The objective of this control is to ensure the protection of information in networks and its supporting information processing facilities. Communications encompass the breadth of digital data flows both within an organization and between external entities across network infrastructures. These flows now include data, voice, video, and all of their associated signaling protocols. Securing these information flows as they traverse Intranets, Extranets, and the Internet requires effective network infrastructure management as well as controls, policies, and procedures. This control provides guidance in planning, developing, and implementing the most essential elements of a Communications Security strategy.
Networks must be managed and controlled in order to protect information within systems and applications. Put simply, the organization should use appropriate methods to ensure it is protecting any information within its systems and applications. These network controls should consider all operations of the business carefully, be adequately and proportionately designed, and be implemented according to business requirements, risk assessment, classifications, and segregation requirements as appropriate. Possible technical controls for consideration include connection control and endpoint verification, firewalls and intrusion detection/prevention systems, access control lists, and physical, logical, or virtual segregation. When connecting to public networks, or to the networks of other organizations outside organizational control, consider the increased risk levels and manage these risks with additional controls as appropriate. Bear in mind that the auditor will be looking to see that these controls are implemented effectively and managed appropriately, including the use of formal change management procedures.
Security of network services in information security refers to the set of practices and technologies that are used to protect the various services that run on a network, such as email, web, file transfer, and database services. These services are often targeted by attackers because they are critical to the functioning of an organisation and are typically the entry point for attackers to gain access to the network.
8.20 Networks security
Networks and network devices should be secured, managed and controlled to protect information in systems and applications.
To protect information in networks and its supporting information processing facilities from compromise via the network.
ISO 27002 Implementation guidance
Controls should be implemented to ensure the security of information in networks and to protect connected services from unauthorized access. In particular, the following items should be considered:
- the type and classification level of information that the network can support;
- establishing responsibilities and procedures for the management of networking equipment and devices;
- maintaining up to date documentation including network diagrams and configuration files of devices (e.g. routers, switches);
- separating operational responsibility for networks from ICT system operations where appropriate;
- establishing controls to safeguard the confidentiality and integrity of data passing over public networks, third-party networks or over wireless networks and to protect the connected systems and applications. Additional controls can also be required to maintain the availability of the network services and computers connected to the network;
- appropriately logging and monitoring to enable recording and detection of actions that can affect, or are relevant to, information security;
- closely coordinating network management activities both to optimize the service to the organization and to ensure that controls are consistently applied across the information processing infrastructure;
- authenticating systems on the network;
- restricting and filtering systems connection to the network (e.g. using firewalls);
- detecting, restricting and authenticating the connection of equipment and devices to the network;
- hardening of network devices;
- segregating network administration channels from other network traffic;
- temporarily isolating critical subnetworks (e.g. with drawbridges) if the network is under attack;
- disabling vulnerable network protocols.
The organization should ensure that appropriate security controls are applied to the use of virtualized networks. Virtualized networks also cover software-defined networking (SDN, SD-WAN). Virtualized networks can be desirable from a security viewpoint, since they can permit logical separation of communication taking place over physical networks, particularly for systems and applications that are implemented using distributed computing.
Network security is a key component of an organisation’s broader information security policy. Whilst several controls deal with individual elements of an organisation’s LAN and WAN setup, this control is a series of broad protocols that deal with the concept of network security as a governing principle in all its various forms. It focuses on two key aspects of network security across all of its general guidance points: information security, and protection from unauthorised access (particularly in the case of connected services). To achieve these two goals, organisations must:
- Categorise information across a network by type and classification, for ease of management and maintenance.
- Ensure that networking equipment is maintained by personnel with documented job roles and responsibilities.
- Maintain up to date information (including version controlled documentation) on LAN and WAN network diagrams and firmware/configuration files of key network devices such as routers, firewalls, access points and network switches.
- Segregate responsibilities for an organisation’s network from standard ICT system and application operations, including the separation of administrative traffic from standard network traffic.
- Implement controls that facilitate the secure storage and transfer of data over all relevant networks (including third-party networks), and ensure the continued operation of all connected applications.
- Log and monitor any and all actions that directly impact information security as a whole across the network, or within individual elements.
- Coordinate network management duties to complement the organisation’s standard business processes.
- Ensure that all systems and relevant applications require authentication prior to operation.
- Filter traffic that flows through the network via a series of restrictions, content filtering guidelines and data rules.
- Ensure that all devices that connect to the network are visible, authentic and are able to be managed by ICT staff.
- Retain the ability to isolate business critical sub-networks in the event of a security incident.
- Suspend or disable network protocols that are either compromised or have become unstable or vulnerable.
Network security management includes the following controls:
- Network controls that will ensure information communicated through the networks will be protected – for example, logging and monitoring of the actions in the network, restrictions of the connections to the network, authentication of the systems connected to the network, etc. Annex A doesn’t require documenting this control; however, in order to ensure effective network controls, responsibilities and procedures for managing network equipment can be documented.
- Security of network services will be managed by defining network service agreements with relevant security parameters and requirements such as the implementation of firewall and intrusion detection systems and monitoring the performance of the network providers. This control should be documented by signing the network service agreements.
- Segregation in networks is one of the methods to manage the security of networks. This means dividing the network into smaller separate networks that are easier to manage and protect. This division can be made based on the criticality of the domain (for public access, server domain, etc.), based on the organizational departments (for example, for top management, for finance department, etc.), or some other combination suitable for the organization. ISO 27001 doesn’t require documenting this control.
Establishing Responsibility and Procedures for Network Management and Operations
Information flowing across networks cannot be secured without effective management of the physical and logical network infrastructure, including physical cabling, logical topologies, network devices, and network services. A centralized entity with appropriate responsibility and authority is generally the most effective way to ensure consistency and manageability across the organization’s Intranet and Extranets. In many organizations achieving a single point of responsibility and authority for all network infrastructure can be challenging. Management of network infrastructure includes network operations, which is a separate function from the data center or information processing operations. Network security operations are often another distinct function but must coordinate closely with network operations.
The large scale and high complexity of networks in the modern organization create a challenging environment for security professionals and network administrators. The fundamental network services and protocols were not designed with information confidentiality in mind. Network controls have been designed and implemented to compensate for this lack of security, and they continue to evolve as threat actors and their attack methods become more sophisticated.
Methods of Attack
Before determining which controls should be implemented and in which order, it is helpful to understand the common methods of attack. Note that a risk management approach is recommended to fully analyze all threats and responses. The ultimate goal of attackers is to gain access to or modify data of value. Their targets are typically servers, workstations, or other computers connected to your University’s networks, but they will make use of networks, other computers, people, or any other tool to achieve their objectives. Their attack strategies typically involve some form of reconnaissance, followed by exploitation – attempts to bypass or disable network or host security controls by exploiting vulnerabilities, and finally data modification or exfiltration. A Denial of Service (DoS) is a specific type of attack designed to disrupt operations or make networks and systems unavailable.
Reconnaissance – Attackers use reconnaissance to discover networks, hosts, or vulnerabilities. A variety of freely available tools are available that allow scanning or probing of systems accessible to the Internet. In targeting a specific University, an attacker needs only to know publicly available information such as the range of IP subnets used by the school. Scanning often involves discovering what TCP or UDP ports are active on the various hosts within the University’s networks. Firewalls, IDS/IPS, network isolation, authentication, and logging are some of the tools network or security administrators use to limit or detect reconnaissance activities.
Exploitation – The protocols used across the Internet and within the Intranets and Extranets were designed for availability and openness rather than security and privacy. Attackers abuse and exploit the inherent lack of security of TCP/IP and the other various protocols and their associated network devices to their advantage. Their specific methods are numerous and varied, but can generally be categorized as follows:
- Sniffing – intercepting and examining network traffic
- Spoofing – impersonating a network host or user
- Man-in-the-Middle – covertly impersonating an intermediary host or network service such that the parties on either end of the connection are unaware that their communications are being captured and possibly altered
- Hijacking – taking over or re-routing one end of an otherwise valid communication between two parties
- Replay attacks – using intercepted communications or authentication interactions to falsely authenticate
- Password Cracking – using sophisticated or simple brute force attacks to guess weak passwords
- System or Application exploitation – once an attacker is in contact with a system at any of the application layer protocols such as FTP, Telnet, SSH, HTTP, HTTPS, SNMP, and others, weaknesses in the Operating System or the applications can be exploited to gain unauthorized access
Data Modification and Exfiltration – Once access to systems or data is gained, the data can be modified or copied (exfiltrated). While data owners might quickly know if data is modified, data exfiltration can take place in relative secrecy unless there are sufficient monitoring and controls in place to detect it. Most Universities have reasonable protections in place to prevent or detect external attacks but are not as diligent in monitoring outbound traffic to detect confidential or sensitive data that is being copied by a successful attacker.
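The three stages above (reconnaissance, exploitation, exfiltration) each leave traces in the firewall, authentication and flow logs that the guide elsewhere recommends collecting. The Python below is an added illustration, not code from the original guide: it runs one simple detector per stage over constructed sample records. A port-scan detector flags a source that touches many distinct destination ports within a short window (denied and allowed attempts both count), a password-guessing detector counts failed OpenSSH logins per source and escalates when a success follows the failures, and an outbound-volume detector compares each internal host's daily outbound bytes with its own median history. The log formats, thresholds and IP addresses are assumptions; in practice these rules live in a SIEM and are tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from statistics import median

# ---- Constructed sample data (illustrative, not real logs) ------------------
# Assumed firewall connection log format: "<iso-time> <src> <dst> <dport> <action>"
FIREWALL_LOG = [
    "2024-05-01T10:00:00 198.51.100.7 203.0.113.10 21 DENY",
    "2024-05-01T10:00:01 198.51.100.7 203.0.113.10 22 ALLOW",
    "2024-05-01T10:00:01 198.51.100.7 203.0.113.10 23 DENY",
    "2024-05-01T10:00:02 198.51.100.7 203.0.113.10 25 DENY",
    "2024-05-01T10:00:02 198.51.100.7 203.0.113.10 80 ALLOW",
    "2024-05-01T10:00:03 198.51.100.7 203.0.113.10 161 DENY",
    "2024-05-01T10:00:03 198.51.100.7 203.0.113.10 443 ALLOW",
    "2024-05-01T10:00:04 198.51.100.7 203.0.113.10 445 DENY",
    "2024-05-01T10:00:04 198.51.100.7 203.0.113.10 3389 DENY",
    "2024-05-01T10:00:05 198.51.100.7 203.0.113.10 8080 DENY",
    "2024-05-01T10:05:00 192.0.2.44 203.0.113.10 443 ALLOW",  # ordinary web visitor
    "2024-05-01T10:06:00 192.0.2.44 203.0.113.10 443 ALLOW",
]
# OpenSSH-style authentication messages (constructed)
SSHD_LOG = [
    "May  1 10:10:01 bastion sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2",
    "May  1 10:10:03 bastion sshd[2211]: Failed password for root from 198.51.100.7 port 51001 ssh2",
    "May  1 10:10:05 bastion sshd[2212]: Failed password for invalid user test from 198.51.100.7 port 51002 ssh2",
    "May  1 10:10:07 bastion sshd[2213]: Failed password for jsmith from 198.51.100.7 port 51003 ssh2",
    "May  1 10:10:09 bastion sshd[2214]: Failed password for jsmith from 198.51.100.7 port 51004 ssh2",
    "May  1 10:10:11 bastion sshd[2215]: Failed password for jsmith from 198.51.100.7 port 51005 ssh2",
    "May  1 10:10:13 bastion sshd[2216]: Accepted password for jsmith from 198.51.100.7 port 51006 ssh2",
    "May  1 10:20:00 bastion sshd[2300]: Failed password for alice from 192.0.2.44 port 40000 ssh2",
    "May  1 10:20:04 bastion sshd[2301]: Accepted publickey for alice from 192.0.2.44 port 40001 ssh2",
]
# Daily outbound byte totals per internal host (constructed); the last value is the day under review
OUTBOUND_BYTES = {
    "10.20.5.15": [1.2e9, 0.9e9, 1.1e9, 1.0e9, 1.3e9, 1.1e9, 1.0e9, 9.8e9],
    "10.20.5.16": [0.4e9, 0.5e9, 0.4e9, 0.6e9, 0.5e9, 0.4e9, 0.5e9, 0.6e9],
}


def detect_port_scans(lines, window_s=60, min_ports=8):
    """Reconnaissance: one source touching many distinct ports within window_s seconds."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _action = line.split()  # denied AND allowed attempts both count
        events[src].append((datetime.fromisoformat(ts), f"{dst}:{dport}"))
    suspects = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()
        for t, target in evs:
            window.append((t, target))
            while (t - window[0][0]).total_seconds() > window_s:  # slide the window forward
                window.popleft()
            distinct = len({tgt for _, tgt in window})
            if distinct >= min_ports:
                suspects[src] = max(suspects.get(src, 0), distinct)
    return suspects  # {source_ip: most distinct targets seen in one window}


AUTH_RE = re.compile(r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def detect_brute_force(lines, min_failures=5):
    """Password cracking: repeated failures per source; a later success from that source is the urgent case."""
    failures = defaultdict(int)
    findings = {}
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            if failures[src] >= min_failures:
                entry = findings.setdefault(src, {"failures": 0, "success_after": None})
                entry["failures"] = failures[src]
        elif src in findings:  # success from a source that already tripped the threshold
            findings[src]["success_after"] = user
    return findings


def detect_exfiltration(daily_bytes, factor=5.0, floor_bytes=1e9):
    """Exfiltration: today's outbound volume far above the host's own median history."""
    flagged = {}
    for host, series in daily_bytes.items():
        *history, today = series
        baseline = median(history)
        if today > floor_bytes and today > factor * baseline:  # floor avoids flagging quiet hosts
            flagged[host] = round(today / baseline, 1)
    return flagged  # {host: multiple of its normal outbound volume}


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FIREWALL_LOG))
    print("brute force:", detect_brute_force(SSHD_LOG))
    print("exfiltration:", detect_exfiltration(OUTBOUND_BYTES))
```

Each detector returns a dictionary keyed by the offending address so the three results can be joined on source or host, which is the correlation step a SIEM performs: a port scan, a later run of failed logins from the same source, and a volume spike from the host it logged into tell one story rather than three.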
Like other types of security controls, network controls can be categorized into various types, depending on their primary function.
Preventive controls seek to stop or prevent attacks or intrusions before they occur. Firewalls, Intrusion Prevention Systems, Web Gateways, and physical Isolation of network cabling and devices are all examples of preventive controls.
Detective Controls seek to detect attacks or intrusions in progress or after (ideally very soon after!) they have already taken place. Intrusion Detection Systems, Log collection and review, Security Information and Event Management (SIEM) systems, AntiVirus software, and video surveillance in data centers and communications facilities are examples of detective controls.
Administrative controls direct users – employees, faculty, students, contractors, and partners – to follow specific procedures. Examples include policies against connecting rogue hubs, switches, or routers to the network, the use of network traffic sniffers, unauthorized network services, and procedures for provisioning network access accounts.
Technical controls often enforce administrative controls, but can also limit or prevent network activity/traffic, or isolate network segments or users to increase overall security. Examples include network access control, group policy objects, strong authentication, encryption, and Virtual Private Network (VPN) technology.
A sound network control strategy employs the concept of Defense In-Depth to provide optimal security. Firewalls at the network perimeter limit the traffic that is allowed in and out of the network. IDS/IPS devices detect and prevent traffic that is suspicious or known to be malicious. Internal network isolation limits the visibility of network traffic to devices and users by department or role. Access to wireless and wired networks is restricted to authenticated users only. Strong passwords are enforced for all network computers. Computers run host-based firewalls and AntiVirus software. Certain sensitive network traffic is encrypted so that it cannot be intercepted. All of these controls are combined together to provide a layered or In-Depth defensive strategy.
Network Design and Architecture
Centralized management of networks allows for strategic network design and architecture that can be more readily optimized for performance, availability, and security. All endpoints should terminate to network switches to remove the possibility of internal network traffic sniffing by computers and users. Highly sensitive data and traffic such as for Data Centers or communications facilities should be isolated through virtual LAN (VLAN) technology and/or Firewalls. Highly unregulated traffic such as for student residence halls should also be isolated. The architecture of the network should allow for the strategic placement of firewalls, demilitarized zones (DMZs), and IDS/IPS devices such that all network traffic between the University Intranet and the Internet can be adequately controlled and monitored.
Perimeter controls must be strategically placed such that all network traffic flowing in and out of the Organization’s internal networks, i.e. its Intranet, can be controlled and monitored. These controls are critical to network functionality and security and therefore must be fault-tolerant and have redundant backups available. In addition, they must be capable of processing the anticipated peak volume of network traffic. This is especially important for larger Universities with extremely high aggregate Internet bandwidth. Typical perimeter controls include:
- Routers – The border router is typically capable of allowing or denying connections, but its primary purpose is to route traffic at the network border or DMZ
- Firewalls – firewalls (sometimes called border firewalls) block or limit traffic, typically by TCP/UDP port
- IDS/IPS – An Intrusion Detection System and/or Intrusion Prevention System adds an extra layer of protection, examining, limiting, or blocking traffic that was allowed through the border firewall, but is highly suspicious or known to be malicious
- Data Loss Prevention (DLP) – some DLP solutions inspect all network traffic to detect or block confidential data from leaving the Intranet
- “Next Generation” Firewalls – The term “NextGen” is a marketing term used by some vendors to imply a higher level of sophistication and thus a higher level of protection. While many of these products do perform as advertised, they essentially serve the same functions as firewall and IDS/IPS technology, or combine those functions in one device.
- Web Gateway – A secure web gateway does not necessarily sit at the perimeter, but does filter web-based traffic, providing more granular IDS/IPS functionality for web-based traffic or content
- Network Address Translation (NAT) – not strictly a security control, NAT limits the visibility of endpoints within the University Intranet from potential attackers on the Internet.
Note on encryption – while encryption is an effective control for data in transit, security administrators should also be aware that too much encryption of network traffic can severely limit many perimeter controls such as IDS/IPS, DLP, and Secure Web Gateways. Many vendors are now providing cloud-based network protection, which can supplement or replace many of the on-premises perimeter or interior controls network and security administrators have used.
Isolation – Network segments or subnets within the University Intranet should be appropriately isolated according to the security requirements of the users and endpoints. Virtual LAN (VLAN) technology is the primary control used to isolate users and endpoints.
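Segmentation and perimeter rules are easiest to get wrong when they exist only as diagrams and prose. The Python below is an added example, not code from the original guide or from any product: it writes the intended policy as testable statements and checks an ordered, default-deny rule set against them, using the segments the guide names (data center, management, staff, residence halls, Internet). It places a weak rule set beside its corrected form and includes an isolate() helper that models the "drawbridge" isolation of a critical subnetwork from the ISO guidance above. The address plan, rule format and sample flows are constructed; the rule syntax is this example's own, not any vendor's.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan; "internet" is the catch-all for anything not on an internal segment.
SEGMENTS = {
    "datacenter": ipaddress.ip_network("10.10.0.0/16"),
    "staff":      ipaddress.ip_network("10.20.0.0/16"),
    "residence":  ipaddress.ip_network("10.100.0.0/16"),
    "management": ipaddress.ip_network("10.250.0.0/24"),
    "internet":   ipaddress.ip_network("0.0.0.0/0"),
}


def segment_of(ip: str) -> str:
    """Most specific segment containing ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    return max((net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net)[1]


@dataclass(frozen=True)
class Rule:
    src: str           # segment name or "any"
    dst: str           # segment name or "any"
    proto: str         # "tcp", "udp" or "any"
    ports: frozenset   # destination ports; empty means any port
    action: str        # "allow" or "deny"

    def matches(self, src_seg, dst_seg, proto, dport):
        return (self.src in ("any", src_seg) and self.dst in ("any", dst_seg)
                and self.proto in ("any", proto) and (not self.ports or dport in self.ports))


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; a flow no rule allows is denied (default deny)."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for rule in rules:
        if rule.matches(src_seg, dst_seg, proto, dport):
            return rule.action
    return "deny"


def isolate(rules, segment):
    """'Drawbridge': cut a segment off in both directions while it is under attack."""
    return [Rule("any", segment, "any", frozenset(), "deny"),
            Rule(segment, "any", "any", frozenset(), "deny")] + list(rules)


# The intended policy as testable statements: (src_ip, dst_ip, proto, dport, expected)
POLICY = [
    ("10.250.0.5",   "10.10.3.20",   "tcp", 22,  "allow"),  # admins reach the data center over the admin channel
    ("10.20.7.9",    "10.10.3.20",   "tcp", 443, "allow"),  # staff use HTTPS services in the data center
    ("10.20.7.9",    "10.10.3.20",   "tcp", 22,  "deny"),   # ...but never the admin channel
    ("10.100.4.2",   "10.10.3.20",   "tcp", 443, "deny"),   # residence halls are isolated from the data center
    ("10.100.4.2",   "203.0.113.50", "tcp", 443, "allow"),  # residence halls get Internet access only
    ("198.51.100.7", "10.10.3.20",   "tcp", 22,  "deny"),   # no SSH into the data center from the Internet
    ("198.51.100.7", "10.250.0.5",   "tcp", 22,  "deny"),   # the management segment is never reachable from outside
]


def check_policy(rules):
    """Return every policy statement the rule set violates (empty list == compliant)."""
    return [p for p in POLICY if evaluate(rules, *p[:4]) != p[4]]


# Weak: a "convenience" rule lets all staff reach every data-center port, SSH included.
WEAK_RULES = [
    Rule("management", "any", "any", frozenset(), "allow"),
    Rule("staff", "datacenter", "any", frozenset(), "allow"),
    Rule("staff", "internet", "any", frozenset(), "allow"),
    Rule("residence", "internet", "any", frozenset(), "allow"),
    Rule("internet", "datacenter", "tcp", frozenset({443}), "allow"),
]
# Hardened: the admin channel (22) is reachable only from the management segment.
HARDENED_RULES = [
    Rule("management", "datacenter", "tcp", frozenset({22, 443}), "allow"),
    Rule("staff", "datacenter", "tcp", frozenset({443}), "allow"),
    Rule("staff", "internet", "any", frozenset(), "allow"),
    Rule("residence", "internet", "any", frozenset(), "allow"),
    Rule("internet", "datacenter", "tcp", frozenset({443}), "allow"),
]

if __name__ == "__main__":
    print("weak rule set violates:", check_policy(WEAK_RULES))
    print("hardened rule set violates:", check_policy(HARDENED_RULES))
    bridge_up = isolate(HARDENED_RULES, "datacenter")
    print("admin SSH while isolated:", evaluate(bridge_up, "10.250.0.5", "10.10.3.20", "tcp", 22))
```

Keeping POLICY as data and running check_policy() whenever the rule set changes turns the segregation requirement into a regression test: the weak set fails exactly one statement (staff reaching the admin channel), the hardened set passes all of them, and raising the drawbridge denies even the administrators while leaving unrelated segments untouched.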
Endpoint Hardening – All network devices and endpoints should be hardened to reduce their attack surface. Hardening involves maintaining current patch levels, AntiVirus, host-based firewalls, host-based IDS/IPS, disabling unnecessary services, using strong passwords, and other protections as appropriate. Software whitelisting can also provide additional endpoint protection. Network and security administrators should not neglect printers, multi-function devices, and other network-attached devices which often have insecure services opened up, such as FTP, Telnet, or SNMP.
Vulnerability Management – A Vulnerability Management System can help ensure that all endpoints on the network are adequately hardened. Vulnerability Management should ideally include web-based applications to reduce vulnerability to SQL-Injection, Cross-Site Scripting, and other web-based exploits.
Network Access Control (NAC) – Registering all endpoints before allowing connection to the network can prevent unauthorized devices from connecting as well as enforce security baselines. For instance, University IT Security Policies may state that all endpoints have automatic security updating enabled, authentication must be done via the central Active Directory domain, and AntiVirus and Firewall must be active. NAC can prevent systems that do not meet these requirements from accessing all or certain portions of the network.
WiFi Security Controls – The WiFi should be protected and in most cases, isolated from all other internal networks, particularly when the Organization has chosen to make WiFi open-access. Open-access WiFi allows any computer within range to connect and therefore should be provided limited services such as Internet access only. WiFi that connects to more sensitive portions of the network should be limited to authorized users only. All WiFi should use WPA2 or stronger encryption. Note that enabling these levels of control across a large campus can be costly and require sophisticated equipment.
Remote Access – remote access to internal or Intranet networks can be a high-security risk if not properly planned and secured. While a Virtual Private Network (VPN) service is an excellent way to allow remote users to securely connect to your internal networks or Intranet, it provides no assurance that the connecting endpoint computer is itself secure. Security administrators should strongly consider enforcing Network Access Control for VPN connections or strictly limiting the use of VPN to selected trusted users. Outbound VPN can also introduce the risk of opening up internal networks to potentially unsecured external networks. Many organizations choose to block outbound VPN at the firewall for this reason. Other remote access tools and protocols need to be carefully controlled or limited. Remote Desktop Protocol (RDP) and Secure Shell (SSH) can introduce additional risks. RDP is best blocked at the firewall or provided through an RDP Gateway. While SSH is a secure protocol, the Linux and Unix systems that typically use SSH are often administered outside of the campus directory service and can thus have weak passwords. External attackers routinely look for open SSH ports and attempt to use rainbow tables or brute force to crack passwords. Web-based services such as LogMeIn, VNC, GoToMyPC, etc. can also introduce the risk of unauthorized remote access. Security administrators should carefully assess the risks associated with these services.
Back Doors – Remote Access protocols and services can create “back doors” of access to internal networks and should be carefully administered. Other back doors include analog modems, cellular services on smartphones and tablets, Bluetooth personal area networks, and removable media such as USB and CD/CDRW drives.
Encryption – Encryption of certain network traffic is an essential network control. All confidential or sensitive information leaving the network should be encrypted with proven strong encryption algorithms. Authentication protocols that transmit passwords or encryption keys over the network should also be encrypted. Secure Sockets Layer (SSL) is a common encryption protocol used for web traffic.
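The guide names SSL as the common protocol for web traffic; its successor is TLS, which most libraries still expose through an API named ssl. The Python below is an added example, not code from the original guide: it builds a client context that verifies the server certificate, matches the hostname and refuses anything older than TLS 1.2, places beside it the "no verification" context that tends to creep into scripts when certificates misbehave (encryption without authentication, which an interceptor can satisfy), and provides an audit function that reports why a given context would not protect data in transit. The cipher string, the weak-cipher markers and the fetch_head() helper are this example's own choices.

```python
import socket
import ssl

# Substrings that identify cipher suites a hardened context must not offer (example's own list).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT")


def build_hardened_context() -> ssl.SSLContext:
    """Client context for confidential traffic: certificate and hostname verified,
    TLS 1.2 or newer only, forward-secret AEAD cipher suites only."""
    ctx = ssl.create_default_context()            # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    # TLS 1.2 suite selection; TLS 1.3 suites are governed separately by OpenSSL and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """The context many 'just make it connect' scripts end up with."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE               # accepts any certificate, so an interceptor's too
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context would not protect data in transit; empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against the certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version too low ({ctx.minimum_version.name})")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def fetch_head(host: str, port: int = 443) -> str:
    """Usage: open a verified TLS connection with the hardened context and read a HEAD response.
    Needs network access, so the module does not call it on its own."""
    ctx = build_hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname supplies SNI and is the name the certificate is checked against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            return tls.recv(4096).decode(errors="replace")


if __name__ == "__main__":
    print("hardened:", audit_context(build_hardened_context()) or "no findings")
    print("weak:", audit_context(build_weak_context()))
```

The audit is the part worth reusing: the same three checks (certificate verification, hostname matching, minimum version) apply to any TLS client configuration, whether it is a Python context, a reverse-proxy stanza or a mail relay, and a context that fails them encrypts traffic without establishing who is on the other end.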
Network Security Policies
A strong set of network security policies complements technical controls. While policies cannot always be technically enforced, users need to be aware of behaviors that are unacceptable by the policy. Examples include:
- Use of strong passwords
- No sharing of user account credentials
- Users are not allowed to install and run prohibited software, such as network sniffing/scanning or P2P file sharing software
- All user accounts must be centrally managed and issued
- Prohibition of rogue switches, routers, hubs
- All network cabling and outlets must be installed by central network services
- The limited expectation of privacy
Security policies provide a means of enforcement in the event of known violations.
Log Management and Auditing
Routers, switches, IDS/IPS, firewalls, Directory Services controllers, and other network devices have a wealth of information about activity on the network. However, the massive amount of data they produce makes it difficult to adequately correlate and review for possible intrusions or perform forensic investigations. A Security Information and Event Management (SIEM) solution can greatly reduce the effort and expense involved and provide a much higher level of visibility for security.
All network controls should be routinely validated by an authorized external third party. The process is typically referred to as Penetration Testing (Pen Tests). A qualified Pen Tester can help ensure that the controls you have carefully implemented are working effectively. Many organizations are required to perform such testing on an annual or biennial basis.
8.21 Security of network services
Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.
To ensure security in the use of network services.
The security measures necessary for particular services, such as security features, service levels and service requirements, should be identified and implemented (by internal or external network service providers). The organization should ensure that network service providers implement these measures. The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored. The right to audit should be agreed between the organization and the provider. The organization should also consider third-party attestations provided by service providers to demonstrate they maintain appropriate security measures. Rules on the use of networks and network services should be formulated and implemented to cover:
- the networks and network services which are allowed to be accessed;
- authentication requirements for accessing various network services;
- authorization procedures for determining who is allowed to access which networks and networked services;
- network management and technological controls and procedures to protect access to network connections and network services;
- the means used to access networks and network services [e.g. use of virtual private network (VPN) or wireless network];
- time, location and other attributes of the user at the time of the access;
- monitoring of the use of network services.
The following security features of network services should be considered:
- technology applied for security of network services, such as authentication, encryption and network connection controls;
- technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
- caching (e.g. in a content delivery network) and its parameters that allow users to choose the use of caching in accordance with performance, availability and confidentiality requirements;
- procedures for the network service usage to restrict access to network services or applications, where necessary.
Network services include the provision of connections, private network services and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings.
A ‘network service’ can broadly be described as a system running on the ‘network application layer’, such as e-mail, printing, or a file server. Network services also include managed applications and security solutions such as firewalls or gateway antivirus platforms, intrusion detection systems and connection services. Network services often represent the most important functional parts of a network, and are critical to the day-to-day operation of a modern commercial ICT network. Security is therefore paramount, and the use of network services needs to be closely monitored and directly managed to minimize the associated risk of failure, intrusion and business disruption. The three main security considerations when addressing the broader concept of network service security are:
- Security features
- Service levels
- Service requirements
These three measures should be taken into account by all internal and external network service providers, and the organisation should take steps to ensure that providers are fulfilling their obligations at all times. Organisations should judge a network service provider on their ability to manage services as dictated by an unambiguous set of SLAs, and monitor adherence to the best of their ability. Part of this operational assessment should include references obtained from trusted sources that attest to a network service provider’s ability to manage services in a secure and efficient manner. Network security rules should include:
- Any network services and associated networks that are allowed to be accessed.
- The authentication requirements for accessing said network services, including who is authorised to access them, from where and when they are able to do so.
- How personnel obtain prior authorisation to access network services, including final sign-off and business case analysis.
- A robust set of network management controls that safeguard network services against misuse and unauthorised access.
- How personnel are allowed to access network services (i.e. remotely or exclusively onsite).
- Logging procedures that detail key information about network service access, and the personnel who utilise them – e.g. time, location and device data.
- Monitoring the use of network services.
To increase security across all network services, including back-end functionality and user operation:
- Organisations should consider security features such as authentication, encryption and connection controls.
- Rigid parameters should be established that dictate the connection to network services.
- Users should be able to choose the amount of data cached (temporarily stored) by a network service to both increase overall performance and ensure that data isn’t excessively stored to the point of it being a tangible security risk.
- Restricting access to network services.
Security features of network services
Network services are basically the provision of connections, private network services, firewalls, and Intrusion Detection Systems. Security features of the network services could also include:
- Network security technology – This can be implemented through the segregation of networks, for example configuring VLANs with routers/switches, or also if remote access is used, secure channels (encrypted) are necessary for the access, etc.
- Configuring of technical parameters – This can be implemented through Virtual Private Networks (VPN), using strong encryption algorithms, and establishing a secure procedure for the authentication (for example, with electronic certificates).
- Mechanisms to restrict access – This can be implemented with firewalls, which can filter internal/external connections, and also can filter access to applications. Intrusion Detection Systems can also be used here. Basically, Intrusion Detection Systems (IDS) are devices that can be based on hardware or software, and they constantly monitor connections to detect possible intrusions to the network of the organization. They can also help firewalls to accept or reject connections, depending on the defined rules. Here it is important to note that an IDS is a passive system, because it can only detect; but there are also Intrusion Prevention Systems, known as IPS, which can prevent intrusions. The IPS are not specified by the standard, but are very useful and can also help firewalls. So, basically, if you want to manage the security of network services, you can use these types of hardware/software:
- Routers/switches (for example, for the implementation of VLANs)
- Firewalls or similar perimeter security devices (for example, for the establishment of VPNs, secure channels, etc.)
- IDS/IPS (for intrusion detection/intrusion prevention).
Network services agreements
At this point we have identified the network services, but to meet the requirement of this control we need to go one step further: these network services should be covered by network service agreements (or SLAs, Service Level Agreements). This applies to internal services provided in-house as well as to outsourced services provided from outside. When developing a network service agreement, you need to consider which network services are established, how they are delivered (internal or external resources, etc.), the service levels (24×7 availability, response to and handling of incidents, etc.), and the other key components. If the network service is outsourced, it is also important to hold periodic meetings with the external company, and to review the SLAs in those meetings. The security mechanisms written into the SLA can be selected on the basis of the risk assessment results (for the highest risks, the strongest security mechanisms will be necessary), or through the organization's contacts with special interest groups for specific environments such as government or the military, where specific regulations may have to be implemented.
Network services include directory services, Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), authentication services, messaging/email, remote access, and others. These services have traditionally been provided on-premise by network and/or security administrators; today, many organizations are turning to outsourced cloud providers for many of them. The security mechanisms, service levels, and management requirements of all network services need to be identified and included in network service agreements, whether the services are provided in-house or outsourced. Put simply, the organization should record in its network service agreements all the security measures it takes to secure those services. Your auditor will want to see that the design and implementation of networks take into account both the business requirements and the security requirements, achieving a balance that is adequate and proportionate to both, and will look for evidence of this along with evidence of a risk assessment.
Most organizations use some form of directory service, such as Microsoft Active Directory. Other essential services include DHCP, DNS, and remote access services such as VPN. Because these services underpin basic connectivity, name resolution, and authentication for every host on the network, a compromise of any of them affects everything that depends on them, so they must be well managed and secured. Only a very small number of network administrators should have administrative access to the underlying servers. These servers must also be hardened and kept up to date with security patches, and logging to an external aggregator or SIEM is strongly recommended so that an attacker who gains control of a server cannot also erase the record of how they got there.
External Network Services
Highly available Internet connectivity has opened the door for organizations to shift network and other application services to external cloud providers. While there are many reputable and very capable providers, it is nonetheless harder to hold an external entity accountable to the same degree that is possible with internal staff. Organizations entering into agreements with cloud providers need to carefully review and negotiate the specific terms and conditions of these agreements. Service Level Agreements, confidentiality statements, and privacy policies are among the documents that must be carefully reviewed and updated; the provider's default versions will typically be written in favor of the provider rather than its customers. External service providers should be held to the same level of security controls as those that apply to internal services. Organizations should write into their agreements language that specifies the required security controls, limits on access by the provider's employees, confidentiality statements, the organization's right to audit the security controls, and any other provisions that reduce the risk of data disclosure, alteration, or loss.