This is the second part of securing networks. Here we will describe practices to secure networks.
The first part is here –> Part 1
Steps to strong and secure your network
Segregate Your Network
Network segmentation involves dividing a network into separate zones or segments based on their function or needs, which can be done using routers, switches, or VLANs. This limits the damage of a compromise to a specific region, forcing attackers to either treat each segment as a separate network or attempt to jump between them. This increases the attacker’s workload and detection risk. Segmentation helps with data classification, protection, and monitoring, as different segments can have different security levels and data classification rules. An extreme form of segmentation is an air gap, where systems are physically disconnected from the network, providing strong malware protection. Virtualization is another method of network segmentation, which easily isolates virtual systems from the rest of the network, ensuring their independence.
Place Your Security Devices Correctly
To design an effective network segmentation strategy, key devices must be strategically placed. Firewalls should be placed at each junction of the network zone to protect each segment. Modern switches and routers can be configured to act as firewalls. An anti-DDoS device should be deployed at the network perimeter to mitigate attacks. A web filter proxy behind the main firewall facing the public network is recommended. Load balancers should be on the same network segment as the servers they are balancing, whether in the DMZ or private network. Port mirroring should often be used on switches to copy traffic for monitoring by IDS or IPS. Collectors or sensors must be present on each network segment for IDS or IPS to be effective. Network aggregation Switch placement depends on optimizing bandwidth for specific network clusters.
Use Network Address Translation
Network Address Translation (NAT) allows organizations to overcome the limited availability of IPv4 addresses. It converts private addresses used within an organization into public addresses for communication on the Internet. NAT works as a method of connecting multiple computers to the Internet using a single IP address. It works alongside firewalls to enhance the security of an organization’s internal network. Although hosts within the protected network can communicate with the outside world, external systems must pass through NAT boxes to reach internal networks. NAT helps preserve IP addresses, making it difficult for attackers to identify specific targets within the organization.
Don’t Disable Personal Firewalls
Personal firewalls are software-based firewalls that are installed on individual computers on a network. They work similar to larger border firewalls by filtering packets to prevent certain traffic from leaving or arriving at the system. While the need for personal firewalls is questionable in corporate networks with dedicated firewalls, internal attacks, often caused by viruses, cannot be prevented by border firewalls. These insider attacks are typical and different from Internet-based attacks Disabling Personal Firewall is not recommended; Instead, organizations should configure a standard personal firewall to suit their needs and export those settings to other personal firewalls on the network.
Use Centralized Logging and Immediate Log Analysis
The best practice is to record suspicious logins and computer events to detect anomalies and improve threat detection. By doing so, you can reconstruct attacks and take steps to improve security measures, and block future attacks. However, attackers can try to avoid detection and logging by targeting compromised computers and carefully monitoring system response. Their goal is to gain insight into system performance and avoid triggering alerts.
Use Web Domain Whitelisting for All Domains
Web domain whitelisting is an effective approach to enhance cybersecurity. Restricting users to approved websites, it reduces the risk of accessing untrusted sites and strengthens protection against initial web-based attacks. Additionally, it limits hackers’ communication options post-compromise, forcing them to resort to alternative protocols or attack the whitelisting system. Implementation of web filters enables the creation of access policies and monitoring of web activity, facilitating the enforcement of whitelisting measures. Overall, web domain whitelisting bolsters security by reducing the attack surface and restricting unauthorized communication channels.
Route Direct Internet Access from Workstations through a Proxy Server
Routing outbound web access through an authenticating server provides control and monitoring capabilities, ensuring human-driven connections. Reconfiguring the network initially may be necessary, but maintenance is minimal. User experience remains unaffected, reducing potential resistance. Operational security improves with centralized monitoring through a single device.
Use Honeypots and Honeynets
Honeypots and honeynets are deceptive systems designed to trap attackers. They attract attention by posing as attractive targets such as servers or network segments. The benefits include diverting attackers away from real systems and enabling extensive monitoring and logging. Honeypots collect substantial evidence to aid in investigations when attackers interact with them. Honeynets extend the concept to create entire fake network segments, including fake wireless access points, to further entice attackers.
Protect Your Network from Insider Threats
To combat insider threats, a comprehensive approach involving prevention and detection is critical. Prevention includes enforcing least-rights policies, restricting user access, hardening systems, employing anti-sniffing networks, and using strong authentication. Detection techniques include user and network monitoring, including the use of intrusion detection systems based on signatures, anomalies, behavior, or heuristics. Additionally, end users must receive adequate training to effectively recognize and respond to security threats such as phishing emails and attachments, as their compliance with security policies is essential.
Monitor and Baseline Network Protocols
Monitoring protocol types in the network is crucial to establishing baselines at both the organizational and user levels. Baselines should cover wired and wireless networks and include data collection from a variety of sources such as routers, switches, firewalls, wireless APs, sniffers, and dedicated collectors. Deviations from these baselines may indicate suspicious activity such as information tunneling or unauthorized use of software to transmit data to unknown destinations.
A VPN is a secure connection that allows private networks to connect over a public network such as the Internet It makes remote ends appear as if they are locally connected to the network VPNs require special hardware or software on servers and workstations. They use tunneling protocols such as L2TP, IPSec, or PPTP. VPNs increase security by encrypting data, which can slow down network speeds.
Use Multiple Vendors
To enhance cybersecurity, it is crucial to diversify both controls and vendors. Having different vendors for various security solutions such as antimalware software on computers, networks, and firewalls is recommended. Using products from the same vendor across these areas increases the likelihood of missing malware, as their detection algorithms are identical. Optimal protection is achieved by employing antimalware solutions from different vendors for each layer, reducing the chances of a specific malware piece being overlooked by all three products. Diversifying vendors and detection algorithms significantly lowers the risk of undetected threats.
Use Your Intrusion Detection System Properly
An IDS monitors network and host activity for abnormalities. It establishes a baseline of normal behavior and scans for any unusual patterns. When detected, as an increase in activity suggests an attack, it alerts the administrator. Administrators can then analyze the incident and respond immediately to mitigate any potential threats.
IDS (Intrusion Detection Systems) use attack signatures to compare activity and identify specific attack patterns. These attack signatures consist of characteristic features associated with specific attacks. This enables IDS to detect attacks, even if they do not deviate from your organization’s normal baseline activity. By analyzing these signatures, IDS can effectively identify and warn about potential threats, increasing overall security.
Automate Response to Attacks when Appropriate
Many network devices and software solutions can be configured to automatically take action when an alarm is triggered, which dramatically reduces response time. Here are the most common actions you can configure:
- Block IP address — Blocking the source IP address of the attack using an intrusion detection system (IDS) or firewall is a highly effective measure against spam and denial-of-service attacks. Nevertheless, it is worth noting that some attackers use IP address spoofing techniques during their attacks, which can block wrong addresses.
- Terminate Connections — Routers and firewalls can be configured to disrupt connections that an intruder maintains with a compromised system by targeting RESET TCP packets to the attacker.
Physically Secure Your Network Equipment
Physical controls should be in place and security personnel should ensure that equipment and data do not leave the building. Furthermore, direct access to network equipment for unauthorized personnel should be prohibited.