Network & Infrastructure Security¶
This one is for the people who run Holmes' networks and servers, not general staff. It sets how networks, wireless, firewalls, servers, and Active Directory are hardened, with weight on the weaknesses that matter most: old authentication protocols, a flat internal network, and services accidentally exposed to the internet.
1. Network devices and segmentation¶
| Ref | Requirement |
|---|---|
| NET.1 | Network devices MUST be hardened to a current benchmark: encrypted management protocols only, management plane restricted by ACL, unique credentials per device, secure time sync, unnecessary services disabled. |
| NET.2 | Telnet and other cleartext management protocols MUST NOT be used. |
| NET.3 | The internal network MUST be segmented, separating at least servers from workstations, guest access, and operational or lab technology such as test equipment, on a risk-prioritised, phased basis. |
| NET.4 | Unauthorised devices SHOULD be prevented from gaining useful network access (network access control or equivalent). Where full NAC isn't justified, the residual risk MUST be documented and accepted by the CIO. |
A flat internal network lets an attacker who reaches one device reach many. Segmentation (NET.3) and device-level access control (NET.4) contain that. Where NAC isn't justified on cost, NET.4 requires the decision to be recorded and accepted, not left implicit.
2. Legacy protocol hygiene¶
| Ref | Requirement |
|---|---|
| NET.5 | Prohibited legacy protocols MUST be disabled across the environment, and the list reviewed at each policy review. The current list: NTLMv1 and LM (enforce NTLMv2-only, refuse LM and NTLM), LLMNR, mDNS where not required, and SMBv1. |
These protocols leak credentials or enable poisoning attacks and have modern replacements. The list is reviewed each cycle so it keeps pace as new weak protocols are identified.
3. Wireless¶
| Ref | Requirement |
|---|---|
| NET.6 | Wi-Fi MUST be installed and maintained by an approved team or vendor, using approved authentication and encryption (WPA2-Enterprise minimum, WPA3 target). |
| NET.7 | Corporate Wi-Fi SHOULD authenticate devices by certificate rather than AD credentials, to remove the rogue-access-point credential-harvesting risk. |
| NET.8 | Guest Wi-Fi MUST be isolated from the corporate network. |
4. Firewalls and perimeter¶
| Ref | Requirement |
|---|---|
| NET.9 | Firewalls MUST default to deny. Permitted paths MUST be documented with justification, logged, and changed only through change management. |
| NET.10 | Firewall rules MUST be reviewed at least annually and strength-tested regularly (10). |
| NET.11 | Administrative access to firewalls MUST be limited to a few trained people, with unique credentials per device, and firewalls physically secured (13). |
| NET.12 | Internet-facing services MUST be inventoried and justified. Anything unneeded MUST be decommissioned or restricted by source IP or VPN. Web applications SHOULD sit behind a WAF or CDN. |
An inventory of internet-facing services (NET.12) is how accidental exposure gets found and closed, rather than discovered by an attacker or an external test.
5. Server and infrastructure hardening¶
| Ref | Requirement |
|---|---|
| NET.13 | Servers MUST be built from hardened baselines, with unnecessary functions, services, and interfaces removed. |
| NET.14 | End-of-life operating systems MUST be on a migration roadmap prioritising internet-accessible and broadly-accessible hosts (10). |
| NET.15 | The certificate authority and PKI MUST be configured to prevent privilege escalation via templates: no requester-supplied subject names with client-auth use without approval and monitoring (03 IAM.27). |
6. Monitoring¶
Network and infrastructure detection is covered centrally in 11 Logging, Monitoring & Detection, which uses endpoint and identity detection and response with automated containment rather than manual log review.
7. Legal & jurisdictional notes¶
There's no direct statutory driver, but segmentation (NET.3) and legacy-protocol hardening (NET.5) are the controls that most limit the blast radius of a breach, which affects whether an incident becomes notifiable (12). Reducing internet-facing services (NET.12) also shrinks the external attack surface that OSINT and client due diligence will scrutinise.
Related policies¶
00 Framework, 03 Identity & Access, 10 Vulnerability & Patch Management, 11 Logging & Monitoring, 13 Physical Security.