Securing a SOHO Wired Network

While a wired network can be more secure than a wireless one, there are still a number of procedures you should follow to leave as little to chance as possible. Among them, change the default usernames and passwords to different values and secure the physical environment. You should also disable any ports that are not needed, assign static IP addresses, and use MAC filtering to limit access to only those hosts you recognize.

Change Default Usernames and Passwords

Make sure the default password is changed after the installation of any network device. Failure to do so leaves that device open for anyone recognizing the hardware to access it using the known factory password.

In Windows, the Guest account is created automatically, with the intent that it be used when someone must access a system but lacks a user account on that system. Because it is so widely known to exist, it is recommended that you not use this default account and create another one for the same purpose if you truly need one. The Guest account poses a security risk at the workstation and should be disabled to deter those attempting to gain unauthorized access.


Tip: Change every username and password that you can so they vary from their default settings.

Enable MAC Filtering

Limit access to the network to MAC addresses that are known and filter out those that are not. Even in a home network, you can implement MAC filtering with most routers and typically have an option of choosing to allow only computers with MAC addresses that you list or deny only computers with MAC addresses that you list.


Note: If you don’t know a workstation’s MAC address, use ipconfig /all to find it in Windows (it is listed as Physical Address) and ifconfig in UNIX/Linux.
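As an added example (not from the original text), this Python sketch collects the Physical Address lines from `ipconfig /all` output, normalizes them into a form suitable for a router's filter list, and models the two filter modes described above. The sample output, the MAC values, and the function names are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5F
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
PHYSICAL = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s*$")


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, whatever separator was used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def physical_addresses(ipconfig_text):
    """Map each adapter heading in `ipconfig /all` output to its normalized MAC."""
    found, adapter = {}, None
    for line in ipconfig_text.splitlines():
        heading = ADAPTER.match(line)
        if heading:
            adapter = heading.group(1)
            continue
        mac = PHYSICAL.search(line)
        if mac and adapter:
            found[adapter] = normalize_mac(mac.group(1))
    return found


def is_admitted(mac, listed, mode):
    """Model the two router modes: 'allow' admits only listed MACs,
    'deny' blocks only listed MACs."""
    if mode not in ("allow", "deny"):
        raise ValueError("mode must be 'allow' or 'deny'")
    in_list = normalize_mac(mac) in {normalize_mac(m) for m in listed}
    return in_list if mode == "allow" else not in_list
```

A MAC address is reported by the host itself, so the filter works best alongside the other controls in this section rather than on its own.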

Assign Static IP Addresses

On small office/home office networks, use static IP addresses rather than having them issued dynamically by DHCP, so that addresses are not handed out to hosts other than those you recognize and want on the network.

Disabling Ports

Disable all unneeded protocols/ports. If you don’t need them, remove the additional protocols, software, or services or prevent them (disable them) from loading. Ports not in use present an open door for an attacker to enter.


Tip: Many of the newer SOHO router solutions (and some of the personal firewall solutions on end-user workstations) block ICMP by default. Keep this in mind because it can drive you nuts when you are trying to see if a brand-new station/server/router is up and running.
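As an added example (not from the original text), this Python sketch audits a workstation for ports that should be disabled: it reads Windows `netstat -an` output and reports every network-reachable listener that is not on a list of needed ports. The sample output, the addresses, and the contents of the `needed` set are constructed for illustration.

```python
# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49702     203.0.113.10:443       ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

LOOPBACK = ("127.", "[::1]")


def open_sockets(netstat_text):
    """Yield (proto, address, port) for TCP listeners and bound UDP sockets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a State column; only LISTENING rows accept connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        # rpartition splits on the last colon, so [::]:3389 parses correctly.
        address, _, port = local.rpartition(":")
        yield proto, address, int(port)


def unneeded_ports(netstat_text, needed):
    """Return sorted (proto, port) pairs reachable from the network
    but absent from the `needed` set."""
    extra = set()
    for proto, address, port in open_sockets(netstat_text):
        if address.startswith(LOOPBACK):
            continue  # bound to loopback only, not reachable from other hosts
        if (proto, port) not in needed:
            extra.add((proto, port))
    return sorted(extra)


if __name__ == "__main__":
    # Assumption: this host only needs file sharing on TCP 445.
    for proto, port in unneeded_ports(SAMPLE_NETSTAT, {("TCP", 445)}):
        print(f"review and disable if not needed: {proto}/{port}")
```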

Physical Security

Just as you would not park your car in a public garage and leave its doors wide open with the key in the ignition, you should educate users to not leave a workstation that they are logged in to when they attend meetings, go to lunch, and so forth. They should log out of the workstation or lock it: “Lock when you leave” should be a mantra they become familiar with. A password (usually the same as their user password) should be required to resume working at the workstation.

You can also lock a workstation by using an operating system that provides file system security. Microsoft’s earliest file system was referred to as File Allocation Table (FAT). FAT was designed for relatively small disk drives. It was upgraded first to FAT-16 and finally to FAT-32. FAT-32 (also written as FAT32) allows large disk systems to be used on Windows systems.

FAT allows only two types of protection: share-level and user-level access privileges. If a user has write or change access to a drive or directory, they have access to any file in that directory. This is very insecure in an Internet environment.

New Technology Filesystem (NTFS) was introduced with Windows NT to address security problems. Before Windows NT was released, it had become apparent to Microsoft that a new file system was needed to handle growing disk sizes, security concerns, and the need for more stability. NTFS was created to address those issues.

With NTFS, files, directories, and volumes can each have their own security. NTFS’s security is flexible and built in. Not only does NTFS track security in access control lists (ACLs), which can hold permissions for local users and groups, but each entry in the ACL can also specify what type of access is given—such as Read-Only, Change, or Full Control. This allows a great deal of flexibility in setting up a network. In addition, special file-encryption programs can be used to encrypt data while it is stored on the hard disk.

Microsoft strongly recommends that all network shares be established using NTFS. While NTFS security is important, though, it doesn’t matter at all what file system you are using if you log in to your workstation and leave, allowing anyone to sit down at your desk and use your account.


Note: Because NTFS and share permissions are operating system specific, they were discussed in the chapters on operating systems.

Last, don’t overlook the obvious need for physical security. Adding a cable to lock a laptop to a desk prevents someone from picking it up and walking away with a copy of your customer database. Every laptop case we are aware of includes a built-in security slot in which a cable lock can be added to prevent it from being carried off the premises easily, like the one shown in Figure 17-8.

Figure 17-8: A cable in the security slot keeps a laptop from being taken easily.


When it comes to desktop models, adding a lock to the back cover can prevent an intruder with physical access from grabbing the hard drive or damaging the internal components. You should also physically secure network devices, such as routers, access points, and the like. Place them in locked cabinets, if possible; if they are not physically secured, they can be carried off or manipulated in a way that allows someone unauthorized to connect to the network.
