Network security is a major challenge for companies. Indeed, the growing importance of IT assets, the interconnection of information systems and their exposure have increased the risks of attacks. At the same time, information (data) is produced, processed, exchanged and exploited by systems and on networks that may be vulnerable in all their components or configuration: servers, workstations, segmentation, Wi-Fi, user access, applications, etc.
Why is it important to secure an internal network?
Networks are one of the main targets of attacks because their design rarely considers security risks. This usually results in:
- Lack of access management systems and procedures
- Lack of encryption mechanisms
- Poor or insufficient management and configuration of network equipment
- Lack of patch and update management policies
- Lack of or poor segmentation of the network
- Lack of network and system security assessment
We concede that designing a network architecture is a complex process. However, proper design should not be based solely on functional requirements. It must also take into account security considerations to avoid critical vulnerabilities that could compromise the entire information system. It is therefore necessary to include security requirements in the network design phase, which should ensure the following objectives:
- Confidentiality, to ensure that authorised users or systems have ‘ONLY’ access to the resources and data to which they are entitled.
- Integrity, to ensure that resources, data and information are not altered, stolen or destroyed by unauthorised users or resources.
- Availability, to ensure smooth operation and uninterrupted access to services and resources.
- Traceability, to ensure that all modifications and changes in the system are monitored and controlled.
To sum up in one sentence: the continuity of an organisation’s activity, and therefore its sustainability, implies that of its information system. However, this continuity can only be ensured by the implementation of a security policy and measures tailored to the company’s specific challenges. However, information without a system to deliver it is useless, and a system cut off from its users is meaningless. This is why network security must be one of the priorities of any company, whatever its sector, activity or size.
Securing an internal network is therefore vital and necessarily involves implementing best practices in terms of configuration, integration, monitoring and security testing.
This article does not aim to be exhaustive. It will address network security from a best practice perspective only, with some additional information on the risks, types of attacks and vulnerabilities that can be exploited by attackers to compromise an internal network. We invite you to take a look at our article: How to strengthen the security of your network infrastructure to counter the most common attacks? in order to have a more comprehensive view of the security issues and risks related to the internal network.
Internal network segmentation
Network segmentation is the separation of the network into physical and logical domains, each protected by a defined security perimeter. In practice, it involves splitting the network into smaller network segments that are isolated from each other within virtual local area networks (VLANs) or physical networks (LANs).
On the one hand, this allows workstations, devices, applications, servers and other systems with different levels of criticality to be grouped together in separate zones in order to optimise management and security levels. On the other hand, segmentation enables the restriction of authorised connections by differentiating, for example, an internal network for which no connection from the Internet is authorised from a network accessible from the Internet. This is generally referred to as a demilitarised zone or DMZ. Furthermore, the implementation of such a DMZ requires the installation of firewalls between the partitioned networks in order to control the incoming and outgoing information flows.
VLAN network segmentation
VLANs therefore enable to create virtual networks connected to a physical device (switch), allowing to separate the traffic between the different logical networks defined. This ensures that machines in one VLAN cannot communicate with those belonging to another VLAN, unless interconnection is desired. Thus, VLANs not only provide better control but also simplify the management and administration of the network.
However, let’s be clear, they do not provide any security mechanism per se. Indeed, the segmentation of the network into VLANs does not thwart attacks, but it remains an essential security measure, as it is one of the main ways to reduce the impact of a successful attack.
Wi-Fi network partitioning
Wi-Fi networks can also be used as attack vectors. It is therefore necessary to distinguish the Wi-Fi connections of personal or visitor terminals from those of the organisation’s systems, and to filter the flows of workstations connecting to the Wi-Fi network. To do this, several partitioned Wi-Fi networks can be set up in order to restrict access to certain critical resources while ensuring that only the necessary elements are accessible to the different predefined user groups.
To reduce the risk of your network being compromised, you should ensure that:
- Segment and partition the network according to the criticality of the information and systems on the network (DMZ, internal networks, critical networks, etc.).
- Consider segmentation requirements in any new network expansion.
- Dedicate an administration area for the network that is logically or physically separate from the other networks.
Securing Wi-Fi networks
The use of WIFI networks is essential in most companies, generally for reasons of comfort and performance optimisation. However, as mentioned earlier, it is necessary to separate the uses by implementing segmentation mechanisms. This provides additional security.
Furthermore, the physical security of Wi-Fi access points and related infrastructure should not be overlooked. Appropriate controls should therefore be implemented to protect the equipment.
Lastly, Wi-Fi network communications must be secured and encrypted using a proven protocol such as WPA2 and WPA3. Generally and if possible, the deployment of Wi-Fi networks on information systems handling sensitive data should be avoided or, failing that, specific measures should be implemented.
