Wash your hands, brush your teeth, take your vitamins, and secure your network.
Article by Eric Geier in Network World.
Emphasis in red added by me.
Brian Wood, VP Marketing
8 ways to improve wired network security
We sometimes focus more on the wireless side of the network when it comes to security because Wi-Fi has no physical fences. After all, a war-driver can detect your SSID and launch an attack while sitting out in the parking lot.
But in a world of insider threats, targeted attacks from outside, as well as hackers who use social engineering to gain physical access to corporate networks, the security of the wired portion of the network should also be top of mind.
So, here are some basic security precautions you can take for the wired side of the network, whether you’re a small business or a large enterprise.
1. Perform auditing and mapping
If you haven’t recently, you should do some auditing and mapping of your network. Always have a clear understanding of the entire network’s infrastructure, for instance the vendor/model, location, and basic configuration of firewalls, routers, switches, Ethernet cabling and ports, and wireless access points. Plus know exactly what servers, computers, printers, and any other devices are connected, where they are connected, and their connectivity path throughout the network.
During your auditing and mapping you might find specific security vulnerabilities or ways in which you could increase security, performance and reliability. Maybe you’ll run across an incorrectly configured firewall or maybe physical security threats.
If you’re working with a small network with just a few network components and a dozen or less workstations you might just manually perform the audit and create a visual map on a sheet of a paper. For larger networks you might find auditing and mapping programs useful. They can scan the network and start to produce a network map or diagram.
2. Keep the network up-to-date
Once you have a basic network audit and map complete, consider diving deeper. Check for firmware or software updates on all network infrastructure components. Login to the components to ensure default passwords have been changed, review the settings for any insecure configuration, and look into any other security features or functionality you currently aren’t using.
Next take a look at all the computers and devices connected to the network. Ensure the basics are taken care of, such as OS and driver updates, personal firewalls are active, the antivirus is running and updated, and passwords are set.
3. Physically secure the network
Although often overlooked or minimized, the physical security of the network can be just as crucial as say your Internet facing firewall. Just as you need to protect against hackers, bots and viruses, you need to protect against local threats, too.
Without strong physical security of your building and network, a nearby hacker or even an employee could take advantage of it. For instance, maybe they plug a wireless router into an open Ethernet port, giving them and anyone else nearby wireless access to your network. But if that Ethernet port wasn’t visible or at least disconnected, then that wouldn’t have happened.
Ensure you have a good building security plan in place to try and prevent outsiders from entering. Then ensure all wiring closets and/or other places where the network infrastructure components are placed have been physically secured from both the public and employees. Use door and cabinet locks. Verify that Ethernet cabling is run out of sight and isn’t easily accessible; the same with wireless access points. Disconnect unused Ethernet ports, physically or via switch/router configuration, especially those in the public areas of the building.
4. Consider MAC address filtering
One major security issue of the wired side of network is the lack of a quick and easy authentication and/or encryption method; people can just plug in and use the network. On the wireless side you have at least WPA2-Personal (PSK) that’s easy to deploy.
Although MAC address filtering can be bypassed by a determined hacker, it can serve as the first layer of security. It won’t completely stop a hacker, but it can help you prevent an employee, for instance, from causing a potentially serious security hole, like allowing a guest to plug into the private network. It can also give you more control over which devices are on the network. But don’t let it give you a false sense of security, and be prepared to keep the approved MAC address list up-to-date.
5. Implement VLANs to segregate traffic
If you’re working with a smaller network that hasn’t yet been segmented into virtual LANs, consider making the change. You can utilize VLANs to group Ethernet ports, wireless access points, and users among multiple virtual networks.
Perhaps use VLANs to separate the network by traffic type (general access, VoIP, SAN, DMZ) for performance or design reasons and/or user type (employees, management, guests) for security reasons. VLANs are especially useful when configured for dynamic assignment. For instance, you could plug in your laptop anywhere on the network or via Wi-Fi and automatically be put onto your assigned VLAN. This can be achieved via MAC address tagging or a more secure option would be to use 802.1X authentication.
To use VLANs, your router and switches must support it: look for the IEEE 802.1Q support in the product specs. And for wireless access points, you’ll likely want those that support both VLAN tagging and multiple SSIDs. With multiple SSIDs you have the ability to offer multiple virtual WLANs that can be assigned to a certain VLAN.
6. Use 802.1X for authentication
Authentication and encryption on the wired side of the network are often ignored due to the complexity involved. It’s IT common sense to encrypt wireless connections, but don’t forget or ignore the wired side. A local hacker could possibly plug into your network with nothing stopping them from sending or receiving.
Though deploying 802.1X authentication wouldn’t encrypt the Ethernet traffic, it would at least stop them from sending on the network or accessing any resources until they’ve provided login credentials. And you can utilize the authentication on the wireless side as well, to implement enterprise-level WPA2 security with AES encryption, which has many benefits over using the personal-level (PSK) of WPA2.
Another great benefit of 802.1X authentication is the ability to dynamically assign users to VLANs.
To deploy 802.1X authentication you first need a Remote Authentication Dial-In User Service (RADIUS) server, which basically serves as the user database and is the component that authorizes/denies the network access. If you have a Windows Server you already have a RADIUS server: the Network Policy Server (NPS) role; or in older Windows Server versions it’s the Internet Authentication Service (IAS) role. If you don’t have a server already you could consider standalone RADIUS servers.
For more about 802.1X authentication, check out two of my previous articles: 6 secrets to a successful 802.1X rollout and 8 no cost/low cost tools for deploying 802.1X security.
7. Use VPNs to encrypt select PCs or servers
If you’re really looking to secure network traffic, consider using encryption. Remember even with VLANs and 802.1X authentication, someone can eavesdrop on the network (VLAN) to capture unencrypted traffic that could include passwords, emails and documents.
Although you can encrypt all the traffic, first analyze your network. It might make more sense to just encrypt select communications you deem the most sensitive that isn’t already encrypted, such as through SSL/HTTPS. You can pass the sensitive traffic through a standard VPN on the client, which could be used just during the sensitive communication or forced to be used all the time.
8. Encrypt the entire network
You can also encrypt an entire network. One option is IPsec. A Windows Server can serve as the IPsec server and the client capability is natively supported by Windows as well. However, the encryption process can be quite an overhead burden on the network; effective throughput rates can drop dramatically. There are also proprietary network encryption solutions out there from networking vendors, many of which use a Layer 2 approach instead of Layer 3 like IPsec to help with reducing latency and overhead.