Course taster

What is network hardening?

In computer security, network hardening is the process of reviewing a connected system, identifying its vulnerabilities and implementing mechanisms that reduce its known (surface) vulnerabilities. Single-function systems are often easier to secure, but in our modern, interconnected world, such systems are rarely found, and multi-function systems are present everywhere. Multi-function systems are harder to secure, as they perform multiple (and often complex) operations. Such operations require a high level of connectivity, and the higher the interconnectivity of a system, the more vulnerable the system is. There are a few advantages of system hardening which are:

  • Enhanced computer network functionality
  • Significantly improved security
  • Simplified compliance and auditability

Enhanced computer network functionality

One of the most effective methods to enhance network functionality is concentrating on the practical elements, which will ensure that performance is monitored and areas of inadequate performance are improved. It is advised that within a corporate setup, an organisation should take a five-step approach to enhancing its connected environment (Andrés and Kenyon, 2004), select the following titles to reveal more detail. 

Implementing VLANs involves utilising broadcasting domains to split one physical network into multiple logical networks, which are used as separate networks with their own devices. This ensures that network resources and components are isolated in different layers. Such techniques are usually used to prioritise and control traffic, directing high bandwidth to the resources that need it the most. VLANs improve network security by acting as a barrier from compromised segments and isolating healthy zones (Andrés and Kenyon, 2004).

Computer networks are present in almost all corporate infrastructures. Organisations require a high level of connectivity, and with the demand on the network, the maintenance of user connectivity is critical. Network management is critical to ensure that data is flowing without any issues and that no bottlenecks are present in the system.

Guest networks should be created and assigned to visitors and contractors within an organisation. This will ensure that their activities are contained and the risk of network vulnerabilities is minimised, especially when automatic network monitoring to detect suspicious activities is deployed. It is easier to suspend a user's access to a guest network without disturbing users on the main network (Andrés and Kenyon, 2004).

In computer networks, data compression reduces the bit rate by encoding the transferred data using different encoding schemes. Large files transferred over a network can be reduced in size using multiple compression algorithms, ensuring that network bandwidth is free for critical tasks (Andrés and Kenyon, 2004).

In a rapidly evolving discipline such as information security, software and hardware updates are regularly released by vendors. Such updates often patch known and recently discovered vulnerabilities that could affect the privacy of information. Vendors release updates to ensure that equipment can run to the best of its ability. In addition to software, hardware and firmware, upgrading the network infrastructure itself could be a huge factor, as old hardware can present challenges that cannot be remedied with software updates (Andrés and Kenyon, 2004).

A critical element of network hardening is to utilise performance monitoring tools. These tools are designed to provide a detailed insight into the network's functionality and any errors that occur. They usually have configurable parameters that can be changed by security engineers to specify how a certain protocol or connectivity element operates. A wide range of tools are available, and they are usually deployed throughout the entire network to achieve the following:

  • define the nature of the traffic flowing in the network and its sources
  • locate bottlenecks and review the availability of network components and deployed resources in a network segment
  • monitor and restrict contents on the network
  • locate network errors, define how often they occur and identify what caused them
  • evaluate performance issues and potential downtime due to network misconfiguration

Significantly improved security

System hardening will directly affect the number of attacks targeting a network, which will potentially lead to a reduction in data breaches, unauthorised access and malware.

Simplified compliance and auditability

System hardening enables unused programs and user accounts to be reviewed and removed, leading to a simplified environment. A simplified IT environment can be easily audited for active accounts, active services and available ports, making the network harder to enumerate.

Activity: System hardening and attack surface reduction

Task 1

Time commitment: 30 minutes

Write your definition of the following (up to 250 words):

Define the difference between lossy and lossless data compression. Provide two examples of data compression algorithms using each and discuss if using any of the methods can reduce network bandwidth.

Task 2

Time commitment: 30 minutes

Write your explanation (up to 300 words) of the following:

System hardening is a process used to reduce the attack surface of an organisation. 'Attack surface' is a term used to define all the potential flaws and backdoors in a system that could be exploited by an attacker. Explain at least three methods that can be adopted within system hardening to reduce the attack surface and discuss how they can mitigate the risk to the organisation.