
Saturday, November 8, 2014

Security Measures on a Budget - Part 2

    In my last article I covered some places where you can find good best-practice guides, as well as some of the organizations that publish them. In this second part of Security on a Budget I’ll go over some good networking practices that you may not currently be following. I cannot stress enough how important best practices are, especially in security. These security holes are among the first things that criminal attackers look for, and they are what will show up as high risk on a vulnerability assessment. Unfortunately, they are also common practice on networks of many types and sizes. There always comes a point when a business has to take calculated risks, but sometimes you don’t even have a way of calculating the risk because of so many unknowns. Rest assured that all of the best practices mentioned here should be adhered to.
    The first thing I’ll go over is network segmentation. A broad, flat network without any physical firewall separation is bad practice, and fixing it is relatively cheap. Firewalls belong not only between your internet-facing devices and servers (the DMZ) and the rest of the network, but also between key portions of the internal network; implemented correctly, this creates a good security posture. One of the best ways to introduce a firewall into an existing environment is to put it inline so it can see all the traffic, and then start creating restrictive rules. Least privilege is always a best practice: this step allows only authorized devices to pass network traffic to certain points. Along with firewalls, you can also segment with VLANs. VLAN 1, the default VLAN, should not be a production VLAN. Different types of devices can also be segmented off into their own VLANs with access lists between them. While access lists are very helpful and also free, they should be used in addition to firewalls, not as a replacement for them.
    Something that is free and very easy to accomplish is turning on port security and disabling switch ports that are not in use. Port security, when enabled, will automatically disable a switch port if one device is unplugged and replaced with another. Both measures prevent malicious people or potentially infected devices from being plugged into your network without the proper security scanning and vetting. It is a good security measure to perform virus and vulnerability scans on equipment before it is attached to your network. I have seen, on multiple occasions, computers or equipment ship from a vendor already infected with malware and viruses. A tool that can help streamline changes such as this is Rancid (http://www.shrubbery.net/rancid/). It can not only save backups of your switch and router configurations, but also push changes like this out to many devices, cutting down on the time spent logging into each device and manually typing out commands. Automation tools like this can be extremely powerful and should be tried in a test environment first if you are unsure of the effects.
    Another piece of free software is Netdisco (http://www.netdisco.org). You can download it as a virtual machine, and little setup is needed to get it up and running in your environment. It is a network reporting tool that keeps track of all the MAC addresses, IP addresses, VLANs, manufacturers, and the like on your local area network. It is entirely web based and very easy to use and gather reports from. It will also tell you which firmware versions are running on your switching and routing infrastructure. Speaking of firmware, keeping the firmware on all infrastructure devices up to date is also best practice, as are changing default SNMP community strings, setting idle timeouts, and using complex passwords. An authentication manager such as TACACS+ can provide centralized authentication if your hardware supports it.
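As an added example (not from the original post), here is a small Python audit that checks a switch running-config for the practices above: default SNMP community strings, access ports without port security, access ports left on VLAN 1, and vty lines with the idle timeout disabled. The config it runs over is a constructed IOS-style sample, and the checks assume Cisco IOS syntax.

```python
# Constructed sample running-config in Cisco IOS style (not captured from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community n3tm0n-r0 RO
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
interface GigabitEthernet0/3
 shutdown
line vty 0 4
 exec-timeout 0 0
"""
DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults that should never reach production

def parse_blocks(config):
    """Split an IOS-style config into (header, [indented child lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Flag default SNMP communities, access ports without port security or left on
    VLAN 1, and vty lines with the idle timeout disabled. Shut-down ports are skipped."""
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("snmp-server community"):
            if header.split()[2] in DEFAULT_COMMUNITIES:
                findings.append(f"{header}: default SNMP community string")
        elif header.startswith("interface") and "shutdown" not in body:
            if "switchport mode access" in body:
                if "switchport port-security" not in body:
                    findings.append(f"{header}: access port without port security")
                # IOS places an access port in VLAN 1 unless a VLAN is set explicitly
                vlans = [l for l in body if l.startswith("switchport access vlan")]
                if not vlans or vlans[0].split()[-1] == "1":
                    findings.append(f"{header}: access port on default VLAN 1")
        elif header.startswith("line vty") and "exec-timeout 0 0" in body:
            findings.append(f"{header}: idle timeout disabled")
    return findings
```

Feed it the output of `show running-config` saved to a file (or a Rancid backup) to get a quick list of the ports and settings that still need attention.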
