Chapter 14. Network Infrastructure

It is easy to focus our attention on application and operating system security, and to overlook fundamental building blocks of an environment such as the network infrastructure. We should always be cognizant that attacks against this infrastructure can be very effective. Networks can be attacked for the purposes of disruption, such as Denial of Service (DoS) attacks, which cause unexpected outages. Networks can also be attacked as a means of redirecting the flow of traffic on a network to achieve goals such as bypassing security technologies or steering traffic toward compromised systems, which could be used by an attacker for the interception or modification of traffic elsewhere in the network.

A well-designed and maintained network will hamper an attacker’s efforts to move laterally within a network or to exfiltrate data, and it will aim to keep him contained within a particular area of the network in the event that a breach should occur.

In this chapter we will discuss good practices you can employ within your environment to harden network infrastructure against a range of attacks.

Firmware/Software Patching

As with other infrastructure, network equipment runs software or firmware, and that requires patching to stay up-to-date in the same way that servers, desktops, and your cellphone do. There is often a tendency to incorrectly believe that firmware contains special properties that somehow make it less susceptible to vulnerabilities. In ...

Get Defensive Security Handbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.