
This section of the ISM provides guidance on network design and configuration.

Network documentation

It is important that network documentation accurately depicts the current state of a network. This typically includes network devices such as firewalls, data diodes, intrusion detection and prevention systems, routers, switches, and critical servers and services. Furthermore, as this documentation could be used by an adversary to assist in compromising a network, it is important that it is appropriately protected.

Security Control: 0516; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices.

Security Control: 0518; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Network documentation is updated as network configuration changes are made and includes a ‘current as at [date]’ or equivalent statement.

Security Control: 1178; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Network documentation provided to a third party, or published in public tender documentation, only contains details necessary for other parties to undertake contractual services.

Network segmentation and segregation

Network segmentation and segregation is one of the most effective security controls to prevent an adversary from propagating through a network and accessing target information after they have gained initial access. Technologies to enforce network segmentation and segregation also contain logging functionality that can be valuable in detecting an intrusion and, in the event of a compromise, isolating compromised devices from the rest of a network.

Network segmentation and segregation involves separating a network into multiple functional network zones with a view to protecting important information and critical services. For example, one network zone may contain user workstations while another network zone contains authentication servers. Network segmentation and segregation also assists in the creation and maintenance of network access control lists.

Security Control: 1181; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Networks are divided into multiple functional network zones according to the sensitivity or criticality of information or services.

Security Control: 1577; Revision: 0; Updated: Jul-20; Applicability: O, P, S, TS
Organisation networks are segregated from service provider networks.

Using Virtual Local Area Networks

Virtual Local Area Networks (VLANs) can be used to implement network segmentation and segregation as long as the networks are all official networks or all the same classification. In such cases, if a data spill occurs between the networks the impact will be lesser than if a data spill occurred between two networks of different classifications or between an official or classified network and public network infrastructure.

For the purposes of this section, Multiprotocol Label Switching is considered to be equivalent to VLANs and is subject to the same controls.

Security Control: 1532; Revision: 1; Updated: Aug-19; Applicability: O, P, S, TS
VLANs are not used to separate network traffic between official or classified networks and public network infrastructure.

Security Control: 0529; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications.

Security Control: 1364; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
VLANs belonging to different security domains are terminated on separate physical network interfaces.

Security Control: 0535; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks.

Security Control: 0530; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Network devices implementing VLANs are managed from the most trusted network.
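
The following is an added worked example and is not part of the ISM or any vendor's documentation. It audits a constructed, IOS-style switch configuration against controls 1364 and 0535 by checking that no trunk or physical interface carries VLANs from more than one security domain. The VLAN-to-security-domain map, the interface names and the configuration lines are all assumptions made for illustration; in practice the map would come from the network documentation described above.

```python
"""Audit switch interfaces for VLANs that cross security domains (controls 1364 and 0535).

Added example, not ISM or vendor code. Config lines use an IOS-like syntax and
are constructed for illustration; other platforms need their own line patterns.
"""
import re

# Constructed: the security domain each VLAN belongs to (assumed to come from
# the organisation's network documentation).
VLAN_DOMAIN = {10: "OFFICIAL", 20: "OFFICIAL", 30: "PROTECTED", 31: "PROTECTED", 32: "PROTECTED"}

# Constructed sample configuration (IOS-style syntax, illustration only).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,30-32
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 30
interface GigabitEthernet1/0/4
 switchport mode trunk
 switchport trunk allowed vlan 30-32,99
interface GigabitEthernet1/0/5
 switchport mode trunk
"""


def parse_vlan_list(spec):
    """Expand a list such as '10,30-32' into the set {10, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {interface_name: {'mode': 'access'|'trunk', 'vlans': set()}}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = {"mode": "access", "vlans": set()}
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("switchport mode "):
            interfaces[current]["mode"] = line.split()[-1]
        elif line.startswith("switchport trunk allowed vlan "):
            interfaces[current]["vlans"] = parse_vlan_list(line[len("switchport trunk allowed vlan "):])
        elif line.startswith("switchport access vlan "):
            interfaces[current]["vlans"] = {int(line.split()[-1])}
    return interfaces


def audit(config, vlan_domain):
    """Return [(interface, finding)] for every interface that breaches the VLAN controls."""
    findings = []
    for name, iface in parse_interfaces(config).items():
        vlans = set(iface["vlans"])
        if iface["mode"] == "trunk" and not vlans:
            # An IOS trunk with no allowed-VLAN list carries every VLAN by default,
            # so it is treated as carrying every VLAN in the map.
            findings.append((name, "trunk has no allowed-VLAN list; carries all VLANs by default"))
            vlans = set(vlan_domain)
        unknown = sorted(v for v in vlans if v not in vlan_domain)
        if unknown:
            # A VLAN absent from the documentation cannot be shown to comply.
            findings.append((name, f"VLANs not in security-domain map: {unknown}"))
        domains = sorted({vlan_domain[v] for v in vlans if v in vlan_domain})
        if len(domains) > 1:
            findings.append((name, f"carries VLANs from more than one security domain: {domains}"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG, VLAN_DOMAIN):
        print(f"{iface}: {finding}")
```

Against the sample, GigabitEthernet1/0/2 is flagged for mixing OFFICIAL and PROTECTED VLANs on one trunk, GigabitEthernet1/0/4 for carrying an undocumented VLAN, and GigabitEthernet1/0/5 for a trunk whose allowed-VLAN list was never restricted. The last case is the one most often missed in manual review, because the configuration line that would reveal the problem is simply absent.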

Using Internet Protocol version 6

Internet Protocol version 6 (IPv6) functionality can introduce additional security risks to a network. As such, disabling IPv6 functionality until it is intended to be used will minimise the attack surface of the network and ensure that any IPv6 functionality that is not intended to be used cannot be exploited.

To aid in the transition from Internet Protocol version 4 (IPv4) to IPv6, numerous tunnelling protocols have been developed that are designed to allow interoperability between the protocols. Disabling IPv6 tunnelling protocols on network devices and ICT equipment that do not explicitly require such functionality will prevent an adversary from bypassing traditional network defences by encapsulating IPv6 data inside IPv4 packets, which IPv4-only filtering rules would otherwise pass without inspecting the IPv6 payload.

Stateless Address Autoconfiguration (SLAAC) is a method of stateless Internet Protocol (IP) address configuration in IPv6 networks. Because hosts generate their own addresses under SLAAC rather than obtaining them from a server that records each assignment, SLAAC reduces the ability of an organisation to maintain effective logs of IP address assignment on a network. For this reason, stateless IP addressing should be avoided.

Security Control: 0521; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
IPv6 functionality is disabled in dual-stack network devices and ICT equipment unless it is being used.

Security Control: 1186; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
IPv6 capable network security devices are used on IPv6 and dual-stack networks.

Security Control: 1428; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Unless explicitly required, IPv6 tunnelling is disabled on all network devices and ICT equipment.

Security Control: 1429; Revision: 2; Updated: Jan-20; Applicability: O, P, S, TS
IPv6 tunnelling is blocked by network security devices at externally-connected network boundaries.

Security Control: 1430; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease information stored in a centralised logging facility.
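
The following is an added worked example, not ISM code, illustrating controls 1428 and 1429. It classifies constructed IPv4 flow records using the indicators that distinguish the common transition tunnels, and emits nftables rules that would block them at an externally-connected boundary. The flow records, the CSV column names and the nftables table and chain names (inet filter, forward) are assumptions made for illustration.

```python
"""Detect IPv6 transition tunnels in IPv4 flow records (controls 1428 and 1429).

Added example, not ISM code. The flow records are constructed; a real deployment
would feed NetFlow/IPFIX or firewall logs through the same check.
Indicator facts used: 6in4, 6to4, 6rd and ISATAP carry IPv6 directly inside IPv4
using IP protocol 41; Teredo wraps IPv6 in UDP with server port 3544; and
192.88.99.0/24 is the historical 6to4 relay anycast prefix (RFC 3068, deprecated
by RFC 7526).
"""
import csv
import io
import ipaddress

SIXTO4_ANYCAST = ipaddress.ip_network("192.88.99.0/24")
TEREDO_PORT = 3544
PROTO_IPV6_ENCAP = 41
PROTO_GRE = 47
PROTO_UDP = 17

# Constructed sample flows: src,dst,proto,sport,dport (one IPv4 flow per line).
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport
10.1.2.3,198.51.100.7,41,0,0
10.1.2.4,203.0.113.9,17,51234,3544
10.1.2.5,192.88.99.1,41,0,0
10.1.2.6,203.0.113.20,6,44321,443
10.1.2.7,203.0.113.21,17,51000,53
10.1.2.8,203.0.113.22,47,0,0
"""


def classify(flow):
    """Return a tunnel label for one flow dict, or None for ordinary traffic."""
    proto = int(flow["proto"])
    dst = ipaddress.ip_address(flow["dst"])
    if proto == PROTO_IPV6_ENCAP:
        if dst in SIXTO4_ANYCAST:
            return "6to4 (IPv6-in-IPv4 to relay anycast)"
        return "IPv6-in-IPv4 (6in4/6rd/ISATAP)"
    if proto == PROTO_UDP and TEREDO_PORT in (int(flow["sport"]), int(flow["dport"])):
        # Catches Teredo client-to-server setup. Peer-to-peer Teredo traffic uses
        # ephemeral ports on both ends and needs payload inspection to identify.
        return "Teredo (IPv6-in-UDP)"
    if proto == PROTO_GRE:
        # GRE can carry IPv6 but also carries legitimate IPv4: flag for review only.
        return "GRE (may encapsulate IPv6; review)"
    return None


def find_tunnels(flow_csv):
    """Return [(src, dst, label)] for every flow that looks like a tunnel."""
    hits = []
    for flow in csv.DictReader(io.StringIO(flow_csv)):
        label = classify(flow)
        if label:
            hits.append((flow["src"], flow["dst"], label))
    return hits


def nft_block_rules(chain="forward"):
    """nftables commands enforcing control 1429 at a boundary.

    Assumes an existing 'inet filter' table with the named chain. The 'ip protocol'
    match only applies to IPv4 packets, which is exactly where the tunnels live.
    """
    return "\n".join([
        f"add rule inet filter {chain} ip protocol {PROTO_IPV6_ENCAP} counter drop",
        f"add rule inet filter {chain} udp dport {TEREDO_PORT} counter drop",
        f"add rule inet filter {chain} udp sport {TEREDO_PORT} counter drop",
    ])


if __name__ == "__main__":
    for src, dst, label in find_tunnels(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label}")
    print(nft_block_rules())
```

Blocking protocol 41 and UDP 3544 at the boundary covers the tunnels an adversary can stand up without any special infrastructure; the GRE case is deliberately reported rather than dropped, since the same match would also break legitimate IPv4-over-GRE links. Native IPv6 on a dual-stack boundary is a separate matter and is what control 1186 addresses.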

Network access controls

If an adversary has limited opportunities to connect to a network, they have limited opportunities to compromise that network. Network access controls not only prevent unauthorised access to a network but also prevent users from carelessly connecting a network to another network.

Network access controls are also useful in segregating information for specific users with a need-to-know or limiting the flow of information between network segments. For example, computer management traffic can be permitted between workstations and systems used for administration purposes but not permitted between standard user workstations.

Security Control: 0520; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS
Network access controls are implemented on networks to prevent the connection of unauthorised network devices.

Security Control: 1182; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Network access controls are implemented to limit traffic within and between network segments to only those that are required for business purposes.

Network device register

Maintaining and regularly auditing a register of authorised network devices can assist in determining whether devices such as switches, routers, wireless access points and internet dongles on a network or connected directly to workstations are rogue or not. The use of automated discovery and mapping tools can assist in this process.

Security Control: 1301; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS
A network device register is maintained and regularly audited.

Default accounts for network devices

Network devices can come pre-configured with default credentials. For example, wireless access points with an administrator account named ‘admin’ and a passphrase of ‘admin’ or ‘password’. Ensuring default accounts are disabled, renamed or have their passphrase changed can assist in reducing the likelihood of their exploitation by an adversary.

Security Control: 1304; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Default accounts for network devices are disabled, renamed or have their passphrase changed.

Disabling unused physical ports on network devices

Disabling unused physical ports on network devices such as switches, routers and wireless access points reduces the opportunity for an adversary to connect to a network if they can gain physical access to network devices.

Security Control: 0534; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Unused physical ports on network devices are disabled.

Functional separation between servers

Implementing functional separation between servers reduces the risk that a server compromised by an adversary can be used as a stepping stone to other servers.

Security Control: 0385; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS
Servers maintain effective functional separation with other servers allowing them to operate independently.

Security Control: 1479; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Servers minimise communications with other servers at both the network and file system level.

Management traffic

Implementing security measures specifically for management traffic provides another layer of defence on a network should an adversary find an opportunity to connect to that network. This also makes it more difficult for an adversary to enumerate a network.

Security Control: 1006; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS
Security measures are implemented to prevent unauthorised access to network management traffic.

Use of Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) can be used to monitor the status of network devices such as switches, routers and wireless access points. The first two versions of SNMP are inherently insecure: they authenticate with a community string that is sent in cleartext and is therefore trivially captured or guessed. In addition, all default SNMP community strings on network devices should be changed and access limited to read-only.

Security Control: 1311; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
SNMP version 1 and 2 are not used on networks.

Security Control: 1312; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
All default SNMP community strings on network devices are changed and have write access disabled.
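
The following is an added worked example, not ISM or vendor code, that checks a constructed IOS-style configuration against controls 1311 and 1312. The hostname, community strings, group and user names are assumptions made for illustration. The key point it encodes is that a community string line exists only to serve SNMPv1 and SNMPv2c, so its presence alone breaches control 1311 regardless of what the string is.

```python
"""Audit SNMP configuration lines against controls 1311 and 1312.

Added example, not ISM or vendor code. The configuration is constructed in an
IOS-like syntax; only 'snmp-server' lines are examined, so other platforms need
their own line patterns.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample configuration (illustration only; secrets redacted).
SAMPLE_CONFIG = """\
hostname core-sw1
snmp-server community public RO
snmp-server community private RW
snmp-server community m0n1t0r-only RO NMS-ACL
snmp-server group NMS-RO v3 priv read NMS-VIEW
snmp-server group LEGACY-V3 v3 noauth
snmp-server user nms NMS-RO v3 auth sha REDACTED priv aes 128 REDACTED
snmp-server host 10.20.30.40 version 3 priv nms
"""


def audit_snmp(config):
    """Return [(config_line, control, message)] for every SNMP finding.

    control is '1311', '1312' or 'advisory' (SNMPv3 without privacy is not
    covered by either control but leaves management data readable on the wire).
    """
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line, re.I)
        if m:
            community = m.group(1)
            access = (m.group(2) or "RO").upper()  # IOS defaults to read-only
            # Community strings are only used by SNMPv1/v2c, so the line itself
            # shows those versions are enabled.
            findings.append((line, "1311", "community string enables SNMPv1/v2c"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((line, "1312", f"default community string '{community}'"))
            if access == "RW":
                findings.append((line, "1312", "community has write access"))
            continue
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth|priv)", line, re.I)
        if m and m.group(2).lower() != "priv":
            findings.append((line, "advisory",
                             f"SNMPv3 group '{m.group(1)}' uses {m.group(2)}: no encryption"))
    return findings


def count_by_control(findings):
    """Summarise findings as {control: count}."""
    counts = {}
    for _, control, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


def is_compliant(config):
    """True only when no 1311 or 1312 finding is raised."""
    return not any(c in ("1311", "1312") for _, c, _ in audit_snmp(config))


if __name__ == "__main__":
    for line, control, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{control}] {message}: {line}")
```

Note that the third community line, with a non-default read-only string restricted by an access list, still fails control 1311: hardening a community string does not change the fact that it is an SNMPv1/v2c credential. Remediation is to remove all community lines and leave only the v3 group, user and host entries, with the group set to priv.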

Using Network-based Intrusion Detection and Prevention Systems

A Network-based Intrusion Detection System (NIDS) or Network-based Intrusion Prevention System (NIPS), when configured correctly and supported by suitable processes and resources, can be an effective way of identifying and responding to known intrusion profiles.

In addition, generating alerts for information flows that contravene any rule in a firewall rule set can help security personnel respond to suspicious or malicious traffic entering a network due to a failure of, or a configuration change to, a firewall.

Security Control: 1028; Revision: 7; Updated: Aug-20; Applicability: O, P, S, TS
NIDS or NIPS are deployed in all gateways between an organisation’s networks and other networks they do not manage.

Security Control: 1030; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS
NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets.

Security Control: 1185; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
When deploying NIDS or NIPS in non-internet gateways, they are configured to monitor unusual patterns of behaviour or traffic flows rather than internet-based communication protocol signatures.
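
The following is an added worked example, not ISM code, of the check behind control 1030. A sensor placed immediately inside the outermost firewall only sees traffic the firewall has already passed, so evaluating each observed flow against the intended rule set, first match wins with an implicit deny, exposes flows that a failed or misconfigured firewall let through. The rule set, addresses and observed flows are all constructed for illustration.

```python
"""Flag flows seen inside the outermost firewall that its rule set should have denied (control 1030).

Added example, not ISM code. Rules and observed flows are constructed for
illustration; in production the flows would come from the NIDS sensor and the
rule set from the firewall's intended (documented) configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, flow):
        return (ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", flow["proto"])
                and self.dport in (None, flow["dport"]))


# Constructed rule set for an internet gateway: first match wins, implicit deny.
RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),  # public web server
    Rule("allow", "0.0.0.0/0", "203.0.113.11/32", "udp", 53),   # authoritative DNS
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any", None),       # nothing inbound to internal ranges
]

# Constructed flows as a sensor immediately inside the outermost firewall would record them.
OBSERVED = [
    {"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"src": "198.51.100.6", "dst": "203.0.113.11", "proto": "udp", "dport": 53},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 22},
    {"src": "198.51.100.8", "dst": "10.20.1.15", "proto": "tcp", "dport": 3389},
]


def verdict(rules, flow):
    """Return (action, rule_index) for the first matching rule, or ('deny', None) if none match."""
    for i, rule in enumerate(rules):
        if rule.matches(flow):
            return rule.action, i
    return "deny", None


def contraventions(rules, flows):
    """Return [(flow, reason)] for observed flows the rule set says must not pass.

    Any such flow is, by construction, evidence that the firewall did not enforce
    its rule set: it should be logged and alerted on, not just counted.
    """
    alerts = []
    for flow in flows:
        action, idx = verdict(rules, flow)
        if action == "deny":
            reason = f"rule {idx}" if idx is not None else "implicit deny"
            alerts.append((flow, reason))
    return alerts


if __name__ == "__main__":
    for flow, reason in contraventions(RULES, OBSERVED):
        print(f"ALERT {flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']} "
              f"should have been dropped ({reason})")
```

Against the sample, SSH to the web server is caught by the implicit deny and RDP to an internal host by the explicit deny rule, while the two permitted services produce no alert. The value of the check depends on the rule set being the documented, intended one rather than a copy pulled from the device: if the firewall has been misconfigured, the live configuration is exactly what cannot be trusted.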

Further information

Further information on wireless networks can be found in the wireless networks section of these guidelines.

Further information on functional separation of servers using virtualisation can be found in the virtualisation hardening section of the Guidelines for System Hardening.

Further information on implementing network segmentation and segregation for administration purposes can be found in the system administration section of the Guidelines for System Management.

Further information on event logging and auditing can be found in the event logging and auditing section of the Guidelines for System Monitoring.

Further information on gateways can be found in the Guidelines for Gateways.

Further information on network segmentation and segregation can be found in the Australian Cyber Security Centre (ACSC)’s Implementing Network Segmentation and Segregation publication at https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-network-segmentation-and-segregation.

Further information on network plans can be found in the United States’ National Security Agency’s Manageable Network Plan Guide (version 4.0) publication at https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/networks/manageable-network-plan.cfm.