Securing the network infrastructure

New guidance issued by the National Security Agency

Network environments are constantly evolving in response to new technologies, vulnerabilities and defences. While all networks face the danger of intrusion, network administrators can considerably reduce the likelihood of an intrusion, and limit its potential effect should a compromise occur, by hardening and securing their network.

According to a press release issued by the National Security Agency (NSA) on 1 March 2022, the agency has produced a cybersecurity technical study, its Network Infrastructure Security Guidance, which sets out network infrastructure best practices. The NSA's technical recommendations build upon existing best practice and incorporate ‘zero trust’, ‘defence in depth’ and ‘least privilege access’ among other key security principles. The guidance therefore goes hand in hand with other security standards such as the Center for Internet Security (CIS) Top 18, ISO 27002 and COBIT 5; the main difference is that the NSA guidelines go into more detail on the actual technical implementation performed by security administrators.

The NSA notes that a full network compromise typically stems from issues such as improper configuration, incorrect handling of configurations and weak encryption keys, which then expose vulnerabilities across the entire network. The guidance highlights the critical role of the administrator and of a dedicated team of IT and security professionals. These functions are pivotal in securing the network against adversarial techniques, as they help secure the devices, applications and information on the network.

The key principles listed in the NSA Network Infrastructure Security Guidance are:

1. Network Architecture and Design

One of the key principles when designing and implementing a network architecture is to follow a ‘defence in depth’ approach. Security best practices and zero trust principles should be adopted for both network perimeter and internal devices. When designing the external network perimeter it is important to keep in mind the following security best practices:

  • Install perimeter and internal defence devices
    These include border routers, multiple layers of firewalls, network monitoring solutions, remote log servers and redundant devices to ensure availability.
  • Group similar network systems
    Similar systems within a network should be logically grouped together to protect against adversarial lateral movement from other types of systems.
  • Remove backdoor connections
    If a backdoor connection to a device is compromised, an adversary can use this connection to bypass access restrictions and gain access to other areas of the network.
  • Utilise strict perimeter access controls
    If firewalls and perimeter routers are not configured with adequate network security policies, they will permit unnecessary access to or from the internal network and increase the risk of network compromise and information gathering.
  • Implement a network access control (NAC) solution
    A NAC solution prevents unauthorised physical connections and monitors authorised physical connections on a network.
  • Limit and encrypt virtual private networks (VPNs)
    VPN gateways tend to be accessible from the Internet and are prone to network scanning, brute force attempts and zero-day vulnerabilities. To mitigate many of these vulnerabilities, administrators should disable all unneeded features and implement strict traffic filtering rules for traffic flowing to VPN gateways.

2. Security Maintenance

Security maintenance is key to limiting the possibility of publicly known vulnerabilities being present on an organisation’s hardware and software. Security maintenance should be performed on a regular basis to ensure devices continue to operate securely. Key activities include:

  • Verify software and configuration integrity
    The NSA recommends verifying the integrity of operating system files installed and running on devices by comparing the cryptographic hash of each file with the known good hash published by the vendor.
  • Maintain proper file system and boot management
  • Maintain up-to-date software and operating systems
    Maintaining up-to-date operating systems and stable software protects against critical vulnerabilities and security issues that have been identified and fixed in newer releases.
  • Stay current with vendor-supported hardware
    Vendors eventually stop supporting specific hardware platforms and, if a failure occurs, these end-of-life devices cannot be serviced.
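The integrity check described above, as an added example (not code from the NSA guidance or from PwC): the file is hashed in chunks, the vendor-published value is compared in constant time, and a tampered copy fails the check. The "image" and its known good hash are constructed inline for the demonstration; in practice the expected hash comes from the vendor's signed release notes or download page.

```python
import hashlib
import hmac
import os
import tempfile

# CONSTRUCTED sample: a small byte string stands in for an operating system
# image, and the "known good" hash is derived from the genuine content. In
# production this value is the one published by the vendor, not computed locally.
GENUINE_IMAGE = b"router-os-image v1.2.3 (constructed sample, not real firmware)\n"
KNOWN_GOOD_SHA256 = hashlib.sha256(GENUINE_IMAGE).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, expected_sha256):
    """True only if the file's SHA-256 matches the vendor-published value.

    The published value is normalised (case, surrounding whitespace) so a
    copy/paste difference does not cause a spurious mismatch, and the comparison
    is constant-time so it does not reveal where two digests diverge."""
    expected = expected_sha256.strip().lower()
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def demo():
    """Write a genuine and a tampered image to a temp dir and check both."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "image-good.bin")
        bad = os.path.join(workdir, "image-tampered.bin")
        with open(good, "wb") as fh:
            fh.write(GENUINE_IMAGE)
        with open(bad, "wb") as fh:
            # a single altered byte produces an entirely different digest
            fh.write(GENUINE_IMAGE[:-2] + b"X" + GENUINE_IMAGE[-1:])
        return (
            verify_image(good, KNOWN_GOOD_SHA256),
            verify_image(bad, KNOWN_GOOD_SHA256),
            verify_image(good, "  " + KNOWN_GOOD_SHA256.upper() + "\n"),  # formatting differences tolerated
        )


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The same routine applies to a saved running configuration: hash the known good configuration after each approved change and compare it on a schedule, so an unapproved edit shows up as a digest mismatch rather than going unnoticed.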

3. Authentication, Authorisation and Accounting

Implementing centralised Authentication, Authorisation and Accounting (AAA) servers and configuring them properly makes the environment more challenging for an adversary to compromise, since credentials are not stored directly on devices. This can be achieved by:

  • Implement centralised servers
    The NSA recommends implementing at least two AAA servers on the network to ensure availability and to assist with the detection and prevention of adversary activities.

  • Configure authentication
    All devices should be configured to use the centralised servers for AAA services first, and local administrator accounts as a backup method only if all the centralised servers are unavailable.

  • Configure authorisation
    The NSA recommends adequately restricting what legitimate administrators are authorised to execute, to prevent an adversary from performing unauthorised actions with a compromised account.

  • Configure accounting
    System configuration changes should be centrally recorded, and a process must be implemented to periodically review these records to detect potential malicious activity.

  • Apply the principle of least privilege
    Many common tasks, such as viewing the status of network interfaces or reviewing routing tables, do not require privileged access. To implement least privilege, administrators should initially log in with the lowest privilege level necessary. This provides an additional layer of security that an adversary must circumvent to fully compromise a device. It also prevents administrators from inadvertently making configuration changes to a device.

  • Limit authentication attempts
    Limiting the number of authentication attempts and introducing a login delay prevents an adversary from performing brute force password cracking against a device in an attempt to obtain access.
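The authentication order and attempt limiting described in this section, as an added example that is not part of the NSA guidance or PwC's text: a device consults its centralised AAA servers in turn, falls back to a local account only when every server is unreachable, and locks an account after a fixed number of consecutive failures. The `SimulatedAAAServer` class, the `DeviceLogin` policy and every credential in `scenario()` are constructed for the demonstration; the simulated servers hold credentials in the clear purely to keep the example short.

```python
import time


class AAAServerUnavailable(Exception):
    """Raised when a simulated centralised AAA server cannot be reached."""


class SimulatedAAAServer:
    """Stand-in for a RADIUS/TACACS+ server (constructed for this example).
    Credentials are held in the clear only because this is a simulation."""

    def __init__(self, name, credentials, reachable=True):
        self.name = name
        self.credentials = credentials
        self.reachable = reachable

    def check(self, username, password):
        if not self.reachable:
            raise AAAServerUnavailable(self.name)
        return self.credentials.get(username) == password


class DeviceLogin:
    """Login policy for one network device:
    - centralised servers are consulted in order and the first reachable one decides;
    - local accounts are used only when every centralised server is unreachable;
    - after max_attempts consecutive failures the account is locked for lockout_seconds."""

    def __init__(self, aaa_servers, local_accounts, max_attempts=3,
                 lockout_seconds=60, clock=time.monotonic):
        self.aaa_servers = aaa_servers
        self.local_accounts = local_accounts  # hypothetical local backup store (simulation only)
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable so lockout expiry can be tested
        self._failures = {}                   # username -> consecutive failed attempts
        self._locked_until = {}               # username -> clock value when the lock expires

    def login(self, username, password):
        if self._locked_until.get(username, 0.0) > self.clock():
            return ("locked", None)           # refused without consulting any credential store
        for server in self.aaa_servers:
            try:
                ok = server.check(username, password)
            except AAAServerUnavailable:
                continue                      # try the next centralised server
            return self._record(username, ok, server.name)
        # every centralised server was unreachable: the local account is the backup
        ok = self.local_accounts.get(username) == password
        return self._record(username, ok, "local")

    def _record(self, username, ok, source):
        if ok:
            self._failures.pop(username, None)
            return ("ok", source)
        count = self._failures.get(username, 0) + 1
        if count >= self.max_attempts:
            self._failures.pop(username, None)
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return ("locked", source)
        self._failures[username] = count
        return ("denied", source)


def scenario():
    """Walk through failover and lockout with a controllable clock."""
    clock = [0.0]
    primary = SimulatedAAAServer("aaa-primary", {"netops": "pw-primary"})
    secondary = SimulatedAAAServer("aaa-secondary", {"netops": "pw-primary"})
    device = DeviceLogin([primary, secondary], {"local-admin": "pw-local"},
                         clock=lambda: clock[0])
    results = [device.login("netops", "pw-primary")]          # ("ok", "aaa-primary")
    primary.reachable = False
    results.append(device.login("netops", "pw-primary"))      # ("ok", "aaa-secondary")
    results.append(device.login("local-admin", "pw-local"))   # ("denied", "aaa-secondary"): local store not consulted while a server answers
    secondary.reachable = False
    results.append(device.login("local-admin", "pw-local"))   # ("ok", "local")
    for _ in range(3):
        results.append(device.login("local-admin", "wrong"))  # denied, denied, locked
    results.append(device.login("local-admin", "pw-local"))   # ("locked", None) even with the right password
    clock[0] += 61
    results.append(device.login("local-admin", "pw-local"))   # ("ok", "local") once the lock has expired
    return results


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

The third step is the point of the "backup method only" rule: while any centralised server still answers, a local account does not work at all, so an adversary cannot sidestep central policy by targeting a device's local credentials.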

4. Administrator Accounts and Passwords

The NSA provides detailed guidance on the best ways to manage and store credentials such as usernames and passwords. The guidelines here primarily focus on local accounts and passwords, which may be required should a centralised AAA solution fail:

  • Use unique usernames and account settings

  • Change default passwords

  • Remove unnecessary accounts

  • Employ individual accounts to enforce accountability

  • Store passwords with secure algorithms

  • Create strong passwords
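Storing passwords with a secure algorithm, as an added example (not part of the NSA guidance or of PwC's text): each record carries its own random salt and work factor, verification uses a constant-time comparison, and a helper flags records that need re-hashing because they use a legacy unsalted digest or a work factor below the current policy. The record format and the `PBKDF2_ITERATIONS` policy value are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import re

# Policy for newly created hashes (assumed value; raise it over time and
# re-hash existing records on the user's next successful login).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Bare 32-hex-character digests are the shape of an unsalted MD5 store,
# the kind of legacy record that should be migrated.
LEGACY_UNSALTED = re.compile(r"^[0-9a-f]{32}$")


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; the record is self-describing."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${_b64(salt)}${_b64(derived)}"


def verify_password(record, password):
    """Constant-time check of a candidate password against a stored record.
    Malformed or legacy records never verify, so they cannot be used to log in."""
    try:
        scheme, iterations, salt_b64, derived_b64 = record.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True for a legacy unsalted digest, an unknown format, or a work factor below policy."""
    if LEGACY_UNSALTED.match(record):
        return True
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return True
    try:
        return int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"), needs_rehash(record))
```

Because the iteration count travels with the record, the policy constant can be raised without invalidating anyone's login: old records still verify, `needs_rehash` reports them, and they are replaced the next time the user authenticates successfully.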

5. Remote Logging and Monitoring

Logging and monitoring provide administrators with visibility into network security events. This allows them to review event information for suspicious activity and investigate any security incidents. Logging should be enabled on all (or at least all critical) network devices, with the generated logs shipped to a centralised remote log server.

This information needs to be cleaned so that unnecessary information does not prevent critical data from being identified. It is also important to synchronise device clocks: this is critical to ensure that log message timestamps can be easily correlated across geographically dispersed time zones and used to trace a network incident from one device to another. The NSA recommends that each device and the remote log servers use at least two trustworthy and reliable time servers to ensure the accuracy and availability of information. Internal time servers should be established as the primary source for all devices, and should in turn synchronise with authoritative external sources.
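Why clock synchronisation and zone-aware timestamps matter when correlating logs, as an added example (not part of the NSA guidance or PwC's text): the collector parses RFC 5424-style headers, converts every timestamp to UTC before sorting, and sets aside any line whose device emitted a timestamp with no zone, since such an event cannot be placed on a shared timeline. The sample log lines, host names and addresses are constructed for the demonstration.

```python
import re
from datetime import datetime, timezone

# CONSTRUCTED sample: one incident seen by three devices that ship logs to a
# central collector. The VPN gateway logs in UTC, the internal firewall in
# local time (+01:00), and a core switch with no working time source emits a
# timestamp with no zone at all. Headers follow the RFC 5424 layout.
SAMPLE_LOGS = [
    "<190>1 2022-03-01T09:15:02.120+01:00 fw-internal-01 fw - - - deny tcp 203.0.113.9:51000 -> 10.1.5.5:22",
    "<190>1 2022-03-01T08:14:59.500+00:00 vpn-gw-01 vpn - - - auth failure for user admin from 203.0.113.9",
    "<190>1 2022-03-01T08:15:10.000+00:00 vpn-gw-01 vpn - - - auth failure for user admin from 203.0.113.9",
    "<190>1 2022-03-01T10:15:03 core-sw-01 sw - - - port Gi1/0/7 link down",
]

HEADER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")


def parse_line(line):
    """Return (utc_datetime, host, rest), or None when the line cannot be correlated."""
    match = HEADER.match(line)
    if not match:
        return None
    # 'Z' is valid RFC 5424 but older datetime.fromisoformat versions reject it
    stamp = match.group("ts").replace("Z", "+00:00")
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return None
    if when.tzinfo is None:
        return None  # naive timestamp: the device's zone is unknown, so its place on the timeline is unknown
    return (when.astimezone(timezone.utc), match.group("host"), match.group("rest"))


def build_timeline(lines):
    """Merge lines from many devices into one UTC-ordered timeline.
    Returns (events, uncorrelated) where events are (utc_iso, host, message)."""
    events, uncorrelated = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            uncorrelated.append(line)
        else:
            events.append(parsed)
    events.sort(key=lambda event: event[0])
    return [(when.isoformat(), host, rest) for when, host, rest in events], uncorrelated


if __name__ == "__main__":
    timeline, leftovers = build_timeline(SAMPLE_LOGS)
    for when, host, rest in timeline:
        print(when, host, rest)
    print("uncorrelated:", leftovers)
```

Sorted by the raw text, the firewall's 09:15 entry would appear last; in UTC it sits between the two VPN failures, which is the order an investigator needs. The switch line is reported separately rather than silently dropped or guessed into a zone.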

6. Remote Administration and Network Services

The NSA describes numerous ways administrators can secure remote administration and network services. These include:

  • Disabling of clear text administration services

  • Ensuring adequate encryption strength

  • Utilisation of secure protocols

  • Limiting access to services

  • Setting acceptable timeout periods

  • Enabling TCP keep-alive

  • Disabling outbound connections

  • Removing SNMP read-write community strings

  • Disabling unnecessary network services and discovery protocols

7. Routing

Routing is critical to forwarding data between computers and networks. Improper configuration of routing devices could allow adversaries to redirect data to a different destination and therefore allow sensitive data to be collected and stolen. Key items to keep in mind when configuring routing devices include:

  • Disable IP source routing
    Combined with IP address spoofing, an adversary can use the IP source routing feature to bypass ACLs and other network restrictions, essentially choosing its own network path.

  • Enable unicast reverse-path forwarding (uRPF)
    This is a method of protection against IP spoofing that instructs a router to examine both the source and destination addresses in the packet.

  • Enable routing authentication
    To control the flow of traffic, an adversary may inject, modify or corrupt the routing information sent and received by neighbouring devices. To prevent route manipulation, routing authentication should be enabled to ensure that the routing information received from neighbouring devices has not been manipulated by an untrusted source.
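How the uRPF check above reasons about a packet's source address, as an added, simplified model that is not taken from the NSA guidance, from PwC or from any vendor's implementation: the router looks up the route back to the packet's source and, in strict mode, only accepts the packet if that route points out the interface the packet arrived on; loose mode only requires that some route exists. The routing table, interface names and addresses are constructed, and the treatment of the default route (ignored unless explicitly allowed) is an assumption chosen to show why a bare default route is not a useful reverse path.

```python
import ipaddress

# CONSTRUCTED routing table for a small edge router: (prefix, egress interface).
# Gi0/0 faces the Internet via the default route; Gi0/1 and Gi0/2 face internal subnets.
ROUTING_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "Gi0/1"),
    (ipaddress.ip_network("10.2.0.0/16"), "Gi0/2"),
    (ipaddress.ip_network("10.2.50.0/24"), "Gi0/1"),  # more specific route out a different interface
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),
]


def lookup(address, allow_default=False):
    """Longest-prefix match. The default route only counts when allow_default is set,
    because "somewhere out the Internet" says nothing about whether a source is genuine."""
    addr = ipaddress.ip_address(address)
    candidates = [(net, iface) for net, iface in ROUTING_TABLE if addr in net]
    if not allow_default:
        candidates = [(net, iface) for net, iface in candidates if net.prefixlen > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda entry: entry[0].prefixlen)


def urpf_permits(src, ingress, mode="strict", allow_default=False):
    """Decide whether a packet with source `src` arriving on `ingress` passes uRPF."""
    route = lookup(src, allow_default)
    if route is None:
        return False                 # no return path at all: the source cannot be reached, so drop
    if mode == "loose":
        return True                  # some route exists; tolerates asymmetric paths
    return route[1] == ingress       # strict: return path must leave by the arrival interface


def scenario():
    """Representative decisions, including the two cases that catch operators out."""
    return {
        "internal source on its own interface (strict)": urpf_permits("10.1.5.5", "Gi0/1"),
        "internal source arriving from the Internet (strict)": urpf_permits("10.1.5.5", "Gi0/0"),
        "asymmetric path (strict)": urpf_permits("10.2.50.9", "Gi0/2"),
        "asymmetric path (loose)": urpf_permits("10.2.50.9", "Gi0/2", mode="loose"),
        "Internet source, default route ignored (strict)": urpf_permits("198.51.100.7", "Gi0/0"),
        "Internet source, default route allowed (strict)": urpf_permits("198.51.100.7", "Gi0/0", allow_default=True),
    }


if __name__ == "__main__":
    for case, permitted in scenario().items():
        print(f"{'permit' if permitted else 'drop  '}  {case}")
```

The second case is the spoofing protection the text refers to: a packet claiming an internal source but arriving from the Internet-facing interface is dropped. The asymmetric case shows the operational caveat: strict mode on an interface where return traffic legitimately takes a different path will drop real traffic, which is when loose mode is the right choice.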

8. Network Ports

The interface ports of network switches physically connect workstations, servers and other devices to the network. In order to exploit such interfaces, an adversary must obtain physical access to the network or use a system or communication method that is already established on the network. Properly configured interface ports can prevent an adversary from performing exploitation attempts against the network. Key configurations include:

  • Disabling dynamic trunking
  • Enabling port security
  • Disabling default VLAN
  • Disabling unused ports
  • Disabling port monitoring
  • Disabling proxy Address Resolution Protocol (ARP)

Contact us

Michel Ganado

Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Kirsten Cremona

Senior Manager, Advisory, PwC Malta

Tel: +356 7975 6911