NSA urges businesses to adopt zero trust principles for network security

The National Security Agency this week issued detailed recommendations for businesses trying to secure their networking infrastructure against attacks, giving safe configuration tips for commonly used networking protocols and urging the use of basic security measures for all networks.

The NSA’s report began by highlighting the importance of zero trust principles for network security, but the bulk of it covers specific steps network administrators should take to keep their infrastructure safe from compromise. Configuration tips for network admins include the use of secure, frequently changed passwords for all administrative accounts, limiting login attempts and keeping potentially vulnerable systems patched and up-to-date. The report also describes safe configurations for SSH (secure shell), HTTP and SNMP (simple network management protocol).

“Improper configuration, incorrect handling of configurations, and weak encryption keys can expose vulnerabilities in the entire network,” the report said. “All networks are at risk of compromise, especially if devices are not properly configured and maintained.”

The NSA, additionally, recommended the use of network access control systems as an extra layer of security for enterprise networks. The idea is to implement a robust system for identifying individual devices on a network, as port security can be difficult to manage and tracking connected devices via MAC address can be circumvented by an attacker.

The use of centralized authorization, authentication and accounting servers are also being highlighted as a strong security measure by the NSA. This helps avoid the use of potentially vulnerable legacy authentication technologies, since they don’t rely on credentials stored on connected devices, which can be relatively simple to compromise. Doubling up on deployment of AAA servers — which handle requests for system resources — provides a level of redundancy and can help detect and prevent malicious activity more easily, according to the agency.

Robust logging techniques are another key technique for keeping enterprise networks safe, ensuring that network infrastructure is capturing a sufficient amount of log data makes identifying and tracking a potential attack much simpler than it would otherwise be, the NSA said. Login attempts, successful or unsuccessful, are particularly important for this, but the agency noted that generating too many messages could complicate log reviews.

The NSA report is available for download. It contains detailed instructions for Cisco IOS users on how to accomplish many of the tasks it suggests, but the general principles are valid for users of any vendor’s networking gear.