8 Ways to Improve Wired Network Security

We sometimes focus more on the wireless side of the network when it comes to security, because Wi-Fi has no physical barriers. After all, a wardriver can detect your SSID and launch an attack while sitting in the parking lot.

But in a world of insider threats, targeted attacks from the outside, as well as hackers who use social engineering to physically gain access to corporate networks, securing the wired portion of the network must also be a priority.

So here are some basic security precautions you can take for the wired side of the network, whether you are a small or a large business.

1. Perform auditing and mapping

If you haven’t done so recently, you should audit and map your network. Always have a clear understanding of the entire network infrastructure, e.g. vendor/model, location and basic configuration of firewalls, routers, switches, cabling and Ethernet ports and wireless access points. Plus, know exactly what servers, computers, printers, and other devices are connected, where they’re connected, and their connectivity path on the network.

During your audit and mapping, you may find specific security vulnerabilities or ways to improve security, performance, and reliability. You might, for example, come across a misconfigured firewall or a physical security weakness.

If you are working with a small network with only a few network components and a dozen or fewer workstations, you can simply perform the audit manually and create a visual map on a piece of paper. For large networks, you may find auditing and mapping programs useful. They can scan the network and start producing a network map or diagram.

2. Keep the network updated

Once you have a basic network audit and a full map, consider diving deeper. Check for firmware or software updates on all network infrastructure components. Log in to the components to ensure default passwords have been changed, check the settings for any insecure configuration, and review any other security functions or features that you are not currently using.


Then examine all the computers and devices connected to the network. Make sure the basics are taken care of: OS and driver updates are applied, personal firewalls are active, antivirus is running and up to date, and passwords are set.

3. Physically secure the network

Although often overlooked or downplayed, the physical security of the network can be just as crucial as, say, your firewall facing the Internet. Just as you need to protect yourself against hackers, bots, and viruses, you also need to protect yourself against local threats.

Without strong physical security of your building and network, a nearby hacker or even an employee could take advantage. For example, perhaps they plug a wireless router into an open Ethernet port, giving them and anyone else nearby wireless access to your network. But if that Ethernet port wasn’t visible, or at least was disconnected, it wouldn’t have happened.

Make sure you have a good building security plan in place to try and keep strangers out. Next, ensure that all wiring closets and/or other locations where network infrastructure components are placed have been physically shielded from the public and employees. Use door and cabinet locks. Verify that the Ethernet cabling is out of sight and not easily accessible; the same with wireless access points. Disconnect unused Ethernet ports, either physically or through a switch/router configuration, especially those located in public areas of the building.

4. Consider MAC address filtering

One of the main security issues on the wired side of the network is the lack of a simple and fast authentication and/or encryption method; people can just plug in and use the network. On the wireless side, you have at least easy-to-deploy WPA2-Personal (PSK).

Although MAC address filtering can be bypassed by a determined hacker, it can serve as the first layer of security. It won’t completely stop a hacker, but it can help you prevent an employee, for example, from causing a potentially serious security breach, such as allowing a guest to log into the private network. It can also give you more control over the devices that are on the network. But don’t let this give you a false sense of security and be prepared to keep the approved MAC address list up to date.

5. Implement VLANs to Separate Traffic

If you are working with a smaller network that has not yet been segmented into VLANs, consider making the switch. You can use VLANs to group Ethernet ports, wireless access points, and users across multiple virtual networks.

Perhaps use VLANs to segregate the network by traffic type (general access, VoIP, SAN, DMZ) for performance or design reasons and/or by user type (employees, management, guests) for security reasons. VLANs are especially useful when configured for dynamic assignment. For example, you can plug your laptop in anywhere on the network, or connect via Wi-Fi, and be automatically placed on your assigned VLAN. This can be achieved through MAC address tagging; a more secure option is to use 802.1X authentication.

To use VLANs, your router and switches must support them: look for IEEE 802.1Q support in the product specifications. For wireless access points, you’ll probably want ones that support both VLAN tagging and multiple SSIDs. With multiple SSIDs you have the option of offering multiple virtual WLANs, each of which can be assigned to a certain VLAN.
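The port audit that sections 3, 4 and 5 describe (an approved MAC list, MAC-based VLAN placement, and spotting a jack where someone plugged in an unmanaged switch or wireless router) can be scripted against the switch's MAC table. The following is an added example, not code from the article: the approved-device list, the guest VLAN number and the `show mac address-table` output are all constructed for the demonstration, and the parser assumes the common `Vlan / Mac Address / Type / Ports` column layout.

```python
import re
from collections import defaultdict

# Constructed approved-device list: MAC -> VLAN it belongs on (the list an
# admin maintains for MAC filtering and MAC-based VLAN assignment).
APPROVED = {
    "0011.2233.4455": 10,   # employee workstation
    "0011.2233.4466": 10,   # employee workstation
    "00aa.bbcc.dd01": 20,   # IP phone, belongs on the VoIP VLAN
}
GUEST_VLAN = 99  # assumed quarantine/guest VLAN for unknown devices

# Constructed switch output in the common "show mac address-table" layout.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/3
  10    dead.beef.0001    DYNAMIC     Gi1/0/5
  10    dead.beef.0002    DYNAMIC     Gi1/0/7
  10    dead.beef.0003    DYNAMIC     Gi1/0/7
  10    dead.beef.0004    DYNAMIC     Gi1/0/7
"""
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (vlan, mac, port) tuples, skipping header and separator lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows

def audit_ports(rows, approved, guest_vlan):
    """Classify each learned MAC and flag ports that learned several MACs.
    Decisions are (port, mac, status, target_vlan): approved devices keep their
    VLAN, approved devices on the wrong VLAN are flagged, unknown devices go to
    the guest VLAN. A port with >1 MAC may hide a rogue switch or wireless router."""
    decisions, per_port = [], defaultdict(set)
    for vlan, mac, port in rows:
        per_port[port].add(mac)
        if mac not in approved:
            decisions.append((port, mac, "unknown", guest_vlan))
        elif approved[mac] != vlan:
            decisions.append((port, mac, "vlan_mismatch", approved[mac]))
        else:
            decisions.append((port, mac, "approved", vlan))
    suspicious = sorted(p for p, macs in per_port.items() if len(macs) > 1)
    return decisions, suspicious
```

In the constructed table, Gi1/0/3 has the phone on the wrong VLAN, Gi1/0/5 carries one unknown device, and Gi1/0/7 has learned several MACs at once, which is what a consumer router plugged into a lobby jack looks like from the switch.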

6. Use 802.1X for authentication

Authentication and encryption on the wired side of the network are often overlooked because of the complexity involved. It’s common sense to encrypt wireless connections, but don’t forget or ignore the wired side. A local hacker could possibly connect to your network with nothing preventing him from sending or receiving traffic.

While deploying 802.1X authentication would not encrypt Ethernet traffic, it would at least prevent an unauthenticated device from sending over the network or accessing resources until valid login credentials are provided. You can also use the same authentication on the wireless side to implement enterprise-level WPA2 security with AES encryption, which has many advantages over the personal (PSK) mode of WPA2.

Another great benefit of 802.1X authentication is the ability to dynamically assign users to VLANs.

To deploy 802.1X authentication, you first need a Remote Authentication Dial-In User Service (RADIUS) server, which essentially serves as the user database and is the component that allows/denies access to the network. If you have a Windows server, you already have a RADIUS server: the Network Policy Server (NPS) role; or in older versions of Windows Server, this is the Internet Authentication Service (IAS) role. If you don’t have a server yet, you can consider .

To learn more about 802.1X authentication, check out two of my previous articles: and .
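The dynamic VLAN assignment that 802.1X makes possible is carried in the RADIUS server's Access-Accept as three tunnel attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, defined in RFC 2868 and applied to VLANs in RFC 3580). The following is an added example, not code from the article: an encoder for those attributes and the strict decoder a switch needs, which refuses to move the port when the set is incomplete, inconsistently tagged, or names something other than a VLAN over 802 media. The attribute numbers and values come from those RFCs; the function names and VLAN 20 are my own choices.

```python
import struct

# RFC 2868 tunnel attribute numbers and the values RFC 3580 uses to tell
# an 802.1X switch which VLAN the authenticated port belongs in.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def _avp(attr_type, value):
    """One RADIUS attribute-value pair: Type(1) Length(1) Value(n)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def vlan_assignment_avps(vlan_id, tag=1):
    """Encode the three tagged attributes a RADIUS server returns in an
    Access-Accept to assign a VLAN. Tunnel-Type and Tunnel-Medium-Type are a
    one-byte tag plus a 3-byte integer; Tunnel-Private-Group-ID is the tag
    plus the VLAN ID as an ASCII string (RFC 3580 section 3.31)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    t = bytes([tag])
    return (_avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))

def parse_vlan_assignment(data):
    """Walk the attribute list as a switch would and return the VLAN ID.
    Returns None when the three attributes are missing, malformed, carry
    different tags, name a tunnel type/medium other than VLAN over 802, or
    hold a non-numeric group ID; the switch should then fall back to its
    configured default or guest VLAN instead of trusting the Access-Accept."""
    seen, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            return None  # truncated or malformed attribute: reject the set
        if attr_type in TUNNEL_ATTRS:
            seen[attr_type] = (data[pos + 2], data[pos + 3:pos + length])
        pos += length
    if len(seen) != 3 or len({tag for tag, _ in seen.values()}) != 1:
        return None
    if (int.from_bytes(seen[TUNNEL_TYPE][1], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(seen[TUNNEL_MEDIUM_TYPE][1], "big") != TUNNEL_MEDIUM_IEEE802):
        return None
    group = seen[TUNNEL_PRIVATE_GROUP_ID][1]
    return int(group) if group.isdigit() else None
```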

7. Use VPNs to encrypt certain PCs or servers

If you are serious about securing network traffic, consider using encryption. Remember that even with VLANs and 802.1X authentication, someone on the same network segment (VLAN) can sniff traffic and capture anything sent unencrypted, which can include passwords, emails, and documents.

Although you can encrypt all traffic, scan your network first. It may make more sense to encrypt only certain communications that you deem most sensitive and that are not already encrypted, for example via SSL/HTTPS. You can pass sensitive traffic through a standard VPN on the client, which could be used only during sensitive communication or forced to be used all the time.

8. Encrypt the entire network

You can also encrypt an entire network. One option is IPsec. A Windows server can act as an IPsec server, and client functionality is also natively supported by Windows. However, the encryption process can represent a considerable overhead for the network; actual throughput can drop dramatically. There are also proprietary network encryption solutions offered by network vendors, many of which use a Layer 2 approach instead of the Layer 3 approach of IPsec to help reduce latency and overhead.

Eric Geier is a freelance tech writer — follow his writing on Facebook or Twitter. He is also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, a tech support company.


Copyright © 2014 IDG Communications, Inc.
