An insecure network is an open door to misuse. In this video, you’ll learn ways to help secure your wired and wireless networks.
<< Previous Video: Disposing of Sensitive DataNext: Comparing Android and iOS >>
If you want to secure a network, then you need to secure all of those infrastructure devices that make up the network. And an easy way to do that is to put it into a closet or a data center and lock the door, a relatively easy thing to do. And if you prevent people from gaining access to those infrastructure devices, it’s that much more secure.
Maybe it’s something like a door access with a lock and key or maybe it’s something electronic, where I can simply type in a few numbers. I don’t have to carry a key around. Sometimes we’ll even use biometrics. There will be a fingerprint reader or a palm reader so that you can gain access through the door that way. Regardless of what method you use, you want to be sure that it’s well documented and that it’s well established so that you can limit the people who have access to those resources,
Whether you’re on a wired or a wireless network, you need to be very careful about using the default login credentials to your infrastructure devices. There are usernames and passwords that come from the factory, out of the box. But you don’t want to leave them with those usernames and passwords.
Make sure you change them the instant you configure that device. That’s because whenever you log into the device, you have full control. These devices sometimes don’t have different levels of access. You either have no access or you have complete administrator access of the device.
And it’s very easy to find the factory defaults for these. In fact, this is a website, one of many, called RouterPasswords.com, you put in the router manufacturer that you’re interested in, it will list out all of the different models and it will tell you all of the usernames and all of the passwords that are the factory defaults.
On your wired network, you have a built in level of security because you have to be connected to the wire. But on a wireless network, everybody can hear everything that is sent across the network. Anyone can listen in, gather packets, and see what’s going back and forth. So the solution to protect the data is to encrypt all of the information that’s going back and forth over that wireless network and make sure that everybody is using credentials to log in or that everybody has that shared password. Only people who have that password or that have the proper credentials can listen in and see what’s going on over that link.
There’s two different kinds of encryption methods. One that you should not be using any longer, but it’s still available on some very old pieces of equipment, is WEP or W-E-P. The latest type of encryption, in fact the kind that you usually find today on all of the latest infrastructure devices, is one called WPA2.
Your wireless network is defined with a name. You configure this when you initially configure your wireless access point. Sometimes it’s the name of the wireless network, Building 1, Building 7. Or maybe it’s related to the manufacturer’s name. There’s a lot of access points out there that are still called LINKSYS and DEFAULT and NETGEAR. You probably want to give it something other than the default, because if it’s still the default name, it may even still be the default username and password.
Maybe you want to be sure the SSID is not something that points directly to you. Maybe you want it to be something very generic or nonobvious. Maybe you want to disable the SSID. The SSID is the name that’s listed whenever you ask your computer to give you a list of all of the available wireless networks. If you don’t want to show up in the list, you can disable your access point from broadcasting itself.
Now, this doesn’t necessarily mean that you’re restricting access at all to the network. All it’s doing is making it invisible in these lists. Somebody who knows how to look at wireless networks can very easily still find that access point. So it’s not really a security feature. But it is something that can help you clean up the list of all of those networks that you would view on your wireless access.
On both wired and wireless networks, you can restrict who accesses your network through something called a Media Access Control address or a MAC address. This is the hardware address of the network devices that are connecting on your network. By setting up filters in your infrastructure devices, you’re limiting who can use the network based on where the network is originating from.
If we don’t see your MAC address, you aren’t able to use the network. This might keep the neighbors out of your wireless network. Or if it’s a private network, it keeps visitors from plugging into an available network port and seeing and accessing information across the network.
Keep in mind that this is very easy to spoof. Many network interface cards allow you to configure manually the MAC address inside of your computer. So all you have to do is use free software from the internet, plug-in, see what types of MAC addresses are communicating already, make sure that one of them leaves the network, and now you can use that MAC address to communicate.
And we call this the security through obscurity. It’s not completely obvious how you get around that problem, but it’s also not really a security feature.
Here’s an example of a wireless access point where I might want to define the MAC addresses that are allowing access. So I can simply add them to my list and now I can limit what MAC addresses are going to communicate through my network.
On a wired network, you know exactly where your signal is going. It’s start at this end of the cable and it goes to the other end of the cable. But on a wireless network, we are sending information out into the air and it can travel anywhere.
That’s why many access points allow you to adjust the amount of power that’s being used to transmit that signal. That way you can maybe limit just how far that signal is able to go. Maybe restrict it from going into the parking lot, where you don’t have a lot of control and instead limit it to the size of the building that you happen to be in.
The amount of power that you use may be something that you have to do some studies on. Maybe set it to a certain value and then move around the network and see if you’re still able to communicate on the wireless network.
You also have to think about the type of receivers that are in use. There are a number of antennas that can receive, even from a very, very far distance from your access point. So think about where your signal is going and think about how much power is being put behind that signal strength.
Of course if it’s a very large environment, you may have to put multiple access points. So you may have to set different strengths depending on where the access points might be. If you’re evenly distributing the access points across the entire floor, then maybe you could make them all the same signal strength. Or maybe the access points are in different places, depending on what you have available in the room. So you might want to set some access points to be more power and other access points to have less power.
Another technique that some security administrators use is a static IP addressing instead of using the automated DHCP type of addressing. And this applies whether you’re on a wired network or a wireless network.
In an unencrypted network, the IP addresses are in the clear. I can see all of the IP schemes that are in place. So now it becomes very easy for someone to plug into my network, automatically get an IP address, and they’re now communicating on my network.
Now if there’s not any encryption, IP addresses are going to be very obvious. So this really is not a security feature as much as it might be something used for a little bit of access control. Again, security through obscurity. Because if somebody is plugging in and they’re not getting address automatically, somebody who really knows what they’re doing can manually set addresses on their computer and still gain access to the network.
In larger environments, it’s hard to keep track of everybody who is going in and out of the business. So you may want to disable physical ports on your switches that aren’t currently in use. You don’t want somebody walking into an empty cube, plugging in, and gaining access to your entire network.
This becomes a little more difficult to maintain because every time you need to enable a port or disable a port, you have to manually go into your switch and administratively perform that function. But it does make your network more secure. So adding that additional business process does have some security benefits.
In larger environments, you can automate this process through something called Network Access Control. You’ll hear this referred to as NAC. This is using a protocol called 802.1X. And it allows you to integrate user login credentials with the network access. So before anybody can gain access to either a wired network or a wireless network, they first have to put in their user credentials. Without user credentials, even if the port is active and alive and getting a signal, you still won’t to be able to communicate across the network.