If you’re in charge of creating some kind of security barrier between your local networks and the internet, the challenge is to decide where on the spectrum you’re going to land with regard to the network traffic you are going to allow or deny.
For that barrier to have any practical value, it almost certainly cannot be the cherubim with the fiery sword that guards the Garden of Eden. But you don’t want it to be the George Washington Bridge, either.
Take heart: there are billions of devices and users connected to the internet, and if you’ll allow the punchline of the joke about the bear chasing two friends to paint a picture for you, “I just need to be faster than you.”
I’m going to encourage you to stop, take a moment to put on some running shoes, and take some small steps that will put your network security at a different level than other easier targets.
No go, “Joe”
The first thing to change on any system that sees the internet is the use of a common user name and simple passwords.
Contrary to popular thought, hackers rarely focus on a single system. They have computer scripts that knock on thousands of network doors all at once with a list of the most common user names, passwords and combinations thereof, attempting to gain access to computer systems in the hope that they’ll hit one and get in.
Do you have user accounts with names like “admin,” “owner” or “joe”? What about password security? A recent report from Microsoft revealed that on some specialty honeypot servers that help them recognize trends, only 6% of brute-force attacks tried a password that was 10 characters, and only 7% tried passwords with special characters in them.
This simple change alone helps you to avoid nearly 93% of username/password attacks.
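One way to see those scripted knocks in your own logs, as an added example that is not part of the original article: it tallies failed sshd logins per user name and per source, then reports which of your accounts share a name with a scripted guess list. The log lines are constructed, and the account name tx-eng7 and the three-name threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches sshd lines such as:
#   Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
Mar  3 02:11:07 gw sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 02:11:09 gw sshd[811]: Failed password for invalid user owner from 203.0.113.5 port 51240 ssh2
Mar  3 02:11:12 gw sshd[813]: Failed password for joe from 203.0.113.5 port 51251 ssh2
Mar  3 02:11:15 gw sshd[815]: Failed password for root from 203.0.113.5 port 51260 ssh2
Mar  3 02:14:40 gw sshd[901]: Failed password for joe from 198.51.100.7 port 40022 ssh2
Mar  3 08:30:02 gw sshd[990]: Accepted password for tx-eng7 from 192.0.2.10 port 50000 ssh2
Mar  3 08:31:44 gw sshd[992]: Failed password for tx-eng7 from 192.0.2.10 port 50011 ssh2
""".splitlines()


def tally(lines):
    """Return (failed attempts per user name, distinct names tried per source)."""
    per_user = Counter()
    per_source = defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_user[m["user"]] += 1
            per_source[m["src"]].add(m["user"])
    return per_user, per_source


def spraying_sources(per_source, min_names=3):
    """Sources that tried many different names: a script walking a list, not a typo."""
    return sorted(s for s, names in per_source.items() if len(names) >= min_names)


def targeted_local_accounts(local_accounts, per_source, min_names=3):
    """Local accounts whose names appear in a spraying source's guess list."""
    guessed = set()
    for src in spraying_sources(per_source, min_names):
        guessed |= per_source[src]
    return sorted(guessed & set(local_accounts))


if __name__ == "__main__":
    users, sources = tally(SAMPLE_LOG)
    print("most-tried names:", users.most_common(3))
    print("rename or lock down:", targeted_local_accounts(["joe", "tx-eng7"], sources))
```

Accounts the last function returns are the ones to rename first, since the scripts already have half of the credential.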
It is relatively simple to create secure passwords. Up-shift characters to the left or right so that the password “securenetwork” becomes “w3d743h35294i” (up-shifted to the left), or string a sentence together: “IloveJifpeanutbutter!”
Very secure, but still easy to remember.
Another simple suggestion is to make a point of running updates on your machines at least once a week. A number of exploits that run loose on the internet are weeks or months old. Although router firmware doesn’t get updated as frequently, it still gets updated, and those bug fixes may be the difference between your system being safe or getting overrun by traffic.
The model for most software vendors in the modern era is that some bugs are show-stoppers and some can be fixed with an update. As long as no show-stoppers are present, it gets packaged and sent.
It is imperative that updates are run on a regular basis. While we’re on that subject, make sure you’re getting those updates from a legitimate source.
This is particularly true for hardware drivers. As long as a hardware manufacturer is supporting their hardware, updated drivers should be a part of their support page.
It is worthwhile to check semi-regularly to see whether updated BIOS patches, display, network, audio or other drivers have been created to fix their issues or nullify problems seen in the operating system they run on.
Get behind the wall
A third step to securing your network is the use of firewalls. This may be a firewall that is on your router or another machine that sits right behind the router that stands as a guardian between the internet and anything on your network.
Newer routers are robust and often contain a high level of security burned into their firmware. You can also reference an article about ClearOS that I wrote 10 years ago (!) for Radio World.
We still use ClearOS in all of our markets, and it has been invaluable in helping us keep internet cruft from getting onto our networks.
There are also companies that offer firewall services that you can purchase that redirect your internet traffic through their filters before it gets handed off to your network, what some call “sandboxing.”
What about the firewall on your local machine? It actually may be time to turn on your operating system firewall, and if it is already on, take a close look at what services the firewall is letting through. In the name of network security, the days of blindly clicking the “allow” button so that you can get on to using a particular program need to become a chapter in history.
After the firewall step has been accomplished, the closely related next step is to take a hard comparative look at which ports and services are open versus which ones really need to be open.
The idea is to limit the attack surface that your network is presenting to the internet by minimizing the number of service ports you have available.
Accomplishing that task is done in several ways. At one time, you may have needed that port forwarded to a device behind your firewall. Do you still have that piece of hardware, and is it being used? More commonly, is the employee who needed the service still with us, or do we still need access that way?
Are you using standard port numbers for those services (80/HTTP, 443/HTTPS, 22/SSH, 21/FTP …)? So are the hackers that are trying to gain access to your network or devices.
Firewall port forwarding allows non-standard ports on the outside to be translated to those normal ports on the inside. For instance, forward port 41022 on the outside to port 22 on your LAN. This is another fantastic way to significantly cut down unwanted incursions into your networks.
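The review described above can be run against the firewall's own rule dump. This added example (not from the original article) parses port forwards from iptables-save output and flags forwards to hosts nobody still needs, plus services left on a standard outside port; the rules, addresses and the STILL_NEEDED inventory are constructed for illustration.

```python
import re

# The standard ports the article lists as the ones scanners try first.
STANDARD_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP", 443: "HTTPS"}

# A DNAT (port-forward) rule as written by iptables-save.
DNAT = re.compile(
    r"-A PREROUTING\b.*?-p (?P<proto>tcp|udp)\b.*?--dport (?P<ext>\d+)\b"
    r".*?-j DNAT --to-destination (?P<host>[\d.]+)(?::(?P<int>\d+))?"
)

# Constructed iptables-save excerpt (private addresses), not a real config.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 41022 -j DNAT --to-destination 192.168.1.20:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.45:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.60:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
""".splitlines()

# Hypothetical inventory: internal hosts that still exist and still need inbound access.
STILL_NEEDED = {
    "192.168.1.20": "transmitter remote control",
    "192.168.1.45": "legacy FTP drop",
}


def parse_forwards(lines):
    """Extract (proto, outside port, inside host, inside port) from DNAT rules."""
    forwards = []
    for line in lines:
        m = DNAT.search(line)
        if m:
            ext = int(m["ext"])
            # With no ":port" in the target, the inside port equals the outside port.
            forwards.append((m["proto"], ext, m["host"], int(m["int"] or ext)))
    return forwards


def audit(forwards, still_needed):
    """Return (outside port, finding) for forwards that should be removed or moved."""
    findings = []
    for _proto, ext, host, _inside in forwards:
        if host not in still_needed:
            findings.append((ext, f"no current owner for {host}: remove the forward"))
        elif ext in STANDARD_PORTS:
            findings.append((ext, f"{STANDARD_PORTS[ext]} exposed on its standard port"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_forwards(SAMPLE_RULES), STILL_NEEDED):
        print(port, finding)
```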
There is a myriad of other things that can be done for network security, and they increase in difficulty by several factors. The simple steps outlined above can go a long way toward securing your network. They have worked well for us and have kept our networks free from attacks that might otherwise have crippled them.
The author is an engineer for Crawford Broadcasting and is based in Birmingham, Ala.