Online Book Reader


CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [131]

systems, which are complex, to be easily installed and maintained in smaller networks.

The two most essential operational aspects of network device hardening are ensuring that your network devices run only the protocols and services they need and that access control lists are in place. The next two sections describe these capabilities from a security perspective.

Enabling and Disabling Services and Protocols

Many routers offer the ability to provide Dynamic Host Configuration Protocol (DHCP) services, packet filtering, service protocol configuration options, and other services for use in a network. Make sure your router is configured to allow only the protocols and services you’ll need for your network. Leaving additional network services enabled may cause difficulties and can create vulnerabilities in your network. As much as possible, configure your network devices as restrictively as you can. This additional layer of security costs you nothing, and it makes it that much harder for an intruder to penetrate your system.

Working with Access Control Lists

Access control lists (ACLs) enable devices in your network to ignore requests from specified users or systems or to grant them certain network capabilities. You may find that a certain IP address is constantly scanning your network, and you can block this IP address. If you block it at the router, the IP address will automatically be rejected any time it attempts to utilize your network.

ACLs allow a stronger set of access controls to be established in your network. The basic process of ACL control allows the administrator to design and adapt the network to deal with specific security threats.
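
The blocking scenario above, worked through as an added example (not from the book): the script flags a source that probes many ports in a constructed log, places a deny entry for it ahead of the permits, and evaluates packets the way first-match ACLs with an implicit final deny do. The log format, the threshold of five ports, and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection log, one "src_ip dst_port" per line (not from the book).
SAMPLE_LOG = """\
203.0.113.7 21
203.0.113.7 22
203.0.113.7 23
203.0.113.7 25
203.0.113.7 80
203.0.113.7 443
198.51.100.20 80
198.51.100.20 443
198.51.100.31 80
"""

def find_scanners(log_text, port_threshold=5):
    """Return sources that touched at least port_threshold distinct ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        src, port = line.split()
        ports[src].add(int(port))
    return sorted(s for s, p in ports.items() if len(p) >= port_threshold)

def build_acl(blocked_sources, allowed_ports=(80, 443)):
    """Ordered ACL: specific denies first, then permits for the needed services."""
    acl = [("deny", ipaddress.ip_network(s), None) for s in blocked_sources]
    any_src = ipaddress.ip_network("0.0.0.0/0")
    acl += [("permit", any_src, p) for p in allowed_ports]
    return acl

def evaluate(acl, src, dst_port):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, network, port in acl:
        if addr in network and (port is None or port == dst_port):
            return action
    return "deny"

def misordered(acl):
    """Same entries with the permits moved first, to show why order matters."""
    return sorted(acl, key=lambda entry: entry[0] != "permit")

if __name__ == "__main__":
    acl = build_acl(find_scanners(SAMPLE_LOG))
    for src, port in [("203.0.113.7", 80), ("198.51.100.20", 443), ("198.51.100.20", 23)]:
        print(src, port, evaluate(acl, src, port))
```

With the permits moved ahead of the deny entry, the same scanner reaches port 80 again, so the block has to sit above any broader permit.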

Hardening Applications

As we’ve explained, a good way to begin securing a network is to make sure every system in the network is up-to-date and to verify that only the protocols you need are enabled. Unfortunately, these steps aren’t enough. Your servers and workstations also run applications and services. Server services (especially web, e-mail, and media servers) are particularly vulnerable to exploitation and attack. These applications must also be hardened to make them as difficult as possible to exploit.

The following sections deal with hardening your applications, both on the desktop and at the server, to provide maximum security.

Hardening Web Servers

Web servers are favorite areas for attackers to exploit. Microsoft’s Internet Information Server (IIS), a common web server, continually makes it into the news. IIS, like most web servers, provides connections for web browsers.

Web servers were originally simple and were used primarily to provide HTML text and graphics content. Modern web servers allow database access, streaming media, and virtually every other type of service that can be contemplated. This diversity gives websites the ability to provide rich and complex capabilities to web surfers.

Every service and capability supported on a website is potentially a target for exploitation. Make sure they’re kept to the most current software standards. You must also make certain that you’re allowing users to have only the minimal permissions necessary to accomplish their tasks. If users are accessing your server via an anonymous account, then common sense dictates that you must make certain the anonymous account has only the permissions needed to view web pages and nothing more.

Two particular areas of interest with web servers are filters and controlling access to executable scripts. Filters allow you to limit the traffic that is allowed through. Limiting traffic to only that which is required for your business can help ward off attacks.

A good set of filters can also be applied to your network to prevent users from accessing sites other than those that are business related. Not only does this increase productivity, it also decreases the likelihood of users obtaining a virus from a questionable site.

Executable scripts, such as Common Gateway Interface (CGI) scripts, often run at elevated permission levels. Under most circumstances this isn’t a problem
