4.3 Given a scenario, apply network hardening techniques

  • Best Practices
    • Secure SNMP
    • Router Advertisement (RA) Guard
    • Port Security
    • Dynamic ARP Inspection
    • Control Plane Policing
    • Private VLANs
    • Disable Unneeded Switchports
    • Disable Unneeded Network Services
    • Change Default Passwords
    • Password Complexity/Length
    • Enable DHCP Snooping
    • Change Default VLAN
    • Patch and Firmware Management
    • Access Control List
    • Role-Based Access
    • Firewall Rules
      • Explicit Deny
      • Implicit Deny
  • Wireless Security
    • MAC Filtering
    • Antenna Placement
    • Power Levels
    • Wireless Client Isolation
    • Guest Network Isolation
    • Preshared Keys (PSKs)
    • EAP
    • Geofencing
    • Captive Portal
  • IoT Access Considerations

Now that we’ve described some of the bad things out there, how can we keep them from getting into our network?  We will talk about physical security later, but let’s look at some software configuration settings.

  • Use the most secure version of the protocol that is available.  For example, use secure SNMP instead of normal SNMP; use secure FTP instead of regular FTP, etc.

  • Use Router Advertisement (RA) Guard.  Remember that when we connect a bunch of routers together, they start communicating and figure out who each other’s neighbors are?  That way, we can build a network with multiple routers regardless of the make or model.

    The problem is that a malicious user could
    • send out rogue router advertisement messages to our legitimate routers, which would confuse our routers and disrupt our network
    • install a rogue router that listens to the router advertisement messages

    Thus, we can configure a guard on the router that filters the messages based on their source IP address, source MAC address, and other factors.

  • Control Plane Policing.  Remember that a switch or router sends traffic through the “data” plane and management traffic through the “control” plane.  A hacker wanting to disrupt the device might attempt to send a large amount of traffic through the control plane.

    Control Plane Policing allows us to protect the switch and router control planes from attacks.  It does so by reducing the amount of traffic that the control plane can accept through a QoS policy.  When the switch receives, on its data plane, a packet with a destination of the control plane, it will decide whether to forward or drop that packet.

  • Change Default VLAN.  The default VLAN should always be changed.  This prevents VLAN hopping.

  • Private VLANs.  A private VLAN is an idea where we can break a single VLAN into multiple sub VLANs.  The main VLAN is called the primary VLAN.  A port belonging to the primary VLAN is known as the promiscuous port and can talk to all other ports.  The sub VLANs can be of two types:

    • Isolated VLAN – a port assigned to an isolated VLAN can not talk to any other port except the promiscuous port

    • Community VLAN – a port assigned to a community VLAN can talk to any other port in that same community and with the promiscuous port

    The advantage of the private VLAN is that we can separate traffic from devices within the same VLAN.  It also reduces the number of VLANs and IP subnets that are required.
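    The three port roles above can be checked with a small model.  This is an added example, not part of the original guide; the port names, roles and community names are constructed, and it shows which pairs of ports in one primary VLAN are allowed to exchange frames.

```python
# Added example (not from the original guide): a model of private VLAN
# forwarding rules. Port names, roles and community names are constructed.
PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"

# Constructed port table for one primary VLAN: port -> (role, community)
PORTS = {
    "Gi1/0/1": (PROMISCUOUS, None),   # uplink toward the default gateway
    "Gi1/0/2": (ISOLATED, None),      # tenant A in the isolated VLAN
    "Gi1/0/3": (ISOLATED, None),      # tenant B in the same isolated VLAN
    "Gi1/0/4": (COMMUNITY, "eng"),    # community VLAN "eng"
    "Gi1/0/5": (COMMUNITY, "eng"),
    "Gi1/0/6": (COMMUNITY, "sales"),  # community VLAN "sales"
}

def can_talk(src, dst, ports=PORTS):
    """True if a frame from src may be forwarded to dst within the primary
    VLAN, applying the three private VLAN port roles."""
    if src == dst:
        return True
    s_role, s_comm = ports[src]
    d_role, d_comm = ports[dst]
    if PROMISCUOUS in (s_role, d_role):   # promiscuous talks to everyone
        return True
    if ISOLATED in (s_role, d_role):      # isolated talks only to promiscuous
        return False
    return s_comm == d_comm               # community: same community only

def reachability(ports=PORTS):
    """For each port, the sorted list of other ports it can reach."""
    return {p: sorted(q for q in ports if q != p and can_talk(p, q))
            for p in ports}
```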

  • Disable Unneeded Switchports.  It goes without saying that if a switch port is not used (not physically connected to a device), then we should turn it off.  That way, if somebody tries to connect a device to it, no traffic will flow.

  • Disable Unneeded Network Services.  Many services may be enabled by default on your switch, router, computer, or server.  Turn off any services that you aren’t using such as DHCP servers, web servers, FTP, SMTP, etc.  Sometimes these services are installed and operational by default.

    Every running service is a potential for a security vulnerability because if you aren’t using it, then you likely aren’t monitoring or patching it.

  • Change Default Passwords.  I mentioned this many times.  It is important to change the default username and password on every device, and not to use devices that do not allow you to change the default password.

  • Password Complexity/Length.  You must enforce a password that is complicated so that it cannot be easily guessed.  Some rules for password complexity:

    • Includes at least eight characters

    • Includes special characters, capital letters, and numbers

    • Does not include the user’s name or other personally identifying information

    • Does not reuse old passwords
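    The four rules above as a checker.  This is an added example, not from the original guide; it checks only the username for the personal-information rule, and it keeps the password history as salted PBKDF2 hashes so that old passwords are never stored in clear text.

```python
# Added example (not from the original guide): enforce the four password rules.
import hashlib
import os
import re

SPECIAL = re.compile(r"[^A-Za-z0-9]")

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest; the history stores (salt, digest)
    pairs, never the plaintext of an old password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def check_password(password, username, history):
    """Return the list of rules the candidate password violates (empty list
    means it is acceptable). `history` is a list of (salt, digest) pairs."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[0-9]", password)
            and SPECIAL.search(password)):
        problems.append("missing a capital letter, number or special character")
    # Simplification: the user's name stands in for "personally identifying information".
    if username.lower() in password.lower():
        problems.append("contains the user's name")
    # Re-hash with each stored salt so an old password is recognised without
    # ever comparing plaintexts.
    if any(hash_password(password, salt)[1] == digest for salt, digest in history):
        problems.append("reuses an old password")
    return problems
```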

  • Patch and Firmware Management.  You should make sure to patch all devices when patches become available.  Some devices are configured to automatically download and install patches.  When there are many devices of many makes and models, an automated system should be used.  The system will:

    • Determine when a patch is available for a given device

    • Automatically deploy the patch onto the device

    • Verify that the device has been successfully patched or report the failure to patch to an administrator

  • Access Control List.  The Access Control List is a set of rules for what traffic is permitted to pass and what traffic is not permitted.  There are many types of rules, based on:

    • Source IP address.  Where is the traffic coming from?  The source IP address could be on the LAN or on the WAN.  It could be a specific IP address or a range of addresses.

    • Destination IP address.  Where is the traffic going?  The destination IP address could be on the LAN or on the WAN.  It could be a specific IP address or a range of addresses.

    • Source Port Number.  What is the port number of the source traffic?  The source port could be on the LAN or on the WAN.  It could be a specific port or a range of ports.

    • Destination Port Number.  What is the port number of the destination traffic?  The destination port could be on the LAN or on the WAN.  It could be a specific port or a range of ports.

    • Username.  Access Control Lists can be user-based.  Permissions can be granted or denied to specific users based on their needs in the organization.  For example, guests can be permitted to access only the internet and not resources such as remote desktop or SQL servers.

    • Rules can match a single parameter or a combination of parameters

      • For example, a rule could say ‘Allow traffic from 10.1.1.1, port 5 to the range of IPs 192.168.3.0 to 192.168.3.255’.  All traffic received from 10.1.1.1 port 5 will be permitted to reach destinations in the range 192.168.3.0 to 192.168.3.255.  Traffic from other source IP addresses and/or ports will be rejected.  Traffic from 10.1.1.1 to destinations outside of the range 192.168.3.0 to 192.168.3.255 will be rejected.

      • Always Allow.  An Always Allow rule allows all traffic matching a rule.  For example, “always allow traffic from the source IP 10.1.1.1”.  All traffic from 10.1.1.1 will be permitted regardless of the port number or destination.

      • Always Deny.  An Always Deny rule denies all traffic matching a rule.  For example, “always deny traffic from the source IP 10.1.1.1”.  All traffic from 10.1.1.1 will be denied regardless of the port number or destination.

        This is also known as an Explicit Deny.  If we create a bunch of rules to allow traffic from specific sources, and then tell the firewall to block any traffic that doesn’t match those rules, that is known as an Implicit Deny.  In other words, Implicit Deny means that the traffic is blocked until another rule is created to allow it, whereas Explicit Deny blocks the traffic regardless of any other rules.

    • Order of Operations

      • A firewall could have dozens or thousands of rules.  The rules are ranked in order of priority.

      • When the firewall receives a piece of traffic, it starts checking the rules in order until it finds one that matches the traffic’s source and destination.  It then applies that rule to the traffic.

      • The firewall will only apply one rule to a piece of traffic.  Once that rule is applied, the firewall stops checking additional rules.

      • It is important to put the rules in logical order so that traffic is not accidentally accepted or rejected.  When a firewall receives a piece of traffic that does not match any rules, it will either allow or reject the traffic based on its configuration.

      • Many firewalls are preconfigured with two default rules:

        • Always allow traffic with a source inside the network (LAN)

        • Always reject traffic with a source outside the network (WAN)

      • The two default rules should be put at the bottom of the list.

        • The first rule (allowing all traffic from inside the LAN) is dangerous because users cannot be trusted to access only safe resources on the internet.  It should be modified (broken down) into two rules.

          • Always allow traffic with a

            • Source inside the network (LAN)

            • Destination outside the network (WAN)

            • Limited to specific ports outside the network (port 80, port 443, port 3306, etc.).  The specific ports should be based on resources that users need to access.

          • Always deny traffic

            • Source inside the network (LAN)

            • Destination outside the network (WAN)

            • This rule applies second; any traffic not matching the previous rule will be denied
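    The order-of-operations points above can be exercised with a first-match evaluator.  This is an added example, not from the original guide; the rule set is constructed to contain the guide’s worked rule (10.1.1.1, port 5 to 192.168.3.0/24) followed by the recommended split of the “allow everything from the LAN” default, and `shadowed()` reports rules placed so late that they can never match.

```python
# Added example (not from the original guide): first-match firewall evaluation
# with explicit deny, implicit deny and a check for unreachable rules.
import ipaddress

LAN = "192.168.3.0/24"   # constructed: the inside (LAN) network
ANY = "0.0.0.0/0"

def rule(action, src=ANY, dst=ANY, sport=None, dport=None):
    """One rule: action plus source/destination networks and optional source
    and destination ports. A port of None matches any port."""
    return {"action": action, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "sport": sport, "dport": dport}

def matches(r, src_ip, dst_ip, sport, dport):
    return (ipaddress.ip_address(src_ip) in r["src"]
            and ipaddress.ip_address(dst_ip) in r["dst"]
            and r["sport"] in (None, sport)
            and r["dport"] in (None, dport))

def evaluate(rules, src_ip, dst_ip, sport, dport, default="deny"):
    """Rules are checked top to bottom; the first match is applied and
    checking stops. Falling off the end returns the firewall's default,
    which with default="deny" is the implicit deny."""
    for i, r in enumerate(rules):
        if matches(r, src_ip, dst_ip, sport, dport):
            return r["action"], i
    return default, None

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule already
    matches every packet they would match: a sign the order is wrong."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["sport"] in (None, later["sport"])
                    and earlier["dport"] in (None, later["dport"])):
                out.append(j)
                break
    return out

# Constructed rule set following the guide's advice.
RULES = [
    rule("allow", src="10.1.1.1/32", sport=5, dst=LAN),  # the guide's worked rule
    rule("allow", src=LAN, dport=80),      # LAN -> anywhere, web only
    rule("allow", src=LAN, dport=443),
    rule("deny", src=LAN),                 # explicit deny for remaining LAN traffic
    rule("allow", src=LAN, dport=3306),    # misplaced: shadowed by the deny above
]
```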

  • Role-Based Access – Permissions are not assigned to individual users or to objects.  Instead, permissions are assigned to operations/actions (known as roles).

    • A user can be assigned to a specific group (the user is given a role); the user inherits the permissions assigned to the role

    • The organization can define the operations and actions that are relevant to their organization.  For example:

      • Sales person (can access sales data)

      • Accountant (can enter data into the accounting system)

      • Accounts payable clerk (can approve invoices and issue payments)

How can we enforce security on wireless networks?

  • MAC Filtering.  We can enforce a rule where only devices with specific MAC addresses are permitted on our wireless network.

    This rule works if we have an accurate inventory of all the wireless devices that may connect.  It is not practical if we allow users to bring their own devices and connect them to the wireless network.  It can also be bypassed by a hacker who spoofs his device MAC address to match that of one that is authorized.

  • Antenna Placement.  We can adjust the position and type of antennas so that our wireless signal does not exit our building.  This would prevent hackers outside the building from connecting.

  • Power Levels.  We can adjust the power level on the device so that the wireless signal does not propagate outside of our building.  This would prevent hackers outside the building or in neighboring suites from connecting.

  • Wireless Client Isolation.  A wireless client can normally communicate with another wireless or ethernet client (and vice versa) provided they are on the same VLAN or WLAN.  Traffic from a wireless device destined to another device on the same VLAN travels through the wireless access point to the switch and then back through the switch (or another switch) or wireless access point as applicable.

    Wireless Client Isolation prevents different wireless clients from communicating with each other, even though they are on the same VLAN and subnet (and possibly connected to the same wireless access point).

    This is important when we have a wireless network open to guests or unrelated users.  For example, devices connected to the guest Wi-Fi at a hotel or student Wi-Fi at a University should not be able to reach to each other.  A guest in one hotel room should not be able to see devices belonging to a guest in another hotel room.

    The isolation may be enforced by the router.

  • Guest Network Isolation.  If we have a guest Wi-Fi and a corporate Wi-Fi, we should physically or logically isolate the guest Wi-Fi network.

    • Physically isolating the network requires us to construct and configure a physically separate guest network.  That means separate wireless access points, switches, routers, and wiring.  This measure might be too expensive for most customers.

    • Logically isolating the network allows us to map the guest Wi-Fi SSID to a separate VLAN that can reach the internet, and no other devices.  This VLAN should also enforce wireless client isolation.

  • As mentioned earlier, we can use Preshared Keys and EAP to enable wireless security.  Extensible Authentication Protocol (EAP) is a system for authenticating with a wireless network.

    • EAP is a framework for providing authentication, but there are more than 40 possible methods that can be used, depending on the specific vendor of the equipment.

    • Each vendor may have more specific requirements, and new protocols are being developed all the time.

    • Within EAP are several methods, including

      • LEAP

        • Lightweight Extensible Authentication Protocol

        • Developed by Cisco

        • LEAP is not supported by Windows but is supported by many third-party applications

        • Cisco does not recommend using LEAP anymore because it does not protect user credentials

      • PEAP

        • Protected Extensible Authentication Protocol

        • Originally, EAP assumed that communications would be secure; therefore, it did not provide a mechanism to secure the data being transmitted.

        • PEAP corrects this by providing a secure TLS tunnel

        • A server-side certificate is used to create a PKI tunnel

      • EAP-NOOB

        • Nimble out-of-band authentication for EAP

        • Used by devices that do not have preloaded authentication information such as Internet of Things devices

        • The user must assist the device in connecting via an out of band channel

        • There are different connection options including QR codes and NFC

        • Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) exchange takes place over the in-band EAP channel.  The user then provides the out-of-band channel message from the server to the device or from the device to the server, depending on what is required.

      • EAP-FAST

        • Flexible Authentication via Secure Tunneling

        • Designed by Cisco to replace LEAP

        • Three parts

          • In band provisioning via Diffie-Hellman.  The client is provided with a shared secret.

          • Tunnel establishment.  A tunnel is established between the server and the client.

          • Authentication.  The user is authenticated

      • EAP-TLS

        • EAP – Transport Layer Security

        • Uses TLS (Transport Layer Security) as its protocol.

        • All wireless manufacturers support EAP-TLS

        • Considered very secure

        • EAP-TLS requires a client-side certificate.  When a system is authenticated with a certificate, a password is not required.  Even if a hacker obtained the username/password, without a certificate, the hacker would not be able to connect to the Wi-Fi.

        • EAP-TLS is not implemented as widely as it should be because it requires the client certificate

      • EAP-TTLS

        • EAP Tunneled Transport Layer Security

        • Extends TLS so that the client does not require a certificate.  Instead, the server creates a tunnel with the client.  The client can then authenticate to the server using a legacy password or other authentication method.  The tunnel protects the client from eavesdropping.

  • Geofencing.  Geofencing allows us to track the physical location of a wireless device and send an alert if it leaves the building or if it is taken to a portion of the building where it is not permitted.  This ensures that secure devices such as laptops or mobile readers are not removed from the building.

  • Captive Portal.  A Captive Portal is a web page that a user sees when they first connect to the wireless network.  The Captive Portal allows the user to authenticate with the wireless network.  It may also inform the user of the terms and conditions that he must adhere to when using the network.  Captive Portals are common on guest Wi-Fi networks.

What about IoT devices?  What if IoT devices such as HVAC sensors, alarm sensors, etc. need to connect to our network?

  • We should determine how we will identify each IoT device uniquely

  • We should determine how we will authenticate that IoT device.  How do we know that the connected device is legitimate?

  • Can we ensure that the device will establish a secure end-to-end communication with the server?

  • Can we ensure that the device will securely connect to the network?

  • Can we encrypt the data that is stored on the device?

  • Can we ensure that the device is not compromised by hackers?