Some of our most important networks are in our small offices and home offices. In this video, you’ll learn some of the more common security techniques that we can use to help secure these networks.
The data that is on our small-office and home-office networks is just as important as the data that might be on a large enterprise network. In this video, I’ll take you through a number of best practices for protecting the networks in these small offices and home offices.
If you’re setting up a wireless access point or wireless router in your small office or home office, you want to be sure that you’re managing the SSID properly. SSID stands for service set identifier. When you’re on your computer and listing all of the available wireless networks, this is the name that’s going to appear in that list. Some of the defaults that you probably have already in your wireless access point are LINKSYS, DEFAULT, NETGEAR, and others.
You may want to consider changing this SSID to something that’s not quite as obvious. That way, you can still select it easily from a list, but other people won’t exactly know where that network happens to be. And if you don’t like that name showing up on anyone’s list, you can disable the SSID broadcast completely. There’s probably an option in your wireless router or wireless access point to enable and disable that SSID broadcast.
This is not a security feature. All it does is, really, remove it from a list. If people were looking at a protocol analysis of the wireless network, they would still be able to identify all of the SSIDs that are out there. But it is a way to prevent the name from automatically being listed when somebody is trying to find available wireless networks in their area.
One of the challenges we’ve always had with wireless networks is that all of this information is going over the air. Your computer is acting both as a radio receiver and a radio transmitter. Anyone can listen in to these communications, which is why it’s important to be able to encrypt all of the data that is going over these wireless networks. You should never have any data going over a wireless network that is not encrypted. Everything should always be protected when it’s going through the air.
In a small office or a home office, everyone is provided with the access password to the wireless network, and they can then communicate and send information in an encrypted form. We used to see options to encrypt, like WEP or W-E-P. But today, the encryption type you should always be using on a wireless network is going to be WPA or WPA2.
In a small office or home office, you may not be working in a single place, and you need wireless coverage over a larger area. In those cases, you may be using multiple access points with multiple antennas, to be able to send and receive wherever you happen to be. If you’re planning this in your environment, you want to be sure that each access point is assigned a frequency that will not overlap with the access points immediately adjacent to it. For example, if you look at 2.4 GHz frequencies, we know that channels 1, 6, and 11 will not conflict with each other. So we can easily put all of those access points right next to each other.
You want to be sure that you don’t have one device running on a channel and a device right next to it on the same channel. Those two devices are sharing the same frequencies, and if they both tried to communicate at the same time, their transmissions would conflict with each other. Instead, you want to put devices next to each other where there is no frequency overlap. That way, you’re able to communicate as efficiently as possible.
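As an added illustration of the channel-planning rule above (this is example code, not part of the original video), the script below checks a set of adjacent access points for overlapping 2.4 GHz channels and assigns channels from 1, 6 and 11 so that no two neighbours share spectrum. The access point names and which of them can hear each other are a constructed floor plan; the channel center frequencies and the 22 MHz channel width are the standard 802.11b/g values.

```python
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22          # 802.11b/g DSSS channel width
NON_OVERLAPPING = (1, 6, 11)    # the three 2.4 GHz channels that never overlap


def center_freq_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel; channel 14 is the odd one out."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"invalid 2.4 GHz channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < CHANNEL_WIDTH_MHZ


def find_conflicts(plan: dict, neighbours: dict) -> list:
    """Return the pairs of adjacent APs whose assigned channels share spectrum."""
    conflicts = []
    for ap, nbrs in neighbours.items():
        for other in nbrs:
            # ap < other so each pair is reported once
            if ap < other and channels_overlap(plan[ap], plan[other]):
                conflicts.append((ap, other))
    return conflicts


def assign_channels(neighbours: dict) -> dict:
    """Greedy assignment: most-connected AP first, each AP takes the first channel
    from NON_OVERLAPPING that none of its already-assigned neighbours uses.
    Raises if three channels are not enough for this layout."""
    plan = {}
    for ap in sorted(neighbours, key=lambda n: -len(neighbours[n])):
        taken = {plan[n] for n in neighbours[ap] if n in plan}
        free = [c for c in NON_OVERLAPPING if c not in taken]
        if not free:
            raise ValueError(f"{ap}: all of {NON_OVERLAPPING} are used by its neighbours")
        plan[ap] = free[0]
    return plan


# Constructed floor plan: three APs in a row, each hears only its direct neighbour.
NEIGHBOURS = {"front": {"middle"}, "middle": {"front", "back"}, "back": {"middle"}}
# Constructed bad plan: channels 1 and 3 are only 10 MHz apart and overlap.
BAD_PLAN = {"front": 1, "middle": 3, "back": 11}
```

Running `find_conflicts(BAD_PLAN, NEIGHBOURS)` reports the front/middle pair, while `assign_channels(NEIGHBOURS)` produces a plan with no conflicts.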
Your wireless access point may give you some options for assigning strength values for the wireless signal. Obviously, you want to set this as low as possible while still being able to work properly, so that people outside of your immediate area are not able to use that wireless network. Determining exactly what that strength value is, though, may take some testing. You want to be sure that you have just the right value set so that everybody has access to the wireless network.
You’re not only going to need to consider what the wireless access point can send, but also consider the antennas that are on the receiving devices. Many antennas are inside of our laptops and mobile devices, whereas others have external antennas and may be able to receive that signal a little bit better than others.
One way to limit who could have access to a wireless network is by filtering out devices based on their physical hardware addresses. These addresses are burned into the devices when they’re manufactured. These are called media access control addresses, or MAC addresses, and your access point allows you to create a list of filtered addresses for your network. This would automatically keep all of the neighbors and anyone outside of your area from accessing anything on your wireless network, because you are filtering them out before they even gain access to anything that’s on the inside.
Although this helps with managing who’s on the network, this is not a foolproof security method. Anyone with a protocol analyzer can see the MAC addresses that are communicating on your network, and then can simply wait for those devices to leave, and then change their own MAC address to match that one and gain access to your wireless network. This is something we call security through obscurity, which means we’re trying to obscure some information in order to make it secure. But of course, this doesn’t really add any security at all. All it really stops is the honest people from getting into your network.
You generally set these filtered MAC addresses in your wireless access point. You would simply add the MAC addresses to a list, and it would filter those out over the wireless network.
Older wireless access points may have a feature called WPS. This stands for Wi-Fi Protected Setup. This used to be called Wi-Fi Simple Config. And the idea is that you could easily set up devices by using a special WPS value to be able to connect to the access point, instead of using a complicated encryption and passphrase process.
This makes it very easy, if someone isn’t familiar with wireless encryption, to be able to connect to a wireless network, but still maintain all of those encrypted capabilities. You could connect to these devices by using a PIN. You would use a PIN that’s assigned to an access point, and then use the same personal identification number on your mobile device. Or you could push a button near the access point that would then enable access to the device.
Some access points provided near-field communication, where you brought the mobile device close to the access point and it would gain access. And there was also an older method that’s no longer used, which had a USB key that you would connect to your mobile device.
Unfortunately, WPS didn’t last very long, because in December of 2011 a significant design flaw was found with the implementation of WPS, as part of the wireless standard. The personal identification number used for WPS isn’t really an eight-digit number; it’s effectively only seven digits, because the last digit is a checksum. That means you only really needed to find seven digits, which would be 10 million possible combinations.
Also with WPS, it’s evaluating the first half of the number and then evaluating the second half of the number. That means that you’re really trying to find a four-digit number and a three-digit number, because that last digit was the checksum. That means you need to go through the first half of the numbers, which is 10,000 possibilities, and the second half of the number, which is only 1,000 possibilities. That’s much smaller than trying to find it in 10 million possible combinations.
That means if you did connect and try to go through every possible iteration, you could easily go through the entire list in about four hours. So you could sit outside someone’s house with a laptop, and simply connect to the wireless network. And after four hours, you would be guaranteed access to that device, if the wireless access point had WPS enabled. This is why all modern wireless access points don’t include WPS as an option, and it’s highly recommended that if you have an older access point, that you make sure WPS is not an enabled option on that device.
When you first connect your wireless access point, you’ll notice there’s a default username and password. And this is the default that’s used on every model of this particular wireless access point. If you have the username and password for your access point, then you effectively have administrative access and can configure and set up access for any of your devices on the network.
That’s why it’s so important to always change this default username and password. It’s very easy to find out what the defaults might be. If somebody knows what kind of access point you’re using, they can use one of these sites like RouterPasswords.com, which will list out every manufacturer, all of the different models, and tell you what the default username and password is for every single device.
Most wireless routers will assign IP addresses in your SOHO through DHCP, which is an automatic IP addressing mechanism. You could, of course, set up manual IP addressing in your environment, where you are administratively setting the IP address on every single one of your devices. If you’re in a network that is not using encryption for your wireless network, it’s very, very easy to see what these IP addresses might be. If you are performing encryption and somebody does manage to find your passphrase and get into your wireless network, they’ll also be able to see the IP addresses, as well.
Assigning IP addresses automatically or assigning them manually is not really a security feature. It might make you feel better to make it a little more obscure. But that, of course, is not providing any additional security for your network.
Most of the routers that you use in a small office or a home office are not only a router, but they also have firewall functionality built in. There are also a number of third parties that make firewalls that are specifically designed for the SOHO environment. Most of these have a wireless access point on them. They have a router built into them. There are firewall capabilities. There might also be content filtering, for filtering on URLs or URL categories.
Of course, this doesn’t provide every possible feature that you might need in a small office or home office. For example, these devices generally don’t provide any type of dynamic routing support. And there may not be a way to easily provide support for third parties to be able to help you.
One best practice for any of these devices is to always make sure you have the latest firmware installed. You want to check all of your firewalls, your routers, your switches, and other components, and make sure they’re using the latest version of software from the manufacturer.
If you have servers on the inside of your SOHO network that you need to make available to people that are on the outside, then you’ll probably want to configure some different firewall settings for inbound traffic. You generally have a number of different options for setting up filtering and firewall rules for this inbound traffic. You obviously want to limit the inbound traffic to only the required types of traffic. You don’t want to simply open the door and let everyone in.
For instance, you want to configure port forwarding to map a very specific TCP or UDP port number or port number range to a specific IP address that’s on the inside of your network. And if you find yourself doing this a lot, you may want to consider creating a DMZ that sits outside of your internal network while still giving you control over the people that are coming in from the outside of your network.
For outbound traffic, there are a couple of different philosophies. One is that you allow all traffic, but you stop unwanted traffic by using a blacklist. The other is to reverse that, where nothing is allowed out, and you only allow access to certain locations by using a whitelist.
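As an added example (not from the original video, and not any particular router vendor's configuration), here is a minimal nftables ruleset for a Linux-based SOHO router that puts the inbound and outbound advice above into practice: inbound traffic is denied by default, a single port-forward maps TCP port 443 to one inside server, and the outbound section shows the allow-all-with-blacklist philosophy next to the whitelist alternative. The interface names wan0 and lan0, the inside server address 192.168.1.10, and the blacklisted 203.0.113.0/24 range are assumed placeholders.

```nftables
# Assumed placeholders: adjust to your own interfaces and addresses.
define WAN = "wan0"
define LAN = "lan0"
define WEB_SERVER = 192.168.1.10
define BLOCKED_DESTS = { 203.0.113.0/24 }   # constructed example range

flush ruleset

table inet soho {
    chain input {
        # Inbound to the router itself: deny by default.
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname $LAN accept                    # router admin page only from inside
    }

    chain forward {
        # Traffic passing through the router: deny by default.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Inbound: only the port-forwarded service, only to its inside host.
        iifname $WAN oifname $LAN ip daddr $WEB_SERVER tcp dport 443 ct status dnat accept

        # Outbound, blacklist philosophy: allow everything except listed destinations.
        iifname $LAN oifname $WAN ip daddr $BLOCKED_DESTS drop
        iifname $LAN oifname $WAN accept

        # Outbound, whitelist philosophy: replace the two lines above with
        # explicit permits, for example web browsing only:
        # iifname $LAN oifname $WAN tcp dport { 80, 443 } accept
    }
}

table ip nat {
    chain prerouting {
        # Port forwarding: map WAN TCP 443 to the inside server.
        type nat hook prerouting priority dstnat;
        iifname $WAN tcp dport 443 dnat to $WEB_SERVER
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` after checking it with `nft -c -f <file>`; the forward-chain accept for port 443 is what makes the DNAT rule actually deliver traffic to the inside server.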
In most SOHOs, you’re not going to have a separate conference room or break room. But it’s still a good best practice to disable any interfaces on a switch or router that you don’t plan on using. This is a little bit more work to administer, but it makes it very secure, so that nobody can walk into your environment, plug into an available port, and gain access to your network.
In larger environments, we provide more control by using network access control, or NAC. The 802.1X protocol is commonly used for this, and it requires people to authenticate before they can communicate on the network.
Many of our small office and home office devices give us options for configuring content filtering. This allows us to control what is being sent inside of the data that goes across our networks. This might allow us to control information going inbound and outbound. And we can filter for sensitive data, and make sure that it doesn’t traverse our firewall. Or maybe we can prevent someone from going to a website that might contain inappropriate content. This might also be used for things like parental controls. And if you’re concerned about viruses and malware, some of these content filtering devices can scan the data as it’s passing through the network device.
If you have physical access to a server or a network device, it becomes very easy to gain unauthorized access into that device. That’s why you always see these behind a locked door, inside of our large data centers. And we should do the same thing in our SOHO environments. One of the easiest ways to do this is to have everything behind a locked door. We can gain access to all of our systems by using a traditional key, with a lock. Or maybe we use a keyless entry, or an electronic form to gain entry into that room.
You might also want to combine this with biometrics. So you’re using something like a fingerprint to help unlock that door. This should be a process that’s well-documented. And you want to be sure that all of your components are behind these locked environments.