NSA publishes guidance for best practices in network design configuration
In furtherance of its new public-facing security posture, the National Security Agency released a report Tuesday guiding network architects and administrators on best practices for establishing their networks.
The report was developed by the NSA’s Cybersecurity Directorate, which was created to use the agency’s unique intelligence capabilities to share threat information with companies and the defense industrial base in a timely fashion to ensure they stay ahead of the most sophisticated threats.
While the NSA has previously been pejoratively referred to as “no such agency” given the little to no information it would release publicly, officials acknowledged it had to “up its game” after a series of high profile hacks and breaches from sophisticated nation-states and establish an organization to aid the private sector.
“Network environments are dynamic and evolve as new technologies, exploits, and defenses affect them. While compromise occurs and is a risk to all networks, network administrators can greatly reduce the risk of incidents as well as reduce the potential impact in the event of a compromise,” a release from NSA states. “This guidance focuses on the design and configurations that protect against common vulnerabilities and weaknesses on existing networks.”
The report notes that following the guidance will assist network defenders with putting in place best cybersecurity practices, lowering the risk of compromise and ensuring a more secure network.
NSA’s guidance falls under nine broad buckets: network architecture and design; security maintenance; authentication, authorization and accounting; local administrator accounts and passwords; remote logging and monitoring; remote administration and network services; routing; interface ports, and; notification and consent banners.
NSA said it developed the guidance based upon its experience in assisting customers with evaluating their networks and providing recommendations to harden devices.
The report also makes reference to zero-trust architectures, a security model that assumes threats exist inside and outside the network and validates users, devices and data continuously. Guidance from the White House stipulates that all federal agencies must adopt such a security model, placing the utmost importance on it.
NSA states that it also fully supports the zero-trust model, but as system owners introduce new network designs to achieve more mature zero-trust principles, the guidance in the report might need to be modified.