Network Security 101: 8 Best Practices

Securing a network is not a simple thing to do. There are always new vulnerabilities and fresh adversaries. Accordingly, the methods for securing devices change and new security features are released. To help you keep up, this article shares the latest network security best practices.

The National Security Agency (NSA) in March released a Cybersecurity Technical Report offering Network Infrastructure Security Guidance. The NSA noted, “All networks are at risk of compromise, especially if devices are not properly configured and maintained.”

The agency cautions that securing your network devices, applications, and information against adversarial techniques requires dedication to overall network security and to the protection of individual network devices. To that end, here are eight network security best practices.

#1 Implement Zero Trust

The surface area for attackers is expanding. Businesses keep adding devices and applications to the network. At the same time, remote users want continued access to systems, services, application programming interfaces, data and processes. They want it anywhere, anytime, and from any Internet-connected device.

Amping up user authorization, Zero Trust Network Access (ZTNA) replaces “excessive implicit trust” with “explicit identity-based trust.” Since its creation in 2010, ZTNA has been used to improve flexibility, agility and scalability of access while moving away from the automatic trust of anything inside or outside the network perimeter. Instead, ZTNA verifies anything and everything trying to access that system.

With Zero Trust, it doesn’t matter what IP address or device someone is using: that individual user must first be authenticated before access is granted. Verification involves technologies such as multifactor authentication, analytics, scoring and file system permissions to quickly and consistently validate connections between users, data, and resources.

Our AccessEnforcer meets the need for ZTNA with Gatekeeper. Requiring multifactor authentication of users, Gatekeeper also helps you empower security response and provides the data needed to analyze user behaviors and detect and mitigate threats.

#2 Apply multiple layers of defense

Multiple defensive layers can be used to defend against threats and protect network resources. The NSA recommends:

  • Installing perimeter and internal defense devices
  • Grouping similar network systems
  • Removing backdoor connections
  • Utilizing strict perimeter access controls
  • Implementing a network access control (NAC) solution
  • Limiting and encrypting virtual private networks (VPNs)

Monitor and restrict inbound and outbound traffic with AccessEnforcer. Not only does our platform provide firewall network protection, but it also actively logs and tracks access information. AccessEnforcer examines the content of every packet for malicious content before it enters the network. Plus, our VPN unlimited provides fast and secure connections to your remote network.

With the Geo Fence feature, businesses can set specific rules to allow or block traffic from selected countries and benefit from detailed alerts for monitoring, troubleshooting, and tightening the configuration.

#3 Upgrade hardware and software regularly

Outdated hardware and software put the network at risk. Regular, consistent maintenance helps ensure network security. The NSA recommends:

  • Verifying software and configuration integrity
  • Maintaining proper file system and boot management
  • Keeping software and operating systems up to date
  • Staying current with vendor-supported hardware

AccessEnforcer makes this even easier with automatic updates ensuring your network stays secure long after installation. Our updates include new defensive measures, enhanced functionality, and software patching.

#4 Control access

Make things more challenging for adversaries by setting up managed administrative access to devices. The NSA recommends centralized authentication, authorization, and accounting (AAA) servers to assist with detection and prevention of adversary activities. This approach:

  • Authenticates the identity of a user or entity
  • Authorizes the authenticated user to access a specific resource or perform a specific action
  • Accounts for all actions that the authenticated user takes

It all supports least privilege access, which gives a person the lowest privilege level needed to fulfill their responsibilities. The NSA also calls for limiting authentication attempts to prevent brute force attacks.

AccessEnforcer takes AAA to the next level with our Community Shield delivering automated, correlated shared defense, prevention and detection. Our collective network defense automatically blocks any network traffic, inbound or outbound, with suspicious and malicious IP addresses detected by any AccessEnforcer device.

#5 Create unique local accounts with complex passwords

You’ve heard this one before! The NSA observes, “Local accounts are vital to the management of network devices.” To secure them, the NSA recommends:

  • Using unique usernames and account settings
  • Changing default passwords
  • Removing unnecessary accounts
  • Employing individual accounts
  • Storing passwords with secure algorithms
  • Creating strong and unique passwords

Considering the ubiquity of this advice, Calyptix has ensured password change processes remain seamless with AccessEnforcer.

#6 Enable and configure logging

Logging is critical to identify malicious activity. That’s why the NSA calls for enabling logging, establishing centralized remote log servers, capturing necessary log information, and synchronizing clocks.

Community Shield recognizes that small organizations can’t do it all alone. Logs from all AccessEnforcers are used to detect incidents and block inbound and outbound communications with suspicious and malicious IP addresses. Our users also receive automated, correlated insights on active cyber threats.

#7 Protect your network management tools

Network services including SSH, Hypertext Transfer Protocol (HTTP), and File Transfer Protocol (FTP) help administrators, but they can also be useful for adversaries. The NSA suggests:

  • Disabling clear text administration services
  • Ensuring adequate encryption strength
  • Utilizing secure protocols
  • Limiting access to services
  • Setting acceptable timeout periods for idle connections
  • Enabling Transmission Control Protocol (TCP) keep-alive
  • Disabling outbound connections
  • Removing SNMP read-write community strings
  • Disabling unnecessary networks
  • Disabling unnecessary network services
  • Disabling discovery protocols on specific interfaces
  • Properly enabling remote network administration services

AccessEnforcer can streamline this too. Our graphic interface allows technicians to configure and monitor the network with clicks instead of code.

#8 Configure routers and interface ports with care

Improper router configuration or the dynamic routing protocols used to populate the routing table could allow malicious abuse. The NSA notes an adversary could “redirect packets to a different destination, allowing sensitive data to be collected, manipulated, or discarded, which would violate confidentiality, integrity, or availability.”

Disabling IP source routing, enabling unicast reverse-path forwarding (uRPF) and routing authentication can all help prevent route manipulation. By disabling dynamic trunking, port monitoring, unused ports, proxy Address Resolution Protocol (Proxy ARP), and the default VLAN, and by enabling port security, you can prevent an adversary from performing exploitation attempts against your network.
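The following audit is an added example, not code from the original article, the NSA report, or Calyptix. It checks a device configuration against several of the settings listed under #7 and #8, assuming Cisco IOS-style syntax (the article names no vendor) and a constructed sample configuration. Hardening lines are required explicitly because default settings do not appear in a running configuration.

```python
import re
# Constructed sample in Cisco IOS-style syntax (assumed; the article names no vendor).
SAMPLE_CONFIG = """\
no ip http server
snmp-server community EXAMPLE-RW RW
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/2
 switchport mode dynamic desirable
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""
# REQUIRED lines must appear at global level; FORBIDDEN lines must appear nowhere.
REQUIRED = [("IP source routing not disabled", r"no ip source-route$"),
            ("clear-text HTTP administration not disabled", r"no ip http server$"),
            ("TCP keep-alive not enabled", r"service tcp-keepalives-in$")]
FORBIDDEN = [("SNMP read-write community string present",
              r"snmp-server community \S+ (?:view \S+ )?RW\b"),
             ("dynamic trunking enabled", r"switchport mode dynamic\b"),
             ("idle timeout disabled", r"exec-timeout 0 0$"),
             ("Telnet administration allowed", r"transport input\b.*\b(?:telnet|all)\b")]

def sections(config):  # group indented lines under the unindented line above them
    out = []
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and out:
            out[-1][1].append(raw.strip())
        else:
            out.append((raw.strip(), []))
    return out

def audit(config):
    """Return findings; messages never echo secrets such as community strings."""
    secs = sections(config)
    flat = [h for h, _ in secs] + [k for _, kids in secs for k in kids]
    found = [m for m, p in REQUIRED if not any(re.match(p, h) for h, _ in secs)]
    found += [m for m, p in FORBIDDEN if any(re.match(p, ln) for ln in flat)]
    for head, kids in secs:  # proxy ARP is judged per routed interface
        routed = any(k.startswith("ip address ") for k in kids)
        if head.startswith("interface ") and routed and "no ip proxy-arp" not in kids:
            found.append("proxy ARP not disabled on " + head.split()[1])
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Findings are reported by rule name only, so the report can be shared without exposing SNMP community strings.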

The extensive tracking, monitoring, and logging of AccessEnforcer can help you identify router and port concerns sooner too.

Lower your network security risk

Defending your network against adversarial threats takes work, a lot of it. These network security best practices can secure and better protect your network to lower the risk of compromise.

You don’t have to do it all alone. With AccessEnforcer, backed by our unbeatable support by US-based engineers who actually answer the phone and solve your problem, you can benefit from all the tools you need to design, implement and maintain a secure network.

Written by Calyptix - May 13, 2022

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.