SolarWinds MSP is becoming N-able

Read more
Backup data container archiving

Business IT providers and MSPs must design secure networks

Imagine a scenario in which one of your employees is sitting at their desk, diligently working on a document when they receive an urgent call from the “IT Department.” They’re told that their system has been compromised, and they need to take immediate corrective action to save their company (and their job) from ruin. So, the employee dutifully hands over highly confidential information like IP addresses and passwords, for how could they not trust the IT Department in an emergency? This results in a malicious and devastating cyberattack on the company’s core assets.

This risk and others can be mitigated with the right measures.

It support person working with laptop

First: inventory systems and policies

Think of this as examining the two great physical assets most organizations possess: their systems and their people.

  • Examine systems (on-site or off) to document what assets you manage. Many IT managers are shocked at what they find (e.g., applications that are not currently in use or servers that are extremely under allocated). As the MSP or IT provider, you need this information, and it will likely enlighten your client as well.
  • Interview employees to learn what they know and what kind of guidance they’ve received. What policy documentation is in place? What kind of training on IT security have they received?

A systems inventory is critical, for how you can protect assets you didn’t know you have? And how can you optimize environments without knowing what they contain?

Policies and training are also important, as employees are often the “weakest link”, and are the least controllable asset in a company’s possession.

Backup - data protection

Second: workshop needs & plans

This is a step that is easily missed, and it’s the job of the MSP to point out to upper management that there is a need for your services. When MSPs point out a need, they also need to provide the solution. Once there is buy-in from the decision makers, MSPs need to communicate what needs to be done, the steps to do it, and any internal resources that are needed for alignment and execution.

The best way to do this is:

  • Interview key management
  • Run workshops with managers

Carefully document these meetings and ask management to review and approve your mutual conclusions.

IT support - girl working on laptop

Third: audit to identify vulnerabilities

To prevent intrusions to your clients’ networks, it is critical that an audit is executed. Security gaps need to be identified, defined, and classified in terms of severity.

An audit accomplishes many things, including the following:

  • Provides the most comprehensive understanding of your overall security posture
  • Prioritizes risks and fixes to those risks to reduce exposure
  • Increases the integrity of your entire environment (physical assets and employees)
Fast ticketing for IT company

Get comprehensive layered security with N-able

After you’ve extracted as much value from the above plan, the next step in keeping your network secure is the use of multiple layers of protection to shield your assets from intrusion.

Problem Solution
Sophisticated layered IT security is expensive. Uncover risk exposure with Risk Intelligence to help mitigate costs.
User base is visiting malware sites. Use the blocklist web protection feature to enforce browsing policies.
New malicious software is created daily. Deploy managed antivirus for leading malware detection.
Software requires frequent security patches. Use patch management to stay up-to-date.
Hackers attack email often by using spear-phishing. Use Mail Assure or the mail protection feature in RMM to aggressively combat spam, malware, ransomware, and phishing.
If there is an intrusion after taking all precautions, there needs to be quick, reliable recovery. Recover quickly after disasters with Backup, which is optimized for data recovery.

 

Risk Intelligence scans for three types of threats:

  • Sensitive data
  • Vulnerabilities
  • Unapproved access permissions

It also assesses an exact cost for the level of liability a client is assuming in their environment.

Focus on these areas for a secure network design

Frequently Asked Questions

Physical security

Physical security

You might not chart physical security on a technical diagram, but physical security policy needs to be as specific as possible and communicated broadly – especially when the policy changes.

  • Organizations should set terms for accessing physical assets (stationary, like servers, or mobile, like cell phones and tablets).
  • Policy documents should be tailored to those employees that have a need to access the hardware. Non-eligible employees should be alerted by emphasizing consequences for non-compliance.
  • Technologies that enhance physical security include RFID cards, premium locks, fingerprint reading devices, PIN pads, and retinal scanners. Management may need to be advised that the company should not skimp on purchasing quality devices to enhance physical security.

Not to be overlooked: Any physical protection guarding sensitive areas around servers that hold critical business data.

  • If servers are off-site, the facility should provide documents containing their most recent security audits.
  • If servers are on site, multiple barriers to entry need to be created to protect data.

