Guidance

10 Steps: Network Security

Updated 16 January 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/10-steps-cyber-security

1. Summary

Connecting to untrusted networks (such as the Internet) exposes corporate networks to attacks that seek to compromise the confidentiality, integrity and availability of Information and Communications Technologies (ICT) and the information they store and process. This exposure can be managed by developing policies and risk management approaches that protect corporate networks, applying security controls that are commensurate with the risks that have been identified and the organisation’s risk appetite.

2. What is the risk?

Corporate networks need to be protected against both internal and external threats. The level to which networks are protected should be considered in the context of the organisation’s risk appetite, risk assessment and corporate security policies.

Businesses that fail to protect their networks appropriately could be subject to a number of risks, including:

Leakage of sensitive corporate information

Poor network design could be exploited by both internal and external attackers to compromise information or conduct unauthorised releases of sensitive information resulting in compromises in confidentiality, integrity and availability

Import and export of malware

Failure to put in place appropriate boundary security controls could lead to the import of malware and the compromise of business systems. In addition, users could deliberately or accidentally release malware or other malicious content to business partners or the general public via network connections that are poorly designed and managed

Denial of service

Networks that are connected to untrusted networks (such as the Internet) are vulnerable to denial of service attacks, where access to services and information is denied to legitimate users, compromising the availability of the system or service

Exploitation of vulnerable systems

Attackers will exploit poorly protected networks to gain unauthorised access to compromise the confidentiality, integrity and availability of systems, services and information

Damage or defacement of corporate resources

Attackers that have successfully compromised the network can damage internal and externally facing systems and information (such as defacing corporate websites), harming the organisation’s reputation and customer confidence

3. How can the risk be managed?

Produce, implement and maintain network security policies that align with the organisation’s broader information risk management policies and objectives. Follow recognised network design principles (eg ISO/IEC 27033-1:2009) to help define the necessary security qualities for the perimeter and internal network segments, and ensure that all network devices are configured to the secure baseline build.

3.1 Police the network perimeter

Limit access to network ports, protocols and applications by filtering and inspecting all traffic at the network perimeter, so that only traffic which is required to support the business is exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malware and other malicious content.

Install firewalls

Firewalls should be deployed to form a buffer zone between the untrusted external network and the internal network used by the business. The firewall rule set should deny traffic by default and a whitelist should be applied that only allows authorised protocols, ports and applications to communicate with authorised networks and network addresses. This will reduce the exposure of ICT systems to network based attacks.

Prevent malicious content

Deploy antivirus and malware checking solutions to examine both inbound and outbound data at the perimeter in addition to antivirus and malware protection deployed on internal networks and on host systems. The antivirus and malware solutions used at the perimeter should be different to those used to protect internal networks and systems in order to provide some additional defence in depth.

3.2 Protect the internal network

Ensure that there is no direct network connectivity between internal systems and systems hosted on untrusted networks (such as the Internet), limit the exposure of sensitive information and monitor network traffic to detect and react to attempted and actual network intrusions.

Segregate networks into sets

Identify, group and isolate critical business information assets and services and apply appropriate network security controls to them.

Secure wireless devices

Wireless devices should only be allowed to connect to trusted wireless networks. All wireless access points should be secured. Security scanning tools should have the ability to detect and locate unauthorised wireless access points.

Protect internal Internet Protocol (IP) addresses

Implement capabilities (such as Network Address Translation) to prevent internal IP addresses from being exposed to external networks and attackers and ensure that it is not possible to route network traffic directly from untrusted networks to internal networks.

Enable secure administration

Administrator access to any network component should only be carried out over dedicated network infrastructure and secure channels using communication protocols that support encryption.
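The perimeter rule set under "Install firewalls" (deny by default, explicit whitelist), the requirement above that internal systems have no direct connectivity to untrusted networks, and the restriction of administrative access to dedicated management infrastructure can all be expressed in one policy model and checked before a rule set is deployed. The following is an added example, not part of the original guidance and not any product's rule syntax: a small Python evaluator that walks an ordered allow-list and denies anything that matches no rule, plus an audit that flags rules which quietly undo default-deny. The zones (corporate LAN 10.0.0.0/8, DMZ 192.0.2.0/24, outbound web proxy 192.0.2.10, management subnet 10.250.0.0/24) and the rules themselves are constructed assumptions.

```python
"""Default-deny policy evaluator: an ordered allow-list, everything else denied.

Added example; not from the original guidance. Zones and rules are
constructed assumptions: corporate LAN 10.0.0.0/8, DMZ 192.0.2.0/24,
outbound web proxy 192.0.2.10, network management subnet 10.250.0.0/24.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "icmp"
    dports: frozenset     # allowed destination ports; empty means any port


ANY = "0.0.0.0/0"

# The whitelist. There is deliberately no catch-all allow rule: a flow that
# matches nothing here is denied by decide().
POLICY = [
    # Internet may reach the DMZ web tier on HTTP/HTTPS only.
    Rule("dmz-web-inbound", ANY, "192.0.2.0/24", "tcp", frozenset({80, 443})),
    # Corporate hosts reach the Internet only via the proxy; no direct routing.
    Rule("corp-to-proxy", "10.0.0.0/8", "192.0.2.10/32", "tcp", frozenset({3128})),
    Rule("proxy-outbound", "192.0.2.10/32", ANY, "tcp", frozenset({80, 443})),
    # Device administration (SSH) only from the dedicated management subnet.
    Rule("mgmt-ssh", "10.250.0.0/24", "10.0.0.0/8", "tcp", frozenset({22})),
]


def decide(src_ip, dst_ip, proto, dport=None, policy=POLICY):
    """Return ("allow", rule name) for the first matching rule, else ("deny", "default-deny")."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.proto != proto:
            continue
        if src not in ipaddress.ip_network(rule.src) or dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dports and dport not in rule.dports:
            continue
        return ("allow", rule.name)
    return ("deny", "default-deny")


def audit(policy):
    """Names of rules that undermine default-deny: any-to-any, or any-destination on any port."""
    broad = []
    for rule in policy:
        any_src = rule.src == ANY
        any_dst = rule.dst == ANY
        if (any_src and any_dst) or (any_dst and not rule.dports):
            broad.append(rule.name)
    return broad


if __name__ == "__main__":
    for flow in [("198.51.100.4", "192.0.2.20", "tcp", 443),   # Internet -> DMZ web
                 ("198.51.100.4", "192.0.2.20", "tcp", 22),    # Internet -> DMZ SSH
                 ("10.10.1.5", "203.0.113.7", "tcp", 443),     # corp host direct to Internet
                 ("10.10.1.5", "192.0.2.10", "tcp", 3128),     # corp host via proxy
                 ("10.10.1.5", "10.0.0.1", "tcp", 22),         # user LAN -> switch SSH
                 ("10.250.0.9", "10.0.0.1", "tcp", 22)]:       # management subnet -> switch SSH
        print(flow, "->", decide(*flow))
    print("overly broad rules:", audit(POLICY))
```

The point of the model is that the user LAN can reach the Internet only through the proxy and can never reach a device's SSH port, while the management subnet can; a temporary "allow anything" rule added during troubleshooting is exactly what audit() is there to catch before the rule set goes live.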

Configure the exception handling processes

Ensure that error messages returned to internal or external systems or users do not include sensitive information that may be useful to attackers.
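An added example of the pattern this item asks for, not code from the original guidance: a request handler that on failure returns only a generic message and a correlation reference to the caller, while the full exception (which here names an internal host and port) is recorded where only administrators can read it. The backend call, the log store and the account lookup are constructed stand-ins, and the "leaky" handler is shown first as the behaviour to avoid.

```python
"""Exception handling that keeps internal detail out of responses.

Added example; not from the original guidance. The backend call, the
in-memory log store and the handler signatures are constructed stand-ins.
"""
import logging
import traceback
import uuid

logger = logging.getLogger("edge")
AUDIT_LOG = []   # stands in for a log sink that only administrators can read


def _backend_lookup(account_id):
    # Constructed failure: a backend error whose text exposes an internal
    # hostname, a database port and the identifier being looked up.
    raise ConnectionError(
        f"db01.internal.example:5432 refused connection for account {account_id}")


def handle_request_leaky(account_id):
    """'Before': the raw exception text is echoed to the client."""
    try:
        return 200, _backend_lookup(account_id)
    except Exception as exc:
        return 500, f"Internal error: {exc}"


def handle_request(account_id):
    """'After': generic message plus a reference; the detail goes only to the log."""
    try:
        return 200, _backend_lookup(account_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        AUDIT_LOG.append(f"ref={ref} {traceback.format_exc()}")
        logger.error("request failed ref=%s", ref)
        return 500, f"The request could not be completed. Reference: {ref}"


def leaks_internal_detail(body):
    """Crude check: does a response body mention internal infrastructure?"""
    return any(marker in body for marker in (".internal.", ":5432", "Traceback"))


if __name__ == "__main__":
    print(handle_request_leaky("42"))
    print(handle_request("42"))
    print(AUDIT_LOG[-1])
```

The reference value is what lets support staff find the full record later without the client ever seeing it; the same idea applies to ICMP unreachables, HTTP error pages and service banners that would otherwise reveal addressing, software versions or internal names.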

Monitor the network

Tools such as network intrusion detection and network intrusion prevention should be placed on the network and configured by qualified staff to monitor traffic for unusual or malicious incoming and outgoing activity that could be indicative of an attack or an attempted attack. Alerts generated by the system should be promptly managed by appropriately trained staff.
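Two of the "unusual" behaviours a network monitor should raise are an internal host talking to an untrusted network directly (bypassing the perimeter proxy) and one source touching many ports on one host (a sweep). The following is an added example, not from the original guidance and not any IDS product's rule language: detection logic in Python run over constructed flow records. The record layout (timestamp, source, destination, protocol, destination port, bytes), the zones (corporate 10.0.0.0/8, DMZ 192.0.2.0/24, proxy 192.0.2.10) and the threshold of 20 distinct ports are assumptions to be tuned for a real network.

```python
"""Detection logic run over flow records: direct egress and port sweeps.

Added example; not from the original guidance. The flow lines are
constructed, the record layout (timestamp src dst proto dport bytes) is an
assumption, and the zones are illustrative: corporate 10.0.0.0/8,
DMZ 192.0.2.0/24 (containing the outbound proxy 192.0.2.10).
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
SCAN_PORT_THRESHOLD = 20  # distinct destination ports from one source to one host

# Constructed sample: normal proxied browsing, one host bypassing the proxy,
# and one external address sweeping 25 ports on a DMZ host.
FLOWS = [
    "2015-01-16T09:00:01 10.10.1.5 192.0.2.10 tcp 3128 1450",
    "2015-01-16T09:00:02 192.0.2.10 203.0.113.7 tcp 443 9800",
    "2015-01-16T09:00:05 10.10.1.6 203.0.113.9 tcp 443 2200",
    "2015-01-16T09:00:06 10.10.1.6 203.0.113.9 tcp 443 2200",
] + [
    f"2015-01-16T09:01:{i:02d} 198.51.100.7 192.0.2.20 tcp {port} 60"
    for i, port in enumerate(range(20, 45))
]


def parse(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def trusted(ip):
    return ip in INTERNAL or ip in DMZ


def detect(lines, scan_threshold=SCAN_PORT_THRESHOLD):
    """Return alert tuples (kind, src, dst, detail) for the given flow lines."""
    alerts = []
    egress_reported = set()
    ports_seen = defaultdict(set)
    for rec in map(parse, lines):
        src, dst = rec["src"], rec["dst"]
        # 1. Corporate hosts must not talk to untrusted networks directly;
        #    only the proxy (in the DMZ) should appear as a source of egress.
        if src in INTERNAL and not trusted(dst) and (src, dst) not in egress_reported:
            egress_reported.add((src, dst))
            alerts.append(("direct-egress", str(src), str(dst), rec["dport"]))
        # 2. One source touching many distinct ports on one host is a sweep;
        #    alert once, when the count first reaches the threshold.
        ports_seen[(src, dst)].add(rec["dport"])
        if len(ports_seen[(src, dst)]) == scan_threshold:
            alerts.append(("port-scan", str(src), str(dst), scan_threshold))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

The first rule only works if the perimeter really does force all corporate egress through the proxy, so a hit means either a firewall gap or a host that has found another path; the second rule is deliberately simple and will need a time window and whitelisting of vulnerability scanners before it is useful on a busy network.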

Assurance processes

Conduct regular penetration tests of the network infrastructure and undertake simulated cyber attack exercises to ensure that all security controls have been implemented correctly and are providing the necessary levels of security.