Sticking with the physical aspect of layered security, you have the actual hardware to look at. Routers and switches need to be configured. However, as reports and news of the past have shown you, more often than not these devices are left in their default states. Hardware security, or other aspects of the physical layer, also includes workstations and any physical appliance or device that can access the network.
Layered security - starting with the basics: Physical security. (IMG:J.Anderson)
Most attacks on a network happen because of two things: insiders or poor hardware configurations. Leaving your router set to default, or leaving on services that are not needed, can cause you some problems should anyone want to take a crack at you. The problem is that most companies and security managers assume no one wants to take that potshot and attempt anything on their network.
Ask yourself this: would you leave Telnet open on a device when you are using SSH? What about FTP? Would you allow FTP to access a server instead of SCP (Secure Copy Protocol)? There is clearly a wrong answer to the first question. Never use Telnet; you should always use SSH. FTP is another matter. If your hardware allows FTP access, but you have no use for it, why is it left enabled in the first place?
There are so many network devices for you to use to design a network it can boggle the mind. However, therein lies the problem. With all these devices, and all the options they offer, you can feel like the protocol king. Remember, these options are there for growth, but that does not mean they are useful to your network now. For example, most routers offer the ability to talk with just about every protocol. Do you really need that functionality?
Some services are redundant and not needed. If that is the case, turn them off. Take Proxy ARP, which allows one host to respond to an ARP request in the place of another. Most Cisco routers have this enabled by default. If you don’t need it, and you shouldn’t ever, disable it. Another common feature, again using Cisco as an example, is the HTTP server for management. If you do not intend to manage your router with this option, kill it; this goes for HTTPS as well. (Issue “no ip http server” or “no ip http secure-server” in global configuration.) Finger is another example of a service that is rarely, as in never, needed. TFTP is a great example of a protocol that should stay disabled and be enabled only when needed.
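One way to check a saved configuration for the services named above, as an added example that is not part of the original article. It assumes Cisco IOS-style text; the sample config, the `audit` function and the finding labels are constructed for illustration, and Proxy ARP is treated as enabled unless an explicit "no ip proxy-arp" appears on the interface.

```python
import re

# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
ip http server
no ip http secure-server
ip finger
tftp-server flash:example.bin
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""

# Global commands that mean a service named in the article is switched on.
GLOBAL_CHECKS = [
    (r"ip http server$", "HTTP management server enabled"),
    (r"ip http secure-server$", "HTTPS management server enabled"),
    (r"(ip|service) finger$", "Finger service enabled"),
    (r"tftp-server\s", "TFTP server enabled"),
]

def audit(config):
    """Return sorted (location, finding) pairs for services left enabled."""
    findings, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] == " " and current:          # indented: belongs to a section
            sections[current].append(line)
        elif line.startswith(("interface ", "line vty")):
            current = line
            sections[current] = []
        else:                                   # global configuration line
            current = None
            findings += [("global", msg) for pat, msg in GLOBAL_CHECKS
                         if re.match(pat, line)]
    for name, body in sections.items():
        if name.startswith("interface "):
            # Proxy ARP is on by default, so only an explicit "no" counts as off.
            routed = any(l.startswith("ip address ") for l in body)
            if routed and "no ip proxy-arp" not in body and "shutdown" not in body:
                findings.append((name, "Proxy ARP left at default (enabled)"))
        elif "transport input ssh" not in body:
            findings.append((name, "VTY lines not restricted to SSH (Telnet possible)"))
    return sorted(findings)
```

Run `audit()` against a saved copy of each device's configuration and review whatever it returns; an empty list means none of these services were found enabled.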
When it comes to businesses, physical protection of the hardware is mostly best practice and configuration, trial and, unfortunately, error. The best way to physically secure a router or network device is to harden it. This can be done in several ways. Whole vertical markets have been created in IT security for it. There are companies and products that exist simply to help harden the network, starting with the physical stuff.
For some extra reading here are two sites that offer some good advice. The first is a standard guide that every Cisco junkie has memorized. (http://tinyurl.com/6jv6y) The second is the NSA list of hardening guides http://www.nsa.gov/snac/downloads_all.cfm.
Desktop hardening is also an aspect of physical security. This is something both the business and home user can deal with. The basics are simple. Always apply operating system updates and patches. Third-party software should be patched and updated regularly, and firmware on internal hardware should be managed as well. This can be a daunting task for home or business users, but for both there is a company that can offer some help. http://www.updatestar.com/ will keep track of about 75 million products, and ensure that things are kept up to date. Most hardware vendors offer tools for their update releases, and Microsoft as well as Apple each allow automatic updates to their operating systems.
Adding to the hardening and physical security efforts of the desktop PC is software-based security, such as programs for malware protection (adware or spyware) and anti-virus protection. It would be a good idea to use a software-based firewall as well. You can use the vendor of your choice; each one has something different and most do the job well. McAfee, Symantec, Kaspersky and AVG each offer protection to the home computer and business computer.
Like a router, a computer has services you can disable if they are not needed. Remove access to remote desktop, drive sharing, folder sharing, and other services that you do not need. CERT has a nice guide for home users, and it is well worth a look: http://www.cert.org/homeusers/HomeComputerSecurity/
The other type of hardware found in both the office and in the home is a wireless router. The brand name of the hardware is moot. All that matters is that it works and it is secured. There have been several articles covering this type of physical security.
Recently The Tech Herald covered this very topic. The link is below: Security: How to protect your wireless network and debunk myths
The one that matters most with wireless routers is that you NEVER use the default settings. Change the default admin password, and stay away from WEP based security. “Many guides online tell the home or business user that WEP is better than no security at all. The point they are making is that instead of using no security on the wireless network, you should use WEP at the very least. A valid point to make, but the reality is; if you use WEP, you might as well be using no security at all.” I wrote that in the wireless security guide, and it is worth repeating. Do not use WEP.
Physical security is important. The saying that you must walk before you can run will apply here, because thousands spent on complex and really cool network security equipment is only wasted if someone can walk off with your equipment because of poor physical access security, or can take down the whole network because of lax configuration.