Networks are essential for the functionality, security, and resilience of numerous organizations. This guide serves as an introductory resource on the critical aspects to consider when designing, maintaining, or utilizing networks that must be both secure and resilient. It will also assist you in applying the NCSC’s Cyber Security Design Principles to your networks. Additional detailed technical information can be found in the further reading sections.
Important Note
While some of the topics discussed are relevant to cloud-based networks, please refer to the NCSC’s Cloud Security Guidance for precise details related to cloud networks.
Identifying Your Network Assets
Are you aware of all the assets in your network?
Identifying all the assets present in your network is a crucial step towards achieving security and resilience. One common way an attacker penetrates a network is through systems the organization does not know about: devices that were never secured, or that were not properly decommissioned when they went out of use.
Further Reading from NCSC:
Asset Management Guidance
Implementing effective asset management practices is essential for strong cybersecurity.
Guidance on Network Devices
Recommendations for organizations on acquiring, managing, and disposing of network devices.
Understanding Network Perimeter Risks
A blog post discussing how attackers infiltrate networks via products accessible over the internet.
Understanding Threats
What threats should you be prepared to face?
The security controls you integrate into your network should correspond with the specific threats you are protecting against. Without adequate threat modeling, resources can be wasted on irrelevant controls, or you might unintentionally expose your network to unidentified risks.
Further NCSC Resources
Threat Modeling Guidance
Insights on how threat modeling can enhance risk management strategies.
Access Control
How do you limit access to your network?
Access to your network and its assets must be strictly controlled. Following the ‘least privilege’ principle ensures that users and systems have access only to the resources necessary for their roles.
More NCSC Reading
Minimizing Application Privileges
Detailed guidance on securely choosing, configuring, and utilizing devices.
Enterprise Authentication Policies
Recommendations for effective authentication on smartphones, tablets, laptops, and desktops.
Systems Administration Architectures
Insights into common methodologies for system administration architectures.
System Administrators
Highly privileged accounts, such as those used for system administration, are attractive targets for attackers. These accounts can typically modify security settings, install software, delete users, and access all files. Consequently, they must be secured in line with the risk they pose to the organization if compromised.
Additional NCSC Resources
Secure System Administration Guidance
Design principles to help protect your most sensitive information.
Avoiding Security Architecture Anti-Patterns
Design patterns that should be avoided in computer system designs.
Managing Passwords and PINs
Passwords and PINs provide a means for users to verify their identities for network access. It is crucial to combine these with additional factors for authentication to strengthen security through multi-factor authentication (MFA).
More Reading from NCSC
MFA for Corporate Services
Guidance on implementing robust methods of MFA for organizations.
Choosing Authentication Methods
Recommended authentication models for organizations transitioning beyond password reliance.
Password Administration Strategies
Strategies to help organizations maintain security through effective password management.
Allow and Deny Lists
Allow lists and deny lists are effective tools for managing access to resources, including networks. An allow list grants access only to the resources it names, while a deny list blocks access only to the resources it names. To uphold the least privilege principle, prefer allow lists. Deny lists are inherently limited: they can only block entities already known to be bad, so anything not explicitly listed is allowed through.
Certificates
Certificates typically provide a more reliable authentication method than alternatives like passwords. Nevertheless, they can be more complex to implement and manage. Applications for certificates include network access, Transport Layer Security (TLS), and Virtual Private Networks (VPNs).
Further Reading from NCSC
Using TLS to Safeguard Data
Recommended practices for securely configuring TLS.
Guidance on VPN Technologies
Recommendations for selecting, deploying, and configuring VPN technologies.
Designing Network Architecture
Have you designed security and resilience into your network from the outset?
Identifying and applying the most effective network architecture can:
- make it more challenging for attackers to cause compromise or disruption
- lessen the impact of a compromise should it occur
- facilitate the detection of potentially malicious activities
Neglecting to incorporate security and resilience at the design phase can lead to increased difficulties (and costs) later on.
More NCSC Reading
10 Steps to Cyber Security: Architecture and Configuration
Guidance on securely designing, building, maintaining, and managing systems.
Device Security Guidance: Network Architectures
Advice on designing a remote access architecture focused on enterprise services.
Safe Design Principles
Guidance on designing secure cyber systems.
Network Segmentation
Segmentation entails dividing your network into smaller segments. This approach grants control over traffic flow and specifies what access is permitted between various networks. Proper segmentation considerations also apply to the management interfaces used by administrators for infrastructure configuration.
Further Reading
Preventing Lateral Movement
NCSC guidance on thwarting lateral movements within enterprise networks.
Implementing Network Segmentation and Segregation
Guidelines from the Australian Cyber Security Centre.
Zero Trust Architecture
A zero trust architecture removes inherent trust from the network. Instead, the network is presumed hostile, and every access request is vetted against an access policy. Trust in a request is built from context: strong authentication, authorization, the health of the requesting device, and the sensitivity of the data being accessed.
Further Reading
NCSC’s Zero Trust Architecture Design Principles
Guidelines for implementing your own zero trust network architecture in an enterprise environment.
NIST Zero Trust Architecture (PDF)
Comprehensive guidance from the US National Institute of Standards and Technology.
Data Protection During Transit
How do you safeguard data traversing your networks?
A primary role of a network is to facilitate data movement. However, this may involve sensitive data passing across devices whose security cannot be guaranteed. Therefore, it’s imperative to implement controls that maintain the confidentiality, integrity, and availability of data in transit.
Virtual Private Networks (VPNs)
How can you secure remote access to your network?
VPNs create secure connections over untrusted networks. It is vital to ensure that any VPN software and appliances are properly maintained throughout their lifecycle and not overlooked once deployed. Neglecting this increases the risk that attackers exploit a critical vulnerability in the VPN to establish a foothold in your network.
Further Reading
Guidance on VPN Technologies
NCSC’s recommendations for selecting, deploying, and configuring VPN technologies.
Zero Trust Migration Insights
An NCSC blog weighing the security characteristics of an ‘Always-On VPN’.
Protocols
Are your network protocols appropriate?
Protocols used within your network should make it difficult for attackers to exploit vulnerabilities or disrupt services. Choosing secure protocols aids in detecting and reducing the impact of potential compromises. For instance, it is advised to use HTTPS instead of HTTP for hosting websites.
Additional NCSC Reading
Using TLS for Data Protection
Recommendations for securely configuring TLS profiles.
Protocol Design Principles
An NCSC paper offering guidance for protocol designers during the design phase.
Securing Network Perimeters
How do you regulate what enters and exits your network?
Despite the challenges in defining network boundaries, especially with the adoption of zero trust architecture, safeguarding established boundaries remains critical. Boundaries between different subnets or security zones are examples where perimeter security must be enforced. Firewalls are a common and effective means of controlling what traverses these boundaries. Careful management of Domain Name System (DNS) security is also becoming an increasingly important part of boundary protection.
Further Reading from NCSC
Assessing Risks of Perimeter Products
An NCSC blog exploring how attacker methodologies have evolved to breach networks.
Firewalls and Rules
Firewalls, which can be hardware or software-based, are essential for preventing unauthorized access to networks. They come in various forms, from simple packet-filtering firewalls to ‘next generation’ firewalls that integrate packet filtering with additional application-layer functions. All firewalls utilize allow and deny rules.
- Allow Rules: Control access by only permitting traffic that meets certain criteria, such as specific IP addresses or application types.
- Deny Rules: Block traffic based on explicit criteria, such as a database of known malicious IP addresses.
Firewalls typically operate on a combination of allow and deny rules processed in priority order, applying the first rule that matches. Best practice, in keeping with the principle of least privilege, is to write allow rules that permit only the minimum necessary access and then finish the rule set with a final ‘deny all’ rule, so that any traffic not explicitly permitted is blocked.
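To make the allow-list versus deny-list point and the first-match evaluation concrete, here is an added example in Python (not from the NCSC page) that simulates a first-match rule engine over a few constructed packets. The addresses, the rule sets and the "known malicious" range (taken from the RFC 5737 documentation space) are all assumptions made for the example. It shows that a deny-list style rule set with an implicit allow lets unlisted traffic through, that an allow-list style rule set with a final deny-all blocks it, and that a catch-all rule placed too early shadows every rule after it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source CIDR; "0.0.0.0/0" means any IPv4 source
    dst: str = "0.0.0.0/0"        # destination CIDR
    dport: Optional[int] = None   # None matches any destination port
    proto: Optional[str] = None   # None matches any protocol
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return True

    def is_catch_all(self) -> bool:
        return (self.src == "0.0.0.0/0" and self.dst == "0.0.0.0/0"
                and self.dport is None and self.proto is None)

def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, str]:
    """First-match evaluation: rules are checked in priority order and the first
    matching rule decides. `default` is what happens when nothing matches; this
    implicit default is exactly the gap a final 'deny all' rule closes."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "no rule matched (implicit default)"

def unreachable_rules(rules: List[Rule]) -> List[str]:
    """Return the comments of rules that can never fire because an earlier
    catch-all rule already matches every packet."""
    for i, rule in enumerate(rules):
        if rule.is_catch_all():
            return [r.comment for r in rules[i + 1:]]
    return []

# Constructed addressing: 10.0.1.0/24 clients, 10.0.2.10 web server,
# 10.0.3.10 database, 10.0.9.0/24 admin subnet, 203.0.113.0/24 "known bad".
KNOWN_BAD = Rule("deny", src="203.0.113.0/24", comment="known malicious range")

# Deny-list style: block what we know is bad, implicitly allow everything else.
DENY_LIST_STYLE = [KNOWN_BAD]

# Allow-list style: permit only the flows the design needs, then deny all.
ALLOW_LIST_STYLE = [
    KNOWN_BAD,
    Rule("allow", src="10.0.1.0/24", dst="10.0.2.10/32", dport=443, proto="tcp",
         comment="clients to web server"),
    Rule("allow", src="10.0.2.10/32", dst="10.0.3.10/32", dport=5432, proto="tcp",
         comment="web server to database"),
    Rule("allow", src="10.0.9.0/24", dst="10.0.0.0/16", dport=22, proto="tcp",
         comment="admin subnet to SSH"),
    Rule("deny", comment="final deny all"),
]

if __name__ == "__main__":
    for pkt in [Packet("10.0.1.5", "10.0.2.10", 443),
                Packet("203.0.113.7", "10.0.2.10", 443),
                Packet("192.0.2.44", "10.0.3.10", 5432),
                Packet("10.0.1.5", "10.0.3.10", 5432)]:
        print(pkt, "deny-list:", evaluate(DENY_LIST_STYLE, pkt)[0],
              "allow-list:", evaluate(ALLOW_LIST_STYLE, pkt)[0])
```

The third packet is the instructive one: an unknown internet host reaching straight for the database port is allowed under the deny-list rule set because nothing says otherwise, and denied under the allow-list rule set by the final rule. Running `unreachable_rules` on a rule set where the deny-all has been moved above the allow rules reports every allow rule as dead, which is the ordering mistake to check for when reviewing firewall configurations.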
DNS Security
Most networks depend on DNS, making its security vital. Whether you manage your own DNS servers or rely on external services, various measures must be implemented to mitigate DNS-related threats, such as:
- controlling change permissions for your DNS records or servers
- restricting the frequency of DNS queries
- securing queries with DNS Security Extensions (DNSSEC)
- utilizing deny lists to block known malicious domains informed by a relevant threat intelligence feed
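Two of the measures above, rate-limiting queries and blocking known malicious domains from a deny list, can be checked against a resolver's query log. The following added Python example (not from the NCSC page) parses a few constructed query-log lines, matches each queried name against a deny list including its parent domains, and flags any client whose query rate exceeds a threshold within a sliding window. The log format, the deny-list entries and the thresholds are assumptions for the example; a real deny list would be populated from a threat intelligence feed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed deny list; in practice populated from a threat intelligence feed.
DENY_LIST = {"malware-c2.example", "bad.example.net"}

# Constructed resolver log: "<timestamp> <client> query <type> <name>"
LOG = """\
2024-05-01T10:00:01Z 10.0.1.5 query A www.example.com
2024-05-01T10:00:02Z 10.0.1.5 query AAAA www.example.com
2024-05-01T10:00:04Z 10.0.1.5 query A c2.malware-c2.example
2024-05-01T10:00:05Z 10.0.1.9 query A host1.example.org
2024-05-01T10:00:05Z 10.0.1.9 query A host2.example.org
2024-05-01T10:00:06Z 10.0.1.9 query A host3.example.org
2024-05-01T10:00:06Z 10.0.1.9 query A host4.example.org
2024-05-01T10:00:07Z 10.0.1.9 query A host5.example.org
2024-05-01T10:00:07Z 10.0.1.9 query A host6.example.org
2024-05-01T10:00:30Z 10.0.1.5 query A mail.example.com
""".splitlines()

def is_denied(name: str, deny_list=DENY_LIST) -> bool:
    """True if the name or any parent domain is on the deny list, so that
    a subdomain of a blocked domain is blocked as well."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in deny_list for i in range(len(labels)))

def parse_line(line: str):
    ts, client, _, qtype, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qtype, qname

def analyse(lines: List[str], deny_list=DENY_LIST,
            window: timedelta = timedelta(seconds=10),
            max_queries: int = 5) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (denied queries as (client, name), clients exceeding the rate limit)."""
    denied = []
    rate_limited = set()
    recent = defaultdict(deque)          # per-client timestamps inside the window
    for line in lines:
        ts, client, _, qname = parse_line(line)
        if is_denied(qname, deny_list):
            denied.append((client, qname))
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_queries:
            rate_limited.add(client)
    return denied, sorted(rate_limited)

if __name__ == "__main__":
    blocked, noisy = analyse(LOG)
    print("queries to denied domains:", blocked)
    print("clients over the rate limit:", noisy)
```

The parent-domain walk in `is_denied` matters: a deny list entry for `malware-c2.example` should also catch `c2.malware-c2.example`, which is how attacker infrastructure is typically named. The sliding window is deliberately per client, since a resolver-wide count would let one noisy host mask another.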
Further NCSC Resources
Protective Domain Name Service (PDNS)
Information about the NCSC’s PDNS aimed at curtailing the use of DNS for malware distribution and operational threats.
Protective DNS Guidance for the Private Sector
Tips on selecting and deploying Protective Domain Name Systems (DNS).
PDNS for Schools Program
Extension of the NCSC’s Protective Domain Name Service tailored for a broader array of organizations.
Best Practices for Managing Public Domain Names
Effective strategies for handling publicly owned domain names within your organization.
System Updates and Security
How do you ensure your systems remain secure and current?
Keeping systems updated with the latest patches is crucial for securing your infrastructure. You should implement a policy that mandates updates by default, which means applying updates as swiftly as possible and ideally automatically. This should form the backbone of your update management strategy, although it may not apply to all scenarios (e.g., safety-critical systems or specialized operational technology). Systems that are not patched regularly harbor known vulnerabilities, which attackers can exploit to gain access to your network.
More NCSC Resources
Vulnerability Management Guidance
Principles aimed at helping organizations establish an effective process for managing vulnerabilities.
Monitoring Your Networks
How can you identify if your network has been breached?
An effective security monitoring mechanism enables your organization to detect activities on your network that deviate from policy or expected behavior. This facilitates quick identification and remediation of threats before significant damage occurs. When establishing or reviewing your security monitoring capabilities, it’s essential to:
- clearly define your monitoring objectives
- ensure necessary logs are available for evaluation
- provide insightful analysis from the collected data
- detect signs of misuse and unauthorized access
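As an added example of turning those four points into working detection logic (not from the NCSC page), the Python below takes two explicit monitoring objectives, a burst of failed logins from one source and a privileged account signing in from outside the dedicated administration subnet, and runs them over a few constructed authentication log lines. The log format, the account names, the admin subnet and the thresholds are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed policy: accounts treated as highly privileged, and the only
# subnet from which they are expected to authenticate.
ADMIN_ACCOUNTS = {"root", "svc-backup"}
ADMIN_NETWORK = ipaddress.ip_network("10.0.9.0/24")

# Constructed log format: "<timestamp> ssh login ok|failed user=<u> src=<ip> host=<h>"
LINE = re.compile(r"^(?P<ts>\S+) ssh login (?P<result>ok|failed) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$")

AUTH_LOG = """\
2024-05-01T09:00:01Z ssh login failed user=root src=198.51.100.7 host=fileserver01
2024-05-01T09:00:05Z ssh login failed user=admin src=198.51.100.7 host=fileserver01
2024-05-01T09:00:09Z ssh login failed user=root src=198.51.100.7 host=fileserver01
2024-05-01T09:00:12Z ssh login failed user=oracle src=198.51.100.7 host=fileserver01
2024-05-01T09:01:00Z ssh login ok user=alice src=10.0.1.20 host=fileserver01
2024-05-01T09:02:00Z ssh login ok user=root src=10.0.9.4 host=fileserver01
2024-05-01T09:03:00Z ssh login ok user=svc-backup src=10.0.1.77 host=fileserver01
""".splitlines()

def detect(lines: List[str], window: timedelta = timedelta(minutes=1),
           max_failures: int = 3) -> List[Tuple[str, str]]:
    """Return findings as (kind, detail), in log order. Unparseable lines are
    reported too, because a log that silently stops parsing is itself a gap
    in the monitoring coverage the text asks for."""
    findings = []
    failures = defaultdict(list)        # per-source failure timestamps in the window
    for line in lines:
        m = LINE.match(line)
        if not m:
            findings.append(("unparsed_line", line))
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src, user, host = m["src"], m["user"], m["host"]
        if m["result"] == "failed":
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) == max_failures:     # fire once per burst
                findings.append(("failed_login_burst", src))
        elif user in ADMIN_ACCOUNTS and ipaddress.ip_address(src) not in ADMIN_NETWORK:
            findings.append(("admin_login_outside_admin_network",
                             f"{user} from {src} to {host}"))
    return findings

if __name__ == "__main__":
    for kind, detail in detect(AUTH_LOG):
        print(kind, detail)
```

The second objective is the one that ties monitoring back to the architecture sections above: if administration is designed to come only from a dedicated subnet, a successful privileged login from anywhere else is a policy deviation worth an alert regardless of whether the credentials were valid.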
Further Resources from NCSC
Logging and Protective Monitoring Guidance
Effective use of logging and monitoring to identify threats and safeguard devices.
Building a Security Operations Centre
Guidance on designing a SOC and the security monitoring infrastructure that supports it.
To SOC or Not to SOC?
A blog post arguing that, for environments designed with security in mind, a full SOC may not be essential.

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/network-security-fundamentals