Thus, to secure WI-FI networks, it is necessary to:
- Separate WIFI networks from the rest of the network
- Strengthen the security of access points:
- Change the default configuration of access points: administration and Wi-Fi passwords, default SSID, etc.
- Disable unused management interfaces and services.
- Disable SSID broadcast.
- Set up MAC address filtering.
- Enable logging of access point activity.
- Implement effective encryption techniques:
- Avoid the use of vulnerable protocols such as WEP.
- Disable WPS.
- Use strong encryption such as WPA2, WPA2-PSK, WP3
Securing the administration and management of network devices
The administration and management of active network devices is a critical aspect that must be handled in an appropriate manner, with adequate security measures, to prevent unauthorised intrusion. To return to the subject of network segmentation, it is strongly recommended to create an area dedicated to the administration of network devices. This segment enables to manage and verify the proper functioning of all components within a given security perimeter.
Furthermore, management traffic should also be separated from the rest of the communications to eliminate the possibility that it could be intercepted in transit. Where appropriate, management traffic should transit through a secure protocol.
Thus, as the administration and management of network devices is by nature particularly sensitive, it must be adequately protected, with appropriate filtering, restrictions and protocols. To do this, it is therefore necessary to:
- Have an inventory of the network infrastructure with the location, role, rights and version of each system component.
- Ensure that the software and operating systems (OS) of the network infrastructure components are kept up to date.
- Strengthen equipment security:
- Change default administration accounts and passwords.
- Disable all unused services and interfaces.
- Restrict physical access to equipment to authorised persons only.
- Restrict access to equipment administration interfaces to authorised persons only.
- Use encrypted communication protocols (SSH, HTTPS, SMBv3, LDAPS, etc.).
Securing communications and data exchanges on the network
Information and data that are transmitted in clear test on a network, i.e. unencrypted, constitute a major risk in terms of confidentiality and integrity. The risk is even greater on Wi-Fi networks, as communications can be intercepted throughout the perimeter covered by the access point.
In this configuration, logins, passwords, technical documents and other sensitive data (personal, payment information, etc.), can easily be retrieved by attackers with appropriate eavesdropping tools. This type of attack is known as “sniffing”.
Given the risks, encryption of information and data flowing over the network is necessary. To protect oneself, it is essential to integrate an encryption layer into existing protocols (http, rtp, ftp, etc.) to guarantee the confidentiality and integrity of communications.
Control and secure user access
Implementing a secure access control system
Access control is probably the most central aspect of network security. It should be based on permissions and access rights to a well-defined security perimeter. To protect against unauthorised access or network intrusion, authentication mechanisms should be used for users and devices.
Indeed, access of systems and users must always be authenticated and authorised beforehand. This allows to confirm the identification of the account owner before assigning rights (according to his role, function, etc.) and to keep a record and follow-up of his actions (via logs).
However, given the size, nature and complexity of some networks, and the specificities of some organisations, managing authentication databases can be difficult. In general, a centralised single sign-on (SSO) solution can address this issue, as long as it is properly integrated and secure.
Implementing an effective password policy
Authentication security naturally requires the implementation of an effective password policy. On this point, three words of order:
- The complexity of the password that must be enforced when an account is created: it must above all be long (more than 15 characters). On this point, nothing is better than the implementation of a proven password manager.
- The identifiers contained in passwords, the name of the company or application followed by the year and an exclamation mark are widespread practices known to attackers. Therefore, if possible, enforce the creation of passwords that do not contain at least the identifier and make users aware of the risks associated with the use of predictable passwords.
- Password expiration policies to encourage frequent password changes are a false good idea. On the face of it, it seems like a good security measure. However, the analysis of user behaviour shows a different reality in hindsight. Indeed, most of the time, users simply create another password that is not secure because it is easy to remember and therefore easy to guess by attackers. It is therefore recommended to ban these password expiration policies and simply encourage users to choose a sufficiently long and complex password.
In summary, to secure user access and improve control, it is therefore necessary to:
- Define and separate roles and responsibilities for access to all network resources.
- Set up access rules based on the “zero trust” principle of “everything is generally prohibited unless authorised” rather than the more flawed rule of “everything is generally authorised unless prohibited”.
- Allocate permissions and access rights on the principle of least privilege, i.e. “limit the rights of any user to only those applications/data necessary for their tasks.
- Ensure traceability of changes in access rights.
- Strengthen authentication by implementing strong authentication (strong passwords, tokens, certificates, etc.).
- Choose a strong password: Length is the watchword.
- The password should not be attached to any personal information that is easy to guess or obtain.
- It goes without saying: do not keep a record of the password in clear text.
- Avoid using default passwords.
