I am going to consider network security improvements at each of the seven layers of the OSI (Open Systems Interconnection) model.
I am also going to introduce a new layer to the OSI model, the User layer at layer 8.
Layer 1 Physical layer
- Ensure servers are physically stored in a locked environment.
- Ensure a UPS is installed.
- Wi-Fi – Disable SSID broadcasts, set a strong password on the AP, implement strong encryption.
- Offsite backups – whether physical storage of disks or cloud-based backups.
- Disable unused ports on routers, switches and firewalls.
Layer 2 Data Link layer
- Implement VLANs on switches to protect against MAC flooding, ARP and Spanning Tree attacks.
- Separate management and user traffic into different VLANs. Don’t use VLAN 1. If VoIP is used, separate voice and data traffic.
Layer 3 Network Layer
- On routers, assign strong passwords to the VTY lines, to the console and aux ports, and to Telnet.
- Introduce Network Policy Servers and quarantine zones for users who bring their own devices and for remote access users, to ensure that their machines are patched and have up-to-date antivirus and antimalware software.
- Introduce firewalls and intrusion detection systems.
- Introduce NAT as a method of obscuring internal hosts' IP addresses from the internet.
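Several of the items in Layers 1 to 3 (unused ports disabled, VLAN 1 not used, passwords on the VTY, console and aux lines) can be checked from a saved device configuration. The script below is an added example, not part of the original post; it assumes Cisco IOS-style syntax, a constructed sample configuration, and a hypothetical convention that unused ports carry `description unused`.

```python
# Constructed sample of Cisco IOS-style configuration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 10
interface GigabitEthernet0/2
 switchport access vlan 1
interface GigabitEthernet0/3
 description unused
 shutdown
interface GigabitEthernet0/4
 description unused
line con 0
 password <constructed-placeholder>
line aux 0
line vty 0 4
 password <constructed-placeholder>
"""

def parse_blocks(config):
    """Group indented sub-commands under their 'interface' or 'line' header."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """Return (block header, finding) pairs for the three checks below."""
    findings = []
    for header, cmds in parse_blocks(config).items():
        if header.startswith("interface "):
            # Assumption: unused ports are labelled 'description unused'.
            if "description unused" in cmds and "shutdown" not in cmds:
                findings.append((header, "unused port is not shut down"))
            if "switchport access vlan 1" in cmds:
                findings.append((header, "port is assigned to VLAN 1"))
        # Presence check only; lines using 'login local' or AAA need another test.
        elif not any(c.startswith("password ") for c in cmds):
            findings.append((header, "no password set on line"))
    return findings

if __name__ == "__main__":
    for header, finding in audit(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```

The check confirms only that a line password exists; it says nothing about how strong that password is.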
Layer 4 Transport Layer
- Use port scanning software to identify unnecessary open ports.
- Ensure that FTP port 21 is closed.
Layer 5 Session Layer
- For mobile users implement SSL VPN
- For branch offices implement IPSec
- Introduce a strong password policy that requires passwords to be changed every month
- Set up auditing of failed logins
Layer 6 Presentation Layer
- Introduce encryption services (TLS/SSL)
Layer 7 Application Layer
- Ensure antivirus and antimalware are installed and up to date
- Ensure the operating system is updating, either from WSUS or from Windows Update directly
- Implement Kerberos authentication
- Ensure the internet browser is being updated.
Layer 8 User Layer
- Educate users about the latest threats and suspicious emails
- Educate users about common social engineering techniques
- Educate users about the importance of rebooting machines to let updates install
The above is by no means an exhaustive list of things that need to be considered when securing a network. But I think it does show that security is not just a lock on a door; it is a technique of layering. Using the OSI model to consider what needs to be done where helps us to create a reasonable plan of action.
Although no direct quotes have been taken, the references below are what I used to base my ideas on.
Oxenhandler, D. 2003. “Designing a Secure Local Area Network”, SANS Institute, InfoSec Reading Room. Available online at http://www.sans.org/reading-room/whitepapers/bestprac/designing-secure-local-area-network-853 accessed online 14/9/2014
Pace, K. 2004. “A Layered Security Model: OSI and Information Security”, SANS Institute. Available online at http://www.giac.org/paper/gsec/3908/layered-security-model-osi-information-security/106272 accessed online 14/9/2014
Reed, D. 2003. “Applying the OSI Seven Layer model to Information Security”, SANS Institute, InfoSec Reading Room. Available online at http://www.sans.org/reading-room/whitepapers/protocols/applying-osi-layer-network-model-information-security-1309 accessed online 14/9/2014
Surman, G. 2002. “Understanding security using the OSI Model”, SANS Institute, InfoSec Reading Room. Available online at http://www.sans.org/reading-room/whitepapers/protocols/understanding-security-osi-model-377 accessed online 14/9/2014
Airtight Networks, unknown. “Wifi Security Best Practices”, AirtightNetworks.com. Available online at http://www.airtightnetworks.com/fileadmin/pdf/resources/WiFi_Security_Best_Practices.pdf accessed online 14/9/2014