
Network Best Practices for ITS and Enterprise Networks

Architecture and Data flow.


Layer 2.
1. Install a 3-layer hierarchical network architecture (core, distribution and access layer), or at least a collapsed core architecture where core and distribution are merged.
2. Configure two uplink links to the aggregation/distribution layer.
3. Configure RSTP/MST or ERPS to prevent switching loops and broadcast storms.
4. Configure IGMP snooping (version 3) for multicast traffic on access layer switches.
5. Use link aggregation to increase port speed and provide HA.
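As an added illustration (not configuration from the document or its author), the following Cisco IOS fragment for a Catalyst access switch implements items 2 through 5: two LACP-bundled uplinks to the distribution layer, Rapid PVST+ with edge-port protection, and IGMP snooping with a snooping querier. Interface names, VLAN IDs and the port-channel number are assumed.

```cisco
! Access switch Layer 2 example (added illustration, not from the document;
! interface names, VLAN IDs and the port-channel number are assumed)
!
! item 3: Rapid PVST+. Access ports are edge ports and are err-disabled if a
! BPDU arrives, so a switch plugged into a user port cannot join the tree
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! item 4: IGMP snooping keeps multicast off ports with no subscribers; the
! snooping querier sends membership queries when no multicast router does
ip igmp snooping
ip igmp snooping querier
!
vlan 10
 name USERS
vlan 999
 name NATIVE
!
! items 2 and 5: two physical uplinks bundled with LACP into one logical trunk;
! losing either link halves the bandwidth but causes no STP reconvergence
interface range GigabitEthernet1/0/49 - 50
 description UPLINK to distribution (LACP bundle)
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,999
```

The bundle can only terminate on two different distribution switches if they operate as one logical switch (VSS, StackWise Virtual or an equivalent multi-chassis LAG); otherwise keep two separate trunks and let RSTP block one. On the distribution or core switch, pin the root with `spanning-tree vlan 1-4094 root primary` so an access switch can never be elected root.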

Layer 3
1. Configure a nonproprietary routing protocol that uses bandwidth as its metric instead of hop count for determining the best path, and that supports equal-cost load balancing.
2. Optimize network convergence and route lookup by summarizing network routes in the routing protocol.
3. Ensure all OSPF areas are connected to area 0 without virtual links.
4. Configure Protocol Independent Multicast (PIM) in sparse-dense mode on all IP interfaces, and Auto-RP (rendezvous point) for redundancy and load balancing.
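An added example (not from the document) of items 1 through 4 on a Cisco IOS distribution router acting as an OSPF area border router: bandwidth-based OSPF cost with equal-cost multipath, a single summary route advertised from area 10 into area 0, and PIM sparse-dense mode with Auto-RP. Addresses, area numbers and interface names are assumed.

```cisco
! Distribution router example (added illustration, not from the document;
! addresses, area numbers and interface names are assumed)
ip multicast-routing
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ip pim sparse-dense-mode
!
interface GigabitEthernet0/0
 description to core (OSPF area 0)
 ip address 10.255.0.1 255.255.255.252
 ip pim sparse-dense-mode
!
interface GigabitEthernet0/1
 description to site A access block (OSPF area 10)
 ip address 10.10.255.1 255.255.255.252
 ip pim sparse-dense-mode
!
router ospf 1
 router-id 10.0.0.1
 ! item 1: cost derived from bandwidth; a 10 Gbit/s reference makes 1G = 10
 ! and 10G = 1 instead of both being cost 1
 auto-cost reference-bandwidth 10000
 ! allow up to four equal-cost routes so traffic is load-shared across them
 maximum-paths 4
 network 10.0.0.1 0.0.0.0 area 0
 network 10.255.0.0 0.0.0.3 area 0
 network 10.10.255.0 0.0.0.3 area 10
 ! items 2 and 3: area 10 attaches directly to area 0 on this ABR, which
 ! advertises one 10.10.0.0/16 summary into area 0 instead of every subnet
 area 10 range 10.10.0.0 255.255.0.0
!
! item 4: Auto-RP. This router announces itself as candidate RP and acts as the
! mapping agent; the RP-announce/discovery groups are flooded in dense mode,
! which is why sparse-dense mode is configured on the interfaces above
ip pim send-rp-announce Loopback0 scope 16
ip pim send-rp-discovery Loopback0 scope 16
```

A second router configured with the same two `ip pim send-rp-*` commands becomes a redundant candidate RP; the mapping agent selects the candidate with the highest IP address and fails over when its announcements stop.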

Security (management, control and data plane)


Physical security.
All ITS cabinets should be equipped with a door monitoring device, such as an ITWatchDogs unit or similar, configured to send SNMP traps to a network management system (NMS) server such as WhatsUp Gold, SolarWinds or Paessler PRTG whenever a cabinet door is opened. This ensures the network administrator is notified if a cabinet has been compromised to gain access to network devices.
Layer 2 security
To ensure all access layer devices operating at layer 2 are secured from unauthorized access, the following measures must be taken.
1. Switches must not be allowed to operate on the default native VLAN 1. A VLAN ID agreed upon by the network design team shall replace the default value of 1. This goes a long way toward mitigating VLAN hopping (double tagging) attacks.
2. Port security should be enforced so that only allowed devices (a maximum number of devices per port) can access the network. This mitigates connecting two devices to one port with an RJ45 port splitter for reconnaissance, MAC spoofing and CAM flooding attacks.
3. Create multiple VLANs to isolate traffic that needs to run in parallel.
4. Shut down all unused ports and move them off the default VLAN to a VLAN created for unused ports.

By. Gipson Mbah (gipsuh@yahoo.com)- Credit to Savonia University- Teku

5. Install AAA server(s) to authenticate, authorize and log access and activity on each network device in the infrastructure. In the absence of multiple AAA servers for redundancy, each network device (router or switch) should have a local account database to grant access to the device if the AAA server becomes unavailable.
6. Enable encrypted passwords for console and VTY line access.
7. Enforce VTY line authentication through the AAA server, with fallback to the local database if the AAA server becomes unavailable.
8. In an environment with multiple network administrators, create different privilege access groups and associate the allowed executable commands with each. Place administrators in groups based on their role. This gives only the super admin access to high-level commands while limiting the helpdesk technician.
9. Enable only SSH and HTTPS connections to devices; this mitigates password sniffing.
10. Use a minimum of 10-character passwords (including upper and lower case letters, numbers and special characters) and allow only 3 failed attempts. This mitigates brute force attacks.
11. Configure a VTY and console timeout of 3 minutes. (applies to Layer 3)
12. Install and configure an NTP server for the network infrastructure. This ensures all devices on the network are synced to accurate time and that alert/log timestamps are accurate for auditing and troubleshooting. (applies to Layer 3)
13. Configure a management VLAN for all network gear (routers, firewalls, switches and wireless APs) and have all these devices monitored from the NMS computer for state of health and port traffic statistics.
14. Network devices should be configured to send level 3 syslog messages to the NMS, and text or email alerts to the network administrator. (applies to Layer 3)
15. Configure a private VLAN with isolated ports for critical servers that don't need to talk to each other.
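As an added example (not configuration from the document, its author or Savonia), the following Cisco IOS listing implements items 1 through 15 above on a Catalyst access switch. VLAN IDs, addresses, interface numbers, the TACACS+ server and every value marked PLACEHOLDER are assumed.

```cisco
! Access switch hardening example (added illustration, not from the document;
! VLAN IDs, addresses, interface names and PLACEHOLDER secrets are assumed)
! Private VLANs (item 15) require VTP transparent mode or VTPv3
vtp mode transparent
!
! items 1, 3, 4: native VLAN moved off VLAN 1, separate user/management VLANs,
! unused ports shut down and parked in a black-hole VLAN
vlan 10
 name USERS
vlan 99
 name MGMT
vlan 998
 name BLACKHOLE
vlan 999
 name NATIVE
interface GigabitEthernet1/0/49
 description UPLINK
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99,100,200
interface range GigabitEthernet1/0/30 - 48
 description UNUSED
 switchport mode access
 switchport access vlan 998
 shutdown
!
! item 2: one MAC per user port; extra MACs are dropped and logged (restrict).
! Use maximum 2 where an IP phone and a PC share the port
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
!
! items 5-8: TACACS+ for login, exec and command authorization, accounting,
! with local users as fallback; a level-5 helpdesk role covers the fallback case
! (with TACACS+ reachable, per-role command sets are defined on the AAA server)
aaa new-model
tacacs server TACACS1
 address ipv4 10.99.0.10
 key TACACS_KEY_PLACEHOLDER
aaa group server tacacs+ ADMIN-TACACS
 server name TACACS1
aaa authentication login default group ADMIN-TACACS local
aaa authorization exec default group ADMIN-TACACS local
aaa authorization commands 15 default group ADMIN-TACACS local
aaa accounting commands 15 default start-stop group ADMIN-TACACS
aaa local authentication attempts max-fail 3
enable secret ENABLE_SECRET_PLACEHOLDER
username netadmin privilege 15 secret NETADMIN_PASSWORD_PLACEHOLDER
username helpdesk privilege 5 secret HELPDESK_PASSWORD_PLACEHOLDER
privilege exec level 5 show interfaces
!
! items 6, 9-11: encrypted line passwords, SSH/HTTPS only, 10-character minimum,
! 3 failures then a 5-minute lockout (management hosts stay exempt), 3-minute
! idle timeout. Run once in exec mode first: crypto key generate rsa modulus 2048
ip domain-name its.example
ip ssh version 2
no ip http server
ip http secure-server
service password-encryption
security passwords min-length 10
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
login block-for 300 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
line con 0
 exec-timeout 3 0
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 3 0
!
! items 12-14: NTP with timestamps, management SVI, syslog at severity 3 (errors)
! and worse to the NMS
ntp server 10.99.0.5 prefer
ntp server 10.99.0.6
service timestamps log datetime msec localtime show-timezone
interface Vlan99
 ip address 10.99.1.11 255.255.255.0
ip default-gateway 10.99.1.1
logging host 10.99.0.20
logging trap errors
!
! item 15: isolated server ports reach only the promiscuous gateway port,
! never each other
vlan 200
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 200
interface range GigabitEthernet1/0/25 - 28
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
interface GigabitEthernet1/0/29
 description to server gateway/firewall
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200
```

Two design choices worth noting: `violation restrict` keeps a port up and logs the offending MAC, whereas `violation shutdown` err-disables it and turns a port-security event into a helpdesk ticket; and `login quiet-mode access-class` matters because `login block-for` otherwise locks out every login source, so a flood of failed attempts would also lock out the administrators who need to respond.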
Layer 3 security
1. Ensure all access to layer 3 devices is accounted for by the AAA server, with fallback to the local account database if a non-clustered AAA server goes offline.
2. Configure MD5 authentication for the OSPF or EIGRP routing protocol between existing layer 3 devices. This mitigates injection of malicious routes into the routing table.
3. Configure extended ACLs to allow inter-VLAN communication.
4. Enable stateful packet inspection on the layer 3 edge device; this ensures no TCP session initiated from the outside is allowed into the network.
5. Configure an ACL that denies all access from the outside world into the ITS network except for specific allowed hosts and TCP/UDP ports.
6. Enable only SSH and HTTPS connections to devices; this mitigates password sniffing.
7. Use a minimum of 10-character passwords (including upper and lower case letters, numbers and special characters) and allow only 3 failed attempts. This mitigates brute force attacks.
8. Utilize up-to-date vulnerability assessment tools (Nessus, GFI LanGuard or others) to scan routers, firewalls and switches for firmware vulnerabilities, and regularly update firmware.
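An added example (not from the document) showing items 2 through 5 on a Cisco IOS router: OSPF MD5 neighbour authentication, an extended ACL applied to a VLAN interface, and legacy CBAC stateful inspection with a default-deny inbound ACL on the WAN interface. Addresses, VLAN numbers, interface names and the key placeholder are assumed. On current IOS releases the zone-based firewall replaces `ip inspect`, and EIGRP is authenticated with `ip authentication mode eigrp <as> md5` plus a key chain on each interface.

```cisco
! Layer 3 router example (added illustration, not from the document; addresses,
! VLANs, interface names and the key placeholder are assumed)
!
! item 2: MD5 on every area 0 interface. A router without the key never forms
! an adjacency, so it cannot inject routes
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/0
 description to core (OSPF area 0)
 ip address 10.255.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 OSPF_KEY_PLACEHOLDER
!
! item 3: inter-VLAN policy on the user SVI. Users (VLAN 10) reach the server
! VLAN (20) only on HTTPS and DNS; other user-to-server traffic is denied and
! logged; everything else (Internet etc.) is left to the edge firewall below
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 permit udp 10.10.10.0 0.0.0.255 host 10.10.20.53 eq 53
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip  10.10.10.0 0.0.0.255 any
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
! items 4 and 5: CBAC inspects sessions leaving through the WAN interface and
! opens the return traffic dynamically ahead of the inbound ACL; the ACL itself
! admits only the published web server (203.0.113.10 is its static-NAT public
! address; NAT not shown) and drops everything else. Log sparingly on a busy edge
ip inspect name EDGE-FW tcp
ip inspect name EDGE-FW udp
ip inspect name EDGE-FW icmp
ip access-list extended FROM-INTERNET
 permit tcp any host 203.0.113.10 eq 443
 deny   ip any any log
interface GigabitEthernet0/1
 description WAN edge
 ip address 203.0.113.2 255.255.255.0
 ip inspect EDGE-FW out
 ip access-group FROM-INTERNET in
```

The order on the WAN interface is the point of item 4: an inbound packet is matched first against the session table CBAC built from outbound traffic, and only then against `FROM-INTERNET`, so a TCP connection that nobody inside initiated has no state entry and hits the final deny.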

Firewall/Router

1. Ensure all access to layer 3 devices is accounted for by the AAA server, with fallback to the local account database if a non-clustered AAA server goes offline.
2. Close all ports in and out of the network except for the ports used by allowed applications.
3. Create network objects and service groups, and allow communication between VLANs, the inside interface, the DMZ or the outside interface based on those network objects and service groups/ports.
4. Disable any service running on the device that isn't being used. (applies to Layer 2 devices)
5. Deploy a firewall that supports deep packet inspection and control (layer 7) and user identity control (patented "layer 8").
6. Configure a global policy to inspect all traffic (including ICMP) into and out of the router or firewall.
7. Configure and direct all inbound stateful traffic into the network through the intrusion prevention system (IPS) for analysis, and constantly update the IPS signature database.
8. Configure at least one IPS device in inline mode (with a limited set of critical signatures active to avoid latency) and one in passive mode (with more signatures). A passive mode IPS won't block an attack but will send a real-time alert to the network admin for prompt action.
9. Install an IPS device with a preprocessor that supports SSL decryption and deep packet inspection (packet header and payload).
10. Install a firewall/router that supports an advanced antivirus/malware module that scans all inbound traffic before it hits end devices.
11. Configure and pass VPN traffic through the IPS.
12. Configure a class-map and limit embryonic/maximum connections per device from WAN to LAN. This mitigates DoS/DDoS attacks.
13. Utilize URL filtering to blacklist dangerous sites.
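An added example (not from the document) of items 2, 3, 6, 7, 11 and 12 on a Cisco ASA: network objects and service groups, a default-deny inbound ACL, ICMP inspection in the global policy, redirection of all traffic to an IPS module, and embryonic/maximum connection limits on WAN-to-LAN flows. Object names, addresses, ports and the presence of an IPS module (the `ips` action applies to the AIP-SSM/SSP family) are assumed.

```cisco
! ASA firewall example (added illustration, not from the document; object names,
! addresses, ports and the IPS module are assumed)
!
! item 3: objects and service groups; rules reference these rather than raw IPs
object network WEB-SERVER
 host 10.10.30.10
 nat (dmz,outside) static 203.0.113.10
object-group network ITS-SUBNETS
 network-object 10.10.0.0 255.255.0.0
object-group service WEB-PORTS tcp
 port-object eq 443
!
! item 2: inbound ACL on outside. On ASA 8.3+ the rule names the real (pre-NAT)
! address; the trailing deny is explicit so blocked hits are logged
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! item 6: the global policy also inspects ICMP, so echo replies are matched to
! their requests statefully instead of needing a permanent ACL hole
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! items 7 and 11: all traffic, decrypted VPN traffic included, is handed to the
! IPS module; "inline fail-open" keeps traffic flowing if the module fails
access-list TO-IPS extended permit ip any any
class-map IPS-TRAFFIC
 match access-list TO-IPS
policy-map global_policy
 class IPS-TRAFFIC
  ips inline fail-open
!
! item 12: embryonic (half-open) and total connection limits for WAN-to-LAN flows,
! per client and overall, plus a short embryonic timeout. Once the embryonic
! limit is reached the ASA proxies the TCP handshake (TCP intercept) and only
! forwards connections whose client completes it
access-list WAN-TO-LAN extended permit ip any object-group ITS-SUBNETS
class-map WAN-TO-LAN-CLASS
 match access-list WAN-TO-LAN
policy-map OUTSIDE-POLICY
 class WAN-TO-LAN-CLASS
  set connection conn-max 2000 embryonic-conn-max 200 per-client-max 100 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:30
!
service-policy global_policy global
service-policy OUTSIDE-POLICY interface outside
```

The connection limits are the measurable part of item 12: size `embryonic-conn-max` from the server's normal half-open count under load (visible with `show conn` and `show service-policy`), because a limit set too low turns the protection itself into an outage during a legitimate traffic peak.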

NETWORK SECURITY ADMIN CENTER

1. Configure a computer on the management VLAN used only to monitor network gear. The computer should support 3 monitors, one for each of the following: NMS, IPS and firewall.
2. Configure a computer on the critical servers VLAN for other network security activities: monitoring server apps and health status, assessing vulnerabilities on servers and running patches.
3. Configure a computer for non-network-security-related tasks on the common network VLAN.
