For network security, we are going to assume you’ve got a modern unified threat management (UTM) firewall doing deep packet inspection, assume you’ve got signature-based antivirus running on your servers, desktops and laptops, and assume you’ve got a comprehensive, managed patching system in place that covers both Microsoft and third-party patches for servers, desktops and laptops. You might even be going that extra mile and training your users!

But there is so much more to truly securing your network, your systems and your data. Network security is neither a product nor a service, but an ongoing process. And remember, without proper and regular user training the most secure network is like a submarine with a screen door. Say it after me: security is products, services and procedures. This is the first article in a series; we’ll drill down on each of these “twelve steps” to network security in the weeks following:


1) Better Passwords. This may seem “done to death” but the reality is that most passwords are still simple enough to guess or crack with software tools, are used too broadly across devices or sites and are changed far too infrequently. Every year the list of top ten passwords still includes such gems as “password” and “12345” so this is a pretty low bar to clear. Getting serious about passwords is the quickest step you can take to improving security.

2) Two Factor Authentication (TFA). This is the next step beyond passwords. TFA is usually described as something you know plus something you are (biometrics) or something you know plus something you have (token based). These solutions can be as simple as issuing “one-time passwords” by text or email upon every remote connection. Many UTM Firewalls and/or SSL VPN remote access devices have these capabilities built in.

3) UTM Firewalls – The Simple Stuff. Very few businesses get the most out of their UTM firewalls. For example, many UTMs can do “geo IP filtering” allowing you to block packets originating from any country. Do you really need traffic from Belarus or Moldova? You can also filter your traffic at “Layer 7” on some, so you can block such potentially harmful and bandwidth-wasting traffic as chat streams, software downloads and more.

4) UTM Firewalls – The Harder Stuff. Firewalls do not scan encrypted traffic by default. This means every connection to Dropbox, OneDrive, or any other SSL site bypasses scanning! The answer is DPI SSL, a feature of better UTM firewalls. Separately, you can protect your road warriors on “open” wireless connections by tunneling traffic from your remote users through your Internet connection. This is also provided by better UTMs.

5) Advanced Wireless. You can manage wireless access points and add a layer of security to your wireless implementations. You can force encryption of the entire data stream, scan for “rogue” access points or even shut them down completely. You can set up “wireless guest services” that control who can connect and when. You can have multiple “virtual SSIDs” so that some users get out to the Internet only, while some have network access, and more.

6) Network Access Control and Proximity. Let’s touch on managing access to your network internally. Yes, you’ve got credential authentication (username and password) protection in place. Did you know that you have built-in MAC address filtering in the DHCP Manager of Windows 2012/R2? And you HIPAA folks, did you know you can set a machine to automatically log out a user that moves away from their machine (think RFID)?

7) Outsourced Email Filtering. Everybody knows spam is more than an annoyance – it is a prominent source of phishing and other “social engineering” attacks. So email filtering is a must; and by moving it to the right external vendor you gain the advantage of being able to lock your email server down to just one range of receiving addresses, better management of your bandwidth and an email spooling location should your email server be offline.

8) Clean DNS & Web Filtering. Just by using one of the “clean DNS” sites around the web as your primary and secondary external DNS references you can protect yourself against an ever-growing list of sites that can attack you when you simply visit them – the “click-by” attack. Web filtering is usually done in the firewall, but did you know that, with the right software, you can also extend it to devices not behind the firewall, such as laptops in the field?

9) Data Encryption At Rest. This refers to encrypting your data in place, on your server, your desktops and laptops, on your phones and your backups. This can be done at the hardware level on the server (right in the RAID controller and on the drives), at the OS level for your desktops, laptops and portables, and in software for tape or disc backups. This protects you both against physical site thefts and loss of data on portable devices.

10) Data Encryption In Motion. This refers to data that moves outside the perimeter of your building(s), on laptops, tablets and phones. We are also talking about the “streaming” of data over the Internet that you experience whenever someone connects remotely, when you upload data to other locations and when your automated off-site backup (you do have that, right?) happens. For the most secure sites, this includes all wireless (WiFi) traffic as well.

11) Data Security at Rest. This refers to your ability to back up and keep safe your site’s live data and its configuration data (server configuration, user and site setup, device config and more). Nearly everyone believes they have backup handled, but the reality is very few do. Having effective backup is complicated and few businesses understand that real backup is about data, server imaging, off-site storage, business continuity, disaster recovery and more.

12) Data Security In Motion. This refers to data that travels with you, data that gets created outside your network and data moving in and out of your network through that leaky mechanism known as the Internet. Scanning encrypted data is tough and cumbersome for most UTM Firewalls, but absolutely necessary. And finding a way to enforce scans on machines that move outside the network is crucial as well.

Summing it All Up
Obviously, securing your business is complicated. There is always a trade-off between ease of use and time, effort and expense. There are no secure networks any more than there are safe drivers. But there are certainly more secure networks. It all comes down to figuring out how far you want to take your network security efforts and building the right products and procedures around that decision. Call for Net Sciences and let us guide you through the network security maze, making the right and most cost-effective decisions to protect your network, your data, and your business!