Network
Security Checklist
Your business faces threats on many fronts, and the more users, devices, and applications you add, the more vulnerable your network becomes.
Network security is any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and stops them from entering or spreading on your network.
Network security combines multiple layers of defences at the edge and in the network. Each network security layer implements policies and controls. Authorized users gain access to network resources, but malicious actors are blocked from carrying out exploits and threats.
Digitization has transformed our world. How we live, work, play, and learn have all changed. Every organization that wants to deliver the services that customers and employees demand must protect its network. Network security also helps you protect proprietary information from attack. Ultimately it protects your reputation.
Major China manufacturers like Dahua, HikVision, Uniview are not impacted, from everything we have seen. We executed the proof of concept code from the disclosure on multiple devices and were unable to gain access using the backdoor.
The backdoor primarily impacts devices using HiSilicon SOC with Xiongmai
software, which is dozens of small OEM manufacturers, using minimally modified
OEM firmware, Open Source OS and drivers, and enabling telnet on port 9530.
For Firewalls
SL No |
Guidance |
Compliance |
1 |
Update the router to the latest firmware version. |
|
2 |
Disable ping (ICMP) response on WAN port. |
|
3 |
Disable UPnP (universal plug-and-play). |
|
4 |
Disable IDENT (port 113). |
|
5 |
Disable remote management of the router. |
|
6 |
Change the default administrator password. |
|
7 |
Enable stateful packet inspection (SPI). |
|
8 |
The settings for a firewall policy should be as specific as possible.
Do not use 0.0.0.0 as an address. |
|
9 |
Check for incoming/outgoing traffic security policy |
|
10 |
Check for firewall firmware / OS updates |
|
11 |
Allow only HTTPS access to the GUI and SSH access to the CLI |
|
12 |
Re-direct HTTP GUI logins to HTTPS |
|
13 |
Change the HTTPS and SSH admin access ports to non-standard ports |
|
14 |
Restrict logins from trusted hosts |
|
15 |
Set up two-factor authentication for administrators |
|
16 |
Create multiple administrator accounts |
|
17 |
Modify administrator account lockout duration and threshold values |
|
18 |
Create multiple administrator accounts |
|
19 |
Check if all management access from the Internet is turned off, if it
does not have a clear business need. At most, HTTPS and PING should |
|
20 |
Ensure that your SNMP settings are using SNMPv3 with encryption and configure
your UTM profiles |
|
21 |
All firewall policies should be reviewed every 3 months to verify the
business purpose |
|
For
Routers
SL No |
Guidance |
Compliance |
1 |
Do not use Default password for your router |
|
2 |
Check if the router block access to a modem by IP address |
|
3 |
Ensure that router admin gets an alert when a new device joins the
network |
|
4 |
Most routers let you disable UPnP on the LAN side |
|
5 |
Enable port forwarding and IP filtering for your router |
|
6 |
Check if the router supports HTTPs, in some routers it is disabled by
default |
|
7 |
If HTTPS is supported, can admin access be limited exclusively to
HTTPS? |
|
8 |
Check if the TCP/IP port used for the web interface can be changed |
|
9 |
To really prevent local admin access, limit the LAN IP address to a
single IP address that is both outside the DHCP range and not normally
assigned. |
|
10 |
Check if the admin access can be limited to Ethernet only |
|
11 |
Check if the router access can be restricted by SSID and/or by VLAN |
|
12 |
The router should not allow multiple computers to logon at the same
time using the same userid |
|
13 |
Check if there is some type of lockout after too many failed attempts
to login to the web interface |
|
14 |
Make sure the remote administration settings are turned off by default |
|
15 |
Check if the port number can be changed remotely |
|
16 |
If you forget to logout from the router, eventually your session
should time out, and, you should be able to set the time limit, the shorter,
the more secure |
|
17 |
Inbound WAN: What ports are open on the WAN/Internet side? The most
secure answer is none and you should expect any router not provided by an ISP
to have no open ports on the Internet side. One exception is old school
Remote Administration, which requires an open port. Every open port on the
WAN side needs to be accounted for, especially if the router was provided by
an ISP; they often leave themselves a back door. The Test your Router page
links to many websites that offer firewall tests. That said, none of them
will scan all 65,535 TCP ports or all 65,535 UDP ports. The best time to test
this is before placing a new router into service. |
|
18 |
