
8 ways to improve wired network security

Eric Geier | March 18, 2014
Here are some basic security precautions you can take for the wired side of the network, whether you're a small business or a large enterprise.

Though deploying 802.1X authentication wouldn't encrypt the Ethernet traffic, it would at least stop anyone from sending on the network or accessing any resources until they've provided login credentials. You can also use the authentication on the wireless side to implement enterprise-level WPA2 security with AES encryption, which has many benefits over the personal (PSK) mode of WPA2.

Another great benefit of 802.1X authentication is the ability to dynamically assign users to VLANs.

To deploy 802.1X authentication you first need a Remote Authentication Dial-In User Service (RADIUS) server, which basically serves as the user database and is the component that authorizes or denies network access. If you have a Windows Server you already have a RADIUS server: the Network Policy Server (NPS) role, or in older Windows Server versions the Internet Authentication Service (IAS) role. If you don't have a server already, you could consider standalone RADIUS servers.
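Dynamic VLAN assignment is conventionally signalled in the RADIUS Access-Accept with three attributes defined for this purpose in RFC 3580: Tunnel-Type (64) set to VLAN (13), Tunnel-Medium-Type (65) set to IEEE-802 (6), and Tunnel-Private-Group-ID (81) carrying the VLAN ID. The Python below is an added example, not code from the original article; it parses a reply and reports which VLAN it assigns, and the sample packet and the VLAN ID 30 are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value), ...]) after validating every length field."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # attributes start after the 16-octet authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def assigned_vlan(packet: bytes):
    """VLAN ID the reply assigns, or None if it is not a complete VLAN assignment."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    first = {}
    for a_type, value in attrs:
        first.setdefault(a_type, value)  # this example reads only the first tunnel
    t_type, medium = first.get(TUNNEL_TYPE, b""), first.get(TUNNEL_MEDIUM_TYPE, b"")
    group = first.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    # Tunnel-Type and Tunnel-Medium-Type carry one tag octet plus a 3-octet value.
    if len(t_type) != 4 or int.from_bytes(t_type[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != MEDIUM_IEEE_802:
        return None
    if group and group[0] <= 0x1F:  # leading octet treated as a tag here, not VLAN text
        group = group[1:]
    return group.decode("ascii") or None


def build_accept(attrs, code=ACCESS_ACCEPT):
    """Constructed test packet: zeroed authenticator, so it would not pass a real client."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


SAMPLE = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"30")])
```

A reply that authenticates the user but omits any of the three attributes returns `None` here, which corresponds to the port staying in whatever VLAN the switch is configured to use by default.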

For more about 802.1X authentication, check out two of my previous articles: 6 secrets to a successful 802.1X rollout and 8 no cost/low cost tools for deploying 802.1X security.

7. Use VPNs to encrypt select PCs or servers
If you're really looking to secure network traffic, consider using encryption. Remember, even with VLANs and 802.1X authentication, someone can eavesdrop on the network (VLAN) to capture unencrypted traffic that could include passwords, emails and documents.

Although you can encrypt all the traffic, first analyze your network. It might make more sense to encrypt only the communications you deem most sensitive that aren't already encrypted by other means, such as SSL/HTTPS. You can pass the sensitive traffic through a standard VPN on the client, which could be used just during the sensitive communication or forced to be used all the time.

8. Encrypt the entire network
You can also encrypt an entire network. One option is IPsec. A Windows Server can serve as the IPsec server and the client capability is natively supported by Windows as well. However, the encryption process can be quite an overhead burden on the network; effective throughput rates can drop dramatically. There are also proprietary network encryption solutions out there from networking vendors, many of which use a Layer 2 approach instead of Layer 3 like IPsec to help with reducing latency and overhead.

