Securing the network (part 1) #CyberSecMonth
A week dedicated to network security
We continue to distribute our #CyberConseils with a new topic: network security. The ANSSI hygiene guide devotes 8 measures to securing the network, which makes it a dense and complex subject, so we have split it into two parts for readability. The second graphic and our recommendations will follow in a few days. In the meantime, this article should give you plenty to work on!
Protect your network for more security
Internet access has become almost indispensable in a professional context, but unsecured access is a source of many problems: malicious code, downloads of dangerous files, takeover of a workstation, or a leak of sensitive data. Securing the organization's network is therefore a precondition for preserving the integrity of the information system.
What can be done to secure the network?
Segment and partition:
On a network without partitions, any machine can reach any other machine connected to the same network; if one of them is compromised, every connected machine is threatened. The network architecture must therefore be designed by segmenting it into zones, each grouping systems with homogeneous security needs. It is recommended to separate the different kinds of servers (infrastructure, business...) and the different roles on the network (users, administrators). These zones are built from VLANs, dedicated IP subnets and, where necessary, dedicated infrastructure; IP filtering and firewalls then enforce the partitioning between zones. It is also important to compartmentalize the equipment and flows used for administration tasks.
Organizations must set up a secure gateway to the Internet. This gateway must include a firewall that filters connections and a proxy that authenticates users and logs requests. The network is then both partitioned and secured, and, in the event of an attack, the logs let you quickly trace the origin of the compromise.
Using secure, standard network protocols, such as those built on TLS, protects the confidentiality and integrity of the flows that cross the network.
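As an added illustration of the segmentation and gateway described above (example configuration written for this article, not a ruleset from ANSSI or Tranquil IT), the following nftables ruleset for a Linux firewall routing between VLAN zones encodes the principle: inter-zone traffic is denied by default, only the proxy may reach the Internet, workstations can reach only the proxy and the services they need, and management protocols are accepted only from the administration zone. The interface names, subnets, server addresses and ports are assumptions; the ruleset is IPv4 only and omits the NAT such a gateway would also need. It already carves out the corporate and guest Wi-Fi zones discussed in the next section.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original article: a zone-based ruleset for a
# Linux firewall/router sitting between VLAN sub-interfaces. All interface
# names, subnets and server addresses below are assumptions for illustration.
flush ruleset

define WAN      = "eth0"      # Internet uplink
define USERS    = "vlan10"    # 10.10.10.0/24 user workstations
define SERVERS  = "vlan20"    # 10.10.20.0/24 infrastructure + business servers
define ADMIN    = "vlan30"    # 10.10.30.0/24 administration workstations
define WIFI     = "vlan40"    # 10.10.40.0/24 corporate Wi-Fi (802.1X-authenticated devices)
define GUEST    = "vlan50"    # 10.10.50.0/24 guest / personal-device Wi-Fi

define PROXY    = 10.10.20.10 # authenticating, logging web proxy
define DC       = 10.10.20.20 # directory + internal DNS
define BUSINESS = 10.10.20.30 # business application server

table inet segmentation {
    chain input {
        # Traffic addressed to the firewall itself.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ct state invalid drop
        # The firewall is administered only from the admin zone.
        iifname $ADMIN tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
        counter log prefix "fw-input-denied: " drop
    }

    chain forward {
        # Traffic between zones: denied unless explicitly listed below.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet access: only the proxy, and only on web ports.
        iifname $SERVERS ip saddr $PROXY oifname $WAN tcp dport { 80, 443 } accept
        # Guest Wi-Fi gets direct Internet (web + DNS) and nothing internal.
        iifname $GUEST oifname $WAN tcp dport { 80, 443 } accept
        iifname $GUEST oifname $WAN udp dport 53 accept
        # Anything else bound for the Internet is logged and dropped, which forces
        # workstations through the authenticating proxy. The admin zone deliberately
        # has no Internet or proxy access at all.
        oifname $WAN counter log prefix "direct-internet-denied: " drop

        # Wired and corporate Wi-Fi workstations: proxy, directory services, business app.
        iifname { $USERS, $WIFI } ip daddr $PROXY tcp dport 3128 accept
        iifname { $USERS, $WIFI } ip daddr $DC udp dport { 53, 88 } accept
        iifname { $USERS, $WIFI } ip daddr $DC tcp dport { 53, 88, 389, 445, 636 } accept
        iifname { $USERS, $WIFI } ip daddr $BUSINESS tcp dport 443 accept

        # Management protocols (SSH, RDP, WinRM) reach servers only from the admin zone.
        iifname $ADMIN oifname $SERVERS tcp dport { 22, 3389, 5985, 5986 } accept

        # Everything else (user->admin, guest->anything internal, server->user...) is dropped.
        counter log prefix "interzone-denied: " drop
    }
}
```

Load it with `nft -f`, then watch the kernel log (`journalctl -k` or your syslog) for the `direct-internet-denied` and `interzone-denied` prefixes: while deploying, those lines show which legitimate flow you forgot; after an incident, they show which machine tried to talk to what.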
Control Wi-Fi access networks:
Wi-Fi can present a risk in a professional environment, in particular because the coverage area is poorly controlled or the access configuration is not secured. Segmenting the network architecture limits the consequences of an intrusion via Wi-Fi to a specific perimeter of the information system. What matters is:
- Flows from workstations connected to the Wi-Fi network must be filtered and restricted.
- Robust encryption and centralized authentication must be implemented, notably through machine client certificates (WPA2-Enterprise with 802.1X / EAP-TLS).
- The Wi-Fi network should not be protected by a single shared password. Where that is unavoidable, the shared password must be complex and renewed regularly.
- Login passwords must not be disclosed to unauthorized third parties.
- Access points must be managed in a secure manner.
- Wi-Fi connections of personal or visitor devices must be kept separate from those of the organization's devices (usually via a dedicated guest Wi-Fi network).
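The controls in the list above, as an added example rather than configuration from the original article: a hostapd configuration that broadcasts a corporate SSID protected by WPA2-Enterprise (802.1X, with EAP-TLS machine certificates validated by a RADIUS server) and a separate, isolated guest SSID with a rotated passphrase. The file path, SSIDs, bridge names, RADIUS address and secrets are assumptions; the bridges are expected to be plumbed into the corporate and guest VLANs, and the RADIUS server (FreeRADIUS, Microsoft NPS or similar) holds the certificate-validation logic, since hostapd only relays EAP. The commented lines at the top show the weak, single-shared-password setup the guide warns against.

```ini
# /etc/hostapd/hostapd.conf (assumed path) -- added example, not from the article.
# Two SSIDs on one radio: corporate (802.1X) and guest (isolated).
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1

# --- Weak: one shared passphrase for every employee device (what the guide warns against) ---
#   wpa_key_mgmt=WPA-PSK
#   wpa_passphrase=company2018
# Anyone who learns it (or leaves the company) keeps network access until it is rotated.

# --- BSS 1: corporate network, WPA2-Enterprise (802.1X, EAP-TLS via RADIUS) ---
ssid=CORP
bridge=br-corp                  # assumed bridge onto the corporate Wi-Fi VLAN
wpa=2
wpa_key_mgmt=WPA-EAP            # per-device authentication, no shared secret
rsn_pairwise=CCMP               # AES-CCMP only, no TKIP
ieee80211w=2                    # management frame protection required
ieee8021x=1
eapol_version=2
auth_server_addr=10.10.20.40    # assumed RADIUS server that checks the machine certificate
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-LONG-RANDOM   # placeholder, generate a real one
# EAP-TLS itself (CA, revocation, certificate-to-device mapping) is configured on the
# RADIUS server; hostapd forwards EAPOL frames and applies the accept/reject it returns.

# --- BSS 2: guest network, separate VLAN, rotated passphrase ---
bss=wlan0_1
ssid=GUEST
bridge=br-guest                 # assumed bridge onto the guest VLAN (Internet only, per firewall)
wpa=2
wpa_key_mgmt=WPA-PSK            # shared key is tolerated here only because guests have no internal access
rsn_pairwise=CCMP
wpa_passphrase=Renewed-Every-Month-Long-Random-Phrase   # placeholder; rotate on a schedule
ap_isolate=1                    # guests cannot talk to each other at layer 2
```

Check the result from a client: the corporate SSID must refuse a device that presents no certificate, and a guest client must be unable to reach any address on the internal VLANs (only the firewall's guest-to-Internet rules should work).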
How to apply these solutions?
Securing a computer network is not easy without specific skills. To act effectively you need sound methodologies and appropriate tools. Tools are easy and quick to obtain; methodologies are harder to acquire, and come from in-house training or from the assistance of an expert such as Tranquil IT.
To start, we recommend contacting a PASSI (Information Systems Security Audit Service Provider, qualified by ANSSI) to audit your IT estate. Audits fall into several categories:
- Architecture audit
- Configuration audit
- Source code audit
- Penetration tests
- Organizational and physical audit
ANSSI qualifies audit providers for each of these categories individually; not every PASSI is qualified for all of them, so refer to the PASSI list for details. Once your audit is complete, we can help you apply the auditor's recommendations to secure your network.
Get help from an expert
Tranquil IT has more than 15 years of experience in securing local networks. Have yourself audited by an Information Systems Security Audit Service Provider (PASSI) and entrust us with implementing the recommendations. We combine Software Restriction Policies (SRP) to set up security barriers, Samba Active Directory for user rights management and WAPT for application control to secure your IT assets. This "winning combination" and our DevSecOps methodologies allow us to act efficiently and securely on an entire IT estate.
- 5 tips to protect against ransomware – Ministère de l’économie et des finances
- Guide to good IT practices – ANSSI
Find all our recommendations on Twitter and LinkedIn under the hashtags #TousSecNum, #CyberSecMonth, #ECSM2018 and #ECSM. Also follow #CyberConseil for Tranquil IT's advice and the upcoming graphics.