- The recording and storage of passwords should also be protected by implementing encryption mechanisms that ensure their confidentiality and integrity. For more information on best practices for secure password storage, you can check our article: How to securely store passwords in a database?
- Implement, if necessary, a centralised solution for authentication and authorisation of access to network resources (SSO).
- Place authenticated devices and users in security areas that match their profiles and privileges.
- Block access to unauthenticated devices and users or place them in dedicated zones that allow restricted access to network services.
- Implement techniques to protect against unsuccessful login attempts (e.g. limit the number of login attempts before blocking access).
- Disconnect login sessions after a period of inactivity.
For more details on these best practices, we refer you to our article: How to secure authentication, session management and access control systems?
Logging is a control mechanism for monitoring the network and ensuring traceability. However, even if best practices in logging and monitoring do not provide any protection against attacks, they do allow the detection and investigation of unusual events and intrusions.
To facilitate the management and exploitation of logs, it is advisable to centralise them in a dedicated area allowing easier administration. To do this, it is necessary to implement programs (agents) on all the machines to be monitored in order to send back to the server all the events listed in your log files. This is important because, in the event of a machine being compromised, it is likely that the logs will be destroyed by the attacker. Centralising, synchronising and duplicating the logs will ensure that you always have a copy.
Finally, it is recommended to use equipment with native logging functionality.
In summary, best logging practices involve:
- Establish procedures for log management, analysis and backups.
- Determine the level of logging required for each piece of equipment regarding their criticality.
- Determine the critical elements to be monitored that will generate alerts (metrics).
- Centralise logs on a central solution (log server).
- Send activity logs to a secure and dedicated management network and encrypt their transmission.
- Restrict access to logs to authorised persons only.
For more information on the principle and best practices of logging and monitoring, you can consult our article: Logging and Monitoring: definition and best practices.
Securing an application is vital and this necessarily involves implementing best practices in terms of development, integration, monitoring and security testing.
We have discussed the issue of application security in a previous article. We invite you to consult it for an overview of the best practices to implement, in terms of reducing the attack surface, server security, authentication security, protection of sensitive data, etc.: How to secure a website or a web application?
And for more information on the common vulnerabilities of web applications, we refer you to our article: How to strengthen the security of your web applications to counter the most common attacks?
Raising awareness of security risks, including social engineering threats
The risks of intrusion into systems are significant and workstations are often a gateway for attackers. Indeed, a workstation without adequate protection can not only jeopardise the information processed and stored on it, but also serve as an attack vector to compromise the systems to which it has access.
It is therefore essential that basic security practices are known and implemented by the systems security team and users. These measures are based on:
- Technical protection of workstations, which involves:
- Systematic and daily backup of data.
- Secure configuration and regular updates.
- Encryption of storage media (keys, disks, etc.)
- Cautious and informed user behaviour, which includes:
- Choosing strong passwords.
- A careful attitude towards USB drives.
- A wise use of the Internet (browsing, downloading, using online services).
- A cautious attitude towards emails and calls received given the increase in social engineering attacks (phishing, vishing, etc.).
Protecting against social engineering risks
Beyond the technical risks, the most common vulnerability exploited to compromise an information system is the human element, via social engineering attacks. These attacks consist of using social skills to obtain or compromise information about a company or its systems.
Email ( through phishing) remains the main attack vector, as most studies and examples of successful social engineering attacks on small, medium and large companies show. And the consequences are often devastating and irreversible. However, there are simple measures to limit the impact of this type of attack:
- Implement a security strategy adapted to your risks. Data encryption, network segmentation, rigorous access control, [etc.] are all ways of thwarting attacks or reducing their impact.
- Carry out social engineering tests to to assess the attitude of your staff to phishing emails. The results of these tests can be used to optimise awareness campaigns. For more information on what to consider when creating a social engineering campaign, you can consult our white paper:
- Raise awareness and train your technical and non-technical teams, as cybersecurity is everyone’s business. Indeed, there are training courses offered by third parties, allowing you to raise awareness among your teams about social engineering attacks. The objective is to facilitate the understanding of the mechanisms of cyber attacks through phishing in particular, and the adoption of best practices and postures to avoid taking the bait.
Perform a network penetration test to assess risks and strengthen your security
A network penetration test remains the best way to test the security of your systems against attacks. The objective: to identify potential vulnerabilities and propose security patches.
Indeed, this type of offensive audit follows a proven methodology, allowing for an in-depth analysis of the risks of internal networks, some of which have been mentioned in the heart of this article. From this point of view, a network penetration test consists of mapping the network and then carrying out tests on the elements identified: servers, workstations, Wi-Fi, network devices, workstations, etc.
The report issued following the tests enables to understand the mechanisms of the discovered vulnerabilities in order to reproduce and correct them.