How do you secure a network?

Drunkard #1

I mean, everyone's concerned with securing their WiFi, but that doesn't help if someone can just unplug an IP camera in a parking garage somewhere, or a VOIP gate-phone in the street, and get full access?

Or are networks never secure, and everything on them needs to be designed as if an attacker is already at a terminal plugged into the same hub as you are?
 
The answer lies in a standard called IEEE 802.1X, and old school MAC authentication.

Easiest way is to set up your switching gear to only allow 1 predefined MAC address on that port. If someone plugs a device with any other MAC address in on that port, the switch shuts it down (only the port).
If you really feel you need better security, combine it with 802.1X. In layman's terms it authenticates the hardware to connect to the physical network; this allows you to connect anywhere on the network with, say, your notebook, whereas the MAC authentication is port based.
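As an added illustration of the two mechanisms described in this reply (not configuration from the thread or from any named vendor documentation), here is what they look like on a Cisco IOS access switch. The interface names, VLAN number, RADIUS server address and shared secret are assumed placeholders; the first interface shows port security locked to one learned MAC, the second shows 802.1X with MAB fallback for devices such as cameras that cannot run a supplicant.

```cisco
! --- Port security: one MAC per port, port shuts down on a violation ---
interface GigabitEthernet1/0/10
 description Parking-garage IP camera (assumed)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Let an err-disabled port recover on its own after 5 minutes so a
! camera reboot does not need a truck roll; the violation is still logged.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- 802.1X: the switch asks a RADIUS server before opening the port ---
aaa new-model
aaa authentication dot1x default group radius
radius server CORP-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control
!
interface GigabitEthernet1/0/11
 description Desk port, 802.1X with MAB fallback (assumed)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

Note the trade-off the rest of the thread goes on to raise: the sticky MAC on the camera port and the MAB fallback on the desk port both trust a MAC address, which is copied off the device's label or its last frames. Only the 802.1X path proves possession of a credential or certificate, so a port that accepts MAB is no stronger than plain port security for whoever unplugs the device.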
 
The attacker spoofs the MAC address using the device they just unplugged from the network. Now what?
 
The answer lies in a standard called IEEE 802.1X, and old school MAC authentication.

Easiest way is to set up your switching gear to only allow 1 predefined MAC address on that port. If someone plugs a device with any other MAC address in on that port, the switch shuts it down (only the port).
If you really feel you need better security, combine it with 802.1X. In layman's terms it authenticates the hardware to connect to the physical network; this allows you to connect anywhere on the network with, say, your notebook, whereas the MAC authentication is port based.

I unplug the device and spoof the MAC using tmac.
 
I also think you don't need all this MAC auth etc. If you designed your network properly, you don't need these security layers.

If you manage to plug the network point for the gate phone into your device, then you have a connection to the internet with 1 port open, so I'm not so sure what you achieved; you can just as well connect to the internet at your home.

If you use the IP camera's cable, then you have access to yourself and the firewall port. Again, what's the point?

As others have mentioned, if the network is connected, you can be hacked, but when you have a good firewall in place it makes it difficult. What I'm always thinking is: why would someone hack my network, and what info would they gain?
 
As others have mentioned, if the network is connected, you can be hacked, but when you have a good firewall in place it makes it difficult. What I'm always thinking is: why would someone hack my network, and what info would they gain?

Could always be for the sake of vandalism.
 
Serious question, why don't your cameras run on a separate LAN, or even a VLAN?
 
As others have mentioned, if the network is connected, you can be hacked, but when you have a good firewall in place it makes it difficult. What I'm always thinking is: why would someone hack my network, and what info would they gain?

Could always be for the sake of vandalism.

220V voltage spike down the line? :whistle:
 
Serious question, why don't your cameras run on a separate LAN, or even a VLAN?

That's a very good point.

Segregate your network as much as possible.

And give each segment only as much access to the rest of the network that it needs.
 
That's a very good point.

Segregate your network as much as possible.

And give each segment only as much access to the rest of the network that it needs.
Yup. I've seen IP cameras run on a completely separate network, recording to the NVR. The NVR had multiple NICs to allow access to the NVR from both networks. Reduces the chance of someone connecting to the network significantly.
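An added example of the segmentation advice in the last two replies (cameras on their own VLAN, and each segment given only the access it needs), written for a Cisco IOS layer-3 switch. It is not configuration from the thread; the VLAN numbers, subnets and the NVR address 10.10.0.50 are assumed. The inbound ACL on the camera VLAN lets cameras answer the NVR's RTSP sessions and nothing else, so a cable pulled from a camera lands on a segment that cannot reach user PCs, phones or the internet.

```cisco
vlan 10
 name USERS
vlan 20
 name CAMERAS
vlan 30
 name VOIP
!
! Gateway for the camera segment; the ACL is applied to traffic
! entering the switch from the cameras.
interface Vlan20
 description Camera VLAN gateway (assumed addressing)
 ip address 10.20.0.1 255.255.255.0
 ip access-group CAMERAS-IN in
!
ip access-list extended CAMERAS-IN
 ! The NVR opens RTSP (TCP 554) to the cameras; only the replies to
 ! those established sessions may leave the camera VLAN.
 permit tcp 10.20.0.0 0.0.0.255 eq 554 host 10.10.0.50 established
 ! Cameras may sync time from the VLAN gateway.
 permit udp 10.20.0.0 0.0.0.255 host 10.20.0.1 eq ntp
 ! Everything else from the camera VLAN is dropped and logged, which
 ! is also how you notice a foreign device on a camera cable.
 deny ip any any log
!
! Camera-facing access ports belong to the camera VLAN only.
interface range GigabitEthernet1/0/10 - 15
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
```

The dual-NIC NVR design mentioned above is the same idea without a router: the camera network has no gateway at all, and the NVR is the only box that touches both sides. For the two-site case raised later in the thread, the VLAN tags travel over the inter-site link (a trunk over the wireless bridge) and the ACL still sits at the one layer-3 hop, so you do not need a separate link per protocol, only a trunk that carries each VLAN and a firewall or ACL at the point where the VLANs are routed.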
 
make sure the intercom or ip camera outside uses active PoE, so it pops whatever it plugs into (if not a PoE device). :P
 
Been out all day. Thanks for the replies.

MAC restriction, I've heard of, as well as MAC spoofing, so that's DOA.

802.1X I'll have to read up on.

Segregation is a good idea, but let's say you've got two sites with IP cameras, VOIP and PCs at both - to keep them properly segregated, you'd need to have a link for each protocol?

My point is, what if you can't secure the physical wires (at [insecure] location 2), say, from the WiFi on the roof (Ubiquiti Nano Bridges) to the port at someone's desk... where do you put the firewall? Makes sense to put it back at the [secure] first location, but then you need to set up some way to pass good traffic and drop bad traffic and distinguish between the two. This requires specialist kit, I'd assume. Is this something an amateur could set up, and are we talking Cisco or Mikrotik (not that I'm too familiar with either)?



make sure the intercom or ip camera outside uses active PoE, so it pops whatever it plugs into (if not a PoE device). :P

Proper af/at PoE wouldn't do that?
 
Proper af/at PoE wouldn't do that?

I probably have active and passive mixed around; one of them doesn't check if there is a non-PoE device and should damage the non-PoE adapter at the other end if plugged in.

It was a joke anyway.

I've seen people build cages around their cameras or mount them high up and put the cables in PVC pipes inside walls and the ground etc.
 
Or are networks never secure, and everything on them needs to be designed as if an attacker is already at a terminal plugged into the same hub as you are?

The short answer is yes, networks are never really secure. According to the 2015 Symantec Internet Security Threat Report (I hope that's the right one, I read a lot of reports) they did a study and found that of the networks they were monitoring, something like 97% of those networks were communicating with known command and control servers.

Security is about layers; there is no single solution or technology that is going to protect you. Also if a truly skilled attacker decides to target you, there is very little you can do. That's where the layers come in: they protect against less sophisticated threats and help to deter more advanced threats by putting more obstacles in their way, but ultimately, if the advanced threat is persistent and willing to spend days, months or even years targeting you, like some of them do, they will get in eventually.

Like the old saying goes, as a network defender, you have to be sure that you close every possible hole. As an attacker, I just have to find one hole, so the odds are stacked in my favor unless you are one of the very few companies that spends the money to have proper security staff in house that actively works on securing your network.
 
Lolz

Firstly, there's no such thing as a secure network.

It's all about management. If security becomes a real issue for you/your business, inbox me, and I'll advise you ;)
 