My network is installed and running, now what?
You wouldn’t believe how much functionality, much of it defined in IEEE standards, vendors pack into modern switches. You also wouldn’t believe how often the options meant to harden and protect your network infrastructure go unimplemented. (Disclaimer: turning on some of these options can affect the availability of your network and should be planned accordingly.)
An oldie, but goodie – Spanning Tree
One IEEE standard, Spanning Tree Protocol (STP, IEEE 802.1D), is one of the most misunderstood and under-optimized protocols I have personally run across when reviewing a network. It first became a standard in 1990 to prevent loops in a switched network. Some vendors ship with the basics of STP enabled, while others ship with it disabled. Whether or not it is running right off the bat, and whatever version it is, here are some easily overlooked guidelines to follow and options to enable.
- Manually set the root bridge priority on a switch of your choosing. The lowest priority value wins the election, so give your intended root the lowest value and a designated backup the next lowest. The last thing you want is some old switch under someone’s desk being elected the root bridge because everything else was left at the default.
- BPDU guard (Cisco) / BPDU protection (HP) – enable this on ports configured as edge ports for end devices such as printers and PCs. If any BPDU (Bridge Protocol Data Unit) arrives on such a port, whether from another switch someone plugged in or from a dumb hub looped back on itself, the port is shut down rather than being allowed to participate in spanning tree. A tripped port stays down until someone intervenes, so pair it with an error-disable recovery timer or a documented re-enable procedure.
- Other notable items are root guard, which enforces root bridge placement by blocking any port on which a superior BPDU is received, and loop guard, which keeps a blocking port from transitioning to forwarding when BPDUs stop arriving, as happens with a unidirectional link caused by a hardware failure.
Because spanning tree convergence after a network failure takes time, one current networking trend is to eliminate loops as much as possible, using various technologies (link aggregation, for example) that add loop-free redundancy and increase throughput. I’ll address these technologies in a future blog entry.
Did I secure my network devices as much as I think I did?
Network infrastructure security, as you may already know, gets far more complex than applying a strong password to every device. Some organizations go as far as building an out-of-band management network. At the very minimum, however, here is a checklist of items to pursue when hardening your network. Some of them may require an outage period or, at the very least, a change window.
- Disable unencrypted forms of management access such as telnet and HTTP. Enable SSHv2 and HTTPS (TLS 1.2 or later), and explicitly disable SSHv1 where the platform still offers it.
- Authenticate administrative access against a centralized user database, e.g., Active Directory via TACACS+ or RADIUS, keeping local accounts only as a break-glass fallback. Log changes (command accounting) if possible.
- Automate device configuration backups and notification of changes.
- Apply access lists (ACLs) so that management access is allowed only from authorized networks or devices, especially on perimeter devices. Perimeter devices should also carry ACLs that grant only the specific access they need; for example, BGP should be allowed only to and from authorized BGP peers.
- Disable services that are not needed. If you only use SSH to manage your devices, disable web/GUI access. Disable CDP or LLDP on interfaces facing untrusted networks, such as perimeter links.
- Configure Network Time Protocol (NTP) so that log timestamps are consistent across the organization.
- Configure logging, preferably to a central syslog server, so that logs survive a device reboot or compromise.
- Document your network and keep it up to date.
- Enable routing protocol authentication where supported, so that a rogue device cannot inject routes.
- Keep abreast of bugs and exploits in the firmware running on your devices (vendor security advisory lists are the usual source). Patch devices during your change management / outage windows.
- Audit firewall rules periodically to confirm the access is still needed, and remove rules as services are decommissioned.
- Have a trusted, second pair of eyes review the health and security posture of your network.
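As an added example (not part of the original post and not any vendor's tooling), here is a small Python audit that reads a Cisco IOS-style running configuration and flags the spanning tree items from the first section (an explicit root priority, BPDU guard on every PortFast edge port) together with the management-plane items from the checklist above (central AAA, no plaintext HTTP or telnet, SSHv2, NTP, remote syslog, and an access-class on the VTY lines). It assumes IOS syntax as produced by show running-config; the two sample configs are constructed for the example, and the `MGMT` access list the hardened one references is assumed to be defined elsewhere. The checks are plain keyword matching on well-known IOS commands, so treat it as a starting point for your own config review, not a substitute for the vendor's hardening guide.

```python
"""Added example: audit an IOS-style switch config for the STP and management items above."""
import re


def parse_ios_config(text):
    """Split IOS text into (top_level_lines, sections). Each section is a
    (header, child_lines) pair: a leading space marks block membership and a
    '!' or blank line closes the current block, as in show running-config."""
    top, sections, current = [], [], None
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
            top.append(current[0])
    return top, sections


def audit(text):
    """Return (code, message) findings; an empty list means every check passed."""
    top, sections = parse_ios_config(text)
    top_set, findings = set(top), []
    # Spanning tree: explicit root priority, BPDU guard on every PortFast (edge) port.
    if not any(re.match(r"spanning-tree (vlan \S+ |mst \S+ )?priority \d+", l) for l in top):
        findings.append(("STP-ROOT", "root bridge priority left at default"))
    guard_default = "spanning-tree portfast bpduguard default" in top_set
    for header, lines in sections:
        if not header.startswith("interface "):
            continue
        edge = any(l.startswith("spanning-tree portfast") for l in lines)
        guarded = ("spanning-tree bpduguard enable" in lines
                   or (guard_default and "spanning-tree bpduguard disable" not in lines))
        if edge and not guarded:
            findings.append(("STP-BPDUGUARD", f"{header}: edge port without BPDU guard"))
    # Management plane: central AAA, no plaintext protocols, NTP, syslog, VTY ACL.
    if "aaa new-model" not in top_set:
        findings.append(("AAA", "aaa new-model absent; admin logins not centrally authenticated"))
    if "ip http server" in top_set:
        findings.append(("HTTP", "plaintext HTTP management enabled"))
    if "ip ssh version 2" not in top_set:
        findings.append(("SSHV2", "SSH not pinned to version 2"))
    if not any(l.startswith("ntp server") for l in top):
        findings.append(("NTP", "no NTP server; log timestamps will drift between devices"))
    if not any(re.match(r"logging (host )?\d", l) for l in top):
        findings.append(("SYSLOG", "no remote syslog destination"))
    for header, lines in sections:
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in lines:
            findings.append(("TELNET", f"{header}: transport input not restricted to ssh"))
        if not any(l.startswith("access-class") for l in lines):
            findings.append(("MGMT-ACL", f"{header}: no access-class limiting management sources"))
    return findings


# Constructed sample configs, not taken from any real device. WEAK_CONFIG carries the
# defaults this post warns about; HARDENED_CONFIG the corrected settings.
WEAK_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/10
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 spanning-tree portfast
 spanning-tree bpduguard disable
!
ip http server
ip ssh version 2
!
line vty 0 4
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
aaa new-model
spanning-tree vlan 1-4094 priority 4096
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/11
 spanning-tree portfast
!
no ip http server
ip ssh version 2
ntp server 10.0.0.123
logging host 10.0.0.50
!
line vty 0 4
 access-class MGMT in
 transport input ssh
"""
# (MGMT is a standard ACL assumed to be defined elsewhere in the config.)

if __name__ == "__main__":
    for code, msg in audit(WEAK_CONFIG):
        print(f"[{code}] {msg}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against a saved running-config and the weak sample produces eight findings, including GigabitEthernet1/0/11, where a per-port `bpduguard disable` silently overrides the global `portfast bpduguard default`; GigabitEthernet1/0/10 is not flagged because the global default still covers it. The hardened sample comes back clean. Extend the keyword lists to your platform's syntax (HP, Juniper and others differ) before relying on it.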
In this day and age, Network Administrators are being asked to complete more and more tasks, but don’t necessarily have the time, the manpower, or the skill set to accomplish them all. Being so busy, it’s easy to turn network security and health into an afterthought. If you need assistance with identifying the latest network and security best practices, Peters & Associates can help! You can shoot us an email at firstname.lastname@example.org or give us a call at 630.832.0075. We’re happy to help.