Securing your network infrastructure is a process, not a task. It is
something that, once started, does not end. You must remain constantly
vigilant to the threats against your network and continuously undertake
actions to prevent any compromises. Because of the scale of the
undertaking, hardening your network infrastructure is not an endeavor
you should undertake lightly.
Depending on the size and complexity of your environment, you might
spend weeks or even months planning before you make any changes. At the
same time, if you are looking at how to harden your network, you
probably recognize that you have security issues that need to be
addressed, even if you aren’t sure exactly what those issues are or how
to fix them. This can put you in a bind in that you may have issues
that really need to be addressed immediately, before the full-scale
hardening process begins.
So what are some things you should do immediately, right now, without
any hesitation? I’m glad you asked. In this guide, we will look at six
things you should do right now, before you do anything else.
There are many tasks you can perform as part of the systematic
hardening process. These are all generally big-ticket items—for
example, hardening your routers and switches or implementing DMZs and
perimeter network devices. These tasks take time, sometimes months from
the initial planning and design phase to the implementation. Although
all these tasks are necessary, you should undertake six tasks, in
particular, before you do anything else on your network. I consider
these six tasks to be the biggest impact undertakings you should
evaluate. At the same time, I don’t want to mislead you into thinking,
“OK, if I do these six things, I am probably pretty safe.” You aren’t.
However, what you will have is an excellent foundation from which to
start the systematic hardening process of your network infrastructure.
This foundation consists of the following elements:
- Review your network design – If you don't know what your network design looks like, how your devices are interconnected, and how data flows in your enterprise, you will never be able to protect your network successfully. The first step to hardening your network is to understand it.
- Implement a firewall – If you don't have a firewall, stop reading this guide right now and go buy or build one and implement it on your network. I'm deadly serious here. Implementing a firewall has the most impact of any task you can perform for hardening your network infrastructure because it allows you to define a perimeter.
- Implement access control lists (ACLs) – You should be restricting and controlling all traffic entering and exiting your network from the outside world. At the same time, you should be restricting traffic between internal network segments. If there isn't a business justification for the traffic, block it. You should be filtering traffic with ACLs not only on your external firewalls and routers, but on your internal firewalls and routers as well.
- Turn off unnecessary features and services – Although traditionally the realm of servers and applications, unnecessary services equally plague your network infrastructure devices. If you don't have a reason to be running a particular service on your network equipment, don't run it.
- Implement virus protection – Today's worms and viruses, though directed at applications and computers, have the side effect of often causing denial of service against routers and switches because of how they attempt to replicate. The easiest way to protect against these kinds of attacks is to ensure that every system, from Windows to Unix, desktop to server, runs virus protection. Don't forget to implement virus protection on your gateway devices, such as SMTP gateways, to prevent email-based viruses and worms as well.
- Secure your wireless connections – Wireless connectivity presents a unique problem to securing your network. If you aren't sure why you are running wireless, turn it off. Revisit the issue once you know why you are implementing a wireless network. If you have to run wireless, ensure that you implement encryption and authentication to prevent unauthorized users from connecting and/or intercepting and reading your wireless communications.
Review Your Network Design
Someone once told me, “In order to know where you are going, you have
to know where you came from.” This is true for hardening your network
infrastructure. In order to effectively protect your resources, you
must know how your network is designed. You must know how your routers
are interconnected, where your network ingress points are, where your
various resources are located, and so on. Only once you know this
information can you effectively protect those resources. In addition,
if your network does become compromised, knowing how everything is
connected will help you in determining how to recover from it or how to
isolate the problem to specific network segments. At the same time, I’m
not proposing that the first thing you should do is redesign your
network. Remember, we are looking at things you can do right now to
make an immediate impact on the security of your network.
Because every network is different, it is impossible for me to provide
you a comprehensive review of a network design. I can, however, provide
you with 21 questions you should be asking as you review your network
design. These questions will help you better understand where and how
your network can be hardened.
- Where are your Internet connections? Today's networks commonly have multiple Internet connections. Review your network design and identify all your Internet connections. These can range from your enterprise Internet connection to a backup/redundant connection for your company, all the way down to a DSL or cable modem connection used as a temporary backup exclusively for your sales force. Be prepared to locate "surprises," such as unauthorized connections to your network in executive suites. Identify these ingress points because those are where you will implement your firewalls.
- Where are your external connections? External connections range from traditional frame relay and ATM connections to dedicated serial T1/T3 lines to the Internet connections addressed previously. They are typically used to connect remote offices or external business partners. These are all potential ingress points on your network. Consequently, you need to implement firewalls at those connections as well as potentially employ encryption for the data traversing them.
- What networks/subnets are you using? Identify the IP addressing scheme and the location of all your subnets. Are you using dynamic addressing products and protocols such as VitalQIP and DHCP? DHCP networks, although they provide significant ease of resource addressing, create a security issue: anyone who can plug into a DHCP-served segment immediately receives a valid address and can begin probing for weak security elsewhere on your network.
- What routing protocols are you employing? The routing protocols you use will identify the methods you can implement to protect those protocols. The steps you take to harden Routing Information Protocol (RIP), for example, are not necessarily the same as the steps to harden Open Shortest Path First (OSPF); RIP version 1 has no neighbor authentication at all, whereas RIPv2 and OSPF support MD5 authentication of routing updates. Are you redistributing routes between protocols? Knowing what protocols you are running, where they are running, and how they are configured will dictate how to harden the protocols.
- Are you running Spanning Tree Protocol? Spanning Tree Protocol, like your routing protocols, contains a tremendous amount of information about your network that any hacker would give his two front teeth to get. Its BPDUs are also unauthenticated, so any host that can send BPDUs on an access port can claim the root bridge role and pull traffic through itself. Identify where you are running Spanning Tree Protocol so that you can decide whether you need to be running it in that location, and protect access ports with BPDU guard or root guard where your switches support them.
- Where is your Intrusion Detection/Prevention System (IDS/IPS) located? You need to know what you are monitoring for and where you are monitoring. Are you only monitoring with network-based intrusion detection systems (NIDSs) or are you also using host-based intrusion detection systems (HIDSs)? Where are you performing these functions, and more important, where are you not?
- Where are you performing content filtering? Knowing where and how you are performing content filtering is critical in preventing web-based exploits from entering your network. This is commonly done at your Internet connections, but it might make sense for you to do this in other locations, such as between extranet partners.
- Are you implementing NAT, and where are you implementing NAT? Network Address Translation (NAT) is commonly implemented at your Internet connections; however, with growth and acquisitions, companies are using NAT on their internal network segments more and more. NAT can present problems with IPsec encryption as well as increased network complexity. Knowing where you are implementing NAT can illustrate areas of your network that you need to keep an eye on, in particular, to make sure NAT is working securely and properly.
- What VLANs are in use? Virtual Local Area Networks (VLANs) can be a saving grace to large networks, making it much easier to logically separate resources. At the same time, VLANs can dramatically increase the complexity of a network, consequently allowing security problems to be hidden by the complexities of the VLAN. A common example of this is having VLANs for networks of different security levels (that is, inside and outside or inside and DMZ) running on the same switch fabric. This is a bad thing because switches have historically shown a propensity to allow traffic to traverse between VLANs when it shouldn't (VLAN hopping through trunk auto-negotiation or double-tagged frames, for example). Knowing where you have VLANs will help you harden those VLANs.
- Where are your server resources located? If your server resources are located on a dedicated subnet away from your users, it's much easier to implement ACLs or similar filters to protect those resources. Knowing where your critical server resources are located will allow you to strategize a method to protect those resources.
- Do you provide VPN/remote access connectivity? VPN/remote access connectivity is one of the biggest threats to your network's security posture. This is due in large part to the fact that you rarely have control of the equipment that is connecting via your VPN connections. Employees' home networks are rarely protected as they should be, and when those systems connect via VPN to your corporate network, it becomes susceptible to compromise. Knowing where your VPN/remote access connectivity occurs allows you to focus on where to protect against remote exploits.
- What vendor's equipment are you using? Different vendors are susceptible to different exploits. Likewise, different vendors implement different methods to secure their equipment. Knowing what vendor's equipment you have on your network will allow you to develop a reasonable policy for hardening that equipment.
- What network devices are you using? Routers require different security measures than switches do. Switches require different security measures than hubs do. By identifying the devices employed on your network, you can develop a security policy that addresses the specific issues of each device type on your network.
- What are your device naming conventions? Although a relatively mundane item, device naming conventions can be a real problem in large environments where you need to figure out what a device is or where it might be located by name alone. Using names of fish and trees, as one company I worked at did, serves only to make identifying where a problem or security issue is occurring much more difficult than it needs to be. At the same time, using names that lead people to critical or sensitive servers or resources can also be an issue. You need to strike a balance between function and anonymity.
- What circuit types do you employ? Point-to-point connections and frame relay connections require different methods of hardening. Identifying the various circuit types you are using will allow you to define a policy that doesn't overlook a circuit type.
- What network protocols and standards are in use? Are you using Hot Standby Router Protocol (HSRP)? What about Data-Link Switching (DLSw)? Do you still need to run Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)? By examining the network protocols and standards in use on your network, you can identify security issues unique to each protocol or standard.
- Do you have dedicated management segments? Using dedicated management segments is one of the best methods to protect your devices from remote management exploits. Where are these segments, and most important, who has access to them? Knowing this information will help ensure that people do not inadvertently gain management access to your equipment.
- Where are your critical segments? Backbone connections, critical Line of Business (LOB) segments, human resources (HR) segments, and so on, need to be identified so that you can ensure not only that the data on those segments is protected, but that those segments are reliable and redundant. Connections between subnets and segments, particularly critical subnets and segments, represent locations where filtering and access lists should be implemented to protect those subnets and segments.
- What kind of AAA mechanism are you using on your network? Are you using common passwords (for example, a shared enable secret) or are you performing user-based authentication? Do you have RADIUS or TACACS+ for authentication, authorization, and accounting?
- What kind of enterprise monitoring/management products are you using? Many management protocols transmit their data in an unencrypted and therefore insecure fashion: SNMP versions 1 and 2c send the community string in the clear (SNMPv3 adds authentication and encryption), and syslog over UDP is both unencrypted and unauthenticated. Identifying what management products you are using, where they are located, and what devices they communicate with will allow you to determine the most effective method for securing the traffic.
- Where are your wireless connections? Wireless represents a significant security issue on a corporate network. Know where you have wireless access points set up so that you can identify and secure that access.
Implement a Firewall
If you can do nothing else to harden your network, you need to
implement a firewall. The reason for this is simple: a firewall is the
single device that can do more to keep unauthorized traffic from
entering a network than any other device. Now you might have heard that
firewalls aren’t effective anymore because so many things use port 80
to pass traffic; however, those situations are a small, small portion
of all the threats that exist from which a firewall can protect you. In
addition, when implementing an application-filtering firewall, you can
gain the ability to filter application content, identifying legitimate
web requests from illegitimate web requests. Finally, remember that a
firewall, although the best single choice you can make, is most
effective as a component of security, being complemented by an
intrusion detection/prevention system (IDS/IPS) and content filters.
Although many folks think of a firewall as something used to protect
their network from Internet-based threats, do not overlook the value of
using firewalls at other locations on your network. For example, you
can use a firewall on your WAN perimeter to filter traffic to and from
frame relay or point-to-point circuit connections across a public
internetwork. Likewise, you can implement a firewall to filter traffic
between internal LAN segments, protecting critical business resources
such as HR servers and application servers from unauthorized traffic.
There are a few types of firewalls to consider:
- Application proxies
- Stateful packet-inspecting/filtering gateways
- Hybrid firewalls
1. Application Proxies
Application proxies are identified by their ability to read and process
an entire packet to the application level and make filtering decisions
based on the actual application data, not just the packet header.
Application proxies receive all incoming packets and completely decode
them to the Application layer. The actual application data can then be
scrutinized to determine whether it is legitimate data. If this data is
legitimate, the firewall will rebuild the packet and forward it
accordingly. Because of this capability, application proxy firewalls
can apply a significant amount of intelligence before making a
filtering decision.
One drawback is that this type of filtering introduces latency to
network communications and requires significant amounts of processing
power. Another drawback is that unless the firewall has the proxy
capability for a given protocol or service, it might not be able to
facilitate communications with the given protocol or service. Secure
Computing Sidewinder G2, Microsoft’s Internet Security &
Acceleration (ISA) Server 2000, CyberGuard firewall/VPN appliances, and
Symantec Enterprise Firewall are examples of application proxy
firewalls.
2. Stateful Packet-Inspecting/Filtering Gateways
Packet-inspecting/filtering gateways are generally not able to process
the packet to the application level to make a filtering decision.
Instead, packet-inspecting/filtering gateways tend to process the data
to the Network/Transport layer and make filtering decisions based on
the protocol and port numbers contained in the packet header only.
Packet-inspecting/filtering gateways also typically implement a
stateful packet inspection model, which allows the firewall to maintain
a record of the state of all conversations occurring through the
firewall, automatically permitting responses for legitimate outbound
requests. iptables (with its connection-tracking module), SonicWALL,
Clavister, and many SOHO firewalls such as Linksys and D-Link are
examples of packet-inspecting/filtering gateways. Note that the older
Linux ipchains is a purely stateless filter: it has no memory of
conversations and can only admit return traffic through blanket rules
on ports and flags, which is exactly the weakness stateful inspection
removes.
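To make the stateless/stateful distinction concrete, here is an added example (it is not from this guide and is not any vendor's code). It models the classic stateless "established" rule beside a stateful conversation table and runs both over a few constructed packets, assuming an inside network of 192.168.1.0/24. The last packet is an unsolicited probe crafted with source port 80 and the ACK bit set: the stateless rule waves it through, the stateful table does not.

```python
"""
Stateless vs. stateful packet filtering, reduced to a toy model.

Added example, not from the original guide. Packets and rules are
constructed; real firewalls track much more (sequence numbers, FIN/RST
teardown, UDP pseudo-state, timeouts).
"""
from dataclasses import dataclass

INSIDE_NET = "192.168.1."        # assumption: the protected LAN, 192.168.1.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False

    def inbound(self) -> bool:
        """True when the packet arrives from outside the protected LAN."""
        return not self.src.startswith(INSIDE_NET)


def stateless_filter(pkt: Packet) -> bool:
    """Header-only rules with no memory of earlier packets.

    To let replies to outbound web requests back in, a stateless filter
    must permit any inbound packet with sport 80 and ACK set (the IOS
    'established' keyword). That rule is abusable: anyone can send ACK
    packets from source port 80 to any inside host and port.
    """
    if not pkt.inbound():
        return True                       # permit all outbound
    return pkt.sport == 80 and pkt.ack    # the "established" reply rule


class StatefulFilter:
    """Remembers outbound conversations and admits only their replies."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound():
            if pkt.syn:   # an outbound SYN opens a conversation entry
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound is permitted only if it answers a recorded conversation.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Run each packet through both filters; returns (stateless, stateful)."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.allow(p)) for p in packets]


# Constructed traffic: a web request and its reply, then a forged "reply".
SAMPLE = [
    Packet("192.168.1.10", "203.0.113.5", 40001, 80, syn=True),           # outbound SYN
    Packet("203.0.113.5", "192.168.1.10", 80, 40001, syn=True, ack=True),  # SYN/ACK reply
    Packet("198.51.100.9", "192.168.1.20", 80, 445, ack=True),            # unsolicited probe
]

if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={'permit' if a else 'deny'}  "
              f"stateful={'permit' if b else 'deny'}")
```

The third result is the whole argument for stateful inspection: a packet that looks like a web reply but answers no request of ours reaches port 445 on an inside host under the stateless rule and is dropped by the stateful one.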
3. Hybrid Firewalls
Most of the firewalls on the market today fall into the hybrid
category. Although they typically perform stateful packet
filtering/inspection for most filtering decisions, they have some
application proxy functionality built in for specific high-risk
protocols and services such as HTTP and FTP. Examples of hybrid
firewalls are Check Point Firewall-1 NG, Cisco Secure PIX, and
NetScreen Deep Inspection Firewall.
Which Firewall Should You Implement?
There is no right answer as to which firewall to use for your
environment. This is one of the rare cases when I really can’t give you
a definitive answer. You will need to make a decision based on your
requirements and your environment. For example, if you require
extremely high throughput, a packet-filtering firewall would be a good
choice to implement. If you are using standard protocols and require
the most rigorous application inspection, an application proxy would be
a good choice to implement. In some environments, you might even need
both—a packet-filtering firewall to perform initial packet inspection
on all traffic, and an application proxy behind that to perform the
more detailed application filtering. Regardless of which type of
firewall you decide is best for your environment, however, if you do
not currently have a firewall, make sure you get one. Any of the
firewalls mentioned are better than having none at all.
Implement Access Control Lists
Properly implemented access control lists (ACLs) on your routers
provide packet-filtering capabilities without the stateful
functionality of a full-featured firewall. Consequently, I think of
ACLs on routers as being part of a firewall system, where the router is
performing initial packet-filtering functionality in front of a
firewall that is providing the full-bore stateful filtering or
application proxy functionality.
Here are some types of access you should filter with your ACLs immediately:
- Block private and other non-routable source addresses at your perimeter. The RFC 1918 private ranges are:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  Also block 0.0.0.0/8 ("this network"), 127.0.0.0/8 (loopback), and 169.254.0.0/16 (link-local). These are not RFC 1918 space, but they should never arrive as a source address on your Internet-facing interface either.
- Block bogon addresses – The term bogon refers to packets addressed to/from a bogus network. Bogons represent the addresses that have not been allocated by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs) to Internet service providers (ISPs) or organizations for use. The current allocation status of each /8 can be found at http://www.iana.org/assignments/ipv4-address-space. Any entry marked "reserved" or "unallocated" should be blocked as a bogon. You will need to periodically update the bogons you are blocking because those addresses get assigned to legitimate ISPs and organizations for use; a stale bogon list silently blackholes a newly allocated block. Note that IANA's free pool of IPv4 /8s is now exhausted, so the unallocated portion of the list is small and most of the value lies in the special-purpose ranges above.
- Implement spoof protection – Deny inbound packets whose source address belongs to one of your own prefixes, and deny outbound packets whose source address does not. The first keeps outsiders from impersonating your hosts; the second keeps your network from being used as a launch point for spoofed attacks.
- Implement TCP SYN attack protection – Limit the number of half-open connections a device will hold for a given destination (on Cisco IOS, for example, with TCP intercept).
- Implement LAND attack protection – Drop packets whose source and destination addresses are identical.
- Implement Smurf attack protection – Disable IP directed broadcasts on every interface so your subnets cannot be used as amplifiers, and drop inbound packets addressed to your subnet broadcast addresses.
- Block multicast traffic if it is not needed.
- Implement ACLs to control access to the virtual terminal (VTY) lines (Telnet and SSH), and prefer SSH over Telnet, which sends credentials in the clear.
- Implement ACLs to control who can manage the router via SNMP.
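The following added example (not from this guide, and not any vendor's code) turns the perimeter items above into a small evaluator you can run against candidate packets before committing an ACL: it checks martian sources, ingress and egress spoofing, LAND packets and directed broadcasts, and emits the equivalent Cisco IOS extended ACL for the Internet-facing interface. The public prefix 203.0.113.0/24 and the sample packets are assumptions constructed for the example.

```python
"""
Perimeter anti-spoofing and martian filter as a small evaluator, plus a
generator for the matching Cisco IOS ACL.

Added example, not from the original guide. OUR_PREFIX and the sample
packets are constructed. ACL order matters: IOS evaluates entries top
down and stops at the first match, so the deny entries come first.
"""
import ipaddress

OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # assumption: our public block

# Addresses that must never appear as a source on the Internet-facing side.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this network"
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 (the /12, not a /20)
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast is never a valid unicast source
)]


def classify(src: str, dst: str, direction: str) -> str:
    """Return 'permit' or 'deny: <reason>' for a packet crossing the edge.

    direction is 'in' (arriving from the Internet) or 'out' (leaving).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in MARTIANS:
        if s in net:
            return f"deny: martian source {net}"
    if s == d:
        return "deny: LAND packet (src == dst)"
    if direction == "in":
        if s in OUR_PREFIX:            # nobody outside may claim our addresses
            return "deny: ingress spoof of our own prefix"
        if d == OUR_PREFIX.broadcast_address:
            return "deny: directed broadcast (Smurf amplifier)"
        if d not in OUR_PREFIX:
            return "deny: not addressed to our prefix"
        return "permit"
    if direction == "out":
        if s not in OUR_PREFIX:        # nothing leaves unless it is ours
            return "deny: egress spoof (source is not ours)"
        return "permit"
    raise ValueError(f"unknown direction {direction!r}")


def ios_ingress_acl(number: int = 101) -> list[str]:
    """Emit the equivalent IOS extended ACL for the Internet-facing
    interface (apply with 'ip access-group <number> in'). IOS wildcard
    masks are the inverse of the netmask, which ipaddress calls hostmask."""
    lines = [f"access-list {number} deny ip {n.network_address} {n.hostmask} any"
             for n in MARTIANS]
    lines.append(f"access-list {number} deny ip "
                 f"{OUR_PREFIX.network_address} {OUR_PREFIX.hostmask} any")
    lines.append(f"access-list {number} deny ip any host {OUR_PREFIX.broadcast_address}")
    lines.append(f"access-list {number} permit ip any "
                 f"{OUR_PREFIX.network_address} {OUR_PREFIX.hostmask}")
    return lines


# Constructed test packets: (source, destination, direction).
SAMPLE = [
    ("10.1.2.3", "203.0.113.10", "in"),          # RFC 1918 source from outside
    ("203.0.113.7", "203.0.113.10", "in"),       # outsider claiming one of our addresses
    ("198.51.100.4", "203.0.113.255", "in"),     # ping to our broadcast address
    ("198.51.100.4", "203.0.113.10", "in"),      # legitimate inbound
    ("198.51.100.77", "198.51.100.4", "out"),    # leaving with a source that is not ours
    ("203.0.113.10", "198.51.100.4", "out"),     # legitimate outbound
]

if __name__ == "__main__":
    for src, dst, direction in SAMPLE:
        print(f"{direction:>3} {src:>15} -> {dst:<15} {classify(src, dst, direction)}")
    print("\n".join(ios_ingress_acl()))
```

The SYN-flood item is deliberately absent from the generated ACL: a plain access list cannot count half-open connections, which is why that control lives in the stateful firewall or in a feature such as TCP intercept rather than in a router ACL.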
Turn Off Unnecessary Features and Services
One point of security that has been hammered on within the
desktop/server world is the need to turn off unnecessary services.
Unfortunately, people commonly overlook the fact that it is not just
the desktops and servers that are potentially running unnecessary
services—your network devices are also likely doing this. Here is a
list of services you should look for on your network equipment and turn
off if you are not actively using them:
- Cisco Discovery Protocol (CDP)
- TCP and UDP small servers
- Finger server
- HTTP server
- Bootp server
- Network Time Protocol (NTP) service
- Simple Network Management Protocol (SNMP) services
- Configuration auto-loading
- IP source routing
- Proxy ARP
- IP directed broadcast
- IP unreachable, redirects, and mask replies
- Router name and DNS name resolution services
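Checking a fleet of routers for this list by eye does not scale, so here is an added example (not from this guide, and not a vendor tool) that audits a Cisco IOS running-config for the services above. The sample config is constructed; the command names are classic IOS syntax and are assumptions where your platform or release differs. The auditor expects the negated form of each service to be stated explicitly, which is how a hardening template should be written: some of these services are off by default on newer releases and then do not appear in the config at all, so an absent line is reported as something to review rather than as proof the service is running.

```python
"""
Audit a Cisco IOS running-config for the unnecessary services the guide
lists. Added example, not from the original guide; the sample config is
constructed and command names are classic IOS syntax (an assumption for
other platforms and releases).
"""
import re

# Global commands whose negated form ('no ...') we expect to find.
GLOBAL_NEGATIONS = [
    ("CDP",                     "cdp run"),
    ("TCP small servers",       "service tcp-small-servers"),
    ("UDP small servers",       "service udp-small-servers"),
    ("finger server",           "ip finger"),
    ("HTTP server",             "ip http server"),
    ("BOOTP server",            "ip bootp server"),
    ("configuration auto-load", "service config"),
    ("IP source routing",       "ip source-route"),
    ("DNS name resolution",     "ip domain-lookup"),
]

# Commands that only exist when someone deliberately set the service up;
# report them so the owner confirms they are still needed.
GLOBAL_PRESENCE = [
    ("SNMP community configured",
     re.compile(r"^snmp-server community\b")),
    ("default SNMP community string (public/private)",
     re.compile(r"^snmp-server community (public|private)\b")),
    ("NTP service configured",
     re.compile(r"^ntp (master|server)\b")),
]

# Per-interface negations the guide calls out.
INTERFACE_NEGATIONS = [
    ("proxy ARP",          "ip proxy-arp"),
    ("directed broadcast", "ip directed-broadcast"),
    ("ICMP unreachables",  "ip unreachables"),
    ("ICMP redirects",     "ip redirects"),
    ("ICMP mask replies",  "ip mask-reply"),
]


def parse(config: str) -> tuple[set[str], dict[str, set[str]]]:
    """Split an IOS config into global lines and per-interface line sets.
    IOS indents interface sub-commands with one space; '!' lines are comments."""
    global_lines: set[str] = set()
    interfaces: dict[str, set[str]] = {}
    current = None
    for raw in config.splitlines():
        # Newer releases write 'ip domain lookup'; normalise to the older form.
        line = raw.rstrip().replace("ip domain lookup", "ip domain-lookup")
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                interfaces[current] = set()
            else:
                global_lines.add(line)
        elif current is not None:
            interfaces[current].add(line.strip())
    return global_lines, interfaces


def audit(config: str) -> list[str]:
    """Return one finding per missing negation or service needing review."""
    findings = []
    global_lines, interfaces = parse(config)
    for name, cmd in GLOBAL_NEGATIONS:
        if f"no {cmd}" not in global_lines:
            findings.append(f"global: {name} not explicitly disabled ('no {cmd}')")
    for name, pattern in GLOBAL_PRESENCE:
        if any(pattern.match(line) for line in global_lines):
            findings.append(f"global: {name}; confirm it is still required")
    for ifname, lines in interfaces.items():
        for name, cmd in INTERFACE_NEGATIONS:
            if f"no {cmd}" not in lines:
                findings.append(f"{ifname}: {name} not disabled ('no {cmd}')")
    return findings


# Constructed sample: the uplink is hardened, the inside interface and a few
# global services were forgotten, and SNMP still uses the 'public' community.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
!
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip source-route
no ip domain-lookup
snmp-server community public RO
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.1 255.255.255.0
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachables
 no ip redirects
 no ip mask-reply
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it over the output of `show running-config` captured from each device. Nine findings come back for the sample: CDP, the HTTP server and configuration auto-loading are not negated globally, SNMP is configured and still uses a default community string, and the inside interface is missing four of the five per-interface negations.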
Implement Virus Protection
Virus protection and implementing virus protection typically fall
within the realm of the server/desktop administrator. Indeed, in large
environments, if you are responsible for the network infrastructure,
you may never be involved in any virus-protection discussions.
Unfortunately, today’s worms and viruses are having a larger impact on
the network infrastructure, which means you need to become concerned
with the status of virus protection on your network. In addition, you
can install virus-protection gateway devices and virus-protection
applications in conjunction with your existing firewalls and gateways
to prevent viruses from entering your network. You should be involved
in advocating these systems being implemented.
The methods that many of the worms use to self-replicate (for example,
by scanning an entire subnet and attempting to connect to every IP
address on that subnet) have the uncanny ability to result in a denial
of service (DoS) on many routers. The reason for this is pretty
straightforward. When a router receives a packet destined for a subnet
that it is directly connected to, the router will generate an ARP
request for the destination MAC address. In the case of these worms,
often the destination is not online, but the router has no way of
knowing this and issues the ARP request anyway. The router then must
wait for a response, or wait for the ARP request to time out before it
can drop the packet in question. As the router gets hit with thousands
of these requests, it fills its buffers and input/output queues with
these packets waiting for the timeout periods to occur. Often this
consumes the entire free RAM on a router. The end result is that the
router starts dropping legitimate traffic because it cannot queue the
traffic, and/or the router will no longer accept VTY sessions because
it does not have enough free RAM to house those sessions. Both of these
circumstances result in a DoS against the router. In fact, when you
think about it, the way that these worms work is a great example of
just how effective a distributed denial of service (DDoS) attack can be.
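The sweep behaviour described above is visible in flow data long before the router runs out of buffers, so here is an added example (not from this guide, and not any product's detection logic) that picks out hosts touching many addresses in a subnet that never answer, and counts how many of those packets leave the first-hop router waiting on an ARP reply. The flow records, the live-host set and the thresholds are constructed assumptions; tune the thresholds to what is normal for your segments.

```python
"""
Detect worm-style subnet sweeps from flow records and estimate the
unresolved-ARP load they impose on the first-hop router.

Added example, not from the original guide. Flow records are
constructed; SWEEP_THRESHOLD and REPLY_RATIO_MAX are assumptions to
tune per environment.
"""
from collections import defaultdict
import ipaddress

SWEEP_THRESHOLD = 50    # assumption: distinct destinations per source per window
REPLY_RATIO_MAX = 0.2   # assumption: sweeps mostly hit addresses that never answer


def detect_sweeps(flows, threshold=SWEEP_THRESHOLD, reply_max=REPLY_RATIO_MAX):
    """flows: iterable of (src, dst, dport, answered) records.

    Returns {src: (distinct_destinations, unanswered_destinations)} for
    each source that contacted at least `threshold` distinct addresses
    and got answers from at most `reply_max` of them. A worm probing
    every address in a subnet looks exactly like this; a busy client
    talking to real servers does not, because its targets answer.
    """
    targets = defaultdict(set)
    answered = defaultdict(set)
    for src, dst, _dport, ok in flows:
        targets[src].add(dst)
        if ok:
            answered[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        n = len(dsts)
        if n >= threshold and len(answered[src]) / n <= reply_max:
            hits[src] = (n, n - len(answered[src]))
    return hits


def arp_pressure(flows, subnet, live_hosts):
    """Count packets the router must queue while it ARPs for addresses in
    `subnet` that no live host will ever answer. Each one sits in the
    input queue until the ARP request times out, which is the mechanism
    behind the router DoS the guide describes."""
    net = ipaddress.ip_network(subnet)
    return sum(1 for _src, dst, _dport, _ok in flows
               if ipaddress.ip_address(dst) in net and dst not in live_hosts)


# Constructed sample: 192.168.1.50 is infected and probes all of
# 192.168.2.0/24 on TCP 445; only two hosts there exist. 192.168.1.8 is a
# normal client reaching three real servers.
LIVE_HOSTS = {"192.168.2.10", "192.168.2.20"}


def build_sample():
    flows = []
    for i in range(1, 101):
        dst = f"192.168.2.{i}"
        flows.append(("192.168.1.50", dst, 445, dst in LIVE_HOSTS))
    for dst in ("192.168.2.10", "192.168.2.20", "203.0.113.5"):
        flows.append(("192.168.1.8", dst, 443, True))
    return flows


if __name__ == "__main__":
    flows = build_sample()
    for src, (n, dead) in detect_sweeps(flows).items():
        print(f"sweep from {src}: {n} destinations, {dead} never answered")
    print("packets parked on unresolved ARP for 192.168.2.0/24:",
          arp_pressure(flows, "192.168.2.0/24", LIVE_HOSTS))
```

The infected host is the only source flagged, and 98 of its 100 probes are addressed to hosts that do not exist, which is the router's ARP queue filling up in miniature. The same two numbers are what you would rate-limit on (per-source new-connection rate) and what an ARP-throttling or unreachable-host limit on the router is protecting.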
If you are not running virus protection on all your systems—Windows, Unix, Linux, and Macintosh based—you need to be.
Don’t forget your gateway virus protection when talking about
implementing virus protection on all your systems. This allows you to
catch and stop a significant amount of viruses attempting to enter your
network at your network ingress points. TrendMicro, Network Associates,
and Symantec all have gateway virus protection you can implement. Don’t
overlook the value of implementing virus protection on your gateways
and firewalls.
The only way to effectively prevent your network from being susceptible
to virus- and worm-based DDoS attacks is to keep the systems that
propagate the worms from being infected in the first place and to
attempt to prevent the viruses from entering your network to begin with.
Secure Your Wireless Connections
What you can do right now is to locate and remove all wireless access
points that you do not need or did not plan properly. This may sound
like a little bit of overkill, but it isn’t. If you have not developed
a wireless security plan and implemented your wireless network by
restricting IP addresses and implementing encryption and
authentication, you need to unplug everything and start all over again
building a secure wireless network. If you must run wireless, you can
do the following four tasks to harden your wireless network against
attack:
- Require a written wireless security policy that allows only IT-supported wireless products, implemented only by IT. If an employee goes out and buys the latest, cheapest personal wireless access point or router, that should be grounds for dismissal.
- Only allow authorized MAC addresses to connect to your wireless network. Treat this as housekeeping rather than as a security boundary: MAC addresses are transmitted in the clear and are trivial to spoof, so the list stops accidental connections, not a determined attacker.
- Require encryption. Use WPA2 or 802.11i (and WPA3 where your equipment supports it). WEP has been thoroughly broken and its key can be recovered from captured traffic in minutes; it is better than clear text only in that it stops casual eavesdropping, so treat it as a stopgap until the equipment is replaced, not as protection.
- Require authentication via 802.1X with RADIUS or certificates where your devices support it. A single shared secret key is the weakest option your devices offer, because every client carries the same key and it is rarely rotated when someone leaves.
Summary
Securing your network infrastructure is going to be a long process that
involves examining all your network infrastructure equipment and
evaluating what vulnerabilities exist as well as identifying how to
harden your equipment against those vulnerabilities. However, you can
undertake six tasks to start making an immediate impact on the security
of your network.
First, you must review your network design so that you know what you
are dealing with. This will serve as a roadmap of what needs to be
done. Next, you need to implement a firewall. A firewall is the best
thing you can introduce into your environment to address security.
After that, you should implement ACLs on your equipment. Restrict not
only the traffic that can pass through the system, but also who has
access to the system. At the same time, review all your network
equipment and ensure that any unnecessary services and features have
been turned off or disabled. Protocols like Spanning Tree Protocol are
very good at what they do, but if you do not need that functionality,
turn those features off. Although likely not in the realm of the
network infrastructure engineer, virus protection can make your life
much easier. Insist that virus protection be installed and configured
on all systems in your enterprise. Also, make sure there is a regular
schedule for updating the virus signatures and scanning engine to
protect against new viruses. Last but not least, secure your wireless
connections. Wireless today is really just an open door to your
network, inviting unauthorized access to anyone who happens to be in
range of your wireless access point. If you don’t need wireless access,
don’t use it. If you do, make sure you have properly secured your
wireless access points. If you aren’t sure whether your wireless access
points are secured, turn them off and start again.
Security is a complex process; however, these six tasks are all
relatively easy to perform and will make an immediate and noticeable
impact on your overall security posture.