You should use an out-of-band management network that is physically separate from the operational data flow network. Management of the network infrastructure devices must only come from this management network. This management network must not allow lateral management connections between devices. An out-of-band management network can mitigate threat actor TTPs. Your ACL strategy should be default-deny.
You should log all denied traffic. You should use router ACLs, stateful packet inspection, firewalls and DMZ constructs. You can also use VLANs for separation. DNS, web servers, and mail servers should be placed in a DMZ to segment them from the internal LAN and backend resources. Devices with similar purposes should be placed in the same VLAN.
Only allow device management from trusted devices on trusted networks. You should use end-to-end encryption as much as possible. You should use ACLs to control access to Virtual Teletype (VTY) lines. You should disable unnecessary discovery protocols. You should also only use TLS-capable protocols to secure data in transit.
Use public key-based certificates instead of self-signed certificates. You should disable IP source routing and SSH version 1. SSH should be configured with a 3072-bit RSA key and at least a 4096-bit Diffie-Hellman key size (group 16). Network segmentation can help to prevent the spread of ransomware.[^1] You should scan your network for open ports that aren’t supposed to be open.[^2]
You should deny inbound activity from known anonymization services.[^2] You should also perform regular audits of new user accounts and administrative user accounts.[^2] Keep network activity logs for at least 180 days in case of suspected compromise.[^2] High-visibility network engineering practices monitor, detect and understand traffic, user activity and data flow.[^3] You should store router and edge device configurations locally and push them to the devices.[^3]
Limit the exposure of network management traffic to the internet; it should originate from dedicated administrative workstations.[^3] Network defenses are pretty good at finding RAT connections or other malicious connections.[^4] Everything on your computer got there through a network at some point.[^4] The network is where things on the internet happen.[^4] The network is the final decision maker of whether a system is breached, whether data is exfiltrated, or whether social engineering could occur.[^4]
Proper network segmentation will limit an attacker’s ability to move laterally through the network.[^3] Security through network engineering involves controlling the environment in such a way that malicious behavior can’t take place, rather than searching out and stopping the malicious behavior.[^] When you block everything, in a zero-trust environment, you also block good services that can be misused.[^5] Conditional access policies based on IP addresses can prevent credential stealing or token theft from compromising an organization.[^5] You should monitor your home network, and disconnect any devices that are suspected of being compromised.[^5]
You should use software whitelists to prevent unauthorized applications from running.[^6] Network segmentation helps to prevent lateral movement.[^6] You need to know your network, your devices, your security technologies, and everything inside of it.[^7] Don’t assume that a crack in your system defenses is too small to be noticed or exploited.[^7] Network boundaries are amorphous due to work-from-home arrangements.[^7]
You should consider network segmentation and whitelisting.[^7] Don’t use system-wide credentials that are hard-coded into scripts or accessible on devices.[^7] You should only use modern protocols to keep passwords and passcodes out of plain text.[^7] Actually look at your logs; they will usually show any breaches.[^7] Application whitelisting makes things very difficult for attackers.[^7]
You should hash every piece of software that you want to execute on your machine and make sure that your computer isn’t the only computer that has ever run this software.[^7] You should limit administrator privileges, segment accesses, and enforce 2FA.[^7] Have an incident response plan and practice executing it.[^7] Your ability to operate and manage infrastructure is directly proportional to your effectiveness in a security engineering position.[^8] You should place all device management services in a dedicated out-of-band management network.[^9]
This network should not have any leakage to customer or peering VRFs and cannot initiate or receive sessions from data-plane or peering address space.[^9] You should also only allow approved IP addresses or jump servers.[^9] For SSH, HTTPS, SNMP, and TACACS+/RADIUS, you should only configure strong cryptographic cipher suites and reject all weak suites.[^9] Restrict write access to all folders that contain files served by a web server.[^10] Restrict access to all ports and administrative panels.[^10]
You can use Security-Enhanced Linux (SELinux) to help secure web servers.[^10] You can also use a WAF.[^10] Look for high usage rates of specific IP addresses, strange timestamps, and odd internal connections.[^10] Your logs should be protected, stored in a central location and integrated into a SIEM.[^10] Compare hashes of files on web servers to an offline known-good list.[^10]
Frequent large data transfers and abnormal encryption are potential IOCs.[^10] All internet-facing web servers should be deployed to a DMZ.[^10] This DMZ should have restricted outbound communications.[^10] Use a standalone Domain Controller for the DMZ if necessary.[^10] Use unique admin accounts for web servers.[^10]
Reset all credentials for the DMZ if a compromise is suspected, including the Kerberos master ticket for the Domain Controller.[^10] Also, if a compromise is detected, wipe the server and restore from a known-good source.[^10] Use application whitelisting on endpoint workstations.[^10] Use web and email filters to block messages from bad domains, sources, and addresses.[^10] Disable HTML formatting from being used in emails.[^10]
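The log indicators listed above (high usage rates from specific IP addresses, strange timestamps, odd internal connections, frequent large data transfers) as a small triage script. This is an added example, not code from the note or its sources; the key=value log format, the hosts, the working-hours window and the thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed firewall log lines (key=value, one event per line); not real data.
LOG_LINES = """\
2025-03-12T09:05:11Z src=10.1.1.5 dst=203.0.113.9 action=allow bytes=4213
2025-03-12T09:05:12Z src=10.1.1.5 dst=203.0.113.9 action=allow bytes=1800
2025-03-12T02:14:07Z src=10.1.1.23 dst=10.1.1.40 action=allow bytes=523000000
2025-03-12T02:14:09Z src=10.1.1.23 dst=198.51.100.7 action=allow bytes=910000000
2025-03-12T10:30:00Z src=10.1.2.77 dst=10.1.1.40 action=deny bytes=0
2025-03-12T10:30:01Z src=10.1.2.77 dst=10.1.1.41 action=deny bytes=0
2025-03-12T10:30:02Z src=10.1.2.77 dst=10.1.1.42 action=deny bytes=0
2025-03-12T10:30:03Z src=10.1.2.77 dst=10.1.1.43 action=deny bytes=0
""".splitlines()

WORK_HOURS = range(7, 19)           # 07:00-18:59 UTC is treated as normal (assumption)
DENY_THRESHOLD = 3                  # denies per source before it is flagged (assumption)
LARGE_TRANSFER = 500 * 1024 * 1024  # a single flow of 500 MiB or more (assumption)

def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with typed fields."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["bytes"] = int(event["bytes"])
    return event

def find_indicators(lines):
    """Return sources with repeated denies, sources active off-hours, and large flows."""
    events = [parse_line(line) for line in lines]
    denies = Counter(e["src"] for e in events if e["action"] == "deny")
    return {
        # one internal host repeatedly denied against several internal hosts
        "repeat_denied_sources": sorted(s for s, n in denies.items() if n >= DENY_THRESHOLD),
        # activity outside the expected working window
        "off_hours": sorted({e["src"] for e in events if e["time"].hour not in WORK_HOURS}),
        # single flows moving an unusually large amount of data
        "large_transfers": [(e["src"], e["dst"], e["bytes"])
                            for e in events if e["bytes"] >= LARGE_TRANSFER],
    }

if __name__ == "__main__":
    for kind, hits in find_indicators(LOG_LINES).items():
        print(f"{kind}: {hits}")
```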
Monitor email logs and firewall logs for indicators of a potential attack.[^10] Include DoD blacklists for known bad domains to filter out.[^10] Use a front-end and back-end email server to allow an extra layer of network protection.[^10] This prevents DoS attacks as web traffic is not allowed directly into the network.[^10] This front-end email server does not contain any user data.[^10]
Administrators should never be allowed to browse the internet or open any email program; this prevents the accidental click on or download of a malicious program.[^10] Ensure that user accounts are not a part of the local administrators group.[^10] Local administrator accounts should be denied network access.[^10] You should install a security patch within a week, before it becomes a threat to the organization.[^11] After each update performed on core computers, it is recommended to reset all passwords and have all users reconnect; this allows for easy identification of unwanted connections.[^11]
US National Security Systems should follow CNSS 15 and other policies, including Diffie-Hellman Group 16 with a 4096-bit Modular Exponential (MODP) modulus.
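A checker for the device-hardening points above (SSH version 2 only, 3072-bit RSA, 4096-bit DH / group 16, VTY access-class, no source routing, no CDP, no SNMP community strings, no Telnet) run over two constructed IOS-style config snippets, one weak and one hardened. This is an added example, not code from the note or its sources; the config text, the ACL name and the management subnet are constructed, and the `crypto key generate rsa` exec command is included as a config line only so the modulus can be checked alongside the rest.

```python
import re

# Constructed IOS-style config snippets (not from the source). The rsa line is
# an exec command, included here as text so the modulus size can be checked.
WEAK_CONFIG = """\
cdp run
ip ssh version 1
crypto key generate rsa modulus 1024
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
no ip source-route
no cdp run
ip ssh version 2
ip ssh dh min size 4096
crypto key generate rsa modulus 3072
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny any log
snmp-server group NETMON v3 priv
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""

# Lines that must be present: (regex, finding reported if absent).
REQUIRED = [
    (r"^no ip source-route", "IP source routing not disabled"),
    (r"^no cdp run", "CDP not disabled"),
    (r"^ip ssh version 2", "SSH not restricted to version 2"),
    (r"^ip ssh dh min size 4096", "SSH DH minimum below 4096 bits (group 16)"),
    (r"^crypto key generate rsa .*modulus (3072|4096)", "RSA modulus below 3072 bits"),
    (r"^ access-class \S+ in", "VTY lines lack an inbound access-class"),
]
# Lines that must not be present: (regex, finding reported if found).
FORBIDDEN = [
    (r"^ip ssh version 1", "SSH version 1 enabled"),
    (r"^snmp-server community ", "SNMP v1/v2c community string configured"),
    (r"^ transport input .*telnet", "Telnet permitted on VTY lines"),
]

def audit_ios_config(config: str) -> list[str]:
    lines = config.splitlines()
    def present(pat):
        return any(re.match(pat, line) for line in lines)
    return ([msg for pat, msg in REQUIRED if not present(pat)]
            + [msg for pat, msg in FORBIDDEN if present(pat)])
```

Run it against an exported running-config to get a list of findings; the hardened snippet returns an empty list.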
[[VTY Lines]]
[[SNMP]] – only use SNMP3 with encryption and authentication
[[Cisco Discovery Protocl (CDP)]]
[[Link Layer Discovery Protocol (LDP)]]
[[IP Source Routing]]
[[Network Flow]]
[[Security Information and Event Management (SIEM)]]
[[Cloud Computing]] – cloud computing is a fancy name for someone else’s computer
[[Network Topologies]]
[[Web Application Firewalls (WAF)]] – use a WAF to secure your website
Backlinks
[[Asymmetric Cryptography]]
[[C2 Servers]]
[[Centralized Logging]]
[[Cybersecurity]]
[[Data Exfiltration]]
[[Diffie-Hellman Key Exchange]]
[[Digital Signatures]]
DNS
[[Encryption]]
[[Firewall]]
[[Hash Function]]
[[HTTPS]]
IP Addresses
[[Kerberos]]
[[Linux]]
[[Man-in-the-Middle Attack]]
[[Multi-Factor Authentication]]
[[RSA Algorithm]]
[[Social Engineering]]
[[SSH]]
[[SSL]]
[[TLS]]
[[VLAN]]
[[Wireshark]]
Sources
[1] ic3_250312
[2] i3c_20316
[3] ic3_241203
[4] microsoft_ThreatIntelPodcast
[5] CyberwireDaily
[6] DissectingNSAsSixPhase
[7] joyceDisruptingNationState
[8] levinsonCCDCRealWorld2018
[9] DevelopmentTradecraftDOs
[10] “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” Aug. 2025. [Online]. Available: https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF
[11] “Enhanced Analysis of GRIZZLY STEPPE Activity.” NCCIC, Feb. 10, 2017.
[12] FoxKittenCampaign2020