Inbound LAN: What ports are open on the LAN side? Expect port 53 to be
open for DNS (probably UDP, maybe TCP). If the router has a web interface,
then that requires an open port. The classic/standard utility for testing the
LAN side firewall is nmap. As with the WAN side, every port that is open
needs to be accounted for. |
|
19 |
Outbound: Can the router create outgoing firewall rules? There are all
sorts of attacks that can be blocked with outgoing firewall rules. Generally,
consumer routers do not offer outbound firewall rules while business class
routers do. In addition to blocking, it would be nice if the blocks were
logged for auditing purposes. Note however, that devices connected to Tor or
a VPN will not obey the outbound firewall rules. |
|
For
Network Switches
SL No |
Guidance |
Compliance |
1 |
Check if the latest firmware is used. |
|
2 |
Check the switch's user guide's for security features and see if the
required ones have been implemented properly. |
|
3 |
Create an Enable Secret Password Encrypt Passwords on the device |
|
4 |
Use an external AAA server for User Authentication |
|
5 |
Create separate local accounts for User Authentication Configure
Maximum Failed Authentication Attempts |
|
6 |
Restrict Management Access to the devices to specific IPs only |
|
7 |
Enable Logging for monitoring, incident response and auditing. You can
enable logging to an internal buffer of the device or to an external Log
server. |
|
8 |
Enable Network Time Protocol (NTP) - You must have accurate and
uniform clock settings on all network devices in order for log data to be
stamped with the correct time and timezone. This will help tremendously in
incident handling and proper log monitoring and correlation. |
|
9 |
Restrict and Secure SNMP Access |
|
For
Linux Servers
SL No |
Guidance |
Compliance |
1 |
Update your package list and upgrade your OS |
|
2 |
Remove unnecessary packages |
|
3 |
Detect weak passwords with John the Ripper |
|
4 |
Verify no accounts have empty passwords |
|
5 |
Set password rules |
|
6 |
Set password expiration in login.defs |
|
7 |
Disable USB devices (for headless servers) |
|
8 |
Check which services are started at boot time |
|
9 |
Detect all world-writable files |
|
10 |
Configure iptables to block common attacks |
|
11 |
Set GRUB boot loader password |
|
12 |
Disable interactive hotkey startup at boot |
|
13 |
Enable audited to check for read/write events |
|
14 |
Secure any Apache servers |
|
15 |
Lock user accounts after failed attempts with Fail2Ban |
|
16 |
Set root permissions for core system files |
|
17 |
Keep watch for any users logging on under suspicious circumstances |
|
18 |
In case of remote access activity: Make sure that the suspicious
activity is flagged and documented |
|
19 |
Make sure that the Suspected account privileges temporarily frozen |
|
20 |
Make sure that there is a process in place for changing system
configurations |
|
21 |
Check that all system configuration changes are being recorded |
|
22 |
Ensure start-up processes are configured correctly |
|
23 |
Ensure regular users cannot change system startup configuration |
|
24 |
Remove unused software and services |
|
25 |
Review your server firewall security settings and make sure everything
is properly configured |
|
26 |
Make sure that membership to both the admin and superadmin group is
restricted to as few users as Possible without causing any problems |
|
For
Windows Servers
SL No |
Guidance |
Compliance |
1 |
Install the latest service packs and hotfixes from Microsoft |
|
2 |
Enable automatic notification of patch availability. |
|
3 |
Set minimum password length. |
|
4 |
Enable password complexity requirements. |
|
5 |
Do not store passwords using reversible encryption. (Default) |
|
6 |
Configure account lockout policy. |
|
7 |
Restrict the ability to access this computer from the network to
Administrators and Authenticated Users. |
|
8 |
Do not grant any users the 'act as part of the operating system'
right. (Default) |
|
9 |
Restrict local logon access to Administrators. |
|
10 |
Deny guest accounts the ability to logon as a service, batch job,
locally or via RDP |
|
11 |
Place the warning banner in the Message Text for users attempting to
log on. |
|
12 |
Disallow users from creating and logging in with Microsoft accounts. |
|
13 |
Disable the guest account. (Default) |
|
14 |
Require Ctrl+Alt+Del for interactive logins. (Default) |
|
15 |
Configure machine inactivity limit to protect idle interactive
sessions. |
|
16 |
Require the "Classic" sharing and security model for local
accounts. (Default) |
|
17 |
Do not allow any shares to be accessed anonymously. |
|
18 |
Restrict anonymous access to named pipes and shares. (Default) |
|
19 |
Do not allow any named pipes to be accessed anonymously. |
|
20 |
Do not allow everyone permissions to apply to anonymous users.
