One of the more impressive sessions that I have attended at HP Discover was the “Hitchhiker’s Guide to Network Security” presented by HP Senior Technologist John Wieland. Not only was the information usable and understandable for anyone in the room, being a relative security novice, I appreciated that Wieland made great lengths that members of his audience would understand acronyms and other jargon to be able to get the most out of the presentation. This really was the prefect session for anyone new to security. There weren’t any gaps in the content and Wieland was both engaging and entertaining to listen to. He is a great presenter, so if you are still at HP Discover, look up some of his other sessions today and tomorrow.
But to the nuts and bolts of the session – Wieland presented a session about leveraging your existing features of HP network gear, combined with some best practices to enhance the security of your networks. HP’s network gear comes with a robust set of security features to keep ports secured and locked down, report any incidents and issues to logging servers and that combined with establishing good corporate policy will enable securing the network properly in any corporation.
Wieland presented the three tenants of network security:
Process represents corporate policies and processes surrounding how data is secured. Wieland strongly emphasized that the first place to design network security is in policy, and that technology can only implement what is planned and backed in policy. In addition to creating security policy, the security policy should also be available to the company’s general population (though not the outside world).
Once process is fleshed out, then you can implement the technology and this became the meat of the session. I am just going to quickly recap some of the capabilities that exist in the HP networking gear that will increase your security.
- Centralized authentication for the network devices using RADIUS or TACACS – by having centralized login, password changes can and should be easily enforced and passwords may be changed on all devices easily and often. As for a single local account in case centralized authentication is unavailable, a limited number of staff should know this password.
- 802.1x authentication for switch ports – using the same RADIUS or Microsoft IAC, you can enable port authentication which will not allow users to connect to the network except with a valid user name and password. You can also enable guest access to route guests out of a VLAN directly to the internet with no connection to the corporate network.
- MAC port security is also an option which allows you to lock down a particular port to a particular MAC address or group of MAC addresses and enforce limits on this.
- Logs may be shipped off to a Syslog server and should be inspected and monitored for malicious attempts to break into the network.
Finally, people is the last piece and it includes not only the security staff, but training and behavior changes for all of the corporate employees. This may include training classes to instruct users what they should not do, it should include general best practices such as asking unidentified strangers if you can help them (as a way to find out what they are doing in the building), and it can include establishing a way to report any breaches that may occur to the appropriate security staff.
All in all, it was a good session with some great information. A resource that Wieland pointed us to is the HP Networking and Cisco CLI Reference Guide. This CLI guide gives you instructions on how to do many common tasks from CLI and how to setup all the security that is talked about in this post and in the session.
In the interest of full disclosure, HP and Ivy Worldwide invited me and paid for my trip to HP Discover. Even though, I am trying to relay the information as impartially as possible.