In my previous article, I spoke about the benefits of Network Segmentation as a tool to help improve the security of your organization, however as mentioned this method can require a high level of effort to properly implement. Also simply separating your networks isn’t a complete defense against the most common threats to your organization’s network; As with all security controls the best defense is a layered defense that incorporates multiple Physical, Technical, and Administrative Controls (also known as defense in depth). Tim previously wrote about how User Education (an Administrative Control) can be an effective countermeasure against Business Email Compromise (BEC) Attacks in his article Business Email Compromise: A Growing Threat.
Network Access Restriction
Just because someone can physically enter your building doesn’t mean that you allow them to enter every room. However, without proper network security physical (or remote) access to your network may allow a bad actor to gain access to your entire network, including your most sensitive information. This is why you already require employees to sign-in to their computers. Thankfully, with the implementation of some built-in features of Microsoft Windows Server, most Small to medium businesses can effectively provide an additional level of authorization that can greatly reduce the threat that is largely transparent to your employees.
RADIUS (Remote Authentication Dial-In User Service) is a protocol that can be applied to your wireless network to replace a pre-shared key (PSK) with the username and password that you are already using to log in to your computer. Most business-grade wireless access points like Meraki, Dell Rukus, or Ubiquiti support RADIUS out of the box, and have done so for years.
802.1X is a networking standard for Network Access Control that can be configured to apply the same benefits of RADIUS as described above to your wired devices. Only devices that have authenticated against the RADIUS server will be provided access to the network, all other devices will not be allowed to communicate.
Both of these technologies require the configuration of a feature that is built into the Microsoft Windows server that you likely already have in your environment, it’s simply a matter of leveraging your existing resources.
Most Operating Systems (Including Microsoft Windows Server and Windows 10) ship with a software firewall, this application acts much in the same way that the hardware UTM Firewall you already have in place between the internet and your internal network. While this application is very powerful, it is an often overlooked component of your overall network security toolset. Many organizations opt to simply disable this feature instead of dedicating the time needed to fully configure this firewall for the needs of the devices on the network, potentially degrading the overall security of the systems and networks within the organization.
The built-in Windows Firewall can be configured to only allow access to sensitive resources (such as a database server) from “known-good” devices (for example, Your Servers and necessary Workstations) and prevent non-essential services from being accessed over the network.
This does require a level of effort to identify the resources that are running on each device, as well as the business units that require access to these resources. However, by only allowing the minimum amount of access required you can reduce the potential for inappropriate or malicious access to your systems.
Organizational Unit Based Segmentation
The methods described above do not explicitly require the use of Network Segmentation and can be implemented without segmentation in place while still providing an increase to security. They can also be used in concert with segmentation to improve efficacy. If you already have some level of network segmentation you may opt to additionally segment your vLANs based on department or organizational unit, this can be an effective middle ground between “role-based” and “classification based” network segmentation.
An example of this would be to provide a separate VLAN for your most critical group, for example, your finance department, and implement software firewalls to effectively isolate this group from the rest of the network. This has the potential to protect these sensitive workstations from various types of threats, including ransomware – if your receptionist opens a malicious file that contains a ransomware payload proper segmentation may protect the finance department if your endpoint security were to fail.
Memorialization into Policy
As mentioned, in-depth defense requires the use of Physical, Technical, and Administrative controls used in concert to create an effective security program. As you implement new controls, such as 802.1X to effectively lock-out open network ports to unauthorized users, you should be sure to update or create corresponding corporate policies that identify the new control, detail how this should be used (for example Non-Employees are not permitted to have physical access to the LAN without clearance by the IT department), and detail the potential repercussions for a failure to comply with the policy (generally a dedicated sanction policy).
It is important to understand that policies must be developed based on your organization’s goals and needs &ndash. There is no “shortcut” or “template” that can provide meaningful administrative control for your organization.
Network Security can be a complex but highly effective tool to protect yourself from not only insider threats but also as another layer of defense to compliment your endpoint security. As a bridge between your users and your sensitive data securing the Network is essential to securing your data. While this can require some effort and planning to properly implement it is not out of reach for any organization.