Saturday, January 10, 2015

10 Ways to Secure Your Internal Network


We see this often. On the outside, you have these imposing fortress walls. Once inside, there are no further defences and everything is wide open to attack. The same applies to networks as well. Once you get past the big imposing firewall, everything on the internal network or intranet is wide open to further intrusion.

So here are 10 ways to secure your internal network. These measures range from the simple to the more draconian.

1. Harden existing machines. Update OS patches as they become available. Keep anti-virus signatures updated at a reasonably high frequency. Nowadays commercial AV vendors push updates to clients multiple times per day. Even the free ones update once per day and that might be good enough for many cases.

2. Reduce the attack surface and minimize exposure by closing unused ports and shutting down unnecessary services. Case in point is the Asus wifi router infosvr issue where a service that wasn't really needed turned out to be a big security vulnerability.

3. Secure remote access protocols. At a minimum, enable Network Level Authentication if you are using Remote Desktop to remotely access other Windows machines. Also, ensure that a minimum set of users is allowed to remotely access these machines. Whether for Windows, Linux or any other OS, remote login is a powerful function. Hand this out only when needed.

4. Ensure encryption is turned on for network traffic wherever possible. This applies equally for client-to-server traffic as well as server-to-server traffic (such as application server to database server).

5. Optionally, go beyond simple encryption by turning on IPSEC with two-way certificates to defeat sniffing, spoofing and other impersonation attacks. Certificate management could be a problem as you would probably need to own an entire PKI (Public Key Infrastructure) setup for this.

6. Setup an intrusion detection system (IDS) to monitor network traffic. This is a given but it is easier said than done, as IDS systems tend to either generate too many or too few warnings and alerts. Tuning an IDS can turn out to be an exactingly fine art in itself.

7. Conduct regular vulnerability assessments. Just about the same network penetration testing tools are available to both attackers and defenders and many of them are free and open-source, so this is definitely doable. It just takes effort and time - or if you have to outsource this, it will take money. Quite a bit of money.

8. If you have a wireless segment, you can follow these 11 guidelines to secure wireless networks. In particular, disable over-the-air management of wireless AP's, and enable the highest encryption levels wherever possible. Whether this is WPA2 (Personal) with a suitably complex password, or going all the way to two-way WPA2 Enterprise with 802.11x EAP-TLS depends on your situation and level of security required.

9. If you are letting public visitors use your internet as a courtesy or as part of your legitimate business operations, use a guest wifi network separate from your internal network. Never shall the two mix.

10. Where possible, for your wifi network, find the setting for and enable AP isolation. This will invalidate certain classes of attacks on the WPA2 protocol on the internal side of the network.

0 comments:

Post a Comment

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More