Unlike small home networks, where security is often the last thing users consider, security in business-class networks must be treated as a serious task by network administrators and IT managers. Network security is achieved by implementing network security best practices, including a written security policy and a defense-in-depth approach. See also management of information security.
As a minimum, network security best practices should cover physical access to critical assets; access controls on switches and routers; VLAN segmentation; encryption; router connections; and packet filtering.
To implement network security best practices, you must first identify all the components that have to be addressed to deliver a secure network environment. The following list gives the minimum requirements for network security:
- Physical security: You must secure all physical access points and network equipment, including routers, server infrastructure, LAN switches and satellite dishes. Physical security is the foundation for all other security and is often overlooked. All networking infrastructure must be located in a secured area with access granted only to authorized personnel. Any device can be compromised if physical access to it is permitted.
- All operating systems and device firmware must be patched regularly, as soon as the vendor releases patches. For Windows servers, see also the WSUS management system.
- All networking devices, including routers, switches and access points, must be protected with strong passwords. See also the best practice in secure passwords.
- Remote access to network devices via Telnet and SNMP must be restricted by source IP address and granted only to authorized IT support personnel. Note that Telnet and SNMPv1/v2c send credentials in cleartext, so where the device supports it, SSH and SNMPv3 should be used instead.
- You should configure logon banners, such as a Message of the Day (MOTD) banner on Cisco routers and switches, with a legal warning to any unauthorized user attempting to access the device. This helps deter unauthorized access. See also Cisco device passwords.
- Telnet (VTY) and console lines on all networking devices must be configured with a session timeout of less than 10 minutes so that unattended management terminals are closed automatically. This prevents security breaches via unattended management sessions. On Cisco IOS the timeout is set with exec-timeout; be aware that exec-timeout 0 0 disables the timeout entirely rather than shortening it.
- Passwords and SNMP community names on network devices must be strong: a mix of letters, digits and symbols, and never the vendor defaults such as public or private.
- You should disable all management services, such as SNMP, that are not required.
- Internet and wireless communications must be encrypted, and encryption keys must be changed regularly and in a secure fashion to prevent eavesdropping and data-manipulation attacks. Wireless LAN connections must also be secured with encryption and preferably terminated in a firewalled network segment.
- Routers and firewalls facing the Internet must be configured securely using packet filters (extended access lists on Cisco devices). Routers should be configured so that only authorized, business-intended traffic flows exist. Access lists must be used to restrict network traffic wherever network security threats may exist. Packet filters should prevent unauthorized access to key business resources without blocking legitimate traffic. As a minimum, an inbound extended access list should be applied on the perimeter router's Internet-facing interface to provide protection from the Internet (or other public networks).
- If users and network resources need to be segregated, VLANs must be used, with Layer 3 switches controlling inter-VLAN traffic. Switches can use VLANs to define separate security boundaries based on groups of users or locations. MAC-based port restrictions on LAN switches can further restrict network access in hostile public-access environments.
- To restrict which devices may connect in high-risk public-access environments, use switch-based port-level security (MAC address security).
- To prevent third-party devices from injecting routes into the network, dynamic routing protocols should run only on router-to-router links and never on user access links (for example, by making user-facing interfaces passive).
- To ensure that only valid routing sources exchange path updates, routing protocols should use an authentication mechanism (at minimum an MD5 keyed hash) to protect routing update messages.
- On all key devices, access logging (and packet logging if necessary) must be enabled to record device access and configuration changes.
- Sensitive data traversing a public link such as the Internet must be encrypted using VPNs. Network device configuration sessions over public links must also be encrypted.
Any public Internet connection must be secured with a perimeter router and a firewall. The router functions as the first-level packet screener and the firewall as the last line of defense against the public network.
The figure below shows a conceptual connection diagram for a network that deploys these security best practices.
Without a basic security policy, unauthorized network access is possible, including access to sensitive resources that carry a high security risk. A basic security policy ensures that resources are not readily compromised. Network components such as switches and routers are core to the operational integrity of the network and must be protected accordingly.