Who’s Playing on Your Network?

A Basic Guide to Network Security

Starting with proper network security is the difference between your office's or facility's network prospering or malfunctioning. Much of what users rely on is the set of connected devices we employ in our lives, both for business and leisure. These devices run back to connections that form internal networks or reach all the way to the cloud, using the internet as a resource. Taking stock of how many devices, or whole collections of systems, need network access can be genuinely alarming. Taking steps to avoid collapsing the network or compromising the integrity of its users should be a priority. TCG has several recommendations and options available in its toolbox.

Ready Layer One

Firstly, layer one, the physical layer of the Open Systems Interconnection (OSI) model, deals with all tangible connections and portions of the network. This includes the system's power supply, cabling, the unit itself, and more. This part of securing your data may seem easier, as there is no logic or programming and no commands to understand in order to use layer one security. To secure your network on the physical side, the first step is to examine all of the shortcomings. Are the ports of your device physically open? Can anyone plug in? If so, Ethernet port locks and blanking fillers should be placed into the switch. What if power is lost to the switch, directly or indirectly? Power back-ups or Power over Ethernet (PoE) allow power to reach devices should one lose electricity. Limitations at layer one are, for the most part, on the networking device itself, but other physical issues will present problems.

Sorry Your Network Security is in Another Castle

Next, a physical connection is one of the main things that can afflict a network switch; however, that is not where physical security should stop. Securing the switch by itself is one thing, but chances are it sits on a data rack in a room somewhere. There are several factors in examining the placement and security of this switch. First, is it in a room, or out exposed in the office or lobby? Consider network devices to be like doors: who do you want to allow to come in? (Maybe start with an actual door and secure the switch in a data closet or room.) Now, the door alone is not enough; locks and access controls (such as card readers and passwords on the door) will add another layer of security to room entry.

Cast Protect on Your Data

Lastly for layer one, within the room, observe and consider environmental hazards and their effects. Housing devices within a specific temperature range is a big part of securing your device. Make sure the temperature range of the device is properly maintained, as going outside of it can lead to hardware damage or failure. Water and electrical hazards are dangerous for networking devices. Elevating devices enough that they stay dry should the room take in water during an emergency event is a must. Applying a splash guard above racks to stop water damage from overrunning pipes is a great idea. Finally, security cameras and access logs will give the room the assurance of knowing who was there, why they were there, and when they were there. Should something happen to the network, you will be able to trace it back to an event or person, tremendously reducing troubleshooting time. Moving to layer two should not happen until securing layer one is properly complete.

Layer Two has Joined the Party

Secondly, layer two, known as the data link layer of the OSI model, is primarily where one's switch will operate. While it is possible to limit network access here, using access control lists (ACLs) is not a real option, as they need layer three support to be fully utilized on a port-by-port basis. There are other things that can be applied to a switch configuration in order to lock it down from intruders. Switchport port-security is a good starting point. With port security, users can choose which VLANs are allowed on which port if they are access ports. Trunk ports can be configured to pass specific VLAN information or all VLANs. VLANs are virtual local area networks; they segment connections in a logical pattern, giving users access only to where they need it. Port security can also utilize the MAC addresses of connected devices. Whether the switch learns the MAC address information dynamically or is given it manually is your choice. Once the MAC addresses are present on the switch, the switch ports can be configured to go inactive, alert, or both when an unauthorized MAC address is detected, allowing the security features to handle the situation.

No Codes Needed, Just Skill

Following up with some tricks will add to the security of layer two. By default, a new switch will come with all ports activated and configured for VLAN 1. A production-level switch will need this altered. Turning unused ports off is a great first line of defense. Setting VLANs for the ports that are in use will direct traffic to the appropriate locations. Configuring ports that are not in use with a VLAN containing no route to the internet or anywhere else in the network secures those ports further; a "black hole VLAN" is the common term. Programming the switch to dynamically learn MAC address information, with alerts, helps the switch gather data on connecting devices. Both practices will bulk up a network's defenses.
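As an added example (not from the original post, and not TCG's code), here is a small Python audit that parses a constructed Cisco IOS-style running-config and flags ports that miss the layer two practices above: active access ports still in VLAN 1 or without port-security, shut-down ports not parked in a black hole VLAN, and trunks passing all VLANs. The interface names, VLAN numbers and configuration text are constructed sample data, and VLAN 999 is assumed to be the black hole VLAN.

```python
from collections import defaultdict

# Constructed sample of a Cisco IOS-style running-config (not from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/3
 switchport access vlan 999
 shutdown
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    # Group each 'interface X' stanza's indented lines under its interface name.
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # a '!' separator or global command ends the stanza
    return interfaces

def audit_switch(config, blackhole_vlan="999"):
    # Return {interface: [findings]} for the layer two hardening points above.
    findings = defaultdict(list)
    for name, lines in parse_interfaces(config).items():
        shut, trunk = "shutdown" in lines, "switchport mode trunk" in lines
        # An access port with no explicit VLAN sits in the factory default, VLAN 1.
        vlan = next((l.split()[-1] for l in lines
                     if l.startswith("switchport access vlan ")), "1")
        if shut and vlan != blackhole_vlan:
            findings[name].append("unused port not parked in black hole VLAN")
        if not shut and not trunk:
            if vlan == "1":
                findings[name].append("active access port left in default VLAN 1")
            if "switchport port-security" not in lines:
                findings[name].append("port-security not enabled")
        if trunk and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings[name].append("trunk passes all VLANs; restrict the allowed list")
    return dict(findings)
```

Feed it the output of `show running-config` from a real switch and only the ports with findings are returned; a clean config yields an empty dictionary.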

To Continue Please Insert More Coins

Finally, there are 8 layers available, and several options to secure them. Begin locking down your equipment in the order outlined by the OSI model. Overkill and added security are not bad; some of the features you enable may never actually be triggered or need to function. Network performance demands will determine how much security to use. Network failure is a possibility without it. Locking down layer one and layer two ports will go a long way in securing network communications. Customize and tailor solutions for hardware and specific configurations to suit individual needs and situations. Further configuration and protection add security, and using the other 6 layers of the OSI model enhances this. The first two layers are a great start for any network.

About the author: William Elias

William Elias is a member of the TCG Engineering Department.
Currently he is into all things technology.
CCNA Route & Switch, BS in Information Technology and BBA in Business Management