Low-Cost Ways to Make Your Network More Secure

Monday, November 26, 2012

Marc Quibell


Believe it or not, there are IT security improvements you can introduce to your network that are seamless, low-cost, don't present a new burden to your users, and/or are easy to implement. So, in between your major IT security projects that may or may not happen, why not improve your security posture and lower your overall risk?

Warning: These suggestions may cause your IT staff to work a little harder.


Implement email TLS encryption between business partners and others

Enabling opportunistic TLS on your email servers is really just a matter of turning on a switch. Hit the "ON" radio and set it to opportunistic mode, so that TLS is negotiated whenever the other host supports it and mail still flows in clear text to hosts that don't (nothing breaks). It's really that simple, and no one even notices, except you.
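What that switch looks like on a Postfix mail server, as an added example that is not from the article: the commented "before" lines show TLS turned off, and the lines below them enable opportunistic STARTTLS in both directions. The certificate and key paths and the host name are placeholders.

```ini
# /etc/postfix/main.cf -- opportunistic STARTTLS (added example; the
# certificate/key paths and host name are placeholders, not real values)

# Before: TLS neither offered to senders nor attempted to recipients,
# so every message is relayed in clear text
#smtpd_tls_security_level = none
#smtp_tls_security_level  = none

# Inbound (smtpd): offer STARTTLS to connecting servers but still accept
# clear-text sessions from servers that cannot encrypt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key

# Outbound (smtp): use STARTTLS whenever the remote server advertises it,
# fall back to clear text when it does not
smtp_tls_security_level = may

# Remember which destinations offered STARTTLS, so partners that always
# do can later be raised to mandatory "encrypt" via smtp_tls_policy_maps
smtp_tls_note_starttls_offer = yes

# One log line per TLS handshake, so the upgrade is visible in the mail log
smtpd_tls_loglevel = 1
smtp_tls_loglevel  = 1
```

Apply the settings with `postconf -e` (or by editing main.cf) followed by `postfix reload`, then watch the mail log for "TLS connection established" lines to confirm partners are negotiating encryption; any partner that never shows up there is still talking to you in clear text.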

If you have a large enough network, implement VLANs within your network

Help contain the spread of broadcast-based viruses. The key here is to decrease the size of your broadcast domains. Look, implementing VLANs on an existing flat network is not a big deal and you can always move things gradually to their own assigned VLANs. All you need are switches/routers that support VLANs and VLAN routing/trunking. Follow these simple ITSEC segmentation guidelines for your internal network:

  • Workstations in their own VLAN (could also be divided, depending on your size)
  • File Servers in their own VLAN
  • Internal Web Servers in their own VLAN
  • Database Servers in their own VLAN
  • SOX, PCI, HIPAA and/or other servers containing sensitive information in their own VLAN (this makes it much easier to implement additional security controls and logging, and it makes it easier for everyone to identify those "kid gloves" resources)
  • You know, VLANs are free so, use them.

Prevent rogue wireless access points and other rogue LAN devices/computers

Implement port security, or at least turn off the ports that are not in use. You only want your company devices on your network, not personal devices, personal hubs or switches, or wireless access points. This will significantly lessen your risk of malware infection or even malicious intent. No one should be able to walk into your business and plug something in without your permission. Likewise, no one should be able to connect to your private wireless.

Put at least ONE Intrusion Prevention/Anti-Malware appliance in-line

Put an IPS on your Internet edge, and put it in blocking mode! I installed IPS appliances ten years ago and turned on blocking right at the start. I never had any serious issues. But wow, the things that were blocked... This adds a significant security layer to your network and lowers your overall risk score, and IPS appliances are not very expensive. Just remember that an edge IPS won't be very effective against internal malware attacking internal targets, but it helps mitigate the risk of malware reaching the internal network in the first place.


Keep everything patched

Develop a patching process/procedure that works for all machines, all operating systems, all services. The more you stay patched, the fewer chances there are of being exploited. Again, this just takes time and effort, and not really a whole lot of money.


Get rid of clear-text logins

Not a really high risk, but as a best practice, no one should be running telnet, FTP, or anything else involving clear-text logins, even on the internal network. Use the encrypted alternatives.
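The VLAN segmentation list, the port-security advice and the no-clear-text-logins point above, pulled together in one switch configuration as an added example in Cisco IOS syntax (not from the article). The VLAN numbers and names, the 10.<vlan>.0.0/16 address plan, the interface names and the "parking" VLAN 999 are all assumptions; the ACL is the piece Beau's comment below rightly says you must not skip.

```cisco
! Added example Cisco IOS switch configuration; VLAN numbers/names,
! addresses and interface names are assumptions, not from the article.
!
! --- VLAN segmentation: one VLAN per role, one unused VLAN for parking ---
vlan 10
 name WORKSTATIONS
vlan 20
 name FILE-SERVERS
vlan 30
 name INTERNAL-WEB
vlan 40
 name DATABASE
vlan 50
 name SENSITIVE-DATA
vlan 999
 name PARKING
!
! --- Inter-VLAN ACL applied to workstation traffic ---
! Workstations reach only the services they need; direct access to the
! database and sensitive-data VLANs is denied and logged, which is also
! where the "additional logging" for those resources comes from.
ip access-list extended WORKSTATIONS-OUT
 remark SMB to file servers
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 445
 remark HTTPS to internal web servers
 permit tcp 10.10.0.0 0.0.255.255 10.30.0.0 0.0.255.255 eq 443
 remark no direct workstation access to database or sensitive VLANs
 deny   ip 10.10.0.0 0.0.255.255 10.40.0.0 0.0.255.255 log
 deny   ip 10.10.0.0 0.0.255.255 10.50.0.0 0.0.255.255 log
 remark everything else (internet etc.) still allowed as a starting point
 permit ip any any
!
interface Vlan10
 ip address 10.10.0.1 255.255.0.0
 ip access-group WORKSTATIONS-OUT in
!
! --- Port security on a workstation access port ---
! One learned MAC address per port; a second device (personal hub, AP,
! laptop) shuts the port. BPDU guard shuts it if a switch is plugged in.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Unused ports: park in the unused VLAN and shut them down ---
interface range GigabitEthernet1/0/40 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- Management access: SSH only, no telnet ---
ip ssh version 2
line vty 0 15
 transport input ssh
```

Roll this out the gradual way the article suggests: create the VLANs and the ACL first, move a few machines at a time, and review the `log` hits on the deny lines before tightening the final `permit ip any any`, so nothing fails silently.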

Do not make your users local admins of their workstation

And if users are already admins, plan to move them out.

This is probably the most annoying, ugly, and/or nasty recommendation I would make. It can be highly burdensome on the users, but sometimes that is necessary. If you value your company's data and your customers' data, heed this advice. You can save your company a lot of money and heartache by taking this simple, necessary step, if it's feasible (and it usually is). You can take your time and migrate the users gradually.

Get checked out

And finally, you wouldn't believe how many things I find wrong with customers' websites and even internal networks that have allowed me to just waltz right in... You can never know how easy or difficult it is to get into your network unless you hire reliable people to occasionally scan you, internally and externally. And it's not very expensive at all. Hire a reliable, third-party penetration testing organization (such as the company I work for, Redspin.com, or make your own choice) that will put your controls to the test. With the results, you can prioritize and concentrate on the areas that need the most work.

Beau Woods: I agree with most of these recommendations and have made many of the same myself in an upcoming book. A couple of these, as you say, will have IT staff working a bit more up front, with the trade-off being reduced support costs in the long run. It's important too with the potentially workflow-changing recommendations (taking away Local Administrator rights, for example), to clearly communicate with the organization, get their feedback and to work closely with potential problem areas so things don't just break all of a sudden. And that's a great opportunity for the IT staff and management to humanize themselves to the business.

But the recommendation to implement VLANs can potentially be one of the largest and longest IT projects an organization can undertake. This can be a massively complex process that has the potential to break lots and lots of mission critical systems and applications. Aside from just assigning new IPs to systems that may not cope well (think hard-coded IP addresses in custom applications), you can also run into tons of delays and unexpected issues with your Access Control Lists (...you are going to put ACLs on those VLANs, right? Otherwise what's the point?). Yes, it can hugely increase security, but it's hardly cheap for an organization of any size. And in many cases it can actually INCREASE organizational risk. Think availability and/or mechanisms that fail silently and aren't discovered for weeks/months.

But as I said, all-in-all a good set of recommendations.
Marc Quibell: Hey Beau - good thoughts! My main purpose for VLANs is this: Increase network performance, decrease the size of broadcast domains (for performance and to limit the spread of broadcast-based worms), and of course security (Limit access, applications of security controls (both of these would use ACLs) and to isolate for monitoring purposes/logging). I agree VLAN implementation can be a real pain in some cases, and that is why perhaps a gradual shift is in order. VLANs could easily, slowly, become introduced into the network where new machines could take advantage of them. At least start creating them and populate them gradually! Thanks again!