1. Change default settings
2. Install patches
3. Don't ignore the wireless threat
4. Get physical (security)
5. Configure to deliver
Default settings for any system are rarely the most secure and offer an easy route into a network for script kiddies and experienced hackers alike. Adopt a hard approach to security by systematically validating that all systems have had their default passwords changed and their security settings verified. Otherwise, the entire corporate network may be left vulnerable to a 12-year-old kid who knows how to Google for 'Cisco default router settings,' for example. That applies to all network devices, not just routers, so change the default settings on your switches, access points, firewalls, etc., as well.
Hackers love only one thing more than discovering a new vulnerability, and that's people who do not respond to fixes as soon as they become available. Not applying a system security patch or software security update when it arrives is like waving a red flag before a computer-savvy bull. And this doesn't just mean Microsoft security updates. It is critically important to keep everything up to date, so don't forget to install all available patches and updates immediately after adding anything new to your network -- from router firmware to client software -- and keep doing so until you eventually remove or replace them. The use of appropriate network management tools means this does not have to be painful or overly time-consuming, and all terminals can be updated centrally and simultaneously. Examples of these tools are GFI Software's LANguard, Lumension Security Inc.'s Endpoint Management and Security Suite, and ScriptLogic Corp.'s Patch Authority Ultimate. Importantly, distinguish security updates from simple software updates: The latter are not mission critical and are not a priority, whereas the former are both.
Pre-empt problems by ensuring that policy forbids the use of public, unencrypted Wi-Fi, and by preventing guest use of wireless access points. Just because you have locked down your network with perimeter security measures doesn't mean that someone in a car outside couldn't bypass them by strolling through the open guest WLAN. Again, don't forget to change default wireless router settings (see rule No. 1), and enable wireless encryption; use WPA2 if at all possible, as the insecurities of both WPA and WEP are now widely known. Finally, disable SSID broadcasting to deter drive-by intruders. An unchanged and openly broadcast SSID is not a security risk, per se, but it is an indicator to the hacking community that you probably haven't bothered changing much else when it comes to protecting your wireless network either. Also, don't dismiss this threat on the grounds that the IT team has not deployed a WLAN, because that doesn't necessarily mean your tech-savvy employees haven't done so for their own convenience. These unauthorised WLANs can be detected using a Wi-Fi scanner.
Evident to everyone yet ignored by many, physical security is key. Don't forget to lock the server room door when you pop out for lunch or a short break. Routers should always be kept under lock and key, as anyone with physical access could simply reset them to their insecure default settings. Also, reduce the risk of someone walking away with your data by locking down terminal data access ports to prevent the use of unauthorised USB storage devices. Some people have been known to go as far as using superglue to block USB ports, but that's perhaps getting a little too physical!
Everything, be it hardware or software, needs a touch of system or network hardening to be truly secure: from disabling non-required services, to renaming access accounts and resetting passwords. Any corporate network without a properly configured IDS or firewall is an insecure corporate network. There have been many occasions on which poorly implemented products have been disabled (or ignored, which amounts to the same thing) after admins got fed up with the false positive warnings. The key to any effective deployment is in understanding what you are trying to protect against and then fine-tuning accordingly. Nothing should be allowed in or out by default: your outgoing rules are just as important as your incoming rules. Also, tuning your firewall policies and removing any unused rules and objects on an ongoing basis are critical for security.
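To illustrate the last two points (default-deny in both directions, and pruning rules that nothing uses), here is a small audit script that is not part of the article: it reads a saved `iptables -L -v -n` listing, flags any built-in chain whose policy is not DROP, and lists rules whose packet counters are still zero. The listing embedded in it is constructed sample output, not from a real host.

```python
import re
BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
# Built-in chains print "(policy X ...)", user-defined ones "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4521  380K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:8080

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2201  150K ACCEPT     udp  --  *      eth0    0.0.0.0/0            192.0.2.53           udp dpt:53
"""  # constructed sample output, not captured from a real host

def to_int(counter):
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables abbreviates large counters
    return int(counter[:-1]) * mult[counter[-1]] if counter[-1] in mult else int(counter)

def parse_iptables(listing):
    """Return {chain: (policy or None, [(pkts, rule_text), ...])}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        fields = line.split()
        # Rule lines start with the packet counter; skip blanks and the column header.
        if current is None or len(fields) < 3 or not fields[0][0].isdigit():
            continue
        chains[current][1].append((to_int(fields[0]), line.strip()))
    return chains

def audit(listing):
    """Flag non-DROP built-in policies and rules whose counters are still zero."""
    chains, findings = parse_iptables(listing), []
    for name in BUILTIN_CHAINS:
        policy = chains.get(name, (None, []))[0]
        if policy != "DROP":
            findings.append(f"{name}: policy is {policy}, expected DROP (outbound too)")
    # Counters reset on reboot or `iptables -Z`: a zero only marks a rule for review, so compare snapshots over time.
    for name, (_, rules) in chains.items():
        findings += [f"{name}: never matched, review for removal: {text}" for pkts, text in rules if pkts == 0]
    return findings
```

On the sample above the audit reports three findings: the INPUT and OUTPUT policies are ACCEPT rather than DROP, and the port 8080 rule has never matched a packet.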
About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.
This was first published in August 2010