In order to keep network secure, hardware and software are not just enough, implementing proper configuration and ongoing maintenance is important and define as network principles. The following are some of the Secure Network Administration Principles :-
Rule based management
It is a concept of controlling network communication and IT driven events through rule or filter based systems. Firewalls, IDS/IPS, router, proxies, anti-virus etc are examples of rule based security management tools. Each of these systems either allow or deny packet based on the rule and if any packet doesn’t matches the rule, then it is denied by default. This can also be stated white-list security management concept.In this concept, if any security event or activity doesn’t matches the rule, then by default it is denied. Zero-day attacks are been blocked using this white-list security management tools.
Firewall follows the first-match-apply rule system. The final rule of firewall is deny which is by default which means if there is rule doesn’t specifically allows or that was not explicitly denied by any rule then it is always block by default. Firewall is a great example of white-list security management tools. Firewalls can have separate inbound (Packets coming inside) and outbound (Packets leaving) rules depending on the type of firewall like stateful inspection firewall. One important aspects while implementing firewalls is to review each rule carefully since it might block useful packets or create any loopholes.
Virtual Local Area Network is a hardware implementation for segregating LAN using switches. By default all ports are assigned to VLAN 1, but network admin can change VLAN assignment on any port or group together ports to assign same VLAN. Main motive of VLAN is traffic management. Communication within VLAN is fast and there is no hindrance but communication between VLAN requires routing function. These routing functions are either provided by routers or special switches known as multilayer switches.
VLAN is used for controlling traffic for security and performance factors. Apart from this, they are used to isolate traffic from network segment. If we want to avoid certain VLAN to communicate then it can be achieve by not defining a route between them or by specifying filter between VLAN. VLAN should allow packets that are necessary but deny any unnecessary packet.
Secure router configuration
This is can be stated as any malicious or unauthorised changes in the route must be prevented and this can be achieve by following simple configurations:-
- Router access password should be secret and unique.
- Configure router to deny all Internet Control Message Protocol (ICMP) type 5 redirect messages.
- Make use of secure protocol for authentication and data encryption.
- Preconfigure IP address of trusted network through which packets would be exchanging.
- Configure management interfaces to work only on internal interface and make use of secure protocols.
Access Control List
ACL are use define who can be allowed or denied to perform a specific function.ACL are mostly applicable to object access but can be extended to communication as well. Most of the cases routers, switches, firewall make use of ACL as security management measure. All these rules are called as “Rules of ACL” or “Filters”. In terms of security control activity, ACL allows packets by exception and deny by default.
Port Security can refer to several things when considering IT. It can physical port such as Rj-45 on wall jacks such that no unauthorized access can be done through that open port. Any unused port can be locked down wiring closet and server vaults and then disconnecting the main workstation from the patch panel. Another smart way of achieving this to install smart patch panel which would monitor MAC address of the system which is connected to which empty port. In addition, it will also detect whether valid device is disconnected or replaced by an invalid device.
Another aspect of port security in terms of TCP management is checking for TCP and UDP ports. If a service is assigned to a port then port is active. All the other ports (TCP or UDP) are closed if they are not assigned with any services. Hackers can get information about what ports are open and what services are assigned by port scanning. Firewalls, IDS’s, IPS’s and other security tools can detect these scans and can either block them or feed them with false information thus leading to make port scanning less effective.
802.1x is a port bases security mechanism and based on Extensible Authentication Protocol (EAP). Commonly use for closed-environment wireless networks but can be also use for firewalls, proxies, VPN gateways etc where authentication is required. Consider 802.1x as an authentication proxy when wish to use existing authentication can be use rather than configuring another.
When 802.1x is used, it allows and deny a connection based on authentication of user or service. Initially 802.1x was used as compensation for weakness of Wired Equivalent Privacy (WEP) but now it is also as a component of many complex authentication system like Dial-In User Service (RADIUS), Diameter, Cisco System’s Terminal Access Controller Access-Control System Plus (TACACS+), and Network Access Control (NAC).
It is a mechanism that is use against massive DDOS attacks. Sole purpose of this mechanism is to to detect the activity and automatically begin blocking it. This would prevent malicious attack from been entering the network. Cisco IOS has floodguard command which is used to enable or disable flood defender (Cisco Solution for addressing flooding attacks).
A loop in the network is transmission pathway that repeat itself. The problem with loop is that it used network resources specially network throughput capacity. Loops mostly occur at layer 2 or layer 3 related to Ethernet or IP respectively. Ethernet level looping is overcome by using STP protocol which works at switches and bridges level. STP learns path through traffic management.
IP resolves looping using different technique.Instead of preventing the pathway of packet, IP controls the distance of packet and minimizes amount of looping. Control over IP packets is achieve with count down in IP packet header called TTL (Time To Live). Initial value for TTL is set based on the OS ( Windows set to 128 but older version of windows sets to 32. Linux system sets from 64-255 ). When ever packet is re-transmitted value is decreases by the router and when value reaches to 1,packet is discarded sends source with an error message (“ICMP Type 11—Timeout Exceeded”).
Implicit deny is a security stance which means that to resources is specifically not granted i.e. denied default. The default-deny is implicit in the permission management agreement and doesn’t needs to be defined.These is different as compared to firewalls, routers where default deny-all is the last rule. Implicit deny is the default response when an explicit allow or deny isn’t present,
Network Bridging can be a desired feature for network design. It is in expensive, transparent to layer 3+ protocols, maintains collision domain isolation, self-configuring and avoids 5-4-3 later 1 limitations. However, there are some drawbacks like can cause latency, doesn’t divide collision, don’t scale well and can result in loop. To overcome this Network Separation is the desired feature.
There are two ways of achieving this first is to implement IP subnets and use routers and second way to physically create 2 separate network that don’t need to communicate. Also can be accomplished by using firewalls by securing filters and traffic management.
Log analysis the the technique where reviewing of audit trails, log files or other form of computer generated records is required. This analysis is done for identifying policy violations, downtimes, malicious events or other concerned issues. Log analysis should be regularly done in active network environment. Some log analysis can be done automatically by different engines like IDS, IPS but apart from this manual log analysis is also required as well.
Unified threat management
Also known as All in One Security Appliances hardware designed to work in between private network and internet.It is used to filter the traffic entering and leaving the network.They are implemented to perform firewall, IDS, IPS, to provide DDOS protection, spam filtering, virus scanning ,web filtering and tracking activity. Some unified threat management tool also work on server side to maintain web applications and wireless security features. For small companies a product that provides all in one feature is cost saving factor but for large scale companies it is not a optimum choice.