What Are Network Infrastructure Devices?
Devices that are part of the network infrastructure transmit the communications required for data, applications, services, and multi-media. The majority or all network traffic must pass through routers, firewalls, switches, servers, load balancers, intrusion detection systems, domain name systems, and storage area networks, making them prime targets for malicious cyber actors. The management of hosts and services by organizations using legacy protocols facilitates successful credential harvesting by malicious cyber actors. A network's routing infrastructure is essentially at the control of whoever manages the network's data flow.
What Security Risks Do Network Infrastructure Equipment Face?
- Many network devices are not kept up to the same security standards as general-purpose computers and servers once they are installed.
- Few network devices run antivirus, integrity-maintenance, and other security measures to protect general-purpose hosts, such as small office/home office and residential class routers.
- These network devices are created and distributed by manufacturers with exploitable services enabled for simple setup, use, and maintenance.
- Network device owners and operators frequently fail to alter vendor default settings, make the devices operationally hard, or apply regular patches.
- Once a piece of equipment is no longer being supported by the manufacturer or vendor, internet service providers are not permitted to replace it on the customer's property.
- When they check into cyber attacks, seek for intruders, and restore general-purpose hosts, owners and operators sometimes ignore network devices.
How Can Network Infrastructure Devices’ Security Be Strengthened?
To increase the security of their network infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) advises users and network managers to put the following recommendations into practice:
- Network and function division and segmentation.
- Keep lateral communications to a minimum.
- Strengthen network hardware.
- Access to infrastructure devices is secure.
- Out-of-band (OoB) network management is carried out.
- Verify the hardware and software's integrity.
Networks and Functions Should Be Segmented and Divided
The complete infrastructure design, including segmentation and isolation, must be taken into account by security architects. An effective security measure to stop an intrusion from spreading exploits or lateral movement around an internal network is proper network segmentation. On a network that isn't properly segregated, hackers can control important devices or access confidential information and intellectual property. According to their function and mission, network segments are divided by segregation. A network that is securely divided can confine hostile activity, lessening the impact of intruders who manage to get a foothold inside the network.
Sensitive Information Should Be Separated Physically
Local Area Network (LAN) segments can be divided by conventional network equipment like routers. In order to define borders, expand the number of broadcast domains, and efficiently filter user broadcast traffic, organizations can put routers between networks. By limiting traffic to different network segments and even shutting down specific network segments during an intrusion, organizations can use these boundaries to contain security breaches and limit access for intruders.
- When constructing network segments, use the need-to-know and least privilege concepts.
- Segment the network according to the security needs and sensitive information.
- Utilize secure setups and security recommendations across all network tiers and segments.
Sensitive Information Should Be Virtually Separated
As technologies advance, new approaches are created to boost network security measures and information technology efficiency. The logical isolation of networks on the same physical network is known as virtual separation. The same design ideas as physical segmentation are used in virtual segmentation, which doesn't need any additional hardware. Other internal network segments can be protected from intrusion using already available methods.
- To separate a user from the rest of the broadcast domains, employ private Virtual Local Area Networks (VLANs).
- Utilize virtual routing and forwarding (VRF) technology to divide network traffic among several concurrent routing tables on a single router.
- By tunneling across public or private networks, Virtual Private Networks (VPNs) can be used to securely extend a host or network.
Reduce Extraneous Lateral Communications
Unfiltered peer-to-peer communication, including workstation-to-workstation communication, introduces major vulnerabilities and makes it simple for a network intruder to get access to several systems. Unfiltered lateral communications enable an intruder to establish a strong beachhead within the network and then build backdoors into the entire system. Backdoors impede defenders' attempts to contain and eliminate the intruder while assisting the invader in maintaining persistence within the network.
- Use host-based firewall rules to impose restrictions on communication and prevent packets from other hosts in the network from flowing. To restrict access from services and systems, the firewall rules can be written to filter on a host device, user, program, or internet protocol (IP) address.
- Use a filter called a VLAN access control list (VACL) to manage access to and from VLANs. The creation of VACL filters is required to prevent packets from traveling to other VLANs.
- Network managers can isolate crucial devices onto network segments by physically or virtually logically segregating the network.
Protection and Security for Network Devices
Securing networking devices with secure configurations is a fundamental technique to improve network infrastructure security. Administrators can find a variety of recommendations from governmental bodies, businesses, and suppliers, including benchmarks and best practices, on how to harden network equipment. Along with legislation, rules, site security policies, standards, and industry best practices, administrators should put the following advice into practice:
- Disable remote administration protocols that are not encrypted, such as Telnet and FTP.
