Wired Network
The following security guidelines address the high-level needs of network environments. These security measures are most critical for Internet and DMZ environments, but also should be applied to general internal network environments. These security measures should be applied in conjunction with the system and application level hardening guidelines.
- Ensure that all border routers and switches have hardened configurations.
- Implement layered network security controls such as firewalls, host and/or network intrusion detection, two-factor authentication, VPNs, antivirus and content control gateways, etc.
- Do not rely solely on IP address-based access control measures.
- Do not rely solely on a firewall implementation as your form of security measure.
- Do not rely heavily on dual-homed host designs (a system with two network interfaces acting as the control point) as a security measure for DMZ systems.
- Ensure that remote access dial-up modems use secondary security controls such as two-factor authentication or dial-back.
- Enable auditing and logging on all operationally critical systems and process logs centrally in near real time.
- Ensure that critical systems are time synched for potential incident response (IR) events.
- Ensure that internal/intranet email is encrypted.
- Ensure that all remote administration, on the intranet as well as from the Internet, is encrypted, for example with SRP and/or SSH.
- Ensure that two-factor authentication is implemented for system administration as much as possible.
- Ensure that operational environments are properly compartmentalized to segregate services. Where possible, use gateway choke points for administrative entry into operational DMZ environments. Apply this to all critical operational functions such as VPNs, RAS, web servers, application servers, database servers, email servers, domain controllers, file servers, etc.
- Ensure that a split DNS architecture is implemented where possible.
- Ensure that dangerous file attachments are stripped from email at border gateways.
- Ensure that administrative passwords are not reused across multiple technology platforms and/or operational environments, for example across routers, Windows and UNIX systems, or across web servers, domain controllers and firewalls.
- Ensure that mail relays and DNS zone transfers are being properly controlled.
- Ensure that the operational environment (routers/switches, firewalls, servers, etc.) has patches maintained diligently!
- Ensure that all unused services for that environment are screened at border routers and further controlled at firewalls.
- Ensure that outbound network traffic is also diligently controlled and screened to let through only what is required. This principle is critical for DMZ environments. For example, there is no reason to allow outbound connections on port 80 from your production web server.
- Ensure that the number of administrative-level accounts and groups is limited to what is operationally necessary.
- Ensure that databases on the internal network/intranet are not also being used to serve external customers.
- Ensure that extra attention is paid to not allowing access to NetBIOS (139 and 445), Telnet, NFS/NIS, miscellaneous RPC, TFTP, SNMP, and remote access services from the Internet border and possibly within the DMZ as well.
- Ensure that company job postings do not specifically detail network and software technology used.
- Ensure that technical and administrative staff do not post to newsgroups with network environment or operational information.
- Ensure that system and application banners are properly disabled or modified.
- Make use of load balancers as security screens for web traffic as well.
- Implement proxy and reverse proxies for primary service traffic such as HTTP, FTP, SMTP.
- Conduct external as well as internal network security assessments using free or paid vulnerability scanning tools.
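The outbound-screening and border-blocking items above, as an added example that is not part of the original guidelines: an nftables ruleset for a single DMZ web server that publishes only HTTP/HTTPS, accepts SSH only from an administrative choke point, logs probes for the listed services (NetBIOS, Telnet, NFS, RPC, TFTP, SNMP) so they reach the central log, and drops all egress except DNS, NTP and syslog. All addresses are constructed placeholders from the RFC 5737 documentation ranges.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset for a DMZ web server: default-deny in both directions.
# Addresses are constructed (RFC 5737 documentation ranges), not real hosts.
define admin_gw = 192.0.2.10      # administrative choke point (jump host)
define dns_int  = 198.51.100.53   # internal resolver of the split-DNS design
define ntp_src  = 198.51.100.123  # time source so IR timestamps line up
define log_host = 198.51.100.200  # central syslog collector

flush ruleset

table inet dmz_web {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The only published services: HTTP/HTTPS from anywhere.
        tcp dport { 80, 443 } accept

        # Remote administration: SSH, and only from the admin choke point.
        ip saddr $admin_gw tcp dport 22 accept

        # Services that must never be reachable from the border. The drop
        # policy would discard them anyway; logging them explicitly makes
        # probing visible in the central log.
        tcp dport { 23, 111, 139, 445, 2049 } log prefix "dmz-blocked-svc: " drop
        udp dport { 69, 111, 161, 162, 2049 } log prefix "dmz-blocked-svc: " drop

        log prefix "dmz-input-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept

        # Only the egress the host needs to operate: DNS, NTP, syslog.
        ip daddr $dns_int  udp dport 53  accept
        ip daddr $ntp_src  udp dport 123 accept
        ip daddr $log_host udp dport 514 accept

        # Everything else, including outbound 80/443, is logged and dropped.
        log prefix "dmz-output-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f <file>` and confirm the intended state with `nft list ruleset`; the `dmz-output-drop` log prefix is the one to watch, since a web server initiating unexpected outbound connections is a strong compromise indicator.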