When it comes to network security, you must treat your network in the same fashion as you handle your business as a whole. In most cases, businesses don't allow the general public to navigate every corner of their buildings. Instead, they designate certain areas for customers to use. Similarly, whether it's by a key card, passcode, or simply facial recognition, your employees must follow some sort of security procedure before entering your building and beginning their work.
Keeping your network secure is paramount to your business's success. In fact, if your security systems fail, it may cost you everything. Because of this, you should take network security as seriously as any other business function.
At the forefront of every security policy should be the physical security of your business premises and, in particular, of the rooms that house your network infrastructure. Your users should be required to authenticate at every level and follow strict guidelines while accessing your business's data. And like your users, your devices should be bound by security policies, too.
The most basic dimension of network security is "protecting your castle." This concept is simple, but important. You don’t want to allow the general public where they don’t belong. If an intruder does make it past the gates, you need to do everything that you can to make it harder for them to get what they want. Here’s a breakdown of securing the physical side of every part of your network.
Secure Your Premises
Your building should be divided into separate levels of access. Access should only be given to those who need it, and no one else. Here are three levels of access that should be included:
- Public access. At some level, the public should be separated from the rest of your business. If your area of business doesn’t involve face-to-face communication with clients, access should be locked down at the front door. Retailers and other customer-facing businesses should separate the areas where customers are welcome from where employees are allowed.
- Employee-only access. The “employees only” area of your building should require some sort of authentication for access. As employees come and go, access should be adjusted in real time. When employees quit or are let go, their access to private areas should be revoked immediately. There are still some areas, such as your network closet, where only specific employees should be granted access.
- Network administrators. Among the locations within your business, the rooms that contain your networking infrastructure should be kept the most secure. The only people allowed into these rooms are network administrators. Access in and out should be logged so that when a security issue arises, everyone who has had direct access can be identified.
While physical building security isn’t specific to networking, the two levels of security go hand-in-hand and need to be considered. A tiered access system is the best way to make sure that the right people are given access to the correct locations.
You also need to plan for intruders who make it past your initial layers of security. One effective way to limit what they can do is to disable every port you aren't using, which shrinks the attack surface of your network.
On your managed network switches, shutting down unused ports prevents an intruder from plugging in a device and getting onto the network. Disabling unused USB ports on your servers and workstations prevents attackers from copying data onto a USB stick or introducing malware from one. Similarly, requiring per-device authentication on your access points (for example WPA2/WPA3-Enterprise with 802.1X) rather than a shared passphrase closes off the wireless “port” into your network. Note that shutting down unused switch ports does not stop someone from unplugging a printer and using its live port; port security or 802.1X on the active ports closes that gap.
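Finding the ports that still need to be shut down is an audit task, and it is easy to automate. The script below is an added example and not part of the original article: it parses Cisco IOS-style `show interfaces status` output (the format is an assumption; real output varies by platform and version, and the sample text here is constructed) and lists every port that is administratively up but has nothing connected, then generates the configuration lines to shut those ports and park them on an unused VLAN so that a port re-enabled by mistake does not land on a production VLAN.

```python
import re

# Constructed sample output in the shape of Cisco IOS "show interfaces status".
# Assumption: column order Port, Name, Status, Vlan, ...; the Name column may be blank.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   uplink-to-core     connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   10         auto    auto  10/100/1000BaseTX
Gi1/0/3   reception-pc       connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/4                      notconnect   10         auto    auto  10/100/1000BaseTX
Gi1/0/5   spare              disabled     10         auto    auto  10/100/1000BaseTX
Gi1/0/6                      err-disabled 10         auto    auto  10/100/1000BaseTX
"""

# Port, optional (possibly blank) name, then one of the known status keywords, then VLAN.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled|inactive)\s+"
    r"(?P<vlan>\S+)"
)


def parse_status(output):
    """Return one dict per interface row (header line skipped, unparseable lines ignored)."""
    rows = []
    for line in output.splitlines()[1:]:
        m = STATUS_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def ports_to_shutdown(output):
    """Ports that are administratively up ('notconnect') but have nothing plugged in.
    Ports already 'disabled' are skipped; 'err-disabled' ports need investigation, not a blind shutdown."""
    return [r["port"] for r in parse_status(output) if r["status"] == "notconnect"]


def shutdown_config(ports, parking_vlan=999):
    """IOS configuration lines: move each port to an unused parking VLAN and shut it.
    parking_vlan is an assumption; pick a VLAN that routes nowhere on your network."""
    lines = []
    for port in ports:
        lines += [f"interface {port}",
                  f" switchport access vlan {parking_vlan}",
                  " shutdown"]
    return lines


if __name__ == "__main__":
    unused = ports_to_shutdown(SAMPLE_STATUS)
    print("Unused, still-enabled ports:", unused)
    print("\n".join(shutdown_config(unused)))
```

Run it against saved output from each switch before and after a change window; a port that shows up as `notconnect` in every audit for a month is a safe candidate, while a port that flips between `connected` and `notconnect` belongs to something that is occasionally unplugged and needs a conversation, not a shutdown.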
Gone are the days when you could get away with not asking for a password. Stolen, guessed, and reused credentials are among the most common ways attackers get into business systems. Fortunately, it's quite easy to reduce the risk of your accounts being compromised. Following are best practices for your user authentication policy.
Force Logins at Every Level
At every level of network access, your employees should be forced to have a username and password. It's no longer acceptable to choose not to activate password protection on your PC, no matter how relaxed the work environment is. In addition to this, authentication should not be shared between users. Every employee needs to have his or her own individual username and password.
Enforce a Password Policy
Having a simple but logical password policy helps to prevent security exploits. There are a few standard password policy rules to follow.
- Use complex passwords. Passwords should have a minimum length requirement of at least eight characters. Each password should require at least one number, one letter, and one special character.
- Change your password periodically. Your users should change their passwords on a schedule; forcing a new passphrase every two months is a common rule. Be aware that current NIST guidance (SP 800-63B) recommends against forced periodic changes unless a compromise is suspected, because they push users toward predictable variations of the same password. Whatever schedule you choose, require an immediate change whenever a password may have been exposed.
- Don't use the same passwords over and over. The best practice is to use a different password for every place that you log in to. To make this manageable, use a reputable password manager to generate and store unique passwords across systems.
Following these rules will sharply reduce the risk of account compromise. In a domain environment, length, complexity, history, and expiry rules can be enforced centrally through Active Directory Group Policy.
Manage Authentication Properly
As users come into and leave your business, it's important to follow a few key rules to stay on top of authentication security.
- New employees should go through proper security training before receiving access. As new hires come in, you need to know that everyone is on the same page. Proper, uniform security training will help your new employees understand the company's security standards.
- Only allow access to what's needed. Most of your users will need minimal access to the entirety of your company’s data. You shouldn't give employees access to what they don't need. Limit access to what is essential.
- Departing employees should have access revoked immediately. Employees who leave, especially those who are fired, should lose access to your data no later than the moment they leave the building. You don't want a disgruntled employee using your data against you.
At all times, your IT staff should be aware of all of these rules. They will be the ones responsible for enforcing them.
Firewalls and Protection Software
You’ve secured your network and user authentication processes. Now it’s time to make sure that traffic in and out of your system is being monitored. All incoming traffic should meet a gateway firewall before being allowed to enter your network. Once it is allowed through, there should be a second level of protection at the device level.
Every network should be protected by a robust firewall. Here's an overview of the standards that each firewall should follow.
- Block all inbound access by default. When your firewall is first set up, unsolicited inbound traffic hitting your gateway should be blocked by default. Open individual ports only when a specific service needs them, and record why each one was opened.
- When possible, restrict inbound access by source address. Eventually you'll have to allow some traffic in. Where you can, find out where that traffic originates and restrict the rule to those source addresses or ranges. In some situations, such as VoIP phone systems whose providers use many addresses, this may not be possible.
- Limit outbound access as much as possible. In general, your network will need a number of ports open for outbound access. Block the outbound ports you know you won't be using, and restrict sensitive ones, such as outbound SMTP, to the specific hosts that need them.
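The three rules above describe a first-match, default-deny policy, which is the model behind iptables, nftables, and most gateway firewalls. The following Python is an added example, not code from the original article or from any firewall product: it implements that model and a small policy showing an inbound service pinned to a source range, an inbound service that cannot be pinned, and an outbound SMTP restriction where rule order matters. The addresses are assumptions (203.0.113.0/24 is a documentation range standing in for a partner network, 10.0.0.25 for your mail server), and the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    direction: str              # "in" (from the internet) or "out" (from your LAN)
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "tcp", "udp", or "any"
    port: Optional[int] = None  # destination port; None means any port
    src: str = "0.0.0.0/0"      # source network: remote host for "in", internal host for "out"
    note: str = ""


@dataclass
class Packet:
    direction: str
    proto: str
    dport: int
    src: str


def evaluate(rules, pkt):
    """First matching rule wins. Anything no rule matches is denied (default deny)."""
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.port is not None and r.port != pkt.dport:
            continue
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        return r.action, r.note
    return "deny", "default deny"


# Assumed example policy; addresses are placeholders, not real infrastructure.
POLICY = [
    # Inbound: nothing is open unless listed here, and each listed service is
    # pinned to a source range where that is possible.
    Rule("in", "allow", "tcp", 443, "203.0.113.0/24", "HTTPS to the web portal, partner range only"),
    Rule("in", "allow", "udp", 5060, note="SIP trunk; provider addresses vary, so the source cannot be pinned"),
    # Outbound: order matters. The mail server's allow must sit above the blanket SMTP deny.
    Rule("out", "allow", "tcp", 25, "10.0.0.25/32", "only the mail server sends SMTP"),
    Rule("out", "deny", "tcp", 25, note="workstations have no reason to send SMTP directly"),
    Rule("out", "allow", "tcp", 443, note="HTTPS"),
    Rule("out", "allow", "tcp", 80, note="HTTP"),
    Rule("out", "allow", "udp", 53, note="DNS"),
    # Anything else falls through to the default deny in evaluate().
]


if __name__ == "__main__":
    for pkt in [Packet("in", "tcp", 443, "203.0.113.7"),
                Packet("in", "tcp", 443, "198.51.100.9"),
                Packet("in", "tcp", 22, "203.0.113.7"),
                Packet("out", "tcp", 25, "10.0.0.25"),
                Packet("out", "tcp", 25, "10.0.0.77"),
                Packet("out", "tcp", 6667, "10.0.0.77")]:
        print(pkt, "->", evaluate(POLICY, pkt))
```

The model covers connection-initiating traffic only. A real gateway firewall is stateful, so replies to a connection your LAN opened are let back in automatically; you do not need, and should not write, inbound rules for them.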
Network firewalls, when combined with PC firewalls, offer a very secure layer of protection for your network.
All of your PCs should be running protection software. Windows includes the built-in Windows Firewall and Windows Defender. Network administrators can add an extra layer of security with centrally managed third-party protection software, which can be administered from a central server to push updates and definitions and to report on each machine's status.
When to Forbid Outbound Access
When a device on your network falls out of compliance with your security policy, you should act to protect the rest of the network. The most effective step is to deny that device outbound access until it is fixed. Following are a few situations in which this is appropriate.
- Devices using unfamiliar DNS servers. Keep a list of approved DNS servers on your internet gateway and allow DNS traffic (UDP and TCP port 53) only to those servers; devices that try to use other resolvers should be denied outbound access. A rogue or compromised DNS server can redirect traffic to attacker-controlled sites rather than the intended destinations. Note that encrypted DNS (DNS over HTTPS) is not caught by a port-53 rule and needs to be controlled separately.
- Devices using protection software that has gone out-of-date. Threats on the internet change a lot. There are new vulnerabilities being discovered daily. Because of this, your devices should check for updates and new virus definitions daily. Overlooking these updates can create a security hole in your network.
- Devices running insecure operating systems. Security updates to your operating system are crucial. PCs should be forced to stick to up-to-date, actively supported operating systems and be current with security updates.
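The three checks above can be applied as one compliance pass over your device inventory, with the result being the list of addresses to deny outbound access at the gateway. The Python below is an added example and not code from the original article; it assumes you already have a per-device feed (from an endpoint agent, DHCP and DNS logs, or an asset database) with the resolvers each device uses, its operating system, and the date its protection definitions were last updated. The inventory records, the approved resolver addresses, the supported-OS list, and the reference date are all constructed for the example.

```python
from datetime import date

# Assumed policy values for the example.
ALLOWED_DNS = {"10.0.0.2", "10.0.0.3"}           # your internal resolvers
SUPPORTED_OS = {"Windows 10", "Windows 11",
                "Windows Server 2019", "Windows Server 2022"}
MAX_DEFINITION_AGE_DAYS = 1                       # definitions must be refreshed daily
TODAY = date(2024, 5, 6)                          # fixed reference date so the run is reproducible

# Constructed inventory records; "dns" lists the resolvers the device was seen querying.
INVENTORY = [
    {"host": "ws-01", "ip": "10.0.1.10", "dns": ["10.0.0.2"],
     "os": "Windows 11", "defs_updated": "2024-05-06"},
    {"host": "ws-02", "ip": "10.0.1.11", "dns": ["8.8.8.8"],
     "os": "Windows 11", "defs_updated": "2024-05-06"},
    {"host": "ws-03", "ip": "10.0.1.12", "dns": ["10.0.0.3"],
     "os": "Windows 7", "defs_updated": "2024-05-06"},
    {"host": "ws-04", "ip": "10.0.1.13", "dns": ["10.0.0.2", "10.0.0.3"],
     "os": "Windows 10", "defs_updated": "2024-04-28"},
]


def compliance_failures(device, today=TODAY):
    """Return the list of reasons this device fails policy (empty list means compliant)."""
    failures = []
    rogue = sorted(set(device["dns"]) - ALLOWED_DNS)
    if rogue:
        failures.append("unapproved DNS servers: " + ", ".join(rogue))
    age_days = (today - date.fromisoformat(device["defs_updated"])).days
    if age_days > MAX_DEFINITION_AGE_DAYS:
        failures.append(f"protection definitions {age_days} days old")
    if device["os"] not in SUPPORTED_OS:
        failures.append("unsupported operating system: " + device["os"])
    return failures


def quarantine_list(inventory, today=TODAY):
    """Map each non-compliant host name to its reasons, so the user can be told what to fix."""
    result = {}
    for device in inventory:
        reasons = compliance_failures(device, today)
        if reasons:
            result[device["host"]] = reasons
    return result


def outbound_deny_addresses(inventory, today=TODAY):
    """Sorted IPs to feed into the gateway's outbound deny list."""
    return sorted(d["ip"] for d in inventory if compliance_failures(d, today))


if __name__ == "__main__":
    for host, reasons in quarantine_list(INVENTORY).items():
        print(f"{host}: deny outbound ({'; '.join(reasons)})")
    print("Gateway deny list:", outbound_deny_addresses(INVENTORY))
```

Run the pass on a schedule and push the resulting address list to the gateway; as the page notes, a device comes off the list as soon as it passes all three checks again, and the reasons string gives the help desk exactly what to tell the user.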
Once security issues have been resolved, these devices can once again be allowed outbound access. If these issues were caused by user error, it's good practice to explain the situation to the user and let them know how to prevent it from happening again.
Network security cannot be taken lightly. Any security issues that occur could affect your entire business. There are a few easy rules to follow to keep your network secure.
Be sure to take your building’s physical security seriously and only allow access to those who need it. Make sure every user is forced to use a password to log in for access, and follow general access rules. Finally, be sure to secure your network with firewalls and security software.