Isolating Networks To Protect Data

Network isolation provides a barrier that hackers must surmount to gain access to your data. The advantage of isolation is that penetration of one of your networks doesn’t necessarily mean that other more sensitive areas have been compromised.

Indeed, one of the favored approaches to managing hackers is to create honeypots, systems that are specifically set up to be hacked and to identify the method of penetration.

You can use many different methods to isolate your wireless networks from one another, including: addressing, filters, bringing down links, and using different challenge and response mechanisms.

Addressing

You may want to consider creating a separate set of IP addresses or a domain for your wireless LAN, and additional ones for each of your extra wireless LANs. This helps give you some measure of control over traffic flow because traffic must authenticate itself as it travels from domain to domain.

There’s also a performance benefit to additional domains. Some network devices broadcast packets continually on an Ethernet network. One such device might be a cluster looking for each computer’s “heartbeat.”

Another might be a management console that is sending out “discovery” packets, and there are many others. When you are in a situation where there is a lot of this traffic (typically very large deployments) you may find that these broadcast packets rob you of much of your wireless network’s available bandwidth.

By creating a domain for your wireless network and separating it from your wired LAN by a router or through a virtual LAN or VLAN network, you can remove this network overhead from your wireless traffic.

A common recommendation is that each wireless network be put on its own subnet. A subnet is a set of IP addresses in the same domain where the subnet mask is set up to restrict the available address range and pool size. You’ll find a subnet tutorial at ralphb.net and at learntosubnet.com.

With subnetting, you can restrict which devices are allowed access by specifying a range. For larger wireless networks, consultants often suggest that each of your wireless networks be a different domain that is a set of computers with different IP address ranges.

For wireless networking, different domains mean that each wireless domain has its own SSID. Where domains meet at an IP interface (a router or firewall between them), you can add further barriers for hackers. The first barrier is address complexity.

It’s not easy to discover the private addresses behind one network interface when you are probing from a network attached to a different one. So install a firewall of some kind, or a proxy server. Many access points and routers offer this capability.

Creating multiple network domains in the classic sense means that you have different domain servers on each side of a link. Different domains have their own different security databases and network directories, which translate into different challenge and response mechanisms, and the requirement for different passwords.

When you start to deal with this level of complexity you have to consider trust relationships, pass through authentications, single password logon software, and other systems that really aren’t part of any home or small businesses’ capabilities.

For home networks and small business networks where only a portion of the range of available IP addresses are being used, we strongly encourage you to use static IP addresses for devices and clients.

Disabling DHCP means that a hacker can’t just jump onto your network and have a network address (IP) handed to them; they have to know the address range. With static IP addresses, you can filter traffic based on the IP address at your firewall or proxy server.

You can also create what is called protocol isolation. With wireless technology this translates to using one protocol for one side of the connection, such as 802.11b for the outsiders, and another, such as 802.11g, for insiders. This doesn’t afford a lot of protection, but anyone without a g card won’t get in to test things.

More traditional network protocol isolation has one transport protocol like IP on one side of a firewall, and another like NetBEUI, AppleTalk, or IPX on the other. With IP networking as pervasive as it is, these days most people just run IP on both sides of the firewall.

Still, you can use encryption and have different keys on each network, and that further complicates the task of someone trying to gain entry to your network. A better form of isolation is attained using MAC filtering.

That is, you enter the numbers of known MAC addresses for your network’s wireless devices and only those devices with the right MAC addresses can gain entry to the network.

MAC filtering, or Media Access Control (MAC) filtering, isn’t foolproof. A skillful hacker can spoof a MAC address, but doing this adds to the complexity of the job required to break into your networks. Some wireless devices let you name them so that they can be discovered using things like SNMP, the Simple Network Management Protocol.

SNMP is the engine behind most of the software that “discovers” network devices. If you can disable SNMP, you should, and you should be careful to avoid names that people can guess for your wireless networks.
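The two address-based barriers described above, a per-network subnet of static IP addresses (filtered at the firewall) and a MAC allow list, combined into one admission check. This is an added example, not code from the original text; the network names, subnets and MAC addresses are constructed for illustration.

```python
"""Added example: admit a wireless client only if its MAC is on the list for
that network AND its static IP is a usable host address in that network's
subnet.  Policy values below are constructed, not taken from any real site."""
import ipaddress
import re

# Constructed sample policy: each wireless LAN has its own subnet and a
# list of known device MAC addresses (stored lower-case, colon-separated).
NETWORK_POLICY = {
    "guest-wlan": {
        "subnet": ipaddress.ip_network("192.168.20.0/27"),   # 30 usable hosts
        "allowed_macs": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
    },
    "staff-wlan": {
        "subnet": ipaddress.ip_network("192.168.30.0/28"),   # 14 usable hosts
        "allowed_macs": {"aa:bb:cc:dd:ee:01"},
    },
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Canonicalise the MAC forms seen on different vendors' admin pages
    (AA:BB:CC:DD:EE:FF, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff) to lower-case
    colon-separated form; raises ValueError on anything else."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def admit(network: str, mac: str, ip: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a client joining `network`.
    Both checks must pass; MAC filtering alone is spoofable, so it is
    layered with the address-range check rather than used on its own."""
    policy = NETWORK_POLICY.get(network)
    if policy is None:
        return False, "unknown network"
    try:
        mac_c = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
    except ValueError as exc:
        return False, str(exc)
    if mac_c not in policy["allowed_macs"]:
        return False, "MAC not on allow list"
    net = policy["subnet"]
    # The network and broadcast addresses are never valid client addresses.
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        return False, "IP outside the network's usable address range"
    return True, "ok"
```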

Limiting Signal Coverage

Whenever possible you should test to see that your signal isn’t leaking out into areas where people outside of your control can access it. That’s part of any wireless site survey.

When you have multiple networks, this becomes even more critical. You can also limit access by disabling your device’s SSID broadcasts so that only those people who know what the wireless network is named can access it.

Try to right-size your coverage area by having the signal essentially end at your building’s outer wall. There are several ways to do this. Probably the easiest is to conduct a site survey to assess your signal strength and adjust the position of your wireless devices to bring the coverage out of any public areas.

You can also purchase directional and highly directional antennas that aim your wireless signal away from a wall or corner. If it’s possible, you can lower your security risks by turning off wireless access points when you don’t use them.

We mentioned PoE management software as one solution to programming times when devices shut down, but you can use automated switches, building control software, X10 devices, and other systems to perform this function.

Suffice it to say that if you need to connect two distant LANs wirelessly, you want to purchase a narrow beamwidth antenna such as a Yagi, or for very long distances perhaps a parabolic dish reflector antenna.

With a highly directional antenna, only devices close to the center of the beam will be able to pick up the signal. Positioning and antennas are certainly low-cost, low-hassle partial solutions to the security issue, and they should be part of your arsenal.

Securing Multiple Networks

Multiple networks introduce additional complexity and points of attack, but they also offer tools that you don’t have with a single network. All of the things you do with your systems to protect them from the bad guys should still be done for one or more networks, including:

  • Turn on encryption such as WEP and do not accept default settings such as usernames of “admin”.
  • Use virus software and update it regularly.
  • Run scans with anti-spam software like Spam Sweeper, Ad-Aware, Spybot, or your choice.
  • Update your software to the current versions and be particularly attentive to applying all OS patches.
  • Run regular tested backups.
  • Use a firewall, either software or hardware.
  • Consider closing your broadband connection at night when not in use; a network without an Internet connection isn’t particularly appealing to a war driver.
  • Update the firmware of your wireless devices; many times improved security is one of the major features of this upgrade.
  • Don’t open unexpected e-mail attachments.

Performing each of these steps takes time—but you won’t regret doing them. On the day you have to restore systems or chase someone down for ID theft, you’ll be patting yourself on the back for following the preceding guidelines.

For a larger set of connected networks, and for enterprise use, you may want to consider installing a VPN or Virtual Private Network. A VPN forces wireless clients to authenticate themselves in order to tunnel through it, and uses Layer 3 encryption to secure the communication.

You’ll find VPN technology on some of the devices meant for the small office, such as the SOHO TZW or the similar Netgear FVM318. For less expensive solutions you can purchase VPN software.