Monday, March 4, 2024

The Complete Guide to Network Equipment Vulnerability Assessment Criteria: An Essential Checklist from a Security Expert

In today's rapidly evolving digital landscape, the security of network infrastructure and the robustness of network devices against vulnerabilities have become paramount for organizations worldwide. 

With cyber threats becoming more sophisticated and pervasive, it's essential to understand the standards for assessing vulnerabilities in network equipment. 

This guide aims to provide a comprehensive overview of the criteria for evaluating network infrastructure security and the vulnerabilities of network equipment. 

By equipping yourself with this knowledge, you can keep your network resilient against changing threats and safeguard your organization's data and assets.



1. Criteria for assessing network infrastructure security vulnerabilities


Configure network line (ISP) redundancy

  • If the network (ISP) line is a single link, configure a redundant line, since a failure of the only line would cause a service outage.


Configure network equipment redundancy

  • Ensure that network equipment is configured redundantly, since a single-device configuration risks a service outage when that device fails.


Configure information security system redundancy

  • Check whether the information security system is configured redundantly, since a single-device configuration risks a service outage when that device fails.

Configure critical server redundancy

  • Check whether critical servers are configured redundantly, since a single-server configuration risks a service outage when that server fails.

Existence of aging equipment past software and hardware end of support (EOS)

  • Check for aging equipment that has reached end of support (EOS): without vendor support for its software and hardware, the equipment can degrade or fail unexpectedly, and newly discovered vulnerabilities will not be patched.

Existence of separate zones for recovery in the event of a disaster or failure

  • Check whether network zones such as a disaster recovery center or backup center are in place for emergencies such as disasters or failures.

Configure network segregation by business characteristics

  • Check that network segments are appropriately segregated by business characteristics, as a lack of segregation could potentially expose the entire network to risk in the event of a breach.

Configure network segregation between dev/test and production networks

  • Development and test (verification) servers are often configured with weaker security settings than production servers and may fall outside the coverage of the information security system, so check whether these segments are separated from production and operated separately.

Control user access to critical server sections

  • If access from user devices to the critical server segment is not controlled, the segment is exposed to unauthorized access and malware, so check that user devices reaching critical servers are restricted to access that matches the user's authorization.

Control access between separate network segments

  • Ensure that appropriate access controls are in place with least privilege policies to prevent unauthorized access between segregated network segments based on the nature of the business.

Presence or absence of security policy-unenforced bypass routes

  • Check for bypass routes from segregated network segments to uncontrolled network connection points where the security policy is not enforced.

Lack of access control to unnecessary sections of the external communications network

  • Check whether any segments or systems other than the DMZ (the only segment that should accept connections from the external network) are directly reachable from outside because of inadequate access control.

Internal Communications Network Public IP Usage Controls

  • Check whether unnecessary public IPs are assigned to the internal communication network because public IPs are directly accessible from the outside and may allow inappropriate access.

Whether external network access is blocked for information systems (servers, DBs) located in the internal segment

  • If internal servers can reach the external network, there is a risk of information leakage or malware infection, so check whether information systems in the internal segment are allowed to access the outside.

Adequacy of access control to external and internal communication networks (groupware, etc.) from critical devices

  • Access to the external network from critical devices risks malware infection and the leakage or destruction of important information, so check that such access is controlled.

Whether failures are recognized and a response plan is in place

  • Check whether a monitoring system is in place to immediately recognize and respond to failures, as it is difficult to immediately identify and respond to failures if the person in charge is not aware of them.

Appropriateness of intrusion detection system configuration for each network segment

  • Check for segments without coverage, since intrusion attempts and abnormal traffic cannot be detected where the per-segment intrusion detection system is missing or installed in an inappropriate location.

Appropriateness of DMZ configuration for servers (such as web servers) that communicate with the external network

  • Check whether public-facing servers that belong in the DMZ are located in the internal segment, since a compromise of such a server could spread to the entire internal segment.

Appropriateness of security settings for network management system activity history, log management, and user rights settings

  • Improper permission settings on the network management system risk exposing important information to unauthorized persons, and inadequate activity-history and log management makes it difficult to identify the cause of a failure.


2. Criteria for assessing network equipment security vulnerabilities


Whether network equipment settings are backed up

  • To ensure that the equipment can be quickly restored to normal operation in an emergency such as a failure or outage of network equipment.

Set SNMP Community Name Complexity

  • When setting the SNMP Community String, set it to comply with complexity to ensure that it is not easily inferred by unauthorized parties.

Set SNMP community permissions

  • Set the SNMP Community String permission to Read Only (RO) to ensure that unauthorized parties cannot change network configuration information even if they capture the Community String.

Set up SNMP access control (ACL)

  • Set up SNMP access lists (ACLs) to limit the exposure of network information, such as blocking SNMP access from unauthorized parties.

Block external interface SNMP access

  • Apply access list (ACL) blocking settings for SNMP service ports on the external interface of network equipment to restrict access by unauthorized users.

Whether local users are created and permissions managed

  • Create local user accounts, with appropriate permissions, for device access to block access by unauthorized persons.

Whether enhanced authentication (AAA) is used

  • Enable Authentication Authorization Accounting (AAA) authentication for device access to prevent unauthorized access.

Using duplicate weak passwords

  • Check for duplicate passwords used by users, administrators, etc. as duplicate passwords can lead to account information leakage by unauthorized persons.

Whether enable secret is set

  • Encrypt the enable password, which is otherwise stored in plain text, so that it cannot easily be recovered by unauthorized parties if the network equipment configuration is exposed.

Whether a secure encryption algorithm is set

  • Encrypt user and administrator passwords to make it difficult for unauthorized parties to identify passwords on the device if the network device configuration file is exposed to the outside world.

Set password complexity

  • Enforce a password complexity policy so that attackers attempting to gain access to network equipment cannot easily guess passwords.

Remote management access control

  • To prevent unauthorized users from accessing network equipment remotely.

Whether a session timeout is set

  • Check whether an automatic timeout is set for sessions that are inactive for a certain period of time to prevent unauthorized use of the system in the user's absence, and if so, check whether the session timeout is excessive.

Using insecure protocols (such as TELNET) for VTY connections

  • Use encryption protocols when accessing network equipment via a remote terminal (VTY) to prevent plain text data from being exposed to attackers by network sniffing attacks.

Whether unnecessary auxiliary input/output ports (AUX) are blocked

  • Disable unused I/O ports to prevent access by unauthorized parties.

Whether unnecessary source routing is blocked

  • Source routing lets the sender specify the path a packet takes instead of following the routing table; disable it so that unauthorized parties cannot exploit it for attacks.
  • Check the settings on your router or switch to ensure that the IP source routing option is disabled.
  • For Cisco equipment, check that the no ip source-route command is included in the configuration file (config).

Whether Proxy ARP blocking is enabled

  • Block Proxy ARP, because unauthorized parties can forge packet addresses to trigger Proxy ARP requests and use the responses to learn information about the router and network.
  • If Proxy ARP is enabled, you must disable the feature. For Cisco equipment, you can disable Proxy ARP using the no ip proxy-arp command in interface configuration mode.

IP Directed Broadcast blocking check - IOS 11

  • Disable IP Directed Broadcast to block DoS attacks (such as Smurf attacks).
  • Connect to the router, and verify that IP Directed Broadcast is disabled. On routers running Cisco IOS 12.0 or later, IP Directed Broadcast is disabled by default; however, on routers running IOS 11.x or earlier, you might need to manually disable it.
  • On Cisco routers, you can disable IP Directed Broadcast by using the no ip directed-broadcast command in interface configuration mode.

Whether unnecessary services are running

  • Remove services that are not required for operations, since unnecessary services expose the device to avoidable attacks.

NTP settings and time synchronization

  • To keep the system time accurate so that logs can be analyzed accurately when an event occurs.

Enable logging

  • To enable monitoring for network equipment operation and security

Whether timestamps are set for logging messages

  • To include the exact time in log messages to enable analysis of the attack.

Whether the logging buffer size is set

  • Cisco routers store log messages in a memory buffer, and you can set the size of the buffer to a certain level for debugging or monitoring purposes.

Set up remote log server integration

  • Install a remote log server and keep separate log files there, since storage for logs on network devices is limited and logs on the device may be deleted.

Setting console logging levels

  • To prevent unnecessary log message output, as sometimes log messages are only output to the console and are not operationally necessary.

Setting up ingress filters on external interfaces

  • Setting up an ingress filter on an external interface to filter packets entering the internal network

Set up an egress filter on an external interface

  • Set an egress filter on an external interface to filter packets sent from the inside to the outside

Setting up anti-spoofing filters

  • To block spoofing attacks by filtering incoming packets on the external interface using the internal network IP band as the source IP.

Setting up IP multicast blocking

  • If IP multicast is not enabled, filter multicast packets to prevent them from being exploited in attacks.
  • To verify that multicast is enabled, use commands that look up the relevant settings. For example, on Cisco devices, you can use the show ip multicast routing command.

Setting up ICMP blocking

  • Block ICMP packets from outside to inside to prevent internal information from being leaked and to prevent denial-of-service attacks, etc.

Setting up ICMP redirect blocking

  • To prevent routing table changes by blocking ICMP redirect packets on external interfaces

Setting up ICMP unreachable blocking

  • To prevent ICMP unreachable messages from revealing, during a scan, whether particular ports on the network equipment are open or closed, and from being exploited for DoS attacks.

Setting up ICMP mask-reply blocking

  • To block the ICMP mask-reply service to prevent network configuration information from being exposed to unauthorized parties.

Set ICMP Timestamp, Information Requests blocking settings

  • Block ICMP Timestamp, Information Requests to prevent network information from being exposed to unauthorized parties.
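The anti-spoofing, IP multicast and ICMP items above together describe one ingress filter on the external interface. As an added example (not the post's own code), the Python below models that policy as a decision function over constructed packet headers and renders the equivalent Cisco IOS extended ACL. The internal prefixes, the `Packet` class, the two extra bogon source ranges (0.0.0.0/8 and 127.0.0.0/8) and the mapping of the mask-reply item to dropping inbound address-mask requests (ICMP type 17) are assumptions of this example.

```python
"""Ingress-filter policy for an external (ISP-facing) interface.

Added example, not from the original post. Prefixes and packets below are
constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed internal address space: must never arrive as a source from outside.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "10.0.0.0/8")]
# Assumed extra bogon sources that a public interface should also drop.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "127.0.0.0/8")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# ICMP types the checklist blocks inbound, mapped to the IOS ACL keyword.
# Type 17 (mask request) is assumed here as the inbound side of "mask-reply".
BLOCKED_ICMP = {5: "redirect", 13: "timestamp-request",
                15: "information-request", 17: "mask-request"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None


def ingress_verdict(pkt: Packet, multicast_enabled: bool = False,
                    allow_other_icmp: bool = False) -> str:
    """Return 'permit' or 'deny: <reason>' for a packet entering from outside."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(src in net for net in INTERNAL_PREFIXES):
        return "deny: spoofed internal source"
    if any(src in net for net in BOGON_SOURCES):
        return "deny: bogon source"
    if dst in MULTICAST and not multicast_enabled:
        return "deny: multicast not enabled"
    if pkt.proto == "icmp":
        if pkt.icmp_type in BLOCKED_ICMP:
            return f"deny: icmp {BLOCKED_ICMP[pkt.icmp_type]}"
        if not allow_other_icmp:               # checklist: block ICMP outside-to-inside
            return "deny: inbound icmp"
    return "permit"


def render_cisco_acl(name: str = "EXT-IN", multicast_enabled: bool = False,
                     allow_other_icmp: bool = False) -> List[str]:
    """Render the same policy as an IOS extended ACL (wildcard masks from hostmask)."""
    lines = [f"ip access-list extended {name}"]
    for net in INTERNAL_PREFIXES + BOGON_SOURCES:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    if not multicast_enabled:
        lines.append(f" deny ip any {MULTICAST.network_address} {MULTICAST.hostmask}")
    for keyword in BLOCKED_ICMP.values():
        lines.append(f" deny icmp any any {keyword}")
    if not allow_other_icmp:
        lines.append(" deny icmp any any")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    # Constructed sample packets arriving on the external interface.
    samples = [
        Packet("192.0.2.77", "203.0.113.2", "tcp"),          # spoofed internal source
        Packet("198.51.100.9", "192.0.2.10", "icmp", 5),     # ICMP redirect
        Packet("198.51.100.9", "224.0.1.1", "udp"),          # multicast destination
        Packet("198.51.100.9", "192.0.2.10", "tcp"),         # ordinary inbound TCP
    ]
    for pkt in samples:
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}: {ingress_verdict(pkt)}")
    print("\n".join(render_cisco_acl()))
```

Deny entries for spoofed sources come before the ICMP rules because an IOS ACL is evaluated top-down and the first match wins; the trailing `permit ip any any` stands in for whatever service rules the real interface needs.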

Set up filtering to block denial-of-service (DDoS) attacks

  • To block ports where denial-of-service attacks can occur

Availability of the latest/urgent security patches and updates

  • To ensure that the latest version of the network equipment operating system and the last released security patches have been reviewed (including testing against stable versions of the operating system and the latest security patches) and implemented

Whether command execution permissions are restricted

  • Assign privilege levels per command so that sensitive commands require privilege Level 15, preventing users without that level from executing them.

Set a warning message at logon

  • To display an appropriate warning message via banner to users accessing the router

Whether TCP keepalives are enabled

  • Enable TCP keepalives so that a session whose remote user has disconnected is torn down, preventing hijacking of the stale session and ensuring that sessions terminate normally.

Disable unused interfaces

  • To prevent unauthorized persons from obtaining network information and causing disruptions to communication equipment through unused interfaces.

Hardening switch hub security

  • Security settings to prevent network traffic from being exposed to or tampered with by unauthorized parties

Whether passwords are periodically changed and managed

  • Check whether the passwords of network equipment accessors are changed/managed periodically as there is a threat of password theft due to password dictionary attacks if the password is not changed for a long period of time.

Whether vulnerable services are running

  • Check whether vulnerable services* are running as there are threats such as equipment information exposure and transmission information exposure if vulnerable services are running.
    * CDP, LLDP, TFTP, Finger, identd, Smart Install, etc.


#NetworkSecurity #CyberSecurityTips #VulnerabilityAssessment #TechSafety #DigitalDefense #InfoSec #CyberThreats #SecureNetworking #ITSecurity #NetworkInfrastructure
