In this blog I would like to share with you 10 best practices that you can use to mitigate malicious users and attacks on your network.
- Signature management – If you run an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System), you need to ensure that its signature databases are kept up to date. These databases hold the information that allows the system to recognise malicious traffic, so schedule regular time to confirm that they have the latest updates.
- Device hardening – This is where you apply a collection of best practices and recommendations to your network hardware to make it harder for malicious users to compromise. A simple example is to turn off the ability to connect to networking equipment via telnet and only allow access via SSH. Do your research and implement all of these best practices.
- Change your native VLAN – Most switches have a default native VLAN in which traffic between clients is sent untagged, without any VLAN information. If you leave the switch at this default and your clients are part of the native VLAN, anyone with physical access to the switch can plug a device in and gain access to the information passed across that VLAN. It is best practice to change the native VLAN to a different, unused VLAN and to create a separate VLAN for your production devices that the native VLAN cannot reach.
- Define privileged user accounts on your network devices – If a single account and password (including the enable secret) is used to log in to your network devices and has been given to all staff, then every time one of those staff members leaves the organisation you would need to change those login details. Creating a separate account for each user, each with the appropriate level of access, is a better practice.
- Role separation – If your IT department has members with different levels of technical ability, it's a good idea to separate the permissions given to each of these users. Grant granular permissions on your different systems based on the role of the user.
- Create a honeypot or honeynet – Create a separate network that is less secured than your production network and populate it with fake information and devices. This looks sweet to an attacker, and by drawing them into this distraction network you cause them to spend a large amount of time snooping around it for valuable information. You can then monitor this network to see what the attackers are looking for and which techniques they use to penetrate a network, and use that knowledge to better protect your live production network.
- Penetration testing, or pen testing – This is where you hire an external consultant who will try to gain access to your systems. The consultant then reports back on the vulnerabilities and security weaknesses found on your network.
- Turn on STP (Spanning Tree Protocol) – Not only do you need to protect your network from malicious activity, you must also protect it from outages and failures. Using STP you can protect yourself from link or switch failures caused by the unauthorised installation of new networking gear. Whether someone connects another switch to your network by accident or deliberately connects two switches together with two cables in the hope of introducing redundancy, the result can be a broadcast storm that brings down the links between the switches. Spanning Tree Protocol should always be configured on Cisco switches to prevent two switches connected in a loop from causing a broadcast storm.
- Enable Floodguard – Malicious users will often connect to a switch and start sending frames claiming to come from many different MAC addresses in an attempt to fill up the switch's MAC address table. Floodguard is a feature you will want to turn on to prevent this from happening. It sets a maximum number of MAC addresses that may be learnt on a switch port.
- DHCP snooping – When a computer boots up it sends a broadcast to find out whether a DHCP server is available from which to obtain an IP address. If a DHCP server other than your corporate DHCP server is connected to your network, a PC can potentially obtain an IP address from this rogue DHCP server, which can hand the client a rogue default gateway and allow its data to be captured. DHCP snooping is a feature you can configure on your Cisco switch to define which switch ports are trusted to have a DHCP server attached and which are not. You would typically trust only the port to which your DHCP server is connected and leave all other ports untrusted.
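As an added example that is not part of the original post, the following baseline Cisco IOS access-switch configuration implements the switch-side practices from the list above: SSH-only management (device hardening), per-user accounts with different privilege levels (privileged accounts and role separation), a relocated native VLAN, STP with BPDU guard, a per-port MAC address limit (on Cisco IOS switches the limit the author describes under "Floodguard" is configured with the port-security feature), and DHCP snooping with a single trusted uplink. Hostname, domain name, VLAN numbers, interface ranges, usernames and the `<...>` secrets are constructed placeholders, not values from the post; the `crypto key generate rsa` line is an exec-mode command included here to show the SSH prerequisite.

```cisco
! Added example, not from the original post. All names, VLAN numbers and
! interface ranges are constructed placeholders; adapt them to your network.
!
! --- Device hardening: manage over SSHv2 only, no telnet or HTTP ------------
hostname ACCESS-SW1
ip domain-name example.internal
! exec mode: generates the RSA key pair SSH requires
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server
service password-encryption
!
! --- Privileged user accounts and role separation ---------------------------
! One named account per person. Admins get level 15; junior staff get a
! limited level that can only view state. The enable secret is a fallback
! held by admins only, so a leaver never forces a shared-password change.
enable secret <ENABLE_SECRET_PLACEHOLDER>
username alice privilege 15 secret <ALICE_PASSWORD_PLACEHOLDER>
username bob privilege 5 secret <BOB_PASSWORD_PLACEHOLDER>
! Move read-only show commands down to level 5 so bob can troubleshoot
! without being able to change configuration.
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
line vty 0 15
 transport input ssh
 exec-timeout 10 0
!
! --- Native VLAN: move it off VLAN 1 and keep production traffic out of it --
vlan 10
 name USERS
vlan 999
 name NATIVE-UNUSED
! Tag the native VLAN on trunks so untagged frames are not silently
! accepted onto a production VLAN.
vlan dot1q tag native
!
interface GigabitEthernet1/0/48
 description UPLINK-TO-CORE
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 ! the corporate DHCP server is reached through this uplink only
 ip dhcp snooping trust
!
! --- Spanning tree: stop accidental loops and unauthorised switches ---------
spanning-tree mode rapid-pvst
! Any PortFast (edge) port that receives a BPDU is err-disabled.
spanning-tree portfast bpduguard default
!
! --- Access ports: per-port MAC limit (port security), edge STP, untrusted DHCP
interface range GigabitEthernet1/0/1 - 47
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 switchport port-security
 ! two addresses allows an IP phone plus the PC behind it
 switchport port-security maximum 2
 ! restrict: drop excess addresses and log, instead of shutting the port
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! cap DHCP requests per second to blunt DHCP starvation from a client port
 ip dhcp snooping limit rate 10
!
! --- DHCP snooping: only the trusted uplink may answer DHCP ------------------
ip dhcp snooping
ip dhcp snooping vlan 10
! Caveat: unless the upstream relay expects option 82, disable its insertion
! or clients behind the switch may be refused leases.
no ip dhcp snooping information option
```

After applying this, `show port-security interface`, `show ip dhcp snooping binding` and `show spanning-tree inconsistentports` are the commands to check that a port is being limited, that leases are only coming in via the trusted uplink, and that no edge port has been err-disabled by BPDU guard.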
This is a list of best practices for you to implement on your network, not only to protect it but also to make it more difficult for malicious users to do it harm.