3.2 Protecting Networks - Managerial Controls and Wireless Security
Securing a network effectively requires a combination of robust technical configurations and clear, enforceable managerial controls. These policies provide the framework for how network devices should be configured and how users should interact with the network.
Managerial controls are essential for establishing a baseline of security across the organization. Key policies related to network security include:
- Router Security Policy: This policy defines the minimum configuration standards for all routers on the network. It may include requirements such as disabling unnecessary and insecure services like Telnet, banning the use of local user accounts in favor of centralized authentication, and mandating specific firewall configurations.
- Switch Security Policy: This policy governs the configuration of network switches. It often requires that port security be enabled to prevent unauthorized devices from connecting to the network and may mandate the use of MAC filtering to restrict access to known devices.
- Virtual Private Network (VPN) Policy: For organizations that allow remote access, this policy details the security requirements for using a VPN. It specifies which roles are permitted to use the VPN, the required authentication methods (such as MFA), and often prohibits split tunneling, a practice in which a user's traffic is sent over both the secure VPN and an unsecured public network at the same time.
- Wireless Security Policy: This policy sets the standards for all wireless networks within the organization. It typically requires strong encryption (like WPA3), mandates that users authenticate through a centralized server using a protocol like EAP (Extensible Authentication Protocol), and may require that SSID broadcasting in beacon frames be disabled to make the network less visible to outsiders.
In addition to these policies, specific technical configurations must be implemented to secure wireless networks. To make a wireless network harder for an adversary to discover, organizations can stop access points from broadcasting the network's name (SSID) in their beacon frames. They can also carefully manage the signal strength and direction of wireless access points (WAPs) to ensure the Wi-Fi signal does not bleed unnecessarily outside the physical boundaries of the building.
The most critical aspect of wireless security is encryption. All wireless traffic should be protected with a strong encryption protocol. Older protocols like WEP, WPS, and the original WPA have known vulnerabilities and should never be used. WPA3 is the current industry standard and provides the strongest level of security for wireless data in transit.
Finally, access to the wireless network should be strictly controlled. Organizations should require users to authenticate before joining, ideally using a centralized system that can be managed and monitored. MAC filtering can provide an additional layer of security by creating an allow-list of devices permitted to connect to the network, though it should not be relied upon as the sole method of protection, as MAC addresses can be spoofed.
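The wireless requirements above (no WEP, WPS or original WPA; WPA3; centralized EAP authentication; hidden SSID) can be checked automatically against an access point's configuration. The following is an added example, not part of the original material: it assumes hostapd-style `key=value` configuration files, assumes that the listed key-management values together with required management frame protection (`ieee80211w=2`) represent WPA3, and uses constructed sample configs with a documentation-range RADIUS address.

```python
# Constructed sample configs (hostapd-style key=value); not from a real network.
WEAK = """ssid=corp-wifi
wpa=3
wpa_key_mgmt=WPA-PSK
wps_state=2
"""
HARDENED = """ssid=corp-wifi
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP-SHA256
ieee80211w=2
ieee8021x=1
auth_server_addr=192.0.2.10
wps_state=0
"""
EAP_AKMS = {"WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}  # assumption: WPA3-Enterprise key management

def parse_conf(text):  # key=value lines; blanks and # comments are skipped
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return the wireless-policy findings for one access point config."""
    c = parse_conf(text)
    wpa = int(c.get("wpa", "0"))          # bit 0 = original WPA, bit 1 = WPA2/WPA3 (RSN)
    akms = set(c.get("wpa_key_mgmt", "").split())
    findings = []
    if any(key.startswith("wep_") for key in c):
        findings.append("WEP keys configured")
    if wpa & 1:
        findings.append("original WPA enabled")
    if c.get("wps_state", "0") != "0":
        findings.append("WPS enabled")
    wpa3_akms = bool(akms) and akms <= (EAP_AKMS | {"SAE"})
    if not (wpa & 2 and wpa3_akms and c.get("ieee80211w") == "2"):
        findings.append("not WPA3-only")
    if not (akms & EAP_AKMS and c.get("ieee8021x") == "1" and "auth_server_addr" in c):
        findings.append("no centralized EAP authentication")
    if c.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast in beacons")
    return findings

if __name__ == "__main__":
    print({"weak": audit(WEAK), "hardened": audit(HARDENED)})
```

A check like this fits in a configuration review or deployment pipeline, so that an access point that drifts from the wireless security policy is flagged before it goes into service.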