Securing the network (part 2) #CyberSecMonth
Partitioning, protecting and controlling: the secrets of a secure network
Internet access has become almost indispensable in a professional context. Unsecured access to the Internet can become the source of many problems: malicious code, downloading dangerous files, taking control of the terminal, leaking sensitive data, and many other threats. Securing the organization’s network therefore means ensuring the integrity of the information system!
Adopt the right reflexes:
Dissociate the services visible from the Internet from the system:
Hosting services visible on the Internet internally is a practice that requires a lot of vigilance on the part of the organization. Indeed, administrators must be able to guarantee a high level of protection. If the organization cannot do this, it can still use outsourced hosting for its services visible on the web.
Internet hosting infrastructures must be physically partitioned from all other system infrastructures. It is also recommended to set up an infrastructure for interconnecting these services with the Internet to filter the flows related to these services from the entity’s other flows. These flows must imperatively pass through a reverse proxy server with many security mechanisms embedded.
Professional messaging, a channel to prioritize:
Messaging is the main vector of infection in the workstation, particularly when opening attachments containing malicious code or clicking on a link that redirects to an equally malicious site. Beyond an awareness phase to be conducted internally, it is necessary to check the authenticity of the message through another channel (telephone, SMS, etc.) in case of doubt.
The redirection of professional messages to a personal message is to be avoided since this practice represents a data leak. A remote access solution to professional messaging is a good alternative against this problem. In case of hosting the email system it is important to have an antivirus scanning system to prevent the reception of infected files but also to activate TLS encryption of exchanges between email servers as well as between user workstations and hosting servers.
Remain vigilant about partner relationships:
Organizations sometimes need to establish a dedicated network interconnection with a supplier or customer, especially to exchange data. These exchanges must pass through a private network or a site-to-site tunnel (Ipsec). By principle, partners cannot be considered secure and secure, so it is essential to perform IP filtering with a firewall as close as possible to the flow entries on the entity’s network. The flow matrix should be reduced if necessary for operational purposes, maintained and equipment should comply with it.
Do not forget the physical security of the entity:
Physical security mechanisms are also part of an organization’s security strategy. It is important to put in place adequate physical security measures and to continually raise awareness among users of the risks associated with circumventing rules. In addition, network outlets in public areas should be restricted or even disabled if possible to prevent intrusion.
The access to server rooms and other technical rooms must be secured with secure locks and badge systems. Unaccompanied access by external service providers should be prohibited or, failing that, access should be traced and limited to strict time slots. It is important to regularly review access rights in order to identify unauthorized access or to update them (departure of an employee, change of service provider, etc.). In short, you need to know your information system in order to be able to control access to your infrastructure.
How to apply these solutions?
Securing the computer network is not easy without special skills. To act effectively, you need good methodologies and appropriate tools. Tools can be obtained easily and quickly, unlike methodologies that are more complex to address. These methodologies can be obtained through the internal training plan or with the assistance of an expert such as Tranquil IT.
The first step we recommend is to contact a PASSI to carry out a complete audit of your fleet. They are classified into different categories:
- Architecture audit
- Configuration audit
- Source code audit
- Intrusion test
- Organizational and physical audit
ANSSI certifies the audit bodies on each of these criteria individually. Not all PASSI are qualified for all criteria, refer to the PASSI list for more information. Once your audit is complete, we can help you apply the audit body’s recommendations to secure your network.
Take advantage of our expertise
Tranquil IT has 15 years of expertise in the local network security sector. We can easily help you to apply the recommendations of an Information Systems Security Audit Service Provider (PASSI). We combine our DevSecOps methodologies with a combination of tools that we master to act efficiently and securely on a fleet. We therefore use SRP (Software Restriction Policies) to establish security barriers, Samba Active Directory for user rights management and WAPT for application control to ensure the security of your IT assets.
The European CyberSecurity Challenge 2018, a successful challenge?
The French team quickly positioned itself in the top three on the first day of competition. Finally dethroned in the middle of the day, France was able to establish itself as a major player in the competition. The French team again took first place on the second day, the end of the competition was extremely tough and the scores were very close. Germany will finally finish first in this competition, but we can still congratulate our French team who finished second on the podium, an impressive performance for its first participation. The revenge will take place in 2019 in Romania!
Find all our recommendations on Twitter and LinkedIn and on hashtag : #TousSecNum, #CyberSecMonth, #ECSM2018 et #ECSM. Also follow our hashtag #CyberConseil to follow Tranquil IT’s advice and discover the following graphics.
In previous articles, we presented you in detail the story of Samba Active Directory. From its evolution in Active Directory to the new features of Samba 4.10, we didn't forget any details... Or almost! Indeed, the history of Samba Active Directory cannot be complete...read more
At the beginning of April 2019, the ITES (Innovation Technology European Summit) took place in Deauville. Organized by the CRIP (Club of IT Infrastructure and Production Managers) since 2013, the event brings together the various players in the IT eco-system with...read more
Samba Active Directory version 4.10 has been release for several days! We managed to hold back our impatience to tell you about it and take the time to test the brand new version. In a previous article, we borrowed the DeLorean to go back in time and discover the...read more