Network Infrastructure Security Guide

NSA - Network Infrastructure Security Guide

All networks are at risk of compromise, especially if devices are not properly configured and maintained. An administrator’s role is critical to securing the network against adversarial techniques and requires dedicated people to secure the devices, applications, and information on the network.

Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.

2. Network architecture and design

A secure network design that implements multiple defensive layers is critical to defend against threats and protect resources within the network. The design should follow security best practices and model Zero Trust principles, both for network perimeter and internal devices.

2.1 Install perimeter and internal defense devices

NSA recommends configuring and installing security devices at the perimeter of the network according to security best practices:

• Implement multiple layers of next-generation firewalls throughout the network to restrict inbound traffic, restrict outbound traffic, and examine all internal activity between disparate network regions. Each layer should utilize different vendors to protect against an adversary exploiting the same unpatched vulnerability in an attempt to access the internal network.

• Place publicly accessible systems and outbound proxies in between the firewall layers in one or more demilitarized zone (DMZ) subnets, where access can be appropriately controlled between external devices, DMZ devices, and internal systems.

• Deploy multiple dedicated remote log servers to enable activity correlation among devices and detection of lateral movement.

• Implement redundant devices in core areas to ensure availability; these can be load-balanced to increase network throughput and decrease latency.

• Implement a network monitoring solution to log and track inbound and outbound traffic, such as a network intrusion detection system (NIDS), a traffic inspector, or a full-packet capture device.

2.2 Group similar network systems

Similar systems within a network should be logically grouped together to protect against adversarial lateral movement from other types of systems. Adversaries will target systems that are easier to exploit, such as printers, and use that initial access to further propagate to other systems on the network. Proper network segmentation significantly reduces the ability for an adversary to reach and exploit these other systems.

Implement access restrictions on the internal routers, switches, or firewalls to allow only those ports and protocols that are required for network operations or valid mission need. Access control lists (ACLs) may need to be duplicated and applied directly to the switches to restrict access between VLANs.

2.3 Remove backdoor connections

A backdoor network connection is between two or more devices located in different network areas, generally with different types of data and security requirements. If one device is compromised, an adversary can use this connection to bypass access restrictions and gain access to other areas of the network.

Verify that all network interfaces of a device are at similar security levels, or that an intermediate device provides both logical and physical separation between different network areas.

2.4 Utilize strict perimeter access controls

NSA recommends a deny-by-default, permit-by-exception approach achieved by carefully considering which connections to allow, and then creating rulesets that focus on permitting only the allowed connections. This method allows a single rule to deny several types of connections, instead of needing to create a separate rule for each blocked connection.

NSA also recommends enabling logging, at a minimum, on all rulesets that deny or drop network traffic. Logging should also be enabled on successful and unsuccessful administrator access to critical devices.

2.5 Implement a network access control (NAC) solution

A NAC solution prevents unauthorized physical connections and monitors authorized physical connections on a network. Port security is a mechanism that can be implemented on switches to detect when unauthorized devices are connected to the network via a device’s media access control (MAC) address.

However, port security can be difficult to manage. A more robust solution utilizes 802.1X, which authenticates devices based on a trusted digital certificate installed on the device. While it is more complex to implement, due to the use of certificates, it is easier to manage than port security and offers a higher level of assurance.

2.6 Limit virtual private networks (VPNs)

A VPN tunnel can be established between two endpoints to provide an encrypted communication channel over a network. It should only be used when the confidentiality and integrity of the traffic cannot be maintained through other methods. VPN gateways are typically accessible from the Internet and are prone to network scanning, brute force attempts, and zero-day vulnerabilities. To mitigate many of these vulnerabilities, disable all unnecessary features on the VPN gateways and implement strict traffic filtering rules.

3. Security maintenance

Outdated hardware and software may contain publicly known vulnerabilities and provide an easy mechanism for adversaries to exploit the network. These vulnerabilities are mitigated by regularly upgrading the hardware and software to newer versions that are supported by the vendor.

3.1 Verify software and configuration integrity

An adversary can introduce malicious software into network devices by modifying operating system files, the executable code running in memory, or the firmware or bootloader that loads the operating system of a network device. Software that has been maliciously modified on a network device can be used by an adversary to violate data integrity, exfiltrate sensitive information, and cause a denial of service (DoS).

NSA recommends verifying the integrity of operating system files installed and running on devices by comparing the cryptographic hash of the file with the known good hash published by the vendor. When upgrading operating system files, perform the same integrity verification on the files prior to and after installation to ensure no modifications were made.

NSA also recommends implementing a configuration change control process that securely creates device configuration backups to detect unauthorized modifications. When a configuration change is needed, document the change and include the authorization, purpose, and mission justification. Periodically verify that modifications have not been applied by comparing current device configurations with the most recent backups.

3.3 Maintain up-to-date software and operating systems

Maintaining up-to-date operating systems and stable software protects against critical vulnerabilities and security issues that have been identified and fixed in newer releases. Devices running outdated operating systems or vulnerable software are susceptible to a variety of published vulnerabilities, and exploiting these devices is a common technique used by adversaries to compromise a network.

3.4 Stay current with vendor-supported hardware

Once a vendor publishes an end-of-life notice or announces that a device will no longer be supported, NSA recommends constructing a plan to upgrade or replace affected devices with newer equipment, according to vendor recommendations. Outdated or unsupported devices should be immediately upgraded or replaced to ensure the availability of network services and security support.

4. Authentication, authorization, and accounting (AAA)

Centralized AAA servers provide a consolidated mechanism to manage administrative access to devices, and the accounts created are more challenging for an adversary to compromise since credentials are not stored directly on devices.

4.1 Implement centralized servers

All devices should be configured to use centralized AAA servers. NSA recommends implementing at least two AAA servers to ensure availability, and assist with detecting and preventing adversary activities.

4.2 Configure authentication

Authentication verifies the identity of a person or entity. All devices should be configured to use centralized servers for AAA services first, and local administrator accounts as a backup method only if all the centralized servers are unavailable.

This order of precedence prevents an adversary who obtains local administrator account credentials from logging into the devices, since access will normally be controlled by the AAA servers and the local accounts are only consulted when those servers are unreachable.

4.3 Configure authorization

Authorization validates that a person or entity has permission to access a specific resource or perform a specific action. NSA recommends adequately restricting what legitimate administrators are authorized to execute to prevent an adversary from performing unauthorized actions with a compromised account.

4.4 Configure accounting

Accounting keeps records of all relevant resources accessed or actions performed, holding administrators accountable. At a minimum, accounting records should be collected when an exec session (shell) is started and stopped, and when shell commands are started and stopped.

4.5 Apply principle of least privilege

Least privilege is a security concept that authorizes access to a person or entity at the lowest privilege level necessary to perform authorized tasks. To implement least privilege, administrators should initially log in with the lowest privilege level necessary. This provides an additional layer of security that an adversary must circumvent to fully compromise a device. It also prevents administrators from inadvertently making configuration changes to a device.

4.6 Limit authentication attempts

Limiting the number of authentication attempts and introducing a login delay prevents an adversary from performing brute force password cracking against a device in an attempt to obtain access.

5.2 Change default passwords

NSA recommends removing all default passwords and assigning a unique, complex, and secure password to all levels of access, including both user and privileged levels. Additionally, when introducing new devices into the network, change the default user and privileged level passwords before attaching the device to the network.

5.4 Store passwords with secure algorithms

Passwords are generally stored in the configuration of a device or in a local database, as clear text, encrypted, or a one-way hash. NSA recommends that all passwords on a device be stored using the most secure algorithm available, and never stored as clear text. One-way hash algorithms are irreversible and generally should be used for storing passwords. However, if one-way hash algorithms are unavailable, the passwords should be encrypted with a strong unique key.

NSA recommends assigning a unique and complex password to all levels of access, including both user and privileged level access. Passwords should meet the following complexity requirements:

• Use all the different character classes (uppercase, lowercase, numbers, and special characters)

• Be at least 15 characters long

• Not be identical or similar to passwords assigned elsewhere

NSA also recommends checking for weak passwords on a regular basis to enforce the organization’s password policy. Password complexity should be checked before setting a new password. NSA recommends checking for password reuse across multiple accounts and levels of access, and across multiple devices. Identical stored hashes can be an indication of password reuse.
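As an added example (not from the NSA guide), the following Python audits the credential lines of several constructed IOS-style device configurations for the two problems this section describes: passwords stored with clear text or reversible types rather than a one-way hash, and identical stored values across accounts and devices that indicate reuse. The device names, hash values and the `meets_complexity` check are assumptions built for the example.

```python
import re
from collections import defaultdict

# Constructed IOS-style credential lines for three devices (sample data, not from the guide).
# Cisco IOS storage types: 0 = clear text, 7 = reversible, 5 = MD5, 8 = PBKDF2, 9 = scrypt.
DEVICE_CONFIGS = {
    "core-rtr1": """
enable secret 9 $9$constructedhash1
username admin secret 9 $9$constructedhash1
username backup password 7 094F471A1A0A
""",
    "dist-sw1": """
enable password 0 Cisco123
username admin secret 9 $9$constructedhash1
""",
    "edge-fw1": """
enable secret 5 $1$constructedhash2
username oper secret 5 $1$constructedhash2
""",
}

CRED_RE = re.compile(r"^(?:username (\S+)|enable) (?:password|secret) (\d) (\S+)$")
WEAK_TYPES = {
    "0": "clear text (type 0)",
    "7": "reversible encryption (type 7)",
    "5": "MD5 hash (type 5)",
}

def audit_storage(configs):
    """Return (findings, reuse): weak storage per account, and stored values seen on more than one account or device."""
    findings, seen = [], defaultdict(list)
    for device, cfg in configs.items():
        for line in cfg.strip().splitlines():
            m = CRED_RE.match(line.strip())
            if not m:
                continue
            account, ptype, value = m.group(1) or "enable", m.group(2), m.group(3)
            if ptype in WEAK_TYPES:
                findings.append((device, account, WEAK_TYPES[ptype]))
            # Identical stored values (same salt and hash, or the same clear text) indicate reuse,
            # typically the same secret line pasted into several configurations.
            seen[value].append((device, account))
    reuse = {value: where for value, where in seen.items() if len(where) > 1}
    return findings, reuse

def meets_complexity(password):
    """The guide's minimum for a new password: 15+ characters drawn from all four character classes."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return len(password) >= 15 and all(any(f(c) for c in password) for f in classes)
```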

6. Remote logging and monitoring

Proper logging includes sending logs to multiple remote log servers, synchronizing the clock to multiple authenticated time sources, and implementing log management policies and procedures. A security information and event management (SIEM) system can be used to aggregate and analyze logs received by the remote log servers.

6.1 Enable logging

NSA recommends enabling syslog logging, setting the local log buffer to 16 megabytes or greater, and establishing a procedure to verify the logs are received and reviewed on a regular basis. Most devices should be able to support the larger buffer size, but it can be decreased for a particular device if there is insufficient memory.

6.2 Establish centralized remote log servers

NSA recommends establishing at least two remote, centralized log servers to ensure monitoring, redundancy, and availability of device log messages. If supported, ensure the log messages are encrypted in transit to prevent unauthorized disclosure of sensitive information.

6.3 Capture necessary log information

NSA recommends setting the trap and buffer logging levels on each device to at least syslog level “informational” (code 6) to collect all necessary information. Devices can be configured for “debugging” (code 7), but the increased number of generated messages may slow down the log review process.
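As an added example (not from the NSA guide), the following Python applies the severity filter described above to constructed syslog lines in the IOS `%FACILITY-SEVERITY-MNEMONIC` format and picks out the login success and failure messages that this section and section 4.6 are concerned with, counting repeated failures per source. The log lines, hostnames and addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed syslog lines in the IOS "%FACILITY-SEVERITY-MNEMONIC:" style (sample data, not real captures).
SAMPLE_LOGS = """
Mar  1 10:00:01 core-rtr1 12: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar  1 10:00:07 core-rtr1 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22]
Mar  1 10:00:09 core-rtr1 14: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22]
Mar  1 10:00:12 core-rtr1 15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22]
Mar  1 10:00:30 core-rtr1 16: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22]
Mar  1 10:01:00 core-rtr1 17: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
Mar  1 10:01:05 core-rtr1 18: %SYS-7-USERLOG_DEBUG: Message from tty2: debug output
""".strip().splitlines()

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
SRC_RE = re.compile(r"\[Source: ([0-9.]+)\]")
USER_RE = re.compile(r"\[user: ([^\]]+)\]")
INFORMATIONAL = 6  # syslog severity code for "informational"; 7 is "debugging"

def parse(line):
    """Split one syslog line into facility, numeric severity, mnemonic and message text."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"facility": m["facility"], "severity": int(m["sev"]),
            "mnemonic": m["mnemonic"], "text": m["text"]}

def at_level(lines, max_severity=INFORMATIONAL):
    """Messages a device would forward with trap logging set to the given level (default: informational)."""
    return [p for p in map(parse, lines) if p and p["severity"] <= max_severity]

def login_events(lines):
    """Return (successes, failures) as lists of (user, source address)."""
    successes, failures = [], []
    for p in at_level(lines):
        if p["facility"] != "SEC_LOGIN":
            continue
        user, src = USER_RE.search(p["text"]), SRC_RE.search(p["text"])
        event = (user.group(1) if user else "?", src.group(1) if src else "?")
        (successes if p["mnemonic"] == "LOGIN_SUCCESS" else failures).append(event)
    return successes, failures

def failure_sources(lines, threshold=3):
    """Sources with at least `threshold` failed logins: candidates for review on the SIEM."""
    _, failures = login_events(lines)
    counts = Counter(src for _, src in failures)
    return {src: n for src, n in counts.items() if n >= threshold}
```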

Finally, NSA also recommends enabling log messages to indicate when a user was successful or unsuccessful at logging into the system. Even though these events are recorded on the centralized AAA servers when accounting is properly configured, this information is not logged in the local buffer.

7.1 Disable clear text administration services

NSA recommends using encrypted services to protect network communications and disabling all clear text administration services (e.g., Telnet, HTTP, FTP, SNMP 1/2c). This ensures that sensitive information cannot be easily obtained by an adversary capturing network traffic.

7.3 Utilize secure protocols

NSA recommends ensuring administration services are using the latest version of protocols, with the proper security settings adequately enabled. SSH version 2 is the preferred method for remotely accessing devices. Encrypted HTTP servers should be configured to only accept Transport Layer Security (TLS) version 1.2 or higher.

7.4 Limit access to services

NSA recommends configuring ACLs to allow only administrative systems to connect to devices for remote management. Devices that do not have the capability to support ACLs should be placed on a separate network management segment (e.g., a dedicated VLAN).

Even though every ACL has an implied deny statement at the end, it is a best practice to explicitly include it so denied attempts are logged. NSA also recommends removing unused ACLs from the configuration to reduce confusion around whether or not they are properly applied.
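As an added example (not from the NSA guide), the following Python checks a constructed IOS-style configuration for the points made in section 2.4 and this section: a management ACL built as permit-by-exception with an explicit, logged final deny, and ACLs that are defined but never applied. The ACL names, addresses and the configuration itself are constructed for the example.

```python
import re

# Constructed IOS-style configuration (sample data, not from the guide).
SAMPLE_CONFIG = """
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.5 any eq 22
 permit tcp host 10.0.0.6 any eq 22
 deny ip any any log
!
ip access-list extended OLD-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 23
!
ip access-list extended USER-IN
 permit ip 10.1.0.0 0.0.255.255 any
!
line vty 0 4
 access-class MGMT-IN in
 exec-timeout 5 0
 transport input ssh
!
interface GigabitEthernet0/1
 ip access-group USER-IN in
""".strip()

def parse_acls(config):
    """Map ACL name -> list of its entries, taken from 'ip access-list' blocks."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif line.startswith(" ") and current:
            acls[current].append(line.strip())
        else:
            current = None            # '!' or an unrelated block ends the ACL
    return acls

def applied_acls(config):
    """ACL names referenced by access-group (interfaces) or access-class (vty lines)."""
    return set(re.findall(r"(?:access-group|access-class) (\S+) (?:in|out)", config))

def audit_acls(config):
    """Return (acl name, issue) pairs for unused ACLs and ACLs without a logged final deny."""
    acls, used = parse_acls(config), applied_acls(config)
    findings = []
    for name, entries in acls.items():
        if name not in used:
            findings.append((name, "defined but not applied; remove it"))
            continue
        last = entries[-1] if entries else ""
        if not last.startswith("deny ip any any"):
            findings.append((name, "no explicit final deny; add 'deny ip any any log'"))
        elif not last.endswith(" log"):
            findings.append((name, "final deny is not logged; add 'log'"))
    for name in used - set(acls):
        findings.append((name, "applied but not defined"))
    return findings
```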

7.5 Set an acceptable timeout period

Setting a timeout period for idle connections allows sessions to close after a prescribed time of inactivity. NSA recommends setting the session timeout for administrative connections to five minutes or less on all remote devices.

7.7 Disable outbound connections

After authenticating to a device via a management port, a user generally has the ability to remotely connect to other systems on the network through supported protocols (e.g., Telnet and SSH). NSA recommends disabling outbound connections to limit an adversary from moving through the network.

If outbound connections are required for copying files to or from the devices for maintenance or integrity verification, restrict them to SSH only and limit the number of devices that can be reached via outbound ACLs; revert to the above configuration once the task is complete.

7.9 Disable unnecessary network services

During the initial installation of devices, several TCP and UDP services are enabled by default, even though the provided features are unnecessary for normal operations. These services can degrade the security level of the network, offering an adversary additional access points to exploit a device and leave it susceptible to unauthorized monitoring, information gathering, and compromise.

7.10 Disable discovery protocols on specific interfaces

Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) are broadcast protocols that periodically advertise network topology and device information to neighboring devices that support the protocol and are listening for packets.

This functionality is enabled by default and can be useful for administrators to obtain information about the network, but it is also extremely useful to an adversary who can passively gather network configuration information.

NSA recommends disabling CDP and LLDP on all devices capable of using these services. If a service is required for proper network communications (e.g., some Cisco Voice-over-IP (VoIP) phones), only enable it on point-to-point links between devices that require the protocol or on voice enabled ports.

8.1 Disable IP source routing

IP source routing is a rarely used feature that enables the sender of a packet to specify a predetermined list of intermediate nodes through which it should be forwarded, rather than letting each device use its own routing table to make the decision.

Leveraging this setting, an adversary could transmit packets through a route of their choosing. Combined with IP address spoofing, an adversary can use the IP source routing feature to bypass ACLs and other network restrictions, essentially choosing their own network path. NSA recommends disabling IP source routing on all devices, not just routers, since this feature is not required for normal network operations.

8.2 Enable unicast reverse-path forwarding (uRPF)

uRPF is a method of protection against IP spoofing that instructs a router to examine both the source and destination addresses in the packet. When a packet is received on an interface, the source address is compared to entries in the routing table and is forwarded if the return route matches where the packet was received. Otherwise, it is discarded due to concerns that the source address in the packet may have been spoofed. NSA recommends enabling uRPF on external interfaces of perimeter routers.
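As an added example (not from the NSA guide), the following Python models the strict uRPF check described above on a constructed routing table for a perimeter router: a packet is forwarded only if the best route back to its source leaves through the interface it arrived on, so a packet arriving from the Internet with a spoofed internal source is dropped. The routing table, interface names and addresses are assumptions; the `allow_default` flag models the IOS `allow-default` option, without which a source that matches only the default route fails the check.

```python
import ipaddress

# Constructed routing table for a perimeter router (sample data, not from the guide):
# Gi0/0 faces the Internet, Gi0/1 faces the internal networks and the DMZ.
ROUTES = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.0.0.0/8", "Gi0/1"),
    ("192.0.2.0/24", "Gi0/1"),
]
TABLE = [(ipaddress.ip_network(prefix), iface) for prefix, iface in ROUTES]

def lookup(addr):
    """Longest-prefix match: (network, interface) the router would use to reach addr, or None."""
    best = None
    for net, iface in TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict_accepts(src_ip, in_iface, allow_default=False):
    """Strict uRPF: the best route back to the source must leave via the ingress interface.
    The default route only satisfies the check when allow_default is set."""
    route = lookup(ipaddress.ip_address(src_ip))
    if route is None or (route[0].prefixlen == 0 and not allow_default):
        return False
    return route[1] == in_iface

def process(src_ip, dst_ip, in_iface, allow_default=False):
    """Return ('drop', reason) or ('forward', egress interface) for one packet."""
    if not urpf_strict_accepts(src_ip, in_iface, allow_default):
        return ("drop", f"uRPF: no return route to {src_ip} via {in_iface}")
    route = lookup(ipaddress.ip_address(dst_ip))
    return ("forward", route[1]) if route else ("drop", "no route to destination")
```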

8.3 Enable routing authentication

Dynamic routing protocols are used to distribute information to neighboring devices and provide routes to reach other networks. Network devices will use this information to populate their routing tables, which are then used to determine the next hop for forwarding a packet to the requested destination. To control the flow of traffic, an adversary may inject, modify, or corrupt the routing information sent and received by neighboring devices. Routing authentication should be enabled to prevent route manipulation and ensure the routing information received from neighboring devices has not been manipulated by an unauthorized source.

9.1 Disable dynamic trunking

A trunk is a point-to-point link between two devices that exchange VLAN encapsulated frames. Depending on the traffic being sent over the link, it is possible for an interface port to dynamically configure itself to be either a trunk or an access port. An adversary that is connected to a dynamic port could instruct it to become a trunk port and potentially gain access to network traffic without regard to VLAN separation.

NSA recommends disabling dynamic trunking as it is not necessary for an interface port to dynamically configure itself. When a device is added to the network, ensure that all interface ports are explicitly configured as either trunk ports or access ports.

9.2 Enable port security

Port security limits the number of valid MAC addresses allowed to connect to a switchport, restricting connectivity to only authorized systems. A switchport not configured to enforce port security could allow an adversary with physical access to connect an unauthorized system.

NSA recommends enabling port security on all active switchports on a device, and setting the maximum number of allowed MAC addresses for each port to be exactly one, or two if VoIP capabilities are in use.

9.4 Disable unused ports

Leaving unused ports enabled on a device allows an adversary to attach a rogue device to the network and perform information gathering or compromise attempts. NSA recommends disabling all unused ports on a device by shutting down the associated interfaces and, if supported by the device, assigning unused ports to an unused VLAN.

9.5 Disable port monitoring

Port monitoring is typically used for connecting an NIDS, diagnosing a problem, or using a network analyzer to monitor the network. Depending on the vendor, port monitoring is also known as “port mirroring” or “port spanning.” An adversary connected to the destination port of a port monitoring session will be able to collect network traffic sent through all the source ports specified by the session.

NSA recommends disabling all inactive port monitoring sessions on a device. Port monitoring should only be enabled for those ports where it is necessary, and all sessions should be disabled once they are no longer needed.

9.6 Disable proxy Address Resolution Protocol (ARP)

Proxy ARP is a technique in which a proxy server on a network answers ARP requests for an IP address that is not on that network. It helps devices on a subnet reach remote subnets, without configuring routing on a default gateway.

NSA recommends disabling proxy ARP on all interfaces unless the device is being used as a LAN bridge or to allow inbound network address translations (NAT) for multiple destination IP addresses. It may be necessary to disable proxy ARP on each individual interface, rather than disabling it globally.
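As an added example (not from the NSA guide), the following Python audits the switchport blocks of a constructed switch configuration against the interface-level advice in sections 7.10, 9.1, 9.2 and 9.4: an explicit access or trunk mode with DTP negotiation disabled, port security with a maximum of one address (two where a voice VLAN is present), CDP disabled per port, and unused ports shut down. The configuration and interface names are constructed for the example.

```python
# Constructed switch configuration (sample data, not from the guide): hardened port, phone+PC port, dynamic port, spare, untouched port.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 no cdp enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 shutdown
 switchport access vlan 999
!
interface GigabitEthernet1/0/5
""".strip()

def interfaces(config):
    """Map interface name -> set of the indented commands under it."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(" ", 1)[1]
            blocks[name] = set()
        elif line.startswith(" ") and name:
            blocks[name].add(line.strip())
        else:
            name = None
    return blocks

def audit_interface(cmds):
    """Findings for one switchport against the dynamic trunking, port security, unused port and CDP advice."""
    if "shutdown" in cmds:
        return []                                  # disabled port: nothing further to check
    if not cmds:
        return ["unconfigured and enabled: shut down and assign to an unused VLAN"]
    mode = next((c for c in cmds if c.startswith("switchport mode ")), None)
    issues = []
    if mode is None or "dynamic" in mode:
        issues.append("mode not explicitly access or trunk (dynamic trunking possible)")
    if "switchport nonegotiate" not in cmds:
        issues.append("trunk negotiation (DTP) not disabled")
    if "no cdp enable" not in cmds:
        issues.append("CDP still enabled on this port")
    if mode == "switchport mode access":
        if "switchport port-security" not in cmds:
            issues.append("port security not enabled")
        allowed = 2 if any(c.startswith("switchport voice vlan") for c in cmds) else 1
        maximum = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport port-security maximum ")), 1)
        if maximum > allowed:
            issues.append(f"port-security maximum {maximum} exceeds {allowed}")
    return issues

def audit(config):
    """Interface name -> list of issues, omitting clean interfaces."""
    return {n: i for n, i in ((n, audit_interface(c)) for n, c in interfaces(config).items()) if i}
```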
