
2/5/2019 TestOut LabSim

3.4.1 Manageable Network Plan

Manageable Network Plan

In this lesson, we're going to discuss implementing a manageable network plan.

An unmanageable network is an insecure network. Implementing a manageable network increases overall network security.

You do this by using a manageable network plan.

Milestones
A manageable network plan is composed of a series of milestones that turn an unmanageable network into a manageable network.

The first milestone is to prepare to document your network. The second milestone is to map that network. The third milestone is to protect the network
architecture. And the fourth milestone is to ensure your network devices are accessible. These are the four milestones that we're going to address in this
particular lesson. Milestones five, six, seven, and eight are covered in another lesson.

A manageable network plan takes time and a lot of resources to implement, but it's worth it. Once your network is manageable, you'll be able to implement
security measures much more efficiently and much more effectively.

Prepare to Document
Let's look at milestone number one, preparing to document your network. We're not talking about documenting your network at this point. What we're
talking about is setting up a way to document.

Some suggestions include making it user friendly. If you have a complex documentation system that everybody hates, they're not going to use it. Make it
easy by using some type of online wiki to document information and a blog or an RSS feed to notify your administrators whenever that wiki changes.

Include enough detail. Include usable details, not mundane information that nobody cares about. Use timestamps on your documentation. That way, we
know whether the document we're looking at is still valid.

Restrict access to the documentation and possibly even encrypt it. Be certain that only a specific list of people can see it.

Keep a hard copy. If there is a power outage, a hardware failure, or a major natural disaster, you could lose access to all of that documentation. Print out a
hard copy and keep it in a secure location.

Map Your Network

Let's look at milestone two, mapping the existing network. To manage your network efficiently, you must know where everything is located.

Create an accurate map of your current network topology. Don't forget to include your wireless devices.

Create a list of all of the devices on the network. This includes computers, printers, servers, switches, routers, firewalls, and any other physical hardware
devices implemented on your network.

Record the host name, role, and MAC address of each device. If available, also record the IP address (and whether it is statically or dynamically
assigned), the service tag, the physical location, and the operating system or firmware version the device is running.

If your network is large, consider using a network scanner to automatically scan all the devices on your network. Nmap is a great utility for this. But don't
rely just on the network scanner. After you develop your initial list with the network scanner, verify the information by performing a room-by-room
walkthrough. You should also identify who's responsible for managing each device.

Generate a list of all the network protocols in use on the network. A great way to do this is to use a network scanner like Wireshark. As you do, it's very
likely you will find unauthorized devices and protocols on your network. Consider removing them.

Protect Your Network

In milestone three, we protect the network architecture. This includes several steps.

Identify and document which users have access to what information on the network. For example, you may determine that human resources employees
have access to personnel related files, while the research and development staff has access to design documents.

Identify high value network assets. This does not refer to how much the asset cost. It refers to how valuable that asset is to the organization. Ask yourself
the question, "What would happen to the business if this particular system went offline?" If its disappearance would go unnoticed, it's a low value
asset. If that system went offline and the entire organization halted, that's a high value network asset.

Document your trust boundaries. Look at all of the systems that comprise your network and rank them by your level of trust in that system. One thing we
can do to increase security is to establish boundaries between systems that have different levels of trust. For example, we might put our low-trust systems
into a DMZ and put our trusted systems on a secured network. That way, if an untrusted system is compromised in some way, it doesn't affect the trusted
systems.

https://cdn.testout.com/client-v5-1-10-551/startlabsim.html 1/2
Identify the chokepoints on the network. These chokepoints should protect the high value assets that you identified earlier. If necessary, reposition those
chokepoints through the trust boundaries you've documented. For example, you could limit the number of internet access points on your network. This will
decrease your overall attack surface. You may decide to segregate and isolate your networks.

Make sure that only users and groups that need specific data can actually access it. You can do this either physically or use VLANs. For example, you
could create a separate VLAN that can only be accessed by human resources. That way, sensitive employee data is protected from everyone else in the
organization.

Likewise, you might create a separate VLAN for the research and development organization so that all of their design documents are protected from those
who should not have access. You could also separate data networks from voice networks. This way, the failure of one network doesn't affect the other.

Consider isolating your wireless and wired networks from each other. Also consider isolating server functions. Aggregated server functions open multiple
attack vectors into a single piece of hardware. To reduce the security exposure, use dedicated servers for each service.

Don't overlook physical security. Make sure that high-value systems are not only logically secured on the network, but also physically secured.
Unauthorized people should never be able to physically touch a server. Look at your high value systems and ask yourself, "If I were a vending machine
repairman working on-site, would I be able to get to the server?" If the answer is yes, then you need to implement physical security to protect those
systems.

Reach Your Network

Let's move on to milestone four, network device accessibility.

A device that is hard to administer won't be checked very often. Because you're not looking at it often, it's more likely to have security vulnerabilities. To fix
this problem, make sure that every device on your network can be easily accessed.

This access could be physical, walking up to the device and accessing its console, or it could be remote access over a network connection.

While these devices must be accessible, they also have to remain secure. For example, we could make a network device very accessible by unlocking the
data center door, but we've also made it less secure in the process. Make sure your devices are securely accessible. Keep in mind the following
suggestions.

First, don't use insecure, clear text protocols such as Telnet or FTP to access these network devices. These protocols do not encrypt information that's
being transmitted over the network. Any authentication information you send to access a device, as well as any files you upload to or download from the
device, will travel in clear text. Anybody running a sniffer will be able to capture that information and compromise the security of that device.
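The following script is an added example, not TestOut's code; it ties together the Nmap-based inventory from the Map Your Network milestone with the ban on clear text management protocols above. It parses a constructed sample of Nmap's XML output (the element and attribute names follow Nmap's -oX format) and reconciles it against a constructed documented inventory keyed by MAC address, reporting undocumented devices, documented devices that did not answer, and devices still exposing Telnet or FTP.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML (-oX) output for a small subnet; not a real scan.
SCAN_XML = """<nmaprun scanner="nmap">
<host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="fs01"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
<host><status state="up"/>
<address addr="192.0.2.1" addrtype="ipv4"/><address addr="AA:BB:CC:DD:EE:01" addrtype="mac"/>
<hostnames><hostname name="sw-core"/></hostnames>
<ports><port protocol="tcp" portid="23"><state state="open"/></port>
<port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
<host><status state="up"/>
<address addr="192.0.2.77" addrtype="ipv4"/><address addr="DE:AD:BE:EF:00:01" addrtype="mac"/>
<ports><port protocol="tcp" portid="21"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/></port></ports></host>
</nmaprun>"""

# Constructed documented inventory, keyed by MAC address as the lesson recommends.
INVENTORY = {
    "00:11:22:33:44:55": {"hostname": "fs01", "role": "file server", "owner": "it-ops"},
    "AA:BB:CC:DD:EE:01": {"hostname": "sw-core", "role": "core switch", "owner": "netops"},
    "AA:BB:CC:DD:EE:02": {"hostname": "sw-edge", "role": "edge switch", "owner": "netops"},
}
# Clear text management protocols the lesson says to ban (TCP port -> name).
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet"}

def parse_scan(xml_text):
    """Return {mac: {"ip", "hostname", "open_ports"}} from Nmap -oX output."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        name = host.find("hostnames/hostname")  # None when Nmap resolved no name
        open_ports = [int(p.get("portid")) for p in host.findall("ports/port")
                      if p.find("state").get("state") == "open"]
        hosts[addrs.get("mac", addrs["ipv4"])] = {   # fall back to IP if no MAC seen
            "ip": addrs["ipv4"],
            "hostname": name.get("name") if name is not None else None,
            "open_ports": open_ports}
    return hosts

def reconcile(scan, inventory):
    """Compare scan results with the documented inventory and flag clear text access."""
    return {
        "undocumented": sorted(m for m in scan if m not in inventory),
        "missing": sorted(m for m in inventory if m not in scan),
        "cleartext": {m: sorted(CLEARTEXT_MGMT[p] for p in h["open_ports"] if p in CLEARTEXT_MGMT)
                      for m, h in scan.items() if CLEARTEXT_MGMT.keys() & h["open_ports"]}}
```

Each undocumented MAC is a candidate for the room-by-room walkthrough the lesson describes, and each entry under cleartext is a device whose management access should be moved to an encrypted protocol.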

Use GPOs to enforce hardening settings on your Windows systems. Set up your security policy using GPOs and it will automatically be applied to
workstations and servers. Avoid manually configuring security settings. GPOs ensure that these security settings are enforced effectively and efficiently.

Make sure that your remote access connections are secure. This ties into the first point about banning insecure protocols.

Account for physical access issues. Suppose an administrator has physical access to a system's console and uses it to complete their day-to-day work.
The admin leaves that console logged in with administrative access while they walk away to go do something else. This dramatically decreases the
security of the system.

Automate the security administration of devices as much as possible. This helps ensure that it actually gets done by taking the human element out of the
situation.

Summary
That's it for this lesson. In this lesson, we talked about the first four milestones in a manageable network plan. By implementing these measures your
network will be secure and easy to manage.

TestOut Corporation All rights reserved.
