Via Network World comes an interesting article from Eric Geier about wired network security, 8 ways to improve wired network security. The article is somewhat unfortunately named in a click-baiting sort of way, but given that the topic is the patently unsexy wired network security, I felt safe giving it a look. I am grateful that it was not in slide show form.
I say the article is interesting, but that’s really only because I’m a nerd; for the most part the article is as interesting as a booklet on dental hygiene. But it is also as important as a book on dental hygiene, and does a great job of giving a progressive list of steps one can take to improve network security. It is also really refreshing to see a “peas & carrots” sort of article on this topic, instead of the “flashy new box that will save the world” vendor-orchestrated promo pieces that form an appallingly large portion of the IT trade press.
Let’s dig into the nitty-gritty:
1. Perform auditing and mapping – there is no better way to find where you opened up a port “just for a minute to get this done”…two years ago. Basically take your network out for a spin, and find the items that even a script-kiddie would be able to find if they lucked into your network.
2. Keep the network up-to-date – this is an item that is forgotten all too often. How far out of date is your router firmware? Did you ever change the default password on that switch? Take an opportunity to look at who has login access to your network devices; remove old accounts and change passwords.
3. Physically secure the network – this gets lost in all the panic about wireless access, but this is an easy one. Have an intern go around looking for open ports, and try ’em out. (I found one in a casino once, but figured I wasn’t up for THAT big a gamble.) Shut that stuff down!
4. Consider MAC address filtering – OK, we start to get a little more resource intensive here, though since we’re talking wired there shouldn’t be much in the way of regular changes. Basically this lets you tie each switchport to the MAC address of the device that’s on it, and shut the port down if someone tries to plug in a different device. This is actually mandated on Defense Department networks, and it’s a relatively easy win, especially when using a sticky mode to capture the current network state.
5. Implement VLANs to segregate traffic – Yep. The guys at Target are wishing they’d done this one. But this does require substantially more planning and modeling, which is probably why it’s done less often than one would suspect.
6. Use 802.1x for authentication – 802.1x is a cryptographic authentication system that checks individual devices and users, and actually allows the sorting of users into VLANs based on their credentials. 802.1x is more commonly associated with wireless networks, but it is fully capable on wired networks as well. This is definitely a step up in complexity though, since it requires configuration on the device as well as the network.
7 and 8. Encryption – The last two recommendations involve encrypting connections within a wired network. I’m always skeptical of encryption solutions like this. The benefit seems to be “it’s encrypted”, with no appreciation of how low the risk of interception was anyway (most of us don’t have hubbed networks). The cost is loss of the capability to monitor the traffic. Some would argue you could use SSL decryption solutions for that, but this gets a little too meta for me, since for free I can just leave the traffic alone. Of course, the second your traffic passes outside your administrative domain, it’s a whole different ballgame.
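As an added illustration (not from the Network World article or this post), here is what the sticky port security from item 4 looks like on a Cisco IOS access switch, with the VLAN from item 5 assigned on the same port; the interface name, description and VLAN number are assumed, and the “before” is simply an access port with no port-security lines.

```cisco
! Before (constructed example): anything plugged into the jack gets link and the VLAN.
interface GigabitEthernet1/0/5
 description Desk 5 - payment workstation (assumed)
 switchport mode access
 switchport access vlan 20
!
! After: the port learns the MAC of whatever is attached right now ("sticky"),
! writes it into the running config, and err-disables the port if a second or
! different MAC appears. Apply this while the correct device is attached.
interface GigabitEthernet1/0/5
 description Desk 5 - payment workstation (assumed)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Optional: bring a violated port back after 5 minutes instead of requiring a
! manual "shutdown / no shutdown"; the violation is still logged either way.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Save so the learned sticky address survives a reboot.
end
copy running-config startup-config
!
! Verification, and what to review alongside the switch's syslog/SNMP traps:
show port-security interface GigabitEthernet1/0/5
show port-security address
show interfaces status err-disabled
```

A port feeding an IP phone with a PC behind it needs `switchport voice vlan` plus `maximum 2` (or per-VLAN maximums), otherwise the second MAC trips the violation.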
It’s an interesting juxtaposition that this article comes out at almost the same time as an article in Computerworld about how the late 2013 Target data breach could potentially have been mitigated if Target had paid attention to malware alerts. Specifically, the article mentions that Target paid $1.6 million to install FireEye, which apparently worked as advertised. Of course, they didn’t follow up on the alert.
How much “network hygiene” could $1.6 million buy? Quite a lot, I think. Certainly Target could have hired a small team of young cybersecurity professionals to drive exactly the sort of improvements outlined here. Except: IT politics, CIO budgets, user pushback, FUD…yada yada yada. So the next time you hear about a major hack, don’t jump to the conclusion that it’s a technology failure…that failure had a lot of parents.