Author: Bill Thomas, Config Toolbox LLC (configtoolbox.com)
Target Reader: Small/Mid Business Network Engineer
Securing your network isn’t easy, but you have no choice but to do it — and do it well.
Business networks are under attack constantly, averaging a breach every 60 seconds or less depending upon which statistical source you get your data from. With that amount of pressure the odds are against you, but you can win.
Hackers often use broadcast methods of attack rather than targeting someone specific, unless you are a high profile company or person. My blogs are intended for small/mid business networks, so the odds are in your favor that you won’t become a ‘targeted’ risk — but you can never assume and must always keep your defenses strong. Your risk is often from the inside rather than the outside — meaning, your users.
Whether your network is on-prem, cloud, or hybrid, you have an arsenal of options available to you. Let’s dig into some of those options.
Here we go —
Firewalls
Not shocking — Firewalls are your number one weapon for defending your network. They must be strategically placed, configured well, and monitored constantly with proactive logging and email alerts via syslog when something needs attention. They must also be configured with threat prevention, traffic decryption to allow inspection (excluding sensitive data), URL filtering, and malware protection. I recommend Palo Alto Networks for firewalls.
Internet Routers
Engineers often overlook the importance of protecting the Internet routers. After all, they are the closest device to your Internet connection and the first to see malicious traffic. You should set up an access list (ACL) on your external interface connecting to your Internet Service Provider (ISP). This ACL should block RFC1918 addresses, restrict ICMP (but not block all ICMP), restrict BGP neighbors to authorized peers only, block specific inbound ports you know will never be allowed, etc. Management access to the router also needs to be hardened, with logging and email alerts enabled via syslog. Lastly, ensure management access to the router uses a separate interface connected to a VLAN with strong security and limited access.
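One way to check an edge ACL against the points above, as an added example that is not part of the original post: it evaluates a constructed IOS-style ACL with first-match semantics against probe packets for RFC1918 sources, BGP peers and ICMP. The sample ACL, the addresses (documentation ranges) and all function names are assumptions for illustration; only the `any`, `host` and contiguous-wildcard address forms with a destination-port or ICMP-type qualifier are handled.

```python
import ipaddress

# Constructed sample: IOS-style extended ACL, inbound on the ISP-facing interface.
# 203.0.113.1 = BGP peer, 203.0.113.2 = this router; 192.168/16 deny left out on purpose.
SAMPLE_ACL = """\
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
permit tcp host 203.0.113.1 host 203.0.113.2 eq 179
deny tcp any any eq 179 log
permit icmp any any unreachable
deny icmp any any log
permit ip any any
"""

def take_addr(tok):
    """Consume one address spec: any | host A | A WILDCARD (contiguous masks)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    addr, mask = (tok[1], "32") if tok[0] == "host" else (tok[0], tok[1])
    return ipaddress.ip_network(f"{addr}/{mask}"), tok[2:]  # accepts a hostmask

def parse_rule(line):  # -> (action, proto, src_net, dst_net, qualifiers minus "log")
    tok = line.split()
    src, rest = take_addr(tok[2:])
    dst, rest = take_addr(rest)
    return tok[0], tok[1], src, dst, [t for t in rest if t != "log"]

def verdict(rules, proto, src, dport=None, icmp=None, dst="203.0.113.2"):
    """First matching rule wins; a packet matching none hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, q in rules:
        port_ok = q[:1] != ["eq"] or int(q[1]) == dport
        type_ok = rproto != "icmp" or not q or q[0] == icmp
        if rproto in ("ip", proto) and s in rsrc and d in rdst and port_ok and type_ok:
            return action
    return "deny"

PROBES = [  # (name, packet, verdict the policy in the text calls for)
    ("RFC1918 10/8 source", ("tcp", "10.1.1.1", 443), "deny"),
    ("RFC1918 192.168/16 source", ("tcp", "192.168.1.5", 443), "deny"),
    ("BGP from authorized peer", ("tcp", "203.0.113.1", 179), "permit"),
    ("BGP from unknown host", ("tcp", "198.51.100.7", 179), "deny"),
    ("ICMP unreachable", ("icmp", "198.51.100.7", None, "unreachable"), "permit"),
    ("ICMP redirect", ("icmp", "198.51.100.7", None, "redirect"), "deny"),
]

def audit(acl):  # names of probes whose verdict differs from the policy
    rules = [parse_rule(ln) for ln in acl.splitlines() if ln.strip()]
    return [n for n, pkt, want in PROBES if verdict(rules, *pkt) != want]
```

Running `audit(SAMPLE_ACL)` reports the missing 192.168.0.0/16 deny; adding that line ahead of the final permit clears the finding.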
Authentication, Authorization, and Accounting (AAA)
Many small/mid networks don’t use AAA, but you need to. AAA allows you to centralize management access to your network devices with detailed logging. This is accomplished by configuring a server that supports AAA, configuring it with user profiles, and then setting up each network device to use AAA for authentication rather than local device authentication. If your company is under audit/compliance requirements, then AAA is a must-do.
Syslog
Ensure that every network device is using syslog and sending to a centralized syslog server with detailed logging enabled, such as informational. You should save all logs for 6 months at minimum for audit/compliance; however, longer retention is preferred if you have the storage for it. You should also configure your syslog server to email you when certain events trigger, such as critical events.
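A sketch of the alerting decision described above, as an added example that is not part of the original post: it reads the severity from the syslog `<PRI>` header and from a Cisco-style `%FACILITY-SEVERITY-MNEMONIC` tag, takes the more severe of the two, and flags critical-or-worse lines for email. The thresholds, the choice not to retain debug, the function names and the sample lines are assumptions.

```python
import re

# Syslog severities: 0 emergency, 1 alert, 2 critical ... 6 informational, 7 debug.
ALERT_AT = 2   # email at critical or worse
STORE_AT = 6   # retain informational or worse; debug is not retained (assumption)

PRI = re.compile(r"^<(\d{1,3})>")                       # header value = facility*8 + severity
TAG = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+")     # e.g. %SYS-5-CONFIG_I

def severity(line):
    """Most severe (lowest) value found in the PRI header or message tag, else None."""
    found = []
    m = PRI.match(line)
    if m:
        found.append(int(m.group(1)) % 8)
    m = TAG.search(line)
    if m:
        found.append(int(m.group(1)))
    return min(found) if found else None

def triage(line):
    """Return 'alert', 'store' or 'discard'; unparseable lines are stored, not lost."""
    sev = severity(line)
    if sev is None:
        return "store"
    if sev <= ALERT_AT:
        return "alert"
    return "store" if sev <= STORE_AT else "discard"

# Constructed sample lines (hostnames, addresses and the EXAMPLE events are made up).
SAMPLE = [
    "<189>Jan  5 10:00:01 edge-rtr1 42: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<186>Jan  5 10:02:13 core-sw1 43: %EXAMPLE-2-PS_FAIL: Power supply 1 failed",
    "<191>Jan  5 10:02:14 core-sw1 44: %EXAMPLE-7-TRACE: trace message",
    "Jan  5 10:03:00 fw1 message without a priority header",
]

def alerts(lines):
    """Lines that should trigger an email."""
    return [ln for ln in lines if triage(ln) == "alert"]
```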
Network Gear Backups
Make sure that all network devices are backed up as changes are saved or once a day at minimum. This is good to do for any number of reasons, but becomes critical if you need to recover after something bad has occurred.
This list doesn’t encompass everything you should do, but it’s a good starting point to secure your network and see what is happening. Security is like an onion with many layers that make it whole, hence the phrase “security is defense in layers”. You will need to secure your network, servers, desktops, and applications using different methods to make your overall security posture whole. Config Toolbox is a core infrastructure company; however, we can still provide guidance in the other areas if you need help.
Let us know if you have any questions or need config guidance.
- Config Toolbox @ https://configtoolbox.com/contact-us
Copyright © 2024 Config Toolbox LLC - All Rights Reserved.