A secure network infrastructure is critical

Your network infrastructure is easy to overlook, but also critical to secure and maintain. We’ll start with some recommendations for all Network Equipment and then look at some platform specific recommendations.

1. Network Hardware List

Maintain a network hardware list that is similar to your server list, and includes:

• device name and type,
• location,
• serial number,
• service tag,
• responsible party.

2. Network Configuration

Have a standard configuration for each type of device to help maintain consistency and ease management.

3. IPAM

Assign static IP addresses to all management interfaces, add A records to DNS, and track everything in an IP Address Management (IPAM) solution.

4. Patching

Network hardware runs an operating system too, we just call it firmware. Keep up-to-date on patches and security updates for your hardware.

5. Remote Access

Use the most secure remote access method your platform offers. For most, that should be SSH version 2. Disable telnet and SSH 1, and make sure you set strong passwords on both the remote and local (serial or console) connections.

6. Unique Credentials

Use TACACS+ or other remote management solution so that authorized users authenticate with unique credentials.

7. SNMP Configured

If you are going to use SNMP, change the default community strings and set authorized
management stations. If you aren’t, turn it off.

8. Backup / Stores

Make sure you take regular backups of your configurations whenever you make a change,
and that you confirm you can restore them.

9. Vulnerability Scan

Include all your network gear in your regular vulnerability scans to catch any holes that crop up over time.

 
Looking at Switchs

• VLANS

Use VLANs to segregate traffic types, like workstations, servers, out of band management, backups, etc.

• Promiscuous Devices and Hubs

Set port restrictions so that users cannot run promiscuous mode devices or connect hubs or unmanaged switches without prior authorization.

• Disabled Ports

Ports that are not assigned to specific devices should be disabled, or set to a default guest network that cannot access the internal network. This prevents outside devices being able to jack in to your internal network from empty offices or unused cubicles.

Looking at Firewalls

• Explicit Perment, Implicit Denies

"Deny AH’ should be the default posture on all access lists - inbound and outbound.

• Logging and Alerts

Log all violations and investigate alerts promptly.

 

Looking at Routers

• Routing Protocol : Use only secure routing protocols that use authentication, and only accept updates from known peers on your borders. 

 

These server deployment tips will go a long way in helping you secure your servers against all threats. Good luck in your continued fight to protect your company’s network from attack!

Interested in learning more?

Get our free guide on how to prevent IP blacklisting. Read Guide Today.

 

TitanHQ makes your network safer. We believe that you should have easy to use, but robust and effective email and web security tools - that hide complexity without compromising functionality. Talk to a TitanHQ security expert today to discover how we can protect your network. Talk to us.