Top of Mind: Best Practices and Security Updates
With the Black Hat and DEF CON security conferences last week in Las Vegas, two topics are top of mind for me and those in my organization: best practices for securing the network and the importance of applying software security updates. An event like Black Hat or DEF CON certainly raises awareness, but what’s really important is to take that awareness and embed it into daily management of the network. For the most part, those practices are followed on endpoints and applications. Unfortunately, our data indicates that patching in the infrastructure is much less consistent. This is usually due to complexity and the demands of uptime placed on the network. Events like Black Hat give my teams an opportunity to deliver training on implementing network-based mitigations and defenses. In many cases, participants in these events are simply unaware of what is available in newer versions of our products.
When it comes to network security best practices there are a number of things that we promote and encourage our customers to use. These best practices go a long way towards increasing the security of today’s networks. For example, Infrastructure Access Control Lists, or iACLs, greatly restrict traffic destined to the network’s own infrastructure addresses while permitting all transit traffic through the network. The distinction between “to the network” and “through the network” is vital in this context. By limiting who can communicate with our network elements we greatly reduce who can directly attack our network.
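As an added illustration (not a configuration from this post or from the Cisco hardening guides), here is the skeleton of an IOS iACL that makes the “to the network” versus “through the network” distinction concrete. The infrastructure block, the management network and the eBGP peer address are assumed values chosen for the example:

```cisco
! Added example iACL; addresses are constructed for illustration:
!   10.0.0.0/16    assumed infrastructure address block (loopbacks, links)
!   192.0.2.0/24   assumed management/NOC network
!   198.51.100.1   assumed eBGP peer of router address 10.0.0.1
ip access-list extended INFRA-ACL
 ! Fragments aimed at infrastructure cannot be matched on ports; drop them first
 deny tcp any 10.0.0.0 0.0.255.255 fragments
 deny udp any 10.0.0.0 0.0.255.255 fragments
 deny icmp any 10.0.0.0 0.0.255.255 fragments
 ! Required traffic TO the network: eBGP from the known peer only
 permit tcp host 198.51.100.1 host 10.0.0.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 10.0.0.1
 ! Management TO the network: only from the NOC, only on the needed services
 permit tcp 192.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255 eq 22
 permit udp 192.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255 eq snmp
 ! ICMP needed for troubleshooting and path MTU discovery
 permit icmp any 10.0.0.0 0.0.255.255 echo
 permit icmp any 10.0.0.0 0.0.255.255 echo-reply
 permit icmp any 10.0.0.0 0.0.255.255 ttl-exceeded
 permit icmp any 10.0.0.0 0.0.255.255 packet-too-big
 ! Everything else TO the network is dropped; log it to feed detection
 deny ip any 10.0.0.0 0.0.255.255 log
 ! Traffic THROUGH the network is left untouched
 permit ip any any
!
interface GigabitEthernet0/0
 description Edge uplink; iACL applied inbound at the network boundary
 ip access-group INFRA-ACL in
```

Because `log` punts matching packets to the CPU, keep it on the final infrastructure deny only and watch the counters during a change window before relying on it broadly.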
There are other best practices we recommend, such as the configuration of Control Plane Policing and the use of AAA, that every network should evaluate and look to implement. There are also the seemingly countless smaller items—strong passwords, anyone?—that should similarly be evaluated and used everywhere appropriate. (Yes, we need to also listen to our own advice here and stop shipping products with easy-to-guess default or hard-coded passwords.)
Because there are many such best practices, too many to list in a single post, we have created hardening guides for several Cisco network operating systems and solutions. These guides go into great detail to convey the best practices you can use to secure your network. The following hardening guides are currently available:
- Cisco Guide to Harden Cisco IOS Devices
- Cisco Guide to Harden Cisco IOS-XR Devices
- Cisco Guide to Harden Cisco NX-OS Devices
- Cisco TelePresence Hardening Guide
The Cisco Security Center is our primary vehicle for delivering time-sensitive security collateral. It hosts pages dedicated specifically to Best Practices and Service Provider Security Best Practices that contain categorized lists of documents that describe security techniques and practices.
Are there other Cisco product- or solution-specific hardening guides that you would like to see created?
The implementation of best practices is a large part of the network security picture, but not the entire picture. There will always be times when we must update the software that runs in the network to reduce the risk of exploitation of vulnerabilities. Very much like keeping our personal computers up-to-date, keeping our network current is also very important and contributes directly to the security of our information and overall organization.
In addition to obtaining security fixes for the most recently disclosed set of vulnerabilities, it is also important to upgrade because along with security patches we regularly add defensive improvements into our software. Cisco has a robust secure development lifecycle that drives the lessons of vulnerability escapes into our product development lifecycle.
The most effective way to manage this process is to have a regularly scheduled update cycle that evaluates and deploys newer software throughout your network. This cyclic process should include the following items at a minimum:
- Review of any Security Advisories for relevant products
- Evaluation of new software releases including review of product Release Notes
- Testing of the protocols and features used in the network
- The phased deployment of updated software
Is this something that every organization should do every month? Certainly not. However, we do believe it’s important to establish regular update schedules. It was exactly this type of process we had in mind when we moved the disclosure of Cisco IOS Software Security Advisories to a predictable twice-yearly schedule.
Which network security best practice or security update deployment processes are top of mind for you?