Network infrastructure Security refers to the safeguarding of the interconnected devices on an enterprise’s premises and within its network that are designed to be a medium of communications necessary for applications, data services, and multimedia. This may include but are not limited to networking hardware such as routers, switches or LAN cards, networking software such as firewalls and security applications, and network services such as DSL and satellite wireless protocols.
The following are the protective measures and approaches that the CISA recommends:
1. Segment and segregate networks and functions
Infrastructure layout involves the proper segmentation and segregation of data. This is an effective security mechanism that restricts potential intruder exploits from breaching other parts of the internal network. One way of segregating is using hardware such as routers that can partition networks by creating boundaries, filtering broadcast traffic. Furthermore, these smaller segments can constrain traffic or can be shut down upon discovery of an attack. Virtual segregation is a lot like physically segregating a network with routers but without the required hardware.
2. Limit unnecessary lateral communications
Filtering peer-to-peer communications within a network is crucial in limiting the movement of intruders from computer to computer. By inhibiting their movement, attackers will be constrained in establishing persistence in the target network by installing applications or embedding backdoors, or other malicious tactics to carry out their planned data breach.
3. Harden network devices
Hardening network devices refers to the process of eliminating attacks by patching vulnerabilities, de-activating non-essential services, and configuring systems with robust security measures like password management, permissions, and disabling unused network ports. Doing this enhances network infrastructure security. Enterprises must adhere to industry standards and best practices about network encryption, securing access, using strong passwords, restricting physical access, safeguarding routers, backing up configurations and regularly testing security settings.
4. Secure access to infrastructure devices
The principle of least privilege (PoLP) refers to the concept of granting the minimum levels of access or permissions that a user needs to perform his/her job functions. Doing this strategically limits access to sensitive system features, applications, files, and data and also includes limiting user accounts to those needed to carry out legitimate operations and removing accounts that are no longer required. Administrative privileges are granted to allow only trusted users to access resources. Additional security measures include implementing multi-factor authentication (MFA), managing privileged access, and managing administrative credentials.
5. Perform out-of-band (OoB) network management
Out-of-band (OoB) management refers to the use of management interfaces (or serial ports) for managing and networking equipment.
OoB allows network operators to establish trust boundaries in accessing the management function to apply it to network resources and can be used to ensure connectivity, independent of the status of other in-band network components. By using dedicated communications paths to manage network devices remotely, network security is strengthened through the segregation of user traffic from management traffic.
6. Validate integrity of hardware and software
IT needs to be wary of gray market products as these products, although sold legally but outside of a brand’s permission, are often a vector for attacks into a network. Products sold outside the authorized channels can be pre-loaded with malicious software waiting to breach an unsecured network. One way of mitigating this risk is by regularly performing integrity checks on enterprise devices and software.
Network infrastructure devices are ideal targets for malicious cyber actors because most or all organizational and customer traffic must pass through them. This makes it all the more important that organizations exercise due diligence in updating their systems and using encrypted protocols for managing hosts and services.