Limiting Network Access to Computers and Mobile Devices
Keeping personal networks safe
This topic is intended to provide you with information about how networks should be set up to ensure that your systems and the information they hold are safe. Since the University’s managed networks have been implemented with the considerations contained on this page in mind, your use of the University’s network may not require you to personally take any of the actions described below. However, when you use computers that hold or that can access University data from home or any other off-campus venue that you manage, it is important that you understand the following precautions and apply them appropriately.
Make sure your firewall is turned on and configured appropriately
Most computer systems are delivered with built in firewall software. When you think in terms of a physical building, a firewall is designed to resist the passage of something undesirable, i.e., a fire, from one side to the other. In technology, a network firewall serves a similar purpose. A network firewall is a device that is designed to resist the passage of undesirable network traffic from one side to another.
Out of the box, most computers come with firewall software already installed. If it is activated, it is usually configured to block other devices from initiating any conversations with your computer. This is not a hardship for a vast majority of computer users since most of our interactions with the Internet are us “calling out” to other devices, e.g., our e-mail server, web sites, application systems, rather than some other computer "calling in".
Having the firewall activated and configured as such will reduce the risk of someone on the Internet exploiting any flaws in your system, since the firewall software won’t allow any external connection requests to occur.
Some software-based firewalls also have the ability to stop specific application programs on your system from initiating connections with devices on the Internet. This is done in case a piece of malware is installed on your computer or one of the application programs on your system becomes infected and begins to attack other systems. Usually, the firewall software's default configuration allows known Internet-facing applications on your computer, e.g., your web browser, e-mail client, etc., to communicate with other devices.
For most users, having the firewall active even without configuration changes goes a long way in protecting your system and the information it holds.
Some individuals who manage their own networks, add a physical network firewall to their computing environment. Physical firewalls can provide additional resistance to network attacks, since an attacker would need to penetrate two distinct devices to compromise your system.
Limit your system’s ability to be “discovered” on your home wired or wireless network
To facilitate the sharing of your information across multiple devices on your network, many operating systems, like Windows, Mac OS X, have built-in “discovery” functionality built in, where the computers on your network basically tell each other that they are online. It is important to note that if discovery is turned off, your devices can still communicate with each other – they just cannot be picked from a list but must be selected by entering their assigned computer names.
The benefit of turning off discovery, particularly in wireless environments, is that an intruder who has managed to join your network will not be able to see what devices are available to be attacked.
Effectively manage your wireless routers
Change your wireless router's default password
One if the first things you should do when setting up your wireless router is to replace its extremely well-known default password with a strong one. If you leave the default password in place, anyone who can connect to your device can undo all of the router's security controls that you put in place.
What wireless protocol should be used for your home network?
At this point, most individuals have had some experience in setting up their computers and mobile devices to work with wireless routers at home. However, it is important to note that the devices must be configured properly to be used securely. Part of the wireless router setup process is to select a communications protocol to be used between the router and the computers and mobile devices that will use it. The protocols that may be provided by the router include:
- Open Access – any wireless computer or mobile device can connect to the router with no validation. This should only be used for truly public environments where you believe that anyone within range should be able to connect.
- WEP (Wired Equivalent Privacy) – any device that is configured with a shared key may use the router. The protocol relies on weak encryption methods for privacy, and should be considered obsolete and not used except in cases where the following stronger protocols are not provided.
- WPA and WPA2 (Wi-Fi Protected Access) – these methods also use shared key to authenticate computers and mobile devices that are attempting to connect, but the security controls built into the protocol are far stronger than WEP.
If your wireless router allows you to choose the encryption method that will be used, it is recommended that you use AES encryption (Advanced Encryption Standard). For home use, WPA2 with AES encryption using at least a 256 bit key is the best choice at this time. Using the other protocols may put the systems that legitimately use your router at risk.
Having your wireless router broadcast its identity – or not
Wireless routers will typically broadcast the network name that you set up when configuring the device, so that computers and mobile devices can select the router from a broadcast list when they need to connect. This name is called the “SSID” (Service Set Identifier).
You can configure your router not to broadcast its SSID to keep your network anonymous. If you use this technique, all you need to do to connect is to enter the router’s SSID into your computer’s or mobile device's networking configuration along with its associated shared key. Since these values can be saved on your device, setting up your router to hide itself in this way should not pose much of a hardship and can provide an extra layer of security against an attack targeting your network.
Configuring your wireless router to authenticate each device attempting to connect by its hardware address?
Some wireless routers can be set up to allow only devices whose network hardware address (a.k.a. “MAC address”) is equal to one of the network hardware addresses in an approved list that you set up. While this option would provide a high level of security, it does involve the manual entry of hardware addresses into the wireless router configuration each time you would like a new device to join your network. Using a WPA2 with AES encryption and a strong shared key provides sufficient protection in most cases.
Enhancing security further by adding an intrusion prevention solution
An intrusion prevention product can be thought of as anti-virus for network traffic. Whereas anti-virus software inspects applications and documents for viruses and other forms of malware on your computing devices, intrusion prevention products inspect the data coming in from the network for known attack patterns. Intrusion prevention solutions are not included as part of most standard computer operating systems, so while intrusion protection solutions can provide an excellent, additional layer of protection, purchasing and annual subscription costs should be weighed against the sensitivity of the information that is being processed and stored on your systems.