Happy Halloween to All!
This month's topic is about what techniques are available to harden or
secure your network perimeter.
We are all aware of how today's Internet-based threats can affect our
day-to-day lives. They can arrive and you have no defense for them. Fortunately,
there are some basic, common sense steps you can take to harden your network
and provide layers of security. You may not know exactly what the threat is,
but you can certainly deploy some proactive steps like these that might
stop such a problem right in its tracks.
Network Access Control
One of the easiest ways for malicious software or Internet users to access
your network is not through holes in your firewall, brute-force password
attacks or anything else that might occur on your network. It is through
your remote, mobile users when they try to connect to your business network
while on the road or through kiosks. Neither of these categories of machines
is subject to your stringent security policies, and that is a major problem.
Internet Protocol Security (IPsec)
IPsec encapsulates communications in a layer of encryption that is difficult
to break, but it also allows you to restrict communications to and from
certain machines based on whether their machine certificates are signed and
valid. By doing this, even if an exploit was introduced into your network,
the machines restricted by IPsec would simply ignore it. Using IPsec in this
way also forms the basis for using network access control.
Virtual LANs (VLANs)
VLANs are essentially multiple logical boundaries created within one physical
network. VLANs are an easy way to divide critical areas of your network from
others. For instance, you could have one VLAN for servers and another for
client machines, or you could segregate machines based on department, or any
other scheme you choose. Creating a VLAN in and of itself doesn't necessarily
create a layer of protection, but it forms the basis for any number of other
hardening techniques, and it provides a way to limit the scope of security
procedures to only the most critical areas of a network.
Intrusion Detection/Prevention System (IDS/IPS)
Intrusion detection/prevention systems often use heuristics that can detect
malicious activity on your network before an actual definition is created by
anti-virus and anti-malware vendors. IDS/IPS systems also provide a solid
foundation for forensic analysis in case you care to examine how an exploit
entered your network or penetrated your network defenses.
Wireless Access Point Encryption
Simply using media access control (MAC) filtering and not broadcasting your
service set identifier (SSID) are methods that just do not cut it anymore
in a corporate setting. WEP has been cracked numerous times and even the
ankle biters will have no trouble gaining access to your wireless network
protected only by WEP. Look into WPA2 to really filter out the bad guys.
Stateful Firewall & Perimeter Defense
This almost goes without saying (which is why I put it at the end of my
list), but perimeter defense is the first, best and most effective way
to protect against zero-day exploits in a variety of forms. To help prevent
your network from being a vector of delivery for a nasty vulnerability,
deploy a firewall immediately. Better yet, deploy a security appliance and
perform regular audits of that firewall if you aren't doing audits already.
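As an added illustration of the regular firewall audit recommended above (not part of the original newsletter), this Python example checks a ruleset for a default-deny policy, a connection-tracking rule and any-to-any ACCEPT rules. It assumes a Linux netfilter firewall exported with iptables-save; the sample ruleset and the function names are constructed for the example.

```python
import shlex

# Constructed sample in iptables-save format (assumption: a Linux netfilter firewall).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

NARROWING = {"-s", "-d", "-p", "-i", "-o", "-m"}   # options that restrict a rule's match
CHECKED_CHAINS = ("INPUT", "FORWARD")               # chains that face the perimeter

def is_unrestricted(tokens):
    """True when no option narrows the match (an any-to-any rule)."""
    for i, tok in enumerate(tokens):
        if tok in ("-s", "-d") and tokens[i + 1:i + 2] == ["0.0.0.0/0"]:
            continue                                # "any" address narrows nothing
        if tok in NARROWING:
            return False
    return True

def audit(ruleset):
    """Return (chain, finding) tuples for the filter table of an iptables-save dump."""
    policies, stateful, findings, in_filter = {}, set(), [], False
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            policies.update([line[1:].split()[:2]])  # ":INPUT ACCEPT [0:0]" -> INPUT: ACCEPT
        elif in_filter and line.startswith("-A "):
            tokens = shlex.split(line)
            chain, rest = tokens[1], tokens[2:]
            accepts = rest[-2:] == ["-j", "ACCEPT"]
            states = [rest[i + 1] for i, t in enumerate(rest[:-1]) if t in ("--ctstate", "--state")]
            if accepts and any("ESTABLISHED" in s.split(",") for s in states):
                stateful.add(chain)                 # chain tracks connection state
            elif accepts and chain in CHECKED_CHAINS and is_unrestricted(rest):
                findings.append((chain, "any-to-any ACCEPT: " + line))
    for chain in CHECKED_CHAINS:
        if policies.get(chain) != "DROP":
            findings.append((chain, "default policy is not DROP"))
        if chain not in stateful:
            findings.append((chain, "no ESTABLISHED connection-tracking rule"))
    return findings
```

Running audit(SAMPLE_RULESET) reports three findings, all on the INPUT chain; the FORWARD chain in the sample passes every check.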
There you have it. To better protect your electronic assets, you must
approach this from a layered perspective or the principle of least privilege.
To respond to this or previous newsletters or to inquire about an on-site
presentation, please feel free to call us at 508-995-4933 or email us at
We Manage Risk, So You Can Manage Your Business
© 2009-11-07 Michael Desrosiers