Network security fundamentals

Networks underpin the operation, security, and resilience of most organizations. This guidance gives an overview of the main things to consider when designing, maintaining, or using a network that needs to be secure and resilient, and it helps you apply the NCSC’s Cyber Security Design Principles to networks. More detailed technical material is linked from the ‘further reading’ sections.

Note

While many topics discussed here are pertinent to cloud-based networks, it is advisable to consult the NCSC’s Cloud Security Guidance for detailed information specifically about cloud environments.


Identifying Your Assets

Are you aware of the assets your network comprises?

Knowing every asset on your network is the essential first step towards effective security and resilience. A common way for attackers to breach a network is through systems the organization has lost track of: devices that were never properly secured, or that should have been decommissioned but still answer on the network.

Additional NCSC Reading:

Asset Management Guidance
Guidance on implementing asset management for effective cyber security.

Acquiring, Managing, and Disposing of Network Devices
Guidance for organizations on acquiring, managing, and disposing of network devices.

Products on Your Perimeter Considered Harmful
A blog entry detailing how attackers infiltrate networks through internet-accessible products.


Understanding the Threat

Which threats should you protect against?

The security controls built into your network should correspond to the specific threats you need to defend against. If threat modeling is skipped, you are likely to spend resources on controls that do not address a real threat or, worse, to leave the network exposed to threats nobody has considered.

Further NCSC Reading:

Threat Modeling Guidance
A guide on how threat modeling can inform risk management decisions.


Restricting Access

How can you restrict access to your network to only authorized individuals and systems?

Access to your network and its assets should be strictly controlled. The ‘least privilege’ principle requires that users and systems can reach only the resources they need for their roles, and nothing more.

Additional NCSC Reading:

Minimize the Privilege and Reach of Applications
How to securely select, configure, and utilize devices.

Enterprise Authentication Policy Guidance
Effective authentication implementation on smartphones, tablets, laptops, and desktop PCs.

Systems Administration Architectures
Common approaches to system administration architectures.

Systems Administration

Highly privileged accounts, such as those used for system administration, are prime targets for attackers. Administrators usually possess the ability to alter security settings, install software, delete users, and access all files, necessitating proportional security measures to mitigate risks if such accounts are compromised.

Further NCSC Reading:

Secure System Administration Guidance
Design principles to protect your most sensitive data.

Security Architecture Anti-Patterns
Design patterns to avoid in computer systems design.

Passwords and PINs

Passwords and PINs are the factor users most commonly present to prove their identity when accessing a network. On their own they are a weak control, so they should be combined with at least one additional factor as part of multi-factor authentication (MFA).

Further NCSC Reading:

Multi-Factor Authentication for Corporate Online Services
Guidance for organizations on implementing strong MFA methods.

Authentication Methods: Selecting the Right Type
Recommended authentication models for organizations transitioning ‘beyond passwords.’

Password Administration for System Owners
Password strategies to help maintain organizational security.

Allow Lists and Deny Lists

Allow lists and deny lists are two ways of controlling access to resources, including networks. An allow list permits access only to the resources it names and blocks everything else; a deny list blocks the resources it names and permits everything else. To uphold the principle of ‘least privilege’, allow lists are preferable: a deny list can only block what is already known to be bad, so anything new or unlisted is permitted by default.

Certificates

Certificates generally provide a more robust means of authentication than mechanisms such as passwords, although they are more complex to issue, renew, and revoke. They are used for network access control, Transport Layer Security (TLS), and Virtual Private Networks (VPNs).

Further NCSC Reading:

Using Transport Layer Security to Protect Data
Recommendations for securely configuring TLS.

Virtual Private Networks
Choosing, deploying, and configuring VPN technologies.


Designing Network Architecture

Has security and resilience been integrated into your network from the start?

Choosing and implementing the most suitable network architecture can:

  • make it challenging for attackers to cause compromise or disruption
  • lessen the impact of a compromise should one occur
  • facilitate the detection of potentially malicious activities

If security and resilience are overlooked during the design phase, the repercussions may lead to increased complications and costs later in the process.

Further NCSC Reading:

10 Steps to Cyber Security: Architecture and Configuration
Guidance on securely designing, building, and maintaining systems.

Device Security Guidance: Network Architectures
Advisories on designing remote access architectures for enterprise services.

Secure Design Principles
Guidance on cyber secure system design.

Network Segmentation

Network segmentation divides your network into smaller segments so that traffic between them can be controlled and the access permitted between segments can be defined explicitly. Management interfaces used by administrators to configure systems need particular consideration, since reaching them is a common goal for an attacker who has gained a foothold.

Further Reading:

Preventing Lateral Movement
NCSC guidance on preventing lateral movement within enterprise networks.

Implementing Network Segmentation and Segregation
Guidance from the Australian Cyber Security Centre.

Zero Trust Architecture

A zero trust architecture is an approach where inherent trust in the network is eliminated. Access is validated based on defined policies, with every request being checked. Trustworthiness is established by evaluating context, which requires strong authentication, authorization, and device health checks.

Further Reading:

NCSC’s Zero Trust Architecture Design Principles
How to implement your own zero trust network architecture in an enterprise setting.

NIST Zero Trust Architecture (PDF)
Advanced guidance from the US National Institute of Standards and Technology.


Protecting Data in Transit

How can you safeguard data traversing your networks?

A fundamental function of a network is to move data. This means sensitive information may pass across devices and links whose security you cannot vouch for. It is crucial to implement measures that protect the confidentiality, integrity, and availability of data while it is in transit.

Virtual Private Networks (VPNs)

How do you secure connections from external networks and prevent unauthorized access over them?

VPNs establish protected network connections over untrusted networks. If VPNs are used, the VPN software and devices must be maintained throughout their lifecycle, because an internet-facing VPN endpoint with a known vulnerability is one of the first things an attacker will try to exploit.

Further Reading:

Device Security Guidance: Virtual Private Networks
NCSC’s guide to selecting, deploying, and configuring VPN technologies.

Zero Trust Migration: How Will I Know If I Can Remove My VPN?
An NCSC blog that explores the security implications of an ‘Always On VPN.’

Protocols

Are the protocols you are utilizing appropriate?

The protocols your network supports should make compromise and disruption harder. If protocols are chosen with security and resilience in mind, a breach that does occur is easier to detect and its impact easier to contain. For example, serving a website over HTTPS rather than HTTP protects the confidentiality and integrity of the traffic.
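The following is an added example, not code from the NCSC guidance, showing what ‘choosing a protocol with security in mind’ means in practice for TLS: a hardened client context placed beside the legacy configuration it replaces, plus a small audit function that reports which settings fall short. The profile it enforces (TLS 1.2 minimum, server certificate and hostname verification required, AEAD cipher suites only) is this example’s own assumption, chosen to match common current advice rather than quoted from the page.

```python
"""Hardened versus legacy TLS client configuration, with an audit function.

Added example. The minimum profile enforced here is an assumption made for
illustration: TLS 1.2 or later, server certificate required, hostname
verified, and only AEAD cipher suites offered for TLS 1.2.
"""
import ssl
from typing import List


def make_client_context() -> ssl.SSLContext:
    """Return a client context meeting the assumed profile."""
    # create_default_context() already sets CERT_REQUIRED, enables hostname
    # checking and loads the system trust store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suites are fixed by OpenSSL and are all AEAD; this string
    # restricts the TLS 1.2 suites to forward-secret AEAD ones.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """The weak configuration seen in many scripts: verification switched
    off (the 'verify=False' habit) and any protocol version accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the ways a context fails the assumed profile (empty = passes)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS < 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a server certificate")
    if not ctx.check_hostname:
        findings.append("does not verify the hostname")
    non_aead = [c["name"] for c in ctx.get_ciphers() if not c["aead"]]
    if non_aead:
        findings.append("offers non-AEAD cipher suites: " + ", ".join(non_aead[:3]))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "passes")
    print("legacy:", audit_context(make_legacy_context()))
```

The audit runs offline against the context object itself, so it can be used in a unit test to stop a weakened configuration reaching production; it does not replace checking the deployed service with an external TLS scanner.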

Further NCSC Reading:

Using Transport Layer Security to Protect Data
Recommended profiles for securely configuring TLS.

Protocol Design Principles
An NCSC resource for protocol designers throughout their design processes.


Securing Network Perimeters

How can you control what enters and exits your network?

Identifying and securing network boundaries remains critical, even with the increasing adoption of zero trust architecture. Boundaries between distinct subnets or security zones exemplify where perimeter security must be reinforced. One common method for regulating perimeter access is through firewalls, and it is becoming increasingly essential to manage Domain Name System (DNS) security effectively.

Further NCSC Reading:

Products on Your Perimeter Considered Harmful
An NCSC blog discussing the evolution of attackers’ strategies for penetrating networks.

Firewalls and Access Control Rules

Firewalls can be implemented in hardware or software and are designed to block unauthorized traffic into or out of a network. They range from basic packet-filtering firewalls to ‘next generation’ firewalls that add application-layer inspection. Their policy is expressed as a list of rules: allow rules define the traffic permitted into a network or system, and deny rules block traffic that matches a given set of attributes.

  • Allow rules: Permit traffic that matches predefined attributes (such as source and destination IP addresses, protocol, and port).
  • Deny rules: Block traffic matching a specified set of attributes (such as known malicious addresses or, on an application-aware firewall, URLs).

A policy normally combines both kinds. Rules are processed from top to bottom and the first matching rule is applied, so order matters: a broad allow placed above a narrower deny will shadow it and the deny never takes effect. Once the required allow rules are in place, end the list with an explicit ‘deny all’ so that anything not expressly permitted is blocked, which upholds the principle of least privilege and gives you a rule against which to log the rejected traffic.
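To make the first-match semantics concrete, here is an added example (not code from the NCSC guidance) of a small rule evaluator in the style of a packet filter. It demonstrates the ordered processing and implicit final deny described above, and the allow-list-by-default stance recommended in the ‘Allow Lists and Deny Lists’ section; it also flags rules that are shadowed by an earlier, broader rule. The rule set and addresses are constructed for illustration, and the evaluator assumes IPv4 only.

```python
"""First-match firewall rule evaluation with an implicit final 'deny all'.

Added example; the policy, addresses and packets below are constructed
for illustration. IPv4 only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching rule decides.

    Returns (action, index of the deciding rule). When nothing matches the
    implicit final 'deny all' applies and the index is None.
    """
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers
    everything they would match (the classic broad-allow-above-deny mistake)."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Constructed policy: admins may SSH to the management interface, the LAN may
# reach the web server on 443, and an explicit deny logs other attempts on
# the management interface. Everything else hits the implicit deny.
RULES = [
    Rule("allow", "10.0.99.0/24", "10.0.1.10/32", "tcp", 22, "admins -> mgmt SSH"),
    Rule("allow", "10.0.0.0/16", "10.0.1.20/32", "tcp", 443, "LAN -> web"),
    Rule("deny", "0.0.0.0/0", "10.0.1.10/32", "any", None, "log other mgmt attempts"),
]

# Mis-ordered variant: the broad allow comes first, so the deny is shadowed
# and SSH to the management interface is permitted from the whole LAN.
BAD_RULES = [
    Rule("allow", "10.0.0.0/16", "10.0.0.0/16", "any", None, "LAN any-any"),
    Rule("deny", "10.0.0.0/16", "10.0.1.10/32", "tcp", 22, "no SSH to mgmt"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.0.5.5", "10.0.1.10", "tcp", 22))      # ('deny', 2)
    print(evaluate(BAD_RULES, "10.0.5.5", "10.0.1.10", "tcp", 22))  # ('allow', 0)
    print("shadowed in BAD_RULES:", shadowed_rules(BAD_RULES))       # [1]
```

The shadowing check is worth running whenever a rule base is changed: real policies grow to hundreds of rules, and a deny that no packet can ever reach gives a false sense of protection while the audit trail still shows it as ‘in place’.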

DNS Security

Almost every network depends on DNS, so protecting it is crucial whether you run your own resolvers and authoritative servers or rely on external ones. Recommended measures include:

  • Controlling who can modify your DNS records and the servers that host them
  • Rate-limiting DNS queries to reduce abuse of your resolvers and amplification attacks
  • Validating responses with DNS Security Extensions (DNSSEC), which authenticates the data returned but does not encrypt the queries themselves
  • Blocking resolution of known malicious domains with a deny list fed by appropriate threat intelligence
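The deny-list measure is where a protective DNS service does its work, and it is also the kind of log analysis the monitoring section calls for. The following is an added example, not code from the NCSC guidance or from any PDNS product, that checks queried names from constructed resolver log lines against a constructed deny list. The point it demonstrates is that matching must be done label by label: a naive substring or suffix test would treat ‘notevil.example’ as a hit for ‘evil.example’, while a correct check still catches subdomains, mixed case, and the trailing root dot. The log format is a simplified, constructed ‘query:’ line rather than any particular resolver’s exact output.

```python
"""Deny-list matching of DNS query names, label-wise, over sample log lines.

Added example. The deny list and log lines are constructed for
illustration; the log format is a simplified resolver 'query:' line.
"""
import re
from typing import Iterable, List, Set, Tuple

# Constructed deny list (stands in for a threat-intelligence feed).
DENYLIST = {"evil.example", "c2.bad.test"}

# Constructed resolver log lines.
LOG_LINES = """\
12-Mar-2024 09:00:01.123 client 10.0.5.5#51234: query: www.evil.example IN A +
12-Mar-2024 09:00:02.456 client 10.0.5.6#51235: query: notevil.example IN A +
12-Mar-2024 09:00:03.789 client 10.0.5.7#51236: query: c2.bad.test IN TXT +
12-Mar-2024 09:00:04.000 client 10.0.5.8#51237: query: intranet.corp.test IN A +
12-Mar-2024 09:00:05.000 client 10.0.5.9#51238: query: EVIL.EXAMPLE. IN AAAA +
""".splitlines()

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def is_denied(name: str, denylist: Set[str]) -> bool:
    """True if `name` equals a denied domain or is a subdomain of one.

    The comparison walks whole labels, so 'notevil.example' does not match
    'evil.example' even though it ends with that string.
    """
    denied = {normalise(d) for d in denylist}
    labels = normalise(name).split(".")
    return any(".".join(labels[i:]) in denied for i in range(len(labels)))


def flag_queries(lines: Iterable[str], denylist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client address, normalised name) for each query on the deny list."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_denied(m["name"], denylist):
            hits.append((m["client"], normalise(m["name"])))
    return hits


if __name__ == "__main__":
    for client, name in flag_queries(LOG_LINES, DENYLIST):
        print(f"{client} queried denied domain {name}")
```

In a resolver that enforces the list, the same match decides whether to answer or to return a sinkhole address; when you only have logs, the flagged client addresses are the starting point for an incident investigation.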

Further NCSC Reading:

Protective Domain Name Service (PDNS)
Overview of NCSC’s PDNS service aimed at preventing malware distribution via DNS.

Protective DNS for the Private Sector
Advice on selecting and deploying protective DNS systems.

PDNS for Schools
NCSC’s ‘Protective Domain Name Service for Schools’ scaled to safeguard a broader range of organizations.

Managing Public Domain Names
Best practices for overseeing public domain names associated with your organization.


Updating Systems

How do you ensure your systems remain secure and current?

Applying the latest updates is vital for maintaining your security posture. Establishing a policy to default to immediate updates, ideally automatically, should be central to your update management process. Although this standard applies generally, some scenarios may require exceptions (e.g., safety-critical systems). Unpatched systems may harbor widely known vulnerabilities, making them ripe for exploitation by attackers.

Further NCSC Reading:

Vulnerability Management Guidance
Core principles for implementing an effective vulnerability management process within organizations.


Monitoring Networks

How can you identify if your network has been compromised?

An effective security monitoring function will empower your organization to swiftly detect any non-compliance with policies or expected behaviors occurring on your network. This facilitates quick detection and remediation of threats before they escalate into larger issues. When developing or assessing your monitoring capabilities, it is crucial to:

  • Understand what you need to monitor
  • Ensure necessary logs are accessible for analysis
  • Develop your analysis to provide actionable insights
  • Enable detection of misuse signs

Further NCSC Reading:

Logging and Protective Monitoring Guidance
Utilizing logging and monitoring practices to identify threats and safeguard your devices.

Building a Security Operations Centre
Guidance for organizations to develop a SOC and establish security monitoring capabilities.

To SOC or Not to SOC?
A blog discussing that a ‘full-fat SOC’ is not always necessary for environments designed to be secure from the outset.

Based on an article from https://www.ncsc.gov.uk/guidance/network-security-fundamentals.