Best practices are used to ensure networking devices and security appliances are protected from threat actors and cyber-attacks.
SNMP is a network protocol which is used to manage network devices.
SNMP is able to gather information about devices on a network.
SNMP is able to perform network monitoring and apply device configurations.
SNMP has 3 components: Manager, Agent and Management Information Base (MIB).
SNMPv1 - Has weak security features.
SNMPv2 - Has weak security features.
SNMPv3 - Supports encryption and authentication.
Router Advertisement (RA) is used in IPv6 to create a stateless configuration.
IPv6 clients on a network send Router Solicitation (RS) messages to search for any IPv6 routers on the network.
IPv6 routers respond to the Router Solicitation (RS) messages by sending Router Advertisement (RA) messages back to the clients.
Router Advertisement (RA) Guard is used to prevent a threat actor from sending unsolicited or spoofed Router Advertisement (RA) messages.
Router Advertisement (RA) Guard inspects and validates Router Advertisement (RA) messages.
Port Security is used to defend against a CAM table overflow attack.
Port Security is used to prevent an unauthorized device from connecting to the switch and the network.
Port Security filters frames by the source MAC addresses of the devices connecting to a switch.
Port security can be applied to Access or Trunk ports.
A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.
DHCP spoofing is dangerous because clients can be leased IP information such as malicious DNS server addresses, malicious default gateways and malicious IP assignments.
DHCP snooping builds and maintains a database called the DHCP Snooping Binding Database. This database includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number, and interface information on each untrusted switch port or interface.
DHCP snooping recognizes two types of ports:
Trusted DHCP ports - Only ports connecting to upstream DHCP servers should be trusted. These ports should lead to legitimate DHCP servers replying with DHCP offer and DHCP Ack messages. Trusted ports must be explicitly identified in the configuration.
Untrusted ports - These ports connect to hosts that should not be providing DHCP server messages. By default, all switch ports are untrusted.
Prevents man-in-the-middle attacks and eavesdropping
Prevents ARP poisoning and spoofing
Inspects the MAC addresses learned on an untrusted port and matches each one against the client's IP address.
Uses the DHCP snooping binding database as its reference for valid MAC-to-IP bindings.
Default rate limit is 15 packets per second on an untrusted port.
All ports are untrusted by default once the feature is enabled.
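The ARP inspection behaviour described above (trusted ports bypass inspection, untrusted ports are checked against the DHCP snooping binding database and rate-limited at 15 packets per second), as an added simplified model in Python. This is illustrative code written for these notes, not a vendor's implementation; the binding table, port names and ARP packets are all constructed.

```python
from collections import defaultdict

# Constructed DHCP snooping binding database, as described above:
# (client MAC, IP address, VLAN, interface) learned on untrusted ports.
BINDINGS = {
    ("aa:aa:aa:aa:aa:01", "10.0.10.11", 10, "Gi1/0/1"),
    ("aa:aa:aa:aa:aa:02", "10.0.10.12", 10, "Gi1/0/2"),
    ("dd:dd:dd:dd:dd:03", "10.0.10.33", 10, "Gi1/0/3"),
}
TRUSTED_PORTS = {"Gi1/0/24"}  # uplink towards the DHCP server; not inspected
RATE_LIMIT_PPS = 15           # default limit on untrusted ports

def inspect_arp(packets, bindings=BINDINGS, trusted=TRUSTED_PORTS, limit=RATE_LIMIT_PPS):
    """Return (allowed, dropped, errdisabled) for a list of ARP packet records.

    Trusted ports pass untouched. On untrusted ports a packet is dropped unless
    its sender MAC/IP/VLAN match a binding; a port that exceeds `limit` packets
    within one second is marked err-disabled and the excess is dropped.
    """
    valid = {(mac, ip, vlan) for (mac, ip, vlan, _iface) in bindings}
    per_second = defaultdict(int)   # (interface, second) -> packet count
    errdisabled = set()
    allowed, dropped = [], []
    for p in packets:
        iface = p["interface"]
        if iface in trusted:
            allowed.append(p)
            continue
        per_second[(iface, p["second"])] += 1
        if per_second[(iface, p["second"])] > limit:
            errdisabled.add(iface)
            dropped.append((p, "rate limit exceeded"))
            continue
        if (p["sender_mac"], p["sender_ip"], p["vlan"]) in valid:
            allowed.append(p)
        else:
            dropped.append((p, "no matching DHCP snooping binding"))
    return allowed, dropped, errdisabled

def arp(iface, mac, ip, vlan=10, second=0):
    """Build a constructed ARP packet record with only the fields inspected."""
    return {"interface": iface, "sender_mac": mac, "sender_ip": ip, "vlan": vlan, "second": second}

# Constructed sample: a legitimate reply, a host claiming the gateway's IP,
# the trusted uplink, then a 16-packet burst from a bound host in one second.
SAMPLE = ([arp("Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.10.11"),
           arp("Gi1/0/2", "aa:aa:aa:aa:aa:02", "10.0.10.1"),
           arp("Gi1/0/24", "cc:cc:cc:cc:cc:01", "10.0.10.1")]
          + [arp("Gi1/0/3", "dd:dd:dd:dd:dd:03", "10.0.10.33", second=1) for _ in range(16)])
```

Running `inspect_arp(SAMPLE)` shows the spoofed gateway claim dropped for lacking a binding, the uplink passed without inspection, and the burst port err-disabled on its 16th packet.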
This plane controls the entire network device and how it operates.
This is the brain of the device. Layer 2 and even Layer 3 forwarding mechanisms, routing protocols, IPv4 and IPv6 routing tables, Spanning-Tree Protocol (STP), and so on all exist in the control plane.
CoPP is used to protect the control plane on a networking device by dropping inbound unsolicited messages from threat actors.
A Private VLAN creates an isolated port/interface on the switch.
Devices that are connected to an interface associated with a Private VLAN are isolated to the port they are connected to.
Disabling unused or unneeded switchports simply means administratively shutting down those interfaces/ports on the switch to prevent an unauthorized device from connecting to the network and the switch.
Sometimes devices on a network run services which are not needed by clients. These services may be vulnerable, and a threat actor on the network may attempt to exploit the security vulnerabilities in those unneeded running services.
Disabling unneeded network services helps reduce the attack surface within an organization.
Default passwords are usually set on a device by the vendor to help consumers to easily access a device.
If a user does not change the default password on their device, a threat actor on the network can gain unauthorized access to the networking device by exploiting its default credentials.
Password complexity and length should always be enforced to ensure administrators and users create complex passwords, reducing the risk of a threat actor compromising users' passwords.
The Default VLAN is the primary VLAN which is loaded onto a managed switch after booting up.
A new out-of-box switch normally has all its ports assigned to VLAN 1 by default.
This means that if you connect multiple devices to any number of physical ports on the switch, by default all devices will be able to communicate with each other.
All ports are assigned to VLAN 1 by default.
The Native VLAN is VLAN 1 by default.
The Management VLAN is VLAN 1 by default.
VLAN 1 cannot be renamed or deleted.
Patch management involves the processes of distributing and applying updates to applications and devices.
Improves security
Helps with compliance
Additional features
Access control models allow a security professional to control the privileges of a user or system which is attempting to access a resource.
Organizations implement various access control models to prevent users from performing unauthorized actions or tasks on company-owned systems.
Access control models help security professionals enforce authorization policies within the organization.
This type of access control is based on your job role within an organization.
This model ensures a person with a certain job role has all the privileges he or she needs to perform that job efficiently.
Such access controls can be created using Group Policy Objects (GPOs) in a Windows Server environment.
Explicit deny - Traffic is denied by a specific rule created by the administrator on the firewall.
Implicit deny - Deny any traffic that is not explicitly allowed on the firewall.