This is the first of a six-part series discussing five basic network security principles (The Fab Five) that when implemented properly can significantly improve the security posture of any IT environment. The reality is, no matter how simple something is, it doesn’t mean that it is implemented properly or even at all. The best time to implement these principles is when starting a network or project from scratch. This is obviously not always an option as lot of us have walked into environment entrenched in misconfigurations and mismanagement where we couldn’t tell what was up and what was down. Given that reality, it only gets worse the longer you wait.
This article will provide a high-level overview of each of these principles. Over the course of the next few weeks, subsequent posts will take a deeper dive into their purpose and application.
Network Security Principle 1: Documentation
Everybody wants to be a bodybuilder, but don’t nobody wanna lift no heavy ass weight.
-Ronnie Coleman
I have a similar quote that I have used in my office in regards to engineers. “Everyone wants to be a network engineer, but nobody wants to do any real network engineering”. Documentation is the backbone of any good engineer. Guess what? The majority of folks don’t want to do it. It’s not fun, it’s not sexy, it’s tedious, and no one ever really sees it, so who cares. I’ve worked at places where there was no documentation when I showed up. It was horrific. You don’t know what exists, why things work or communicate the way they do, and what type of cascading impacts any modifications to your environment might cause.
I see necessary documentation broken down into a few high level different areas:
- IP/VLAN documentation
- Diagrams
- Dataflows
- Plans, Policies, and Procedures
- Configurations (baseline and/or backup)
Network Security Principle 2: Isolation
Isolation doesn’t bother me at all. It gives me a sense of security.
-Jimmy Page
Service isolation, putting only like devices/services in the same network segments or VLANs, does indeed provide a greater level of security. Some will say VLANs are not security. They are correct, by themselves with no further configurations or additional protections layered over them, they provide no additional security. However, what they do is provide the first step in segmenting your network. Once you have things grouped in a way that makes logical/business sense, you can then employ various other protections that meet the needs and requirements of those services. Without beginning with this type of isolation, it makes it near impossible to manage the other layers of security efficiently.
Network Security Principle 3: All Kinds of ACL’s
The “implicit deny” at the bottom of ACL’s is like gravity. You can’t see it, but you know it’s there.
– JBIZZLE703
Access control lists (ACL’s) that limit what type of traffic can be sent between hosts is one of the most basic and valuable tools we have in our network security toolbox. Often folks think of ACL’s from the perspective of a firewall protecting an internal network from the Internet. That is only one part of an all encompassing web of ACL’s that should be applied across your environment, including inter and intra VLAN ACL’s. A lot of folks don’t implement any ACL’s on their internal network. Without these in place, lateral movement between devices is almost inevitable.
Network Security Principle 4: Private VLANs
Without great solitude no serious work is possible.
– Pablo Picasso
We’ve already discussed quite a bit about the benefits of private VLANs here. You should really be using them in your toolbox of ways to limit lateral movement within a VLAN. They are easy to implement and to the uninitiated seem to have mystical powers.
Network Security Principle 5: Port Security
While port security remains one of our single greatest vulnerabilities, it makes little sense to give operational control of our ports* to a foreign nation without first doing proper investigations.
-Dave Reichert
*Applicable to both sea ports and physical switch ports ?
Implementing port security on switches, especially those that have connections to wall jacks in office buildings is paramount to ensuring that unauthorized devices don’t gain access into your IT environment. There are obvious challenges to this in organizations that are trying to support collaboration with outside vendors/partners and need to support on demand network access. However, even in those cases, there are configuration and architectural options available to protect the rest of the network from “dirty devices”.
The Wrap Up
Over the next few weeks, we’ll dig a bit deeper into each of these principles. I’ll provide a further breakdown and share some examples that can be used as jump point for getting started with each of these in your own environments.
Find out more about J.B.C.’s Cyber&Sight™ blog here.