Finding and Fixing Security On Your Network Perimeter

When I last wrote on the risk to your network security from the fax feature in multifunction devices, it was a surprise to many readers that the telephone line could be a means of attacking network security. In fact, there were some readers who never realized their multifunction devices even had a fax function and that an analog phone line might be connected. But if that made you feel uncomfortable, then get set to feel your skin crawl: that's just one potential hole in your network security; there are many others.

The fax vulnerability exists on the perimeter of your network, which is the part that faces the outside world. This is the part of your network where your primary router communicates with the internet. It's also the part that you definitely try to protect with a firewall. If all were going according to plan, then that connection to the internet would be the entirety of your perimeter. But things don't always go according to plan.

A Menu of Common Security Holes

That's because we live in the age of the rogue router. While your primary router is supposed to be the gateway to the outside world and your internal routers serve to segment your network, there are sometimes routers that exist on your network that you didn't put there or that weren't shut down as your network evolved. In some cases, there are routers that just showed up because nobody realized they were routers.

Many rogue routers are the result of someone in your company wanting better Wi-Fi coverage, so they go to the store and buy a router that they put in their office and attach to the wired network. They get the fast Wi-Fi they wanted and you get a router you didn't authorize, and that almost certainly doesn't comply with your security policy. If you look up "network security hole" in your Encyclopedia of Network Problems, there's a picture of this router.

Unfortunately, there are many other ways to punch holes in your network security. For example, if you have employees who use a virtual private network (VPN) to connect to your network remotely but who are also on a network at the remote site, then the router at the remote end could be a means of access into your network. This problem hearkens back to the days before personal VPNs became ubiquitous. Back then, IT staffers would sometimes initiate a VPN between an employee's home router and a router in the data center. This is a basic version of remote access and there are many variations on it, but the upshot is that now the employee's home router is actually on your network. Even with a VPN tunnel protecting traffic between those two points, it's still possible for the home router to be used as an access point from which to compromise the corporate network.

And then there's the problem of the dual-homed computer. This happens when a computer with multiple network interface cards is attached to separate networks and one of those networks is outside of your perimeter. One example that you hear about frequently is when someone has a laptop connected to both the Wi-Fi network and the wired network, though this isn't necessarily a security problem if both networks are inside the same perimeter. Then again, if the user is in a hotel, for example, and connects using both his or her wired and wireless connections and establishes a VPN connection using just one of those interfaces, then you've got a user with one foot outside the perimeter.
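The dual-homed case above is easy to state and tedious to find by hand. The script below is an added example (not from the article) that applies the rule to constructed endpoint-inventory records: an endpoint that has an address inside the perimeter (directly or through a VPN tunnel) while also holding an active, non-tunnel interface outside the perimeter is flagged. The one outside interface that carries the VPN tunnel is expected and is exempted; the inventory format, the `vpn_transport` field and the `INSIDE_NETS` range are assumptions.

```python
"""Find endpoints with one foot outside the network perimeter.

Added example, not from the article. Host records are constructed and assume an
endpoint agent reports each active interface with its address and, when a VPN
tunnel is up, which physical interface carries that tunnel.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumption: address space that counts as "inside" the perimeter
# (the corporate LAN and the VPN address pool both live in 10.0.0.0/8 here).
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Interface:
    name: str
    address: str            # "ip/prefix" as reported by the endpoint
    is_tunnel: bool = False  # True for the VPN virtual interface itself


@dataclass
class Host:
    name: str
    interfaces: List[Interface]
    vpn_transport: Optional[str] = None  # physical interface the tunnel rides on


def is_inside(iface: Interface) -> bool:
    """True when the interface address falls within the perimeter address space."""
    addr = ipaddress.ip_interface(iface.address).ip
    return any(addr in net for net in INSIDE_NETS)


def perimeter_straddlers(hosts: List[Host]) -> dict:
    """Return {hostname: [names of outside, non-tunnel interfaces]} for hosts that
    are inside the perimeter on one interface and outside it on another."""
    findings = {}
    for host in hosts:
        inside = [i for i in host.interfaces if is_inside(i)]
        outside = [i for i in host.interfaces if not is_inside(i) and not i.is_tunnel]
        # The interface carrying the VPN tunnel has to be outside; any other
        # outside interface is the "foot outside the perimeter".
        extra_outside = [i.name for i in outside if i.name != host.vpn_transport]
        if inside and extra_outside:
            findings[host.name] = extra_outside
    return findings


# Constructed sample inventory.
SAMPLE_HOSTS = [
    # Office laptop on corporate wired and corporate Wi-Fi: both inside, fine.
    Host("office-desk", [Interface("eth0", "10.1.4.20/16"),
                         Interface("wlan0", "10.1.8.5/22")]),
    # Remote worker: home Wi-Fi carries the tunnel, nothing else is outside.
    Host("home-worker", [Interface("wlan0", "192.168.1.23/24"),
                         Interface("tun0", "10.50.0.13/16", is_tunnel=True)],
         vpn_transport="wlan0"),
    # Hotel: VPN over the wired port, hotel Wi-Fi still up alongside it.
    Host("hotel-laptop", [Interface("eth0", "172.16.5.20/24"),
                          Interface("wlan0", "192.168.43.7/24"),
                          Interface("tun0", "10.50.0.12/16", is_tunnel=True)],
         vpn_transport="eth0"),
    # Desk machine on the corporate LAN that also joined a phone hotspot.
    Host("hotspot-desk", [Interface("eth0", "10.1.4.30/16"),
                          Interface("wlan0", "192.168.43.9/24")]),
]

if __name__ == "__main__":
    for name, ifaces in perimeter_straddlers(SAMPLE_HOSTS).items():
        print(f"{name}: outside-perimeter interface(s) active: {', '.join(ifaces)}")
```

Feeding the constructed inventory through `perimeter_straddlers` reports `hotel-laptop` and `hotspot-desk` with `wlan0` as the offending interface, and leaves the two well-behaved hosts alone.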

And, of course, there's the cloud, which is likely attached to your internal network either through servers that reach it over the internet or through a VPN from your network. While most cloud sites are no less secure than your internal network (and are likely more secure), you have to remember to enable perimeter security on your cloud service. That means including firewalls and other cloud security options as part of your cloud configuration.

Security Hole Whack-a-Mole

Since it's likely that you have at least a couple of these perimeter problems in your network, the next step is finding them. The short answer is that there's no single way to find all of them, but there are a couple of things you can do, and they involve sniffers.

First, use a network monitoring application, and let it create a detailed map of your network. This can take a while as the app listens to your network traffic, and from that, discerns what nodes exist on your network and what sort of network exists beyond them. When I ran the Spiceworks Network Monitor during my upcoming review of these kinds of tools, I found that, not only does it find everything on the network, but it also finds what's outside of the network (if there's any sort of traffic coming from there). Even better, once it's gathered all of that information, it displays it on a graphical network map.
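A monitoring tool that maps the network is doing, at bottom, what the added example below does: watching who sources traffic on the segment and inferring what sits beyond each device. This script is not from the article or from any product it names. It applies two heuristics to constructed frame observations, both of them assumptions: a local MAC address that sources packets carrying a non-local source IP is forwarding for another network, and a local MAC that sources packets whose IP TTL is one below a common OS default (64, 128 or 255) is passing traffic that has already crossed one hop, which is what a consumer Wi-Fi router doing NAT looks like from the wired side. Any forwarding MAC not on the authorized router list is reported as a rogue router. The TTL rule will misfire on hosts with non-default TTLs, so treat its output as a lead to verify, not a verdict.

```python
"""Flag likely rogue routers on a flat segment from observed frames.

Added example, not from the article or from any tool it mentions. The frame
samples, subnet and authorized-router list are constructed; the two detection
heuristics are assumptions described in the comments.
"""
import ipaddress
from collections import defaultdict

LOCAL_SUBNET = ipaddress.ip_network("10.1.0.0/16")                    # constructed
AUTHORIZED_ROUTERS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}      # constructed inventory
DEFAULT_TTLS = {64, 128, 255}  # common initial TTLs; a value one below means one hop crossed

# Constructed observations: (source MAC, source IP, IP TTL) seen on the segment.
SAMPLE_FRAMES = [
    ("00:11:22:aa:bb:01", "203.0.113.10", 52),    # primary gateway forwarding internet traffic
    ("00:11:22:aa:bb:02", "10.2.5.7", 127),       # internal router forwarding another segment
    ("aa:bb:cc:dd:ee:ff", "10.1.4.20", 128),      # ordinary host, default TTL
    ("aa:bb:cc:dd:ee:11", "10.1.4.21", 64),       # ordinary host, default TTL
    ("de:ad:be:ef:00:01", "10.1.9.9", 127),       # consumer Wi-Fi router doing NAT ...
    ("de:ad:be:ef:00:01", "10.1.9.9", 63),        # ... with a second client behind it
    ("ca:fe:00:00:00:01", "192.168.1.50", 64),    # unknown device forwarding 192.168.1.0/24
]


def classify(frames, local_subnet=LOCAL_SUBNET):
    """Return {mac: {"forwarded_nets": set, "nat_hints": int}} for every MAC that
    shows evidence of routing traffic for hosts other than itself."""
    evidence = defaultdict(lambda: {"forwarded_nets": set(), "nat_hints": 0})
    for mac, ip, ttl in frames:
        addr = ipaddress.ip_address(ip)
        if addr not in local_subnet:
            # Heuristic 1: a local MAC sending a foreign source IP is a router.
            # Summarised per /24 only for reporting; the real mask is unknown.
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            evidence[mac]["forwarded_nets"].add(str(net))
        elif (ttl + 1) in DEFAULT_TTLS:
            # Heuristic 2: local source IP but TTL already decremented once,
            # so a NAT device is speaking on behalf of a hidden host.
            evidence[mac]["nat_hints"] += 1
    return dict(evidence)


def rogue_routers(frames, authorized=AUTHORIZED_ROUTERS, local_subnet=LOCAL_SUBNET):
    """Routing evidence restricted to MACs that are not authorized routers."""
    return {mac: ev for mac, ev in classify(frames, local_subnet).items()
            if mac not in authorized}


if __name__ == "__main__":
    for mac, ev in rogue_routers(SAMPLE_FRAMES).items():
        nets = ", ".join(sorted(ev["forwarded_nets"])) or "none seen"
        print(f"{mac}: forwards for {nets}; NAT hints: {ev['nat_hints']}")
```

On the constructed frames the two authorized routers are recognised as routers but not reported; `de:ad:be:ef:00:01` is reported on TTL evidence alone (it NATs, so its source IP is always local), and `ca:fe:00:00:00:01` is reported because it sources packets for `192.168.1.0/24`. A real deployment would read the frames from a capture or a monitoring tool's export rather than from a list.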

Finding Wi-Fi networks is made easier by using devices such as the Netscout AirCheck G2 Wireless Tester, which can ferret out any Wi-Fi signal, even those that aren't broadcasting their service set identifier (SSID). The Netscout AirCheck G2 Wireless Tester will let you drill down into the details of the Wi-Fi device so you can tell if it's a Wi-Fi device you've authorized. Because it can tell you where the signal is coming from, it can help you locate it.

And then there's the network hole called the Internet of Things (IoT). By now you're aware that many, if not most, IoT devices are devoid of any security. These create a risk because they're easily compromised and because it's not always easy to detect that until they're used to attack you. The best thing you can do is to keep IoT devices on their own network that's separate from everything else.

There's been a lot said about the limitations of perimeter security, and for the most part, those criticisms are true. You can't simply protect your perimeter and then assume you're completely protected, especially considering the many new ways that malware can use to sneak inside. The fact is, either bad guys or bad software will probably find a way past your perimeter defenses at some point, so you need to assume that's the case and protect everything inside your network as well. That's a separate set of steps, however, which I'll cover in an upcoming column.

For now, focus on protecting your perimeter. That's step one. What you don't want is everyone who comes within range of your Wi-Fi signal being able to take a crack at your data because, while that isn't as common as it used to be in the golden age of war driving, it does still happen, especially in densely populated areas. The secret is to have strong perimeter defenses and, in addition, strong layered defenses so that, when the bad guys do get in, they can't hurt you.

This article originally appeared on PCMag.com.