As the frequency of cybercrime has increased, there has been a corresponding increase in the demand for information security. Most businesses have a wealth of information within their networks that they need to protect from competitors or cybercriminals. Whether you’re setting up a small or home office on your own, or thinking about best practices to harden a network that is already established, the basic ideas described below can help ensure that your data and equipment stay reliable and accessible to your organization (and only your organization).
Securing the Network Itself
Your first steps in designing your network from a security standpoint (or planning changes) should be to look at the basic physical and logical configuration. If you are using a wireless network, make sure it is using some form of encryption to prevent unauthorized users from being able to read the traffic on your network. The currently accepted best option is Wi-Fi Protected Access 2 (WPA2), as opposed to the more easily cracked Wired Equivalent Privacy (WEP) standard. Small businesses can use WPA2 Personal (despite its name) to secure their wireless networks. Larger organizations with the resources to set up a separate authentication server can receive additional security benefits from WPA2 Enterprise. Wireless access points can also be configured not to broadcast their SSIDs (the names of their networks), so that anyone attempting to connect would need to know the name of the network ahead of time.
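The wireless settings above can be checked mechanically. The following is an added example (not code from the original article) that parses a hostapd-style access-point configuration and flags the weak choices the text warns against: WEP keys, WPA1-only or mixed WPA1/WPA2 mode, the TKIP cipher, and a short WPA2-Personal passphrase. The option names (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wpa_passphrase`, `wep_key0`, `ignore_broadcast_ssid`) are real hostapd keys; the two configuration texts and their values are constructed for the example.

```python
"""Audit a hostapd-style AP configuration for weak wireless settings.

Added example: the option names are genuine hostapd keys, but both config
texts below are constructed samples, not a real deployment.
"""

WEAK_AP_CONFIG = """\
interface=wlan0
ssid=ShopFloor
# no wpa= line, so the network is open or WEP-only
wep_key0=0123456789
"""

HARDENED_AP_CONFIG = """\
interface=wlan0
ssid=ShopFloor
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2019
ignore_broadcast_ssid=1
"""


def parse_hostapd(text):
    """Parse key=value lines; comments and blank lines are skipped, later keys win."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(text):
    """Return a list of human-readable findings; an empty list means nothing weak was found."""
    cfg = parse_hostapd(text)
    findings = []
    # hostapd's wpa= is a bitfield: 1 = WPA, 2 = WPA2 (RSN), 3 = both, 0/absent = none
    wpa = cfg.get("wpa", "0")

    if any(k.startswith("wep_key") for k in cfg):
        findings.append("WEP key configured: WEP is trivially broken, use WPA2")
    if wpa == "0":
        findings.append("wpa=0 or missing: network is open (or WEP only)")
    elif wpa == "1":
        findings.append("wpa=1: WPA1 only; set wpa=2 for WPA2")
    elif wpa == "3":
        findings.append("wpa=3: WPA1 still allowed alongside WPA2 (mixed mode)")

    ciphers = (cfg.get("rsn_pairwise", "") + " " + cfg.get("wpa_pairwise", "")).upper()
    if "TKIP" in ciphers:
        findings.append("TKIP cipher allowed: restrict pairwise ciphers to CCMP (AES)")

    # Policy threshold (an assumption of this example): WPA2-Personal passphrases
    # shorter than 16 characters are flagged because the PSK can be guessed offline.
    if wpa == "2" and cfg.get("wpa_key_mgmt", "") == "WPA-PSK" \
            and len(cfg.get("wpa_passphrase", "")) < 16:
        findings.append("short WPA2-Personal passphrase: offline guessing is feasible")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_AP_CONFIG), ("hardened", HARDENED_AP_CONFIG)):
        print(label, audit_hostapd(text) or "no findings")
```

The hardened sample sets `ignore_broadcast_ssid=1` to match the SSID tip in the text, but the audit does not treat its absence as a finding: hiding the name keeps it out of casual scans, while the encryption settings are what actually protect the traffic.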
Your devices’ Media Access Control (MAC) addresses are unique; they are “burned in” to the network cards, meaning that, unlike your IP address, they do not change when you connect to different networks. These serve as unique identifiers for your devices, and many switches and routers have the ability to direct traffic based on them. For example, if a retail store needed a visible, WPA2-secured wireless network for its point-of-sale terminals, but didn’t want any other devices using that network, it could configure its wireless routers to allow only the point-of-sale terminals’ MAC addresses to connect. An employee workstation would not be able to join the network, even if the employee knew the password. On a wired network, a business-grade switch can shut down a port if an unauthorized MAC address attempts to connect to it.
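Whether the allowlist is enforced on a wireless router or as switch port security, the access point and switch logs are where you see it working. The following added example (not code from the original article) normalizes MAC addresses written in the three common notations (colon, dash, and Cisco dotted-quad) and runs a constructed allowlist over a few constructed syslog-style lines to pick out devices that are not point-of-sale terminals. The addresses and log lines are made up. MAC addresses can be copied by a device under someone else's control, so treat this check as hygiene and visibility rather than as authentication; the WPA2 passphrase (or WPA2 Enterprise credentials) remains the real gate.

```python
"""Flag MAC addresses outside an allowlist in AP/switch log lines.

Added example; the allowlist and log lines are constructed, not real.
"""
import re

# Constructed allowlist of point-of-sale terminal addresses (made up).
POS_ALLOWLIST = {"00:1B:44:11:3A:B7", "00:1B:44:11:3A:B8"}

# Constructed log lines in the style of hostapd and switch port-security syslog.
SAMPLE_LOG = """\
Mar 03 09:12:01 ap1 hostapd: wlan0: STA 00:1b:44:11:3a:b7 IEEE 802.11: associated
Mar 03 09:12:05 ap1 hostapd: wlan0: STA 00-1B-44-11-3A-B8 IEEE 802.11: associated
Mar 03 09:15:40 ap1 hostapd: wlan0: STA 3c:22:fb:9e:01:44 IEEE 802.11: associated
Mar 03 09:16:02 sw1 %PORT_SECURITY: Security violation on Gi0/7, caused by MAC 3c22.fb9e.0144
"""

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, and aabb.ccdd.eeff.
MAC_RE = re.compile(
    r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})\b"
)


def normalize_mac(mac):
    """Canonical form: upper-case, colon separated (AA:BB:CC:DD:EE:FF)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def find_unexpected(log_text, allowlist):
    """Return (mac, line) pairs for every address in the log that is not allowlisted."""
    allowed = {normalize_mac(m) for m in allowlist}
    unexpected = []
    for line in log_text.splitlines():
        for raw in MAC_RE.findall(line):
            mac = normalize_mac(raw)
            if mac not in allowed:
                unexpected.append((mac, line))
    return unexpected


if __name__ == "__main__":
    for mac, line in find_unexpected(SAMPLE_LOG, POS_ALLOWLIST):
        print(f"unexpected device {mac}: {line}")
```

Normalizing before comparison matters: the same rogue device appears once with colons (from the access point) and once in dotted form (from the switch), and a naive string match would miss one of them.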
If your network will be made up of more than just a few devices, take some time to consider how your devices will interact and who will be using them. You may wish to create separate networks or subnets to keep similar devices grouped together, e.g., workstations on one, internal file servers on another, the web server on another, and so on. Routers can then direct the flow of traffic between networks as you see fit. With this strategy, a healthcare provider could keep patient information stored on a separate network from the web server, for example, and the router’s access lists can be configured to discard all external traffic to that network.
Some business-grade routers and switches have firewalls built in, which can prevent unwanted or malicious traffic from entering your network at all. For larger networks, these can also be purchased as standalone pieces of hardware, placed between your ISP connection and the rest of your network.
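Router access lists and firewall rule sets, as described in the two paragraphs above, share one evaluation model: rules are checked in order, the first match decides, and anything that matches nothing is dropped. The following added example (not code from the original article or any vendor) models the healthcare layout from the text with constructed RFC 1918 subnets and evaluates sample packets against an Internet-facing list and an internal list. Note the ordering in the internal list: the broad "workstations may go anywhere" permit sits after an explicit deny toward the patient-data subnet, so only the one application port gets through.

```python
"""First-match ACL evaluation over constructed subnets.

Added example; the subnets, ports and rules are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None means any destination port


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# Constructed networks for the healthcare example (not a real site).
WORKSTATIONS = net("10.10.0.0/24")
PATIENT_DB = net("10.20.0.0/24")     # patient information lives here
WEB_SERVERS = net("10.30.0.0/24")    # public web server
ANY = net("0.0.0.0/0")

# Applied on the ISP-facing interface: only HTTPS to the web tier is allowed in.
EDGE_ACL = [
    Rule("permit", ANY, WEB_SERVERS, 443),
    Rule("deny", ANY, PATIENT_DB),      # explicit so the intent is documented
]

# Applied between internal subnets; order is what makes this work.
INTERNAL_ACL = [
    Rule("permit", WORKSTATIONS, PATIENT_DB, 5432),  # the one application port
    Rule("deny", ANY, PATIENT_DB),                    # everything else to patient data
    Rule("permit", WORKSTATIONS, ANY),                # workstations may reach the rest
]


def evaluate(acl, src, dst, dport):
    """Return 'permit' or 'deny' for a packet; unmatched packets hit the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        (EDGE_ACL, "203.0.113.7", "10.30.0.5", 443),
        (EDGE_ACL, "203.0.113.7", "10.20.0.5", 5432),
        (INTERNAL_ACL, "10.10.0.4", "10.20.0.9", 5432),
        (INTERNAL_ACL, "10.10.0.4", "10.20.0.9", 22),
        (INTERNAL_ACL, "10.30.0.2", "10.20.0.9", 5432),
    ]
    for acl, src, dst, port in samples:
        print(f"{src} -> {dst}:{port} = {evaluate(acl, src, dst, port)}")
```

If the explicit deny in the internal list were moved below the workstation permit, workstations could reach the patient subnet on every port; when you change a list, re-run the sample packets rather than reasoning about the rules in your head.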
Securing the Computers on the Network (and the Data on those Computers)
Your network is made of more than just wires, radio waves, and switching equipment – it’s also the workstations, servers, and mobile devices connected to it. As such, when talking about securing your network, you also need to think about how to secure the devices connected to it. Antivirus, anti-malware, and additional security monitoring software should be used on any business system. If you are a Windows user, you are probably well aware of this by now.
Mac users: please note that you, too, can benefit from using such utilities. Despite the generally lower number of virus and malware threats for your platform, they do exist. Also, even if your Mac is not affected by malicious code in an email you received and forwarded on, Windows users might be, and running antivirus on your Mac adds an extra layer of protection for the other computers in your organization. Furthermore, most antivirus suites these days include firewall and active network threat protection as well, to supplement the firewalls included in your computers’ operating systems.
If your workflow involves sharing files between multiple computers (and, these days, whose doesn’t?), the file permissions on your network shares should be as strict as possible. This means assigning full read/write access only to users who really need it, and either Read-Only or No Access to everyone else. While this can take a while to administer when you have new employees or people moving into different positions, it is worth your while to do this instead of just leaving the door open, so to speak. Even your favorite person in the company could accidentally ruin your day (or week, or month) if they end up in one of your servers’ system folders.
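Strict share permissions drift over time as files are copied in and people change roles, so it helps to audit them rather than trust the original setup. The following added example (not code from the original article) builds a small constructed share layout in a temporary directory, then walks it and reports anything writable by group or by everyone, which is exactly the "door left open" the text warns about. The file names and modes are made up; on a real share you would point `audit_share` at the mounted path. This is POSIX-mode based and does not interpret Windows or NFSv4 ACLs.

```python
"""Audit a directory tree for overly permissive POSIX modes.

Added example; the share layout is constructed in a temp dir, not a real share.
"""
import os
import shutil
import stat
import tempfile


def audit_share(root):
    """Return sorted (relative_path, problem) pairs for entries under root.

    Flags world-writable and group-writable files and directories, and
    setuid/setgid regular files, which should never live on a data share.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful on most systems
            mode = st.st_mode
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    layout = {
        "finance/budget.xlsx": 0o640,   # owner rw, group read: fine
        "public/handbook.pdf": 0o644,   # read-only for everyone else: fine
        "scratch/notes.txt": 0o666,     # world-writable: should be flagged
        "tools/deploy.sh": 0o775,       # group-writable: should be flagged
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("sample\n")
        os.chmod(path, mode)
    for d in ("finance", "public", "scratch", "tools"):
        os.chmod(os.path.join(root, d), 0o750)   # directories: owner + group read only
    return root


def remove_sample_share(root):
    """Delete the constructed share once the audit is done."""
    shutil.rmtree(root)


if __name__ == "__main__":
    share = build_sample_share()
    try:
        for rel, problem in audit_share(share):
            print(f"{problem:15} {rel}")
    finally:
        remove_sample_share(share)
```

The audit uses `os.lstat` so that a symlink pointing outside the share is skipped rather than reported (or followed) under the share's path.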
I would be remiss if I left out the usual housekeeping tips: Set your displays to go to the screensaver and lock the session after a short period of sitting idle. Use long and complex passwords and change them regularly. Yes, they are annoying to type and hard to remember, but they are much harder for any intruder to guess or crack. If your network is on the larger side, or if you need to manage a complex system of access roles and settings, consider a directory service such as Active Directory, Open Directory, Samba, or one of many alternatives.
If you’re new to working with the various factors that make for a secure network, this can all seem very daunting. There are many resources available online, books available in print and electronically (which are particularly nice for being searchable in a pinch), and classes offered by software and equipment vendors through local schools. With network security being a current hot topic, you might also be able to find a seminar (maybe even a free one!) in your area. Keep in mind that many of these options are available online. There are also networks of consultants available to help you plan a new setup or enhance an existing one. You’re not without help. So, go forth and secure your network! You’ll thank yourself in the long run, and your users will thank you too.