Networks play a crucial role in the effective functioning, security, and resilience of numerous organizations. This document offers a foundational overview of essential elements to consider while designing, operating, or maintaining secure and resilient networks. It also assists in implementing the NCSC’s Cyber Security Design Principles. For more in-depth information, please refer to the ‘further reading’ sections.
Important Note
While many topics discussed herein are relevant to cloud-based networks, it’s advisable to consult the NCSC’s Cloud Security Guidance for detailed information regarding cloud-based solutions.
Identifying Your Network Assets
Are you aware of all assets within your network?
Identifying all components of your network is a critical step towards enhancing security and resilience. Attackers often exploit unknown systems within a network that are left unsecured or incorrectly decommissioned.
Further Reading from NCSC:
Asset Management Guidance
Best practices for robust asset management in cybersecurity.
Acquiring, Managing, and Disposing of Network Devices
Guidance on the lifecycle management of network devices.
Products on Your Perimeter: Understood as Harmful Until Confirmed Otherwise
This blog discusses how attackers infiltrate networks via accessible devices.
Understanding Potential Threats
What threats should your network be safeguarded against?
The security measures you integrate into your network should correspond with the specific threats you need to defend against. Without ‘threat modeling’, you may misallocate resources to irrelevant threats or, worse, leave your network exposed to unrecognized dangers.
NCSC Further Reading
Threat Modelling Guidance
This guidance outlines how threat modeling contributes to informed risk management decisions.
Access Restriction Strategies
How can you manage network access to authorized personnel only?
Control access to your network and its resources by adhering to the principle of ‘least privilege’, ensuring that users and systems have access only to the resources necessary for their roles.
Further Reading from NCSC
Minimize Privilege and Application Reach
Best practices for secure configuration and usage of devices.
Enterprise Authentication Policy Guidance
Implement effective authentication across devices.
Systems Administration Architectures
Insights into common system administration approaches.
Systems Administration
Highly privileged accounts are prime targets for attackers. Administrators typically have the access needed to modify security settings and manage user accounts, so a compromised administrator account poses a significant risk.
NCSC Further Reading
Secure System Administration Guidance
Design principles to safeguard sensitive data.
Security Architecture Anti-Patterns
Common pitfalls to avoid when designing computer systems.
Passwords and PINs
Passwords and PINs authenticate users for network access. Complement them with other authentication measures, so that access is protected by multi-factor authentication (MFA).
NCSC Further Resources
Multi-Factor Authentication for Corporate Online Services
Strong MFA strategies for organizations.
Authentication Methods: Selecting the Right Option
Recommended models beyond passwords.
Password Administration for System Owners
Effective password strategies for enhanced security.
Allow Lists and Deny Lists
Allow lists and deny lists regulate access to resources. Allow lists permit only the access they specify, whereas deny lists block only the access they specify. Opt for allow lists to maintain the principle of ‘least privilege’.
Certificates
Certificates provide a more reliable authentication method than passwords, though they can be complex to manage. They are used in scenarios such as network access and VPNs.
NCSC Further Reading
Utilizing TLS for Data Protection
Profiles for configuring TLS securely.
Virtual Private Networks
Guidelines for VPN technologies.
Designing Robust Network Architecture
Is security integrated into your network’s design from the outset?
Choosing the right network architecture can:
- Make it harder for attackers to compromise or disrupt your network
- Reduce the impact of any security breaches
- Facilitate the detection of malicious activities
Omitting security during the design phase can lead to substantial challenges and increased costs later.
NCSC Further Reading
10 Steps to Cyber Security: Architecture and Configuration
Securely design, build, and manage systems.
Device Security Guidance: Network Architectures
Advice for secure remote access architectures.
Secure Design Principles
Guidelines for designing secure systems.
Network Segmentation
Network segmentation involves dividing your network into smaller parts to control traffic flow and access between them. This strategy assists in securing management interfaces used by administrators.
Further NCSC Reading
Preventing Lateral Movement
Guidelines to hinder lateral movement in networks.
Implementing Network Segmentation and Segregation
Advice from the Australian Cyber Security Centre.
Zero Trust Architecture
Zero trust architecture removes implicit trust in the network. Each access request is verified according to an access policy, enhancing security through strong authentication and authorization frameworks.
Additional Resources
NCSC’s Zero Trust Architecture Design Principles
Implementing zero trust architecture within enterprises.
NIST Zero Trust Architecture (PDF)
Insights from the US National Institute of Standards and Technology.
Protecting Data in Transit
How do you safeguard data moving across networks?
A fundamental function of a network is to move data efficiently. Some of that data is sensitive and may traverse insecure devices. Implementing controls to ensure data confidentiality, integrity, and availability during transit is crucial.
Virtual Private Networks (VPNs)
How do you secure external access and connections?
VPNs allow secure connections over untrusted networks. It’s essential to maintain VPN software and hardware throughout their lifecycle to mitigate vulnerabilities that attackers could exploit.
Further NCSC Resources
Device Security Guidance: Virtual Private Networks
Advice on deploying and configuring VPN technologies.
Zero Trust Migration: When Can I Remove My VPN?
An informative blog examining VPN security in the context of zero trust.
Protocols
Are the protocols you utilize appropriate?
Your network protocols should inhibit potential breaches and facilitate rapid detection of any compromise. Prefer protocols with built-in security features: for example, use HTTPS rather than HTTP when hosting websites.
NCSC Further Reading
Using TLS for Data Protection
Recommendations for securely configuring TLS.
Protocol Design Principles
A guide for protocol designers to ensure security.
Securing Network Perimeters
How do you manage network ingress and egress?
Identifying network boundaries is essential, especially with zero trust architecture in place. Protecting boundaries between different security zones is critical, often accomplished through firewalls. Enhanced management of the Domain Name System (DNS) is increasingly necessary.
NCSC Further Reading
Products on Your Perimeter: An Evolving Threat Landscape
This blog explores modern tactics that attackers employ to breach networks.
Firewalls and Rule Management
Firewalls can be hardware- or software-based, providing protection against unauthorized access. They operate through allow and deny rules that permit or block traffic based on predefined attributes.
- Allow Rules: Authorize traffic matching specific criteria.
- Deny Rules: Block traffic with known harmful attributes.
It is prudent to implement a ‘deny all’ rule after establishing specific allow rules, adhering to the principle of least privilege.
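The rule ordering described above can be checked mechanically. The following is an added example, not part of the NCSC guidance or any firewall product's own code: a small first-match rule model with an audit that flags a missing final deny-all rule, an allow-all rule, and rules that are never reached because an earlier, broader rule matches first. The `Rule` fields, the IPv4-only matching and the sample rule sets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
net = ipaddress.ip_network

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source CIDR (IPv4 only in this sketch)
    dst: str = "0.0.0.0/0"          # destination CIDR
    port: Optional[int] = None      # destination port; None matches any port

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in net(self.src)
                and ipaddress.ip_address(dst_ip) in net(self.dst)
                and self.port in (None, port))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (net(other.src).subnet_of(net(self.src))
                and net(other.dst).subnet_of(net(self.dst))
                and self.port in (None, other.port))

def evaluate(rules, src_ip, dst_ip, port):
    """First match wins; no match denies here, though real defaults differ."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"

def audit(rules):
    """Return findings that undermine least privilege in an ordered rule set."""
    deny_all, findings = Rule("deny"), []
    if not rules or rules[-1] != deny_all:
        findings.append("no final deny-all rule")
    for i, rule in enumerate(rules):
        if rule.action == "allow" and rule.covers(deny_all):
            findings.append(f"rule {i}: allows all traffic")
        earlier = next((j for j in range(i) if rules[j].covers(rule)), None)
        if earlier is not None:
            findings.append(f"rule {i}: never reached, shadowed by rule {earlier}")
    return findings

# Constructed sample rule sets using documentation address ranges.
WEAK = [Rule("allow", dst="192.0.2.0/24"),                        # any port, whole subnet
        Rule("deny", "198.51.100.0/24", "192.0.2.10/32", 22)]     # shadowed by rule 0
HARDENED = [Rule("allow", dst="192.0.2.10/32", port=443),         # HTTPS to one host
            Rule("allow", "10.0.9.0/24", "192.0.2.10/32", 22),    # SSH from admin subnet
            Rule("deny")]                                         # explicit deny-all, last
```

In the weak set the deny rule for port 22 sits behind a broader allow rule, so `evaluate` still permits that traffic; the hardened set lists narrow allow rules first and ends with the explicit deny-all.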
DNS Security
As most networks rely on DNS services, securing your DNS is vital. Implement controls to mitigate potential threats, including:
- Managing who can edit your DNS records
- Limiting DNS query volumes
- Utilizing DNS Security Extensions (DNSSEC)
- Applying deny lists against known malicious domains
NCSC Additional Resources
Protective Domain Name Service (PDNS)
Details on NCSC’s service to combat malware through DNS management.
Protective DNS for the Private Sector
Guidelines for implementing Protective DNS.
PDNS for Schools
Scaling protective DNS for wider institution coverage.
Managing Public Domain Names
Best practices for managing public domain names owned by your organization.
Keeping Systems Up-to-Date
How do you keep your systems secure and current?
Staying updated with the latest patches is crucial for security. Implement a policy that mandates prompt and, if possible, automatic updates as part of your update management process. Neglecting this may expose systems to known vulnerabilities that attackers could exploit.
NCSC Further Guidance
Vulnerability Management Guidance
Establishing effective vulnerability management protocols.
Effective Network Monitoring
How do you identify potential compromises within your network?
An effective monitoring system enables organizations to detect activities diverging from expected behavior. This allows for timely threat detection and resolution before significant damage occurs. When developing or reviewing your monitoring strategy, consider the following:
- Identify monitoring objectives
- Ensure adequate logging for analysis
- Analyze logs for actionable insights
- Detect signs of misuse swiftly
NCSC Further Resources
Logging and Protective Monitoring Guidance
Strategies for utilizing logs to identify threats and protect devices.
Building a Security Operations Centre
Framework for designing a robust SOC and monitoring capability.
To SOC or Not to SOC?
A blog detailing circumstances where a traditional SOC isn’t necessary for a secure environment.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/network-security-fundamentals