It’s a sad truth that not all network devices are built with network device security in mind. Some ship with default credentials like admin / admin, with SNMP set to public, or with operating systems that haven’t been updated in years.
As with any other device, it’s important to practice good hygiene when managing network devices. Good hygiene means things like keeping firmware up to date, changing credentials away from the defaults, and refreshing end-of-life hardware and software.
If you’re already doing these things, great! You get a well-deserved pat on the back. By following these simple guidelines, you’re already in the front half of the network management pack. But what else can you be doing to continually improve the security posture of your network infrastructure devices?
Here we’ll go over what network device security is, how to secure network devices, and share five security best practices.
What is network device security?
Network device security is the use of policies and configurations that a network administrator sets to monitor and protect the network devices from any unwanted or unauthorized access, changes, or use. It is vital for any organization to have secure network infrastructure devices in order to limit disruptions or data loss. Network device security enables organizations to better control access to their network devices, and in turn better control access to their network.
What are the types of network security devices?
There are many types of network devices, but these are some of the most commonly used ones for securing a network.
For most networks, the firewall is one of the first lines of defense. Firewalls act to isolate your network and protect it from unwanted network traffic. Depending on your network, firewalls can be built into devices such as routers and switches or implemented as standalone protection.
Firewalls can operate in two ways:
- Whitelisting: The firewall blocks everything except specifically listed network traffic.
- Blacklisting: The firewall only blocks suspicious traffic from the network.
Deciding which of these policies to choose is part of determining how to manage a network, but more often than not, you’ll want to take a Whitelisting approach.
Network access control (NAC)
Network access control (NAC) is a network security device that checks the security settings of any devices trying to enter the network and either denying entry if settings do not meet predefined policy requirements or allowing entry to the network if settings match access requirements.
Intrusion Prevention and Intrusion Detection Systems (IPS / IDS)
Intrusion prevention and intrusion detection systems scan and alert you of any network attacks. They act in conjunction with the firewall and scan for anything that may have cleared the firewall and entered the network.
While intrusion detection systems notify you of any intrusions and require action on your part, intrusion prevention systems notify you and actively respond to the intrusion without your intervention.
Proxy servers provide network security by acting as a go-between for your network computer’s web browser and the server on the other end of the connection. Inappropriate and malicious websites are blocked by proxy servers and access control policies are enforced.
These are only some of your choices when it comes to types of network security devices, and no single one will do it all. Instead, it’s important to take a layered approach and utilize as many types of security as your network needs to ensure your network infrastructure devices remain protected and secure.
How do I secure a network device?
If you’re wondering how to secure network devices, there are actually several ways to enhance the security of network infrastructure.
It’s important to keep up-to-date inventories of all your network devices and to know exactly what security policies have been applied to each one. Taking inventory can be a time-consuming task when done manually, so opt for a network scanning tool that can do this for you like Auvik.
Identify devices at high-risk
By evaluating your devices and narrowing in on the ones with increased risk, you can proactively take additional measures to ensure your network remains secure. Be sure to also look at devices that contain sensitive information or are lacking in strict access permissions and implement greater security measures there as well.
Determine areas of device weakness
While you identify high-risk devices, also notice where these devices exhibit weaknesses that need attention. By finding these areas of device weakness, you can locate where patches are needed and deploy extra security to the device to protect it and your network.
Use configuration and management tools
Manually performing network configuration and security tasks is a time-consuming burden on your administrator, and these tasks can be done more efficiently and accurately with configuration and management tools. Repetitive tasks and standards maintenance are done automatically with configuration management tools, and any changes to network configurations are detected and flagged in real-time to ensure you know exactly what is happening when as well as who is making the changes. Auvik‘s network management system provides the tools you need with the security and privacy your network demands.
Routine reporting and audits
Regularly reviewing your devices is key to securing network devices. Utilize reports that analyze your device’s security measures and keep tabs on whether everything is working as it should or if you need to make any adjustments.
5 Security Best Practices for Network Devices
1. Limit the IP ranges that can manage network infrastructure
Do your users need direct access to switches or firewalls? How about the IP phone subnet? For nearly every person I talk to the answer is a clear ‘no’.
Most network devices allow you to select management IPs or apply access control lists (ACLs) to services such as SNMP and SSH. Use this feature to restrict access to a couple of management servers you have on site.
This is especially important for perimeter devices. If you’ve enabled SSH access to a firewall from the outside, it’s critical that access is locked down. Be careful not to lock yourself out though.
2. Use SNMPv3 throughout the network
SNMP has gone through a few iterations over the years. SNMPv2c, the most commonly used version, has been around for decades with little change. SNMPv3 is a great option for those looking to manage devices over SNMP while adding some network device security and encryption to that management.
Using SNMPv3 instead of v2c over public networks is obvious, but security-conscious service providers have increasingly been using SNMPv3 within private networks as well. That’s because v3 reduces the amount of management data traversing the network in clear text—in case someone is listening in who shouldn’t be.
3. Rotate network device credentials
It’s that time of year: Time to change your firewall password from Fall2019 to Winter2019, am I right?
While some may rightfully question your choice of passwords, good on you to rotate your credentials on a quarterly basis. We typically see teams rotating network device credentials at least annually. Credentials are an important method of securing network devices.
Already rotating regularly? You’re well ahead of the curve.
Credential rotation isn’t on your regular calendar yet? Start the habit now by setting a recurring ticket in your PSA.
4. Disable unused network ports
Helpful employees, malicious actors, shadow IT—these are all people who would love to plug something into an open Ethernet port on your switch. Trouble is, they can cause a broad range of issues, from broadcast storms to security breaches and unsanctioned hardware on your network.
If you have extra ports on routers, switches, and firewalls after completing the initial configuration, disable them. If they’re ever needed again, you can log back in and re-enable them.
5. Secure SSH on network devices
First of all, thank you for having SSH configured and not Telnet. (You do have Telnet disabled, right?)
There are a few things to consider when securing SSH:
- Disable SSHv1. Version 2 is newer and more secure.
- Enable an idle timeout so that any idle sessions are closed down.
- Ensure the network device software is up-to-date. Many network devices use OpenSSH, and over the past few years there have been many OpenSSH bugs identified and fixes put in place.
6. Bonus! Add a warning banner
Consider implementing a warning banner sanctioned by the legal team that users will see when they log in. While this won’t prevent access and won’t stop malicious actors, it may give an accidental hacker second thoughts.
It’s important to keep in mind that the steps to implement each of these recommendations will be different between network device vendors. You may also find that some settings discussed aren’t available on your network infrastructure devices. That’s OK—implement what you can and manage the risk around the others. What is network management without an individual approach to each network?
Achieving a secure network is a constantly moving target that relies heavily on network device security. If you’re not being proactive and continually re-evaluating and managing the risks, you’ll be behind before you know it. Auvik’s network monitoring and management software helps you prevent, detect, and resolve network issues quickly. Our cloud-based secure network management ensures you always know what’s on your network.
Your Guide to Selling Managed Network Services
Get templates for network assessment reports, presentations, pricing & more—designed just for MSPs.