June 2, 2017
In 2017, networks are under constant attack, and even small vulnerabilities are quickly identified and exploited. Network hardening is critical to eliminating potential vulnerabilities and ensuring that devices adhere to the ‘golden rules’ of cyber security. No network will ever be 100 percent safe, but organizations that harden their networks can drastically reduce the number of successful attacks against them.
The three key phases to hardening a network all come with specific challenges for most networks.
1. Document the existing network design and configuration
To eliminate security vulnerabilities, the first step is gaining a high-level view of the network. The problem is that documenting existing network infrastructure is a tedious, manual process for most organizations, resulting in out-of-date network diagrams or maps. Without a dynamic view of the network, teams have only a limited understanding of security along application traffic flows.
With Dynamic Network Maps, organizations can automate documentation of the existing network in detail, providing not only end-to-end visibility but also detailed asset reports and more. To validate security along critical application paths, engineers can visualize access-lists and firewall policies. NetBrain’s A/B path calculator works at the layer-4 port level to analyze ACLs and policy-based routing, visually validating that ‘good’ traffic is permitted and ‘bad’ traffic is denied across every path.
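The port-level check described above, reduced to its core, is an ordered walk of an access-list with first match winning and an implicit deny at the end, followed by a comparison of the outcome for each flow against what the policy intends. The following is an added example written for this article, not NetBrain's own code or output. It parses a small, constructed subset of Cisco IOS extended-ACL syntax (`permit|deny ip|tcp|udp <src> <dst> [eq PORT | range LO HI]`, with addresses given as `any`, `host A.B.C.D`, or address plus wildcard mask; port names such as `www` are assumed out of scope) and reports every flow whose actual result differs from the expected one. The sample ACL, subnets and flows are invented for illustration.

```python
"""Layer-4 ACL evaluation for an A/B path check (added example, not NetBrain code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]  # inclusive destination-port range; None = any port


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def wildcard_to_prefix(wildcard: str) -> int:
    """Convert a Cisco wildcard mask (0.0.0.255 -> /24) to a prefix length.

    Only contiguous wildcards (binary 0...01...1) are valid; anything else is rejected.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - bits.bit_length()


def _address(tokens: List[str]):
    """Consume one address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    prefix = wildcard_to_prefix(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse the supported IOS extended-ACL subset, one ACE per line; '!' lines are comments."""
    acl: List[Ace] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _address(rest)
        dst, rest = _address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = (int(rest[1]), int(rest[1]))
        elif rest[:1] == ["range"]:
            dport = (int(rest[1]), int(rest[2]))
        acl.append(Ace(action, proto, src, dst, dport))
    return acl


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching ACE); (deny, None) means the implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and (
            flow.dport is None or not ace.dport[0] <= flow.dport <= ace.dport[1]
        ):
            continue
        return ace.action, i
    return "deny", None


def check_policy(acl: List[Ace], expectations: List[Tuple[Flow, str]]) -> List[str]:
    """Return a description of every flow whose actual outcome differs from the expected one."""
    violations = []
    for flow, expected in expectations:
        actual, index = evaluate(acl, flow)
        if actual != expected:
            violations.append(f"{flow}: expected {expected}, got {actual} (ACE {index})")
    return violations


# Constructed sample: users in 10.1.0.0/16 may reach the app server 10.2.0.5 on
# HTTPS/HTTP only; media servers in 10.2.0.0/24 accept UDP 5000-5010 from anywhere.
SAMPLE_ACL = """
! users may reach the app server on HTTPS and HTTP only
permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.5 eq 443
permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.5 eq 80
deny   ip  any host 10.2.0.5
permit udp any 10.2.0.0 0.0.0.255 range 5000 5010
"""

EXPECTATIONS = [
    (Flow("10.1.5.5", "10.2.0.5", "tcp", 443), "permit"),    # good: HTTPS from a user
    (Flow("10.1.5.5", "10.2.0.5", "tcp", 22), "deny"),       # bad: SSH to the app server
    (Flow("192.168.9.9", "10.2.0.5", "tcp", 443), "deny"),   # bad: HTTPS from outside the user range
    (Flow("172.16.0.1", "10.2.0.9", "udp", 5005), "permit"), # good: inside the media port range
    (Flow("172.16.0.1", "10.2.0.9", "udp", 5011), "deny"),   # bad: just past the range, implicit deny
]

if __name__ == "__main__":
    problems = check_policy(parse_acl(SAMPLE_ACL), EXPECTATIONS)
    print("policy OK" if not problems else "\n".join(problems))
```

Because the evaluator returns the index of the matching ACE, a failed expectation points straight at the line that needs attention, which is the same information an engineer wants when a path visualization shows ‘bad’ traffic getting through.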
2. Identify and remediate security vulnerabilities
To effectively analyze potential security vulnerabilities, network teams need to analyze every configuration in the network. This is typically done in one of two ways: manually, where an engineer reads every configuration, or with custom scripts that automate the process. Performing this manually is a painstaking and tedious process, and custom scripts only speed it up marginally. Most scripts are not very portable and require advanced scripting knowledge to build and run.
NetBrain’s adaptive network automation can validate every network configuration against a common set of ‘golden rules’ (e.g. device passwords are encrypted, timeouts are configured, etc.). To perform this assessment, NetBrain examines every device’s configuration and searches for the pre-defined rules within each. If a device is out of compliance, NetBrain reports it.
3. Safeguard against future vulnerabilities
Ensuring that network teams follow defined security practices is critical and enforcing these policies across broad teams can be a challenge. Security teams can leverage the ‘golden rules’ identified in step 2 to create Executable Runbooks for the network team to use for future network changes. These Runbooks may include design guides to help enforce security best practices going forward.
After configuring a change, implementation engineers should execute a vulnerability assessment Runbook to ensure that the change meets pre-defined security standards. The Runbook scans each new configuration to ensure it meets the predefined ‘golden’ requirements. An event management system can even be configured to auto-trigger a vulnerability assessment the instant a change takes place.
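Steps 2 and 3 share the same mechanism: a set of ‘golden rules’ evaluated against each device configuration, first across the whole estate and then again after every change. The following is an added example written for this article, not NetBrain's rules, Runbooks or code. It parses an IOS-style configuration into global commands and indented sections, applies four constructed rules of the kind the article mentions (password encryption on, `enable secret` rather than `enable password`, an idle `exec-timeout` and SSH-only `transport input` on every line, HTTP management off), and then compares the findings before and after a change so that only the regressions the change introduced are reported. The rule identifiers, the sample configurations and the hash placeholder are all invented for illustration.

```python
"""Golden-rule audit of IOS-style configurations (added example, not NetBrain code)."""
import re
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]                      # (rule id, message)
Sections = Dict[str, List[str]]


def parse_config(text: str) -> Tuple[List[str], Sections]:
    """Split a config into global commands and the indented lines under each one.

    A line with no leading whitespace is a global command; indented lines belong to
    the most recent global command (e.g. the block under 'line vty 0 4').
    """
    global_cmds: List[str] = []
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                           # blank lines and IOS '!' separators
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_cmds.append(current)
            sections[current] = []
    return global_cmds, sections


def check_password_encryption(g: List[str], s: Sections) -> List[str]:
    return [] if "service password-encryption" in g else ["service password-encryption is not enabled"]


def check_enable_secret(g: List[str], s: Sections) -> List[str]:
    out = []
    if any(c.startswith("enable password ") for c in g):
        out.append("'enable password' present; use 'enable secret' instead")
    if not any(c.startswith("enable secret ") for c in g):
        out.append("no 'enable secret' configured")
    return out


TIMEOUT = re.compile(r"^exec-timeout (\d+)(?: (\d+))?$")   # minutes [seconds]


def check_lines(g: List[str], s: Sections) -> List[str]:
    """Every 'line ...' block needs a non-zero exec-timeout; vty lines must be SSH-only."""
    out = []
    for header, body in s.items():
        if not header.startswith("line "):
            continue
        matches = [TIMEOUT.match(c) for c in body if c.startswith("exec-timeout")]
        if not matches or matches[-1] is None:
            out.append(f"{header}: exec-timeout not configured")
        elif int(matches[-1].group(1)) == 0 and int(matches[-1].group(2) or 0) == 0:
            out.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
        if header.startswith("line vty") and "transport input ssh" not in body:
            out.append(f"{header}: transport input not restricted to ssh")
    return out


def check_http(g: List[str], s: Sections) -> List[str]:
    return ["ip http server enabled (unencrypted management)"] if "ip http server" in g else []


RULES: List[Tuple[str, Callable[[List[str], Sections], List[str]]]] = [
    ("GR-01", check_password_encryption),   # hypothetical rule ids
    ("GR-02", check_enable_secret),
    ("GR-03", check_lines),
    ("GR-04", check_http),
]


def audit(config_text: str) -> List[Finding]:
    """Step 2: run every golden rule over one configuration."""
    g, s = parse_config(config_text)
    return [(rule_id, msg) for rule_id, fn in RULES for msg in fn(g, s)]


def regressions(before: str, after: str) -> List[Finding]:
    """Step 3: findings present after a change that were not present before it."""
    baseline = set(audit(before))
    return [f for f in audit(after) if f not in baseline]


# Constructed sample: a compliant baseline, then the same device after an engineer
# opened more vty lines for Telnet and turned on the HTTP server.
BASELINE = """
hostname edge-rtr-1
service password-encryption
enable secret 5 $1$example$placeholderhash
no ip http server
!
line con 0
 exec-timeout 5 0
!
line vty 0 4
 exec-timeout 5 0
 transport input ssh
"""

CHANGED = BASELINE.replace("no ip http server", "ip http server") + "line vty 5 15\n transport input telnet\n"

if __name__ == "__main__":
    for rule_id, msg in regressions(BASELINE, CHANGED):
        print(f"{rule_id}: {msg}")
```

Running the same `audit` on every device gives the fleet-wide assessment of step 2; running `regressions` against the pre-change snapshot is what a change-triggered Runbook needs, because it reports only what the change broke rather than every pre-existing finding on the device.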
For the entire process to work effectively, collaboration is imperative. With NetBrain, security teams and network teams can work collaboratively through the platform during triage, forensics, and for hardening security to proactively prevent threats.