- Disable unused services including HTTP, SNMP, Bootstrap Protocols, source routing, and discovery protocols.
- Avoid SNMP community strings and instead use SNMPv3 or a better protocol.
- Secure access to auxiliary, virtual, and console terminal lines.
- Use strong password encryption and implement strict password restrictions.
- By restricting remote access lists, you can secure routers and switches.
- Limit physical access to switches and routers.
- Use the most recent version of the network device operating system and keep it updated. Back up configurations and save them offline.
- Check security setups on a regular basis against security requirements.
- When distributing, storing, or backing up files, encryption or access controls should be used to protect configuration files.
Secure Device Access for Infrastructure
Users can be granted administrative rights to gain access to resources that are not publicly accessible. Because hackers can abuse administrative privileges that are wrongly approved, broadly granted, or not carefully audited, limiting administrative privileges for infrastructure devices is essential to security. In order to move throughout a network, increase access, and seize total control of the infrastructure backbone, adversaries can leverage compromised privileges.
Use multi-factor authentication (MFA), for instance, to confirm a user's identity. Attackers frequently take advantage of lax authentication procedures. To authenticate a user's identity, MFA uses at least two identification components. The three elements of identity are a password, a token, and a fingerprint. By putting in place safe access policies and processes, organizations can lessen unwanted access to infrastructure.
Controlling Privileged Access and Passwords
Put access data for network device management on a server that offers authentication, authorization, and accounting (AAA) services. Using a AAA server, network administrators can grant users with various levels of authority depending on the least privilege principle. A user's attempt to carry out an unlawful command will be rejected.
- Modify the default passwords.
- In accordance with Canada's User Authentication Guidance for Information Technology Systems ITSP.30.031 V3 and the National Institute of Standards and Technology's SP 800-63C Digital Identity Guidelines, make sure passwords are at least eight characters long and permit passwords of 64 characters (or longer).
- Verify passwords against lists of forbidden values, such as passwords that are often used, expected, or compromised.
- Verify that all passwords are hashed and salted.
- Passwords should be kept in a secure off-network location, such as a safe, for access in an emergency.
In addition to using the AAA server, if practical, create a hard-token authentication server. It is more challenging for hackers to steal and reuse credentials to access network devices when MFA is used.
Manage Out-Of-Band Operations
OoB management remotely manages network infrastructure devices by using alternative communication channels. These dedicated communication channels can be configured in a variety of ways, from physical isolation to virtual tunneling. By limiting access and isolating user traffic from network management traffic, using OoB access to control the network infrastructure would improve security.
- Separate management traffic from regular network traffic.
- Make sure that all device management traffic originates from OoB.
- Verify that all management channels are encrypted.
- Encrypt all remote connections to infrastructure components, including dial-in or terminal servers.
- Manage all administrative tasks over a secure channel from a dedicated, fully patched host, ideally on OoB.
- Test patches, disable unused services on routers and switches, and enforce strict password requirements to harden network management equipment.
- Observe the network and examine the logs.
- Use access controls to only allow services such as management or administrative functions that are absolutely necessary (e.g., SNMP, Network Time Protocol, Secure Shell, FTP, Trivial FTP, Remote Desktop Protocol [RDP], Server Message Block [SMB]).
OoB management offers security oversight and has the ability to take corrective action without letting an adversary (even one who has already gained access to a piece of the network) know about the modifications.
Verify the Hardware and Software’s Integrity
Devices that are bought through illegal methods are frequently referred to as gray market, secondary, or counterfeit devices. The information of users and the general integrity of the network environment are seriously at danger from unauthorized devices and software. Gray market goods haven't been sufficiently vetted to fulfill quality requirements, hence they can pose dangers to the network. In addition, equipment might be infected with malicious software and hardware thanks to supply chain breaches.
- Keep a close eye on the supply chain and only make purchases from licensed resellers.
- Resellers should be required to enforce supply chain integrity checks to confirm the legitimacy of the hardware and software.
- Examine each device for tampering after installation.
- Verify serial numbers obtained from various sources.
- Download software from reputable sources, including patches and upgrades.
- To find unapproved firmware alterations, do hash verification and compare values to the vendor's database.
- On a regular basis, check the network configurations of devices by monitoring and logging them.
- To raise awareness of gray market devices, train network owners, administrators, and procurement staff.
The confidentiality, integrity, or availability of network assets can be compromised by compromised hardware or software, which can also impair network performance. Organizations should regularly check the software's integrity because unauthorized or harmful software can be put onto a device after it is in use.
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
© 2022 Arthur Dellea