{"id":122,"date":"2015-04-09T00:36:07","date_gmt":"2015-04-08T22:36:07","guid":{"rendered":"http:\/\/hentati.org\/?p=122"},"modified":"2020-12-06T20:40:33","modified_gmt":"2020-12-06T19:40:33","slug":"how-can-we-improve-wired-network-security","status":"publish","type":"post","link":"https:\/\/hentati.org\/index.php\/2015\/04\/09\/how-can-we-improve-wired-network-security\/","title":{"rendered":"How can we improve wired network security"},"content":{"rendered":"<p><span style=\"color: #000000;\">We sometimes focus more on the wireless side of the network when it comes to security because\u00a0Wi-Fi\u00a0has no physical fences. After all, a war-driver can detect your SSID and launch an attack while sitting out in the parking lot.<\/span><\/p>\n<p><span style=\"color: #000000;\">But in a world of insider threats, targeted attacks from outside, as well as hackers who use social engineering to gain physical access to corporate\u00a0networks, the security of the wired portion of the network should also be top of mind.<\/span><\/p>\n<p><span style=\"color: #000000;\">So, here are some basic security precautions you can take for the wired side of the network, whether you\u2019re a small business or a large enterprise.<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol>\n<li><span style=\"color: #000000;\"><strong> Perform auditing and mapping<\/strong><\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">If you haven\u2019t recently, you should do some auditing and mapping of your network. Always have a clear understanding of the entire network\u2019s infrastructure, for instance the vendor\/model, location, and basic configuration of firewalls, routers, switches, Ethernet cabling and ports, and wireless access points. 
Plus know exactly what servers, computers, printers, and any other devices are connected, where they are connected, and their connectivity path throughout the network.<\/span><\/p>\n<p><span style=\"color: #000000;\">During your auditing and mapping you might find specific security vulnerabilities or ways in which you could increase security, performance and reliability. Maybe you\u2019ll run across an incorrectly configured firewall, or a physical security weakness such as an unlocked wiring closet.<\/span><\/p>\n<p><span style=\"color: #000000;\">If you\u2019re working with a small network with just a few network components and a dozen or fewer workstations, you might just manually perform the audit and create a visual map on a sheet of paper. For larger networks you might find auditing and mapping programs useful. They can scan the network and start to produce a network map or diagram, and their output can be compared with the previous scan so that a new or moved device stands out.<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"2\">\n<li><span style=\"color: #000000;\"><strong> Keep the network up-to-date<\/strong><\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">Once you have a basic network audit and map complete, consider diving deeper. Check for firmware or software updates on all network infrastructure components. Log in to the components to ensure default passwords have been changed, review the settings for any insecure configuration (cleartext management protocols such as Telnet or HTTP, SNMP with default community strings, unused services left enabled), and look into any other security features or functionality you currently aren\u2019t using.<\/span><\/p>\n<p><span style=\"color: #000000;\">Next take a look at all the computers and devices connected to the network. 
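<\/span><\/p>\n<p><span style=\"color: #000000;\">A scan-to-inventory script is the concrete form of the mapping step: it turns scanner output into a host list and flags whatever the last audit did not approve. The following is an added example, not code from the original article. It parses the XML that nmap writes with -oX; the scan output, MAC addresses, hostnames, vendor strings and the approved-device list are all constructed for the example.<\/span><\/p>
```python
"""Host inventory from nmap XML output (nmap -oX), diffed against the
approved-device list kept from the last audit. Added example, not code from
the original post; the XML, MACs, hostnames and vendors are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed output in the real nmap -oX layout (one <host> per address).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS --top-ports 100 -oX scan.xml 192.168.10.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.10.1" addrtype="ipv4"/>
    <address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="ExampleNet"/>
    <hostnames><hostname name="core-rtr.example.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.10.20" addrtype="ipv4"/>
    <address addr="00:11:22:AA:BB:20" addrtype="mac" vendor="ExamplePrint"/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.10.77" addrtype="ipv4"/>
    <address addr="DE:AD:BE:EF:00:77" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.10.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Approved inventory from the previous audit, keyed by MAC (constructed).
APPROVED: Dict[str, str] = {
    "00:11:22:AA:BB:01": "core-rtr, wiring closet A",
    "00:11:22:AA:BB:20": "printer, 2nd floor",
}

# Cleartext management services worth flagging wherever they are exposed.
INSECURE_SERVICES = {"telnet", "ftp", "http", "snmp", "tftp"}

@dataclass
class Host:
    ip: str
    mac: Optional[str] = None
    vendor: Optional[str] = None
    hostname: Optional[str] = None
    open_ports: List[Tuple[int, str]] = field(default_factory=list)

def parse_nmap_xml(xml_text: str) -> List[Host]:
    """One Host per live host in an nmap -oX document; down hosts are skipped."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        host = Host(ip="")
        for addr in h.findall("address"):
            if addr.get("addrtype") == "ipv4":
                host.ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                host.mac = addr.get("addr").upper()
                host.vendor = addr.get("vendor")   # None when nmap has no OUI match
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is not None and state.get("state") == "open":
                svc = p.find("service")
                host.open_ports.append((int(p.get("portid")),
                                        svc.get("name") if svc is not None else "?"))
        hosts.append(host)
    return hosts

def audit(hosts: List[Host], approved: Dict[str, str]) -> List[Tuple[str, str]]:
    """Findings as (ip, message): devices missing from the approved list
    (a host with no MAC at all counts as unknown) and cleartext services."""
    findings = []
    for host in hosts:
        if host.mac not in approved:
            findings.append((host.ip, "unknown device, not in approved inventory"))
        for port, name in host.open_ports:
            if name in INSECURE_SERVICES:
                findings.append((host.ip, f"cleartext service {name}/{port} exposed"))
    return findings

if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print(h)
    for ip, msg in audit(hosts, APPROVED):
        print("FINDING", ip, msg)
```
<p><span style=\"color: #000000;\">Run the real scan from a host on the segment being audited (MAC addresses and vendor names come from ARP, so nmap only reports them for hosts on the local segment), feed the -oX file to parse_nmap_xml, and keep the approved list under version control so each audit is a diff against the last one rather than a fresh guess.<\/span><\/p>\n<p><span style=\"color: #000000;\">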
Ensure the basics are taken care of, such as OS and driver updates, personal firewalls being active, antivirus running and updated, and passwords set on every account.<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"3\">\n<li><span style=\"color: #000000;\"><strong> Physically secure the network<\/strong><\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">Although often overlooked or minimized, the physical security of the network can be just as crucial as, say, your Internet-facing firewall. Just as you need to protect against hackers, bots and viruses, you need to protect against local threats, too.<\/span><\/p>\n<p><span style=\"color: #000000;\">Without strong physical security of your building and network, a nearby hacker or even an employee could take advantage of it. For instance, maybe they plug a wireless router into an open Ethernet port, giving them and anyone else nearby wireless access to your network. But if that Ethernet port hadn\u2019t been visible, or had been disconnected or shut down on the switch, that couldn\u2019t have happened.<\/span><\/p>\n<p><span style=\"color: #000000;\">Ensure you have a good building security plan in place to try and prevent outsiders from entering. Then ensure all wiring closets and\/or other places where the\u00a0network infrastructure\u00a0components are placed have been physically secured from both the public and employees. Use door and cabinet locks. Verify that Ethernet cabling is run out of sight and isn\u2019t easily accessible; the same with wireless access points. 
Disconnect unused Ethernet ports, either physically (unpatch them in the wiring closet) or by shutting the port down in the switch configuration, especially those in the public areas of the building.<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"4\">\n<li><span style=\"color: #000000;\"><strong> Consider MAC address filtering<\/strong><\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">One major security issue of the wired side of the network is the lack of a quick and easy authentication and\/or encryption method; people can just plug in and use the network. On the wireless side you have at least WPA2-Personal (PSK), which is easy to deploy.<\/span><\/p>\n<p><span style=\"color: #000000;\">MAC address filtering is easily bypassed: a MAC address is sent in the clear in every frame and can be changed in software, so anyone who observes an approved device can clone its address. Still, it can serve as a first layer. It won\u2019t stop a determined hacker, but it can help you prevent an employee, for instance, from causing a potentially serious security hole, like allowing a guest to plug into the private network, and it gives you more control over which devices are on the network. Don\u2019t let it give you a false sense of security, and be prepared to keep the approved MAC address list up-to-date.<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"5\">\n<li><span style=\"color: #000000;\"><strong> Implement VLANs to segregate traffic<\/strong><\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">If you\u2019re working with a smaller network that hasn\u2019t yet been segmented into virtual LANs, consider making the change. You can utilize VLANs to group Ethernet ports, wireless access points, and users among multiple virtual networks.<\/span><\/p>\n<p><span style=\"color: #000000;\">Perhaps use VLANs to separate the network by traffic type (general access, VoIP, SAN, DMZ) for performance or design reasons and\/or by user type (employees, management, guests) for security reasons. Remember that a VLAN only separates traffic if the routing or firewalling between VLANs enforces the separation; a router that forwards freely between them gives no security benefit. VLANs are especially useful when configured for dynamic assignment. 
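<\/span><\/p>\n<p><span style=\"color: #000000;\">Before the dynamic case, it helps to see what the switch is actually enforcing: every frame on a trunk carries a 4-byte 802.1Q tag (TPID 0x8100, then 3 priority bits, 1 DEI bit and a 12-bit VLAN ID), and each port has a policy for which VLAN IDs it accepts. The following is an added example, not code from the original article: it builds and parses tagged frames and applies a constructed per-port policy (port names, VLAN numbers and frames are made up) the way a switch does for static access and trunk ports.<\/span><\/p>
```python
"""What an 802.1Q tag looks like on the wire, and the per-port VLAN policy a
switch applies to it. Added example for the VLAN section, not code from the
original article; port names, VLAN numbers and frames are constructed."""
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q customer tag
TPID_QINQ = 0x88A8   # IEEE 802.1ad service tag, seen when tags are stacked

def build_frame(dst, src, ethertype, payload, vlan_tags=()):
    """Ethernet frame with zero or more 802.1Q tags; vlan_tags is a sequence of
    (pcp, vid) pairs, outermost first. Tag = TPID(16) | PCP(3) DEI(1) VID(12)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for pcp, vid in vlan_tags:
        if not 0 <= vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, [vid, ...], ethertype, payload), walking any number of
    stacked tags (either TPID) until a real EtherType is reached."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_QINQ):
            break
        if off + 4 > len(frame):
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4
    return dst, src, vids, etype, frame[off + 2:]

# Constructed switch port table. Access ports carry one VLAN untagged; the
# trunk carries a tagged allowed list plus an untagged native VLAN.
PORTS = {
    "Gi1/0/1": {"mode": "access", "vlan": 10},   # employee desk
    "Gi1/0/2": {"mode": "access", "vlan": 30},   # lobby guest jack
    "Gi1/0/48": {"mode": "trunk", "native": 999, "allowed": {10, 20, 30}},  # uplink
}

def classify(port_name, frame):
    """Which VLAN an ingress frame lands in, or ("drop", reason)."""
    cfg = PORTS[port_name]
    _, _, vids, _, _ = parse_frame(frame)
    if cfg["mode"] == "access":
        # A host on an access port has no business choosing its own VLAN:
        # a tagged frame here is a misconfiguration or a hop attempt.
        if vids:
            return ("drop", f"tagged frame (VID {vids[0]}) on access port")
        return ("accept", cfg["vlan"])
    if not vids:
        return ("accept", cfg["native"])  # untagged on a trunk -> native VLAN
    if len(vids) > 1:
        # Defensive choice for this example: a real switch may strip the outer
        # tag and forward on the inner one, which is why the native VLAN should
        # be an unused number (999 here) rather than one that carries hosts.
        return ("drop", "stacked tags not permitted on this trunk")
    if vids[0] not in cfg["allowed"]:
        return ("drop", f"VID {vids[0]} not in allowed list")
    return ("accept", vids[0])

if __name__ == "__main__":
    payload = bytes(46)  # constructed padding, not a real IP packet
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:aa:bb:01", 0x0800, payload, [(0, 20)])
    print(tagged[:18].hex())        # dst, src, 8100 0014 (VID 20), 0800
    print(parse_frame(tagged)[2])   # [20]
    for port in PORTS:
        print(port, classify(port, tagged))
```
<p><span style=\"color: #000000;\">The two drop rules are the ones that matter for security: an access port never honours a tag sent by the host, and the trunk\u2019s native VLAN is an unused number so that a frame engineered with two tags has nowhere useful to go once the outer one is stripped.<\/span><\/p>\n<p><span style=\"color: #000000;\">Dynamic assignment goes a step further. 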
For instance, you could plug in your laptop anywhere on the network or via Wi-Fi and automatically be put onto your assigned VLAN. This can be done with MAC-based VLAN assignment (the switch looks the source MAC address up in a table), or, more securely, with 802.1X authentication, where the RADIUS server returns the VLAN in its Access-Accept.<\/span><\/p>\n<p><span style=\"color: #000000;\">To use VLANs, your router and switches must\u00a0support\u00a0them: look for IEEE 802.1Q support in the product specs. And for wireless access points, you\u2019ll likely want those that support both VLAN tagging and multiple SSIDs. With multiple SSIDs you have the ability to offer multiple virtual WLANs, each mapped to a certain VLAN.<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"6\">\n<li><span style=\"color: #000000;\"><strong> Use 802.1X for authentication<\/strong><\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">Authentication and encryption on the wired side of the network are often ignored due to the complexity involved. It\u2019s IT common sense to encrypt\u00a0wireless connections, but don\u2019t forget or ignore the wired side. A local hacker could possibly plug into your network with nothing stopping them from sending or receiving.<\/span><\/p>\n<p><span style=\"color: #000000;\">Deploying 802.1X authentication doesn\u2019t by itself encrypt the Ethernet traffic (that takes MACsec, IEEE 802.1AE, on switches and NICs that support it), but it would at least stop them from sending on the network or accessing any resources until they\u2019ve provided valid credentials. 
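<\/span><\/p>\n<p><span style=\"color: #000000;\">What the switch receives when those credentials check out is a RADIUS Access-Accept, and when the switch is also doing dynamic VLAN assignment the Accept carries the VLAN in three tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN number, per RFC 3580). The following is an added example, not code from the original article: it encodes such an Accept the way a RADIUS server would and shows the authenticator check the switch must perform before acting on it. The shared secret, packet identifier, VLAN number and tunnel tag are constructed values.<\/span><\/p>
```python
"""The RADIUS Access-Accept that carries a dynamic VLAN assignment, and the
check the switch must do before trusting it. Framing per RFC 2865, tunnel
attributes per RFC 2868 and RFC 3580. Added example, not from the original
article; the shared secret, identifier, VLAN number and tag are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")      # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = (6).to_bytes(3, "big")  # RFC 3580: Tunnel-Medium-Type = IEEE-802

def attr(type_, value):
    """RADIUS attribute TLV: Type(1) Length(1, includes the header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value

def vlan_attributes(vlan_id, tag=1):
    """The three attributes an 802.1X switch reads to pick the port's VLAN.
    Tunnel attributes carry a one-byte tag so related ones can be grouped."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    t = bytes([tag])
    return (attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN)
            + attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))

def build_response(code, identifier, request_authenticator, attributes, secret):
    """Server side. Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 s.3."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    digest = hashlib.md5(head + request_authenticator + attributes + secret).digest()
    return head + digest + attributes

def verify_response(packet, request_authenticator, secret):
    """Switch side. Without this check, anyone who can reach the switch's
    RADIUS client port could send it a forged Access-Accept for any VLAN."""
    if len(packet) < 20:
        return False
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(data):
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("malformed attribute")
        type_, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((type_, data[off + 2:off + length]))
        off += length
    return attrs

def assigned_vlan(packet):
    """VLAN ID from a verified Accept, or None when the tunnel attributes are
    absent, incomplete, or describe something other than an 802 VLAN."""
    groups = {}
    for type_, value in parse_attributes(packet[20:]):
        if type_ in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            # RFC 2868: the first octet is a tag only when it is <= 0x1F
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (None, value)
            groups.setdefault(tag, {})[type_] = body
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and group.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            vid = int(group[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vid <= 4094:
                return vid
    return None

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; use a long random one
    request_auth = os.urandom(16)          # copied from the switch's Access-Request
    accept = build_response(ACCESS_ACCEPT, 0x2A, request_auth, vlan_attributes(20), secret)
    print("authentic:", verify_response(accept, request_auth, secret),
          "vlan:", assigned_vlan(accept))
    forged = build_response(ACCESS_ACCEPT, 0x2A, request_auth, vlan_attributes(10), b"guess")
    print("forged accepted:", verify_response(forged, request_auth, secret))
```
<p><span style=\"color: #000000;\">The check matters because the Response Authenticator (and, for EAP exchanges, the Message-Authenticator attribute) is all that binds the reply to the switch\u2019s request, and both derive from the shared secret: a short or guessable secret can be recovered offline from a single captured exchange, after which the attacker can answer the switch with an Accept for any VLAN. In practice the switch, the RADIUS server and these attributes are configured rather than hand-coded; this shows what is on the wire and what the switch is trusting.<\/span><\/p>\n<p><span style=\"color: #000000;\">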
You can utilize the same authentication on the wireless side as well, to implement WPA2-Enterprise with AES encryption, which gives each user their own credentials and each session its own keys instead of one shared passphrase, and so has many benefits over WPA2-Personal (PSK).<\/span><\/p>\n<p><span style=\"color: #000000;\">Another great benefit of 802.1X authentication is the ability to dynamically assign users to VLANs.<\/span><\/p>\n<p><span style=\"color: #000000;\">To deploy 802.1X authentication you first need a Remote Authentication Dial-In User Service (RADIUS) server, which basically serves as the user database (or fronts an existing directory) and is the component that authorizes\/denies the network access. If you have a Windows Server you already have a RADIUS server: the Network Policy Server (NPS) role; or in older Windows Server versions it\u2019s the Internet Authentication Service (IAS) role. If you don\u2019t have a server already you could consider\u00a0standalone RADIUS servers such as FreeRADIUS. Whichever you use, the switch and the RADIUS server trust each other only through a shared secret, so make it long and random.<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"7\">\n<li><span style=\"color: #000000;\"><strong> Use VPNs to encrypt select PCs or servers<\/strong><\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">If you\u2019re really looking to secure network traffic, consider using encryption. Remember even with VLANs and 802.1X authentication, someone on the same network (VLAN) can eavesdrop and capture unencrypted traffic that could include passwords, emails and documents.<\/span><\/p>\n<p><span style=\"color: #000000;\">Although you can encrypt all the traffic, first analyze your network. It might make more sense to just encrypt select communications you deem the most sensitive that aren\u2019t already encrypted, such as through TLS\/HTTPS. 
You can pass the sensitive traffic through a standard VPN on the client, which could be used just during the sensitive\u00a0communication\u00a0or forced to be used all the time (an always-on tunnel, so the user can\u2019t forget to start it).<\/span><\/p>\n<p>&nbsp;<\/p>\n<ol start=\"8\">\n<li><span style=\"color: #000000;\"><strong> Encrypt the entire network<\/strong><\/span><\/li>\n<\/ol>\n<p><span style=\"color: #000000;\">You can also encrypt an entire network. One option is IPsec. Windows supports it natively on both servers and clients: connection security rules in the Windows Firewall, pushed out through Group Policy, can require IPsec between domain members. However, encrypting every host-to-host flow costs CPU on every endpoint, and effective throughput can drop dramatically on machines without hardware offload. There are also network encryption solutions from networking vendors, including MACsec (IEEE 802.1AE) and proprietary equivalents, that work at Layer 2 instead of Layer 3 like IPsec, encrypting hop-by-hop in switch hardware to reduce latency and overhead.<\/span><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We sometimes focus more on the wireless side of the network when it comes to security because\u00a0Wi-Fi\u00a0has no physical fences. 
After all, a war-driver can detect your SSID and launch &#8230;<\/p>\n","protected":false},"author":1,"featured_media":189,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/122"}],"collection":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/comments?post=122"}],"version-history":[{"count":5,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions"}],"predecessor-version":[{"id":626,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions\/626"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media\/189"}],"wp:attachment":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media?parent=122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/categories?post=122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/tags?post=122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}