
Network Hardening and the Dynamic Art of Security

Jan 2, 2022

In 2022, networks are constantly under attack, and even the smallest vulnerabilities can be quickly identified and exploited. Network hardening is critical for eliminating potential vulnerabilities and ensuring that networks adhere to the ‘golden rules’ of cyber security. While no network will ever be 100 percent safe, organizations that harden their networks can drastically reduce the number of successful attacks against them.

Network Hardening

Hardening a network has three key phases, and each comes with specific challenges for most organizations.

1. Document the existing network design and configuration

To eliminate security vulnerabilities, the first step is gaining a comprehensive view of the network. The problem is that documenting existing network infrastructure is a tedious, manual process for most organizations, resulting in out-of-date network diagrams or maps. Without a dynamic view of the network, teams have only a limited understanding of its security posture and of application traffic flows. What you need is how the network is running today, not how it was deployed a year or two ago, and you need to see the protocols in use, the filters in place, and the traffic paths at a glance.

With Dynamic Network Maps, organizations can automate documentation of the existing network in detail, providing not only edge-to-cloud visibility but also detailed asset reports and more. To validate security along critical application paths, engineers can visualize access lists and firewall policies. NetBrain’s A/B path calculator works at the layer-4 port level to analyze ACLs and policy-based routing, visually validating that ‘good’ traffic is permitted and ‘bad’ traffic is denied across every path.
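The port-level check described above boils down to simulating first-match ACL evaluation for a set of flows and comparing each result with the stated intent. The following is an added example written for this article, not NetBrain’s path calculator or any NetBrain code; the ACL lines, subnets and intents are constructed for illustration, and the parser covers only the `permit|deny <proto> <src> <dst> [eq <port>]` form with `any`, `host` and wildcard-mask address specs.

```python
"""First-match ACL evaluation for layer-4 flows (constructed example, not NetBrain's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol; otherwise "tcp"/"udp"/...
    src_net: int
    src_wild: int            # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]  # None means any destination port
    text: str                # original line, reported on match


def _addr(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard); return (net, wild, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]


def parse_acl(text):
    """Parse named extended-ACL style lines: <permit|deny> <proto> <src> <dst> [eq <port>]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        src_net, src_wild, rest = _addr(t[2:])
        dst_net, dst_wild, rest = _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(t[0], t[1], src_net, src_wild, dst_net, dst_wild, port, line))
    return rules


def _in(addr, net, wild):
    """True if addr falls inside net/wildcard (bits set in wild are ignored)."""
    mask = ~wild & 0xFFFFFFFF
    return (addr & mask) == (net & mask)


def evaluate(rules, proto, src, dst, dst_port):
    """Return (action, matched_line) for the first matching rule; implicit deny if none matches."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if not (_in(s, r.src_net, r.src_wild) and _in(d, r.dst_net, r.dst_wild)):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action, r.text
    return "deny", "implicit deny"


def verify_intents(rules, intents):
    """Check each (proto, src, dst, port, expected_action) intent; return the violations."""
    violations = []
    for proto, src, dst, port, expected in intents:
        action, matched = evaluate(rules, proto, src, dst, port)
        if action != expected:
            violations.append({"flow": f"{proto} {src} -> {dst}:{port}",
                               "expected": expected, "got": action, "by": matched})
    return violations


# Constructed ACL on the path from the user LAN (10.1.0.0/16) to a DMZ web and DNS server.
ACL = parse_acl("""
! constructed example, not a real device configuration
permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.10 eq 443
deny   tcp any host 10.2.0.10 eq 23
permit udp 10.1.0.0 0.0.255.255 host 10.2.0.53 eq 53
""")

# Constructed intents: what 'good' and 'bad' traffic should do on this path.
INTENTS = [
    ("tcp", "10.1.5.20", "10.2.0.10", 443, "permit"),   # users reach the web server over HTTPS
    ("tcp", "10.1.5.20", "10.2.0.10", 23, "deny"),      # telnet to the web server is blocked
    ("udp", "10.1.5.20", "10.2.0.53", 53, "permit"),    # DNS is allowed
    ("tcp", "10.3.0.5", "10.2.0.10", 443, "deny"),      # other sites have no HTTPS path
    ("tcp", "10.1.200.9", "10.2.0.10", 443, "deny"),    # guest VLAN 10.1.200.0/24 must not reach the DMZ
]

if __name__ == "__main__":
    for v in verify_intents(ACL, INTENTS):
        print("VIOLATION", v)
```

Running it reports one violation: the guest-VLAN host is permitted by the over-broad `permit tcp 10.1.0.0 0.0.255.255 ...` line, exactly the kind of ‘bad traffic allowed’ finding that a path-level check surfaces and a per-device review tends to miss. Extending the intent list is how the check grows with the network; the rules themselves never need to be re-read by hand.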

2. Identify and remediate security vulnerabilities

To effectively analyze potential security vulnerabilities, network teams need to examine every configuration in the network and determine how information can flow. This is typically done in one of two ways: manually, where an engineer reads every configuration and tries to determine how information can be accessed or passed from point to point; or with custom scripts that try to automate the process. Performing this manually is painstaking and tedious, and custom scripts only speed up the process marginally and are locked to the specific devices and platforms they were written for. Scripts are not very portable, require advanced scripting knowledge to build and run, and break whenever anything changes in the environment.

NetBrain’s PDAS network automation can validate every network configuration against a common set of ‘golden rules’ (e.g. device passwords are encrypted, idle timeouts are configured, HA pairs are identical, Telnet is prevented, etc.). To perform this assessment, NetBrain looks at the desired network intents along with every device’s configuration and proactively tests these rules continuously. If a device is out of compliance, NetBrain reports it and can even create a service ticket within ITSM systems for operator intervention before intrusions occur.

3. Safeguard against future vulnerabilities

Ensuring that network teams follow defined security practices is critical, and enforcing these policies across broad teams can be a challenge. Security teams can leverage any number of the ‘golden rules’ identified in step 2 to create Executable Runbooks that the network team uses collaboratively for future remediation. These Runbooks may include design guides to enforce security best practices going forward.

Upon configuring any network change or installing a new application, implementation engineers should execute a vulnerability assessment Runbook to ensure that it meets pre-defined security standards. The Runbook scans each new configuration to ensure it meets the predefined ‘golden’ requirements, and NetBrain’s PDAS event management system can even be configured to auto-trigger a vulnerability assessment the instant a change takes place.
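Steps 2 and 3 are the same check run at two moments: once over every existing configuration, and again on each new configuration the instant a change lands. The following added example, written for this article and not NetBrain’s PDAS or Runbook code, encodes the four golden rules named in step 2 (passwords encrypted, idle timeout configured, HA pairs identical, Telnet prevented) as a checker over IOS-style config text. The two device configurations are constructed, the `enable secret` hash is a placeholder, and the rule names and the `assess()` entry point are this example’s own conventions; a change trigger would call `assess()` with only the device that changed.

```python
"""Golden-rule compliance check over device configs (constructed example, not NetBrain's PDAS)."""
import re


def parse_stanzas(cfg):
    """Split an IOS-style config into (header, [indented child lines]) stanzas."""
    stanzas, header, body = [], None, []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                stanzas.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        stanzas.append((header, body))
    return stanzas


def check_config(device, cfg):
    """Return a list of (device, rule, detail) findings; an empty list means compliant."""
    stanzas = parse_stanzas(cfg)
    headers = [h for h, _ in stanzas]
    findings = []
    # Rule: stored passwords must not be plaintext.
    if "service password-encryption" not in headers:
        findings.append((device, "passwords-encrypted", "service password-encryption missing"))
    if any(h.startswith("enable password") for h in headers):
        findings.append((device, "passwords-encrypted", "enable password present; use enable secret"))
    # Rules: every vty line needs an idle timeout and SSH-only transport (no Telnet).
    for header, body in stanzas:
        if not header.startswith("line vty"):
            continue
        timeout = next((l for l in body if l.startswith("exec-timeout")), None)
        if timeout is None or timeout.split()[1:3] == ["0", "0"]:
            findings.append((device, "timeout-configured", f"{header}: no idle exec-timeout"))
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None or set(transport.split()[2:]) != {"ssh"}:
            findings.append((device, "telnet-prevented",
                             f"{header}: transport input must be 'ssh' only, got {transport!r}"))
    return findings


# Lines legitimately different between HA members (hypothetical list for this example).
HOST_SPECIFIC = re.compile(r"^(hostname|ip address|description) ")


def ha_pair_drift(cfg_a, cfg_b):
    """Stanza-qualified lines present on only one HA member, ignoring host-specific lines."""
    def flat(cfg):
        out = set()
        for header, body in parse_stanzas(cfg):
            if HOST_SPECIFIC.match(header):
                continue
            out.add(header)
            out.update(f"{header} / {l}" for l in body if not HOST_SPECIFIC.match(l))
        return out
    a, b = flat(cfg_a), flat(cfg_b)
    return sorted(("A-only", l) for l in a - b) + sorted(("B-only", l) for l in b - a)


def assess(devices, ha_pairs=()):
    """Run every golden rule over a set of configs; the change trigger calls this too."""
    findings = []
    for name, cfg in devices.items():
        findings.extend(check_config(name, cfg))
    for a, b in ha_pairs:
        for side, line in ha_pair_drift(devices[a], devices[b]):
            findings.append((f"{a}/{b}", "ha-pair-identical", f"{side}: {line}"))
    return findings


# Constructed configs for an HA pair; B has drifted from the golden baseline.
EDGE_FW_A = """\
hostname edge-fw-a
service password-encryption
enable secret 5 $1$example$placeholderhash
ip ssh version 2
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""
EDGE_FW_B = """\
hostname edge-fw-b
enable password cisco123
ip ssh version 2
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    devices = {"edge-fw-a": EDGE_FW_A, "edge-fw-b": EDGE_FW_B}
    for finding in assess(devices, ha_pairs=[("edge-fw-a", "edge-fw-b")]):
        print(finding)
```

Against these inputs, `edge-fw-a` passes cleanly, `edge-fw-b` produces four findings (no password encryption, a plaintext enable password, no vty idle timeout, Telnet allowed on the vty lines), and the HA comparison lists every line the two members disagree on. Each finding carries the device, the rule and the offending line, which is the minimum a ticket raised into an ITSM system needs to be actionable.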

The art of securing any hybrid infrastructure starts with proactive enforcement. Security vulnerabilities are far easier to manage before a breach than after one has occurred. By understanding how any network ‘should’ be configured, along with the intent of every device across the infrastructure, security and compliance become straightforward. The NetBrain PDA System continuously tests the live network against a set of golden baselines created without code, in a highly controlled fashion, and assures that the network is delivering services exactly as the application designers intended.