The network infrastructure solution best practices document referenced in this article guides the network administrator in implementing security best practices that build a foundation with multiple layers of defense to support the organization's strategy. The document provides the top five security recommendations for hardening the network infrastructure: implement the secured, diversified ALE Operating Software (AOS) on the OmniSwitches; change the default passwords to strong passphrases; regularly update the software and sign up to automatically receive ALE security advisories; avoid enabling insecure protocols; and, just as important, frequently review the latest US-CERT recommendations and best practices.
The purpose of this document is to provide the security best practices and recommendations for hardening the network infrastructure. Following the top five security recommendations listed above, make certain that all insecure ports that may have been enabled while building the base configuration are disabled. Another top recommendation is to deploy the OmniVista NMS to manage both the AOS switches and the Stellar WLAN equipment from a single 'pane of glass'. OmniVista gives network administrators the ability to apply Role-Based Access Control (RBAC) through the definition of user logins and passwords, so that each stakeholder is granted only the level of network administration access their role requires.
Access can be further refined with the user role features, which specify read/write access to particular OmniVista applications and network devices, and with two-factor authentication to harden access to the network. For example, OmniVista users with Admin rights can view and manage every device in the network and have read/write access to all applications. Through this feature, one can limit the devices a level 2 or level 3 administrator can manage, and the applications they can configure, by creating a role with access to a specific Topology map or network segment.
Other security features and standards can be enabled to proactively secure the network. These include TLS/SSL, SSHv2 and SFTP, SNMPv3, MACsec, LLDP agent security, DDoS filtering triggers, DHCP relay / DHCP snooping, application fingerprinting / visibility, learned port security, and many others; one example is dynamic network access control via User Network Profiles (UNPs).
The access role profiles of users and devices can be dynamically enforced through UNPs using the following classification methods, implemented through the UNP functionality and profile criteria, which allow profiles to be tailored for specific devices:
- MAC-based and 802.1X-based authentication using a RADIUS-capable server
- Redirection for Captive Portal authentication
- Redirection to OmniVista Unified Policy Access Manager (UPAM) for Bring Your Own Device (BYOD) user device registration, UNP assignment, and policy list assignment
- Network-wide classification rules to classify users based on port and device
The OmniVista NMS device fingerprinting/profiling application is an enabler that helps create containers for unsolicited, unplanned, headless IoT devices, ensuring secure network access through the definition and automatic application of UNPs. With this solution, all stakeholders must cooperate in keeping the IoT devices' software security-patched and in using strong passwords to help maintain a clean, mobile, and secure network infrastructure. For configuration options and application of this feature, refer to the Augmented Intelligence and Device Fingerprinting Enabled Network application note.
Use the ALE Security Best Practices and Recommendations technical guide to help architect the most secure network infrastructure and serve your network users with top quality of experience (QoE) services.