Security Principles
Working with Hardening
Hardening a network is not a simple one-time tick-the-box exercise. It takes time, effort and continuous consideration of what should be secured and why.
Dynamic Network Environment
Network environments are inherently dynamic, which makes it difficult to perform a “one-and-done” hardening. Examples that contribute to a dynamic network environment include:
- Evolving threat landscape – new creative ways to break things on purpose
- Changes being performed to network design or environment – no network is static
- Feature releases containing new security capabilities applicable for hardening – new cool features
Feature releases including new security capabilities are developed to respond to the evolving threat landscape. Therefore, it is important to evaluate both currently implemented and new security capabilities on a regular basis.
Proactive Hardening & Attack Surface Reduction
Proactive hardening refers to securing components before any incident occurs. It involves configuring components to minimize potential weaknesses—such as disabling unused services, enforcing strong access controls, and removing default credentials. These measures are implemented in advance to prevent exploitation and ensure resilience against both internal and external threats.
Attack surface reduction is a key outcome of hardening. The attack surface includes all the points where an unauthorized user could attempt to gain access or extract data. By limiting exposed interfaces, restricting access, and eliminating unnecessary functions, the risk of threats such as unauthorized access, misconfigurations, or exploitation of outdated software is significantly reduced.
Use of Secure Protocols
Secure communication protocols are fundamental to protecting data as it travels across networks. These protocols are designed to ensure that information remains confidential, unaltered, and accessible only to authorized parties. They achieve this through mechanisms such as encryption, authentication, and integrity checks.
Confidentiality ensures that data is not readable by unauthorized individuals. This is typically achieved through encryption, which transforms readable data into a format that can only be interpreted by those with the correct decryption key. Integrity guarantees that the data has not been tampered with during transmission, often using cryptographic hashes or checksums. Authentication verifies the identity of the sender and/or receiver, ensuring that communication is taking place between trusted parties.
Protocols such as HTTPS, TLS, SSH, and IPsec are widely used to secure web traffic, remote access, and network communications. These protocols are essential when transmitting sensitive information, especially over public or untrusted networks like the Internet.
However, not all protocols offer these protections by default. Legacy or unencrypted protocols such as HTTP, FTP, and Telnet transmit data in plain text, making them vulnerable to a range of security threats. These include eavesdropping, where attackers intercept and read data; man-in-the-middle attacks, where data is altered or redirected; and spoofing, where attackers impersonate legitimate users or systems.
Risk should be evaluated where secure protocols are not available or cannot be used. Risk reduction in legacy systems can include, for example, stronger access controls, logging and monitoring, and stricter segmentation. One common approach is to use VPNs or tunnels, which create secure communication channels between networks or devices; however, this is not a solution for all use cases.
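The attack surface reduction and secure protocol guidance above can be turned into a repeatable check. The following is an added example, not WeOS code: it runs over a constructed service inventory, flags enabled services that are unused, flags plaintext protocols (Telnet, FTP, HTTP) that can be replaced by their secure counterpart, and for a legacy protocol that cannot be replaced lists the compensating controls instead. The `Service` fields and the inventory are assumptions for illustration.

```python
# Hardening check over a service inventory (added example; constructed data, not WeOS code).
from dataclasses import dataclass

# Plaintext protocols named in the text, each with the secure protocol that replaces it.
PLAINTEXT_ALTERNATIVES = {"telnet": "ssh", "ftp": "sftp or ftps", "http": "https"}

# Risk reduction for a legacy protocol that genuinely cannot be replaced.
COMPENSATING_CONTROLS = (
    "stricter segmentation: reachable only from the management network",
    "stronger access controls: individual accounts, no default credentials",
    "logging and monitoring of every session",
)

@dataclass
class Service:                # hypothetical inventory record, one per listening service
    name: str                 # lowercase protocol name
    port: int
    enabled: bool
    in_use: bool              # does anything legitimately depend on it?
    replaceable: bool = True  # can it be swapped for its secure alternative?

def assess(inventory):
    """Return (name, port, severity, actions) for each enabled service that enlarges the attack surface."""
    findings = []
    for svc in inventory:
        if not svc.enabled:
            continue
        if not svc.in_use:                      # unused service: remove it outright
            findings.append((svc.name, svc.port, "high", ("disable unused service",)))
            continue
        alt = PLAINTEXT_ALTERNATIVES.get(svc.name)
        if alt is None:
            continue                            # secure protocol, nothing to flag
        if svc.replaceable:
            findings.append((svc.name, svc.port, "high", (f"disable {svc.name}, use {alt}",)))
        else:                                   # legacy system: reduce the risk instead
            findings.append((svc.name, svc.port, "medium", COMPENSATING_CONTROLS))
    return findings

# Constructed inventory of one device's management interface.
SAMPLE = [
    Service("ssh", 22, True, True),
    Service("telnet", 23, True, True),
    Service("http", 80, True, True, replaceable=False),
    Service("https", 443, True, True),
    Service("ftp", 21, True, False),
]

if __name__ == "__main__":
    for name, port, severity, actions in assess(SAMPLE):
        print(f"{severity:6} {name}/{port}: " + "; ".join(actions))
```

Running it on the sample reports Telnet as replaceable by SSH, HTTP as a legacy service needing compensating controls, and FTP as an unused service to disable; SSH and HTTPS produce no finding.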
WeOS