify router and port concerns sooner too.
Defending your network against adversarial threats takes work, a lot of it. These network security best practices can secure and better protect your network to lower the risk of compromise.
You don’t have to do it all alone. With AccessEnforcer, backed by our unbeatable support by US-based engineers who actually answer the phone and solve your problem, you can benefit from all the tools you need to design, implement and maintain a secure network.