
Monday, May 1, 2017

10 Good practices you should do as a network administrator to security harden your network devices


As a network administrator or engineer, here are 10 good practices that will help you strengthen the security of your network and network devices (routers, switches and firewalls):

1. Configure a warning banner that is displayed prior to login

A warning banner is the electronic equivalent of a “No Trespassing” sign. Although it doesn’t technically protect your device, having a warning banner could help your organization by serving as a reminder and even as a legal disclaimer.

2. Set up centralized authentication for all your network devices

An example is TACACS (Terminal Access Controller Access Control System). Configuring TACACS benefits your network in the following ways:
  • Simplified user management: you create a user account once, and the same account can be allowed to access multiple devices via TACACS. This limits the number of local accounts on devices.
  • User activity logging and accounting: you can see which commands your users run on each network device.

3. Keep the OS on all your network devices up to date

To make sure you don't miss out on any security features released in new software, install and upgrade to the latest recommended operating system versions for your network devices.

4. Disable all unused network ports

It's a good practice to always disable unused network ports. This reduces the chances of an intruder gaining access to your internal network information even if they have gained physical access to the device.

5. Configure "logout-on-disconnect" for all your devices' console ports

Console ports are enabled by default on network devices, and there are two main security concerns with console port access: unattended sessions and password recovery. Network devices tend to keep console sessions active even when you disconnect the console cable. The logout-on-disconnect option does exactly what it says: when the console cable is physically disconnected from the device, that user session is terminated.

6. Insist on using secure SNMP, that is, SNMPv2 and SNMPv3

Stay away from common SNMP community strings; your SNMP community strings should be difficult to guess and should follow a password complexity policy. Configure read-only access, and use read-write only when required.

7. Implement a password complexity policy

That is: minimum password length, upper case, lower case and special characters. Use SHA1 for password storage and ensure the root account has been configured with a strong password.

8. Disable Insecure Access Services

Access services are considered insecure when communication to the device is NOT encrypted. Clear-text communications are susceptible to sniffing and man-in-the-middle attacks. Another security risk is IP spoofing, where an attacker could impersonate a trusted IP address for the purpose of executing commands.
Insecure access services include: 
  • Telnet
  • HTTP
  • FTP
  • rsh
  • rlogin
  • Finger

9. Enable Secure Access Services

Access services are considered secure when communication is encrypted and protected from snooping type attacks. Secure access services include:

SSH - Secure Shell is a network protocol that allows data to be exchanged between devices over a secure channel. SSH was designed as a replacement for Telnet and other insecure access protocols. Only use SSHv2, because there are inherent design flaws in SSHv1 which make it susceptible to man-in-the-middle attacks.

SFTP - Secure FTP. This is FTP riding over SSL (Secure Sockets Layer)
SCP - Secure Copy Protocol
HTTPS - Secure HTTP. This is HTTP riding over SSL

10. Set connection-limit, rate-limit and idle-time-out

Connection-Limit: limits the total number of connections to preserve resources and reduce the chance of Denial of Service (DoS).
Rate-Limit: limits the number of logins per minute to preserve resources and reduce the chance of Denial of Service (DoS).
Idle-Time-Out: disconnects all idle sessions after the idle-time value expires to preserve resources and reduce the chance of Denial of Service (DoS).
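To turn the ten practices above into a repeatable check, the following added example (not part of the original post) audits a device configuration export against them. It assumes Junos-style "set" statements as the configuration syntax, uses a constructed sample config with placeholder values, and skips practices 3 and 4, which need inventory data rather than configuration text.

```python
import re

# Constructed sample configuration in Junos-style "set" syntax (an assumption of
# this example; adapt the patterns to your platform). Several practices are
# deliberately left unmet so the audit produces findings.
SAMPLE_CONFIG = """
set system login message "Authorized access only. Activity is monitored."
set system authentication-order [ tacplus password ]
set system tacplus-server 192.0.2.10 secret "PLACEHOLDER-SECRET"
set system ports console log-out-on-disconnect
set system services ssh protocol-version v2
set system services ssh connection-limit 10
set system services telnet
set system services web-management http
set snmp community public authorization read-write
set system login password minimum-length 12
set system login class admin idle-timeout 15
"""

# (practice, pattern, must_exist, advice): a True entry must match some config
# line, a False entry must match none. Practices 3 and 4 are not config-checkable.
CHECKS = [
    ("1 warning banner", r"^set system login message ", True, "add a pre-login banner"),
    ("2 central auth", r"^set system tacplus-server ", True, "authenticate via TACACS"),
    ("5 console logout", r"^set system ports console log-out-on-disconnect$", True, "end console sessions on disconnect"),
    ("6 default community", r"^set snmp community (public|private) ", False, "replace guessable community strings"),
    ("6 read-write SNMP", r"^set snmp community \S+ authorization read-write$", False, "use read-only unless write is required"),
    ("7 password policy", r"^set system login password minimum-length \d+$", True, "enforce a minimum password length"),
    ("8 telnet enabled", r"^set system services telnet$", False, "disable Telnet; use SSHv2"),
    ("8 http enabled", r"^set system services web-management http$", False, "disable HTTP; use HTTPS"),
    ("8 ftp enabled", r"^set system services ftp$", False, "disable FTP; use SFTP or SCP"),
    ("9 sshv2 only", r"^set system services ssh protocol-version v2$", True, "restrict SSH to version 2"),
    ("10 connection limit", r"^set system services ssh connection-limit \d+$", True, "cap concurrent SSH sessions"),
    ("10 rate limit", r"^set system services ssh rate-limit \d+$", True, "cap new SSH sessions per minute"),
    ("10 idle timeout", r"^set system login class \S+ idle-timeout \d+$", True, "disconnect idle sessions"),
]

def audit(config_text):
    """Return [(practice, advice)] for every checklist item the config violates."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    for practice, pattern, must_exist, advice in CHECKS:
        matched = any(re.match(pattern, ln) for ln in lines)
        if matched != must_exist:
            findings.append((practice, advice))
    return findings

if __name__ == "__main__":
    for practice, advice in audit(SAMPLE_CONFIG):
        print(f"FAIL {practice}: {advice}")
```

Run against the sample, the audit reports the open Telnet and HTTP services, the default read-write community string, and the missing SSH rate limit; an empty result means every checkable practice is in place.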
