151
Chapter 11: Securing Your Network
to provide external users access to the company's accounting server, you can make it
nearly impossible to access that system from outside the LAN.
You can separate network resources through a number of measures. You can set
up the firewall router to decline any access through the router to that server's IP or
IPX address. If the server doesn't require IP, you can remove that protocol. You can
set up the server to disallow access outside normal working hours. Depending on the
network operating system running on the server, you can restrict access to Ethernet MAC
addresses for machines on the LAN that should be able to access the server. You can also
set the server to allow each user only one login to the server at a time. The specific steps
that you can take depend on the server in question and its network operating system, but
the principle holds true: Segregate internal resources from external resources whenever
possible.
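As an added illustration that is not part of the chapter, the following Python sketch stacks the server-side checks just described (LAN-only source, MAC allow-list, working hours, one login per user) so that each connection attempt is refused at the first layer it fails; the addresses, MACs and hours are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample policy for an internal accounting server. All values
# below are hypothetical placeholders, not taken from the chapter.
LAN = ip_network("192.168.10.0/24")                        # only LAN clients may reach the server
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # workstations permitted to connect
WORK_HOURS = range(8, 18)                                  # 08:00-17:59, Monday to Friday
MAX_SESSIONS_PER_USER = 1                                  # one login per user at a time


@dataclass
class AccountingServerPolicy:
    """Layered access checks: source network, MAC, hours, concurrent logins."""
    active_sessions: dict = field(default_factory=dict)   # user -> number of open logins

    def check(self, user, src_ip, src_mac, when):
        """Return (allowed, reason); every denial names the layer that refused."""
        if ip_address(src_ip) not in LAN:
            return False, "source outside LAN (blocked at router)"
        if src_mac.lower() not in ALLOWED_MACS:
            return False, "MAC address not on server allow-list"
        if when.weekday() > 4 or when.hour not in WORK_HOURS:
            return False, "outside normal working hours"
        if self.active_sessions.get(user, 0) >= MAX_SESSIONS_PER_USER:
            return False, "user already has an active login"
        self.active_sessions[user] = self.active_sessions.get(user, 0) + 1
        return True, "access granted"

    def logout(self, user):
        """Release one of the user's sessions so a fresh login is possible."""
        if self.active_sessions.get(user, 0) > 0:
            self.active_sessions[user] -= 1
```

Logging the reason string on every refusal gives the server a usable record of which layer is being probed.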
Here are some other steps you might take to stymie front-door threats:
Control which users can access the LAN from outside the LAN. For example, you might be running VPN software for your traveling or home-based users to access the LAN remotely through the Internet. You should enable this access only for users who need it and not for everyone.

Consider setting up remote access accounts for remote users that are separate from their normal accounts, and make these accounts more restrictive than their normal LAN accounts. This might not be practicable in all cases, but it's a strategy that can help, particularly for users who normally have broad LAN security clearances.

For modems that users dial in to from a fixed location, such as from their homes, set up their accounts to use dial-back. Dial-back is a feature whereby you securely enter the phone number of the system from which users are calling (such as their home phone numbers). When the users want to connect, they dial the system, request access, and then the remote access system terminates the connection and dials the preprogrammed phone number to make the real connection. Their computer answers the call and then proceeds to connect them normally. Someone trying to access the system from another phone number won't be able to get in if you have dial-back enabled.

If employees with broad access leave the company, review user accounts where they might have known the password. Consider forcing an immediate password change to such accounts once the employees are gone.
NOTE
An important aspect of both internal and external security is physical security. Make sure
that the room in which your servers are located is physically locked and secure.
People trying to access the network who have not been associated with the company
at some point often try a technique euphemistically called social engineering, which is
where they use nontechnological methods to learn user accounts and passwords inside
the company. These techniques are most dangerous in larger companies, where not all