As IT professionals, our goal is to remain transparent to the end users of our company. All too often, while we are trying to keep up with the demands of the environment, we neglect one of the most important elements in IT security: maintenance. When we first design our networks, we design them for security, efficiency, and redundancy. Most of those design elements don’t change over time. But many parts of a network need constant attention to maintain a high level of security. So, what are the top eleven tips to keep your network secure?
1. Anti-Virus and Anti-Malware
This one is a no-brainer. Every company needs some type of malware protection. Even a free version of anti-virus can have a real impact. Anti-virus needs to be installed on all devices that are capable of running it. A simple anti-virus program is capable of mitigating the vast majority of threats. Active monitoring ensures each machine is staying updated and compliant.
It is important to stay current on operating system and firmware upgrades. The only exception is when an update can break the functionality of a piece of hardware or software. Updates should be managed by a network resource to ensure compliance and relieve network utilization. Windows updates can be managed by a WSUS (Windows Server Update Services) or SCCM (System Center Configuration Manager) server. Third party utilities provide a way to manage network device firmware and configurations. These centralized management solutions offer reporting on compliant devices and errors encountered.
3. Policies and Procedures
Every company should have an Acceptable Use Policy (AUP) for its employees to review. An Acceptable Use Policy should include information security guidelines detailing acceptable uses of the network, including the websites an employee is permitted to visit. An AUP almost always mentions, in some form, that company devices are not to be used for any personal business.
Other policies should include the following:
- Guest Access or Personal Equipment Policies
- Incident Response Procedure
- Documents Standardizing Usage Policies
First, these documents serve as liability coverage for an employer. Second, they inform employees that their employer is paying attention to their activities. Third, they acknowledge that the employer will curb any nefarious activities such as downloading illegal material or visiting questionable websites.
4. Email and Website Filtering
Using software to scan for malware on computers is important. But there are devices that can block malicious software before it even reaches the computer. Email scanning and Web filtering are components of network security that monitor, in real time, incoming email attachments, messages, and websites that may contain embedded malicious software. Also, administrators are capable of filtering websites by subject matter, such as gambling, video streaming, and online shopping, among others.
Many people don’t think about backups as a security process or a security risk, but they are both. It is important to back up all your information including device configurations and firmware versions. But most people don’t consider making sure the backup data is secure. Access to backup data would provide an intruder with all the data and device configurations. Backups should be encrypted on a secure system with limited access.
Firewalls are an important part of an initial network design. They need regular maintenance to ensure optimum operation. Networks change over time including our Internet facing parts of the network. It is important that regular firewall maintenance is performed. First, regular firewall maintenance ensures old rules that are no longer needed are removed. Second, this process removes any old user accounts and configurations. Some examples include:
- Local VPN Accounts
- Site to Site VPN Accounts
- Old NAT (Network Address Translation) Rules
- Old Access Rules
Any configurations that are not being used should be disabled or removed to ensure maximum security.
7. Security Scans
A security scan is exactly what hackers do to your network before a big attack. Network scanning can reveal security problems and interesting information for a network administrator to review. Scanning sends requests to servers through every available path. When a server responds, you learn what service is responding and many times, which versions. If I send a request to a server on port 80 and it responds, I would then know that a web server is running. If I look a little deeper, I can tell if it is a Microsoft IIS server or a Linux server running Apache. Further still, I can identify the version. And when I know that, I know which vulnerabilities I can exploit.
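The version disclosure described above can be checked from the defender's side. The following is an added example, not part of the original article: it parses HTTP response headers collected from your own servers and reports which ones reveal a product and version. The hostnames and responses are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample responses, as a scan of your own hosts might record them.
# Hostnames and versions are made up for illustration.
SAMPLE_RESPONSES = {
    "web01.example.internal": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n",
    "web02.example.internal": ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                               "X-Powered-By: PHP/7.4.3\r\n\r\n"),
    "web03.example.internal": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "web04.example.internal": "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
}

# Response headers that commonly carry product and version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")   # e.g. Apache/2.4.41
BARE_VERSION = re.compile(r"^\d+(\.\d+)+$")           # e.g. 4.0.30319

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:               # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def version_disclosures(raw):
    """List (header, product, version) tuples that expose a version."""
    found = []
    headers = parse_headers(raw)
    for name in DISCLOSING_HEADERS:
        value = headers.get(name, "")
        tokens = TOKEN.findall(value)
        if tokens:
            found.extend((name, product, ver) for product, ver in tokens)
        elif BARE_VERSION.match(value):
            found.append((name, name, value))
    return found

def audit(responses):
    """Map each host to the version strings it gives away."""
    return {host: version_disclosures(raw) for host, raw in responses.items()}

if __name__ == "__main__":
    for host, leaks in audit(SAMPLE_RESPONSES).items():
        print(host, leaks or "no version disclosed")
```

Hosts that report only a product name, or no `Server` header at all, come back with an empty list; the others are candidates for suppressing the version string and for checking patch level.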
Designing a secure environment from the start is a huge step for security. But as we all know, many changes happen, and they happen often. It is a good idea to set up an annual review of your organization. The annual review will ensure that your environment stays secure. The process increases the situational awareness of your network engineers and administrators. An audit can be broken down into a few categories:
- Policy and Procedure Audit: Policies don't need frequent change. But with the adoption of new technologies into the organization, it may be necessary to add new policies. Reviewing existing policies ensures they are relevant and aligned with organizational security outlook.
- Systems Audit: A systems audit usually focuses on servers and their configurations. The audit includes any domain services such as Active Directory. As such, any group policies that are enforced need to be reviewed. User accounts should be checked to ensure former employees no longer have access to resources. It is important to make sure that old operating systems are decommissioned when they are no longer needed. Aging hardware should be replaced or discarded.
- Network Audit: A network audit is going to focus on your network devices and their settings. Making sure firmware is up to date is as important as running Windows updates. A yearly or even a quarterly audit of firewall rules is recommended. Documenting a business case for each rule is a good idea to speed up the audit process.
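The firewall cleanup described in the firewall maintenance section and the rule audit recommended in the Network Audit item can be partly automated. The following is an added example, not part of the original article: it reviews a rule export and flags entries that have not matched traffic recently or that lack a documented business case. The CSV layout, column names, rule names and the 90-day threshold are assumptions; real firewalls export this information in vendor-specific formats.

```python
import csv
import io
from datetime import date

# Constructed export. Columns are hypothetical: rule name, kind of entry,
# date the rule last matched traffic (empty = never), documented business case.
RULES_CSV = """name,kind,last_hit,business_case
allow-web-inbound,access,2024-05-28,Public website
nat-old-mailserver,nat,2022-11-03,
vpn-site-branch2,site-to-site-vpn,,Branch office link
vpn-local-jdoe,local-vpn,2024-05-30,
"""

def review_rules(csv_text, today, max_idle_days=90):
    """Return {rule name: [reasons]} for rules that need a human decision."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if not row["last_hit"]:
            reasons.append("never matched")
        else:
            idle = (today - date.fromisoformat(row["last_hit"])).days
            if idle > max_idle_days:
                reasons.append(f"idle {idle} days")
        if not row["business_case"].strip():
            reasons.append("no business case")
        if reasons:
            findings[row["name"]] = reasons
    return findings

if __name__ == "__main__":
    # Fixed review date so the sample output is reproducible.
    for name, reasons in review_rules(RULES_CSV, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(reasons)}")
```

A flagged rule is a prompt for review, not an automatic deletion: a rule that rarely matches may still be needed, which is what the documented business case is there to settle.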
9. Intrusion Detection and Prevention
Intrusion detection and prevention systems (shortened to IDS/IPS) are specialized devices that look at patterns of traffic at all levels of communication, where a firewall enforces rules on a per packet basis. IDS/IPS systems used to be expensive and only for the big companies. Nowadays, the systems are getting less expensive. It’s important for small and medium businesses to know about IDS/IPS systems, so they can implement these features in their networks.
New generations of these technologies are making administration and reporting easy. These devices will pay for themselves many times over.
10. Log Aggregation and Analysis
Keeping logs is easy to do. Making sense of those logs is a completely different story! Depending on your applications and budget, several vendors have great solutions for log aggregation. The most expensive and featured options are capable of intelligent grouping of events to give you a timeline for a specific event. Being able to track changes or review events can be quite valuable for root cause analysis and accountability.
Documentation may not seem like a security measure, but being able to access critical information on time is. Good documentation includes network topology, contact information for hardware vendors, and any rules that may have an impact on the network flow. Network documentation streamlines troubleshooting and remediation processes.
Network Is an Ever-Changing Environment
As any administrator will attest, a network is an ever-changing environment. Standard procedures ensure the ongoing security of a network. A daily routine that includes checking in on your network configurations and design will maximize network security. Above that, you will be able to foresee problems before they get big enough to cause major issues.
Networks, like cars, require regular maintenance to perform at their best. If neglected, they will deteriorate.
Senior Network Engineer | AfidenceIT