
Best Practices for Network Security: Firewalls, Routers, and Switches


Firewall Security Best Practices:

a) Implement a default-deny policy: Configure your firewall to deny all incoming traffic by default and only allow necessary traffic based on predefined rules.

b) Create granular rule sets: Define specific rules to allow or block traffic based on source/destination IP, port numbers, and protocols. Regularly review and update these rules.

c) Enable Intrusion Prevention System (IPS): Activate IPS to detect and block malicious traffic patterns, known attack signatures, and suspicious activities.

d) Enable logging and monitoring: Configure firewall logging to record network activities and set up real-time alerts for security events. Regularly review logs for anomalies.

e) Apply firmware updates and security patches: Keep firewall software up to date with the latest vendor-provided updates to address vulnerabilities and enhance security.

Additional security parameters

Example script (Cisco ASA firewall):

enable
configure terminal
! Allow only web (tcp/80) and DNS (udp/53) from outside to the published internal host
access-list outside_access_in extended permit tcp any host <internal_IP> eq 80
access-list outside_access_in extended permit udp any host <internal_IP> eq 53
! Explicit default deny; 'log' makes rejected connections visible in the logs
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
! Logging: enable, timestamp, keep an internal buffer, show informational events on terminal sessions
logging enable
logging timestamp
logging buffer-size 16384
logging buffered informational
logging monitor informational
! Default application inspection, plus stateful ICMP inspection so only replies to inside-initiated pings return
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
service-policy global_policy global
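To check that a firewall actually follows the default-deny and granular-rule practices above, it helps to audit the access lists rather than trust the intent. The following Python script is an added example (not code from this article or from Cisco): it parses ASA-style access-list and access-group lines in the same form as the script above and reports ACLs that are never applied to an interface, ACLs whose final entry is not an explicit deny-all, blanket permit-all entries, and entries that sit after a deny-all and can therefore never match. The sample configuration embedded in it is constructed for the demonstration.

```python
"""Audit ASA-style access lists for default-deny and rule hygiene.

Added illustration for the firewall section; not code from the article
or from Cisco. It understands lines of the form
  access-list <name> [extended] <permit|deny> <proto> <src> <dst> [eq <port>] [log]
  access-group <name> <in|out> interface <ifname>
and flags ACLs that are never bound, ACLs whose last entry is not an
explicit 'deny ip any any', blanket 'permit ip any any' entries, and
entries that sit after a deny-all (they can never match).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host \S+|\S+ \S+)\s+"
    r"(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+log)?\s*$"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+(?:in|out)\s+interface\s+\S+")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]
    line_no: int  # 1-based line in the config text, for reporting


def parse_acls(config: str) -> Tuple[Dict[str, List[Rule]], Set[str]]:
    """Return ACL entries grouped by name, plus the names bound with access-group."""
    acls: Dict[str, List[Rule]] = {}
    bound: Set[str] = set()
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(
                Rule(m["action"], m["proto"], m["src"], m["dst"], m["port"], n))
            continue
        g = GROUP_RE.match(line)
        if g:
            bound.add(g["name"])
    return acls, bound


def _is_all(rule: Rule, action: str) -> bool:
    """True for '<action> ip any any', i.e. a deny-all or permit-all entry."""
    return (rule.action == action and rule.proto == "ip"
            and rule.src == "any" and rule.dst == "any")


def audit_acls(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no issues found."""
    findings: List[str] = []
    acls, bound = parse_acls(config)
    for name, rules in acls.items():
        if name not in bound:
            findings.append(f"{name}: defined but never applied with access-group")
        if not _is_all(rules[-1], "deny"):
            findings.append(f"{name}: last entry is not an explicit 'deny ip any any' "
                            "(the implicit deny still applies but is not logged)")
        after_deny_all = False
        for r in rules:
            if after_deny_all:
                findings.append(f"{name} line {r.line_no}: unreachable, follows 'deny ip any any'")
            if _is_all(r, "permit"):
                findings.append(f"{name} line {r.line_no}: 'permit ip any any' defeats default-deny")
            if _is_all(r, "deny"):
                after_deny_all = True
    return findings


# Constructed sample: one well-formed ACL and one that shows every problem above.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any host 10.0.0.5 eq 80
access-list outside_access_in extended permit udp any host 10.0.0.5 eq 53
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended deny ip any any
access-list dmz_access_in extended permit tcp any host 10.0.0.9 eq 22
"""

if __name__ == "__main__":
    for finding in audit_acls(SAMPLE_CONFIG):
        print(finding)
```

Feed it the text of a saved configuration and review the findings with the rule owners; the "unreachable" check in particular catches rules that were appended after a deny-all during a hurried change and silently never took effect.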

Router Security Best Practices:

a) Change default credentials: Modify the default username and password for router access to prevent unauthorized access.

b) Disable unnecessary services: Turn off protocols and services that are not required, such as Telnet, SNMP, or FTP.

c) Secure remote management access: Enable Secure Shell (SSH) and disable Telnet for secure remote access. Use access control lists (ACLs) to restrict management access to specific IP addresses.

d) Implement access control lists (ACLs): Apply ACLs to control traffic entering or leaving the router based on specific criteria like source/destination IP, port numbers, or protocols.

e) Enable encryption protocols: Use encryption protocols like IPsec or SSL/TLS for securing router-to-router or remote connections.

Example script (Cisco IOS router):

enable
configure terminal
hostname MyRouter
! Privileged-mode password stored as a hash, and a local account for SSH logins
enable secret <password>
username <admin_user> secret <password>
! SSH needs a domain name and an RSA key pair; then allow SSH version 2 only
ip domain-name <domain_name>
crypto key generate rsa modulus 2048
ip ssh version 2
! Disable unnecessary services
no ip http server
no ip http secure-server
! ACL 1 matches the internal subnet only
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any
! Remote management: SSH only, local accounts, and only from the internal subnet
line vty 0 4
transport input ssh
login local
access-class 1 in
interface GigabitEthernet0/0
ip address <internal_IP> <subnet_mask>
! Only packets sourced from the internal subnet may enter from the LAN side
ip access-group 1 in
no shutdown
interface GigabitEthernet0/1
ip address <external_IP> <subnet_mask>
no shutdown

Additional security parameters

Switch Security Best Practices:

a) Disable unused switch ports: Turn off any unused switch ports to prevent unauthorized devices from connecting to the network.

b) Enable port security: Set limits on the number of MAC addresses allowed per port and define actions (such as shutting down the port) if a violation occurs.

c) Implement VLAN segmentation: Use VLANs to separate and isolate network traffic, ensuring that each VLAN is associated with the appropriate security policies.

d) Enable Spanning Tree Protocol (STP): Use STP to prevent network loops and maintain a stable network infrastructure.

e) Implement port authentication: Utilize protocols like IEEE 802.1X to enforce user-based authentication on switch ports.

Example script (Cisco Catalyst switch):

enable
configure terminal
! VLANs used for segmentation
vlan 10
vlan 20
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 10
! Port security: at most 2 MAC addresses; shut the port on a violation
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
! Edge port: skip STP listening/learning, and shut the port if a BPDU arrives
spanning-tree portfast
spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 20
switchport port-security
switchport port-security maximum 2
switchport port-security violation shutdown
spanning-tree portfast
spanning-tree bpduguard enable
! Administratively disable every port that is not in use
interface range GigabitEthernet1/0/3 - <last_port>
shutdown
! Make this switch the STP root bridge for the user VLANs
spanning-tree vlan 10,20 root primary
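The router and switch practices above (SSH-only management restricted by ACL, no line passwords, unnecessary services off, port security on access ports, unused ports shut down) are all visible in a saved running-config, so they can be verified automatically. The following Python script is an added example covering both sections (not code from this article or from Cisco): it parses the indented "show running-config" layout into global commands and interface/line sections and reports deviations from those practices. The embedded sample configuration is constructed for the demonstration and deliberately mixes compliant and non-compliant sections.

```python
"""Audit a Cisco IOS running-config for the router and switch controls above.

Added illustration for the router and switch sections; not code from the
article or from Cisco. It reads the 'show running-config' layout, where
sub-commands are indented one space and '!' separates sections, and
reports: vty lines that accept Telnet or have no access-class, line
passwords used instead of local accounts, SSHv2 not enabled, the HTTP
management server left on, default or read-write SNMP communities,
access ports without port security or BPDU guard, and unconfigured
ports left enabled.
"""
from typing import List, Optional, Tuple

Block = Tuple[str, List[str]]  # (section header, its sub-commands)


def parse_ios(config: str) -> Tuple[List[str], List[Block]]:
    """Split a running-config into global commands and interface/line sections."""
    global_cmds: List[str] = []
    blocks: List[Block] = []
    current: Optional[Block] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' closes a section in running-config output
            continue
        if raw[0].isspace():  # indented: belongs to the open section
            if current is not None:
                current[1].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = (line, [])
            blocks.append(current)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def audit_ios(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no issues found."""
    findings: List[str] = []
    global_cmds, blocks = parse_ios(config)
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' is not set")
    if "ip http server" in global_cmds:
        findings.append("global: HTTP management server is enabled")
    for cmd in global_cmds:
        if cmd.startswith("snmp-server community ") and (
                " public" in cmd or " private" in cmd or cmd.endswith(" RW")):
            findings.append(f"global: default or read-write SNMP community: '{cmd}'")
    for header, cmds in blocks:
        if header.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            # No 'transport input' at all means the platform default, which may include Telnet
            if not transport or any("telnet" in c or c.endswith(" all") for c in transport):
                findings.append(f"{header}: Telnet is permitted (set 'transport input ssh')")
            if not any(c.startswith("access-class ") for c in cmds):
                findings.append(f"{header}: no access-class restricting management sources")
            if any(c.startswith("password ") for c in cmds) and "login local" not in cmds:
                findings.append(f"{header}: shared line password instead of local accounts")
        elif header.startswith("interface "):
            if "switchport mode access" in cmds:
                if "switchport port-security" not in cmds:
                    findings.append(f"{header}: access port without port security")
                if "spanning-tree bpduguard enable" not in cmds:
                    findings.append(f"{header}: access port without BPDU guard")
            elif (not any(c.startswith(("ip address", "switchport", "description")) for c in cmds)
                  and "shutdown" not in cmds):
                findings.append(f"{header}: unconfigured port is not shut down")
    return findings


# Constructed sample in 'show running-config' layout (not a real device's config).
SAMPLE_CONFIG = """\
hostname MyRouter
ip ssh version 2
ip http server
snmp-server community public RO
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
 shutdown
!
line vty 0 4
 password cisco123
 login
 transport input telnet ssh
!
line vty 5 15
 access-class 1 in
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for finding in audit_ios(SAMPLE_CONFIG):
        print(finding)
```

The "unconfigured port" check is a heuristic (an interface with no address, switchport or description commands), so treat those findings as a list to confirm against the patch panel rather than as proof; the vty and port-security checks are exact matches on the commands the practices above call for.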

Additional security parameters
