Contents
Network Infrastructure Security Guide (p. i)
Contents (p. iii)
1. Introduction (p. 1)
   1.1 Regarding Zero Trust (p. 1)
2. Network architecture and design (p. 2)
   2.1 Install perimeter and internal defense devices (p. 2)
   2.2 Group similar network systems (p. 3)
   2.3 Remove backdoor connections (p. 4)
   2.4 Utilize strict perimeter access controls (p. 4)
   2.5 Implement a network access control (NAC) solution (p. 5)
   2.6 Limit virtual private networks (VPNs) (p. 5)
3. Security maintenance (p. 8)
   3.1 Verify software and configuration integrity (p. 8)
   3.2 Maintain proper file system and boot management (p. 9)
   3.3 Maintain up-to-date software and operating systems (p. 10)
   3.4 Stay current with vendor-supported hardware (p. 11)
4. Authentication, authorization, and accounting (AAA) (p. 12)
   4.1 Implement centralized servers (p. 12)
   4.2 Configure authentication (p. 13)
   4.3 Configure authorization (p. 14)
   4.4 Configure accounting (p. 15)
   4.5 Apply principle of least privilege (p. 15)
   4.6 Limit authentication attempts (p. 17)
5. Local administrator accounts and passwords (p. 17)
   5.1 Use unique usernames and account settings (p. 18)
   5.2 Change default passwords (p. 19)
   5.3 Remove unnecessary accounts (p. 19)
   5.4 Store passwords with secure algorithms (p. 19)
   5.5 Create strong passwords (p. 21)
   5.6 Utilize unique passwords (p. 23)
   5.7 Change passwords as needed (p. 23)
6. Remote logging and monitoring (p. 24)
   6.1 Enable logging (p. 25)
   6.2 Establish centralized remote log servers (p. 25)
   6.3 Capture necessary log information (p. 26)
   6.4 Synchronize clocks (p. 27)
7. Remote administration and network services (p. 28)
   7.1 Disable clear text administration services (p. 28)
   7.2 Ensure adequate encryption strength (p. 30)
   7.3 Utilize secure protocols (p. 31)
   7.4 Limit access to services (p. 31)
   7.5 Set an acceptable timeout period (p. 32)
   7.6 Enable Transmission Control Protocol (TCP) keep-alive (p. 33)