The network should be designed, configured, and maintained to deliver high performance and reliability to meet the needs of the business, while also providing access controls and necessary privileges. The intent of network security management is to protect the critical information assets, client data, and reputation while providing secure and reliable services by implementing and managing technical safeguards on all critical networks. The impact of the loss of network services to the organization would be high, and it is imperative that adequate controls are implemented to ensure network continuity.
Network Security Basics
The networks include: Local Area Networks (LAN) that connect users to host systems and data; Wide Area Networks (WAN) that connect clients, partners, affiliate companies and remote staff with host systems and data to conduct transactions and serve operations; and other remote access connections that provide remote staff, vendors and partners with access to critical services. Although this connectivity provides the platform for core services, these same networks provide significant risk and must be managed properly via a strong information security program and risk management strategy and assessment.
The network should be logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnets for publicly accessible system components that are logically separated from the internal network. This segmentation should be based on organizational and/or compliance requirements. Network traffic should be controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements.
Internal wired, wireless, and external networks (the Internet) should be segregated based on functionality/classification of the data/systems using firewalls to define logical/physical segmentation of the network and access control policies should be enforced for each domain.
Network Access Best Practices
Network and network services to which users are authorized access should be specified. The organization should determine who is allowed access to specific networks and network services along with specifying the means of access allowed (to include specific ports, protocols, services, and rationale).
If a connection is identified as non-secure, you (a.k.a. the organization) should identify and implement compensating controls.
The organization should identify and manage external information systems that may be used by employees and personnel. Authorized individuals should be prohibited from using external information systems unless systems are verified having adequate security controls and an approved connection or processing agreement is in place.
Network DMZ Security
A DMZ should be established and all systems/components storing/processing sensitive/critical data should be placed behind this DMZ. Access should only be allowed to specific networks and network services defined by specific ports, protocols, and services utilized. Network traffic through a firewall should be restricted according to the access control policy where traffic is denied and permitted only by exception.
A baseline of network operations and expected data flows for users/systems should be established and managed. A current network diagram should be maintained and updated whenever there are network changes. The network diagram should be reviewed/updated no less than every six (6) months.
Routing controls should be implemented through security gateways (e.g., firewalls) used between internal and external networks (e.g., the Internet and 3rd party networks). Firewall/routers should be implemented with a standard configuration. Firewalls should validate source/destination addresses, hide internal directory services and IP addresses, and restrict messaging, file transfer, interactive access, and common Windows applications. Firewall standards should be reviewed at least semi-annually.
For each connection, the interface characteristics, security requirements, and the nature of the information communicated should be documented. Any firewall, router, and network connection changes should be approved and tested prior to implementation. Network scans should be performed on a quarterly basis to identify unauthorized devices or components.
Public-Facing Systems and Applications Security
Public-facing web applications will be identified and application-level firewalls should be implemented to control traffic to these applications. An intrusion detection/prevention solution (IDS/IPS) should be implemented on the network perimeter and other key points on the network and that the IDS/IPS should be kept up to date.
The organization should maintain and enforce network based URL filters that limit a system’s ability to connect to websites not approved by the organization. The organization specifically blocks access to known file transfer and e-mail exfiltration websites. In addition to URL filtering, the organization should deny communications with (or limit data flow to) known malicious IP addresses (blacklists), or limit access only to trusted sites (whitelists).
Network Configuration Management
Security hardening should be implemented according to approved standards summarized in the network device hardening procedures. The CISO or equivalent role should approve and maintain the procedures to include, at a minimum, the following:
- Document purpose of each network device with the minimum server and software included in the system.
- Install minimum hardware and software to accomplish the specific purpose.
- Establish standards consistent with best practices recommended by vendors and industry sources.
- Removal of all vendor defaults such as guest accounts, default passwords, and standard settings like “community strings” from systems and applications prior to installing on the network.
- For wireless environments, change wireless vendor defaults, including, but not limited to, default SSID, passwords, and SNMP community strings. Enable Wi-Fi Protected Access (WPA or WPA2) technology for encryption and authentication when WPA-capable.
- All unnecessary functionality, such as scripts, drivers, features, subsystems, and file systems should be removed.
- Verify the most current version of hardware and software is installed.
- Enable logging on all network devices and tools.
- Encrypt all key and password files.
- Test all configurations prior to deployment.
Network Security Checklist
Network security management should be performed to protect all sensitive information and customer records in addition to providing a platform to meet functional requirements. Operations require both performance and protection to perform its mission for customers. At a minimum, the organization should define and publish procedures, diagrams, and inventories and maintain documentation to accomplish the following:
- A current inventory of all critical systems, network devices and software version levels and patches deployed.
- An approved inventory list with asset owner, contact information, and purpose, and the personnel authorized to use the devices.
- Acceptable uses for the technology.
- Acceptable network locations for the technology.
- A list of company-approved products.
- Publish diagrams of critical network connections that define the function, name, location, IP address, and capacity of critical network and security devices, services, host systems, applications, and confidential data storage.
- Standard Configurations for all network devices with removal of vendor defaults.
- Operating procedures for all systems and security devices.
- Copies of all licenses, instructions and license keys for all deployed systems.
- An inventory of all users and group privileges authorized on systems.
- Explicit management approval must be sought prior to use of any devices on the network.
- Ensure that all devices used on the network are authenticated to with username and password or required authentication method.
- After a specific period of inactivity, automatically disconnect the sessions.
- Virtual machines and/or air-gap (stand-alone) systems are used to isolate and run applications that are required for business and/or clinical operations, but present a high risk for connection to the network.
- Network infrastructure is managed across network connections that are separated from the business use of that network relying on separate VLANs or on entirely different physical connectivity for management sessions for network devices.
- Networks are segmented based on the label or classification level of the information stored on the servers ensuring all sensitive information is located on separated VLANs.
- Network switches will be configured for Private (VLANs – port isolation).
- Separate virtual local area networks (VLANs) will be created for Bring Your Own Devices (BYOD) systems or other untrusted devices such as legacy medical devices.
- Internet access from virtual local area networks (VLANs) for BYOD systems or other untrusted devices (legacy medical devices) must go through at least the same border as corporate traffic.
For more information and details on how we can help, contact us today!