
2 Network Security Policy


1 Introduction

At all connection points between the internal network and an insecure external network (such as the Internet) effective measures, such as a firewall, must be put in place to ensure that only authorised network traffic is allowed.

Where possible, multiple layers of protection will be used to ensure that the failure of a single device does not expose the network to attack. For example, network firewalls (for example on a router) will be supplemented by host-based software firewalls on servers and client computers in order to provide several levels of firewall protection.

Servers that are intended to be accessed from the Internet (such as web servers) must be connected to a separate area of the firewall (referred to as a De-Militarised Zone, or DMZ) in order to provide additional protection for the internal network.

Where information is to be transferred over a public network such as the Internet, strong encryption techniques must be used to ensure the security of the data transmitted.

Access to wireless networks must be secured using a strong password. A guest wireless network may be provided for visitors. This must be physically separate from all internal networks (including internal wireless networks) and secured using a firewall.

The ability to connect devices to a wireless network using the WPS (Wi-Fi Protected Setup) button on the access point or router itself must be disabled.

Wireless access point admin logon passwords must always be changed from the default to a strong password.

Network equipment in remote offices will be housed in secure cabinets, which must be locked at all times.

Wireless access points located in public areas must be hidden from view where possible and must be placed in positions where access by the public is difficult, for example in or near the ceiling. A lockable protective casing must be installed where an access point is located in an unprotected public area, such as a car park.

Where there is a requirement for remote access across the Internet to the internal network (for example by homeworkers), a Virtual Private Network (VPN) will be used. In such cases multi-factor authentication (MFA, for example using a phone app or via a text message) is a prerequisite so that knowledge of a password on its own is not enough to gain access. Remote access must be granted on an “as required” basis rather than for all users by default.

Admin passwords to network devices must be changed on installation of the device to a strong password of at least eight characters if additional controls such as MFA or common password blocking are used, or twelve characters if a password is used on its own. Passwords must be changed in the event that they are compromised, or there is a reasonable suspicion that this is the case. Access to router and firewall settings across the Internet must be restricted to defined IP addresses, or using MFA, or where available, both. Such access must be supported by a documented business case which is approved by management.

Where possible, a single supplier policy will be used for network hardware. An exception will be made where the use of multiple vendor hardware may increase the level of security provided, such as by using two different firewalls.

Network routing will be based on [Insert manufacturer, for example, Cisco] routers. [Insert manufacturer, for example, Cisco] Gigabit switches will be used as standard for connecting devices to the network. Switch ports will be configured to be disabled until required. More basic network devices, such as hubs, will not be used due to their inherent security weaknesses.

The network protocol IPv4 (Internet Protocol Version 4) will be used on internal networks. However, new network devices purchased must support IPv6 (Internet Protocol Version 6, its successor) in preparation for the future.

The internal network address range used will be 192.168.0.0 – 192.168.254.254. IP addresses and associated network information for desktop and laptop computers will be automatically assigned using a DHCP (Dynamic Host Configuration Protocol) server.

Only network protocols and ports that are explicitly required on a specific server will be enabled by default in order to reduce the attack surface. These must be supported by a documented business case which is approved by management and reviewed on a regular basis. This is especially true for servers within the DMZ of the firewall(s).
