Awareness – Secure Configurations

Configuration of hardware and software to policy and standard on Workstations, Laptops, Servers, Switches, Routers, and Firewalls is absolutely critical to the continued function of a secure network.  The single largest breach target that I am aware of is presented by not changing the default parameters on these devices before introducing them into production.  Each of these devices will typically ship with an “ease of integration” configuration, with everything turned on and wide open.  Unacceptable.

It is essential that every piece of equipment on your network be configured securely and consistently, with only the services that are actually required enabled.  The fewer services a device provides, the smaller the attack surface it presents to an attacker.  All systems on your network should be provisioned from a standard hardened image, not installed from scratch.  Installing from scratch and customizing individual installations introduces the potential for significant error.

Network infrastructure device operating systems and firmware should be updated as quickly as possible after a release from the device vendor.  Just like any other computing device, routers, switches and the like are subject to software vulnerabilities and are targets for attack.  Vulnerabilities on these devices run the gamut from information disclosure to denial of service, and include remote code execution.

The network infrastructure should also be managed across network connections separate from the business network.  Don’t allow systems on the general communications LAN to be actively managing your internetworking devices.  Use different physical connections for management sessions.  This will make it much more difficult for an attacker to exploit your devices and own your network.

All of these devices’ configuration details should be recorded in a Configuration Management System (CMS).  They should be audited against the CMS records regularly to identify deviations, conflicts, and unauthorized changes.  Unauthorized change, if detected in time, can prevent a major breach.  Typically, an attacker will need to introduce some sort of configuration change in order to procure or secure access in your environment.
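The two checks described above, auditing a device against its CMS record and confirming that only required services are enabled, can be combined in one small drift audit.  The following is an added example, not code from the original article or from any vendor; the line-oriented configuration format, the device names, addresses and service names are all constructed for illustration and do not correspond to a real product's syntax.

```python
"""Configuration drift audit (added example).

Compares a device's running configuration against the baseline recorded in a
Configuration Management System (CMS) and flags any enabled service that the
standard hardened image does not permit.  The 'key ... value' config format and
the sample contents are constructed for this example, not a vendor's syntax.
"""

from dataclasses import dataclass, field

# Constructed baseline, as the CMS would record it for a core switch.
CMS_BASELINE = """\
hostname core-sw-01
service ssh enable
service telnet disable
service http disable
service snmp-v3 enable
ntp server 10.0.0.5
logging host 10.0.0.10
mgmt-interface vlan 900
"""

# Constructed running configuration pulled from the device during an audit.
# Telnet has been switched on, an unapproved SNMP version has appeared, and
# management has been moved off the dedicated management VLAN.
RUNNING_CONFIG = """\
hostname core-sw-01
service ssh enable
service telnet enable
service http disable
service snmp-v3 enable
service snmp-v2c enable
ntp server 10.0.0.5
logging host 10.0.0.10
mgmt-interface vlan 1
"""

# Services the standard hardened image allows to be enabled (constructed set).
APPROVED_SERVICES = {"ssh", "snmp-v3"}


def parse_config(text: str) -> dict[str, str]:
    """Map each 'key ... value' line to {key: value}; the last token is the value.
    Blank lines, '!' comment lines and single-token lines are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if len(tokens) < 2:
            continue
        settings[" ".join(tokens[:-1])] = tokens[-1]
    return settings


@dataclass
class AuditReport:
    missing: dict[str, str] = field(default_factory=dict)      # in CMS, absent on device
    unexpected: dict[str, str] = field(default_factory=dict)   # on device, not in CMS
    changed: dict[str, tuple[str, str]] = field(default_factory=dict)  # key -> (cms, running)
    unapproved_services: list[str] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not (self.missing or self.unexpected or self.changed
                    or self.unapproved_services)


def audit(baseline_text: str, running_text: str, approved: set[str]) -> AuditReport:
    """Diff running config against the CMS baseline and check the service allow-list."""
    baseline = parse_config(baseline_text)
    running = parse_config(running_text)
    report = AuditReport()
    for key, value in baseline.items():
        if key not in running:
            report.missing[key] = value
        elif running[key] != value:
            report.changed[key] = (value, running[key])
    for key, value in running.items():
        if key not in baseline:
            report.unexpected[key] = value
    # Attack-surface check: every enabled service must be on the approved list,
    # regardless of whether the CMS record happens to agree with the device.
    for key, value in running.items():
        if key.startswith("service ") and value == "enable":
            name = key.split(" ", 1)[1]
            if name not in approved:
                report.unapproved_services.append(name)
    return report


def format_report(report: AuditReport) -> str:
    """Render the audit result as lines suitable for a ticket or log entry."""
    if report.clean:
        return "OK: running configuration matches CMS record"
    lines = ["DRIFT DETECTED"]
    lines += [f"  missing:    {k} {v}" for k, v in report.missing.items()]
    lines += [f"  unexpected: {k} {v}" for k, v in report.unexpected.items()]
    lines += [f"  changed:    {k} {old} -> {new}" for k, (old, new) in report.changed.items()]
    lines += [f"  unapproved service enabled: {s}" for s in report.unapproved_services]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(CMS_BASELINE, RUNNING_CONFIG, APPROVED_SERVICES)))
```

Run as-is it reports the telnet and management-VLAN changes, the extra SNMP v2c line, and the two services enabled outside the approved set.  The allow-list check is deliberately independent of the baseline diff: if someone "approves" an unsafe service by editing the CMS record itself, the hardened-image policy still catches it.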