The security of a LAN (Local Area Network) is paramount in ensuring the safety of business operations and data from potential cyber-attacks, says Chris Dyke, Sales Director UK & Ireland at Allied Telesis
With the number of threats rising, it is essential to build a LAN on technologies and practices that can withstand them.
In this article we discuss five key points and best practices that businesses should implement, or at least consider, when designing and configuring corporate Local Area Networks, specifically the configurable protocols and features of switching and routing hardware.
1. Removing Default Configuration
Network devices ship with default administrator credentials and a standard factory configuration that is much the same across manufacturers, and both are documented publicly, so anyone can look them up. The first and most important change is therefore to the default credentials used to access and then manage the equipment. Typically these are a username of ‘Manager’ or ‘Admin’ combined with a very simple password. Replace them with a unique, complex password per device, make sure the device stores it as a hash rather than in reversible form, and remove or disable any other factory accounts that are not needed.
Network switches also ship with every port belonging to the same network, the default VLAN (Virtual Local Area Network). The industry-standard ID for the default VLAN is ‘1’, and it should not be used in production. On most platforms VLAN 1 cannot be deleted, so after initial configuration move every access port out of it, keep it off trunk links (including as the native VLAN) and shut down its management interface. It is also best practice to shut down any port that is not in use, ideally after assigning it to an unused ‘parking’ VLAN, because ports are enabled by default and an open, unused port lets an unauthorised person plug directly into the business’s network and gain access.
2. Network Segmentation
Network segmentation means dividing a network into multiple sub-networks. With segmentation, businesses can isolate specific groups of devices connected to the LAN and control their access to sensitive company information. Networks are typically segmented using VLANs; note that a VLAN on its own only separates Layer 2 traffic, so the control over which segments may reach which data is applied with access control lists or a firewall at the router that joins the VLANs.
Each VLAN has an associated number (the VLAN ID), which is applied to a switch port to make that port a member of the particular network. For example, corporate and public (guest) networks would be placed in separate VLANs with distinct IDs, keeping their traffic apart.
One way to further secure these network segments is Dynamic Host Configuration Protocol (DHCP) snooping, a switch feature rather than a router one. Ports facing the legitimate DHCP server are marked trusted; DHCP server replies (OFFER, ACK, NAK) arriving on any other port are dropped, which stops a rogue device from handing out addresses and a false default gateway to the segment. The switch also records each completed lease (MAC address, IP address, VLAN and port) in a binding table, and companion features such as Dynamic ARP Inspection and IP Source Guard use that table to drop ARP replies and IP packets whose addresses do not match a genuine lease, so a host cannot spoof another host’s or the gateway’s address. Network management platforms will often visualise VLANs across the network so that set-up and ongoing maintenance remain quick and simple.
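To make concrete what DHCP snooping and IP Source Guard actually do on an access switch, here is a small model of a snooping switch in Python. It is an added example, not code from the article or from Allied Telesis: DHCP messages are modelled as dataclasses rather than parsed from raw BOOTP bytes, and the port names, MAC addresses and IP addresses in the demo exchange are constructed.

```python
"""Model of DHCP snooping plus IP Source Guard on an access switch.

Added example: messages are modelled as dataclasses instead of raw DHCP/BOOTP
bytes, and every port name, MAC and IP address below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass(frozen=True)
class DhcpMessage:
    kind: str                      # DHCP message type, e.g. "DISCOVER" or "ACK"
    chaddr: str                    # client hardware address carried in the DHCP payload
    yiaddr: Optional[str] = None   # address assigned by the server (OFFER/ACK only)
    lease: int = 0                 # lease time in seconds (ACK only)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int


class SnoopingSwitch:
    def __init__(self, trusted_ports: List[str]) -> None:
        self.trusted = set(trusted_ports)                # ports towards the real DHCP server
        self.pending: Dict[Tuple[int, str], str] = {}    # (vlan, mac) -> port of a client mid-exchange
        self.bindings: Dict[Tuple[int, str], Binding] = {}
        self.drops: List[str] = []

    def dhcp_ingress(self, port: str, vlan: int, src_mac: str, msg: DhcpMessage) -> bool:
        """Filter a DHCP message arriving on `port`; return True if it is forwarded."""
        if msg.kind in SERVER_MESSAGES and port not in self.trusted:
            self.drops.append(f"{port}: DHCP {msg.kind} from untrusted port (rogue server)")
            return False
        if msg.kind in CLIENT_MESSAGES:
            if port not in self.trusted and msg.chaddr != src_mac:
                # "verify MAC" option: chaddr in the payload must match the frame's source MAC
                self.drops.append(f"{port}: DHCP {msg.kind} chaddr {msg.chaddr} != frame src {src_mac}")
                return False
            key = (vlan, msg.chaddr)
            if msg.kind in ("RELEASE", "DECLINE"):
                self.bindings.pop(key, None)       # lease given up: forget the binding
            else:
                self.pending[key] = port           # remember which port this client is on
        elif msg.kind == "ACK" and msg.yiaddr:
            key = (vlan, msg.chaddr)
            client_port = self.pending.pop(key, None)
            if client_port is not None:            # lease completed: record it in the binding table
                self.bindings[key] = Binding(msg.chaddr, msg.yiaddr, vlan, client_port, msg.lease)
        return True

    def ip_ingress(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        """IP Source Guard: on untrusted ports only traffic matching a snooped binding passes."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_mac))
        if b is None or b.ip != src_ip or b.port != port:
            self.drops.append(f"{port}: IP from {src_mac}/{src_ip} has no matching binding")
            return False
        return True


def demo() -> SnoopingSwitch:
    """Constructed exchange: legitimate client, rogue server, real server, then spoofed traffic."""
    sw = SnoopingSwitch(trusted_ports=["Gi1/0/1"])   # uplink to the real DHCP server
    client, rogue, server = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "00:50:56:00:00:01"
    vlan = 10
    sw.dhcp_ingress("Gi1/0/10", vlan, client, DhcpMessage("DISCOVER", client))
    sw.dhcp_ingress("Gi1/0/11", vlan, rogue, DhcpMessage("OFFER", client, "10.10.10.200"))  # dropped
    sw.dhcp_ingress("Gi1/0/1", vlan, server, DhcpMessage("OFFER", client, "10.10.10.50"))
    sw.dhcp_ingress("Gi1/0/10", vlan, client, DhcpMessage("REQUEST", client))
    sw.dhcp_ingress("Gi1/0/1", vlan, server, DhcpMessage("ACK", client, "10.10.10.50", 86400))
    sw.ip_ingress("Gi1/0/10", vlan, client, "10.10.10.50")                 # allowed: matches binding
    sw.ip_ingress("Gi1/0/10", vlan, client, "10.10.10.1")                  # dropped: gateway spoof
    sw.ip_ingress("Gi1/0/12", vlan, "aa:bb:cc:dd:ee:ff", "10.10.10.50")    # dropped: stolen address
    return sw


if __name__ == "__main__":
    sw = demo()
    for key, b in sw.bindings.items():
        print("binding", key, b.ip, b.port)
    for d in sw.drops:
        print("dropped", d)
```

The point to take from the model is where the binding's port comes from: the switch learns it from the client's own DISCOVER/REQUEST on the untrusted port, not from the server's ACK, which is why a host on another port cannot simply reuse a neighbour's leased address.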
3. Access Control
Access control is another essential practice when securing a LAN: it regulates who can reach specific parts of the network or its data. One of the most common technologies used for this is the Remote Authentication Dial-In User Service (RADIUS). RADIUS is a protocol between a network device (the switch, wireless controller or VPN gateway) and a central authentication server, which checks the submitted credentials against its user database or directory and returns an accept or a reject. On the LAN it is usually applied through IEEE 802.1X: the switch keeps a port closed until the connecting user or device has authenticated via RADIUS, and can then place the port in the VLAN the server specifies, while invalid or unauthorised credentials leave the port closed.
Administrators typically need direct access to the CLI (Command Line Interface) of a switch or router for configuration. This is usually provided over SSHv2 (Secure Shell version 2), combined with an access control list that matches the source IP address of each incoming SSH connection against specifically authorised management address ranges; the user then also has to present valid credentials (ideally checked against the same RADIUS server, with a local account kept only as a fallback). Previously the main protocol for CLI access was Telnet, but it should be disabled: it is unencrypted, so credentials and commands can be captured by anyone able to intercept the traffic.
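A practitioner will want to verify points 1 and 3 above on a real device rather than trust that they were done. The following Python script, an added example that is not from the article or from any vendor, audits a constructed running-config for factory accounts, reversible password storage, active ports left in VLAN 1, unconfigured ports left enabled, Telnet on the management lines, and a management line with no source-address restriction. The sample config uses a generic Cisco-IOS-like syntax for illustration; the keywords it checks (`username ... secret`, `switchport access vlan`, `transport input`, `access-class`) are assumptions about that syntax and would need adjusting for another vendor's CLI.

```python
"""Audit a switch running-config for the default-configuration and management-access points.

Added example: the config below is constructed and written in a generic
Cisco-IOS-like syntax for illustration, not the exact CLI of any particular vendor.
"""
import re
from typing import List, Tuple

# Accounts that ship on many platforms or are so common that attackers try them first.
DEFAULT_USERS = {"manager", "admin", "administrator", "cisco", "root"}

# Constructed sample configuration (hypothetical device, addresses and names).
SAMPLE_CONFIG = """\
hostname edge-sw01
username manager privilege 15 password 0 friend
username netops privilege 15 secret 9 $9$placeholderhash
!
vlan 10
 name Corporate
vlan 20
 name Guest
!
interface GigabitEthernet1/0/1
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/0/2
 description Finance workstation
 switchport access vlan 10
interface GigabitEthernet1/0/3
 description Printer
interface GigabitEthernet1/0/4
 shutdown
interface GigabitEthernet1/0/5
!
ip access-list standard MGMT
 permit 10.0.250.0 0.0.0.255
!
line vty 0 4
 transport input telnet ssh
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (top-level line, [indented child lines]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per hardening gap found in `config`."""
    findings: List[str] = []
    for header, body in parse_blocks(config):
        words = header.split()
        if words[0] == "username":
            user = words[1]
            if user.lower() in DEFAULT_USERS:
                findings.append(f"default account '{user}' still present; rename or remove it")
            if "password" in words:   # 'password' is reversible storage; 'secret' is hashed
                findings.append(f"account '{user}' stored with 'password' (reversible), not a hashed 'secret'")
        elif words[0] == "interface":
            name = words[1]
            if "shutdown" in body:
                continue                                  # disabled port: nothing to flag
            if any(l.startswith("switchport mode trunk") for l in body):
                allowed = next((l for l in body if l.startswith("switchport trunk allowed vlan")), None)
                if allowed is None or re.search(r"\b1\b", allowed.split("vlan", 1)[1]):
                    findings.append(f"{name}: trunk still carries VLAN 1")
            elif not body:
                findings.append(f"{name}: unconfigured port left enabled; shut it down")
            elif not any(l.startswith("switchport access vlan") for l in body):
                findings.append(f"{name}: active access port still in default VLAN 1")
        elif words[:2] == ["line", "vty"]:
            # Assumption: with no 'transport input' line the platform accepts every protocol.
            transport = next((l.split()[2:] for l in body if l.startswith("transport input")), ["all"])
            if "telnet" in transport or "all" in transport:
                findings.append("vty: Telnet accepted; set 'transport input ssh' only")
            if not any(l.startswith("access-class") for l in body):
                findings.append("vty: no access-class; management login reachable from any source IP")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports six findings: the ‘manager’ account and its reversible password, the printer port still in VLAN 1, port 1/0/5 enabled but unconfigured, and the two management-line gaps; the trunk with an explicit allowed-VLAN list that excludes 1 and the shut-down port are correctly left alone.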
4. Regular Software Updates
Regular software updates are crucial to keeping a network secure. Updates contain patches for previously discovered security vulnerabilities, and attackers search for unpatched devices as entry points, so updating device firmware must become a regular, scheduled maintenance task across the entire infrastructure. Subscribe to the manufacturer’s security advisories, verify each downloaded image against the manufacturer’s published hash or signature before installing it, and use the scheduling toolsets that are often available to minimise disruption and the time this important task takes.
5. Encryption
Encryption converts readable data into ciphertext that cannot be read without the key, so that it can be transmitted securely between computers or network devices.
Encryption technologies ensure that data transmitted over the network cannot be read, or altered undetected, in transit. A typical example is the use of VPNs when sending data between network devices across the internet. VPNs should be configured with the strongest algorithms that the organisation’s local and remote hardware can both support for the specific use case.
Bear in mind that some hardware is only capable of running older, now weak, algorithms; such equipment should be avoided or upgraded to prevent the potential interception of data.
In most cases the minimum cryptography businesses should use for VPNs is AES-256 for encryption (AES-GCM where both ends support it, since it provides integrity as well as confidentiality), SHA-256 for integrity and key derivation, and Diffie-Hellman group 14 (2048-bit MODP) for key exchange, with perfect forward secrecy enabled so that session keys are freshly negotiated rather than derived from a long-lived secret. Note that group numbers are not a strength ranking: the elliptic-curve groups 19 and 20 are stronger than group 14 despite the unrelated numbering, while groups 1, 2 and 5 are weaker and should no longer be used.
Stronger algorithms do incur more overhead on hardware resources, so find a balance between security and performance that provides sufficient protection without compromising efficiency; hardware acceleration for AES on modern equipment closes much of this gap.
Though VPN encryption is most associated with site-to-site connectivity across a public network or the internet, encryption inside the LAN itself is increasingly used, typically as MACsec (IEEE 802.1AE), which encrypts each Ethernet link hop by hop between switches and capable endpoints. This is driven either by clients or environments that require additional layers of security, such as intelligence, defence or financial services, or by a highly sensitive application running in a standard environment that needs extra protection.
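To apply the minimums above consistently across many tunnels, a policy check over proposal strings is useful. The Python below is an added example, not from the article or from any vendor: it reads proposals in strongSwan’s `encryption-integrity-dhgroup` notation (an assumed input format, so adapt the parser for another VPN platform), treats AEAD ciphers as carrying their own integrity, and compares Diffie-Hellman groups by approximate security strength rather than by group number, using the usual comparable-strength estimates (the modp4096 figure is approximate).

```python
"""Grade IKE/IPsec proposals against the policy: AES-256, SHA-256, at least DH group 14 strength.

Added example. Input format is assumed to be strongSwan-style 'enc-integ-dh' strings;
strength figures are the customary comparable-strength estimates in bits (modp4096 approximate).
"""
import re
from typing import Dict, List, Optional

# DH group name -> (IANA group number, approximate security strength in bits).
# The numbering is not a strength ordering: ecp256 is group 19 yet stronger than modp2048 (group 14).
DH_GROUPS = {
    "modp1024": (2, 80), "modp1536": (5, 90), "modp2048": (14, 112), "modp3072": (15, 128),
    "modp4096": (16, 150), "ecp256": (19, 128), "ecp384": (20, 192), "ecp521": (21, 256),
    "curve25519": (31, 128),
}
MIN_ENC_BITS = 256
MIN_HASH_BITS = 256
MIN_DH_STRENGTH = DH_GROUPS["modp2048"][1]   # "at least group 14", read as strength, not number


def evaluate_proposal(proposal: str) -> Dict[str, object]:
    """Parse e.g. 'aes128-sha1-modp1024' and report which components fail the policy."""
    enc_bits: Optional[int] = None
    aead = False
    hash_bits: Optional[int] = None
    dh: Optional[str] = None
    for tok in proposal.lower().split("-"):
        if tok.startswith("aes"):
            enc_bits = int(tok[3:6])                      # aes128 / aes256gcm16 -> 128 / 256
            aead = "gcm" in tok or "ccm" in tok           # AEAD modes carry their own integrity
        elif tok == "chacha20poly1305":
            enc_bits, aead = 256, True
        elif tok == "3des":
            enc_bits = 112                                # effective strength, not key length
        elif tok.startswith("prf"):
            continue                                      # PRF choice; not an integrity algorithm
        elif tok.startswith("sha"):
            hash_bits = 160 if tok == "sha1" else int(re.sub(r"\D", "", tok)[-3:])
        elif tok == "md5":
            hash_bits = 128
        elif tok in DH_GROUPS:
            dh = tok
        else:
            return {"proposal": proposal, "ok": False, "failures": [f"unknown token '{tok}'"]}
    failures: List[str] = []
    if enc_bits is None or enc_bits < MIN_ENC_BITS:
        failures.append(f"encryption {enc_bits or 'missing'} < {MIN_ENC_BITS} bits")
    if not aead and (hash_bits is None or hash_bits < MIN_HASH_BITS):
        failures.append(f"integrity {hash_bits or 'missing'} < {MIN_HASH_BITS} bits")
    if dh is None or DH_GROUPS[dh][1] < MIN_DH_STRENGTH:
        failures.append(f"DH {dh or 'missing'} weaker than group 14 (modp2048)")
    return {"proposal": proposal, "ok": not failures, "failures": failures}


if __name__ == "__main__":
    for p in ("aes128-sha1-modp1024", "aes256-sha256-modp2048", "aes256gcm16-prfsha256-ecp256"):
        print(evaluate_proposal(p))
```

The second and third proposals both pass even though group 19 is numerically above and group 14 is the stated minimum; a check that compared group numbers directly would wrongly accept a group 5 proposal over an elliptic-curve one, which is the trap the strength table avoids.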
In conclusion, securing a corporate LAN requires a combination of best practices and technologies. By implementing the practices above, businesses can effectively secure their LAN against cyber threats and operate with confidence that their data and operations are protected.