Evaluate Network Security Capabilities

📖 Secure Configuration Benchmarks

Hardening your systems begins with baseline configurations:

▸ CIS Benchmarks: Well-documented, community-driven secure configuration standards for OS, browsers, servers, and cloud platforms.
▸ NIST National Checklist Program: Offers federal-level security configurations.
▸ DoD STIGs: Department of Defense configurations for government systems.
▸ Vendor templates: Microsoft, Cisco, AWS, etc. publish secure baseline guides for their platforms.

Hardening your systems begins with secure configurations. Learn more about secure configurations on Application Security Techniques.

▸ Least functionality: Disable unused services and ports.
▸ Baseline configuration: Establish approved starting point with auditing tools like SCAP or Group Policy.
▸ Templates: Use system roles (e.g., Web Server, Database Server) to apply consistent permissions and services.
▸ Immutable infrastructure: Deploy new instances rather than modifying live systems.

Modern Wi-Fi standards have evolved to support stronger authentication and encryption. Learn more about wireless security on Cisco.

▸ WPA3: Latest encryption standard supporting SAE (Simultaneous Authentication of Equals).
▸ WPA2-Enterprise: Uses 802.1X and RADIUS servers for credential-based authentication.
▸ EAP methods: EAP-TLS, PEAP, and EAP-FAST ensure secure communication between clients and authentication servers.
▸ Evil twin prevention: Monitor for rogue SSIDs and enforce network isolation.
▸ Disassociation protection: Use management frame protection (802.11w) to resist de-auth attacks.

NAC ensures that only healthy, compliant devices are allowed on the network:

▸ Agent-based NAC: Installs software on endpoints to check compliance (AV, patch level).
▸ Agentless NAC: Uses network scans or integrations with DHCP to identify devices.
▸ Dynamic VLANs: Assign users to isolated or trusted segments based on role or compliance.
▸ Posture checking: Validates endpoint health before granting full access.
▸ Quarantine networks: Redirect noncompliant devices to a remediation zone.

Monitoring tools provide visibility into network traffic and allow for detection and response. Learn more about network monitoring on SolarWinds.

▸ IDS: Intrusion Detection System — alerts on suspicious activity but does not block. Learn more about IDS on Wikipedia.
▸ IPS: Intrusion Prevention System — blocks malicious traffic in real time. Learn more about IPS on Palo Alto Networks.
▸ Next-Gen Firewall (NGFW): Combines traditional firewall with content filtering, app control, and threat intel.
▸ UTM (Unified Threat Management): Appliance offering AV, firewall, IDS/IPS, email filtering in one box.
▸ Port mirroring/taps: Copy traffic to a monitoring interface for analysis via packet capture tools (e.g., Wireshark).

Web filtering protects users from malicious or inappropriate content. Learn more about web filtering on Forcepoint.

▸ SWG (Secure Web Gateway): Cloud or on-prem proxy filtering for malware, botnets, inappropriate content.
▸ Reputation-based filtering: Blocks URLs/IPs with bad history (e.g., PhishTank, Cisco Umbrella).
▸ Keyword filtering: Blocks pages containing certain keywords (e.g., gambling, hate speech).
▸ Agent-based filtering: Deployed to mobile and remote devices for off-network enforcement.