8 ways to improve wired network security

We sometimes focus more on the wireless side of the network when it comes to security because Wi-Fi has no physical fences. After all, a war-driver can detect your SSID and launch an attack while sitting out in the parking lot.

But in a world of insider threats, targeted attacks from outside, as well as hackers who use social engineering to gain physical access to corporate networks, the security of the wired portion of the network should also be top of mind.

So, here are some basic security precautions you can take for the wired side of the network, whether you're a small business or a large enterprise.

1. Perform auditing and mapping

If you haven't done so recently, audit and map your network. Keep a clear picture of the entire infrastructure: the vendor, model, location and basic configuration of every firewall, router, switch, Ethernet cable run and port, and wireless access point. Also know exactly which servers, computers, printers and other devices are connected, where they plug in, and the path their traffic takes through the network.

During the audit and mapping you may find specific security weaknesses, or ways to improve security, performance and reliability: perhaps an incorrectly configured firewall, perhaps a physical security gap such as an unsecured wiring closet.

If you're working with a small network with just a few network components and a dozen or fewer workstations, you can perform the audit manually and draw the map on a sheet of paper. For larger networks, auditing and mapping programs are useful: they scan the network and produce a network map or diagram you can then correct and annotate.

2. Keep the network up-to-date

Once you have a basic network audit and map complete, dig deeper. Check for firmware or software updates on every network infrastructure component. Log in to each component to confirm that default passwords have been changed, review the settings for insecure configuration, and look into any security features you aren't yet using.


Next, take a look at all the computers and devices connected to the network. Ensure the basics are taken care of: OS and driver updates applied, personal firewalls active, antivirus running and updated, and passwords set.

3. Physically secure the network

Although often overlooked or minimized, the physical security of the network can be just as crucial as your Internet-facing firewall. Just as you need to protect against remote attackers, bots and malware, you need to protect against local threats, too.

Without strong physical security of your building and network, a nearby attacker or even an employee could take advantage of it. For instance, they could plug a wireless router into an open Ethernet port, giving themselves and anyone else nearby wireless access to your network. If that port had been out of sight, or better yet disconnected, that couldn't have happened.

Ensure you have a good building security plan in place to keep outsiders from entering. Then make sure all wiring closets and other places where network infrastructure components sit are physically secured from both the public and employees. Use door and cabinet locks. Verify that Ethernet cabling is run out of sight and isn't easily accessible; the same goes for wireless access points. Disconnect unused Ethernet ports, either physically or by administratively shutting them down in the switch or router configuration, especially those in public areas of the building.

4. Consider MAC address filtering

One major security issue on the wired side of the network is the lack of a quick and easy authentication or encryption method; anyone can just plug in and use the network. On the wireless side you at least have WPA2-Personal (PSK), which is easy to deploy.

MAC address filtering can be bypassed by anyone who cares to: a MAC address is trivially changed in software, so a device can simply present an address that is on the approved list. Still, it can serve as a first layer of security. It won't stop a determined attacker, but it can keep an employee from opening a serious hole, such as letting a guest plug into the private network, and it gives you more control over which devices are on the network. Don't let it give you a false sense of security, and be prepared to keep the approved MAC address list up to date.
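As an added example (not code from the article or its author), here is a small Python script that does the inventory check the auditing advice in section 1 implies and the list maintenance this section warns about: it parses a switch MAC address table, compares every learned address against an approved-device list, and also flags a MAC that shows up on two ports in the same VLAN, which on a switch usually means a loop, a rogue bridge or someone spoofing an approved address. The table contents, the approved list and the column layout are constructed; adapt the row pattern to what your switches actually print.

```python
"""Audit a switch's MAC address table against an approved-device list.

Added example for this article, not the author's code. The table below is
constructed in the common "VLAN / MAC / type / port" layout; real output
differs by vendor, so adapt the ROW pattern to what your switches print.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample table (not captured from a real switch).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  20    00aa.bbcc.dde0    DYNAMIC     Gi1/0/7
  20    00aa.bbcc.dde0    DYNAMIC     Gi1/0/9
  30    dead.beef.1234    DYNAMIC     Gi1/0/12
"""

# Approved list as an inventory might record it; mixed notations are fine.
APPROVED_MACS = ["00:11:22:33:44:55", "00-11-22-33-44-56", "00AA.BBCC.DDE0"]

NON_HEX = re.compile(r"[^0-9a-f]")
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+\S+\s+(\S+)\s*$")


def normalize_mac(raw: str) -> str:
    """Canonicalise any common notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = NON_HEX.sub("", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> List[Tuple[int, str, str]]:
    """Return (vlan, mac, port) for each data row; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            vlan, mac, port = match.groups()
            entries.append((int(vlan), normalize_mac(mac), port))
    return entries


def audit_mac_table(entries, approved) -> Dict[str, object]:
    """Flag addresses not on the approved list, and any MAC learned on more
    than one port in the same VLAN (spoofing, a loop or a rogue bridge)."""
    approved_set = {normalize_mac(m) for m in approved}
    ports_seen = defaultdict(set)
    for vlan, mac, port in entries:
        ports_seen[(vlan, mac)].add(port)
    unknown = [(vlan, mac, port) for vlan, mac, port in entries
               if mac not in approved_set]
    duplicates = {key: sorted(ports) for key, ports in ports_seen.items()
                  if len(ports) > 1}
    return {"unknown": unknown, "duplicates": duplicates}


def audit_report(text: str = SAMPLE_MAC_TABLE, approved=APPROVED_MACS) -> Dict[str, object]:
    """Parse and audit in one step; defaults to the constructed sample."""
    return audit_mac_table(parse_mac_table(text), approved)


if __name__ == "__main__":
    result = audit_report()
    for vlan, mac, port in result["unknown"]:
        print(f"UNKNOWN   vlan {vlan:<4} {mac}  on {port}")
    for (vlan, mac), ports in result["duplicates"].items():
        print(f"DUPLICATE vlan {vlan:<4} {mac}  on {', '.join(ports)}")
```

Run it against the real table from each switch on a schedule and diff the output: a new "UNKNOWN" line is a device that bypassed your inventory process, and a "DUPLICATE" line is worth a walk to the port before you add anything to the approved list.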

5. Implement VLANs to segregate traffic

If you're working with a smaller network that hasn't yet been segmented into virtual LANs, consider making the change. You can utilize VLANs to group Ethernet ports, wireless access points, and users among multiple virtual networks.

Perhaps use VLANs to separate the network by traffic type (general access, VoIP, SAN, DMZ) for performance or design reasons, and/or by user type (employees, management, guests) for security reasons. VLANs are especially useful when configured for dynamic assignment: you could plug your laptop in anywhere on the network, or connect via Wi-Fi, and automatically land on your assigned VLAN. This can be done with MAC-based VLAN assignment, or, more securely, with 802.1X authentication, where the authentication server tells the switch which VLAN the port should join.

To use VLANs, your router and switches must support them: look for IEEE 802.1Q in the product specs. For wireless access points, you'll likely want ones that support both VLAN tagging and multiple SSIDs, so that each virtual WLAN can be mapped to a particular VLAN.
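To make "802.1Q support" concrete, here is an added Python example (not from the article or its author) that builds and parses tagged Ethernet frames. It shows where the 4-byte tag sits, how the 12-bit VLAN ID and 3-bit priority are packed into it, and what an access port does when it strips the tag before handing a frame to a host. The MAC addresses and payload are constructed.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames.

Added example for this article, not the author's code. The MAC addresses
and payload below are constructed.
"""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800
MIN_VID, MAX_VID = 1, 4094   # 0 = priority-tagged only, 4095 = reserved


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst(6) | src(6) | EtherType(2) | payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: bool = False) -> bytes:
    """Insert TPID + TCI between the source MAC and the original EtherType.

    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    """
    if not MIN_VID <= vid <= MAX_VID:
        raise ValueError(f"VLAN ID {vid} out of range {MIN_VID}-{MAX_VID}")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit priority")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (pcp << 13) | (int(dei) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the header; 'vid' and 'pcp' are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid: Optional[int] = None
    pcp: Optional[int] = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame: bytes) -> bytes:
    """What an access port does on egress: deliver the frame untagged."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: a broadcast IPv4 frame, then tagged into VLAN 20 with priority 5.
SAMPLE_UNTAGGED = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"),
                              ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
SAMPLE_TAGGED = tag_frame(SAMPLE_UNTAGGED, vid=20, pcp=5)
```

The practical point: a tag is just four bytes any host can write, so VLAN membership is enforced by the switch port configuration (access ports ignore or drop foreign tags; trunk ports only to other switches), not by anything the end device sends.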

6. Use 802.1X for authentication

Authentication and encryption on the wired side of the network are often ignored because of the complexity involved. It's IT common sense to encrypt wireless connections, but don't forget or ignore the wired side: a local attacker can plug into your network with nothing stopping them from sending or receiving traffic.

Deploying 802.1X authentication doesn't encrypt the Ethernet traffic itself, but it does stop a device from sending on the network or reaching any resources until it has presented valid credentials. You can use the same authentication infrastructure on the wireless side to implement WPA2-Enterprise with AES encryption, which has many benefits over WPA2-Personal (PSK), not least that each user has individual credentials that can be revoked without rekeying everyone.

Another great benefit of 802.1X authentication is the ability to dynamically assign users to VLANs.

To deploy 802.1X authentication you first need a Remote Authentication Dial-In User Service (RADIUS) server, which checks credentials against a user database (often Active Directory), returns the accept or reject decision to the switch or access point, and can attach attributes such as the VLAN to assign. If you have a Windows Server you already have a RADIUS server: the Network Policy Server (NPS) role in Windows Server 2008 and later, or the Internet Authentication Service (IAS) in Windows Server 2003 and earlier. If you don't have a Windows server, consider a standalone RADIUS server.
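To show what actually travels between the switch and the RADIUS server, and how the dynamic VLAN assignment mentioned in the VLAN section is carried, here is an added Python example (not from the article or its author). It builds an Access-Request as the switch would, answers it with an Access-Accept that carries the three RFC 2868 tunnel attributes a switch uses to pick a VLAN, and verifies the reply the way the switch must: by recomputing the Response Authenticator with the shared secret. The user name "alice", the secret "switch-secret" and the fixed request authenticator are constructed values. A real 802.1X exchange also carries EAP-Message and Message-Authenticator attributes over several round trips; this example keeps only the part that conveys the VLAN.

```python
"""RADIUS Access-Request / Access-Accept carrying a dynamic VLAN assignment
(RFC 2865 framing, RFC 2868 tunnel attributes, RFC 3580 VLAN values).

Added example for this article, not the author's code. The user name,
shared secret and request authenticator used in demo() are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868


def attribute(atype: int, value: bytes) -> bytes:
    """Type | Length | Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_integer(value: int, tag: int) -> bytes:
    """Tunnel integer attribute: one tag byte followed by a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_assignment(vid: int, tag: int = 0) -> bytes:
    """The three attributes a switch needs to put the port in VLAN `vid`."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag out of range")
    return (attribute(TUNNEL_TYPE, tagged_integer(TUNNEL_TYPE_VLAN, tag))
            + attribute(TUNNEL_MEDIUM_TYPE, tagged_integer(TUNNEL_MEDIUM_IEEE_802, tag))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vid).encode()))


def build_access_request(ident: int, username: bytes,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Switch (NAS) -> RADIUS. The 16-byte Request Authenticator must be fresh."""
    auth = request_authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, username)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_access_accept(request: bytes, secret: bytes, attrs: bytes) -> bytes:
    """RADIUS -> switch. Response Authenticator =
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Switch side: accept only a reply bound to our request and our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def assigned_vlan(response: bytes) -> Optional[int]:
    """VLAN the switch should apply, or None unless all three tunnel
    attributes are present, share one tag, and describe an 802 VLAN."""
    ttype = tmedium = group = None
    for atype, value in parse_attributes(response[20:]):
        if atype == TUNNEL_TYPE and len(value) == 4:
            ttype = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tmedium = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag.
            group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
    if not (ttype and tmedium and group) or not (ttype[0] == tmedium[0] == group[0]):
        return None
    if ttype[1] != TUNNEL_TYPE_VLAN or tmedium[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    if not group[1].isdigit():
        return None
    vid = int(group[1])
    return vid if 1 <= vid <= 4094 else None


def demo() -> Optional[int]:
    """Whole exchange for constructed user 'alice', who belongs in VLAN 20."""
    secret = b"switch-secret"                                       # constructed
    request = build_access_request(0x2A, b"alice", b"\x11" * 16)   # constructed authenticator
    accept = build_access_accept(request, secret, vlan_assignment(20))
    return assigned_vlan(accept) if verify_response(request, accept, secret) else None
```

Two things worth noticing. The VLAN ID is sent as a plain string in Tunnel-Private-Group-ID, so the only thing keeping an on-path attacker from rewriting "20" to "99" is the Response Authenticator, which is why the switch must check it, why the shared secret must be long and unique per switch, and why modern deployments wrap RADIUS in TLS or IPsec. And the switch should ignore a VLAN assignment unless all three attributes agree; a half-formed set is a misconfiguration, not a policy.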

For more about 802.1X authentication, check out two of my previous articles: 6 secrets to a successful 802.1X rollout and 8 no cost/low cost tools for deploying 802.1X security.

7. Use VPNs to encrypt select PCs or servers

If you really want to secure network traffic, consider encryption. Remember that even with VLANs and 802.1X authentication, someone already admitted to the network can eavesdrop on it: on a switched VLAN, broadcast traffic is visible to every port, and techniques such as ARP spoofing can redirect other hosts' unicast traffic through an attacker's machine, exposing unencrypted passwords, emails and documents.

Although you can encrypt all traffic, first analyze your network. It may make more sense to encrypt only the communications you deem most sensitive that aren't already protected, for example by TLS/HTTPS. You can pass that traffic through a standard VPN client, used only during the sensitive session or forced on all the time.

8. Encrypt the entire network

You can also encrypt an entire network. One option is IPsec, which Windows supports natively on both servers and clients through connection security rules, so a Windows Server can require IPsec from the machines that talk to it. However, the encryption can be a significant overhead burden; effective throughput can drop dramatically, particularly on hardware without cryptographic acceleration. There are also network encryption solutions from networking vendors, proprietary or based on the IEEE 802.1AE (MACsec) standard, many of which operate at Layer 2 instead of Layer 3 like IPsec to reduce latency and overhead.

Eric Geier is a freelance tech writer; keep up with his writings on Facebook or Twitter. He's also the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, a tech support company.
