5

We regularly set up small networks for clients in different locations to allow them to work on different products. Now the question is: what should be the best security practice?

Currently we have a wifi enabled with WPA2 and most laptops connect to this but some will connect to a cabled switch connecting to the router.

We are thinking about what we should do to increase the security on our small networks - We do have security on the laptops so you can share directly to the other person's drive by a simple Windows user account.

Some suggestions are:

  1. We get a LAN switch with ACL control and mac filtering for the hard wired connections?

  2. We get ACL working on the wifi via a good Cisco router?

  3. IPsec policies on all machines?

  4. IP filtering and fixed IPs?

I suppose people are worried that anyone can plug into the switches and get access to the network.

Summary:

Maintain a level of decent security that can be replicated easily to every setup that we do for clients

Grimlockz
  • 1
    You are entering into a whole world of possibilities here. But typically port-based security is handled by a) physical access restrictions (lock your wiring closet/server room!) b) 802.1X port authentication (this itself is no light undertaking). – gravyface Aug 31 '12 at 15:12

2 Answers

4

Some suggestions:

Start by attempting to prevent physical access to the network.

  1. Place switches inside locked cabinets to prevent physical access to them.
  2. Deploy 802.1x authentication if possible for medium-sized organizations to force workstations to authenticate to the network.
    In smaller orgs, use port-security on the switches with sticky mac addresses so long as machines don't move around. Disable any unused switch ports.
  3. On your Wireless network, use WPA2 with AES and a long key (> 15)

Next, assume physical access has been obtained and limit further access.

If you do not have resources for a domain and file server and must share files between workstations, create a single (non-admin) account on each workstation with the same password that can be used to access files on different machines.
Do not allow the "everyone" group access to anything.

You can also configure your DHCP servers to deny leases to unknown clients - This doesn't stop someone with physical access from watching traffic and assigning themselves an IP, but it may slow down casual intruders.


Finally, monitor the situation to see if anyone is accessing the network that shouldn't be. One way would be to check your DHCP server leases to see if any unknown machines have requested IPs.

voretaq7
Paul Ackerman
  • 2
    The advice Paul has given is excellent - the only downside is it can't be `replicated easily to every setup that we do for clients` -- Each environment will need to be configured appropriately. This is pretty much a given though -- any *decent* security needs to be tailored to the environment it's being deployed in. There is no magic one-size-fits-all solution. – voretaq7 Aug 31 '12 at 16:20
  • I agree Paul's advice is great - IPSEC policy as part of a standard build for all laptops should be easy to maintain I guess – Grimlockz Aug 31 '12 at 16:24
  • It would also help to identify likely attack vectors: physical, unauthorized network access? Likely low. Spam bots/keyloggers/phishing attempts? Very likely. – gravyface Aug 31 '12 at 16:47
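
The lease check suggested at the end of Paul Ackerman's answer, as an added example (not code from the answer or from any DHCP product): it flags active leases whose MAC is not in an inventory, or whose hostname differs from the one recorded for that MAC. It assumes an ISC dhcpd-style leases file and a hypothetical MAC-to-hostname inventory; the sample data is constructed.

```python
import re

# Constructed sample in ISC dhcpd.leases syntax; every address and name is made up.
SAMPLE_LEASES = '''
lease 192.168.10.21 {
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "CLIENT-LT01";
}
lease 192.168.10.22 {
  binding state active;
  hardware ethernet 00:1A:2B:3C:4D:5F;
  client-hostname "NEWBOX";
}
lease 192.168.10.37 {
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
}
lease 192.168.10.40 {
  binding state free;
  hardware ethernet 02:00:00:00:00:99;
}
'''
# Hypothetical inventory kept with the standard build: MAC -> expected hostname.
INVENTORY = {"00:1a:2b:3c:4d:5e": "client-lt01", "00:1a:2b:3c:4d:5f": "client-lt02"}
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELDS = {  # "^" keeps "next binding state ...;" lines from matching
    "state": re.compile(r"^\s*binding state\s+(\w+);", re.M),
    "mac": re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});"),
    "host": re.compile(r'client-hostname\s+"([^"]*)";'),
}

def parse_leases(text):
    """Yield one dict per lease block: ip, state, mac, host (lowercased or None)."""
    for ip, body in LEASE_RE.findall(text):
        hits = {k: rx.search(body) for k, rx in FIELDS.items()}
        yield {"ip": ip, **{k: m and m.group(1).lower() for k, m in hits.items()}}

def audit(text, inventory):
    """Return (ip, mac, reason) for active leases that do not match the inventory."""
    findings = []
    for rec in parse_leases(text):
        if rec["state"] != "active" or rec["mac"] is None:
            continue
        if rec["mac"] not in inventory:
            findings.append((rec["ip"], rec["mac"], "unknown MAC"))
        elif rec["host"] and rec["host"] != inventory[rec["mac"]]:
            findings.append((rec["ip"], rec["mac"], "hostname mismatch"))
    return findings
```

Calling `audit(SAMPLE_LEASES, INVENTORY)` reports the `.22` lease (known MAC, unexpected hostname) and the `.37` lease (unknown MAC); a machine using a static address never appears in the lease file at all.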
0

You didn't specify whether or not you are working in a Windows networking environment, so I will focus on general networking security suggestions.

  1. Control physical access. Ideally your switches, patch panels and servers should be in a secure locking location that has appropriate cooling and power provisions such as a UPS. Keep an on-site key somewhere but resist the pressure to allow your clients access to your equipment - well-meaning but ignorant employees can often create bigger problems out of smaller ones. Make sure you have some kind of access log or audit trail (this can be as simple as an incident tracking system). If a network drop is unused, disconnect its patch cable or disable the port on the switch.

    I really avoid using MAC address based security because inevitably someone switches offices or you have to replace a machine and then you have to update the MAC address table again. MAC addresses make bad authentication tokens anyway as an attacker can easily discover a trusted MAC address via packet sniffing and then change their MAC address to match.

  2. Assume that your Wireless Password will be Shared. This is something that smaller deployments really struggle with in my opinion. The "Enterprise" grade solution is 802.1X authentication, which requires substantial infrastructure. If you set up a WPA2 access point and hand the password over to your clients, expect that they will give it out to anyone who asks politely. If the wireless really needs to provide access to the "private" network, then you yourself should set up the client machines and truly keep the secret, well, secret. If your clients really need network access for their vendors, contractors and other users, set up a separate VLAN and SSID. This can be easily accomplished using Multi-SSID capable access points that understand VLAN tagging.

  3. Use a Firewall. This is pretty basic. Have some sort of Layer-3/4 filtering in place between your client's network and the Big Bad Internet and test it to make sure it is doing what you think it is doing.

  4. Do not allow your clients to self-host services (or if you do, do it judiciously). Small deployments often don't have the infrastructure to safely host publicly accessible services. If your clients need these sorts of services, you will probably be best served by using an external hosting company that specializes in providing these services (for example, have a company that specializes in web hosting host their website, not an old workstation in a closet somewhere).

  5. Do not allow your clients to have Local Administrator (or if you do, do it judiciously). Don't give your clients Local Admin privileges. There are so many good reasons to not do this I won't even bother enumerating them. And do not give them administrator (or any kind of) access to their local server no matter how "experienced" they say their new intern is with technology.

In short, keep your network simple and you will keep it secure. The cornerstone of your security plan should be controlling physical network access, the principle of least privilege and resisting implementing systems whose security requires more infrastructure than you have available (publicly accessible services for example).