Best Practices to Secure a Distributed Network Infrastructure
Best Practices to Secure a Distributed Network Infrastructure
In the post-pandemic era, more and more employees are forced to work
primarily from home, thus the way people get connected and the way people
accessing corporate resources has changed forever. Now that the network
perimeter is no longer fixed in the office, securing a distributed network
infrastructure to support a more fluid type of working has become a challenge
for IT professionals.
A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Administrators should implement the following recommendations to secure your network infrastructure
1. Secure setup for restricted remote management
- When possible, disable the access from HTTP, HTTPS, PING, SSH, SSL VPN, and TELNET services to your firewall
Default_Allow_WAN_To_ZyWALL and remove all unnecessary services
- Restrict access from trusted host
If you allow the remote access for Web management and SSL VPN service, Zyxel firewall auto scans your current device settings and returns security warning windows after login if the security risk found. To reduce the attack surface:
- Restrict access to trusted hosts/geolocations only. Change the service's
listening port to a non-standard port number
- Configure 2FA authentication for your administrative login will add extra layer of security Zyxel firewalls support 2FA for VPN connection and admin access. Here it is the tutorial about how to implement 2FA feature Case 1: 2FA for SSL VPN connection Case 2: 2FA for admin access
2. Privilege account control, monitoring, and alerts
- Keep monitoring all the user accounts on your device.
- Be aware of built-in and user-defined users account:
Built-in user account: created by device helps you get access the device
(admin account) or easily manage the external and guest users
(ad-users/ldap-users/radius-user/ ua-users). These users can’t be deleted.
User-defined user account: created by device administrator, and can be
modified or deleted.
- Privileged accounts should be monitored and reviewed continuously in order
to identify outsiders leveraging stolen credentials. Remove unused and
unauthorized accounts, and limit the administrative account to as few people as
Zyxel device separates local administrator and other users (local user, external user, limited administrator) into two tables for simple privileged access management. With local administrator, you can setup and monitor the password expiration date.
- Detect the suspicious account by scanning the user name or create date. If you found any unknown account on your device, review and adjust your security settings to keep your network secure.
- Keep an eye on login user
Zyxel device provides the login users page helps administrator easily discovers information of the current login users, like username, IP address, access type, and physical location
-Monitor > System Status > Login Users
- Setup email alert for suspicious login activity
Zyxel device also supports to send email alert if user account changes or suspicious login activities are detected.
- Go to Configuration > Log & Report > Log Settings, configure mail server,
sender and recipient email address
- Then enable alert for User log category
Here is an example of email alert device notifies user for a suspicious login activity
3. Periodical reminder for admin password change
recommended to change administrator account passwords regularly. Not only
enforce local administrator to change their password periodically, but Zyxel
device also is able to check the new password must meet complexity requirements
- Configuration > Object > User/Group > Setting
Local administrator will get the notification about the last password change and expiration date when login
4. Firmware upgrade push and alert (patch, patch, patch)
An essential part of keeping your infrastructure safe from cyber threats is to ensure device firmware always up to date.
shows notification icon on Web GUI once a new firmware is available. You can
click to the icon to read the new enhancements before deciding to upgrade
- Maintenance > File Manager > Firmware Management
5. Use Two-Factor Authentication (2FA)
2FA is an extra layer of security to the authentication process by making it harder for attackers to gain access your network, even if the victim's password is hacked. With 2FA, users must not only enter username/password but also submit the verification code to get the access. Zyxel devices provide 2FA for local administrator, local user and VPN access.
- Local administrator and users can select either Google Authenticator or
Email/SMS to retrieve their verification code
-Configuration > Object > User/Group > User
For administrator, you can apply 2FA for Web, SSH, and Telnet accesses-Configuration > Object > Auth. Method > Two-factor Authentication
VPN users can get the authorized link URL with verification code via Email/SMS for SSL, IPSec, and L2TP/IPSec VPN accesses.
-Configuration > Object > Auth. Method > Two-factor Authentication
6. Back up the device configuration
We recommend that you schedule the device configuration backups for that period. With backups of the configuration file, you can quickly replace the functionality of a piece of network equipment after a failure.
Zyxel device offers fully automated configuration backup, it is able to send a backup of running configuration by mail at scheduled times. Device also can encrypt configuration file in a ZIP file with a user-defined password.
-Maintenance > File Manager > Configuration File > Schedule Backup
You also manually select specific configuration file to download or send
-Maintenance > File Manager > Configuration File > Configuration
- 6K All Categories
- 1.2K Nebula
- 16 Nebula Ideas
- 13 Nebula Status and Incidents
- 3.4K Security
- 186 Security Ideas
- 598 Switch
- 24 Switch Ideas
- 428 WirelessLAN
- 6 WLAN Ideas
- 4.2K Consumer Product
- 56 Service & License
- 191 New and Release
- 46 Stories
- 24 Security Advisories
- 452 FAQ
- 209 Nebula FAQ
- 99 Security FAQ
- 65 Switch FAQ
- 63 WirelessLAN FAQ
- 20 Nebula Monthly Express
- 32 About Community
- 20 Security Highlight