Advanced configuration of network devices

It is important to consider all the current threat actors and future threat actors when designing an enterprise network. Networks are complex and need thorough planning to properly mitigate against known threats and future unknown threats. Advanced tools to detect and mitigate these threats are covered in Chapter 2, Integrating Software Applications into the Enterprise, of the book. Baseline configuration guides (government/DoD networks use STIGs,) are essential, along with a configuration policy. Routers, switches, and other core network components should be compliant before being placed into a production/live environment.

Transport security

It is important when remotely configuring services and hardware over the network that all connections are encrypted and authenticated. Many organizations use the Zero Trust model, ensuring all network connections and actions must be validated.

SSH is recommended for accessing network appliances and services across the network.

Tip

When using SNMP for monitoring and management, it is important to ensure support for version 3 (v3), with full support for encryption and authentication.

Port security

Port security means restricting access to network ports using a combination of disabling unused network ports and deploying ACLs on network appliances.

On a layer 2 device, such as a Wi-Fi AP or switches, we can restrict access based on MAC addresses, and we can enable port security on a per-port basis.

There are two different approaches to restricting access to ports, as outlined here:

• Dynamic locking: You can specify the maximum number of MAC addresses that can be associated with a port. After the limit is reached, additional MAC addresses are not added to the CAM table; only the frames with allowable-source MAC addresses are forwarded.

Cisco refers to these dynamic addresses as sticky secure MAC addresses.

• Static locking: You can manually specify a list of MAC addresses for a port.

Figure 1.30 shows a MAC filter on a wireless AP:

Figure 1.30 – Wireless ACL

Restrictions can be implemented using either the whitelisting or blacklisting of MAC addresses.

Route protection

It is important to ensure network traffic flow is protected. Routers will send neighbors route updates using common dynamic routing protocols. If these routes are poisoned or tampered with, this could allow an attacker to route all traffic through an MITM exploit, sniffing all network traffic. Data could be sent through an endless series of loops, causing a DoS exploit. To prevent these types of attacks, we should ensure we adopt the following practices:

• Network devices are configured using an approved baseline.
• Routing updates should only be accepted after a secure authentication handshake.
• We should avoid the use of less secure routing protocols (such as RIP).
• Disable unnecessary management interfaces.

Distributed DoS protection

Distributed DoS (DDoS) attacks can cause major availability issues for an enterprise, often resulting in costly outages and disaffected customers. Recent attacks have seen traffic volumes of over 2.5 terabytes per second (Tbps) directed at a target organization. In 2017, Google was targeted in an attack that resulted in spoofed Domain Name System (DNS) requests being sent to 180,000 DNS servers. The resulting traffic was directed at Google infrastructure services. The following screenshot shows high levels of ingress traffic:

Figure 1.31 – DDoS attack traffic

DDoS mitigation is used to describe the process of guarding applications or networks against a DDoS attack. We can configure rules on our edge routers or work with our ISP to deliver this mitigation.

ISPs will incorporate these services into the services that their customers are using, or this may be an additional chargeable service.

Remotely triggered black hole

Remotely triggered black hole (RTBH) is a technique documented in IETF RFCs 5635 and 3882. RTBH filtering is a popular and effective technique for the mitigation of DoS attacks.

Often, a DDoS attack will overwhelm security devices on the enterprise perimeter. To thwart this type of attack, the customer will have an arrangement with their ISP. When a threshold is reached, a rule is triggered that sends an authorized route update to the ISP routers. The rule will automatically drop all traffic intended for the customer's internet-facing service. The ISP can then begin to identify the attack and look to block the malicious traffic. When this is done, the normal routing will be put back in place. The process is illustrated in the following diagram:

Figure 1.32 – RTBH

Blackhole used for DDOS mititigation can also be referred to as sinkholes.