Question

You are a systems engineer and your new company Sundial decides to connect your company network to the Internet for the first time. Describe precautions you might recommend they take prior to implementing the solution and draw a design/architecture that would be appropriate

Answer 1

Before connecting to the internet, some basic precautions need to be taken:

1. Use stronger encryption
   • It's essential to use some variant of WPA (Wi-Fi Protected Access) protection, either WPA or the newer WPA2 standard.
   • For smaller companies and households, it may be practical to use WPA with a pre-shared key. That means that all employees or family members use the same password to connect, and network security depends on them not sharing the password with outsiders.
   • The password should be changed every time an employee leaves the company.
2. Use a secure WPA password
   • ​​​​​​​Make sure that any password (or passphrase) that protects your Wi-Fi network is long and random so it can't be cracked by a determined hacker.

3. Check for rogue Wi-Fi access points

   • ​​​​​​​Rogue access points present a huge security risk. These aren't any company's "official" Wi-Fi access points, but ones that have been brought in by employees (perhaps because they can't get a good Wi-Fi signal in their office) or conceivably by hackers who have entered the building and surreptitiously connected one to an Ethernet point and hidden it.

   • To detect rogue access points we need to scan the office and the area around it on a regular basis using a laptop or mobile device equipped with suitable software such as Vistumbler (a wireless network scanner) or airodump-ng. These programs allow the laptop to "sniff" the airwaves to detect any wireless traffic travelling to or from a rogue access point and help identify where they are located.

4. Provide a separate network for guests

   • ​​​​​​​If we want to allow visitors to use the Wi-Fi, it's sensible to offer a guest network. This means that they can connect to the internet without getting access to the company's or family's internal network.

   • One way to do this is by using a separate internet connection with its own wireless access point. In fact, this is rarely necessary as most business-grade wireless routers have the capability of running two Wi-Fi networks at once - the main network, and another for guests (often with the SSID "Guest".)

5. Hide the network name

   • ​​​​​​​Wi-Fi access points are usually configured by default to broadcast the name of the wireless network - known as the service set identifier, or SSID - to make it easy to find and connect to. But the SSID can be also be set to "hidden" so that anyone wanting to connect has to know the name of the network before they can connect to it.

   • It's important to note that hiding the SSID should never be the only measure one take to secure the Wi-Fi network because hackers using Wi-Fi scanning tools like airodump-ng can still detect the network and its SSID even when it is set to "hidden."

6. Use a firewall

   • ​​​​​​​Hardware firewalls provide the first line of defence against attacks coming from outside of the network, and most routers have firewalls built into them, which check data coming into and going out and block any suspicious activity. The devices are usually set with reasonable defaults that ensure they do a decent job.

7. Enable MAC authentication for the users

   • ​​​​​​​We can limit who accesses your wireless network even further by only allowing certain devices to connect to it and barring the rest. Each wireless device will have a unique serial number known as a MAC address, and MAC authentication only allows access to the network from a set of addresses defined by the administrator.

   • This prevents unauthorised devices from accessing network resources and acts as an additional obstacle for hackers who might want to penetrate your network.

8. Use a VPN

   • ​​​​​​​A VPN or virtual private network will help one stay safe and secure online while above all keeping their private stuff private. They keep one's data hidden from prying eyes one end to the other by encrypting it. In theory, hackers could penetrate their network and they'd still not be able to do any harm to their system assuming that a VPN is running permanently.