Practical Security Steps for Every Network Engineer

IT organizations manage security in different ways. Some companies have formal security teams with board-level interest; there, the security team will have firm policies and procedures that apply to network gear. Other organizations appoint a manager or director to be responsible for security with less high-level accountability. Smaller IT shops have less formal security organizations with little security-related accountability. The security guidance a network engineer receives from within the IT organization therefore varies widely across the industry. Regardless of the direction a network engineer receives from internal security teams, there are reasonable steps he or she can take to protect and secure the network.

Focus on the Basics

Many failures in network security happen because of a lack of basic security hygiene. While this problem extends up the entire IT stack, there are basic steps every network engineer should follow. Network gear should have consistent, templated configuration across your organization. Ad-hoc configurations, varying password schemes, and a disorganized infrastructure open the door to mistakes, inconsistencies, and vulnerabilities. A well-organized, rigorously implemented network is much more likely to be a secure network, and a templated configuration is also one you can audit mechanically for drift.

As part of the standard configuration for your network, pay special attention to default passwords, SNMP community strings, and unencrypted management protocols. Many devices ship with the default SNMP communities "public" (read-only) and "private" (read-write). Change these immediately, and where the gear supports it move to SNMPv3 with authentication and privacy, because SNMPv1/v2c community strings cross the wire in cleartext and act as passwords. Turn off unencrypted management access such as telnet and plain HTTP in favor of SSH and HTTPS. If your organization doesn't have a corporate password vault, use a free one like KeePass to store enable secrets and other sensitive access information. Don't leave a password list lying around, stored on SharePoint, or unencrypted on a file share. Encrypt the disk on any computer that stores network configurations, especially engineer laptops, which can be stolen or left behind; a saved configuration is usually a complete map of your network together with its credentials.
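As an added example (not part of the original post), here is a small Python audit script that checks a text configuration for the hygiene problems listed above: default SNMP communities, telnet on vty lines, plain HTTP management, and reversible enable or user passwords. The two configurations it runs against are constructed, IOS-style snippets written for this example, not captures from a real device, and the check list is a starting point for a templated-config audit, not a complete standard.

```python
"""Hygiene audit for templated network device configs.

Added example: the config snippets and the check list are constructed for
this illustration (IOS-style syntax); they are not from a real device.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity line text message")

# Each check is (pattern, severity, message). The first matching check wins
# for a given line, so the default-community check precedes the generic one.
LINE_CHECKS = [
    (re.compile(r"^snmp-server community (public|private)\b", re.I), "high",
     "default SNMP community string; v1/v2c communities cross the wire in "
     "cleartext, so change it and prefer SNMPv3 with auth and priv"),
    (re.compile(r"^snmp-server community \S+", re.I), "medium",
     "SNMPv1/v2c community in use; move to SNMPv3 (snmp-server group ... v3 priv)"),
    (re.compile(r"^transport input .*\b(telnet|all)\b", re.I), "high",
     "telnet allowed on a vty line; restrict to 'transport input ssh'"),
    (re.compile(r"^ip http server$", re.I), "high",
     "plain HTTP management enabled; use 'no ip http server' + 'ip http secure-server'"),
    (re.compile(r"^enable password\b", re.I), "high",
     "'enable password' is stored reversibly (type 0/7); use 'enable secret'"),
    (re.compile(r"^username \S+ password\b", re.I), "medium",
     "user password stored reversibly; use 'username ... secret'"),
]

# Lines that must be present somewhere in the config.
REQUIRED = [
    ("service password-encryption", "low",
     "password-encryption service is off; remaining type 0 passwords stay cleartext"),
]


def audit_config(text):
    """Return a list of Finding for one device config (empty list = clean)."""
    findings = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        seen.add(line)
        # Comments and 'no ...' lines (which disable a feature) never trigger a check.
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        for pattern, severity, message in LINE_CHECKS:
            if pattern.search(line):
                findings.append(Finding(severity, lineno, line, message))
                break
    for required, severity, message in REQUIRED:
        if required not in seen:
            findings.append(Finding(severity, 0, required, message))
    return findings


# Constructed "before" config: the defaults and habits the post warns about.
WEAK_CONFIG = """\
hostname core-sw1
enable password 7 0822455D0A16
username admin password 7 094F471A1A0A
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after" config: same device, hygiene applied (hash values elided).
HARDENED_CONFIG = """\
hostname core-sw1
service password-encryption
enable secret 5 <hash>
username admin secret 5 <hash>
no ip http server
ip http secure-server
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha <auth-key> priv aes 128 <priv-key>
line vty 0 4
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] line {f.line}: {f.text} -> {f.message}")
```

Run it against the configs you pull from devices (or from your config-management repository) on a schedule; because the checks are plain regexes over the running config, the same script catches drift from the template as well as the original mistakes.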

To Firewall or Not to Firewall

While many hyperscalers don't use firewalls to protect their services, the average enterprise still relies on firewalls for traffic flowing through the corporate network. It's important to move beyond the legacy layer 4 firewall, which can only match on addresses, ports, and protocol, to a next-generation, application-aware firewall. For outbound internet traffic, build policy on more than the 5-tuple: rules keyed on username and application make the security posture more dynamic without compromising functionality. Keep in mind that user-based policy is only as good as the identity source the firewall is tied to, and that application identification of encrypted traffic depends on whether the firewall can see inside it.

Beyond the firewall, middleboxes like load balancers and reverse proxies play an important role in your network infrastructure, and they usually terminate TLS for the applications behind them. Unpatched vulnerabilities, weak ciphers and protocol versions, and misconfigurations can leave those applications and services wide open. There are many free web-based tools that scan internet-facing hosts and report weak ciphers and easy-to-spot vulnerabilities. Use them, then plan to remediate the findings; a scan without a remediation plan only documents the exposure.
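As an added example, not code from the post or from any scanner, the following Python uses the standard library's ssl module to express a hardened TLS policy of the kind you would apply on a reverse proxy or load balancer, and to audit a context for the weaknesses such scanners report: RC4, DES/3DES, NULL and export suites, MD5 MACs, anonymous key exchange, keys below 128 bits, static RSA key exchange (no forward secrecy), and a minimum protocol version below TLS 1.2. The cipher names and thresholds are this example's own choices, and the "legacy" context is constructed purely to show findings; which suites it actually exposes depends on the OpenSSL build Python links against.

```python
"""Audit a TLS server policy for weak ciphers and protocol versions.

Added example. The weak-suite markers and the hardened cipher list are this
example's own choices (close to common 'intermediate/modern' guidance), not a
standard; what the legacy context actually exposes depends on the local
OpenSSL build.
"""
import ssl

# Substrings in OpenSSL cipher names that indicate a suite scanners flag.
WEAK_MARKERS = {
    "RC4": "RC4 stream cipher",
    "DES": "DES or 3DES block cipher",        # matches DES-CBC-SHA, DES-CBC3-SHA
    "NULL": "null encryption or null authentication",
    "EXP": "export-grade key size",
    "MD5": "MD5 MAC",
    "ADH": "anonymous DH, no server authentication",
    "AECDH": "anonymous ECDH, no server authentication",
}

# Explicit AEAD, forward-secret suites for TLS 1.2. TLS 1.3 suites are
# managed separately by OpenSSL and are unaffected by set_ciphers().
HARDENED_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
])


def weak_reasons(cipher):
    """Reasons a cipher dict (shape of SSLContext.get_ciphers()) is weak."""
    name = cipher["name"].upper()
    reasons = [why for marker, why in WEAK_MARKERS.items() if marker in name]
    if cipher.get("strength_bits", 0) < 128:
        reasons.append("key strength below 128 bits")
    if cipher.get("kea") == "kx-rsa":
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons


def audit_context(ctx):
    """Summarise a context: minimum protocol version and any weak suites."""
    ciphers = ctx.get_ciphers()
    weak = []
    for c in ciphers:
        reasons = weak_reasons(c)
        if reasons:
            weak.append((c["name"], reasons))
    return {
        "min_version": ctx.minimum_version.name,
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "total": len(ciphers),
        "weak": weak,
    }


def hardened_server_context():
    """The policy a reverse proxy should present: TLS 1.2+ and AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def legacy_server_context():
    """Constructed 'before' policy: everything the library offers, no version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # SECLEVEL=0 re-enables suites that modern OpenSSL hides by default.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers("ALL")  # older OpenSSL without security levels
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        report = audit_context(ctx)
        print(f"{label}: min version {report['min_version']} "
              f"(ok={report['min_version_ok']}), {report['total']} suites, "
              f"{len(report['weak'])} weak")
        for name, reasons in report["weak"]:
            print(f"  {name}: {'; '.join(reasons)}")
```

The same `weak_reasons` classifier can be pointed at the cipher names a scanner reports for your load balancer, which makes it easy to turn a scan into a remediation list rather than a screenshot.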

Keep A Look Out for Vulnerabilities

When we think of patch cycles and vulnerability management, servers and workstations are top of mind. However, vulnerabilities exist in networking gear too, and a router or switch often runs the same software release for years. Most vendors publish advisories through mailing lists, blogs, and social media feeds. Subscribe to the relevant notification streams and tune your feed for the platforms and software versions you actually run; keeping an inventory of those versions makes it quick to tell which advisories apply to you. Make note of vulnerabilities and plan upgrades accordingly.

IT security is a broad topic that must be addressed throughout the entire stack. Most network engineers can't control the security posture of the endpoints or servers at their company, but they do control the networking gear and middleboxes, which have a profound impact on IT security. In most instances, you can take practical, common-sense steps that will dramatically improve your network security posture.

  • eyvonne.sharp thanks for posting! I am gathering information and have added your post to my documentation.

    My biggest vulnerability is the inability to get management to understand the importance of security.  I would laugh, but it makes me cry!

  • I have recently had the opportunity to change my role at our company and work as an InfoSec Admin directly with our very experienced CISSO.  We have been starting at the basic block & tackle level and working our way up with regard to security and compliance and it's been a very educational process.  This isn't to say we didn't have security and compliance in place before but our CISSO wanted to start at the bottom and work his way up through things to ensure everything was in place as it should be and it's been surprising to find how many different opportunities there were to improve on the basics that we already had in place.  At this point I would recommend going through this process to everybody as it's a great way to validate what you think you have in place and find things that may be missing or that have fallen by the wayside at some point.

  • I am becoming a big fan of going with one vendor, whenever possible, for as much infrastructure as possible so that we can consolidate dashboards and streamline support. I will give up functionality for efficiency in most cases.

  • Very nice... a future regular blog for sure!

  • This is a good article and I agree with rschroeder as a weekly page or blog on this subject would help to make sure we network engineers are following what you termed as basic security hygiene. SolarWinds helps in managing some of the security fundamentals that we should take care of, especially when you run it against the compliance templates.
