📖 Secure Configuration Benchmarks
Hardening your systems begins with baseline configurations:
- CIS Benchmarks: Well-documented, community-driven secure configuration standards for OS, browsers, servers, and cloud platforms.
- NIST National Checklist Program: Offers federal-level security configurations.
- DoD STIGs: Department of Defense configurations for government systems.
- Vendor templates: Microsoft, Cisco, AWS, etc. publish secure baseline guides for their platforms.
🔧 Hardening Concepts
Hardening builds on those secure baselines. Learn more about secure configurations on Application Security Techniques.
- Least functionality: Disable unused services and ports.
- Baseline configuration: Establish an approved starting point and audit against it with tools like SCAP or Group Policy.
- Templates: Use system roles (e.g., Web Server, Database Server) to apply consistent permissions and services.
- Immutable infrastructure: Deploy new instances rather than modifying live systems.
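As an added example (not from the original page), the following audit compares a host snapshot with its role template and reports deviations; the role templates, hostnames, ports and service names are constructed sample data, not a real CIS or STIG benchmark:

```python
"""Baseline audit: compare a host snapshot against its role template."""
from dataclasses import dataclass

# Constructed role templates: the only listening TCP ports and enabled
# services each role is approved to run (the "approved starting point").
ROLE_TEMPLATES = {
    "Web Server": {"ports": {22, 80, 443}, "services": {"sshd", "nginx"}},
    "Database Server": {"ports": {22, 5432}, "services": {"sshd", "postgresql"}},
}


@dataclass
class HostSnapshot:
    hostname: str
    role: str
    listening_ports: set[int]
    enabled_services: set[str]


def audit(host: HostSnapshot) -> list[str]:
    """Return one finding per deviation from the host's role template."""
    template = ROLE_TEMPLATES[host.role]
    findings = []
    # Least functionality: anything listening that the role does not need.
    for port in sorted(host.listening_ports - template["ports"]):
        findings.append(f"{host.hostname}: unexpected listening port {port}")
    for svc in sorted(host.enabled_services - template["services"]):
        findings.append(f"{host.hostname}: unapproved service enabled: {svc}")
    # Drift the other way: an approved service that should be running is not.
    for svc in sorted(template["services"] - host.enabled_services):
        findings.append(f"{host.hostname}: required service not enabled: {svc}")
    return findings


# Constructed snapshot of a web server that has telnet and an FTP daemon
# enabled and nginx stopped, so it drifts from the template in both ways.
SAMPLE_HOST = HostSnapshot(
    hostname="web01",
    role="Web Server",
    listening_ports={21, 22, 23, 80, 443},
    enabled_services={"sshd", "telnetd", "vsftpd"},
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOST):
        print(finding)
```

In practice the snapshot would be filled from the host itself (for example the output of `ss -ltn` and `systemctl list-unit-files`) and the templates from the benchmark you adopted.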
📶 Wireless Authentication and Security
Modern Wi-Fi standards have evolved to support stronger authentication and encryption. Learn more about wireless security on Cisco.
- WPA3: Latest Wi-Fi security standard, supporting SAE (Simultaneous Authentication of Equals) for authentication.
- WPA2-Enterprise: Uses 802.1X and RADIUS servers for credential-based authentication.
- EAP methods: EAP-TLS, PEAP, and EAP-FAST secure the authentication exchange between clients and authentication servers.
- Evil twin prevention: Monitor for rogue SSIDs and enforce network isolation.
- Disassociation protection: Use management frame protection (802.11w) to resist deauthentication attacks.
🔍 Network Access Control (NAC)
NAC ensures that only healthy, compliant devices are allowed on the network:
- Agent-based NAC: Installs software on endpoints to check compliance (AV, patch level).
- Agentless NAC: Uses network scans or integrations with DHCP to identify devices.
- Dynamic VLANs: Assign users to isolated or trusted segments based on role or compliance.
- Posture checking: Validates endpoint health before granting full access.
- Quarantine networks: Redirect noncompliant devices to a remediation zone.
🛡️ Network Security Monitoring
Monitoring tools provide visibility into network traffic and allow for detection and response. Learn more about network monitoring on SolarWinds.
- IDS: Intrusion Detection System — alerts on suspicious activity but does not block. Learn more about IDS on Wikipedia.
- IPS: Intrusion Prevention System — blocks malicious traffic in real time. Learn more about IPS on Palo Alto Networks.
- Next-Gen Firewall (NGFW): Combines traditional firewall with content filtering, app control, and threat intel.
- UTM (Unified Threat Management): Appliance offering AV, firewall, IDS/IPS, and email filtering in one box.
- Port mirroring/taps: Copy traffic to a monitoring interface for analysis via packet capture tools (e.g., Wireshark).
🌐 Web Filtering
Web filtering protects users from malicious or inappropriate content. Learn more about web filtering on Forcepoint.
- SWG (Secure Web Gateway): Cloud or on-prem proxy that filters malware, botnet traffic, and inappropriate content.
- Reputation-based filtering: Blocks URLs or IPs with a known-bad history (e.g., PhishTank, Cisco Umbrella).
- Keyword filtering: Blocks pages containing certain keywords (e.g., gambling, hate speech).
- Agent-based filtering: Deployed to mobile and remote devices for off-network enforcement.