Network hardening techniques
(Last updated on December 20, 2021)
The network is the lifeblood of any infrastructure, allowing communication between hardware and services. Protecting one’s network against penetration is essential. Successful attacks can lead to data theft or outages, effectively crippling services, and undermining privacy. These problems are expensive and time consuming to fix.
With users working remotely, IoT devices accumulating, and cloud infrastructure booming, the company’s attack surface is greatly increased. IT pros and network engineers are taking proactive steps to counteract external threats. Network hardening techniques, including the strategies provided in this blog, protect systems against the most common attacks.
Embrace purposeful chaos engineering
It’s not always apparent where your network’s weaknesses may lie. Sniffing out those points of vulnerability requires ample testing, often resembling stress testing. This “chaos engineering” deliberately subjects your network resources to adverse conditions, or troublesome events. It’s an excellent way to determine strengths and shortcomings in real time.
Chaos testing can occur during development or production. In fact, it’s argued that no stress testing is complete without live testing. Just like simulations aren’t 100% representative of realistic scenarios, groups of users have a knack for introducing unique, systemic stressors.
How do you test? Step one is determining your network’s steady state, or operational baseline under normal conditions. Continuous monitoring makes this immensely easier, though teams can pull trends from retrospective analysis. These insights provide a point of reference, answering the question, ‘How do we know what’s abnormal in the first place?”
Some useful metrics to track:
- Error rates
- Traffic rates (based on given days and times)
The real-world challenges for your ecosystems will have assorted impacts. Chaos testing should reflect this. It’s important to scale each test in severity. Activity and traffic spikes can also occur without warning during uptime. Focus on creating events that disrupt your baseline, much like they would in the wild. Include both failure and non-failure events.
Production experimentation isn’t faultless. Depending on your testing breadth, some users may be adversely impacted. This tradeoff is necessary. However, sound chaos engineering practices aim to minimize these negative consequences. Containment is important. Ideally, your customers will only perceive this chaos testing as a temporary blip, without major disruption.
Chaos engineering can teach us plenty about how our networks function, and how they tick. For example, you might learn that hardware upgrades are necessary to handle user activity. You might learn which endpoints are problematic. Additionally, the practice reinforces the criticality of deep network monitoring—which can encourage better habits moving forward.
This approach is also perfect for those running atop a Kubernetes layer. Today’s applications run as microservices, meaning reliable network performance is essential to letting apps chatter.
Manage your network out-of-band
Remote networks are the norm these days, and admins working from home don’t enjoy the same access privileges they once had at the office. Accordingly, these team members need access points into the network in order to perform critical maintenance.
Unfortunately, attackers can exploit open firewall ports that stem from traditional management methods. Out-of-band methods leverage dedicated access to IT infrastructure, without having to tap into corporate LANs. Because outside connections are used, admins can perform tasks even when the company network goes dark. This type of access facilitates the following:
- Remote monitoring
- Uptime-and-service restoration
It’s expected that network devices will crash throughout their lifespan. Performance hiccups happen as a result of attacks or normal stressors. Network hardening isn’t just applicable to security. A network’s durability also depends on rapid maintenance and issue remediation. This is essential when you’re overseeing numerous resources: routers, switches, firewalls, servers, power, storage, and telecommunications assets. Secure tunnels and VPNs help achieve this needed level of access.
Automated management and updates
While tied more so to software tools than remote access, we’ll file this under the management category. Several first and third-party tools exist on the market today to handle widespread network management. While admins once completed a tedious checklist of manual tasks, there are now ways to automate those most critical to security.
Humans inherently make mistakes while operating this way. Though no tool (or system) is perfect, they can expedite processes like network scans, data collection, and visualization. These can uncover configuration errors. Additionally, automation makes updating critical systems much more efficient. The logging functionality that accompanies these programs is great for providing insights that teams may uncover later.
Whatever tool you use can expose your resources, tagging them as current or outdated. From here, you can passively perform multiple, concurrent updates with just a few clicks. Improved organizational agility and reliable vulnerability patching are chief benefits. Try to locate a tool that facilitates this for vendor-specified router firmware patches.
Encrypt all network traffic and internal data
Mountains of personal data traverse the internet ether every day. Trustworthy companies must protect customer and user data at all points throughout their journey. You might’ve heard of TLS/SSL, IPsec, SSH, or PGP before, which are all common communication encryption protocols. Measures like these ensure data is scrambled and unreadable by outside actors. Secure connections must be made between servers and end devices.
Accordingly, data at rest must be safeguarded. Hashing and salting are essential processes for thwarting decryption, in the case of network intrusion. While a hacker might infiltrate your database, they’ll struggle to glean real value from its contents.
Adjacently, try to implement software-based measures against malware and spyware. This is yet another step-in separating data from bad actors.
Proper firewall and port management
First and foremost, a firewall is a critical tool in blocking unauthorized communications, or filtering connections to the company network. This protective layer sits between the network and the internet at large. However, much of the work starts after a firewall is implemented.
Proper consolidation is paramount when managing the firewall. These layers operate using rules, which dictate how incoming and outgoing communications flow. Unused rules are problematic. An expanded rule list increases your network’s overall attack surface; therefore, removing any unused rules is important. They otherwise offer no real-world benefits. Accordingly, it’s often smarter to reconfigure these rules and make them applicable to your network traffic. Purpose-driven configurations are always preferable. Validation ensures that rules are doing their jobs appropriately.
Next, we need to discuss ports. These communicative endpoints facilitate chatter between devices and your network. They can also become major security risks when mismanaged. For example, unneeded ports expose your network to greater intrusion risks. When left up and running, an attacker may leverage them to gain access.
Blocking these and their respective services will minimize your overall attack surface. Similarly, only keep ports open that serve specific (and critical) network functions. There’s also an old vulnerability related to NetBIOS and TCP/IP in Windows. You can squash this by closing ports 137, 138, 139, and 445.
Additionally, make sure to enable switchport security. This feature lets you define which addresses can send traffic to individual network switchports. Also consider enabling MAC address filtering and DHCP snooping.
Educate Your employees
The old adage rings true: knowledge is power. It’s important to keep teammates trained and aware of the common security threats networks face daily. These threats evolve constantly, thus making continuing education important.
What happens when breaches occur, and how can debriefing help? How are criminals gaining network access currently? Awareness is key to avoiding silly security mistakes. Simulated events can make this clear for IT professionals, allowing them to see what occurs during an attack. The goal is quicker recognition and mitigation, when preventative measures do fail.
Maintain a list of best practices and make it widely available to everyone involved with network security. This, alongside prompt alerting and communication practices, will help defend your network from unwanted penetration.
Compliment your hardening efforts with Specops
Specops Software creates tools that make network security better on the password management side. Specops Password Auditor keeps systems safe from breached or compromised passwords, preventing employees from leveraging them, while keeping admins informed. Domain accounts are easily viewable, as are their statuses.
Additionally, Specops Password Policy takes a deeper dive into password rules, best practices, and compliance. Users are told when their passwords are risky and are prevented from creating non-compliant phrases. Password Policy can target any GPO (Group Policy Object) level, group, user, or computer present on the network. The result is uncompromising cybersecurity across your entire ecosystem.