Unapproved access to encryption codes, network schemes, IP addresses, or administrative user IDs and passwords could have a devastating effect on your company. MSPs and IT providers are encouraged to help their clients truly think through all of these physical components, even if the MSPs rarely visit the physical business location.

Get into VLANS with subnets and QoS

Get into VLANS with subnets and QoS

VLAN (Virtual Local Area Network) refers to the splitting off of devices in your clients’ network infrastructure logically, while keeping them unchanged physically. VLANs can reduce the overhead of the network, make administration easier, and improve security.

Add subnets

A subnet is like a VLAN in that it is also a logical separation in the network. Any network that has just one subnet in which a device is compromised, has all devices compromised. This compromise could be a virus or a hacker. If this happens, you’ll try to recover this one subnet all at once, but by the time you’ve secured one device, more may be compromised.

Subnets break the network into more places in which you can secure or segregate. These can take the form of packet filters or complete firewalls. IDS (Intrusion detection systems) have less work to do as there is less traffic to track.

Any intrusions into subnets are going to be more isolated and easier to troubleshoot. You can shut down access from that subnet to the rest of the network, for example, to prevent a virus or hacker from spreading. It is generally a good idea to have your most sensitive data, that from the HR and finance departments, on their own networks. This gives you far more control on machines with critical data.

Engage QoS

Quality of Service (QoS) is the third element to implement in a secure network design.

QoS acts like a traffic cop (within routers and switches) by giving priority for some VLANs over others. This is important not just for security, but also for any VoIP (Voice over IP) implementations. This is because, without QoS, latency can degrade the transmission of VoIP until dropped calls and other issues develop. QoS can hold the “stop” sign to data traffic to enable full transmission of voice data.

Add more and better firewalls

Add more and better firewalls

Firewalls direct traffic like QoS; they’re just a bit more definitive. Rather than focus on priority, they give the “thumbs up” or “thumbs down” sign to traffic based on preset parameters.

Firewalls should not be used just for perimeters — they should wall off any critical data in the network, even a single server. Your HR and Finance department servers might be good places to implement firewalls.

Use the DMZ

Use the DMZ

In computer security, a DMZ or demilitarized zone is a subnetwork that exposes a company’s external-facing offerings to a larger, less trusted network (typically the internet).

Some obvious examples are websites and email systems. By isolating these systems, you’re reducing the number of the overall assets or services that need to be managed securely. This can substantially lighten your administrative load and enhance security.

Design for hierarchy

Design for hierarchy

The prototype for network hierarchy is the three-layer (or three-tier) model. It has been adopted industry wide as a model for being reliable, scalable, and cost-efficient. The three-layer design includes:

  • Core
  • Distribution
  • Access

This allows for data to take a direct path to a particular layer, which improves efficiency and adds another layer of security.

Add port security

Add port security

Port security is a capability in most switches that gives a device permission to use that switch. When the switch flags a violation, it can automatically shut down by disabling that port to further network access.

Port security allows for the limiting of both the number and type of devices that are allowed on the individual switch ports.

Evaluate wireless

Evaluate wireless

Wireless security has become a critical IT priority due to its growth and importance. Smart phones, tablets, and mobile POS (point of sale) devices have overtaken previous fixed wire technologies, yet have brought a new level of vulnerability to organizations deploying them. You’ve got to protect against basic intrusions into the network to safeguard cardholder data, critical network data, and every user’s privacy.

Depending on the size and scope of your wireless network, you may decide to pursue the following:

  • Strategy plan for overall wireless security
  • Risk/compliance plan to help you manage risk vis-à-vis regulatory requirements
  • Threat management investigation including a thorough wireless security assessment
  • Incident management plan, detailing how you’ll respond to incidents
  • Architecture evaluation to assess your current plan and draft improvements
  • Training and awareness to address the human behavior (to help reduce risk)
  • Identity and access management plan so only trusted users (employees/partners/consumers) can efficiently access services on your network using approved wireless devices

About N-able

  • Provides the best IT security available today, with a mix of proactive, detective, and reactive security
  • Deployed on millions of endpoints across hundreds of thousands of networks
  • Get access to the many tools that make designing a secure network easier and more efficient