Join Mark Jacob for an in-depth discussion in this video Understanding network device security, part of Understanding Device Security.
Now that, perhaps, you've got some experience on setting up, configuring your network, another thing that you have to keep in mind, whether you like it or not, is Network Device Security. If the world was a wonderful place and utopia existed everywhere, it would be "Well, just leave it on, anybody can access it." And, of course, that does not match reality at all. You have to do what's called "due diligence" and make sure you're taking steps to try to prevent unauthorized access, unauthorized changes, moving of data into incorrect paths, somebody subverting or doing a man-in-the-middle attack on your network.
These are all issues that confront today's network admin. One of the things to think about is what we'd call "physical security." In other words, who has the ability, or does anyone have the ability, to just walk up to your network devices, and, to use a phrase, "put their hand on it?" There's a common phrase that says if somebody can get their hand on your network device, they own your network device. Or a computer, same thing. No matter what kind of security you have, if they can access it, they can defeat it.
"I'll just reboot it and boot it from a USB or a boot disk, something." Same kind of idea exists in the networking world with your network device. In fact, many of them have buttons on them that if you press that button, you can erase the device, you can cause configuration changes, so starting at that layer is physical security. A good suggestion there is if you're a big enough company where you're gonna have a whole data room set aside for your networking gear, that means that if somebody wants to access your networking gear, they should have to pass through a locked door and you should know who has keys to that door.
Now, if you work for a company that's not so particularly large, another suggestion would be to install it high enough where they have to have a ladder to get to it. Because that's pretty obvious; you see somebody up on a ladder, you say, "Does that guy belong here?" Nevertheless, the idea is physical security. Another thing to keep in mind is there are people who will get jobs as maintenance or custodial type craft, not because they particularly enjoy cleaning floors, but because they know they have access to companies' internal stuff for all hours of the night with nobody there.
Of course, again, nowadays, they have cameras everywhere, and you've got to be careful who's watching you. But this is one of the reasons why, still talking about Network Device Security, the users are told, don't take your password and write it on a piece of paper and tape it to the bottom of your keyboard. Because if you have a maintenance crew that comes in and looks at the bottom of the keyboard and says, "Ah, okay, I know the password." And then they have a password that's authorized to be on the network. So that's another layer of security. In fact, to delve into it a little bit deeper, password security.
You ought to know who has the ability to access your devices. And if you have taken care of physical security, so that it's behind a locked door, or, think back to the great movie scene where they had to access the device hanging on a fishing line inside a room because there was no network access. That's the kind of perimeter you want to have. It's, "Hey, if they're gonna get in, they can't get through that door, so there has to be some other means to get there." And if it's a network device, perhaps you have enabled Telnet or SSH, some means of accessing the device remotely, which most network admins appreciate.
They think, "Hey, if there's a problem, I could be home on a Saturday and I could log in and address the issue without having to drive all the way to work." So, good stuff. That's another issue that has to be addressed: "How do I provide connectivity at a distance without infringing upon security?" Well, that would be another case where you have to have passwords in place, not just for the device itself. For instance, if I want to get into a mode that allows me to make changes to that device, I should have to know a password to do that.
And if I want to be able to access that device remotely, I should have to know a password for that, as well. So, as I mentioned, these are steps you can take which are called "due diligence." Obviously, if somebody is absolutely focused on hacking your network, then they're gonna spend a lot of time. Because think about it, your job as a network admin, you go to work in the morning, do your eight hours, go home, you have to pick up the kids from daycare, help with homework, arrange having a meal with your family. Something like that.
Where, in other words, life happens, where you're not really thinking about the network at work anymore, neither should you have to. But if somebody's hammering away against your network, if you've got one of these people living on Jolt Cola and Twinkies, they'll hammer away against your network for 48 hours straight, just for the fun of it. So you realize, who are your adversaries, who are you up against? That they're gonna be persistent. You do your due diligence. The idea is like this: I heard a guy talking about he used to be a car thief. He says, "Well, I got into comedy, I make better money at comedy, but I used to be a car thief." And he said what he would do is go through the parking lot and look for cars that were easy to steal.
An example, he says, "If I have one really nice car, pick the Maserati. Maserati's sitting here and it's got a blinking light on it, it's got a club on it, it's got the warnings on the windows, and all that kind of stuff. And the one right next to it has the door open, the keys in the ignition, and the engine running, which one do you suppose is gonna be easier to steal?" Clearly the one with the keys in the ignition and the engine running. So the idea with network security is you try to make your network less desirable, because a lot of times it's just a happenstance: "Oh, I was hacking and this network was open and I went in there." That's why I say, that's different from if you are the actual target.
If somebody focuses on your company, then of course, you're gonna have to have bigger steps in place. In fact, if you interview a network admin and say, "Hey, what network device are you using in your network to provide for security?" A lot of times the answer will be something like an ASA, a firewall, something like that. Which, of course, is a great solution because you're protecting the perimeter of your network from people being able to access you from outside your network in. But one of the things to keep in mind, kind of a last thought on network security, is imagine you are the firewall.
You're standing at the edge of your network. You think, "Alright, nobody's getting in here." You turn around and look behind you and the company is in shambles and ruins because, if you read about it, most of the attacks, most of the negative things that happen inside a company's network, don't come from out there. No, no, no, percentage-wise, if you look at it, it's about 80-20. Eighty percent of the damage comes from behind you. In other words, those users back there. That doesn't mean they wake up in the morning and say, "What can I do to destroy my company today?" But they can do things by accident that cause damage to the network.
So when you're focusing on Network Device Security, you don't want to have all of your attention focused on the outside, kind of like a castle where you built the moat and "nobody's getting in here." Because you still have to be concerned with what's going on behind you, as well. Hopefully this gave you a little bit deeper understanding of Network Device Security.