Basic network security by David Longenecker
Fair use disclaimer: I do not own this content. This post contains excerpts (“highlights”) from a longer article used here solely for educational purposes. All credits go to its rightful owner. Please see Citation information.
<At its most basic, defending a network—whether a simple home network, or a global enterprise network—starts with a few fundamental practices: deliberate use of passwords; keeping devices and software up to date; and managing what communication is allowed in and out of the network.>
You may also be interested in How to break into information security.
Manage passwords
<• Change the default password on all devices and accounts. Out of the box, most devices and network appliances come with an easily found password (often username “admin”/password “admin”). If you don’t change the default password, it’s a veritable invitation for someone else to take control of the device.
• Use unique passwords for every device and account. Reused passwords are a hacker’s dream: all too often, a password will be stolen from say, an unimportant news site, only to be used to break in to one’s bank accounts or take control of network security devices. Unique passwords per device and account ensure that if one password is stolen, only one password is stolen.
• Use a password generator. The human brain has unconscious biases and patterns, which often lead to predictable passwords. In a somewhat dated presentation, professional password cracker Rick Redman showed that a random 9-character password might take a couple of months to crack. However, he is frequently able to crack half of the passwords in a given sample in less than 20 minutes, simply because of the predictable patterns we fall into.>
Manage devices
<• Keep device software and firmware up to date. Android OS, Apple iOS, Windows, Mac OS X, and many software products have automated update features. To a lesser degree (though thanks to FTC action this year, this may be improving), network equipment also has such features. Turn them on. Software developers make mistakes—that’s what the updates fix …
• Turn off unnecessary features … every program and service on a computer is a potential area of exposure to manage. By removing features and services that you do not use, you remove potential avenues for a malicious hacker to compromise the network.
• Choose wireless network names selectively. Most wireless routers have a default SSID, or wireless network name. This is convenient, but can have unintended consequences. Out of the box my router labels its wireless networks as ASUS and ASUS_5G. As does every other ASUS wireless router … it is a good idea to name it something a little less common than the default. Otherwise, any device you connect to your home wireless network will look for that network name everywhere it goes, and may well try to connect with a hacker’s cleverlynamed “ASUS_5G” network outside Starbucks.
• Log in to network devices securely. Many network switches and routers, both commercial and home-oriented, can be managed through HTTPS and SSH, as well as HTTP and Telnet. The former are secured protocols that encrypt communication between you and the device, while the latter are non-secure protocols that communicate in the clear. An unscrupulous user on your network could listen in to the connection and sniff out your username and password, thus enabling them to log in to the device later. If possible, disable the HTTP and Telnet protocols entirely. If a device does not allow disabling these protocols, make a practice of logging in only over HTTPS or SSH.>
Manage network traffic
<• Enable a firewall. The primary purpose of a firewall is to stop undesired traffic from entering or exiting the network. If you have a wireless network, it almost certainly has a built-in firewall. If not, Windows has a built-in firewall that you can turn on by going to the control panel and opening the “Windows Security Center” panel. More and more entertainment devices are becoming Internet-aware, though (game consoles such as the Wii or PlayStation; set-top boxes such as Roku or TiVo; Blu-Ray players; and even televisions themselves). If these devices are connected straight to the Internet, they can become targets for hackers and used as an entry point to access your more valuable systems. If at all possible, they should be connected through either a wireless router or through a hard-wired router that has a built-in firewall.
• Keep logs. And look at them.
• Manage name resolution. A Web filter is commonly found on library and school computers, and frequently on corporate networks as well. It is intended to prevent access to inappropriate content, but in many cases will also prevent access to sites known to host malware. The simplest work by controlling the domain name system (DNS), the “phone book” for the Internet. There are a variety of free* DNS services that simply don’t resolve website addresses that go to known undesirable** or malicious content. More accurately, they resolve such websites to a benign address that warns you about the nature of the site. In terms of “bang for the buck,” this is one of the strongest additions you can make to the security of your home or small business network.>
*Most of the “free” options specify “free for personal use only.”
**Several available services provide the ability to allow or block websites based on categories, allowing the network administrator to tune the blocking to suit your personal or organizational acceptable use policy.
Citation information
David Longenecker. (2016). Basic network security (Ch. 7). In Beginner’s Guide To Information Security (pp. 36-38). Peerlyst. Retrieved from https://www.peerlyst.com/posts/peerlyst-announcing-its-first-community-ebook-the-beginner-s-guide-to-information-security-limor-elbaz
