Secure configurations for network devices such as firewalls, routers, and switches
I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.
This control includes seven (7) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there is one (1) IG1 sub-control and, because IG2 includes everything in IG1, seven (7) IG2 sub-controls. This means that, at a minimum, we want to:
By this point in your CIS CSC journey, this control should feel like a layup. The identification, testing, and deployment of patches and secure configurations for servers, workstations, and mobile devices was handled way back in CIS CSC #3 (Continuous Vulnerability Management) and CIS CSC #5 (Secure Configuration for Hardware and Software). Network devices are (usually) not making the headlines as targets of attack, but when they are, the impact is massive, as the Pulse Secure VPN attacks most recently showed. Many of these devices are not exposed to the public internet, so their attack surface is much smaller. The exceptions are the devices that sit on the perimeter, such as your firewalls and VPN gateways, which is exactly what the Pulse Secure attacks hit.
Standardization will be your friend here. Standard builds for each device type are easier to manage if the number of device types is kept small, and many device manufacturers ship their own management utility, which makes configuration management easier. The tools listed below are most useful for performing the initial scans that establish the security baseline and then for periodic re-scans that identify and correct configuration drift. I am a big fan of Nipper for performing the device configuration reviews; the paid version (Nipper Studio) is very reasonably priced. The configuration review will identify software vulnerabilities in the device firmware as well as configuration weaknesses measured against a baseline such as the CIS Benchmarks.
Relevant News Stories
Relevant Tools
Commercial: Cisco Prime Infrastructure, Network Configuration Manager (SolarWinds), FireMon, Nipper Studio (Titania), Tufin, Tripwire Enterprise, Firewall Analyzer and FireFlow (AlgoSec)
Open-Source & “Freemium”: Nipper-NG, RANCID
The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #11 page here.
The security of network devices like firewalls, routers, switches, and proxy servers is critical to any organization. Without good security measures in place, you risk data breaches, data loss, productivity interruptions, and reputational damage. Following the practices described on this page, including the use of configuration-management tools such as SolarWinds Network Configuration Manager, is key to maintaining network device security, which in turn supports the health of the network as a whole.
Network infrastructure devices are often easy targets for attackers. Many of these devices are not maintained at the same security level as general-purpose desktops and servers, but there are steps users and network administrators can take to better secure their network infrastructure. Network infrastructure devices are the components of a network that transport the communications needed for data, applications, services, and multimedia. These devices include routers, firewalls, switches, servers, load balancers, intrusion detection systems, domain name system (DNS) servers, and storage area networks. They are ideal targets for malicious cyber actors because most or all organizational and customer traffic must pass through them.
Organizations and individuals that use legacy, unencrypted protocols (such as Telnet, HTTP, or SNMPv1/v2c) to manage hosts and services make successful credential harvesting easy for malicious cyber actors, because the credentials cross the network in the clear. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.
What security threats are associated with network infrastructure devices?
Once installed, many network devices are not maintained at the same security level as general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:
How can you improve the security of network infrastructure devices?
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and network administrators to implement the following recommendations to better secure their network infrastructure:
Segment and Segregate Networks and Functions
Security architects must consider the overall infrastructure layout, including segmentation and segregation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or moving laterally around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event that they have gained a foothold somewhere inside the network.
Physical Separation of Sensitive Information
Traditional network devices, such as routers, can separate Local Area Network (LAN) segments. Organizations can place routers between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. Organizations can use these boundaries to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.
Recommendations
Virtual Separation of Sensitive Information
As technologies change, new strategies are developed to improve information technology efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. Virtual segmentation uses the same design principles as physical segmentation but requires no additional hardware. Existing technologies (such as VLANs and VRFs) can be used to prevent an intruder from breaching other internal network segments.
Recommendations
Limit Unnecessary Lateral Communications
Allowing unfiltered peer-to-peer communications, including workstation-to-workstation, creates serious vulnerabilities and can allow a network intruder’s access to spread easily to multiple systems. Once an intruder establishes an effective beachhead within the network, unfiltered lateral communications allow the intruder to create backdoors throughout the network. Backdoors help the intruder maintain persistence within the network and hinder defenders’ efforts to contain and eradicate the intruder.
Recommendations
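The segmentation and lateral-movement sections above can be made concrete by evaluating a few east-west flows against an access list. The Python below is an added example and is not from the original page or from CISA; the address ranges, the rule set and the sample flows are constructed for illustration. It models the first-match, implicit-deny semantics of a router or L3-switch ACL and compares a flat "permit any" policy with a segmented one that lets workstations reach DNS and the file servers but not each other, and admits only a jump host to the management VLAN.

```python
"""Segmentation policy check: evaluate sample east-west flows against a
first-match ACL with an implicit deny, the way a router or L3 switch would.
All addresses, rules and flows are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, str, int]   # (proto, src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, flow: Flow) -> bool:
        proto, src, dst, dport = flow
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match hits the implicit deny at the end."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed addressing plan (hypothetical, not from the page).
WORKSTATIONS = "10.10.0.0/16"   # user VLANs
SERVERS = "10.20.0.0/24"        # file/app servers
DNS = "10.20.0.53/32"
MGMT = "10.99.0.0/24"           # switch/router/firewall management interfaces
JUMP_HOST = "10.99.0.10/32"

# "Before": a flat network with no inter-VLAN filtering at all.
FLAT_ACL = [Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]

# "After": segmented policy. Order matters because the first match wins.
SEGMENTED_ACL = [
    Rule("permit", "udp", WORKSTATIONS, DNS, 53),        # name resolution
    Rule("permit", "tcp", WORKSTATIONS, SERVERS, 445),   # SMB to file servers only
    Rule("deny", "ip", WORKSTATIONS, WORKSTATIONS),      # no peer-to-peer between users
    Rule("permit", "tcp", JUMP_HOST, MGMT, 22),          # only the jump host reaches mgmt
    Rule("deny", "ip", "0.0.0.0/0", MGMT),               # everyone else is kept off mgmt
]

# Constructed sample flows: (proto, src, dst, dport).
FLOWS: Dict[str, Flow] = {
    "ws_to_ws_smb": ("tcp", "10.10.1.5", "10.10.2.9", 445),
    "ws_to_fileserver": ("tcp", "10.10.1.5", "10.20.0.20", 445),
    "ws_to_dns": ("udp", "10.10.1.5", "10.20.0.53", 53),
    "ws_to_switch_ssh": ("tcp", "10.10.1.5", "10.99.0.2", 22),
    "jump_to_switch_ssh": ("tcp", "10.99.0.10", "10.99.0.2", 22),
}


def decisions(acl: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample flow under the given policy."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("flat", FLAT_ACL), ("segmented", SEGMENTED_ACL)):
        print(label, decisions(acl))
```

Under the flat policy every flow, including workstation-to-workstation SMB and a workstation opening SSH to a switch, is permitted; under the segmented policy only the DNS lookup, the file-server access and the jump-host-to-switch session get through. Rule order is the usual trap: moving the workstation-to-workstation deny above the file-server permit would not break anything here, but moving it above the DNS permit would silently cut name resolution, so changes to a segmentation ACL deserve exactly this kind of flow-by-flow test before they are pushed.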
Harden Network Devices
A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of guidance to administrators, including benchmarks and best practices, on how to harden network devices. Administrators should implement the following recommendations in conjunction with laws, regulations, site security policies, standards, and industry best practices.
Recommendations
Secure Access to Infrastructure Devices
Administrative privileges can be granted to allow users access to resources that are not widely available. Limiting administrative privileges for infrastructure devices is crucial to security because intruders can exploit administrative privileges that are improperly authorized, granted widely, or not closely audited. Adversaries can use compromised privileges to traverse a network, expand access, and take full control of the infrastructure backbone. Organizations can mitigate unauthorized infrastructure access by implementing secure access policies and procedures.
Recommendations
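The hardening and secure-access recommendations above are the kind of checks a configuration-review tool such as Nipper runs against a device's config. Below is a reduced version in Python, added here as an example; it is not from the original page, from CISA, or from any vendor's product. The IOS-style configs are constructed, the enable-secret hash and SNMP community string are placeholders, and the rule set covers only a handful of CIS Benchmark-style items (reversible enable password, plaintext HTTP and Telnet management, SSH version, AAA, remote logging, default SNMP communities, and an access-class on the vty lines). The drift() function shows the other half of the job: diffing the running config against the approved baseline so that a "temporary" change gets caught.

```python
"""Audit an IOS-style running config against a handful of CIS-Benchmark-style
hardening rules, then diff it against a golden baseline to catch drift.
Constructed example configs; the rule set is illustrative, not a full benchmark."""
import re
from typing import Dict, List, Tuple


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level line to its indented children; key "" holds the globals."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections


def audit(config: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    s = parse_sections(config)
    g = set(s[""])
    findings: List[str] = []
    if "service password-encryption" not in g:
        findings.append("service password-encryption missing")
    if not any(l.startswith("enable secret") for l in g):
        findings.append("enable secret not set")
    if any(l.startswith("enable password") for l in g):
        findings.append("enable password (reversible) present")
    if "ip http server" in g:
        findings.append("plaintext HTTP management enabled")
    if "ip ssh version 2" not in g:
        findings.append("SSH not pinned to version 2")
    if "aaa new-model" not in g:
        findings.append("AAA not enabled (no central auth or per-user accounting)")
    if not any(l.startswith("logging host") for l in g):
        findings.append("no remote syslog host")
    for l in sorted(g):
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(f"default SNMP community '{m.group(1)}'")
    for name, children in s.items():
        if not name.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(f"{name}: telnet/unencrypted transport allowed")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{name}: no access-class restricting management sources")
    return findings


def drift(baseline: str, current: str) -> Tuple[List[str], List[str]]:
    """(added, removed) config lines relative to the golden baseline."""
    def lines(cfg: str):
        return {l.strip() for l in cfg.splitlines() if l.strip() and not l.startswith("!")}
    b, c = lines(baseline), lines(current)
    return sorted(c - b), sorted(b - c)


# Constructed "before" config: the defaults a lot of shops still run.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 password cisco
 login
"""

# Constructed hardened config (hash and community string are placeholders).
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
aaa new-model
enable secret 9 $9$PLACEHOLDERHASH
ip ssh version 2
no ip http server
no ip http secure-server
snmp-server community r0-nms-7f2a RO 20
logging host 10.99.0.50
ip access-list standard MGMT-HOSTS
 permit 10.99.0.10
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
"""

# The same device a month later: someone re-enabled HTTP and telnet "temporarily".
DRIFTED_CONFIG = (HARDENED_CONFIG
                  .replace("no ip http server", "ip http server")
                  .replace("transport input ssh", "transport input telnet ssh"))

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
    print("drift:", drift(HARDENED_CONFIG, DRIFTED_CONFIG))
```

The weak config produces ten findings and the hardened one none; the drifted config produces exactly two, and the diff names the lines that changed, which is what you want a scheduled job (RANCID-style config pulls plus this check) to raise a ticket on. Real benchmarks have far more rules, and a real parser has to cope with nested sub-modes deeper than one level, but the structure is the same: pull, parse, evaluate against the baseline, report the delta.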
Perform Out-of-Band Management
Out-of-band (OoB) management uses alternate communications paths to remotely manage network infrastructure devices. These dedicated communications paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can perform corrective actions without allowing the adversary (even one who has already compromised a portion of the network) to observe these changes. OoB management can be implemented physically, virtually, or through a hybrid of the two. Although building additional physical network infrastructure can be expensive to implement and maintain, it is the most secure option for network managers to adopt. Virtual implementation is less costly but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.
Recommendations
Validate Integrity of Hardware and Software
Products purchased through unauthorized channels are often known as counterfeit, secondary, or gray market devices. Numerous media reports have described the introduction of gray market hardware and software into the marketplace. Illegitimate hardware and software present a serious risk to users’ information and the overall integrity of the network environment. Gray market products can introduce risks to the network because they have not been thoroughly tested to meet quality standards. Purchasing products from the secondary market carries the risk of acquiring counterfeit, stolen, or second-hand devices because of supply chain breaches. Furthermore, breaches in the supply chain provide an opportunity for malicious software and hardware to be installed on the equipment. Compromised hardware or software can affect network performance and compromise the confidentiality, integrity, or availability of network assets. Finally, unauthorized or malicious software can be loaded onto a device after it is in operational use, so organizations should check the integrity of software on a regular basis.
What is secure network configuration?
Secure configuration refers to the security measures implemented when building and installing computers and network devices to reduce unnecessary vulnerabilities. Security misconfigurations are one of the most common gaps that criminal hackers look to exploit.
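For the software half of the integrity check described under Validate Integrity of Hardware and Software, the practical step is verifying an image's digest against what the vendor publishes before the image goes anywhere near a device, and repeating it for images already staged on flash. The Python below is an added example, not from the original page or from CISA; the image bytes, file names and the sha512sum-style manifest are all constructed so it runs offline, with one image deliberately altered to show what a mismatch looks like.

```python
"""Verify network OS images against vendor-published SHA-512 digests before
installation. Images and the manifest are constructed inline so the example
runs offline; file names and digests are hypothetical."""
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for downloaded image files (in practice: read from disk).
IMAGES: Dict[str, bytes] = {
    "router-os-17.9.4a.bin": b"GOOD IMAGE BYTES " * 1024,
    "switch-os-9.3.12.bin": b"TAMPERED IMAGE BYTES " * 1024,
    "unknown-build.bin": b"NOT ON THE VENDOR PAGE " * 64,
}


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


# Constructed manifest in `sha512sum` format, as if copied from the vendor's
# download page over TLS. The switch digest was computed from the pristine
# bytes; the staged file above has been altered, so it must fail.
PUBLISHED_MANIFEST = "\n".join([
    "# vendor release digests (constructed for this example)",
    f"{sha512_hex(b'GOOD IMAGE BYTES ' * 1024)}  router-os-17.9.4a.bin",
    f"{sha512_hex(b'PRISTINE IMAGE BYTES ' * 1024)}  switch-os-9.3.12.bin",
])


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<hex digest>  <filename>' lines; ignore blanks and comments."""
    digests: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA-512 line: {line!r}")
        digests[name.strip()] = digest
    return digests


def verify_images(images: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Per-file verdict: 'ok', 'MISMATCH', or 'not in manifest'.
    A file the vendor never listed is treated as unverified, not as passing."""
    expected = parse_manifest(manifest_text)
    verdicts: Dict[str, str] = {}
    for name, data in images.items():
        if name not in expected:
            verdicts[name] = "not in manifest"
            continue
        actual = sha512_hex(data)
        # compare_digest is the habit to keep for any digest or token comparison.
        verdicts[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    return verdicts


def safe_to_install(images: Dict[str, bytes], manifest_text: str) -> bool:
    """Only an all-'ok' set of images is cleared for deployment."""
    return all(v == "ok" for v in verify_images(images, manifest_text).values())


if __name__ == "__main__":
    for name, verdict in verify_images(IMAGES, PUBLISHED_MANIFEST).items():
        print(f"{verdict:15} {name}")
    print("clear to install:", safe_to_install(IMAGES, PUBLISHED_MANIFEST))
```

Two details matter more than the hashing itself. The published digest has to come from the vendor's own site over TLS (or from a signed release note), never from the same mirror or support ticket the image arrived through, because an attacker who can replace the image can replace a co-located checksum file just as easily. And an image that is not in the manifest at all is a failure, not a pass: the "unknown-build.bin" case above is exactly how an unofficial or gray-market build shows up.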
How would you secure the network devices?
In short: segment and segregate networks and functions; limit unnecessary lateral communications; harden network devices; secure access to infrastructure devices; perform out-of-band (OoB) network management; and validate the integrity of hardware and software.
What is network infrastructure security?
Network infrastructure security, typically applied to enterprise IT environments, is the process of protecting the underlying networking infrastructure by installing preventative measures to deny unauthorized access to, modification of, deletion of, and theft of resources and data.