The National Security Agency this week released detailed recommendations for businesses trying to secure their network infrastructure from attack, giving safe configuration guidance for commonly used network protocols and urging the use of basic security measures on all networks.
The NSA report began by stressing the importance of zero trust network security principles, but most of it covers specific steps network administrators should take to protect their infrastructure from compromise. Configuration tips for network administrators include using secure and frequently changed passwords for all administrative accounts, limiting login attempts, and updating and patching potentially vulnerable systems. The report also describes safe configurations for SSH (secure shell), HTTP, and SNMP (simple network management protocol).
“Improper configuration, improper management of configurations, and weak encryption keys can expose vulnerabilities throughout the network,” the report said. “All networks are at risk of being compromised, especially if devices are not properly configured and maintained.”
The NSA has further recommended the use of network access control systems as an additional layer of security for corporate networks. The idea is to implement a robust system to identify individual devices on a network, as port security can be difficult to manage and tracking connected devices by MAC address can be circumvented by an attacker.
The use of centralized authorization, authentication, and accounting (AAA) servers is also touted as a strong security measure by the NSA. Centralized servers avoid the use of potentially vulnerable legacy authentication technologies, because they do not rely on credentials stored on connected devices, which can be relatively easy to compromise. According to the agency, doubling the deployment of AAA servers, which handle requests for system resources, provides a level of redundancy and can help detect and prevent malicious activity more easily.
Robust logging is another key technique for keeping corporate networks secure. Ensuring that the network infrastructure captures a sufficient amount of log data makes identifying and tracking a potential attack much simpler than it would otherwise be, the NSA said. Login attempts, whether successful or not, are particularly important for this, but the agency noted that generating too many messages could complicate log reviews.
The NSA report is available for download. It contains detailed instructions for Cisco IOS users on how to accomplish most of the tasks it suggests, but the general principles are valid for users of network equipment from any vendor.
Copyright © 2022 IDG Communications, Inc.