Chances are you're also counting in your head right now, "We have this many employees, so that will be about...".
You can hardly overestimate the final number. Or do you know exactly how many network printers, smartphones, tablets, IoT devices, smart presentation screens, VoIP and conferencing tools, camera systems, smart speakers, smart watches, access points, switches, servers, smart switches, virtualized devices, firewalls... are in your network?
We regularly find that network administrators dramatically underestimate this figure. That is alarming, because any network device can be an attack vector. To secure your network properly, you will have to take at least 4 factors into account.
1. NAC with Conditional Access
To measure is to know. Network Access Control (NAC) maps the hundreds, if not thousands, of devices within your network. You can protect them and grant or revoke their access to the network. Doing this manually is virtually impossible. Fortunately, with NAC you can define the conditions yourself and let the process run automatically. For example, the NAC can check:
- Is it in your domain?
- In the right VLAN?
- Are the right certificates present?
- Have all the patches been applied?
- Are the antivirus and EDR active?
- Where is the device located?
A device outside your NAC that wants to connect to your internet (e.g. visitors or a colleague's smartwatch) is either refused by definition, or cannot connect to your company network anyway.
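To make the conditional-access idea concrete, here is an added example (not the vendor's product or code) of a minimal NAC posture policy: it takes the checks listed above as device attributes and returns allow, quarantine (a remediation VLAN where only patching is reachable) or deny. The VLAN ids, location names and the three sample devices are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Device:
    name: str
    domain_joined: bool      # "Is it in your domain?"
    vlan: int                # "In the right VLAN?"
    has_valid_cert: bool     # "Are the right certificates present?"
    patches_current: bool    # "Have all the patches been applied?"
    av_edr_active: bool      # "Are the antivirus and EDR active?"
    location: str            # "Where is the device located?"

# Assumed values for this example: corporate VLANs, a remediation VLAN
# that only reaches the patch servers, and the locations we trust.
CORPORATE_VLANS = {10, 20}
QUARANTINE_VLAN = 999
TRUSTED_LOCATIONS = {"office", "vpn"}

def evaluate(device: Device) -> Tuple[str, Optional[int]]:
    """Return (decision, vlan); decision is 'allow', 'quarantine' or 'deny'.

    Devices the NAC does not know (not domain-joined, no valid certificate)
    are refused outright, like the visitor or smartwatch case above. Known
    devices that fail a posture check are moved to the remediation VLAN
    instead of being denied, so they can fetch the missing patches.
    """
    if not device.domain_joined or not device.has_valid_cert:
        return ("deny", None)
    if device.location not in TRUSTED_LOCATIONS:
        return ("deny", None)
    if not device.patches_current or not device.av_edr_active:
        return ("quarantine", QUARANTINE_VLAN)
    if device.vlan not in CORPORATE_VLANS:
        # Known and healthy but plugged into the wrong segment: re-home it.
        return ("quarantine", QUARANTINE_VLAN)
    return ("allow", device.vlan)

# Constructed sample devices: a healthy laptop, a colleague's smartwatch
# that is not managed at all, and a laptop that missed its patch cycle.
SAMPLE_DEVICES = [
    Device("laptop-01", True, 10, True, True, True, "office"),
    Device("smartwatch", False, 10, False, False, False, "office"),
    Device("laptop-02", True, 20, True, False, True, "vpn"),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.name, evaluate(d))
```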
2. Deep Packet Inspection
With deep scan (Deep Packet Inspection), the network traffic of all devices is routed through your firewall, where it is inspected and checked for malware or suspicious actions. However, encrypted SSL/TLS traffic cannot simply be inspected, and that is easily 70% of all traffic in your network. With a well-designed NAC, your firewall can inspect and secure the encrypted traffic of known devices, because in that case you manage the certificates yourself.
Encrypted traffic from visitors or external devices that are not within NAC, on the other hand, cannot be inspected.
3. Patch management
Now that all devices in your network are known, it is of the utmost importance to keep their software and firmware up to date. You want to avoid at all costs that a known vulnerability, for which a patch has been available for some time, is exploited by hackers or ransomware to gain access to your company network.
Updating all your devices manually as soon as a new patch is released is a gigantic, never-ending task. Thanks to patch management, this can be done largely automatically. You can find this service in our Managed Services. Of course, there are also vulnerabilities for which no patch exists yet, the so-called zero-days. You can read here how to protect yourself against these as well as possible.
Now that all devices in the network are known and optimally protected, there is only one additional security measure left.
4. Multi-Factor Authentication
How can you be sure that the people using the devices or services are indeed your colleagues? Passwords are a weak point: they can be leaked, guessed or brute-forced, and people often reuse the same password...
You can set up stricter password policies, but this is often counterproductive (post-its...) and causes a lot of frustration and lost time. The best solution is Multi-Factor Authentication (MFA). Users have to log in with 2 or more independent factors, for example:
- Their password + their fingerprint.
- Facial recognition + a temporary, uniquely generated code on their smartphone.
- A smartcard + facial recognition + a PIN code.
A hacker still can't log in this way, even with a colleague's stolen device, the right credentials and physical access within your company walls.
Of course, there are still plenty of ways to make your network even more secure, but these tips will get you a long way. Would you like to know how we can completely map out your network and/or how you can configure all these other things? Then we would like to help you.