11.07.2015 Views

Improving Web Application Security: Threats and - CGISecurity

Improving Web Application Security: Threats and - CGISecurity

Improving Web Application Security: Threats and - CGISecurity

SHOW MORE
SHOW LESS

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

Chapter 15: Securing Your Network

VLANs

Virtual LANs allow you to separate network segments and apply access control based on security rules. Note that a VLAN enhances network performance but does not necessarily provide security. Limit the use of VLANs to the perimeter network (behind the firewall), since many insecure interfaces exist for ease of administration. For more information about VLANs, see the article "Configuring VLANs" on the Cisco Web site.

Insecure Defaults

To make sure that insecure defaults are secured, change all factory default passwords and SNMP community strings to prevent network enumeration or total control of the switch. Also investigate and identify potentially undocumented accounts and change the default names and passwords. These types of accounts are often found on well-known switch types and are well publicized and known by attackers.

Services

Make sure that all unused services are disabled. Also make sure that Trivial File Transfer Protocol (TFTP) is disabled, Internet-facing administration points are removed, and ACLs are configured to limit administrative access.

Encryption

Although it is not traditionally implemented at the switch, data encryption over the wire ensures that sniffed packets are useless in cases where a monitor is placed on the same switched segment or where the switch is compromised, allowing sniffing across segments.

Additional Considerations

The following considerations can further improve network security:

● Ensure that clocks are synchronized on all network devices. Set the network time and have all sources synchronized to a known, reliable time source.
● Use Terminal Access Controller Access Control System (TACACS) or Remote Authentication Dial-In User Service (RADIUS) authentication for highly secure environments as a means of limiting administrative access to the network.
● Define an IP network that can be easily secured using ACLs at subnets or network boundaries whenever possible.
