Updated: Jun 29
Protecting network communication requires not only that a Network Administrator lock down a network with a firewall, custom scripts, malware protection, anti-virus, server level authentication, and server level firewalls or security protection, but it also includes isolating the data sent across a network. This is because there is always a possibility that a user has the ability to get into a network by cracking the firewall encryption and accessing a switch. Most switches have the ability to enter complex passwords, but they do not have the ability like servers to be highly secure.
Layer 2 network should be comprised of Wire Speed Gigabit Switches in segmented VLANs. IEEE 802.1D RSTP is enabled on all core network switches, and IEEE 802.1Q links are established packets to traverse in the LAN. IEEE 802.3AD is used as needed. Packet Frames come with a Header VLAN ID tagged to them when traversing in the LAN and are directed to 802.1Q Trunks that only allow that VLAN to pass.
A given trunk’s traffic should be segmented by VLAN. Load balancing is then typically done on the port or ether channel level; however, to accommodate heavy traffic flow, it is also considered when determining the most secure route (especially with “dedicated hosts”). Servers have multiple NICs connected to multiple switches (and multiple ASICs in remote branches) for redundancy.
iSCSI traffic should be completely segmented on two separate switches with broadcast and multicast storm control enabled, in addition to jumbo frames and flow control. One circuit is established as an 802.1Q 10 GigE trunk for passing only the storage networks between switches. There is one additional circuit to the Office Network for the network management VLAN only.
All NIC ports are shut in our facilities that are not in use and are moved to a different VLAN than our production or iSCSI networks. All network ports in our core network should be thourally documented. SNMP traffic is limited to a private community and for a particular host. This is to prevent an attacker from directly connecting to the network. Furthermore, admin passwords for SSH and enable passwords should be configured differently on each switch. Firewalls have another password as well, varying from the switch passwords.
IEEE 802.11 traffic for employees (including SSH, RDP, and other vulnerable ports) is best if its SSID is hidden, and a firewall is enabled. Cloud Guru IT now uses 802.1X for on-prem or cloud IDP instead of a WPA2 key, unless WPA2 is in guest mode. Furthermore, we have completely eliminated telnet and instead use SSH for specific users, ensuring maximum security for our clients.
Guest traffic also has a hidden SSID and is limited to TCP/IP and SMTP traffic for email. It is also filtered via an interface on the firewall. Our Channel is also set to something obscure (as opposed to something used frequently). MicroVPN or VPN pass-through is enabled but with IPSec, PPTP, L2TP enabled.