Information and Communication / Cyber Security

This is intended as guidance for organisations creating policies that describe the protection of data when In Motion, At Rest and In Use against corruption, loss or breach using mechanisms such as encryption, access control and storage solutions.

CIS has provided cyber security advice to a number of organisations in support of their applications to the FCA for authorisation to provide regulated services.

It is our experience that cyber security is reactive (it is not a revenue source): it will not be actively managed day to day, but management by exception is acceptable.  Any cyber security framework should bear this in mind, automating tasks such as log analysis and interrupting staff only with exceptions where appropriate.

Network Security

CIS recommends a layered approach to Network Security, in accordance with best practice. The outline below is our starting point for network security.

Layer 1: Physical Layer

Data and systems should be covered by ISO 27001:2013 Annex A.11.1 (secure areas); where this is not possible a suitable substitute control should be in place.

Layer 2: Data Link Layer

802.1X (port-based network access control, as used by WPA2/WPA3-Enterprise) is widely used for access control on 802.11 wireless networks, and is similarly available for wired Ethernet ports.

Use of 802.1Q (VLANs) is relevant for segregation.  VLANs separate broadcast domains, not privilege levels, so traffic between VLANs should still pass through a Layer 3 filter.

Layer 3: Network Layer

Null routing IP addresses from the FireHOL Cybercrime IP Feeds mitigates known bad network access.  Null routing is more efficient than a packet inspection firewall because the drop happens at the routing lookup rather than after rule matching.  Note that a blackhole route only discards packets destined for the listed addresses: inbound packets from them still arrive unless reverse-path filtering (rp_filter) is also enabled, but with no return route no TCP connection can complete.  A feed should be validated before it is applied, since an entry covering your own or private address space would cut the host off.
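The validation step above, as an added example that is not CIS's tooling: it takes feed text in the one-entry-per-line style of the FireHOL ipset/netset files (the sample feed here is constructed, not real feed data), rejects unparsable lines, reserved ranges and anything overlapping an assumed operator-supplied list of own prefixes, collapses duplicates, and renders the surviving entries as Linux blackhole routes.

```python
import ipaddress

# Constructed sample in the one-entry-per-line style of the FireHOL ipset/netset
# files (not real feed data). Comments and blank lines are ignored by the parser.
SAMPLE_FEED = """\
# sample cybercrime feed
198.51.100.0/24
203.0.113.7
203.0.113.7          # duplicate entry
10.0.0.0/8           # RFC 1918: blocking this would cut the host off from its own LAN
192.0.2.0/24         # assume this is one of our own prefixes
not-an-address
256.1.1.1
"""

# Ranges a public-facing host must never null-route, whatever a feed says.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def parse_feed(text, own_ranges=()):
    """Return (networks_to_block, rejected) from feed text.

    own_ranges is an assumed operator-supplied list of prefixes that must
    never be blocked. Unparsable lines, reserved space and anything that
    overlaps own_ranges are rejected with a reason; duplicates and entries
    covered by a broader entry are collapsed.
    """
    own = [ipaddress.ip_network(r, strict=False) for r in own_ranges]
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparsable"))
            continue
        if net.version != 4:
            rejected.append((line, "not IPv4"))
            continue
        if any(net.overlaps(r) for r in RESERVED):
            rejected.append((line, "reserved range"))
            continue
        if any(net.overlaps(o) for o in own):
            rejected.append((line, "overlaps own range"))
            continue
        accepted.append(net)
    # collapse_addresses de-duplicates and merges covered or adjacent networks
    return list(ipaddress.collapse_addresses(accepted)), rejected


def blackhole_commands(networks):
    """Render Linux 'ip route' commands; 'replace' keeps re-runs idempotent."""
    return [f"ip route replace blackhole {n.with_prefixlen}" for n in networks]


if __name__ == "__main__":
    blocks, rejected = parse_feed(SAMPLE_FEED, own_ranges=["192.0.2.0/24"])
    print("\n".join(blackhole_commands(blocks)))
    for entry, reason in rejected:
        print(f"# skipped {entry}: {reason}")
```

The reserved list is explicit rather than relying on the library's is_private flag, because that flag also covers the RFC 5737 documentation ranges used in the sample; in production the own_ranges list should hold every prefix the organisation announces or depends on.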

Automated log analysis should be used to dynamically block abusive traffic targeting your network specifically.  Once an address is blocked, any further traffic from it is out of scope for analysis.  This mitigates brute-force and escalation attacks.

Layer 4 & 5: Transport & Session Layers

Ports that must be open out of necessity but need not be publicly reachable should be protected with a packet inspection firewall.  CIS runs a daily nmap audit from a public internet IP, compares it against a "known good" (gold standard) scan and reports any exceptions.  Exceptions should be handled by an Incident Response process for investigation.  Note that such a comparison only detects change from the baseline, not whether the baseline itself was acceptable, so the gold standard should be re-approved deliberately after every authorised change.
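The comparison step, as an added example that is not CIS's scanner: it parses two outputs in nmap's grepable (-oG) format, a gold standard and today's scan (both constructed here, with the hostnames and addresses assumed), and reports newly open ports, expected ports that have closed, and hosts that appear in one scan but not the other.

```python
# Constructed nmap -oG outputs (not real scan data). Each "Host:" line carries
# tab-separated fields; the Ports field lists port/state/proto/owner/service/...
GOLD_SCAN = """\
# Nmap 7.80 scan initiated as: nmap -sS -p- -oG gold.gnmap 203.0.113.0/28
Host: 203.0.113.10 (www.example)\tStatus: Up
Host: 203.0.113.10 (www.example)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)
# Nmap done -- 16 IP addresses (1 host up) scanned in 12.34 seconds
"""

TODAY_SCAN = """\
# Nmap 7.80 scan initiated as: nmap -sS -p- -oG today.gnmap 203.0.113.0/28
Host: 203.0.113.10 (www.example)\tStatus: Up
Host: 203.0.113.10 (www.example)\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (65531)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (65534)
# Nmap done -- 16 IP addresses (2 hosts up) scanned in 14.02 seconds
"""


def parse_gnmap(text):
    """Return {host: {(port, proto): service}} containing only open ports.

    A host that is up but has no open ports still gets an (empty) entry, so
    a host vanishing from the scan is reported as an exception too.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Status:"):
                hosts.setdefault(host, {})
            elif field.startswith("Ports:"):
                ports = hosts.setdefault(host, {})
                for entry in field[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")
                    if len(parts) < 5:
                        continue
                    port, state, proto, _owner, service = parts[:5]
                    if state == "open":
                        ports[(int(port), proto)] = service
    return hosts


def diff_scans(gold, today):
    """List (host, description) exceptions between the gold standard and today."""
    exceptions = []
    for host in sorted(set(gold) | set(today)):
        g, t = gold.get(host), today.get(host)
        if g is None:
            exceptions.append((host, "host not in gold standard"))
            continue
        if t is None:
            exceptions.append((host, "host missing from current scan"))
            continue
        for port, proto in sorted(set(t) - set(g)):
            exceptions.append((host, f"new open port {port}/{proto} ({t[(port, proto)] or 'unknown'})"))
        for port, proto in sorted(set(g) - set(t)):
            exceptions.append((host, f"expected port {port}/{proto} no longer open"))
    return exceptions


if __name__ == "__main__":
    for host, what in diff_scans(parse_gnmap(GOLD_SCAN), parse_gnmap(TODAY_SCAN)):
        print(f"EXCEPTION {host}: {what}")
```

Both the new database port and the closed HTTPS port are raised, because a service disappearing is as much an incident indicator (outage, tampering with the firewall) as one appearing.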

Some ports (for example file sharing) could be opened dynamically, for a defined period, for users who have completed 2FA.

CIS feeds log analysis of SIP, SSH, SMTP, POP and IMAP traffic to its Layer 3 firewall to dynamically block abusive sources.
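The detection side of this, as an added example that is not CIS's own tooling: a sliding-window count of authentication failures per source address across sshd, Postfix (SMTP), Dovecot (POP/IMAP) and Asterisk (SIP) log lines in their common default formats, producing the addresses to hand to the firewall. The log lines are constructed; the threshold, window, syslog year and the "never block" range are assumed policy values.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Failure signatures in the default log formats of each daemon. Each captures
# the source address as the 'ip' group.
PATTERNS = [
    ("ssh", re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port")),
    ("smtp", re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")),
    ("imap/pop3", re.compile(r"(?:imap|pop3)-login: .*auth failed.*rip=(?P<ip>[\d.]+)")),
    ("sip", re.compile(r"chan_sip\.c: Registration from .* failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?:Wrong password|No matching peer found)")),
]
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) ")
ASSUMED_YEAR = "2019"  # classic syslog timestamps carry no year

# Constructed sample log (not real traffic). 203.0.113.50 brute-forces SSH,
# 198.51.100.23 rotates across SMTP/IMAP/POP3, 203.0.113.77 probes SIP in two
# bursts far apart, and 192.168.1.20 is an internal host that must never be blocked.
SAMPLE_LOG = """\
Mar 10 12:00:01 mail sshd[4321]: Failed password for invalid user admin from 203.0.113.50 port 51234 ssh2
Mar 10 12:00:03 mail sshd[4321]: Failed password for invalid user admin from 203.0.113.50 port 51236 ssh2
Mar 10 12:00:04 mail sshd[4322]: Failed password for root from 203.0.113.50 port 51240 ssh2
Mar 10 12:00:05 mail sshd[4323]: Failed password for root from 203.0.113.50 port 51244 ssh2
Mar 10 12:00:06 mail sshd[4324]: Accepted publickey for alice from 192.168.1.20 port 40000 ssh2
Mar 10 12:01:10 mail postfix/smtpd[555]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:01:11 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.168.1.5, session=<abc>
Mar 10 12:01:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<bob>, method=PLAIN, rip=198.51.100.23, lip=192.168.1.5, session=<abd>
Mar 10 12:01:13 mail postfix/smtpd[556]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:02:00 pbx asterisk[900]: NOTICE[900] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '203.0.113.77:5060' - Wrong password
Mar 10 12:02:01 pbx asterisk[900]: NOTICE[900] chan_sip.c: Registration from '"101" <sip:101@pbx>' failed for '203.0.113.77:5060' - No matching peer found
Mar 10 12:30:00 pbx asterisk[900]: NOTICE[900] chan_sip.c: Registration from '"102" <sip:102@pbx>' failed for '203.0.113.77:5060' - Wrong password
Mar 10 12:30:01 pbx asterisk[900]: NOTICE[900] chan_sip.c: Registration from '"103" <sip:103@pbx>' failed for '203.0.113.77:5060' - Wrong password
Mar 10 12:40:00 mail sshd[4400]: Failed password for root from 192.168.1.20 port 40010 ssh2
Mar 10 12:40:01 mail sshd[4400]: Failed password for root from 192.168.1.20 port 40010 ssh2
Mar 10 12:40:02 mail sshd[4400]: Failed password for root from 192.168.1.20 port 40010 ssh2
Mar 10 12:40:03 mail sshd[4400]: Failed password for root from 192.168.1.20 port 40010 ssh2
"""


def parse_line(line):
    """Return (timestamp, service, ip) for a recognised failure line, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(ASSUMED_YEAR + " " + m.group("ts"), "%Y %b %d %H:%M:%S")
    for service, pattern in PATTERNS:
        hit = pattern.search(line)
        if hit:
            return ts, service, hit.group("ip")
    return None


def find_abusers(lines, threshold=4, window_seconds=300, never_block=("192.168.0.0/16",)):
    """Block a source once it has 'threshold' failures (any service) inside the window.

    Failures are counted across services, so an attacker rotating between
    SMTP and IMAP is caught as quickly as one hammering SSH. Once blocked, a
    source's further lines are ignored: they are out of scope for analysis.
    """
    safe = [ipaddress.ip_network(n) for n in never_block]
    recent = defaultdict(deque)
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, service, ip = parsed
        if ip in blocked or any(ipaddress.ip_address(ip) in n for n in safe):
            continue
        window = recent[ip]
        window.append((ts, service))
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # forget failures older than the window
        if len(window) >= threshold:
            blocked[ip] = {"at": ts, "services": sorted({s for _, s in window})}
    return blocked


def block_commands(blocked):
    """Blackhole routes for the Layer 3 firewall, one per abusive source."""
    return [f"ip route replace blackhole {ip}/32" for ip in sorted(blocked)]


if __name__ == "__main__":
    result = find_abusers(SAMPLE_LOG.splitlines())
    for ip, info in result.items():
        print(f"{ip} blocked at {info['at']} after failures on {', '.join(info['services'])}")
    print("\n".join(block_commands(result)))
```

The SIP probe is deliberately not blocked: its two bursts each stay under the threshold within the window, which is the trade-off a window introduces, and is the reason to pair this with the static feed rather than rely on either alone.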

Layer 6 & 7: Presentation Layer & Application Layer

Protocols at these layers are mostly capable of per-use authentication with at least a username and password.   See AAA below.

AAA

All resources require access controls and reporting for proper management.

Authentication

Under PSD2, Strong Customer Authentication (SCA) requires multi-factor authentication, in practice two-factor authentication (2FA), using at least two of: a knowledge factor (something the user knows), a possession factor (something the user has) and an inherence factor (something the user is).

Password / Knowledge Factor : Any initial password assigned should be verified to have been changed once a fixed onboarding period is over.  Accounts should be considered at risk during this period and suitable mitigations applied.  A site such as https://howsecureismypassword.net/ will demonstrate to users whether their password length and complexity are adequate; it should only ever be given illustrative passwords, never a real one, since the password is typed into a third party's page.

Dynamic Password / Possession Factor : TOTP apps are ubiquitous.  The shared secret generated at enrolment should be treated as sensitive data in the same way as a password: stored protected on the server and never logged.  Exchanging the secret (typically via a QR code) is a high-risk activity and should be suitably managed, for example shown once, over TLS, only to the already-authenticated user.

Authorisation

Assigning authenticated users roles (role-based authorisation) provides the easiest way to meet periodic auditability requirements, by allowing role permissions and role membership to be audited independently.

Accounting

Log files should be fed back into security mechanisms or exception-reported as appropriate.  For example failed remote connection attempts, logins to telephony and email resources, and connections from disallowed geographies should be noted and further attempts blocked where possible.

See also: How we feed Windows log entries to a central syslog server

From Cybercriminals to Nation-State actors, GDPR legislation and PSD2 - properly considered and implemented ICT / Cyber security is essential to every organisation.

Encryption in practice means TLS (1.2 or later), restricted to a limited set of strong AES-based cipher suites (AEAD modes such as AES-GCM) with appropriate key lengths.

Storage in practice means redundancy (RAID 1, 5 or 10) together with a backup and recovery strategy; RAID protects against disk failure, not against deletion, corruption or ransomware, so it is not a substitute for backups.

Along with these, Network Security mechanisms should be in place to limit breaches and to notify when they do occur [Art. 33 GDPR, which requires notification of the supervisory authority within 72 hours where feasible].

The OSI model can be used to independently evaluate Network Security.  Not all aspects considered are relevant to every circumstance.


The AAA framework [Authentication, Authorization and Accounting] can be used to independently evaluate resource access control.



© Commercial Internet Solutions Limited (2019-)
Registered in England and Wales, Company No. 07276867


Commercial Internet Solutions provides internet applications and services to small business clients around London, from our Tier 4 hosting facility, Custodian Data Centers in Maidstone, Kent, using N+1 redundant Supermicro servers.

We provide fast web and secure (SSL) imap and pop3 email hosting and cheap, compliant easy to use email marketing software.

We host, manage and backup Microsoft Windows Small Business Servers, dedicated Linux servers and Asterisk/ SIP based VoIP PBX solutions.