The biggest security problems are likely to be found in companies with a double-digit number of desktop workstations: at this size a dedicated administrator is usually not hired, and extremely high-performance or otherwise special devices are rarely required on the hardware side. Instead, management relies on standard PC hardware, for servers and network equipment as well. Administration is usually split between an external IT service provider, who handles server installations, infrastructure changes and emergencies, and employees who spend part of their working time on smaller administrative tasks such as creating new users, rolling out updates or integrating a new network printer.
Providing outlets
Unfortunately, only a few company managers are aware of the value of a proactive security concept, so it is worthwhile to first get an overview and take precautions before, for example, a forgotten Raspberry Pi turns into a spam cannon. In practice, once the network has been inventoried with OpenVAS, physically locating an unknown device usually only works by unplugging individual physical network segments at the patch panel and checking whether the device disappears from the scan. This narrows down the position of the unauthorized device. Such work naturally has to be done while the network is used little or not at all, since work at the computer workstations would be severely disrupted: typical weekend work.
Probably the biggest risk is unauthorized WLAN access points, which let employees connect any smartphone, tablet or notebook to the network. It is especially risky when an access point is set up as a simple WLAN-to-Ethernet bridge, which is the default: every wireless client then sits directly on the company LAN. It is therefore useful to provide sufficiently fast WLAN hotspots, so that employees have no reason to build their own quick-and-dirty solutions.
This problem can be solved easily with correctly configured cheap hardware: take a low-cost OpenWRT-capable router (for example the TP-Link WR841, around 20 euros), install the OpenWRT firmware on it and first configure it as a cable router: DHCP client on the WAN port, and its own DHCP server with a different address range for the WLAN and Ethernet ports (NAT). As a second measure, the firewall blocks the entire protected network, so that only packets to and from the Internet gateway are forwarded. All these settings can be made in the OpenWRT web interface.
If you want, you can also block specific ports in the firewall configuration, leaving open only those needed for web, mail and VPN, for example. Access to services provided by the company should be governed by the same rules as for the home office, i.e. access to mail and directory services only via VPN and only to a few servers. The forward-thinking administrator is well served by configuring several such OpenWRT devices as NAT access points in one go, so that they can be deployed quickly in whatever corner of the network they are needed.
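The cable-router plus firewall set-up from the two paragraphs above, written as a provisioning script for the UCI layer that the OpenWRT web interface sits on, so that the same configuration can be rolled out to several boxes in one go. This is an added example, not a script from the original post: the company LAN 192.168.1.0/24, the guest range 192.168.77.0/24, the SSID, the two permitted servers and the port list are assumed placeholders, and the interface names are the OpenWRT defaults (WAN port in zone `wan`, WLAN and Ethernet ports in zone `lan`). Because the WAN port plugs into the company network, zone `wan` here is the company LAN, which is why the rules reject forwarding to private address ranges except for the listed servers. One caveat: the WR841 is a 4 MB flash/32 MB RAM device, which OpenWRT flags as too small for current releases, so check the project's 4/32 warning before buying one today.

```shell
#!/bin/sh
# Provision an OpenWRT box as a NAT'ing WLAN access point whose WAN port hangs
# off the company LAN.  "dry-run" prints the UCI batch for review, "apply"
# feeds it to uci on the device.  Added example, not code from the original
# post: every address, SSID, server and port below is an assumed placeholder.

ip2int() {        # dotted quad -> integer
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {        # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix2mask() {   # prefix length -> 32-bit mask as integer
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Exit 0 when the two CIDR blocks share any address.  The range the AP hands
# out must not overlap the company LAN, or the box routes "blocked" hosts locally.
cidr_overlap() {
    a=$(ip2int "${1%/*}"); alen=${1#*/}
    b=$(ip2int "${2%/*}"); blen=${2#*/}
    len=$alen; if [ "$blen" -lt "$len" ]; then len=$blen; fi
    m=$(prefix2mask "$len")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# gen_uci COMPANY_CIDR GUEST_ADDR/LEN SSID PSK "SERVER ..." "PORT ..."
# Prints the uci batch; fails (exit 1) if the guest range overlaps the LAN.
gen_uci() {
    company=$1 guest=$2 ssid=$3 psk=$4 servers=$5 ports=$6
    guest_ip=${guest%/*}
    if cidr_overlap "$company" "$guest"; then
        echo "guest range $guest overlaps company LAN $company" >&2
        return 1
    fi
    netmask=$(int2ip "$(prefix2mask "${guest#*/}")")
    # Step 1: cable router.  WAN = DHCP client on the company LAN; Ethernet and
    # WLAN share the guest range with the box as DHCP server (lan->wan NAT is the
    # OpenWRT default).  default_radio0 is the current wifi-iface section name.
    cat <<EOF
set network.wan.proto='dhcp'
set network.lan.ipaddr='$guest_ip'
set network.lan.netmask='$netmask'
set dhcp.lan.start='100'
set wireless.radio0.disabled='0'
set wireless.default_radio0.mode='ap'
set wireless.default_radio0.network='lan'
set wireless.default_radio0.ssid='$ssid'
set wireless.default_radio0.encryption='psk2'
set wireless.default_radio0.key='$psk'
EOF
    # Step 2: firewall, in this order: permitted servers, then reject the company
    # LAN and all private ranges, then the allowed Internet ports, then the rest.
    for s in $servers; do
        cat <<EOF
add firewall rule
set firewall.@rule[-1].name='allow-server-$s'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_ip='$s'
set firewall.@rule[-1].dest_port='$ports'
set firewall.@rule[-1].target='ACCEPT'
EOF
    done
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='reject-company-lan'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='all'
add_list firewall.@rule[-1].dest_ip='$company'
add_list firewall.@rule[-1].dest_ip='10.0.0.0/8'
add_list firewall.@rule[-1].dest_ip='172.16.0.0/12'
add_list firewall.@rule[-1].dest_ip='192.168.0.0/16'
set firewall.@rule[-1].target='REJECT'
add firewall rule
set firewall.@rule[-1].name='allow-internet-ports'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='$ports'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='reject-other-forward'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='REJECT'
EOF
}

apply_uci() {     # only meaningful on the OpenWRT box itself
    gen_uci "$@" | uci batch && uci commit &&
        /etc/init.d/network restart && /etc/init.d/firewall restart && wifi
}

# Placeholder values for this example.  "sh provision_ap.sh dry-run" prints the
# batch for review, "apply" installs it on the device; no argument does nothing.
case "${1:-}" in
    dry-run|apply)
        [ "$1" = apply ] && fn=apply_uci || fn=gen_uci
        $fn 192.168.1.0/24 192.168.77.1/24 firma-wlan 'change-me-long-passphrase' \
            '192.168.1.10 192.168.1.11' '80 443 587 993 1194' ;;
esac
```

Run it with `dry-run` on any machine to review the generated batch, then with `apply` on the box (BusyBox ash, which the script is written for). The rule order is the point: OpenWRT evaluates `config rule` entries before the zone forwarding policy, so the per-server ACCEPT has to precede the private-range REJECT, and the final catch-all REJECT with `proto='all'` turns the port list into an allowlist; without `proto='all'` a rule defaults to TCP and UDP only and would let ICMP and other protocols through. Guest DNS does not need a forwarding rule, because dnsmasq on the box answers the clients and its own upstream queries leave via the router's output chain, not the forward chain.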
When it comes to providing simple Internet access for guests, it is also worth getting in touch with the local Freifunk community and setting up an access point with Freifunk firmware in the waiting area. Besides the simple set-up, the biggest advantage of this solution is that you do not have to worry about Störerhaftung (the German liability of the connection holder for what its users do): Freifunk routes the traffic through its own VPN to Scandinavian exit nodes. Smaller disadvantages of the Freifunk solution are that, especially in densely populated areas, it attracts many surfers from the neighborhood and can therefore generate considerable traffic. Users of the Freifunk access point should also be aware that the traffic between the access point and their device is not encrypted, so it is advisable to use TLS-secured connections or an encrypted VPN.
The same attention that is paid to access points should be paid to WLAN repeaters. In the minds of many administrators these are purely passive devices. That is wrong: repeaters as a rule also run an embedded Linux and have already been targeted by worms, so they need updates and a place in the inventory like any other host.