
    Protecting your business network

      Dashrender

      OK there's tons of posts around here telling people to avoid VLANs and instead use /23 or /22 networks if you need more than 256 devices on a network, and because of the way switches work, I can understand that...

      So what about securing networks against unsecured devices?

      I'm now being asked to put more and more medical equipment on the network - these devices, just like their IoT brethren, are rarely updated, often running some ancient version of Windows, etc.

      What do you guys think you should do to protect against these devices?

      Mind you we aren't at a LANLess setup yet.

        dafyre

        IMO, this is one of the prime use cases for VLANs. Keep the insecure devices off the main network... and use your router/firewall to not allow them access to the internet.

          scottalanmiller

          1. Get LANless.
          2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
          3. Get LANless. You should not be depending on the LAN barriers for security.
            Dashrender

            That's just it.. they require access to the internet.

              dafyre @Dashrender

              @Dashrender said in Protecting your business network:

              That's just it.. they require access to the internet.

              Eww... Guess you'd have to allow that. Do any of your PCs need access to the devices?

                scottalanmiller @Dashrender

                @Dashrender said in Protecting your business network:

                That's just it.. they require access to the internet.

                Not really an issue. Once they don't give you the option to secure them, they aren't yours to secure. If they get hacked, not your concern.

                  dafyre @scottalanmiller

                  @scottalanmiller said in Protecting your business network:

                  1. Get LANless.
                  2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
                  3. Get LANless. You should not be depending on the LAN barriers for security.

                  LANless is a lofty goal for any business with file servers that have been well established. In the medical world, I don't see that happening any time soon.

                    Dashrender @dafyre

                    @dafyre said in Protecting your business network:

                    @scottalanmiller said in Protecting your business network:

                    1. Get LANless.
                    2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
                    3. Get LANless. You should not be depending on the LAN barriers for security.

                    LANless is a lofty goal for any business with file servers that have been well established. In the medical world, I don't see that happening any time soon.

                    Exactly...

                    It's not that Windows file servers don't have security, it's just that the IoT crap has a foothold inside the LAN that they can use to attack the file servers, etc. And I'm sure there are other services that are traversing our network that aren't encrypted...

                      scottalanmiller @Dashrender

                      @Dashrender said in Protecting your business network:

                      @dafyre said in Protecting your business network:

                      @scottalanmiller said in Protecting your business network:

                      1. Get LANless.
                      2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
                      3. Get LANless. You should not be depending on the LAN barriers for security.

                      LANless is a lofty goal for any business with file servers that have been well established. In the medical world, I don't see that happening any time soon.

                      Exactly...

                      It's not that Windows file servers don't have security, it's just that the IoT crap has a foothold inside the LAN that they can use to attack the file servers, etc. And I'm sure there are other services that are traversing our network that aren't encrypted...

                      So are they secure or not? That's the big question 🙂 If they are really secure, why do we fear the IoT devices?

                        Dashrender @scottalanmiller

                        @scottalanmiller said in Protecting your business network:

                        @Dashrender said in Protecting your business network:

                        @dafyre said in Protecting your business network:

                        @scottalanmiller said in Protecting your business network:

                        1. Get LANless.
                        2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
                        3. Get LANless. You should not be depending on the LAN barriers for security.

                        LANless is a lofty goal for any business with file servers that have been well established. In the medical world, I don't see that happening any time soon.

                        Exactly...

                        It's not that Windows file servers don't have security, it's just that the IoT crap has a foothold inside the LAN that they can use to attack the file servers, etc. And I'm sure there are other services that are traversing our network that aren't encrypted...

                        So are they secure or not? That's the big question 🙂 If they are really secure, why do we fear the IoT devices?

                        I wasn't talking about the IoT things, I'm talking about my production network.

                        For example, printers aren't talking over a secure connection.

                          IRJ

                          A NAC could also automate what is done with different types of devices.

                            Dashrender @IRJ

                            @IRJ said in Protecting your business network:

                            A NAC could also automate what is done with different types of devices.

                            Yeah, at what kind of expense?

                              Dashrender @IRJ

                              @IRJ said in Protecting your business network:

                              A NAC could also automate what is done with different types of devices.

                              And what kind of setup is needed for that? I mean, do I have to manage each thing that's plugged in? OK things on this port can get the internet, but nowhere else, i.e. can't talk to printers, or other PCs or servers, etc.

                                IRJ @Dashrender

                                @Dashrender said in Protecting your business network:

                                @IRJ said in Protecting your business network:

                                A NAC could also automate what is done with different types of devices.

                                And what kind of setup is needed for that? I mean, do I have to manage each thing that's plugged in?

                                You don't have to manage anything, but the NAC can identify devices by many different factors (ports, services, MAC addresses, etc). You can create rules to manage each device.

                                  IRJ @Dashrender

                                  @Dashrender said in Protecting your business network:

                                  @IRJ said in Protecting your business network:

                                  A NAC could also automate what is done with different types of devices.

                                  Yeah, at what kind of expense?

                                  It's not exactly cheap, but the cost is worth the security.

                                    coliver @IRJ

                                    @IRJ said in Protecting your business network:

                                    @Dashrender said in Protecting your business network:

                                    @IRJ said in Protecting your business network:

                                    A NAC could also automate what is done with different types of devices.

                                    Yeah, at what kind of expense?

                                    It's not exactly cheap, but the cost is worth the security.

                                    Depends on the business of course. They aren't cheap for sure and the value of the security would have to be determined by the business. For most SMBs I don't think a full-on NAC is going to be worth the investment. For larger scale organizations, or highly secure ones, then yes it will be.

                                      stacksofplates @IRJ

                                      @IRJ said in Protecting your business network:

                                      @Dashrender said in Protecting your business network:

                                      @IRJ said in Protecting your business network:

                                      A NAC could also automate what is done with different types of devices.

                                      Yeah, at what kind of expense?

                                      It's not exactly cheap, but the cost is worth the security.

                                      Ya we run ISE. It's pretty nice as every machine is auto joined to the correct VLAN.

                                        Dashrender @IRJ

                                        @IRJ said in Protecting your business network:

                                        @Dashrender said in Protecting your business network:

                                        @IRJ said in Protecting your business network:

                                        A NAC could also automate what is done with different types of devices.

                                        Yeah, at what kind of expense?

                                        It's not exactly cheap, but the cost is worth the security.

                                        What is not exactly cheap? We talking $5K? No way that would be purchased here. Managing it via VLAN would definitely be the choice.

                                          coliver @stacksofplates

                                          @stacksofplates said in Protecting your business network:

                                          @IRJ said in Protecting your business network:

                                          @Dashrender said in Protecting your business network:

                                          @IRJ said in Protecting your business network:

                                          A NAC could also automate what is done with different types of devices.

                                          Yeah, at what kind of expense?

                                          It's not exactly cheap, but the cost is worth the security.

                                          Ya we run ISE. It's pretty nice as every machine is auto joined to the correct VLAN.

                                          We use ISE here as well. Very nice tool. Not something I see small doctors' offices or SMBs using very often.

                                            stacksofplates

                                            Why not just put them on a VLAN and limit what protocols they can use between VLANs?

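The segmentation approach raised in the thread (devices on their own VLAN, internet allowed, nothing internal, limited protocols between VLANs), as an added example that is not code from any poster: a small first-match ACL model showing why "allow the devices out to the internet" written as allow-to-any has to sit behind explicit denies to the internal ranges. The subnets, ports, rule layout and probe targets are constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing plan (assumptions, not from the thread).
DEVICES = ip.ip_network("10.0.30.0/24")   # VLAN for the unpatchable devices
PCS = ip.ip_network("10.0.10.0/24")       # workstation VLAN
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ip.ip_network("0.0.0.0/0")

def rule(action, src, dst, proto="any", port=None):
    return {"action": action, "src": src, "dst": dst, "proto": proto, "port": port}

def segmented_acl():
    """Rules for new connections crossing the router (stateful firewall assumed,
    so reply traffic is not modelled). Only device-VLAN rules are shown."""
    return [
        rule("allow", PCS, DEVICES, "tcp", 443),           # PCs reach the device UI only
        *[rule("deny", DEVICES, net) for net in RFC1918],  # devices -> anything internal
        rule("allow", DEVICES, ANY, "tcp", 443),           # devices -> internet (HTTPS)
        rule("allow", DEVICES, ANY, "udp", 53),            # DNS to a public resolver
        rule("deny", ANY, ANY),                            # default deny
    ]

def naive_acl():
    """Internet access for the device VLAN written as allow-to-any."""
    return [rule("allow", DEVICES, ANY), rule("deny", ANY, ANY)]

def decide(acl, src, dst, proto, port):
    """First matching rule wins; no match means deny."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for r in acl:
        if (s in r["src"] and d in r["dst"]
                and r["proto"] in ("any", proto) and r["port"] in (None, port)):
            return r["action"]
    return "deny"

# Constructed probes: internal services the device VLAN must not be able to open.
PROBES = [("10.0.20.5", "tcp", 445),    # file server, SMB
          ("10.0.10.50", "tcp", 9100),  # printer, raw print port
          ("10.0.10.21", "tcp", 3389)]  # workstation, RDP

def internal_leaks(acl, device="10.0.30.15"):
    """Return the probes the ACL would let a device on the isolated VLAN open."""
    return [p for p in PROBES if decide(acl, device, *p) == "allow"]

if __name__ == "__main__":
    print("segmented:", internal_leaks(segmented_acl()))
    print("naive:    ", internal_leaks(naive_acl()))
```

Running the same probe list against an export of the real firewall rules is a quick regression check after any rule change on the device VLAN.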