There’s no single step you can take for total network protection. Even after following every best practice, there are still going to be zero-day exploits, undiscovered tactics, and the margin for error (misconfiguration, stale access rules, etc.).
While network protection is a never-ending effort, here are some baseline requirements that you can immediately address with your team.
Note: These tips are still just a starting point. You’ll need to dig deeper for the best protection.
Observability.
Where is your inbound traffic coming from today? Where is your outbound traffic going? Have these traffic patterns changed recently? Observe and monitor inbound and outbound traffic. Familiarity with your network traffic’s shape, cadence, and structure is essential to understanding what is anomalous or expected.
Ingress and Egress.
Network appliances including switches, routers, and firewalls handle bidirectional traffic. Ensuring ACLs (Access Control Lists) are in place to manage what you are expecting inbound as well as outbound is very important. Consider a proxy or outbound filter for egress traffic.
Application Inventory.
An application inventory is a baseline requirement for many next-level security controls. You need to know, with 100% confidence, what is running on your network. Tools to monitor applications on your network are plentiful and will largely depend on the type of architecture you have deployed. Environments with large Microsoft deployments would be well served by something like InTune or SCCM. For environments that are heavy Linux, you may benefit from a tool such as Satellite for Red Hat or Landscape for Ubuntu. These tools will enable you to see what is running in your environment and will set you up to understand the type of network traffic expected. They’re also a great start to architecting a disaster recovery plan.
Patching.
One of the biggest challenges IT organizations face is patching. There are endless numbers of patches to be applied at all levels of the infrastructure stack. Don’t skimp on them or prioritize other actions. OS tools are and will continue to be compromised regularly. Stay on top of patching to prevent known aspects of your OS and applications from becoming a problem.
Geo-blocking.
Geo-blocking is a system used to limit access to the internet based on geographic location. Geo-blocking IP addresses is not a definitive protection step, but it can be helpful in blocking more amateur attacks. A malicious attack is as likely to occur from within your country as it is from outside. When used in combination with other layers outlined here, geo-blocking is a useful tool — especially in removing traffic that you know is not applicable to your business.
IDS/IPS.
IDS/IPS: easy to purchase and turn on, yet extremely difficult to properly configure and manage. Be sure you have someone on staff (either FTE or a trusted advisor) who knows what they’re looking at from the IDS/IPS system and can interpret its potential impact on your systems and business. For instance, it’s common to find application environments/servers executing HTTP, FTP, and other protocols that they’re not expected or supposed to be executing.
Backup & Recovery.
You should have a well-defined backup and recovery plan, including air-gapped backups, immutable data environments, and 24x7x365 support that is ready, willing, and most importantly able to failover or re-establish production environments should something go wrong.
It’s important to remember this is not a comprehensive list of steps or actions. It would be in your best interest to look at a framework to align to. There are many out there, and depending on your industry, there’s likely one built just for you.
If you are not sure where to begin, please reach out. We’d be happy to have a conversation that puts you on the proper path.
