Securing the network infrastructure

Security maintenance is key to limiting the possibility of publicly known vulnerabilities being present on an organisation’s hardware and software. Security maintenance should be performed on a regular basis to ensure devices continue to operate securely. Key activities include:

• Verifying software and configuration integrity
  The NSA recommends verifying the integrity of operating system files installed and running on devices by comparing the cryptographic hash of the file with the known good hash published by the vendor. 

• Maintain proper file system and boot management
• Maintain up-to-date software and operating systems
  Maintaining up-to-date operating systems and stable software protects against critical vulnerabilities and security issues that have been identified and fixed in newer releases. 
• Stay current with vendor-supported hardware
  Vendors eventually stop supporting specific hardware platforms and, if a failure occurs, these end-of-life devices cannot be serviced.

The implementation of centralised Authentication, Authorisation and Accounting (AAA) servers and their proper configuration makes your environment more challenging for an adversary to compromise since credentials are not stored directly on devices. This can be achieved by:

• Implementing centralised servers
  The NSA recommends implementing at least two AAA servers on the network to ensure availability, and assist with detection and prevention of adversary activities.

• Configuring authentication
  All devices should be configured to use centralised servers for AAA services first, and local administrator accounts as a backup method only if all the centralised servers are unavailable.

• Configure authorisation
  The NSA recommends adequately restricting what legitimate administrators are authorised to execute to prevent an adversary from performing unauthorised actions with a compromised account. 

• Configure accounting
  System configuration changes should be centrally recorded, and a process must be implemented to periodically review these records to detect potential malicious activities. 

• Apply principle of least privilege
  Many common tasks do not require privileged level access, such as viewing status of network interfaces or reviewing routing tables. To implement least privilege, administrators should initially login with the lowest privilege level necessary. This provides an additional layer of security that an adversary must circumvent to fully compromise a device. It also prevents administrators from inadvertently making configuration changes to a device. 

• Limit authentication attempts
  Limiting the number of authentication attempts and introducing a login delay prevents an adversary from performing brute force password cracking against a device in an attempt to obtain access.

The NSA provides detailed guidance on the best ways to manage and store credentials such as usernames, passwords. The guidelines here primarily focus on local accounts and passwords which may be required should a centralised AAA solution fail:

• Use unique usernames and account settings

• Change default passwords

• Remove unnecessary accounts

• Employ individual accounts to enforce accountability

• Store passwords with secure algorithms

• Create strong passwords

Logging and monitoring provides administrators with visibility into network security events. This allows  them to review event information for suspicious activity and investigate any security incidents. Logging should be enabled on all (or critical) network devices, with the generated logs being shipped to a centralised remote log server. 

This information needs to be cleaned to ensure that any unnecessary information does not prevent critical data from being identified. It is also important to synchronise device clocks as this is critical to ensure log message timestamps can be easily correlated across geographically dispersed time zones, and used to collectively trace a network incident from one device to another. The NSA recommends that each device and the remote log servers use at least two trustworthy and reliable time servers to ensure accuracy and availability of information. Internal time servers should be established as the primary source for all devices, which should subsequently synchronise with authoritative external sources.

The NSA showcases numerous ways administrators can secure a network. This includes:

• Disabling of clear text administration services

• Ensuring adequate encryption strength

• Utilisation of secure protocols

• Limiting access to services

• Setting acceptable timeout periods

• Enabling TCP keep-alive

• Disabling outbound connections

• Removing SNMP read-write community strings

• Disabling unnecessary network services and discovery protocols

Routing is critical to forwarding data between computers and networks. Improper configuration of routing devices could allow adversaries to redirect data to a different destination and therefore allow sensitive data to be collected and stolen. Key items to keep in mind when configuring routing devices include:

• Disabling IP source routing
  Along with IP address spoofing, an adversary can use the IP source routing feature to successfully bypass ACLs and other network restrictions, essentially choosing its own network path. 

• Enable unicast reverse-path forwarding (uRPF)
  This is a method of protection against IP spoofing that instructs a router to examine both the source and destination addresses in the packet.

• Enable routing authentication
  To control the flow of traffic, an adversary may inject, modify, or corrupt the routing information sent and received by neighbouring devices. To prevent route manipulation, routing authentication should be enabled to ensure the routing information received from neighbouring devices has not been manipulated by an untrusted source.

The interface ports of network switches physically connect workstations, servers, and other devices to the network - In order to exploit such interfaces an adversary must obtain physical access to the network or use a system or communication method which is already established onto the network. Properly configured interface ports can prevent an adversary from performing exploitation attempts against the network. Key configurations include:

• Disabling dynamic trunking
• Enabling port security
• Disabling default VLAN
• Disabling unused ports
• Disabling port monitoring
• Disabling proxy Address Resolution Protocol (ARP)