A network infrastructure device is a component of a network that transports the communications needed to deliver data, applications, services, and multimedia content. This group of devices includes routers, firewalls, switches, servers, load balancers, intrusion detection systems, domain name system (DNS) servers, and storage area networks (SANs).
These devices are ideal targets for malicious cyber actors because they must handle the vast majority of organizational and customer traffic, if not all of it.
An attacker who establishes a physical presence on a company’s gateway router can monitor, modify, and deny traffic to and from the company.
Having access to the internal routing and switching infrastructure of a company allows an attacker to track traffic to and from key hosts within the network, as well as to leverage trust relationships to move from one host to another within the network.
Organizations and individuals who use legacy, unencrypted protocols to manage hosts and services make it simple for malicious cyber actors to harvest credentials from their systems and networks. Whoever controls the routing infrastructure of a network, in essence, has complete control over the data that flows through the network.
What security threats are associated with network infrastructure devices?
Attackers frequently target network infrastructure devices because they are easy to compromise. Many network devices, once installed, are not maintained at the same level of security as general-purpose desktops and servers, although they should be. Several other factors can contribute to the vulnerability of network devices, including:
Small office/home office and residential-class routers are among the few network devices that are equipped with antivirus, integrity maintenance, and other security tools that can be used to protect general-purpose hosts.
Manufacturers build and distribute network devices that ship with exploitable services enabled and that are designed, per the manufacturer's specifications, to be simple to install, operate, and maintain.
Owners and operators of network devices frequently do not alter the default settings set by the vendor, harden them for operation, or perform regular patching on their devices.
Once equipment on a customer’s premises is no longer supported by the manufacturer or vendor, Internet service providers are not permitted to replace the equipment.
When investigating cyber intrusions, hunting for intruders, and restoring general-purpose hosts afterwards, owners and operators frequently overlook network devices.
How can you improve the security of network infrastructure devices?
To improve the security of their network infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that users and network administrators:
- Segment and segregate networks and functions.
- Reduce unnecessary lateral communications.
- Harden network devices.
- Restrict access to infrastructure devices.
- Perform out-of-band (OoB) network management.
- Verify that hardware and software function properly.
Segment and Segregate Networks and Functions
Security architects must consider the overall infrastructure layout, including segmentation and segregation. Network segmentation is an effective security mechanism for preventing an intruder from spreading exploits or moving laterally around an internal network, but it must be applied correctly: in a poorly segmented network, intruders can extend their reach, take control of critical devices, and gain access to sensitive data and proprietary information. Segregation divides a network into segments based on role and functionality. A securely segregated network can contain malicious events and so lessen the impact of intruders who have gained a foothold somewhere within it.
Physical Separation of Sensitive Information
Traditional network devices, such as routers, can separate segments of a Local Area Network (LAN). Placing routers between networks lets organizations define network boundaries, increase the number of broadcast domains, and effectively filter the broadcast traffic generated by users. Organizations can use these boundaries to contain security breaches by restricting traffic to separate segments, and can even shut down segments of the network during an intrusion to keep adversaries from reaching sensitive information.
- When designing network segments, apply the principles of least privilege and need-to-know.
- Create network segments to separate sensitive information and security requirements.
- Follow all security recommendations and configure every network segment and network layer securely.
Virtual Separation of Sensitive Information
As new technologies are introduced, new strategies are developed to improve the efficiency of information technology and the security of network infrastructures. Virtual separation is the logical separation of networks that share the same physical network. Virtual segmentation follows the same design principles as physical segmentation but does not require the purchase of additional hardware. Existing technologies can be used to prevent an intruder from reaching other internal network segments after successfully breaching one.
- Use private Virtual Local Area Networks (VLANs) to isolate a user from the rest of the broadcast domains.
- Use virtual routing and forwarding (VRF) technology to segment network traffic across multiple routing tables on a single router while maintaining a high level of performance.
- Use Virtual Private Networks (VPNs) to securely extend a host or network by tunneling through public or private networks.
Reduce Unnecessary Lateral Communications
Allowing unfiltered peer-to-peer communications, including workstation-to-workstation communications, creates serious vulnerabilities and lets an intruder's access spread quickly to multiple systems. Once an intruder controls an effective beachhead within the network, unfiltered lateral communications let the intruder establish backdoors throughout the network. Backdoors help the intruder maintain persistence within the network while impeding the defenders' efforts to contain and eliminate the intruder.
Use host-based firewall rules to restrict communication by denying packets from other hosts in the network. Firewall rules can filter on a host device, a user, a program, or an internet protocol (IP) address to restrict access from services and systems. Creating firewall rules is simple.
Implement a VLAN access control list (VACL), which is a filter that regulates access to and from VLAN networks. VACL filters should be implemented to prevent packets from being routed to other VLANs.
Network administrators can isolate critical devices onto network segments by logically segregating the network using physical or virtual separation techniques.
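To make the segmentation and lateral-communication points above concrete, here is an added example (not from the original page or from CISA) that checks flow records against a least-privilege segment policy and reports hosts fanning out to peers they should not reach; the segment ranges, the allow-list and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed segment map (assumption): CIDR -> role of the hosts inside it.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}
# Least-privilege policy: (source role, destination role) pairs that may talk.
# Workstation-to-workstation is deliberately absent, so such flows are flagged.
ALLOWED = {
    ("workstations", "servers"),
    ("management", "servers"),
    ("management", "workstations"),
}

def role_of(ip):
    """Map an address to its segment role, or 'unknown' if outside all segments."""
    addr = ipaddress.ip_address(ip)
    return next((r for r, net in SEGMENTS.items() if addr in net), "unknown")

def parse_flow(line):
    """Assumed record format: '<src_ip> <dst_ip> <dst_port> <proto>'."""
    src, dst, port, proto = line.split()
    return src, dst, int(port), proto

def find_violations(lines):
    """Return flows whose (source role, destination role) is not allowed."""
    out = []
    for line in lines:
        src, dst, port, proto = parse_flow(line)
        pair = (role_of(src), role_of(dst))
        if pair not in ALLOWED:
            out.append((src, dst, port, proto, pair))
    return out

def lateral_sources(violations):
    """Count violating flows per source host: one host fanning out is the beachhead pattern."""
    return Counter(v[0] for v in violations)

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.4.21 10.20.0.5 443 tcp",   # workstation -> server: allowed
    "10.10.4.21 10.10.7.9 445 tcp",   # workstation -> workstation: lateral
    "10.10.4.21 10.10.7.10 445 tcp",  # workstation -> workstation: lateral
    "10.99.0.2 10.10.7.9 22 tcp",     # management -> workstation: allowed
    "10.10.7.9 10.99.0.2 22 tcp",     # workstation -> management: denied
]
```

Running `find_violations(SAMPLE_FLOWS)` yields the three denied flows, and `lateral_sources` shows 10.10.4.21 as the host reaching multiple peers.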
Harden Network Devices
Protecting networking devices through secure configuration is one of the most fundamental ways to improve network infrastructure security. Government agencies, organizations, and vendors provide administrators with a wide range of guidance on hardening network devices, including benchmarks and best practices for implementing network security measures. Administrators should put the following recommendations into effect in conjunction with applicable laws and regulations, site security policies and standards, and industry best practices.
- Disable unencrypted remote administration protocols used to manage network infrastructure (e.g., Telnet, File Transfer Protocol [FTP]).
- Disable unnecessary services (e.g., discovery protocols, source routing, Hypertext Transfer Protocol [HTTP], Simple Network Management Protocol [SNMP], Bootstrap Protocol).
- Use SNMPv3 (or a subsequent version) and do not use SNMP community strings.
- Require a password for access to the console, auxiliary, and virtual terminal lines.
- Implement strong password policies and use the strongest password encryption available.
- Protect routers and switches by controlling access lists for remote administration.
- Back up configurations and store them offline.
- Use the latest version of the network device operating system and keep it up to date with all patches.
- Test security configurations regularly to ensure they meet security requirements.
- Protect configuration files with encryption or access controls when sending, storing, and backing them up.
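The checklist above can be audited against a device's running configuration. The following is an added example (not CISA's tooling or code from the original page) that parses a Cisco IOS-style config and reports which hardening items are not met; the command syntax checked for and the weak sample config are assumptions constructed for illustration.

```python
# Global lines that must be present (finding if absent); prefixes that must be absent.
REQUIRED = {
    "service password-encryption": "password encryption not enabled",
    "no ip http server": "HTTP management server not disabled",
    "no cdp run": "CDP discovery protocol not disabled",
    "no ip source-route": "IP source routing not disabled",
}
FORBIDDEN = {
    "snmp-server community": "SNMP community strings configured; use SNMPv3",
    "enable password": "'enable password' in use; use 'enable secret'",
}

def parse_ios(config):
    # Split into top-level lines and indented blocks keyed by their header line.
    top, blocks, cur = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            top.append(cur)
            blocks[cur] = []
    return top, blocks

def audit(config):
    """Return a sorted list of hardening findings for an IOS-style config."""
    top, blocks = parse_ios(config)
    found = [msg for line, msg in REQUIRED.items() if line not in top]
    found += [msg for pfx, msg in FORBIDDEN.items()
              if any(l.startswith(pfx) for l in top)]
    for hdr, body in blocks.items():
        if not hdr.startswith("line "):
            continue  # only console, auxiliary and vty lines are checked here
        if not any(l.startswith("login") for l in body):
            found.append(f"{hdr}: no login required")
        if hdr.startswith("line vty"):
            if any(l.startswith("transport input") and ("telnet" in l or "all" in l) for l in body):
                found.append(f"{hdr}: Telnet permitted; use 'transport input ssh'")
            if not any(l.startswith("access-class") for l in body):
                found.append(f"{hdr}: no access-class ACL on remote administration")
    return sorted(found)

# Constructed sample config exhibiting the weak settings (not a real device).
WEAK_CONFIG = """\
enable password cisco123
snmp-server community public RO
line aux 0
line vty 0 4
 login
 transport input telnet ssh
"""
```

`audit(WEAK_CONFIG)` returns nine findings; a config with `transport input ssh`, an `access-class` on the vty lines, `enable secret`, SNMPv3 groups and the four `no ...` lines returns none.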