Your network infrastructure is easy to overlook, but it is also critical to secure and maintain. We’ll start with some recommendations for all network equipment, and then look at some platform-specific recommendations.
Maintain a network hardware list that is similar to your server list, and includes:
Have a standard configuration for each type of device to help maintain consistency and ease management.
Assign static IP addresses to all management interfaces, add A records to DNS, and track everything in an IP Address Management (IPAM) solution.
Network hardware runs an operating system too; we just call it firmware. Keep up to date on patches and security updates for your hardware.
Use the most secure remote access method your platform offers. For most, that should be SSH version 2. Disable telnet and SSH 1, and make sure you set strong passwords on both the remote and local (serial or console) connections.
Use TACACS+ or another remote management solution so that authorized users authenticate with unique credentials.
If you are going to use SNMP, change the default community strings and set authorized management stations. If you aren’t, turn it off.
Make sure you take regular backups of your configurations whenever you make a change, and that you confirm you can restore them.
Include all your network gear in your regular vulnerability scans to catch any holes that crop up over time.
Use VLANs to segregate traffic types, like workstations, servers, out of band management, backups, etc.
Set port restrictions so that users cannot run promiscuous mode devices or connect hubs or unmanaged switches without prior authorization.
Ports that are not assigned to specific devices should be disabled, or set to a default guest network that cannot access the internal network. This prevents outside devices being able to jack in to your internal network from empty offices or unused cubicles.
“Deny All” should be the default posture on all access lists - inbound and outbound.
Log all violations and investigate alerts promptly.
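Several of the items above (SSH version 2 only, no telnet, no default SNMP community strings, authorized management stations, unused ports disabled or parked on a guest network) can be checked automatically against the configuration backups you already take. The script below is an added example, not part of the original checklist; it assumes Cisco IOS-style configuration syntax, treats a port with a description as assigned, and uses VLAN 999 as a hypothetical guest VLAN.

```python
import re

# Constructed IOS-style config for illustration; not taken from a real device.
SAMPLE_CONFIG = """\
ip ssh version 1
snmp-server community public RO
interface GigabitEthernet0/1
 description workstation jdoe
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 shutdown
interface GigabitEthernet0/4
 switchport access vlan 999
line vty 0 4
 transport input telnet ssh
"""

GUEST_VLAN = "999"  # assumption: the site's isolated guest VLAN
DEFAULT_COMMUNITIES = {"public", "private"}

def audit(config):
    """Findings for remote access, SNMP and unused ports (ACL assumed last token)."""
    findings = []
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("global: SSH version 2 not enforced")
    # A stanza is one unindented line plus the indented lines beneath it.
    for stanza in re.split(r"\n(?=\S)", config.strip()):
        head, *body = [line.strip() for line in stanza.splitlines()]
        words = head.split()
        if words[:2] == ["snmp-server", "community"] and len(words) > 2:
            if words[2].lower() in DEFAULT_COMMUNITIES:
                findings.append(f"snmp: default community '{words[2]}'")
            if len(words) == 3 or words[-1].lower() in ("ro", "rw"):
                findings.append(f"snmp: community '{words[2]}' has no ACL")
        elif words[:2] == ["line", "vty"]:
            for line in body:
                if line.startswith("transport input") and \
                        {"telnet", "all"} & set(line.split()[2:]):
                    findings.append(f"{head}: telnet permitted")
        elif words[0] == "interface":
            assigned = any(l.startswith("description ") for l in body)
            parked = "shutdown" in body or f"switchport access vlan {GUEST_VLAN}" in body
            if not (assigned or parked):
                findings.append(f"{head}: unassigned port is enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Running it over each saved configuration after a change turns the standard-configuration item into something you can verify rather than assume.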
These server deployment tips will go a long way in helping you secure your servers against all threats. Good luck in your continued fight to protect your company’s network from attack!