Implementing Network Security


By: Paul Reissner

Network Security Implementation

Wondering how to implement network security for your business? In a previous article about IT perimeter defense security, we outlined the importance of keeping bad actors outside of your network, while touching on the fact that not all bad actors reside outside of your organization’s walls. In another fantastic article about insider threats, we discussed how internal risks are a concern to all organizations. Often overlooked is the security of the backbone to your organization: The Network.

External Network Security Threats

You likely have one or more of these technical solutions in place to help notify you, or act against, common threats from the outside:

  • Web Content Filtering
  • Spam and Malicious Email Filtering
  • Data Loss Prevention (DLP)
  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)

For many small to medium businesses these features are incorporated into appliances or other platforms: Microsoft Office 365 can be leveraged to provide your organization with both Email Filtering and DLP, and your Unified Threat Management (UTM) Firewall can be leveraged to provide IDS, IPS, and Content Filtering. While these technologies help prevent perimeter threats, they rarely have any impact on the inside of your network. So what tools can small to medium businesses use to protect their sensitive data within the confines of their local network? Can any of the equipment or systems already in place be leveraged to provide this network security implementation functionality?

Network Segmentation 

Often “The Network” is seen as an abstract, ethereal being (after all, it’s often represented as a cloud on network diagrams). However, “The Network” is no more abstract than “The Office”. You likely already track visitors, have secure areas that not all employees are permitted to enter, and may even use RFID badges for access. If so, you are effectively segmenting your office. Now, let’s discuss how to implement network security further using segmentation.

Data Classification

At a high level, your network can be segmented by data classification (restricting access based on a need to know) or by role/function (restricting access based on the device, person, or organizational unit). For many small to medium businesses, it can be burdensome to classify all data residing on the network because, frankly, it can be difficult to simply identify all of your data (for example: do you know what kind of data is stored on each employee’s workstation?). Because of this, I’ll focus on segmenting a typical small to medium business network based on role. The challenges and intricacies of data classification warrant another series of articles, and classification is a prerequisite to segmenting your network by classification.

At a minimum, the average small to medium business should have a breakdown similar to this:

  • Guest Wireless
  • Corporate Wireless
  • Servers
  • Workstations
  • Voice and/or Internet of Things (IoT) Devices
  • Device Management

Guest Wireless

Likely, you are already segmenting your Guest Wireless network from your servers; after all, third parties should never be able to communicate with your servers without supervision. However, corporate wireless devices are often treated the same as wired devices. While this makes it easy for you to use your laptop wirelessly in a conference room, it also makes it easy for an employee to connect their smartphone (which likely isn’t fully patched and may contain malicious applications) to the network they know. Similarly, your Servers and Workstations have different network access requirements, your employees

Voice and IoT Devices

Often overlooked when planning network segmentation are Voice and IoT devices. In today’s information age we often fail to recognize that the phone on your desk, your security cameras, and even that smart speaker are fundamentally no different from the device you’re using to read this article. Each of these devices runs its own operating system, complete with its own applications and security vulnerabilities. Because these devices are often neglected when applying updates (and manufacturers tend to take much longer to address security vulnerabilities in them), it is crucial to ensure that they are not permitted to communicate with sensitive systems that are not required for their functionality.

Servers and Network Equipment

Lastly, your servers and network equipment likely have dedicated connections that allow IT administrators to securely configure and manage them. While these devices may suffer from the same risks as Voice and IoT devices, it is also important to make every effort to allow only authorized parties to access these management services. This can be as simple as instructing the firewall to allow administrative connections only from dedicated computers, but it is often more effective to create a dedicated network used only for the management of systems.

How to Segment Your Network

Now that you know more about how to implement network security, how do you separate these networks? Operating six unique networks must surely require six times the equipment and significantly multiply the complexity of the server rack, right? Most small to medium businesses likely already have the necessary equipment to facilitate network segmentation and are already leveraging a similar technology: virtualization.

Virtualization

Virtual Local Area Networks (VLANs) are logically separate networks that operate on the same physical hardware, in much the same way that server virtualization using VMware ESXi or Microsoft Hyper-V logically separates operating systems and servers on the same physical hardware. This is what allows guests to use your existing wireless infrastructure securely, as previously mentioned. Using VLANs you can provide additional barriers between resources within the organization, crucially restrict access between these networks, and provide additional data for any Security Monitoring solution. At a high level, you assign VLANs to physical connections (and a connection can carry multiple VLANs); each connection corresponds to a network port on the wall and thus to the device plugged into it.

For network segmentation management, you may opt to restrict access in the following manner:

  • Permit your Workstations to communicate with the Server VLAN but not with other Workstations or the Wireless VLANs
  • Deny your Voice/IoT VLANs communication with your Workstations, Wireless Devices, and possibly even Servers
  • Only permit specific Workstations or Servers to communicate with the Management Network
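As an added example (not code from the original article), the three rules above can be encoded as an explicit allow list with a default deny and expanded into an ordered inter-VLAN ACL; the VLAN names follow the list in this article, while the subnets, the admin host address and the ACL syntax are constructed for illustration and must be adapted to your own router or UTM firewall.

```powershell
# Added example: inter-VLAN policy as data, expanded to an ordered ACL.
# Subnets, admin host and ACL syntax are constructed placeholders.
$Vlans = [ordered]@{
    'Guest-Wireless'     = '10.10.0.0/24'
    'Corporate-Wireless' = '10.20.0.0/24'
    'Servers'            = '10.30.0.0/24'
    'Workstations'       = '10.40.0.0/24'
    'Voice-IoT'          = '10.50.0.0/24'
    'Management'         = '10.99.0.0/24'
}
# VLAN-to-VLAN flows that are allowed; every pair not listed is denied.
$AllowedFlows = @(
    @{ Src = 'Workstations';       Dst = 'Servers' }
    @{ Src = 'Corporate-Wireless'; Dst = 'Servers' }
)
# Only specific hosts, never whole VLANs, may reach the Management network.
$ManagementAdmins = @('10.40.0.10')   # constructed: a dedicated IT workstation

function Test-InterVlanFlow {
    param([string]$Src, [string]$Dst)
    if ($Src -eq $Dst) { return $true }   # same VLAN: the router never sees it
    foreach ($f in $AllowedFlows) {
        if ($f.Src -eq $Src -and $f.Dst -eq $Dst) { return $true }
    }
    return $false                          # default deny
}

function New-InterVlanAcl {
    $acl = [System.Collections.Generic.List[string]]::new()
    # Most specific rules first: individual admin hosts to Management.
    foreach ($h in $ManagementAdmins) {
        $acl.Add("permit ip host $h $($Vlans['Management'])")
    }
    # Then the VLAN-wide allows from the policy.
    foreach ($f in $AllowedFlows) {
        $acl.Add("permit ip $($Vlans[$f.Src]) $($Vlans[$f.Dst])")
    }
    # Finally an explicit deny for every remaining pair, so the default deny
    # is visible (and can be logged) rather than implied.
    foreach ($src in $Vlans.Keys) {
        foreach ($dst in $Vlans.Keys) {
            if (-not (Test-InterVlanFlow $src $dst)) {
                $acl.Add("deny   ip $($Vlans[$src]) $($Vlans[$dst])")
            }
        }
    }
    return $acl
}

New-InterVlanAcl
```

The "not with other Workstations" part of the first rule is intra-VLAN traffic that an inter-VLAN ACL cannot express; it needs port isolation (a private VLAN or client-isolation feature) on the switch or access point. Reply traffic for the permitted flows is assumed to be handled statefully by the firewall.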

Layered Network Defense

Network Access Restriction

Just because someone can physically enter your building doesn’t mean that you allow them to enter every room. However, without proper network security implementation, physical (or remote) access to your network may allow a bad actor to gain access to your entire network, including your most sensitive information. This is why you already require employees to sign in to their computers. Thankfully, by implementing some built-in features of Microsoft Windows Server, most small to medium businesses can effectively provide an additional level of authorization that greatly reduces this threat while remaining largely transparent to your employees.

RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a protocol that can be applied to your wireless network to replace a pre-shared key (PSK) with the username and password that you already use to log in to your computer. Most business-grade wireless access points, such as Meraki, Dell Ruckus, or Ubiquiti, support RADIUS out of the box and have done so for years.

802.1x

802.1X is a networking standard for Network Access Control that can be configured to apply the same benefits of RADIUS, as described above, to your wired devices. Only devices that have authenticated against the RADIUS server are granted access to the network; all other devices are not allowed to communicate.

Both of these technologies rely on a feature that is built into the Microsoft Windows Server you likely already have in your environment; it’s simply a matter of leveraging your existing resources.

Software Firewalls

Most operating systems (including Microsoft Windows Server and Windows 10) ship with a software firewall; this application acts much as the hardware UTM Firewall you already have in place between the internet and your internal network does. While this application is very powerful, it is an often overlooked component of your overall network security toolset. Many organizations opt to simply disable this feature instead of dedicating the time needed to fully configure the firewall for the needs of the devices on the network, potentially degrading the overall security of the systems and networks within the organization.
The built-in Windows Firewall can be configured to allow access to sensitive resources (such as a database server) only from “known-good” devices (for example, your Servers and necessary Workstations) and to prevent non-essential services from being accessed over the network.

Configuring a firewall during network security implementation requires a level of effort to identify the resources that are running on each device, as well as the business units that require access to these resources. However, by only allowing the minimum amount of access required, you can reduce the potential for inappropriate or malicious access to your systems.
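The following is an added example (not from the original article) of applying this on a database server with the built-in Windows Firewall cmdlets: default inbound block, the database port allowed only from the Servers VLAN and the workstations that need it, remote administration only from the management network, and an explicit block for a non-essential service; the addresses, port numbers and rule names are constructed placeholders.

```powershell
# Added example: scope inbound access on a database server to known-good
# sources with the built-in Windows Firewall. Addresses are constructed.
$ServerSubnet     = '10.30.0.0/24'                 # Servers VLAN
$DbClients        = @('10.40.0.21', '10.40.0.22')  # workstations that need the database
$ManagementSubnet = '10.99.0.0/24'                 # dedicated management network

# 1. Keep the firewall enabled on every profile and block unsolicited inbound
#    traffic by default; the allow rules below are the only exceptions.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Database port (TCP 1433 used as the example) only from the Servers VLAN
#    and the listed workstations; other hosts cannot even complete a handshake.
New-NetFirewallRule -DisplayName 'DB - known-good sources only' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress (@($ServerSubnet) + $DbClients) `
    -Action Allow -Profile Domain

# 3. Remote administration (RDP, WinRM) only from the management network.
New-NetFirewallRule -DisplayName 'Admin - management network only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389,5985,5986 -RemoteAddress $ManagementSubnet `
    -Action Allow -Profile Domain

# 4. Non-essential service (SMB file sharing here) blocked explicitly; a block
#    rule takes precedence over any allow rule, including the built-in ones.
New-NetFirewallRule -DisplayName 'Block SMB from the network' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Block

# 5. Verify: every active inbound allow rule with its port and remote scope,
#    so an unscoped ('Any') rule stands out during review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        $addrs = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; LocalPort = $ports; RemoteAddress = $addrs }
    } | Format-Table -AutoSize
```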

Organizational Unit-Based Segmentation

The methods described above do not explicitly require the use of network segmentation and can be implemented without segmentation in place while still providing an increase in security. They can also be used in concert with segmentation to improve efficacy. If you already have some level of network segmentation, you may opt to additionally segment your VLANs based on department or organizational unit; this can be an effective middle ground between “role-based” and “classification-based” network segmentation.

An example of this would be to provide a separate VLAN for your most critical group, for example, your finance department, and implement software firewalls to effectively isolate this group from the rest of the network. This method of network security implementation has the potential to protect these sensitive workstations from various types of threats, including ransomware – if your receptionist opens a malicious file that contains a ransomware payload, proper segmentation may protect the finance department if your endpoint security were to fail.

Memorialization into Policy

As mentioned, defense in depth requires the use of Physical, Technical, and Administrative controls in concert to create an effective security program. As you implement new controls, such as 802.1X, to lock unauthorized users out of open network ports, you should be sure to update or create corresponding corporate policies that identify the new control, detail how it should be used (for example, non-employees are not permitted to have physical access to the LAN without clearance by the IT department), and detail the potential repercussions for a failure to comply with the policy (generally a dedicated sanction policy).
It is important to understand that policies must be developed based on your organization’s goals and needs. There is no “shortcut” or “template” that can provide meaningful administrative control for your organization. 

Network security implementation can be a complex but highly effective tool: it protects you from insider threats and also provides another layer of defense to complement your endpoint security. As the bridge between your users and your sensitive data, securing the Network is essential to securing your data. While it can require some effort and planning to implement properly, it is not out of reach for any organization.
