
Top 10 Basic Network Security Practices

Level 10

To get started with securing your network, you don’t need to begin with a multi-million dollar project with multiple penetration tests, massive network audits, wide-spread operating systems upgrades, and the installation of eye-wateringly expensive security appliances. Those are all great things to do if you have the staff and budget, but just starting with some entry-level basics will provide a huge step forward in securing your network from today’s more common vulnerabilities. These ten practices are relatively easy and quick ways to create the foundation of a robust security program.

1. Patching

Keeping operating system patches up to date may seem like a no-brainer, but it still seems to fall by the wayside even in large organizations. I use the term “patching” very loosely here because I want to highlight the importance of updating all operating systems, not just Windows.

It’s important to set a regular Windows patch schedule and automate it using whatever tools you have available. Whether this is weekly or monthly, the key is that it’s regular and systematic.

Also remember all the other operating systems running on the network. This means keeping track of and updating the software running on network devices such as routers, switches, and firewalls, and also Linux-based operating systems commonly used for many servers and specialized end-user use cases. 

2. Endpoint Virus Protection

Not long ago, endpoint virus protection was a bear to run because of how resource intensive it was on the local computer. This is not at all the case anymore, and with how frequently malware sneaks into networks via email and random web-browsing, endpoint protection is an absolutely necessary piece of any meaningful security program.

3. Policy of Least Privilege

Keep in mind that attack vectors aren’t all external to your network. It’s important to keep things secure internally as well. Assigning end-users only the privileges they need to perform their job function is a simple way to provide another layer of protection against malicious or even accidental deletion of files, copying or sending unauthorized data, or accessing prohibited resources.

4. Centralized Authentication

Using individual or shared passwords to access company resources is a recipe for a security breach. For example, rather than use a shared pre-shared-key for company wireless, use 802.1x authentication and a centralized database of users such as Windows Active Directory in order to lock down connectivity and restrict what resources users can access. This can be applied to almost any resource including computers, file shares, and even building access.

5. Monitoring and Logging

Monitoring a network and keeping extensive logs can be very expensive simply because of the cost of the hardware and licensing needed to audit and store large amounts of data. However, this may be one area in which it would be a good idea to explore some software options. Most network devices have very few built-in tools for monitoring and logging, so even a basic software solution is still a huge step forward. This is very important for creating network baselines in order to detect anomalous behavior, as well as for the traffic trends needed to right-size network designs. Additionally, having even very basic logs is priceless when investigating a security breach or performing service-desk root cause analysis.
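The baseline idea above, as an added example that is not part of the original post: a few days of constructed per-host egress summaries (made-up RFC 5737 addresses and byte counts) are turned into a per-host baseline, and a new day's summaries are checked against it for hosts with no history, destination ports never seen before, and egress volume far above normal.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-day egress summaries: (day, host, destination port, bytes out).
# Five quiet days for two workstations form the baseline window.
BASELINE_FLOWS = [
    ("2024-03-01", "192.0.2.77", 443, 1_100_000), ("2024-03-01", "192.0.2.78", 443, 900_000),
    ("2024-03-02", "192.0.2.77", 443, 1_000_000), ("2024-03-02", "192.0.2.78", 443, 950_000),
    ("2024-03-03", "192.0.2.77", 443, 1_200_000), ("2024-03-03", "192.0.2.78", 443, 900_000),
    ("2024-03-04", "192.0.2.77", 443, 1_050_000), ("2024-03-04", "192.0.2.78", 443, 1_000_000),
    ("2024-03-05", "192.0.2.77", 443, 1_150_000), ("2024-03-05", "192.0.2.78", 443, 950_000),
]
# The day under review: .77 starts shipping 40 MB out over a port it never used,
# and a host with no history at all shows up (constructed, like everything above).
TODAY_FLOWS = [
    ("2024-03-06", "192.0.2.77", 443, 1_050_000), ("2024-03-06", "192.0.2.77", 22, 40_000_000),
    ("2024-03-06", "192.0.2.78", 443, 950_000), ("2024-03-06", "198.51.100.9", 80, 5_000),
]


def build_baseline(flows):
    """Per host: (mean daily egress, standard deviation, set of ports ever used)."""
    per_day, ports = defaultdict(int), defaultdict(set)
    for day, host, dport, nbytes in flows:
        per_day[(host, day)] += nbytes
        ports[host].add(dport)
    totals = defaultdict(list)
    for (host, day), total in per_day.items():
        totals[host].append(total)
    return {h: (mean(v), pstdev(v), ports[h]) for h, v in totals.items()}


def find_anomalies(baseline, flows, sigma=3.0):
    """Flag unknown hosts, never-seen ports, and daily egress far above baseline."""
    per_day, findings = defaultdict(int), set()
    for day, host, dport, nbytes in flows:
        per_day[(host, day)] += nbytes
        if host not in baseline:
            findings.add((host, day, "no baseline for host"))
        elif dport not in baseline[host][2]:
            findings.add((host, day, f"new destination port {dport}"))
    for (host, day), total in per_day.items():
        if host in baseline:
            mu, sd, _ = baseline[host]
            # A floor on the spread stops a very flat baseline from flagging tiny bumps.
            if total > mu + sigma * max(sd, 0.1 * mu):
                findings.add((host, day, f"egress {total} bytes vs baseline {mu:.0f}"))
    return sorted(findings)
```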

6. End-user training

The only way to completely secure a network is to turn off all the computers and send them to the bottom of the ocean. Until management approves such a policy, end-users will be clicking on links they shouldn’t be clicking on and grabbing files from the file share just before their friendly exit interview. End-user training is a practice in changing culture and security awareness. This is a difficult task for sure, but it’s an inexpensive and non-technical way to strengthen the security posture of an organization. End-user training should include instructions on what red flags to look for in suspicious email and how to report suspicious activity. It should also include training to prevent password sharing and how to use email properly.

7. Perimeter Security

The perimeter of the network is where the local area network meets the public internet, but today that line is very blurred. A shift toward a remote workforce, the use of cloud services, and the movement away from private circuits mean that the public internet is almost an extension of the LAN. Traditionally, perimeter firewalls were used to lock down the network edge and stop any malicious attack from the outside. Today, so much necessary business traffic ingresses and egresses through the perimeter firewall that it’s important to keep firewall rules up to date and maintain a very keen awareness of what services run on the network. For example, a very simple egress-filtering change is to restrict outbound traffic to port 25 (Simple Mail Transfer Protocol) on any destination so that only the email server may send it. This one firewall change prevents an infected computer from generating outbound mail traffic that could get the organization flagged as a spam originator.

8. Enterprise IoT

The Internet of Things may certainly be a buzzword in some people’s minds, but many companies have been dealing with a multitude of small, insecure, IP-enabled devices for years. Manufacturing companies often use hand-held barcode scanners, medical facilities use IP-based tracking devices for medical equipment, and large office campuses use IP-based card access readers for doors. These devices aren’t always very secure, sometimes using port 80 (unencrypted HTTP) for data transmission. This can be a big hole in an organization’s network security posture. Some organizations have the money and staff to implement custom management systems for these devices, but an entry-level approach to get started could be to simply place all like devices in a VLAN that has very restricted access. Applying the policy of least privilege to a network’s IoT devices is a great first step toward securing the current influx of IP-enabled everything.
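The two firewall changes from items 7 and 8 (SMTP egress allowed only from the mail server, and an IoT VLAN that may only talk to its management server), as an added example that is not part of the original post: a small first-match rule evaluator with the flat "allow everything out" policy beside the restricted one. All addresses are constructed from the RFC 5737 documentation ranges; the management server and its ports are assumptions for the sake of the example.

```python
from ipaddress import ip_address, ip_network

ANY = None  # wildcard for any rule field

# Constructed addresses from the RFC 5737 documentation ranges, not from the post.
LAN = ip_network("192.0.2.0/24")           # workstations and servers
IOT_VLAN = ip_network("198.51.100.0/24")   # badge readers, barcode scanners
INTERNET = ip_network("0.0.0.0/0")
MAIL_SERVER = ip_network("192.0.2.25/32")  # the only host allowed to send SMTP
IOT_MANAGER = ip_network("192.0.2.50/32")  # assumed server that manages IoT gear

# Before: one flat rule that lets anything out (src, dst, proto, dport, action).
PERMISSIVE = [(ANY, ANY, ANY, ANY, "accept")]

# After: first-match rules. SMTP egress is limited to the mail server, the IoT
# VLAN only talks to its manager, and anything not listed falls through to drop.
HARDENED = [
    (MAIL_SERVER, INTERNET, "tcp", 25, "accept"),   # mail server may relay out
    (ANY, ANY, "tcp", 25, "drop"),                  # nobody else sends SMTP
    (IOT_VLAN, IOT_MANAGER, "tcp", 443, "accept"),  # devices report to manager
    (IOT_MANAGER, IOT_VLAN, "tcp", 80, "accept"),   # manager polls HTTP-only gear
    (IOT_VLAN, ANY, ANY, ANY, "drop"),              # IoT reaches nothing else
    (ANY, IOT_VLAN, ANY, ANY, "drop"),              # and nothing else reaches IoT
    (LAN, INTERNET, "tcp", 443, "accept"),          # ordinary web traffic
    (LAN, INTERNET, "tcp", 80, "accept"),
    (LAN, INTERNET, "udp", 53, "accept"),
]


def evaluate(rules, src, dst, proto, dport, default="drop"):
    """Return the action of the first rule matching the flow, else the default.

    Order matters: the mail server's accept has to sit above the blanket tcp/25 drop.
    """
    s, d = ip_address(src), ip_address(dst)
    for rsrc, rdst, rproto, rport, action in rules:
        if ((rsrc is ANY or s in rsrc) and (rdst is ANY or d in rdst)
                and (rproto is ANY or rproto == proto)
                and (rport is ANY or rport == dport)):
            return action
    return default


if __name__ == "__main__":
    # An infected workstation trying to spam straight out to the Internet.
    for policy, name in ((PERMISSIVE, "permissive"), (HARDENED, "hardened")):
        print(name, "workstation->smtp:", evaluate(policy, "192.0.2.77", "203.0.113.10", "tcp", 25))
    print("hardened reader->manager:", evaluate(HARDENED, "198.51.100.7", "192.0.2.50", "tcp", 443))
    print("hardened reader->workstation:", evaluate(HARDENED, "198.51.100.7", "192.0.2.77", "tcp", 445))
```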

9. Personal Devices

End-users’ personal mobile devices, including smartphones and tablets, often outnumber corporate devices on many enterprise networks. It’s important to have a strategy to give folks a pleasant experience using their devices while keeping in mind that these are normally unmanaged and unknown network entities. To start, simply require by policy that all personal smartphones must use the guest wireless. This may ruffle some executive feathers, but really there’s almost no reason for a tiny smartphone to access company resources while on the LAN. Of course there are exceptions, but starting with this type of policy is at least a good company conversation starter to move toward a decent end-user experience without compromising network security.

10. Physical security

It may go without saying that a company’s servers, network devices, and other sensitive infrastructure equipment should be behind locked doors, but often this is not the case. Especially in smaller organizations where there may be a culture of trust, entire server rooms are unlocked and accessible to anyone walking by. Physical security can take the form of biometric scanners to enter secure data centers with cameras peering down from overhead, but a simple first step is to lock all the network closets and server room doors. If keys are unaccounted for, locks should be changed. Additionally, disabling network ports not assigned to a workstation, printer, or other verified network device is a good way to prevent guests from plugging their non-corporate devices into the corporate network.

You don’t need to mortgage the farm to start making great strides in your organization’s security posture. These relatively simple and entry-level tasks will prevent most of the attack vectors we see today. Start with the basics to lay the foundation for a strong network security posture.

39 Comments
MVP

Good points here...on the topic of patching though...you only specifically talk about OS patching.  Application patching as well as related libraries is just as bad and you must be diligent in keeping those patched as well (java, flash, etc.).

Also on topic, you could mention how Orion and its various pieces can provide solutions for those 10 areas.

Level 10

Good point about patching. I was keeping very high level for this post, but you're absolutely right. Application patching should be part of a good security program as well and spelled out specifically in SOPs so nothing falls by the wayside.

Level 14

Let's not forget the IOS/NX-OS/name-your-route-switch-gear OS patching.  Got to keep the perimeter firewall and IDS up to date as well.

Level 14

As for the firewalls, I would prefer to allow all 443 traffic outbound based on subnet.  All other communications would be point to point.  Deny by default, allow by what the users can justify.

Agreed on all points.  Not one of those ten can be overemphasized.

Level 10

Thanks very much. Definitely a high-level overview of the basics, but in my opinion and experience, that's the place to start when putting together a security program.

Starting with a great security program and top-notch practices and procedures from day one--that's the challenge I see.  Who can afford to start a business with full-fledged and exemplary security solutions and practices in play?

Who can NOT afford to have security in full force from day one?

It wouldn't be hard to define a Security Catch-22 scenario that defeats startups from succeeding.

Level 13

Physical security is one usually overlooked by IT.

One of the things that we've done is remove physical access to various network ports throughout the building (sticky MAC) and any desk that is vacant, we've shut down the ports on the switch and removed the patch cable.

Level 14

You are so right, physical security is the easiest to implement and yet often overlooked.

Level 13

10 for 10.  So agree on all points.

Level 14

Great points.... # 6 and # 10 are too often overlooked.

Level 13

One of my favourite things (physical security speaking) is APC racks. How many people know that it is a universal key?

I suspect everyone who's ever bought an APC enclosure has looked at the key, eventually lost or wanted to replace/add a key, and discovered they're all identical.

I remember that day. I was learning to swap tapes for backup jobs and asked how to figure out the keys since they aren't labeled. I got laughed at.

Level 13

policy of least privilege - we used Avecto to remove all administrator rights - even from the administrators...

MVP

There are so many things out there that use the same key or subset of X number of keys.

Insecurity at its finest.

Level 9

All are great points, but 8 and 9 are front and center in our organization right now.

Level 13

I'll bet they are rhrohde...nothing worse than trying to secure something that is totally insecure...

Yes to all 10. Now how to get rich? Get all of these to individual practices to exist cohesively. Because depending on the size of your company each one of them could be a full-time job. And I am sure not all of us are that fortunate...

Isn't it silly everyone assumes IoT devices are:

  • A good idea?
  • Secure?
  • Automatically / mandatorily allowed on corporate networks?
  • Something no one in Security / IT can say "no" to?

Level 20

We do all of these with the exception of basically banning iot devices and cellphones, and cameras.  There's no BYOD.

Level 10

This is a great list, and it covers all the fundamentals for security!

End User Training is a big one.

Level 13

It's funny you said that rschroeder - everyone seems to be on board with data, remote access, etc...but really...is it too hard to program a non-IT home thermostat? Is it really too hard to open the fridge to see what you need to purchase?

It SHOULD NOT be too hard to do these things.  I.T. people like us shouldn't find it hard.  But my 80-year-old mother-in-law will buy a new refrigerator and blindly allow a service technician to connect it to the Internet, simply through ignorance.  She has no skill to leverage the refrigerator information available through the Internet, nor has she any desire to develop such skills.

I see plenty of well-educated people who are technophobes who will not crack a manual or open a command GUI for fear of permanently breaking something.  These are doctors and lawyers and teachers, and they've developed a fear of I.T. systems.

Given that some people will remain afraid to handle these administrative tasks, and others won't develop the skill sets necessary, and still more will remain ignorant of the best practices and how to apply them (or worse, remain trusting and innocent and ignorant of the dangers of others using their IoT equipment to perform DDOS attacks), it seems best to prevent IoT technology from being deployed without a guarantee and validation that correct security deployment and training and great customer service are part of the package that accompany buying/installing such devices.

The Luddite within observes that civilization survived quite nicely without Internet access to programmable thermostats and refrigerators for millennia.  And it observes that making these things available to those who trust the things to be safe and secure is a simple way to fool most of the people most of the time.

The pessimist within says this kind of snake-oil-salesmanship will always accompany us, as we find bad apples in every barrel, people who are willing to steal or subvert, who have morals that are not developed past a five-year-old's desire to steal a toy from a peer.

The optimist within suggests that we may look for worthy individuals, those who are well endowed with a sense of honor, who practice altruism, may have to pull the bacon out of the fire once again.

The pragmatist within asks "why can't people always develop / deploy  IoT systems with secure solutions that are idiot proof--and do so far before these devices come to market?"

MVP

idiot proof ?

Is there any that are truly idiot proof ?

Kind of like child proof...

Notice how there aren't as many things marked water proof anymore?  More like water resistant.

Probably the best we can attain is idiot resistant so at least we can't be sued by the one idiot who can't figure it out.

Level 21

I think this is a great list.  To extend the conversation I think it would be awesome to see these types of security practices categorized by difficulty to implement versus value/impact.  Doing something like that would provide a great road-map for companies to start with, and I could see such a model building on itself.

Level 10

Thanks - I like your suggestion, too. Sounds like a good follow-up post idea!

I like them all. I think it might do us well to think like all four when adopting new things.

The luddite: Do we really need this? Is the old way so bad?

The pessimist What's in the fine print?

The optimist: Might this widget solve any long-standing issues?

The pragmatist Should we wait until the next generation of this before choosing?

Level 7

Agreed, application patches are often overlooked even though we constantly hear about vulnerabilities in software such as Java and Flash. It always makes me tense up a little when I see a java installation that hasn't been updated in multiple years.

MVP

agreed, but then you have to factor in how far from the edge it is....

If it is extremely isolated then not as much of a concern.

Level 14

11.  Get rid of stupid users

MVP

goodzhere, that is a never-ending battle.

Hence the term, you can't fix stupid.  Once you get rid of all the stupid users, they will just create a new kind of stupid user.

Wouldn't that be nice? But in the absence of that we must make the environment as "stupid user" proof as possible.

MVP

there is no such thing as stupid proof.  Stupid resistant is about as close as you can get.

Level 14

The effort to be as stupid resistant as possible and still be functional.

MVP

exactly....until IT seagulls start circling around.

Level 11

Right on the mark.

Level 13

I'd add backups and backup testing checking.

I agree, backups and test restores.