Some Security is Free and Easy, and We Still Don’t Use it!

The biggest concern in Information Technology today is the security posture of your systems. Servers, switches, routers, clients, and a whole host of devices are under constant attack. We have to secure the network and the systems on it, but it costs too much and it is too difficult. That is partially true. First thing to remember is, we do not have to build Fort Knox. We need to make it difficult for attackers to get in. The time it takes for an attacker to get what they want has to be worth the cost of the time. So, you do not have to make it impossible to get, just not worth their time.

The most important thing you can do is patch your systems. Most exploits are based on vulnerabilities due to a lack of patching of the OS or third-party software. Microsoft has a free tool called WSUS (Windows Server Update Service). It is free if you own the OS and most of you do. This server pushes OS updates to systems it controls. It is easy to manage and setup in an AD environment. If you have a small business, make sure Windows Updates is enabled and that it actually is doing updates once a week. Most third-party software has an auto update feature and all you need to do is turn it on. If you want to manage this installation, you can use a tool like SCCM (System Center Configuration Manager). This is a Microsoft tool that does patching, software, and configuration deployment. It is a bit difficult to build the packages, but is a necessity in large environments.

Now on to my favorite place, the network. There are several things we can do to secure the network that are free and easy. First is get rid of Telnet. If you are still running Telnet, you are wrong. Setup SSH, test it, and then cut off Telnet. Too easy! Now we can move on to things like DHCP snooping, BPDU Guard, and Port Security. DHCP Snooping helps to stop rouge DHCP servers from issuing out bogus IP Addresses into your network effectively causing a DoS attack. BPDU Guard looks for BPDUs on a port. If it sees a BPDU from another switch, it can put the port in an error-disabled state. Port Security, stops unknown devices from gaining access to your network. It does this by locking down a port to a specific MAC Address and only allows a specific number of new addresses to be added. For example, if port 1 is set to allow one MAC Address, the first device that connects has its address added to the database. Any other device that tries to connect to that port is denied access. I know you can spoof a MAC Address, but remember it is not about stopping them, it is about making it hard for them. The last thing is Access Lists (ACLs). These can be difficult at times but are free. If you start simple and work your way up, it will be easier. Start by restricting who can access the management of the devices by SSH and SNMP. Then move to securing Guest access and critical networks. Then move to ports and protocols. This is easily done with a firewall, but they cost money.

For wireless security, it is usually either free and hard or easy and cost money. The first and most important thing I will say about wireless is do not have an open SSID. You might as well let them come in and plug up to the network and be left alone. I know that WEP and WPA can be broken, but it is about their time and this is a good speed bump. These things may not stop some script kiddie from trying to break your keys, but they are usually not stealing information or doing damage. If you have an AD network, you can easily secure access with a version of EAP. EAP can be done with certificates (harder) or passwords (easier) to help secure and ease the access to the wireless network.

In conclusion, there are a lot of things you can do to help put speed bumps in the road for attackers. I will say that Antivirus and anti-malware are also necessary, but they are also not free and usually not easy to keep up to date. Firewalls on devices like Windows Firewall are a free speed bump as well. Security does not have to be the impossible task. Take it one piece at a time. Something is always better than nothing.

 

David Ellis
Systems Engineer
Ruckus Networks/Brocade

Leave a Reply

Your email address will not be published. Required fields are marked *

Leave a Reply

Your email address will not be published. Required fields are marked *