(Default) |
|
21 |
Do not allow anonymous enumeration of SAM accounts and shares. |
|
22 |
Do not allow anonymous enumeration of SAM accounts. (Default) |
|
23 |
Disable anonymous SID/Name translation. (Default) |
|
24 |
Configure Microsoft Network Server to digitally sign communications if
client agrees. |
|
25 |
Configure Microsoft Network Server to always digitally sign
communications. |
|
26 |
Disable the sending of unencrypted passwords to third party SMB
servers. |
|
27 |
Configure Microsoft Network Client to digitally sign communications if
server agrees. (Default) |
|
28 |
Configure Microsoft Network Client to always digitally sign
communications. |
|
29 |
Allow Local System to use computer identity for NTLM. |
|
30 |
Disable Local System NULL session fallback. |
|
31 |
Configure allowable encryption types for Kerberos. |
|
32 |
Do not store LAN Manager hash values. |
|
33 |
Set LAN Manager authentication level to only allow NTLMv2 and refuse
LM and NTLM. |
|
34 |
Configure file system as well as registry permissions. |
|
35 |
Ensure all volumes are using the NTFS file system. |
|
36 |
Configure user rights to be as secure as possible: Follow the
Principle of Least Privilege |
|
37 |
Disable or uninstall unused services. |
|
38 |
Configure log shipping (e.g. to Splunk). |
|
39 |
Configure Event Log retention method and size. |
|
40 |
Configure Policy Change audit policy & Privilege Use audit policy. |
|
41 |
Configure Logon/Logoff audit policy. |
|
42 |
Configure Account Management audit policy. |
|
43 |
Configure the number of previous logons to cache. |
|
44 |
Require strong (Windows 7 or later) session keys. |
|
45 |
Configure machine inactivity limit to protect idle interactive
sessions. |
|
46 |
Digitally encrypt or sign secure channel data (always). (Default) |
|
47 |
Configure Windows Firewall to restrict remote access services (VNC,
RDP, etc.) to the organization VPN or only networks. |
|
48 |
Configure the Windows Firewall in all profiles to block inbound
traffic by default. (Default) |
|
49 |
Enable the Windows Firewall in all profiles (domain, private, public).
(Default) |
|
50 |
Update and enable anti-spyware and antivirus software through Windows
update. |
|
51 |
Set the system date/time and configure it to synchronize against
Organization time servers. |
|
52 |
Disallow remote registry access if not required. |
|
53 |
If RDP is utilized, set RDP connection encryption level to high. |
|
54 |
Install software to check the integrity of critical operating system
files. |
|
55 |
Provide secure storage for Confidential (category-I) Data as required.
Security can be provided by means such as, but not limited to, encryption,
access controls, file system audits, physically securing the storage media,
or any combination thereof as deemed appropriate. |
|