Putting Up General Network Defenses
Use stateful inspection rules on your firewalls so that traffic is tracked per session. This helps ensure that all traffic traversing the firewall is legitimate and can help prevent DoS attacks and spoofing attacks.
Implement rules to perform packet filtering based on traffic type, TCP/UDP ports, IP addresses, and even specific interfaces on your routers before the traffic is allowed to enter your network.
Use proxy filtering and Network Address Translation (NAT) or Port Address Translation (PAT).
Use an IPS to find and drop fragmented packets entering your network (whether from a Fraggle attack or another type of attack).
Include your network devices in your vulnerability scans.
Ensure your network devices have the latest vendor firmware and patches applied.
Don’t use IKE aggressive mode with pre-shared keys for your VPN. If you must, ensure the passphrase is strong and changed periodically (such as every 6–12 months).
Always use TLS (via HTTPS, etc.) or SSH when connecting to network devices.
Disable SSL and weak ciphers; use only TLS version 1.2 and strong cipher suites (such as those based on SHA-2) wherever possible.
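As an added example (not from the original text), here is what this item looks like when applied with Python's ssl module: a server context pinned to TLS 1.2 or newer with SSL-era and SHA-1 suites excluded, plus a small audit helper run over a constructed list of legacy suite names. The helper, the cipher string and the sample names are assumptions chosen for illustration.

```python
import ssl

# OpenSSL cipher-name fragments this checklist item rules out: SSL-era
# primitives and unauthenticated (anonymous) key exchange.
WEAK_FRAGMENTS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def is_weak_cipher(name: str) -> bool:
    """True if a cipher-suite name uses a primitive the checklist forbids."""
    n = name.upper()
    if any(frag in n for frag in WEAK_FRAGMENTS):
        return True
    # A bare "-SHA" suffix means an HMAC-SHA-1 MAC; SHA-2 suites end in
    # -SHA256 or -SHA384 instead.
    return n.endswith("-SHA")


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses SSLv3, TLS 1.0, TLS 1.1 and weak suites.

    The caller still loads its certificate with ctx.load_cert_chain(...).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSLv2/SSLv3 are already off in modern Python; this also refuses TLS 1.0/1.1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret ECDHE key exchange with AEAD ciphers only; the "!" terms
    # spell out the exclusions even if the OpenSSL defaults change.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!SHA1")
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def enabled_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the cipher suites the context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_ciphers(names) -> list:
    """Return the subset of suite names that violate the checklist item."""
    return [n for n in names if is_weak_cipher(n)]


# Constructed sample: suites one might find enabled on a legacy device.
LEGACY_SUITE_NAMES = [
    "RC4-MD5", "DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA", "AECDH-AES256-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("weak suites in hardened context:", audit_ciphers(enabled_ciphers(ctx)))
    print("weak suites in legacy sample:", audit_ciphers(LEGACY_SUITE_NAMES))
```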
Segment the network and use a firewall on the following:
- The DMZ
- The internal network
- Critical subnetworks broken down by business function or department, such as accounting, finance, HR, and research