Happy Halloween to All!
This month's topic is about what techniques are available to harden or
secure your network perimeter.
We are all aware of how today's Internet-based threats can affect our
day-to-day lives. They can arrive and you have no defense against them. Fortunately,
there are some basic, common sense steps you can take to harden your network
and provide layers of security. You may not know exactly what the threat is,
but you can certainly deploy some proactive steps like these that might
stop such a problem right in its tracks.
One of the easiest ways for malicious software or Internet users to access your network is not through holes in your firewall, brute-force password attacks or anything else that might occur on your network. It is through your remote, mobile users when they try to connect to your business network while on the road or through kiosks. Neither of these categories of machines is subject to your stringent security policies, and that is a major problem.
IPsec encapsulates communications in a layer of encryption that is difficult to break, but it also allows you to restrict communications to and from certain machines based on whether their machine certificates are signed and valid. With this in place, even if an exploit were introduced into your network, the machines restricted by IPsec would simply ignore it. Using IPsec in this way also forms the basis for using network access control.
VLANs are essentially multiple logical boundaries created within one physical network. VLANs are an easy way to divide critical areas of your network from others. For instance, you could have one VLAN for servers and another for client machines, or you could segregate machines based on department, or any other scheme you choose. Creating a VLAN in and of itself doesn't necessarily create a layer of protection, but it forms the basis for any number of other hardening techniques, and it provides a way to limit the scope of security procedures to only the most critical areas of a network.
Intrusion detection/prevention systems often use heuristics that can detect malicious activity on your network before an actual definition is created by anti-virus and anti-malware vendors. IDS/IPS systems also provide a solid foundation for forensic analysis in case you care to examine how an exploit entered your network or penetrated your network defenses.
Simply using media access control (MAC) filtering and not broadcasting your service set identifier (SSID) are methods that just do not cut it anymore in a corporate setting. WEP has been cracked numerous times and even the ankle biters will have no trouble gaining access to your wireless network protected only by WEP. Look into WPA2 to really filter out the bad guys.
This almost goes without saying (which is why I put it at the end of my list), but perimeter defense is the first, best and most effective way to protect against zero-day exploits in a variety of forms. To help prevent your network from being a vector of delivery for a nasty vulnerability, deploy a firewall immediately. Better yet, deploy a security appliance and perform regular audits of that firewall if you aren't doing audits already.
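One way to make the regular firewall audit repeatable, as an added example that is not part of the original newsletter: the script below assumes a Linux firewall dumped in `iptables-save` format and flags default-ACCEPT policies, unconditional ACCEPT rules, and risky services open to any source. The sample ruleset, the `RISKY_PORTS` list and the function names are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (not from the article).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

# Assumption: services this audit treats as unsafe to expose to any source.
RISKY_PORTS = {"21": "ftp", "23": "telnet", "3389": "rdp"}
INBOUND_CHAINS = {"INPUT", "FORWARD"}

def opt(tokens, *flags):
    """Return the value following the first of `flags`, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None

def audit_ruleset(text):
    """Return [(line_number, finding)] for the filter table of a dump."""
    findings, table = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):  # table header, e.g. "*filter"
            table = line[1:]
        elif table == "filter" and line.startswith(":"):  # chain policy line
            chain, policy = line[1:].split()[:2]
            if chain in INBOUND_CHAINS and policy == "ACCEPT":
                findings.append((lineno, f"{chain} default policy is ACCEPT"))
        elif table == "filter" and line.startswith("-A "):  # appended rule
            tok = shlex.split(line)
            chain, port = tok[1], opt(tok, "--dport")
            if chain not in INBOUND_CHAINS or opt(tok, "-j") != "ACCEPT":
                continue
            if len(tok) == 4:  # "-A CHAIN -j ACCEPT": no match conditions
                findings.append((lineno, f"{chain} accepts all traffic"))
            elif port in RISKY_PORTS and opt(tok, "-s", "--source") is None:
                findings.append((lineno, f"{RISKY_PORTS[port]}/{port} open to any source"))
    return findings
if __name__ == "__main__":
    for lineno, finding in audit_ruleset(SAMPLE_RULESET):
        print(f"line {lineno}: {finding}")
```

Run it against a saved dump on each audit cycle and compare the findings with the previous run; an empty list means none of these three checks fired, not that the ruleset is otherwise sound.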
There you have it. To better protect your electronic assets, you must approach this from a layered perspective or a principle of least privilege model.
To respond to this or previous newsletters or to inquire about an on-site
presentation, please feel free to call us at 508-995-4933 or email us at
mdesrosiers@m3ipinc.com.
Regards,
Michael Desrosiers
Founder
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business
(O)508-995-4933
(C)774-644-0599
mdesrosiers@m3ipinc.com
http://www.m3ipinc.com
Copyright November 2006 Michael Desrosiers. All Rights Reserved.