{"id":35443,"date":"2019-10-10T20:19:51","date_gmt":"2019-10-10T16:19:51","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=35443"},"modified":"2021-04-05T16:13:13","modified_gmt":"2021-04-05T12:13:13","slug":"network-security-best-practices","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/network-security-best-practices\/","title":{"rendered":"Network Security Best Practices"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">When it comes to network security, you must treat your network in the same fashion as you handle your business as a whole. In most cases, businesses don't allow the general public to navigate every corner of their buildings. Instead, they designate certain areas for customers to use. Similarly, whether it's by a key card, passcode, or simply facial recognition, your employees must follow some sort of security procedure before entering your building and beginning their work.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Keeping your network secure is paramount to your business's success. In fact, if your security systems fail, it may cost you everything. Because of this, you need to follow these network security best practices and take these procedures as seriously as any other business function.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At the forefront of every security policy should be the sanctity of your business premises and the location of your network infrastructure. Your users should be required to authenticate at every level and follow strict guidelines while accessing your business's data. And like your users, your devices should be locked into security policies, too.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Physical Security<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The most basic dimension of network security best practices is \"protecting your castle.\" This concept is simple, but important. 
You don\u2019t want to allow the general public where they don\u2019t belong. If an intruder does make it past the gates, you need to do everything that you can to make it harder for them to get what they want. Here\u2019s a breakdown of securing the physical side of every part of your network.<\/span><\/p>\n<h3><b>Secure Your Premises<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Your building should be divided into separate levels of access. Access should only be given to those who need it, and no one else. Here are three levels of access that should be included:<\/span><\/p>\n<ul>\n<li><b>Public access. <span style=\"font-weight: 400;\">At some level, the public should be separated from the rest of your business. If your area of business doesn\u2019t involve face-to-face communication with clients, access should be locked down at the front door. Retailers and other customer-facing businesses should separate the areas where customers are welcome from where employees are allowed.<\/span><\/b><\/li>\n<li><b>Employee-only access. <span style=\"font-weight: 400;\">The \u201cemployees only\u201d area of your building should require some sort of authentication for access. As employees come and go, access should be adjusted in real time. When employees quit or are let go, their access to private areas should immediately be revoked. There are still some areas, such as your network closet, where only specific employees should be granted access.<\/span><\/b><\/li>\n<li><b>Network administrators. <span style=\"font-weight: 400;\">The rooms that contain your networking infrastructure should be among the most secure locations within your business. The only people that should be allowed into these rooms are network administrators. 
Access in and out of this room should be recorded so that when security issues arise, those who have had direct access can be identified.<\/span><\/b><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">While physical building security isn\u2019t specific to networking, the two levels of security go hand-in-hand and need to be considered. A tiered access system is the best way to make sure that the right people are given access to the correct locations.<\/span><\/p>\n<p><span class=\"further-reading \">Further reading<\/span> <a href=\"https:\/\/www.msp360.com\/resources\/blog\/local-cloud-hybrid-network-design\/\">Local, Cloud and Hybrid Network: Which One Should You Opt to?<\/a><\/p>\n<h3><a name=\"port\"><\/a><b>Port Configurations<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">There are security considerations to be made for intruders who make it past your initial levels of security. One effective way to help secure these systems is to disable all unused ports. Disabling these reduces the surface area of attack on your network.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On your managed network switches, disabling unused ports will prevent intruders from plugging a device in and accessing the network. Turning off unused USB ports on your servers and workstations will prevent attackers from stealing data with USB sticks. 
Similarly, preventing foreign devices from connecting to your access points and stealing data locks down a wireless \u201cport\u201d into your network.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">User Authentication<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Gone are the days when you could get away with not asking for a password. 
More and more, user access systems are hacked and exploited. Fortunately, it's quite easy to minimize the risks of your accounts being compromised. The following network security best practices apply to your user authentication policy.<\/span><\/p>\n<h3><b>Force Logins at Every Level<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">At every level of network access, your employees should be forced to have a username and password. It's no longer acceptable to choose not to activate password protection on your PC, no matter how relaxed the work environment is. In addition to this, credentials should not be shared between users. Every employee needs to have his or her own individual username and password.<\/span><\/p>\n<h3><b>Enforce a Password Policy<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Having a simple but logical password policy helps to prevent security exploits. There are a few standard password policy rules to follow.<\/span><\/p>\n<ul>\n<li><b>Use complex passwords. <span style=\"font-weight: 400;\">Passwords should be at least eight characters long. Each password should contain at least one number, one letter, and one special character.<\/span><\/b><\/li>\n<li><b>Change your password periodically. <span style=\"font-weight: 400;\">Your users should be changing their passwords frequently. Forcing users to pick a new passphrase every two months is a good rule to follow.<\/span><\/b><\/li>\n<li><b>Don't use the same passwords over and over. <span style=\"font-weight: 400;\">The best practice is to use a different password for every place that you log in to. To make things simpler, there are a few different secure software packages that can help you keep track of your passwords across systems.<\/span><\/b><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Following these rules will sharply reduce vulnerabilities. 
