100 Network Security Best Practices

Network Security is the process of protecting your network and data from security threats. It is a massive topic that covers a wide range of technologies, policies, and configurations.

The good news is I’ve compiled a huge list of network security best practices that I’ve personally used and researched. Most of these best practices can be referenced from various security frameworks and benchmarks.

Check it out.

General Network Security

This section is a list of network security recommendations that are not specific to any device.

1. Segment Your Network

Segmentation divides your network into smaller networks. Smaller networks make it easier to control, monitor and isolate network traffic. Some segmentation options include grouping by device, function, or security levels.

For example, all computers go on subnet 10.2.2.0/24, guest wifi on 10.2.3.0/24, and servers on 10.2.4.0/24. This puts each group of devices into its own network segment.

Network segmentation diagram.

2. Keep Software Updated

The software that runs on your switches, routers, firewalls, and other infrastructure equipment needs to be updated on a regular basis. Outdated software contains known security vulnerabilities and bugs that have already been fixed in newer releases. For example, have a routine to check and upgrade Cisco IOS on switches and routers.

3. Scan for Vulnerabilities

Vulnerability scanning is the process of scanning your network for security flaws and misconfigurations. It is recommended to scan every device connected to your network from endpoint computers to network switches and routers.

Tenable Nessus and Rapid7 are two popular vulnerability scanning tools. You should scan your network at least once a month.


4. Network Firewall

Invest in a good enterprise-grade firewall. Network firewalls are used to control network traffic from one network to another, typically the internet to your internal network. Palo Alto and Fortinet are highly recommended firewall brands.

Make sure you know how to size a firewall for your network. An undersized firewall can impact network performance and network security.

5. Personal Firewalls

Personal (host-based) firewalls are often disabled; this is a huge mistake that weakens your network security. Personal firewalls are great for blocking lateral traffic (host to host), which is a common way viruses spread from machine to machine. They help you control unwanted traffic being sent to and received from each host.

The Microsoft Security Compliance Toolkit recommends that inbound connections be set to block. This blocks any incoming connection to the endpoint that the endpoint did not initiate.

In the diagram below, the computer’s firewall allows Office 365 traffic but blocks unexpected traffic from the infected computer.

6. Intrusion Prevention Systems (IPS)

An IPS is a network technology that analyzes network traffic for malicious activity. For example, an IPS can detect a packet carrying a SQL injection attempt and block it before it reaches the server. This technology inspects the entire packet to understand the data being sent or received. IPS functionality is typically built into a network firewall device.

7. Web Filters

No user or device should have direct internet access; all traffic should go through a web filter so that internet traffic can be controlled and monitored. Web filters help block unwanted traffic from reaching your network and devices.

Web filters are often included with a network firewall and may require an additional license. There are also host-based filters such as DNSFilter and OpenDNS. Host-based web filters are great for mobile users that don’t connect to a corporate network.

8. Email Spam Filters

Spam filters are designed to detect and block malicious and spam emails. Ransomware and viruses often enter a network through an email attachment.

All major email providers include a spam filter, but you will need to customize the spam policies and create custom rules. For example, it is recommended to block certain email attachment types that can contain malicious code. You will need to create this rule manually and keep it updated.

Another custom rule that is useful is blocking certain keywords that are typically found in spam and phishing emails.

9. Centralize Event Logs

Your network equipment should log both failed and successful logon attempts, what changes are being made, who made each change, errors, critical events, and so on. These events should be sent to a centralized logging server to consolidate, analyze, and review. This will make your life easier and help you quickly spot security issues.

Expert opinion:

Rod Lewis, Author at Auvik

Centralized logging, where all of your network devices send data to a central server, is far more advantageous than logging your systems locally. With central logs, you have one complete view of your environment.

https://www.auvik.com/franklyit/blog/centralized-logs/

10. Defense in Depth

Defense in depth is a security strategy that uses multiple layers of security to protect your network and devices. What this means is you should not depend on one network security technology to protect your network or data.

For example, you install the latest and greatest network firewall and think that is all you need. WRONG. That only protects the perimeter of your network.

Examples of defense in depth:

  • Perimeter – Firewall.
  • Network – Network segmentation, prevent lateral movement.
  • Physical Security – cameras, badge access, locked doors.
  • Host – antivirus, host-based firewall, EDR.
  • Application – Ensure software is updated and supported.
  • User/Device – Multi-factor authentication.

All of the above are examples of security methods used at different layers. If a virus gets past the perimeter it still has to get through the network layer, and when it reaches a host it meets yet another layer of security.

11. Enable 802.1x or NAC

802.1x is used to authenticate wired or wireless LAN access. It forces devices to authenticate before granting access to the network. This is the best way to prevent unwanted devices from connecting to your network. For example, if a user brings in a personal laptop and plugs it into an open wall jack, 802.1x blocks the device unless you have authorized it.

12. Honeypots

Honeypots are used as a decoy to detect or deflect security threats. They are designed to look like a real system or asset in order to lure bad actors away from legitimate targets.

In the diagram below, the attacker found a server that looks real and started attacking it. In reality, this is a honeypot server that looks real and alerts the security team to the suspicious activity.

13. Baseline Network Traffic

Understanding your network traffic will help you distinguish normal from abnormal traffic. Abnormal traffic could be a potential security threat such as a data leak, a DDoS attack, or a virus spreading on your network. Baselining is not easy and will take time; you will need a network monitoring and bandwidth monitoring tool for this task.

Baseline network traffic should include protocols in use, bandwidth usage on all critical interfaces, and applications in use.

The screenshot below is from the SolarWinds Netflow Analyzer tool.

14. Network Redundancy (Multiple Vendors)

Network redundancy is a strategy of providing multiple network paths for your network; this could be to the internet, to your data center, or both. If your entire network depends on one network connection then you have a single point of failure.

A network failure can impact network security in multiple ways such as no logging, no security updates, no visibility, no reporting, and so on.

15. Configuration Backup

Configuration backup is the process of saving the configuration of your network equipment such as your switches, routers, firewalls, and so on. This is important for network security so you can quickly recover from a network outage or disaster.

ManageEngine Network Configuration Manager and SolarWinds CatTools are two good backup solutions.

16. Physically Secure Equipment

Servers, switches, routers, firewalls, and other network equipment should be in dedicated rooms that are secured. I recommend electronic locks that log who goes in and out of the room. Additional security equipment includes:

  • Security Cameras
  • UPS/Battery backup
  • Cooling
  • Fire Extinguishers
  • Racks with locks

17. Training

Network security is a huge topic that is always changing. You should keep your skills up to date by taking online training courses and practicing in a lab environment.

There are many online training programs to choose from; Pluralsight, Udemy, Hack The Box, CBT Nuggets, and SANS are some good options. Also, check with your vendor or reseller, as they may offer free training. There is also a lot of good material on YouTube.

18. DNS Filtering

DNS filtering is a service that blocks known malicious websites based on the DNS hostname. This service is often part of a security appliance (firewall) but you can also configure this at the host level.

DNS filtering works by checking the DNS name against a list of known bad addresses; if the service detects that the address is bad it blocks the lookup. Quad9 is a free DNS filtering service that can be used for personal or business use. OpenDNS is another popular filtering service, but it can be expensive.


19. Segment Guest Network (WIFI)

Most companies have a guest WIFI network for vendors, customers, contract workers, and so on. The guest network should be a separate network from everything else. It should in no way have access to your secure network or any internal services; it should be used strictly for internet access.

20. Segment BYOD Devices

Any unmanaged device should be on a separate network from managed devices. Since you are not managing these devices you do not know whether they are secure or what is running on them. These devices pose a major threat and should be blocked from the secure corporate network.

For example, a manager brings a personal tablet or phone to work and wants to connect it to the network. Connect it to the Guest network or a separate network from the secure corporate network.

21. DMZ Public Facing Equipment

Do not port forward into the internal network; doing so creates a hole directly from the internet (untrusted) into the internal (trusted) network.

Public-facing equipment should be put into a separate network called a DMZ. This puts a buffer zone between the internet and the internal network.

The diagram below shows the public-facing servers in a separate DMZ zone, isolated from the internal network.

22. Network Security Frameworks

A security framework is a set of policies and controls that can be audited. There are various security frameworks, and your organization may be required to be in compliance with one of them.

  • SOC 2
  • NIST
  • HIPAA
  • PCI
  • GDPR

23. Network Security Benchmarks

Benchmarks are a set of guidelines to help harden systems and devices. Benchmarks can be used to secure the configuration of systems.

  • CIS Benchmarks
  • STIG
  • Microsoft Security Compliance Toolkit

24. Secure Wireless

For business, WPA-Enterprise is the best option to secure wireless. WPA-Enterprise requires each user or device to authenticate individually, so access can be granted and revoked per account. WPA-Personal uses a single shared key, and that key can be cracked easily.

25. DHCP Snooping

DHCP snooping is a network security technology that can block unauthorized (rogue) DHCP servers from offering IP addresses to devices on your network. DHCP snooping is typically implemented on a network switch. The steps to enable this will vary depending on which brand you are using.

26. BPDU Guard

BPDU Guard is a security feature that defends the Spanning Tree Protocol (STP) against BPDU-related threats: an access port that should never see a BPDU is shut down (err-disabled) if one arrives, which protects the layer 2 network from a rogue switch altering the topology.

27. Detect Rogue DHCP Servers

A rogue DHCP server is an unauthorized server handing out IP addresses to devices on your network. These rogue servers can communicate with your devices and cause all kinds of network security issues.

You can use a packet capturing tool like Wireshark to detect DHCP packets on your network.
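The check you would do by eye in Wireshark can also be automated. The following is an added example, not part of the original article: it parses raw DHCP reply messages and flags OFFER/ACK messages whose Server Identifier (option 54) is not on an allow list. The packets are constructed in memory, and 10.2.2.1 is an assumed authorized DHCP server for the 10.2.2.0/24 segment used earlier.

```python
"""Flag DHCP OFFER/ACK messages from servers not on an allow list.

Added example, not part of the original article: the packets below are
constructed in memory (no capture or network access) and 10.2.2.1 is an
assumed authorized DHCP server for the 10.2.2.0/24 segment.
"""
import struct
from ipaddress import IPv4Address

BOOTREPLY = 2                        # op field value for server -> client messages
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area
OPT_MSG_TYPE = 53                    # DHCP Message Type option
OPT_SERVER_ID = 54                   # Server Identifier option
OPT_END = 255
MSG_TYPE_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
AUTHORIZED_SERVERS = {"10.2.2.1"}    # constructed allow list for this network


def parse_dhcp(raw: bytes) -> dict:
    """Parse the fixed BOOTP header plus the two DHCP options we care about."""
    if len(raw) < 240 or raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", raw[:8])
    msg = {
        "op": op,
        "xid": xid,
        "yiaddr": str(IPv4Address(raw[16:20])),   # address being offered/assigned
        "chaddr": raw[28:28 + hlen].hex(":"),      # client MAC address
        "msg_type": None,
        "server_id": None,
    }
    i = 240
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            msg["msg_type"] = value[0]
        elif code == OPT_SERVER_ID and length == 4:
            msg["server_id"] = str(IPv4Address(value))
        i += 2 + length
    return msg


def find_rogue_servers(packets, authorized=AUTHORIZED_SERVERS):
    """Return (server_id, message type, offered address) for every server->client
    DHCP message whose Server Identifier is not in the allow list."""
    rogue = []
    for raw in packets:
        try:
            msg = parse_dhcp(raw)
        except ValueError:
            continue                                  # not DHCP, ignore
        if msg["op"] != BOOTREPLY or msg["msg_type"] not in (2, 5, 6):
            continue                                  # only OFFER/ACK/NAK matter here
        if msg["server_id"] not in authorized:
            rogue.append((msg["server_id"],
                          MSG_TYPE_NAMES.get(msg["msg_type"], "?"),
                          msg["yiaddr"]))
    return rogue


def build_dhcp_reply(xid: int, yiaddr: str, server_id: str, msg_type: int) -> bytes:
    """Build a minimal BOOTREPLY carrying options 53 and 54 (constructed test data)."""
    header = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)   # op..flags
    header += b"\x00" * 4                                     # ciaddr
    header += IPv4Address(yiaddr).packed                      # yiaddr
    header += IPv4Address(server_id).packed                   # siaddr
    header += b"\x00" * 4                                     # giaddr
    header += bytes.fromhex("aabbccddeeff") + b"\x00" * 10    # chaddr (16 bytes)
    header += b"\x00" * 64 + b"\x00" * 128                    # sname, file
    options = (MAGIC_COOKIE
               + bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
               + bytes([OPT_END]))
    return header + options


# Constructed "capture": one legitimate OFFER, then an OFFER and an ACK from a rogue server.
SAMPLE_PACKETS = [
    build_dhcp_reply(0x1111, "10.2.2.50", "10.2.2.1", 2),
    build_dhcp_reply(0x2222, "192.168.1.101", "192.168.1.254", 2),
    build_dhcp_reply(0x2222, "192.168.1.101", "192.168.1.254", 5),
]

if __name__ == "__main__":
    for server, kind, lease in find_rogue_servers(SAMPLE_PACKETS):
        print(f"ROGUE DHCP {kind} from {server} offering {lease}")
```

On a real network the same parser can be fed the UDP payload of port 67/68 traffic exported from a capture, with AUTHORIZED_SERVERS set to your DHCP servers.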


28. Principle of Least Privilege

The least privilege model is simple: all users should log on with an account that has the minimum permissions needed to perform the task. This should apply to all users, even network administrators. Does every admin need full permissions on a switch, router, or firewall? Consider limiting access for staff who don’t need full rights.

Expert opinion:

Debbie Walkowski, Author at F5

One of the most obvious benefits of practicing least privilege is that it reduces an organization’s attack surface

Attack surface refers to all entry points through which an attacker could potentially gain unauthorized access to a network or system to extract or enter data or to carry out other malicious activities. A broad attack surface is challenging for organizations to defend. The outcomes can be disastrous if, for example, attackers happen upon unprotected cloud-based databases, APIs with no authentication controls, backdoors left in critical software, or servers that are wide open to any type of traffic. Any of these situations can lead to destructive attacks or significant data breaches like the following recent examples, which occurred in part due to excessive or nonexistent privilege:

https://www.f5.com/labs/articles/education/what-is-the-principle-of-least-privilege-and-why-is-it-important

29. Use Separate Admin Accounts

To help mitigate security threats, use a dedicated separate account for administrative tasks. The account used to check email and browse the internet should not be used to perform admin tasks. When making changes to switches, firewalls, and other network gear you should use a separate account.

30. Network Audit

A network audit is the process of discovering and inventorying your network and its connected devices. This is typically done by a third party that has the resources and tools to do a thorough audit. The audit can help you create an inventory, find misconfigurations that impact network security, find outdated equipment, review industry best practices, and create network documentation and diagrams.

31. External Penetration Testing

A penetration test attempts to break into your network and computer systems to find security vulnerabilities. A pen test should be done by a professional with years of experience and be done annually. Black Hills Information Security offers pen testing and other security services. An external penetration test will scan your public-facing systems such as web servers and routers.

32. Internal Penetration Testing

An internal penetration test will scan your internal networks and systems. You can choose a portion of your network, specific systems, or the entire network.

33. Secure Configuration Templates/Images

The default configuration from the manufacturer will be configured for ease of use rather than security. Create your own images or templates for all devices to ensure your assets are configured with the correct security settings. You can use the various benchmarks and frameworks to assist with creating a secure configuration.

34. MFA for Remote Network Access

MFA should be required to access the secure network from a remote location.

35. MFA for Admin Access

Enable MFA for administrator access where supported. For example, RDP access.

36. MFA for External Apps

Externally exposed or cloud-based systems should require MFA access.

37. Stay Informed

With the constant threat of viruses, ransomware, and security vulnerabilities you need to stay informed on the latest security news. CISA has various resources you can subscribe to for the latest security news.

Twitter is also a great source to get updates on the latest network security news. Type in a word such as ransomware or cybersecurity and follow industry experts.


38. Network Monitoring Tools

High bandwidth or CPU usage could be a sign of a DDoS attack. When viruses or ransomware attack your network there is often an increase in resource utilization such as high CPU, memory, and bandwidth. These resources can easily be tracked with a network monitoring tool and viewed in a dashboard.

SolarWinds NPM, PRTG Monitor, Zabbix, and Nagios are some recommended monitoring programs.

39. Network Security Tools

Knowing how to use network security tools can increase your knowledge of networking and of how attackers operate. This knowledge can help you improve the network security of your organization. For example, running a port scan with Nmap can detect devices on your network and the services they run.

Below is a screenshot of an Nmap scan.

40. Control/Monitor Remote Access

All remote access, such as VPN, should be monitored, logged, and controlled. Product support will often request VPN access to troubleshoot an issue; in most cases they don’t need full network access. Give them access to only the device they need and be sure to log when they connect and disconnect. If possible, I find it best to disable vendor access and only enable it when needed.

41. Disable Insecure Protocols

Insecure protocols provide weak or no encryption. For example, telnet sends data over the network in plain text, so it can be captured and read by an unauthorized user. These insecure protocols weaken network security and the integrity of your data. Telnet, SMBv1, HTTP, FTP, LLMNR, NTLM, and SNMPv1/v2c are weak protocols that should be avoided.

42. Disable Unnecessary Services

Some systems have services enabled by default that you may not need, such as DHCP or file sharing. These services are an entry point for an attacker; it’s like adding another door or window to a house. It is recommended to disable unnecessary services, and this should be part of your secure configuration template.

43. Use Packet Capturing

Wireshark is a packet analyzer used for network troubleshooting and analysis. This tool will show you the network packets that are being sent and received on your network. I find it useful for analyzing a single host or small networks.

For example, you can analyze the packets that are being sent on the network or to a single host. You can use the packet capture to detect insecure protocols in use, find unwanted traffic patterns like host-to-host communication, and much more.

I think packet capturing is an underrated tool that every network administrator should learn.

Below is a screenshot of a packet capture from a client to a server. I wanted to see what SMB version was being used.


44. Span Port

A SPAN port, also referred to as port mirroring, sends a copy of all traffic from one port to another port. This comes in very useful when you want to analyze specific network traffic without disrupting the network. For example, if a server is connected to port 1, you can mirror that traffic to port 2 and use Wireshark to analyze it.

45. Network Diagrams

Establish and maintain network diagrams and documentation. These can be very helpful when troubleshooting or replacing/upgrading network equipment. I’m a big fan of the Diagram.drawio app for creating network diagrams.

46. Access Control List (ACL)

An access control list is a list of rules that either deny or allow network traffic. ACLs can improve network security by controlling network traffic on the network.

Here is an example ACL entry that denies telnet access to the server 192.168.15.2. The command line syntax will differ for each manufacturer.

10 deny tcp any host 192.168.15.2 eq telnet

47. Limit Access to Management Network (ACL)

A user in the HR department does not need management access to a switch, router, or firewall. You should configure access control lists on your management network to limit which networks can access it.

48. Infrastructure ACLs (iACLs)

Infrastructure ACLs are used to protect routers from malicious traffic. For example, allow ICMP echo reply but deny ICMP timestamps. These ACLs are typically applied to interfaces connected to the internet.

49. SNMP ACLs

Limit SNMP to your network management system by using an ACL. Workstations or other devices do not need access to query a network device for SNMP info, this should be restricted to your NMS system.

50. Use SNMPv3

SNMP is a protocol used to collect information from devices on a network. SNMP version 1 is the original protocol; version 2c was added to address growing networks. Both are considered insecure because they are unencrypted and authenticate only with a plaintext community string. SNMPv3 adds authentication and encryption and is the recommended version to use.

51. Use built-in Management Ports

If your device has a dedicated port for management then use it. On Cisco devices the Ethernet management port sits in its own VRF, so management traffic is kept separate from the data plane.

52. Encrypt Data (Transit & Rest)

Data transmitted over a network should be encrypted to protect against man-in-the-middle attacks. Data should also be encrypted at rest to prevent access in plain text. Microsoft BitLocker can be used to encrypt Windows systems; check with your manufacturer to verify whether your product supports encryption at rest.

53. Computer Security Incident Handling Guide

No matter how much you invest in network security there is always a risk. Establish and maintain an incident handling guide so your organization knows what to do in the event of an attack such as ransomware.

See the NIST incident handling guide for more details.

54. Block Internet (if not needed)

If a device doesn’t need internet access then block it on the firewall. This has become more challenging with so much depending on the internet, but it can still help improve network security. There are still many things like various servers, switches, SANs, and other IT infrastructure devices that don’t need the internet.

55. Network Inventory

You cannot defend what you don’t know. Establish and maintain an inventory of all network assets. Inventory and control of Enterprise Assets is a top security control recommended by the Center for Internet Security.

56. DHCP Logging

Enable DHCP logging on all DHCP servers. This can help identify what is connected to the network and assist with inventory. It’s also useful to identify unmanaged devices that are connecting to your network.


57. Configuration Management

A configuration management tool such as a Network Configuration Manager (NCM) will track configuration changes, back up configurations, ensure compliance, and apply bulk changes. These tools can save you hours of manual work and help ensure you have a secure configuration.

58. Lockout Failed Logon Attempts

Network devices should have a lockout policy that blocks connections after a set number of failed logon attempts. For example, after 5 failed logon attempts, VTY connection attempts are blocked for 1 minute. This helps against brute force logon attempts.

59. Disconnect Idle Timeout

Administrator access should be disconnected if idle for 10 minutes. For example, if you SSH into a Cisco switch and there is no input for 10 minutes, the session will disconnect. This prevents unauthorized users from misusing abandoned sessions.

60. Change Default SNMP Community String

Any device should have the default SNMP community string changed, or disable SNMP when unused. The default string is well known and allows hackers to scan your network for this default configuration.

61. Change Default Passwords

Change device’s default passwords. Default system passwords are well known and if not changed, allow attackers easy access to your systems.

62. Block Lateral Communication

When hackers gain access to a system they look to pivot to other systems on the same network. For example, if PC1 is compromised the hacker could find PC2 and connect to it. Viruses will also scan and try to infect computers on the same network. To block these attacks it is recommended to block lateral movement on the network, typically from workstation to workstation. This is often done with a personal firewall.


63. Deploy Endpoint Detection and Response

An EDR solution continuously monitors endpoints in real time, collects telemetry from them, and responds to the threats it detects. EDR is a replacement for traditional antivirus.

Crowdstrike is a popular EDR solution.

64. Mobile Device Management (MDM)

MDM lets you centrally manage mobile devices such as tablets, phones, smartwatches, and laptops.

How does an MDM improve network security? Mobile devices are often unmanaged meaning you have no visibility into the security posture of the device. You don’t want devices connecting to your network that are not patched and have not been checked for security threats.

An MDM will ensure the device is patched and meets your organization’s standards for network access.

65. Use VPN

When using an untrusted network such as public wifi use a VPN to secure and encrypt network communications. For remote offices, consider using a site-to-site VPN.

66. End User Security Training

End users should be required to take security awareness training once a year. This should include details on using strong passwords, email phishing attempts, social engineering, and specific threats to your organization or compliance needs. KnowBe4 has a great email phishing tool for training end users.

67. Standardize Time

All systems should use a centralized time server; this ensures systems log the correct time. When troubleshooting or investigating a security incident, having the correct time is critical.

68. Collect DNS Logs

Collecting DNS logs can identify malicious traffic on your network. This is often a feature of network firewalls but DNS logs from servers can also be collected and analyzed.

Firewall Best Practices

This section is a list of firewall best practices.

69. Only Allow What is Needed

On your network firewall, you should only allow what is needed. If a user needs to browse the internet don’t create a rule that is any/any which means allow all protocols to any destination. Instead, you should create a rule that allows http/https from the source IP address. Any additional protocol that is allowed opens the door for an attack.

70. Be Specific with Rules

This is basically the same as #69, but because it is so important I’m going to repeat it. For example, if a server needs SSH access then specify the destination port and address. Don’t open every port and destination address; be very specific with ports and source/destination addresses.

71. Don’t Use Any/Any Rule

Unless you have some very specific reason don’t use any/any. This is allowing all addresses and ports. Sometimes this is used as a quick fix but try to avoid this or have a review process to address and clean up these rules.

72. SSL Inspection

SSL inspection enables your firewall to inspect encrypted traffic. This is pretty common in enterprise equipment; if your equipment supports SSL inspection, then use it. Make sure to size your equipment properly so performance is not impacted.

73. Review Rules

Have a process to review firewall rules. There are times when you may have added a temporary rule for troubleshooting or for a quick fix and forget to delete it. If you have multiple firewall admins, they may have entered something incorrectly that could impact your network security. A regular review process can help clean up old or misconfigured rules.

74. Send Logs to an Analyzer

If your firewall has no built-in log analyzer then get one. A log analyzer lets you quickly identify and react to network security threats.

If you use Fortinet firewalls they have a nice product called FortiAnalyzer that collects and analyzes firewall logs.


75. Know Firewall Capabilities

Some firewall products are loaded with security features. Take the time to understand these features and if they are beneficial to your organization. Manufacturers add new features all the time to product updates, so check release notes for added features.

76. Enable Failover

Don’t rely on a single firewall; you should have a secondary firewall ready in case the primary fails. Most enterprise-grade firewalls can be configured for high availability, which means that if one firewall fails the other automatically becomes the active firewall.

77. Use The Comment Section

If your firewall rules have a comment section use it. I like to reference a support ticket in the comment section so I or other admins can look at the details. It’s impossible to remember what every rule is for, so have a way to document or reference why it was requested.
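Items #69 through #73 and #77 are all checks you can run against a rule export. The script below is an added example (not from the original article or any vendor): it audits a constructed rule list for any/any allows, rules that allow every protocol, expired temporary rules, and rules with no comment or no change-ticket reference. The "CHG-1234" ticket format is a hypothetical comment convention.

```python
"""Review a firewall rule export for the problems called out in #69-#73 and #77.

Added example with constructed rules; the "CHG-1234" ticket pattern is a
hypothetical convention for the comment field, not a vendor format.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ANY = "any"
TICKET_RE = re.compile(r"\bCHG-\d+\b")   # hypothetical change-ticket reference


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: str                         # CIDR, host address, or "any"
    dst: str
    service: str                     # e.g. "tcp/443", "tcp/80,443", or "any"
    comment: str = ""
    expires: Optional[date] = None   # set for temporary rules


def audit_rule(rule: Rule, today: date) -> List[str]:
    """Return the findings for one rule (empty when the rule is clean)."""
    findings = []
    if rule.action == "allow":
        if rule.src == ANY and rule.dst == ANY and rule.service == ANY:
            findings.append("any/any allow rule (#71)")
        elif rule.service == ANY:
            findings.append("allows every protocol; restrict to the needed ports (#69, #70)")
        elif rule.src == ANY and rule.dst == ANY:
            findings.append("source and destination are both any; narrow at least one (#70)")
    if not rule.comment.strip():
        findings.append("no comment explaining why the rule exists (#77)")
    elif not TICKET_RE.search(rule.comment):
        findings.append("comment has no change-ticket reference (#77)")
    if rule.expires is not None and rule.expires < today:
        findings.append(f"temporary rule expired on {rule.expires.isoformat()} (#73)")
    return findings


def audit_ruleset(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Run audit_rule over every rule and return (rule name, finding) pairs."""
    return [(r.name, f) for r in rules for f in audit_rule(r, today)]


# Constructed rule export for the demonstration (addresses are documentation ranges).
SAMPLE_RULES = [
    Rule("web-out", "allow", "10.2.2.0/24", ANY, "tcp/80,443", "CHG-101 user web browsing"),
    Rule("legacy-any", "allow", ANY, ANY, ANY),
    Rule("vendor-temp", "allow", "203.0.113.7", "10.2.4.10", "tcp/22",
         "temp vendor troubleshooting", expires=date(2024, 1, 15)),
    Rule("printer-all", "allow", "10.2.2.0/24", "10.2.5.20", ANY, "CHG-202 printer access"),
    Rule("cleanup", "deny", ANY, ANY, ANY, "CHG-001 explicit deny all"),
]


def audit_sample(today: date = date(2024, 3, 1)) -> List[Tuple[str, str]]:
    """Audit the constructed rule set as of a fixed review date."""
    return audit_ruleset(SAMPLE_RULES, today)


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name}: {finding}")
```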

78. Test Software Updates

I have experienced major issues after upgrading firewall software. If you can, I recommend a secondary firewall you can test upgrades on.

Switch & Router Network Security

This section is a list of network security recommendations for switches and routers. Most of these are from the Cisco IOS Hardening Guide and the CIS Benchmarks.

79. Smart Net Total Care

If you have smart net contracts I recommend using SNTC. It will track your devices, contracts, Cisco IOS versions and provide security alerts on the products in your environment.


80. Enable AAA new model

Authentication, authorization, and accounting (AAA) provides a centralized service for managing and monitoring device access.

81. Set privilege 1 for local users

Setting the local user account to privilege 1 prevents unrestrained access. This will force the local user account to use the enable password when modifying the configuration.

82. Create Access Control List (ACL) for VTY lines

Creating an Access Control List for VTY lines limits what host or networks can connect to the device. You should limit the access to authorized devices for administrator use. Jim’s computer in the sales department does not need to SSH to a router so block it.

83. Set Transport input SSH for VTY Lines

This command will disable telnet on the VTY lines and only accept SSH connections.

84. Set password for enable secret

The enable secret password adds an additional layer of security for the enable password. This command will provide better security by storing the enable secret password using a nonreversible cryptographic function.

85. Enable service-password encryption

When this is not enabled, device passwords may be displayed in plain text in the configuration. Enabling it stores them in an obfuscated (type 7) format instead. Note that type 7 is reversible, so it only protects against casual viewing; use enable secret and username secret for the passwords that matter.

86. Set Banner Text

Banners are a message that displays when logging into a network device that provides notice of legal rights. This may be required by your organization, check with HR or your legal department.

87. Set username secret for all local users

Configure local users with username <name> secret rather than username <name> password, so the password is stored as a one-way hash instead of a reversible type 7 string. This provides additional security for local user accounts.

88. AutoSecure Command

This single command is a quick way to secure a router configuration. This command enhances the security of a router by auto configuring many security settings that would otherwise take many commands to configure. More details on the AutoSecure command are in the Cisco Security Configuration guide.

89. Use Port Security

Port security limits the number of MAC addresses on a switch port. This can be used to automatically shut down ports that detect multiple MAC addresses. For example, a user brings in a hub and plugs it into the port in their office. With port security, the port would detect multiple MAC addresses and shut down.

90. Use 2048 or greater for crypto key

When creating an RSA key pair you should use at least 2048 bits.

91. Disable Unused Services

A security best practice is to disable any unneeded service. Here are some Cisco recommendations; you will need to determine whether you use any of these services.

  • bootp server (issue the no ip bootp server command)
  • DHCP services (issue no service dhcp command)
  • Packet Assembler/Disassembler (PAD) service (issue no service pad command)
  • Finger service (issue no ip finger command)
  • Maintenance Operation Protocol (MOP) service. (issue no mop enabled command)
  • Domain Name resolution server. (issue no ip domain-lookup command)
  • HTTP server. (issue no ip http server command)
  • no service config command. This prevents Cisco IOS from attempting to locate a config file from a TFTP server
  • Link Layer Discovery Protocol (Issue the no lldp transmit and no lldp receive command)

92. Disable CDP on Untrusted Connections

Cisco Discovery Protocol (CDP) is used to discover other CDP enabled devices on the network. It is considered a security risk because of the amount of information it can provide from queries. Cisco recommends disabling CDP on interfaces that connect to untrusted networks.

93. Logging Settings

Here are some recommended logging rules.

  • Set logging enable
  • Set buffer size: 64000
  • Set logging console to critical
  • Set IP address for logging host
  • Set logging trap to debugging or informational
  • Set service timestamps debug datetime
  • Set login success/failure logging

94. Set NTP to Authenticate

Require NTP authentication to ensure Cisco devices update from authorized NTP servers.

95. Create a Single Loopback Interface

Loopback interfaces are always up, whereas a physical interface can change state and become unreachable. The loopback interface can be used as the source and destination for management protocols such as SSH, SNMP, and Syslog.

96. Disable IP Source Routing

Unless a network depends on source routing, it should be disabled. IP source routing is enabled by default; it is disabled with the no ip source-route command.

97. Disable Proxy Arp

Proxy ARP is a service where a device connected to one network answers ARP requests that are addressed to a device from another network. Proxy ARP can break the LAN security perimeter and extend across multiple Layer 2 networks. Proxy ARP can also increase the amount of ARP traffic on the network.

98. Dynamic ARP Inspection

Dynamic ARP inspection validates ARP packets against the DHCP snooping binding table and drops those with invalid IP-to-MAC bindings, which mitigates ARP poisoning attacks.

99. Disable SSHv1

SSHv1 is considered to be insecure and should be disabled. It can be disabled with the ip ssh version 2 command. SSHv2 provides stronger encryption and authentication algorithms.

100. Authentication Fallback

When using AAA for authentication, ensure fallback authentication (for example, to the local user database) is configured in the event the AAA server is unreachable.
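Many of the items in this section (and #58 and #59 above) can be verified directly from a saved running-config, which is also how the benchmarks in #23 are typically audited. The script below is an added example, not part of the article or any Cisco or CIS tool: it parses a constructed running-config (hostname, addresses and hashes are placeholders) and reports which of these items are not met.

```python
"""Audit a Cisco IOS running-config against the switch and router items above.

Added example, not a Cisco or CIS tool: the running-config below is constructed
(hashes are placeholders) and the checks cover only the items in this section
plus #49, #58, #59 and #60.
"""
import re

SAMPLE_CONFIG = """\
version 15.2
service timestamps debug datetime msec
no service password-encryption
hostname SW-EXAMPLE
enable secret 5 $1$EXAMPLE$placeholderhash1
username admin privilege 15 secret 5 $1$EXAMPLE$placeholderhash2
username ops secret 5 $1$EXAMPLE$placeholderhash3
ip ssh version 2
ip http server
snmp-server community public RO
snmp-server community s3cretRO RO 10
logging host 10.2.4.50
logging trap informational
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
"""

# Global commands that must be present, with the item each one maps to.
REQUIRED_GLOBALS = [
    ("aaa new-model", "aaa new-model not enabled (#80)"),
    ("service password-encryption", "service password-encryption not enabled (#85)"),
    ("enable secret", "enable secret not set (#84)"),
    ("no ip source-route", "IP source routing still enabled (#96)"),
    ("ip ssh version 2", "SSHv1 still accepted (#99)"),
    ("ntp authenticate", "NTP authentication not enabled (#94)"),
    ("login block-for", "no lockout after failed logins (#58)"),
    ("logging host", "no syslog host configured (#93)"),
    ("banner", "no login banner (#86)"),
]
FORBIDDEN_GLOBALS = [("ip http server", "HTTP server enabled (#91)")]


def parse_config(text):
    """Return (global_lines, sections); sections maps a header such as
    'line vty 0 4' to its indented child commands."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections[current] = []
    return global_lines, sections


def audit_config(text):
    """Return a list of human-readable findings for one running-config."""
    global_lines, sections = parse_config(text)
    has = lambda prefix: any(line.startswith(prefix) for line in global_lines)
    findings = [msg for cmd, msg in REQUIRED_GLOBALS if not has(cmd)]
    findings += [msg for cmd, msg in FORBIDDEN_GLOBALS if has(cmd)]
    for line in global_lines:
        user = re.match(r"username (\S+) privilege (\d+)", line)
        if user and int(user.group(2)) > 1:          # #81: local users should be privilege 1
            findings.append(f"local user {user.group(1)} has privilege {user.group(2)} (#81)")
        snmp = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", line)
        if snmp and snmp.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community '{snmp.group(1)}' (#60)")
        elif snmp and snmp.group(3) is None:           # no ACL restricting the NMS
            findings.append("SNMP community without an ACL (#49)")
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = next((c for c in children if c.startswith("transport input")), "")
        if transport != "transport input ssh":       # #83: SSH only
            findings.append(f"{header}: transport input is not SSH-only (#83)")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{header}: no access-class ACL (#82)")
        timeout = next((c for c in children if c.startswith("exec-timeout")), "exec-timeout 10 0")
        minutes = int(timeout.split()[1])            # IOS default is 10 minutes; 0 means never
        if minutes == 0 or minutes > 10:
            findings.append(f"{header}: exec-timeout {minutes} minutes (#59)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of show running-config to get a quick list of the items in this section that still need attention on a given device.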

Conclusion

As you can see network security is complex and covers many areas of computer networking. Good network security is more than just securing a switch or router, you must use many layers of security to mitigate security threats.

Network security best practices are not a one size fits all, this is because all organizations and networks are different. You will need to review the best practices and determine what is best for your organization. If you are audited you may be required to follow one of the security frameworks such as NIST or PCI.

What network security tips do you have? Let me know in the comments below.

Recommended Tool: SolarWinds Network Performance Monitor (NPM)

SolarWinds NPM is a powerful and easy-to-use software that can help you monitor, troubleshoot, and optimize your network performance.

Reduce network downtime, monitor network performance and availability, discover and map your network devices, analyze network capacity and hardware health, and much more.

You can start a free trial of NPM today and see for yourself how it can help you monitor your network more effectively. Just click on the link below to download NPM and get started.
