Expert Insights with CyberEdBoard

Network Firewalls, Network Access Control, Security Operations, Training & Security Leadership

Managing Security at the Network Layer

How to Safeguard Critical Infrastructure
Shervin Evans, enterprise architect and information security officer, Deltec Bank & Trust Ltd., and CyberEdBoard member

Neglecting network security can have serious consequences for an organization. Its IT architecture rests on the network layer, and failure to secure that layer adequately can lead to damaging breaches, data theft and prolonged downtime. Here are the essential practices for managing network security, along with real-world incidents that show why layered protection matters.


Securing Access: The Front Line of Defense

Network devices such as routers, switches, firewalls and web application firewalls form the core of any IT infrastructure, and their management interfaces are a prime target. Unauthorized access to them can lead to privilege escalation, network outages and data breaches, so protecting that access is essential to network integrity.

Best Practice: Role-Based Access Control With TACACS+

Role-based access control, or RBAC, grants permissions to roles rather than to individuals, so users receive only the access their duties require. Coupled with Terminal Access Controller Access-Control System Plus, or TACACS+ (the Cisco-originated protocol, documented in RFC 8907, that replaced the original TACACS), RBAC offers a robust way to manage administrative access to switches, routers and firewalls. TACACS+ centralizes authentication, authorization and accounting for network devices, so administrators can enforce RBAC policies, track login activity and authorize each command individually instead of granting a blanket privilege level.

  • TACACS+ for access management: TACACS+ authenticates users who need access to network devices against a central server, returns a permit or deny for each command they enter and logs that decision, which gives per-command accountability. One caveat: the protocol's built-in body obfuscation is not real encryption, so TACACS+ traffic should stay on an isolated management network or inside an encrypted tunnel, as the security considerations of RFC 8907 recommend.
  • Multifactor authentication: Combining RBAC with MFA requires users to prove their identity with more than a password, which sharply reduces the impact of stolen or reused credentials.

Regular audits of user permissions and device access are needed to prevent privilege creep, the gradual accumulation of more access than a role requires as people change jobs and projects. Using TACACS+ alongside RBAC and MFA, and reviewing the accounting logs it produces, lets organizations manage and verify who can do what on critical network devices.
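The following is an added example, not code from the article or from any TACACS+ product. It models the per-command permit/deny decision a TACACS+ server returns to a router or switch, the accounting line that makes each decision attributable to a person, and a privilege-creep audit over the role assignments. The roles, users, device name and commands are hypothetical.

```python
"""Role-based command authorization of the kind a TACACS+ server applies.

Added example, not code from the article or from any TACACS+ product. It
models the per-command permit/deny decision a TACACS+ server returns to a
router or switch, the accounting line that records it, and a privilege-creep
audit. Role names, users, devices and commands are made up.
"""
from __future__ import annotations

import fnmatch
import json
from datetime import datetime, timezone

# Each role lists shell-style patterns of commands it may and may not run.
# Nothing is permitted unless a pattern says so (default deny), and a deny in
# any of a user's roles wins over a permit in another.
ROLES = {
    "readonly": {"permit": ["show *", "ping *", "traceroute *"], "deny": []},
    "netops": {
        "permit": ["show *", "ping *", "configure terminal", "interface *",
                   "description *", "shutdown", "no shutdown", "write memory"],
        "deny": ["interface Management*"],
    },
    "netadmin": {"permit": ["*"], "deny": ["reload", "erase startup-config"]},
}

# User-to-role assignment as it might be exported from a directory (hypothetical).
USERS = {"alice": ["readonly"], "bob": ["netops"], "carol": ["netadmin", "netops"]}


def authorize(user: str, command: str) -> tuple[bool, str]:
    """Return (permitted, reason) for one command typed on a device."""
    roles = USERS.get(user, [])
    if not roles:
        return False, "unknown user"
    for role in roles:
        for pattern in ROLES[role]["deny"]:
            if fnmatch.fnmatchcase(command, pattern):
                return False, f"denied by role {role} pattern {pattern!r}"
    for role in roles:
        for pattern in ROLES[role]["permit"]:
            if fnmatch.fnmatchcase(command, pattern):
                return True, f"permitted by role {role} pattern {pattern!r}"
    return False, "no matching permit (default deny)"


def accounting_record(user: str, device: str, command: str,
                      when: datetime | None = None) -> str:
    """One JSON accounting line per command, permitted or not, so that every
    keystroke on a network device is attributable to a person."""
    permitted, reason = authorize(user, command)
    when = when or datetime.now(timezone.utc)
    return json.dumps({
        "ts": when.isoformat(), "user": user, "device": device,
        "command": command, "result": "permit" if permitted else "deny",
        "reason": reason,
    }, sort_keys=True)


def privilege_creep(users: dict[str, list[str]],
                    required: dict[str, set[str]]) -> dict[str, list[str]]:
    """Roles each user holds beyond what their current job function requires."""
    excess = {}
    for user, held in users.items():
        extra = set(held) - required.get(user, set())
        if extra:
            excess[user] = sorted(extra)
    return excess


if __name__ == "__main__":
    for user, cmd in [("alice", "configure terminal"), ("bob", "interface Management1"),
                      ("carol", "reload"), ("carol", "show version")]:
        print(accounting_record(user, "core-sw-01", cmd))
    print(privilege_creep(USERS, {"alice": {"readonly"}, "bob": {"netops"},
                                  "carol": {"netadmin"}}))
```

Two design choices are worth copying into a real policy: the default is deny, so a new command is unreachable until someone adds a permit, and a deny in any role overrides a permit in another, so a role that is allowed `*` still cannot reload the device. The audit flags carol, who kept the netops role after moving to netadmin, which is exactly the creep the text describes.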

Real-World Example: The Consequences of Weak Access Control

Many breaches have begun the same way: an organization leaves Remote Desktop Protocol exposed to the internet, attackers log in with weak, reused or stolen credentials, and from that foothold they reach sensitive network components and escalate. The result is typically widespread data theft and operational disruption. Keeping administrative access off the internet and behind MFA, with TACACS+ and RBAC governing what each account may do on network equipment, could have prevented that initial entry, which is why these layered controls matter.

System Hardening: Reinforcing Network Devices

System hardening is essential to minimize vulnerabilities and reduce the attack surface of your network devices. Each component of the network - routers, switches, firewalls, servers, desktop computers, laptops and Wi-Fi access points - needs to be secured.

Best Practice: Hardening Key Network Devices

  • Routers and switches: Disable unused ports and services, replace Telnet and SNMPv1/v2c with SSH and SNMPv3, enforce strong credentials, and restrict management interfaces to a dedicated management network, with TACACS+ monitoring and controlling administrative access.
  • Firewalls and WAFs: Write rules that permit only the traffic a service needs and deny everything else, pair them with intrusion detection, and patch the appliances themselves promptly. A WAF or proxy is an application with its own attack surface: a configuration that lets it fetch arbitrary URLs on a client's behalf is a vulnerability, not a feature.
  • Servers and endpoints: Keep all devices current with security patches, disable unused services and run endpoint protection to guard against malware.

Real-World Case: Misconfigured Cloud Services

Capital One suffered a breach in 2019 because of a misconfigured web application firewall running in its AWS environment. Paige Thompson, a former AWS software engineer, sent the WAF crafted requests that made it fetch URLs on her behalf (a server-side request forgery), including the EC2 instance metadata endpoint, which returned temporary credentials for the IAM role attached to the instance. Those credentials carried enough permission to list and copy data from Capital One's S3 buckets. The data belonged to roughly 100 million people in the U.S. and 6 million in Canada and included credit card application details and, for a subset of applicants, Social Security numbers and linked bank account numbers. The OCC fined Capital One $80 million for the weaknesses in its cloud risk management, and the company later agreed to a $190 million settlement of the customer class action.

The incident shows how a single misconfiguration in a cloud edge component can chain into full data access, and why instance roles, metadata access and bucket permissions need the same continuous review as the firewall rules themselves.
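The following is an added example, not Capital One's or AWS's code. It places the unguarded fetch pattern the breach abused beside a guard that rejects non-public destinations (including the link-local metadata address, also when written as an IPv4-mapped IPv6 literal or reached through a hostname) and a fetcher that refuses redirects. The hostnames and addresses are made up, and the resolver is injectable so the check can be exercised offline.

```python
"""Server-side request forgery (SSRF) guard in front of a URL fetcher.

Added example, not Capital One's or AWS's code. `vulnerable_fetch` has the
shape the 2019 breach abused: a server fetches whatever URL a client names,
so a request for the EC2 instance metadata service hands back the role's
temporary credentials. `safe_target` rejects such destinations before any
connection is made, and `safe_fetch` refuses to follow redirects, which
would otherwise bypass the check. Hostnames and addresses are made up.
"""
from __future__ import annotations

import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit


def vulnerable_fetch(url: str) -> bytes:
    """The unguarded pattern: any URL, any scheme, redirects followed."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def _is_forbidden(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped literal cannot dodge the checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (169.254.0.0/16, where the
    # metadata service lives), RFC 1918, shared address space 100.64.0.0/10,
    # documentation, reserved and unspecified ranges.
    return not ip.is_global


def safe_target(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Decide whether a client-supplied URL may be fetched. `resolver` has the
    socket.getaddrinfo signature and is injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or 80
    except ValueError:
        return False, "invalid port"
    try:
        candidates = [ipaddress.ip_address(host)]          # literal address
    except ValueError:                                     # a hostname: resolve it
        try:
            infos = resolver(host, port)
        except socket.gaierror:
            infos = []
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
        if not candidates:
            return False, f"cannot resolve {host!r}"
    # Every address the name maps to must be public; one bad record is enough to reject.
    for ip in candidates:
        if _is_forbidden(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an error: a redirect to 169.254.169.254 would
    otherwise be followed after the original host passed validation."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def safe_fetch(url: str, resolver=socket.getaddrinfo) -> bytes:
    ok, reason = safe_target(url, resolver)
    if not ok:
        raise ValueError(f"refusing to fetch {url}: {reason}")
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    for u in ["http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://localhost:8080/admin", "https://api.partner.example/v1/rates"]:
        print(u, "->", safe_target(u))
```

Two caveats a practitioner will want. First, resolving a name and then connecting to it is still a check-then-use sequence, so DNS rebinding can swap the address between the two steps; routing outbound fetches through an egress proxy that applies the same rules at connect time, or an explicit allowlist of partner hosts, removes that gap. Second, on AWS the same path is closed from the other side by requiring IMDSv2 (`aws ec2 modify-instance-metadata-options --http-tokens required`): credentials are returned only to a caller that first obtained a session token with an HTTP PUT, which a GET-based SSRF through a WAF cannot issue.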

Limiting Access Points: Reducing Entry Vectors

Minimizing entry points into the network is key to reducing attack vectors. This involves segmenting the network into zones - such as user, server and management zones - and enforcing strict access controls between them.

Best Practice: Network Segmentation

Network segmentation isolates critical systems, ensuring that an attack in one part of the network doesn’t compromise the entire infrastructure. Organizations can use firewalls, VLANs and access control lists to limit communication between zones, reducing breach damage.

Real-World Example: Open Ports as Attack Vector - WannaCry

One of the most devastating cyberattacks in recent history was the WannaCry ransomware outbreak of May 2017. It exploited a vulnerability in Microsoft's Server Message Block version 1 implementation, reachable wherever TCP port 445 was open, and spread from machine to machine without any user action, which is why it moved so quickly across flat networks. Globally, hundreds of thousands of computers were affected; the malware encrypted files and demanded a bitcoin ransom to unlock them.

The ransomware used an exploit known as EternalBlue, developed by the NSA and leaked by a group calling itself the Shadow Brokers in April 2017. Microsoft had released the patch (MS17-010) in March 2017, but many systems had not applied it and still had SMBv1 enabled. Hospitals, government agencies and major corporations were among the worst affected, with widespread operational disruption. Two lessons follow: patch and disable SMBv1, and do not let TCP 445 cross zone boundaries or travel workstation to workstation, because segmentation contains a worm even when a patch is missing.
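The following is an added example, not from the article, serving both the segmentation best practice and the WannaCry case. It assigns each address to the user, server and management zones the text describes, applies a default-deny policy between zones to a few connection records, and flags any source that contacts several peers in its own zone on TCP/445, the workstation-to-workstation SMB pattern WannaCry relied on. The address ranges, policy table and log lines are constructed for the example.

```python
"""Zone policy check over connection records, with worm-style scan detection.

Added example, not from the article. It assigns each address to the user,
server and management zones the text describes, applies a default-deny
policy between zones, and flags sources that contact many peers in the
same zone on TCP/445, the lateral SMB spread WannaCry relied on. The
address ranges, policy and log lines are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

ZONES = {
    "user": ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
    "jumphost": ipaddress.ip_network("10.99.1.10/32"),
}

# (source zone, destination zone) -> TCP ports allowed. Pairs absent here are
# denied, so east-west traffic inside the user zone and anything from the
# internet to the management zone never reach a permit.
POLICY = {
    ("user", "server"): {80, 443, 445},      # workstations to web and file services
    ("internet", "server"): {443},           # published HTTPS only
    ("jumphost", "management"): {22},        # admins reach device consoles via the jump host
    ("management", "server"): {22, 443},
    ("server", "server"): {443, 5432},
}

SMB_PORT = 445
SCAN_THRESHOLD = 3   # distinct SMB peers from one source before we call it scanning

# Constructed records: timestamp, source, destination, destination port, protocol.
SAMPLE_LOG = """\
2017-05-12T13:01:22Z 10.10.4.15 10.10.7.3 445 tcp
2017-05-12T13:01:23Z 10.10.4.15 10.10.7.4 445 tcp
2017-05-12T13:01:23Z 10.10.4.15 10.10.7.5 445 tcp
2017-05-12T13:01:30Z 10.10.4.15 10.20.1.5 445 tcp
2017-05-12T13:02:01Z 198.51.100.7 10.20.1.5 445 tcp
2017-05-12T13:02:05Z 198.51.100.7 10.20.1.5 443 tcp
2017-05-12T13:03:10Z 10.10.4.16 10.99.0.5 22 tcp
2017-05-12T13:03:12Z 10.99.1.10 10.99.0.5 22 tcp
"""


def zone_of(ip: str) -> str:
    """Most specific matching zone; anything outside the listed ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "internet"


def evaluate(src: str, dst: str, port: int) -> dict:
    """Policy verdict for one flow; unknown zone pairs fall through to deny."""
    sz, dz = zone_of(src), zone_of(dst)
    allowed = port in POLICY.get((sz, dz), set())
    return {"src": src, "dst": dst, "port": port, "src_zone": sz, "dst_zone": dz,
            "verdict": "allow" if allowed else "deny"}


def evaluate_log(text: str) -> list[dict]:
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _proto = line.split()
        results.append(evaluate(src, dst, int(port)))
    return results


def smb_scanners(results: list[dict]) -> list[str]:
    """Sources that reached SCAN_THRESHOLD or more distinct peers on TCP/445
    inside their own zone, regardless of whether policy allowed the flow."""
    peers = defaultdict(set)
    for r in results:
        if r["port"] == SMB_PORT and r["src_zone"] == r["dst_zone"]:
            peers[r["src"]].add(r["dst"])
    return sorted(s for s, d in peers.items() if len(d) >= SCAN_THRESHOLD)


if __name__ == "__main__":
    res = evaluate_log(SAMPLE_LOG)
    for r in res:
        print(f'{r["verdict"]:5} {r["src"]:>14} ({r["src_zone"]}) -> '
              f'{r["dst"]}:{r["port"]} ({r["dst_zone"]})')
    print("possible SMB worm activity from:", smb_scanners(res))
```

In the sample, workstation 10.10.4.15 reaching a file server on 445 is allowed, the same host probing three other workstations on 445 is denied and reported as scanning, the internet source is allowed only on 443, and the management zone answers only to the jump host. Running the same two functions over real firewall or NetFlow exports is a cheap way to verify that the segmentation on paper matches what the network actually permits.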

Designing for High Availability: Ensuring a Resilient Infrastructure

Security isn’t just about preventing attacks. It's also about network resilience. High-availability configurations ensure systems remain operational even if a component fails. This includes having redundant systems such as multiple firewalls, routers and load balancers to prevent single points of failure.

Best Practice: Implement Redundant Systems

By implementing failover mechanisms and redundant network configurations, organizations keep critical systems running during attacks or outages. Redundant firewalls, load balancers and backup systems, for example, let traffic reroute automatically when a component fails. Redundancy only helps if it is exercised: test failover on a schedule, because an untested standby is just another single point of failure.

Real-World Example: DDoS Attack on Primary Servers - Dyn

One of the best-known DDoS attacks is the October 2016 incident against Dyn, then one of the world's largest managed DNS providers. The attack, launched primarily by the Mirai botnet, which had enrolled vulnerable Internet of Things devices such as cameras and home routers by logging in with their default credentials, overwhelmed Dyn's DNS servers with traffic. Major websites that used Dyn, including Twitter, Netflix, Amazon and GitHub, became unreachable in many regions, especially the northeastern United States.

Dyn mitigated the later waves, but the attack exposed how much of the internet depended on a single DNS provider and underscored the need to secure IoT devices. Companies that relied on Dyn alone suffered far longer outages than those that also had a second authoritative DNS provider, which is the clearest lesson of the day: don't depend on a single DNS provider without a backup.
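The following is an added example, not the article's, that turns the Dyn lesson into a check: given a zone's NS records and the nameservers' addresses, it reports whether every nameserver belongs to one operator or sits in one network prefix. The record sets are constructed in the shape `dig +noall +answer` prints; the zone and provider names are made up, and operator is approximated by the last two labels of each nameserver hostname.

```python
"""Single-operator and single-network checks for a zone's authoritative DNS.

Added example, not the article's. Given NS records for a zone and the
addresses of those nameservers, it reports whether every nameserver sits
with one operator or in one /24, the kind of single dependency that left
Dyn-only customers unreachable in October 2016. The record sets are
constructed in the shape `dig +noall +answer` prints; in practice feed it
real answers for the zone and for each nameserver name.
"""
from __future__ import annotations

import ipaddress

SINGLE_OPERATOR = """\
shop.example.           3600 IN NS   ns1.provider-a.example.
shop.example.           3600 IN NS   ns2.provider-a.example.
ns1.provider-a.example. 300  IN A    93.184.216.34
ns2.provider-a.example. 300  IN A    93.184.216.35
"""

DIVERSIFIED = SINGLE_OPERATOR + """\
shop.example.           3600 IN NS   ns1.provider-b.example.
ns1.provider-b.example. 300  IN A    151.101.1.140
"""


def parse_answers(text: str) -> list[tuple[str, str, str]]:
    """Return (owner, rrtype, rdata) per answer line; skip blanks and ; comments."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
        out.append((owner.lower(), rrtype.upper(), rdata.strip().lower()))
    return out


def operator_of(nameserver: str) -> str:
    """Approximate the operator by the registrable part of the hostname.
    Multi-label public suffixes such as co.uk would need a public-suffix list."""
    labels = nameserver.rstrip(".").split(".")
    return ".".join(labels[-2:])


def diversity_report(text: str, zone: str) -> dict:
    records = parse_answers(text)
    zone = zone.lower()
    nameservers = sorted(r for o, t, r in records if t == "NS" and o == zone)
    addresses = [r for o, t, r in records if t in ("A", "AAAA") and o in nameservers]
    operators = sorted({operator_of(ns) for ns in nameservers})
    # Group addresses by /24 (IPv4) or /48 (IPv6): one prefix usually means one
    # network, and a volumetric attack on it takes every nameserver with it.
    networks = sorted({
        str(ipaddress.ip_network(f"{a}/{'48' if ':' in a else '24'}", strict=False))
        for a in addresses
    })
    findings = []
    if len(nameservers) < 2:
        findings.append("fewer than two nameservers")
    if len(operators) < 2:
        findings.append("all nameservers run by one operator")
    if len(networks) < 2:
        findings.append("all nameserver addresses in one network prefix")
    return {"zone": zone, "nameservers": nameservers, "operators": operators,
            "networks": networks, "findings": findings}


if __name__ == "__main__":
    for label, data in [("single operator", SINGLE_OPERATOR), ("diversified", DIVERSIFIED)]:
        report = diversity_report(data, "shop.example.")
        print(label, "->", report["findings"] or ["no single-provider dependency found"])
```

The second operator only helps if resolvers can actually use it, so keep the zone data identical on both providers (via zone transfer or a common source of truth) and confirm that each nameserver answers authoritatively before relying on it as a backup.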

Protecting the Network at Every Layer

Effective network security requires a comprehensive, multilayered approach. From strong access controls using RBAC and TACACS+ to system hardening and the minimizing of access points, these measures together strengthen the network infrastructure. Designing for high availability ensures that even in the face of an attack or system failure, the business can continue to operate.

By applying best practices and learning from real-world incidents, organizations can build a secure, resilient network capable of defending against today's sophisticated threats. The time to secure your network is now - before it's too late.


CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.


Shervin Evans has extensive experience in risk management, compliance, system/network design and crafting robust security strategies. Before Deltec, he played pivotal roles in renowned financial services firms and multinational corporations, enhancing protection for critical assets and sensitive data. He specializes in areas such as cloud security, threat intelligence, SOC implementation, regulatory framework and incident response.