In a domain environment, these policies can be enforced with your Active Directory server.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><span class=\"further-reading \">Further reading<\/span> <\/span><a href=\"https:\/\/www.msp360.com\/resources\/blog\/password-management\/\"><span style=\"font-weight: 400;\">Password Management Best Practices<\/span><\/a><\/p>\n<h3><b>Manage Authentication Properly<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">As users come into and leave your business, it's important to follow a few key rules to stay on top of authentication security.<\/span><\/p>\n<ul>\n<li><b>New employees should go through proper security training before receiving access. <span style=\"font-weight: 400;\">As new hires come in, you need to know that everyone is on the same page. Proper, uniform security training will help your new employees understand the company's security standards.<\/span><\/b><\/li>\n<li><b>Only allow access to what's needed. <span style=\"font-weight: 400;\">Most of your users will need access to only a small portion of your company\u2019s data. You shouldn't give employees access to what they don't need. Limit access to what is essential.<\/span><\/b><\/li>\n<li><b>Departing employees should have access revoked immediately. <span style=\"font-weight: 400;\">Employees who leave, especially those who are fired, should lose access to data immediately upon being removed from the building. You don't want a disgruntled employee using your data against you.<\/span><\/b><\/li>\n<\/ul>\n<p id=\"last\"><span style=\"font-weight: 400;\">At all times, your IT staff should be aware of all of these rules. 
They will be the ones responsible for enforcing them.<\/span><\/p>\n<h2><span 
style=\"font-weight: 400;\">Firewalls and Protection Software<\/span><\/h2>\n<h3><b>Network Firewalls<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Every network should be protected by a robust firewall. Here's an overview of the standards that each firewall should follow.<\/span><\/p>\n<ul>\n<li><b>Block all inbound access by default. <span style=\"font-weight: 400;\">When your firewall is first set up, all traffic hitting your router should be blocked by default. As requests come in for open access, ports can be opened, one at a time.<\/span><\/b><\/li>\n<li><b>When possible, restrict inbound access by source address. <span style=\"font-weight: 400;\">Eventually, you'll have to allow traffic in. If possible, find out where traffic is coming from and restrict it to certain host IP addresses. In some situations, such as VoIP phone systems, this may not be possible.<\/span><\/b><\/li>\n<li><b>Limit outbound access as much as possible. <span style=\"font-weight: 400;\">In general, your network is going to need to leave a lot of ports open for outbound access. If possible, block outbound ports that you know you won't be using.<\/span><\/b><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Network firewalls, when combined with PC firewalls, offer a very secure layer of protection for your network.<\/span><\/p>\n<h3><b>PC Software<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">All of your PCs should be running protection software. The Windows operating system offers a few different options, including Windows Firewall and Windows Defender. Network administrators can add an extra layer of security by using centrally-managed third-party protection software. 
These software packages can be managed from a central server, maintaining system updates and other aspects.<\/span><\/p>\n<h3><b>When to Forbid Outbound Access<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">On the occasions in which devices on your network fail security protocols, steps should be taken to secure your network. The most effective way to do this is to deny these devices outbound access. Following are a few situations in which this is effective.<\/span><\/p>\n<ul>\n<li><b>Devices using unfamiliar DNS servers. <span style=\"font-weight: 400;\">A list of allowed DNS servers should be kept within your internet gateway. Devices that aren't using these DNS servers should be denied outbound access. Compromised DNS servers could cause a security risk by diverting traffic to risky websites, rather than intended destinations.<\/span><\/b><\/li>\n<li><b>Devices using protection software that has gone out-of-date. <span style=\"font-weight: 400;\">Threats on the internet change a lot. There are new vulnerabilities being discovered daily. Because of this, your devices should check for updates and new virus definitions daily. Overlooking these updates can create a security hole in your network.<\/span><\/b><\/li>\n<li><b>Devices running insecure operating systems. <span style=\"font-weight: 400;\">Security updates to your operating system are crucial. PCs should be forced to stick to up-to-date, actively supported operating systems and be current with security updates.\u00a0<\/span><\/b><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Once security issues have been resolved, these devices can once again be allowed outbound access. If these issues were caused by user error, it's good practice to explain the situation to the user and let them know how to prevent it from happening again.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Conclusion<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Network security cannot be taken lightly. 
Any security issues that occur could affect your entire business. There are a few network security best practices to follow.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Be sure to take your building\u2019s physical security seriously and only allow access to those who need it. Make sure every user is forced to use a password to log in for access, and follow general access rules. Finally, be sure to secure your network with firewalls and security software.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to network security, you must treat your network in the same fashion as you handle your business as a whole. In most cases, businesses don&#8217;t allow the general public to navigate every corner of their buildings. Instead, they designate certain areas for customers to use. Similarly, whether it&#8217;s by a key card, [&hellip;]<\/p>\n","protected":false},"author":75,"featured_media":44381,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[889,878],"tags":[919],"class_list":["post-35443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-msp-business-guides","category-msp-university","tag-guide-to-network-design"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/35443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/75"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=35443"}],"version-history":[{"count":0,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/35443\/revisions"}],"wp:featuredmedia"
:[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/44381"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=35443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=35443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=35443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}