Network Security Doesn’t Have to Be Difficult
The age of information is here and not going anywhere anytime soon. If anything, it will become more prevalent and ever more integrated into our global economy and society. Don’t believe me? Read Don & Alex Tapscott’s book “Blockchain Revolution.” Your eyes and mind will be opened forever. Your information and your clients’ information are real assets, and they need to be protected. Technology is evolving at an astounding rate; there is no way for any one person to understand all the areas where you need to be protected.
One of our biggest problems is a lack of education, information, and effort. 90% of IT companies know very little about security, and they operate in a reactive break/fix, band-aid model. This article focuses on mid-market and enterprise businesses but applies to anyone from a single computer user up to a large company with many users and locations. There are several different layers where your data could be exposed and where you could be attacked. I will try to cover most of them.
Let’s start with protecting your network at the WAN and LAN boundary. This is where traffic flows in from the Internet and out to the Internet. We nerds call this ingress/egress; it is also called North/South traffic. The simplest and most effective thing you can do here is to use a real firewall. I don’t mean some cheapo that you can buy at Walmart, or whatever your local IT guy is peddling. We do not need to be thinking cheap here. A real firewall has a strong reputation in the enterprise world (think Gartner Magic Quadrant), has significant development behind it, and has the processing power to inspect ingress/egress traffic with no noticeable slowdown for the end user. A real firewall will provide firewall, IPS, NGFW, UTM, SSL VPN and sandbox features, and will be able to process all of that at the full rate of your internet connection.
We provide, sell, support, and manage FortiGate and Cisco firewalls. When I say Cisco, I mean Cisco ASA, not the junk you can buy at the store. We choose these vendors for many reasons: they meet and exceed all of these requirements, are easy to understand, and are always listed in the upper right of the Gartner Magic Quadrant. There are a few others, such as Palo Alto and Check Point, that are quality enterprise firewalls with an excellent reputation and constant development. My go-to firewall is the Fortinet FortiGate. They have models to fit needs from the home office all the way up to the largest enterprise. JMF provides these as a managed service that includes all updates, UTM packages, monitoring, support, and emergency replacement. This, in my opinion, is the way to go: the annual UTM licenses for these firewalls can get expensive, and if you want the firewall set up correctly and kept updated, a good MSP like JMF Networks will do it all for you. There are a few quality managed service providers and value-added resellers out there, so do your homework and choose the right firewall from the right partner. Support and maintenance are just as important as features and setup.
Once you have the correct firewall and an expert has configured it to use all the necessary features, it is time to think about your internal network. The biggest areas of concern involve local access. Cisco’s recommended switch settings exist for good reason. They recommend that any unused ports be shut down and placed on a VLAN that is not in use. This is easy to do, and just about any managed switch has this capability. We always use Cisco switches, for several reasons. If you are just using your firewall as a switch, this is also easy to do in any real firewall appliance. To do this properly you need to separate your local LAN traffic into some basic VLANs and protect yourself, your devices, and your guests from each other. I suggest 3 or 4 VLANs with different rules.
- VLAN 100 – Family or Corporate network – Secure rules to protect most users.
- VLAN 200 – Secure Network – Ultra secure, with rules for maximum protection. This is where your data-sensitive devices go.
- VLAN 300 – Network devices such as VoIP phones & IP Cameras. Protect the physical connection. For example, if you have outdoor network cameras, someone should not be able to plug that cable into their device and get direct access to VLAN 100 or 200.
- VLAN 400 – Guest access – Put all your guests and other unsecured devices on this network. Do not allow any access to anything other than the internet.
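The switch side of this design, as an added example that is not from the article or from JMF: Cisco IOS access-switch configuration that defines the four VLANs above, parks unused ports on a dead VLAN as the Cisco recommendation describes, and locks the outdoor-camera port to one device so that cable cannot be reused to reach another VLAN. Interface names, the uplink port and the parking VLAN number 999 are assumptions.

```text
! Added example (not the article's own config). Port numbers and VLAN 999 are assumed.
! VLANs from the article plus a parking VLAN that carries no traffic.
vlan 100
 name CORPORATE
vlan 200
 name SECURE
vlan 300
 name DEVICES
vlan 400
 name GUEST
vlan 999
 name UNUSED-PARKING
!
! Every unused port: access mode, dead VLAN, no trunk negotiation, shut down.
interface range GigabitEthernet1/0/13 - 24
 description UNUSED
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Outdoor camera: VLAN 300 only. Port security learns the camera's MAC once;
! a different device on that cable trips the violation and the port shuts down.
interface GigabitEthernet1/0/5
 description OUTDOOR-CAMERA
 switchport mode access
 switchport access vlan 300
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the firewall carries only the four live VLANs; inter-VLAN rules
! (for example, guest gets Internet only) are enforced on the firewall.
interface GigabitEthernet1/0/1
 description UPLINK-FIREWALL
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300,400
 switchport nonegotiate
!
! Checks: unused ports should show "disabled"; the camera port should list
! one sticky MAC and a violation count of 0.
! show interfaces status
! show port-security interface GigabitEthernet1/0/5
```

A port shut down by a port-security violation stays err-disabled until an administrator re-enables it, which is also the signal that someone tried to use that cable.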
Once your VLANs are in place, it is time to secure your Wi-Fi network. Once again, use Wi-Fi equipment with enterprise capabilities. I like Ubiquiti and Fortinet. At a minimum, you should have 4 SSIDs tied to your 4 VLANs. Always use WPA2/AES with very strong passwords. Anything less, including any “backwards compatibility” settings, can be a major security risk. If you are an advanced user or a corporate user, you may want to use 802.1X with EAP. We will not go that deep here. The point is to separate your traffic and use the best encryption possible.
Use IPv6 as much as possible. IPv6 is the new addressing space for the Internet. Every major provider, every major web application, most of your devices, and most ISPs have IPv6 readily available. The JMF network is dual-stacked IPv4 and IPv6 everywhere. IPv6 is more secure for many reasons. One reason is that there are 18 quadrillion IPs per network segment. It is mathematically impossible to scan all of those IPs to find a vulnerable machine. Your computer, iPhone, Android phone, and pretty much every other network device is already IPv6 aware. Most people use Windows, and your Windows computer can do some cool things with IPv6. It can hold multiple addresses on one interface and let specific applications use different ones. This makes it significantly harder for an attacker, a sniffer, or any other bad actor to figure out information about your computer and your network. IPv6 can also facilitate end-to-end encryption, gets rid of broadcast, and has been completely redesigned for the modern Internet. The great part is that once it is set up, it is totally transparent to the end user.
Get this: there are about 4 billion global IPv4 addresses. A powerful computer with a 10Gb connection could scan the entire IPv4 internet in about 30 minutes. IPv6, however, has 340 undecillion addresses. That is one huge number! Even with some very advanced techniques it would take 69,000 years to scan all IPv6 addresses. Using IPv6 is a must. If your firewall or provider does not support IPv6, then you need to change both.
Use a secure VPN any time you are not on your own corporate or home network. Take the extra step of forcing all your traffic through the secure network environment you’ve set up to protect yourself. You are doing several things here: you are protecting yourself while on third-party networks, and you are encrypting all of your traffic all the time. If you are away, you need to use your VPN, and that VPN needs to be SSL. An SSL VPN will be included with any enterprise-grade firewall. Once set up, it is a click of a button to activate. Your VPN can and should be used on your computer, tablet, and phone. A VPN connects you to your trusted network, uses all the protections you have built in, and encrypts all of your traffic.