How to make sure your network avoids security risks

When the Internet was created, security was not built in as a fundamental element of its infrastructure. This has created problems and vulnerabilities with a global reach, requiring infrastructure providers and managers, organizations, telecommunications companies and individuals to constantly enact measures that secure their communications.

For example, in 2008, security researcher Dan Kaminsky discovered a flaw in the design of the DNS protocol that allowed the creation of a whole category of vulnerabilities called DNS spoofing or cache poisoning.

More recently, in 2020, a BGP hijacking incident exposed a vulnerability in the Border Gateway Protocol, the gateway protocol that governs the exchange of packet routing information between different networks. Australian telecommunications provider Telstra redirected to its own networks traffic that should have gone to the encrypted email provider Protonmail.

These are just two examples of critical network protocol design issues that are sources of vulnerabilities. Therefore, it is always important to increase the security of your connectivity and your routing devices. This is especially true in times of the COVID-19 pandemic, which has increased internet usage across a diverse range of activities, from content streaming platforms and home-working, to the use of telemedicine, as well as other macro trends, such as the increase in the number of Internet of Things devices. Such trends underscore the urgency of implementing basic network security standards. 

Increasing the security of networks and communications 

Total security does not exist. We live in an environment of constant change, in which new vulnerabilities are discovered daily and work is always being done to patch and solve these security issues before an attacker can exploit them. Although it is not possible to achieve total protection, it is essential to take a proactive approach to network security, with two objectives:

1) Avoid basic security problems.

2) Be well positioned, in terms of infrastructure, processes and preparation, to evolve and react to changes in the security environment and threats.

As we have seen with the aforementioned vulnerability of the Border Gateway Protocol, routing incidents (hijacks, route leaks, spoofing, etc.) can make legitimate networks unreachable or divert their traffic to other destinations, creating a significant economic and security risk.

MANRS, which is supported by the Internet Society, is a global initiative that ensures security and efficiency in the exchange of routes between internet providers, with the aim of actively protecting the global network. This initiative helps reduce most of the common routing threats.

At Adam we understand that part of our responsibility is to contribute to a more robust, stable and secure internet. That is why we have been pioneers in this initiative in Spain, together with CATNIX, RedIRIS and Nexica.

To comply with the MANRS requirements, four actions must be carried out:

1. Prevent the propagation of incorrect routing information.

2. Prevent spoofed source IP traffic.

3. Facilitate communication and global coordination between network operators.

4. Facilitate the validation of routing information globally.

Resource Public Key Infrastructure (RPKI) is another framework for enhancing BGP security. As of March 2021, it had been implemented by only 18% of networks globally. In Spain, that figure rises to 33%, well above the 6% of the United States, but behind the 45% of France.
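To show what validating routing information with RPKI means in practice, the following added example (not code from Adam or MANRS) classifies BGP announcements with the standard route origin validation procedure (RFC 6811) and applies a drop-invalid import policy, which goes beyond what the text describes. The ROAs, prefixes and AS numbers are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    """Validated ROA payload: covering prefix, max prefix length, authorised origin AS."""
    prefix: object
    max_length: int
    asn: int

# Constructed sample ROAs using documentation prefixes and documentation ASNs.
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("2001:db8::/32"), 48, 64497),
]

def validate_origin(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"  # no ROA covers the prefix: RPKI says nothing about it
    for r in covering:
        # AS 0 in a ROA means "no AS may originate this prefix", so it never matches.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered, but wrong origin AS or more specific than allowed

def filter_announcements(announcements, roas=ROAS):
    """Apply a drop-invalid import policy; return (accepted, rejected) lists."""
    accepted, rejected = [], []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, roas)
        (rejected if state == "invalid" else accepted).append((prefix, origin, state))
    return accepted, rejected

# Constructed announcements, as (prefix, origin AS) pairs.
SAMPLE = [
    ("192.0.2.0/24", 64496),      # legitimate origin
    ("192.0.2.0/24", 64511),      # same prefix from an unauthorised AS
    ("192.0.2.128/25", 64496),    # right AS, but more specific than max length
    ("203.0.113.0/24", 64500),    # no covering ROA
    ("2001:db8:1::/48", 64497),   # IPv6 within max length
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE)
    for row in accepted: print("accept", *row)
    for row in rejected: print("reject", *row)
```

Announcements classified as not-found are accepted here because most of the routing table is still not covered by ROAs; only invalid ones are dropped.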

What companies can do to improve the security of their networks 

Remote or hybrid work is no longer an exceptional case, but a reality that is likely to stay. For teams in charge of managing networks and connectivity this is a challenge, as the points of contact are multiplying. Hotel, restaurant and distribution chains face similar challenges.

In both cases, the connectivity of their headquarters with the internet and the interconnection between the other elements are crucial for business continuity. Therefore, it is vital to invest in more robust security for these networks to avoid incidents.

Strengthening the security of your infrastructure is a continuous process that encompasses connectivity as well as the application and the social layer. With regard to working with networks, there are two major areas in which improvements can be made:

1) Adoption of best practices: in the end, the security of your networks depends above all on how you manage them. Strictly defining and adopting security best practices will allow you to be prepared for the most common security incidents and avoid mistakes that expose your networks to unnecessary risks. Since many attacks rely on social engineering, without exploiting any vulnerability, good process hygiene is essential.

2) Extend the security of your networks: you can strengthen the security of your connectivity with services such as VPN for remote work, firewalls, and the segmentation of networks with SD-WAN, which facilitates the compartmentalisation of networks to contain possible attacks.

At Adam we work night and day to offer our clients the best security solutions for their connectivity. We have recently launched two new services:

  • Network Manager Express VPN: installation of VPN routing and tunnelling equipment to establish connectivity through VPN in any of its formats between your customer sites and/or between your sites and Adam’s data centres.
  • Network Manager Managed Firewall: in addition to the routing and VPN tunnelling equipment, this service includes a firewall managed by one of our partners. The service consists of an initial audit and the implementation, installation, and management of the equipment, as well as monitoring services, incident management and provisions.

For clients with hybrid infrastructure and cloud services, we have implemented, together with our partner DE-CIX, the Cloud Connect service, which allows us to connect our clients with the different Public Cloud platforms through a private and guaranteed connection. This also includes Level 2, which enables excellent latencies and improved security and reliability levels. Additionally, we have services that provide direct peering between our centres and Microsoft Office 365 platforms.

Proactively improving network security prevents problems and incidents. It also improves the user experience of our clients by avoiding any service interruptions and security problems that may affect their data.

This article has been written by

Ferran Pons
Network Operations Center Area Coordinator