Enhancing the Security of Wired Versus Wireless LAN Infrastructures

Wired networks offer a form of security that wireless networks lack. That security is the direct physical connection to a wired or cabled network. A hacker requires physical access to your facility or building. Usually, access control of the building can sufficiently prevent most external parties from accessing your private LAN.

Realize, however, that if you allow remote connection via telephone modem, high-speed broadband, or even basic Internet service, then you lose the advantage of a physical access limitation. Once remote access is allowed, the benefits of physical isolation disappear.

The same is true if you allow wireless connections into the network. Wireless networking grants valid and unknown users the ability to interact with the network. This eliminates the need to be physically present in the building to connect to the network. Many organizations are allowing—even encouraging—employees, contractors, and visitors to Bring Your Own Device (BYOD). This is cost effective and often improves efficiency, but it places the end users’ devices at risk of being controlled by an attacker. With the right type of antenna, an attacker could be more than a mile away from your office building and still be able to affect your wireless network.

NOTE

An attack known as “Van Eck phreaking” allows an attacker to eavesdrop on electronic devices from a distance. This technique is neither perfect nor simple to perform, but it has been demonstrated on LCD and CRT monitors, as well as on keyboard cables. With minor shielding, you can eliminate most of the risk from such an attack.

To regain some of the security offered by physical isolation, try to incorporate isolation into your network design. Isolate all remote access and wireless access points from the main wired network. You can achieve this by using separate subnets and by filtering communications using firewalls. Although this design does not offer the same level of security as physical isolation, the arrangement provides a significant improvement over having no control over remote or wireless connections.

NOTE

You will learn about the Transmission Control Protocol/Internet Protocol (TCP/IP) and the layers within which protocols work later in this chapter.

All remote connections should go through a rigorous gauntlet of verification before you grant access to the internal LAN. Think of a castle design in the Middle Ages that used multiple layers of defense: a moat, a drawbridge, thick riveted walls, an inner battlement, and finally, a strong keep or inner fortress. Your multilayer defensive design should include multifactor authentication and communication encryption, such as a VPN. Additional checks can include verification of operating system and patch level, confirmation of physical or logical location origin (such as caller ID, MAC address, or IP address), limitations to time of day, and limitations on protocols above the Transport Layer. Any intruder would need to circumvent layer after layer, making intrusion more and more difficult. This is often called a layered defense or defense in depth.
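The layered gauntlet described above, as an added example that is not part of the original text: a small Python policy evaluator that walks a remote connection request through each check in order (multifactor authentication, VPN, origin IP and MAC, patch level, time of day, protocol) and reports the first layer that rejects it. The policy values, request fields, and network ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class RemoteRequest:
    """Attributes of one inbound remote or wireless connection attempt."""
    username: str
    mfa_passed: bool      # multifactor authentication succeeded
    over_vpn: bool        # session arrives through the encrypted VPN
    source_ip: str        # logical origin of the connection
    mac: str              # physical origin (spoofable, so one layer, not proof)
    patch_level: int      # OS patch level reported by the endpoint
    local_hour: int       # 0-23, time of day at the gateway
    protocol: str         # application protocol requested above the Transport Layer

# Hypothetical policy values, constructed for this example.
POLICY = {
    "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],
    "known_macs": {"00:11:22:33:44:55"},
    "min_patch_level": 42,
    "hours": (7, 19),                 # allowed window: 07:00 up to 19:00
    "allowed_protocols": {"https", "ssh"},
}

def origin_ip_ok(ip, policy):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                  # malformed address fails closed
    return any(addr in net for net in policy["allowed_sources"])

def evaluate(req, policy=POLICY):
    """Walk the layers in order; return ("allow", None) or ("deny", <layer>)."""
    layers = [
        ("mfa", req.mfa_passed),
        ("vpn", req.over_vpn),
        ("origin_ip", origin_ip_ok(req.source_ip, policy)),
        ("origin_mac", req.mac.lower() in policy["known_macs"]),
        ("patch_level", req.patch_level >= policy["min_patch_level"]),
        ("time_of_day", policy["hours"][0] <= req.local_hour < policy["hours"][1]),
        ("protocol", req.protocol.lower() in policy["allowed_protocols"]),
    ]
    for name, passed in layers:
        if not passed:
            return ("deny", name)     # first failing layer stops the request
    return ("allow", None)

if __name__ == "__main__":
    req = RemoteRequest("alice", True, True, "203.0.113.10", "00:11:22:33:44:55", 45, 9, "https")
    print(evaluate(req))
```

Logging the denying layer name gives the operator a record of which defense stopped the request without telling the remote party which later layers it would also have failed.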
