Network cybersecurity is a broad topic, but here we’ll talk about ways to improve the security of your enterprise networks.
These concepts include strengthening WiFi and VPN networks, establishing more secure connections to sensitive data, and dividing networks with VLAN segmentation.
WiFi Network Security
A best practice in WiFi network security is requiring unique credentials for each user, rather than using shared credentials (or none at all). Admins can achieve this through the use of RADIUS, which enables centralized authentication to various networking infrastructure points, including WAPs.
Through RADIUS, users are required to enter their core credentials to access the company network, rather than using shared credentials that are passed around the office. This approach reduces the chance that a bad actor can easily get a set of credentials and use the office WiFi to expose organizational data. Further, admins can quickly administer and revoke WiFi access from their central identity provider.
IT organizations can spin up a RADIUS server themselves or seek a RADIUS-as-a-Service provider to host the server for them, which allows them to achieve the same capabilities without the configuration and upkeep work.
VPN and SSH Key Security
Admins should also urge employees to use only secure networks and not do sensitive work over open networks, such as from the corner coffee shop. If for any reason employees need to use a public network, though, VPNs help protect against the vulnerabilities associated with them. VPNs allow users to create a secure connection regardless of where they’re working.
VPNs don’t just obscure network traffic on public WiFi networks — they’re also used to securely connect users to production servers in the cloud. VPNs are an important tool for users to connect securely to servers in AWS®, GCP™, and other Infrastructure-as-a-Service providers. Admins who route VPN authentication through a RADIUS or LDAP identity provider ensure, again, that users enter their unique credentials for access.
In addition to providing VPN access in the first place, particularly for DevOps teams, admins can require multi-factor authentication (MFA) to provide an added layer to ward against VPN compromise. That way, even if a bad actor gets ahold of a user’s credentials, they can’t access production servers or other critical data.
SSH keys, too, lock down access to cloud servers and other remote resources through public/private key pairs. Organizations need SSH key management policies and a solution to distribute and retain visibility of those keys.
Network Virtualization: VLAN Segmentation
Another networking security method is VLAN tagging, which allows admins to segment networks and tighten access. For example, access to certain IT resources could be allowed through only one segment of the network, and only certain users (i.e. one department in an organization) could have access to that segment.
This is typically done through a RADIUS server, too, and by creating separate VLANs within your network through wireless access points and switches by assigning RADIUS reply attributes to users.
A Comprehensive Approach to Cybersecurity
Fundamentally, the key to cybersecurity and networking is a centralized identity and access management provider. Security comes down to verifying users are who they say they are, ensuring they use secure and clean devices, providing secure access only to the authorized resources they need for their specific roles, and creating a secure tunnel/network to connect to those IT resources — which is best achieved through a central IAM solution capable of authentication and authorization across resources.
From this type of solution, admins have one place to centrally manage all aspects of user access in their environment.
If you’d like to get a more holistic view of cybersecurity, including frameworks to guide your work and advice on employee training programs, browse our cybersecurity due diligence checklist next.