Connected Office Business Organization Solutions Engineering

White Paper: Network Security for the Small Business
EDCS-580528 v1.0

Corporate Headquarters
Linksys, a Division of Cisco
121 Theory
Irvine, CA 92617-3045 USA
http://www.linksys.com
Tel: (800) 546-5797
(800) 326-7114 (Technical Support)
Fax: (949) 823-3007
© 2006 Linksys, a Division of Cisco Systems, Inc.



White Paper: Network Security LINKSYS © 2007


A printed copy of this document is considered uncontrolled

Contents

Introduction
  Audience
  Scope
  Related Documents
Network Security Overview
Security Concepts and Technologies
  Perimeter Security
    Network Address Port Translation (NAPT)
    Firewall
    Port Forwarding and Demilitarized Zone (DMZ) Host
    Access Control Lists
  Data Privacy
    Wireless Security
      SSID Broadcast
      Inter-Client Privacy
      Authentication and Encryption
      Pre-Shared Key (PSK)
      MAC Address Filtering
      Encryption
    Virtual Private Network (VPN)
      Site-to-Site VPN
      Remote Access VPN
  Administration Control
    Passwords
    Remote Access
  Network Monitoring
    Intrusion Detection and Protection System (IDS/IPS)
    Wireless Security Monitoring
    Logging
Conclusion


Introduction

Implementing network security is something that no one really likes to do. It's one of those chores that you know you need to do, but it takes time and effort. Unfortunately, the threats to your network are real and typically go undetected until it's too late. The attacks are varied and go by a number of popular names: computer virus, worm, denial of service, Trojan horse, port scanning and many others. Usually, it boils down to the motivations of a common criminal: stealing personal or business information for their own use, vandalizing a web site or corrupting data on a hard drive, or degrading or disrupting service. Figure 1 below highlights some of the common attacks and the vulnerable points of a typical network.

Figure 1 - Example Network Showing Points of Vulnerability

Linksys Business Series products provide a number of sophisticated security features that help protect the computing assets of the small business. The products come from the factory already configured with most of the security features enabled and working out of the box. For those features requiring user configuration, a set of simple menus helps guide the user and instill confidence that the user's network is secure. This white paper uses an example network built from Linksys Business Series products to illustrate how the small business can take advantage of the inherent security features built into the products to protect their network from attack.

Audience

This publication is intended to provide guidance to Linksys customers, value added resellers (VARs), Linksys network design engineers and network managers responsible for integrating network security technology into an existing IP infrastructure or building new solutions.

[Figure 1 diagram labels: Internet, Modem, RVS4000 Router, SRW2024P Switch, WAP200 Wireless AP, Lobby Phone, Mobile User; Public and Private sides; attacks shown: virus, worms, Trojan horses, denial of service attack, eavesdropping, port scanning, break-in via publicly accessible connection, eavesdropping and break-in via unprotected wireless AP, hijacking the network.]

Scope

This white paper is focused on securing the network of a Small- to Medium-sized business with fewer than 100 employees, and uses an example set of products from the Linksys Business Series family. This paper is written with the layperson in mind and with enough technical detail that the reader should be able to apply the concepts to their own network. Technical terminology is either defined within the paper or avoided whenever possible. Although this paper covers most security concepts and the technologies available within the products, follow-on papers will cover advanced security deployments or other unique environments that may require alternative ways of using the products and technologies for that environment. The security concepts and their underlying technologies covered in the paper are as follows:

• Perimeter Security
    Network Address Port Translation (NAPT)
    Firewall
    Port Forwarding and Demilitarized Zone (DMZ) Host
    Access Control List (ACL)

• Data Privacy
    Wireless Security
    Virtual Private Network (VPN)

• Administration Control
    Passwords
    Remote Login

• Network Monitoring
    Intrusion Detection and Protection Systems (IDS/IPS)
    Wireless Security Monitoring
    Logging

For specific instructions on using the features illustrated in this white paper, please refer to the specific product user manuals found on the Linksys web site (www.linksys.com).

Related Documents

[1] Linksys Business Series Reference Network Architecture [EDCS-579560 V1.0]

Network Security Overview

Before getting started on defining network security concepts and technologies, first a network connection diagram is in order to orient the user as to where network security is applied. Figure 2 below shows a typical network connection diagram where there is a RVS4000 router (sometimes routers are called gateways) that connects to the Internet Service Provider’s cable or DSL modem. This connection is on the “Public” side of the network. The “Private” side of the network is where a SRW2024P switch provides a fan-out connection to office equipment like PCs, IP Telephones, and Printers. Also shown connected to the switch is a WAP200 wireless Access Point (AP). The Access Point provides the wireless connection to the private network for devices like laptop computers, PDAs, wireless IP phones and cameras.


Note: Throughout this paper, references to the terms devices or computers can be considered interchangeable since, from a networking perspective, they behave similarly.

It should be noted that although it is not explicitly pointed out in this diagram, there are other possible entry points into the private network. For example, there may be an IP telephone placed in the lobby for customer convenience that has a connection into the private network, as well as wireless access that extends outside the business's walls and into the parking lot. Network security, as you will see, is achieved not by a single technology or tool, but by a combination of technologies working together. The following sections walk through these technologies and describe how they are used to thwart network security breaches.

Figure 2 - Network Connection Diagram

Security Concepts and Technologies

Perimeter Security

The goal of applying network security is to keep the "Private" side of the network insulated from the "Public" while not impeding access to the "Public." Sitting between the "Public" and "Private" networks is the RVS4000 router. This is where we will start to describe the things that need to be done to protect that border. First, we'll discuss how device addresses are used and translated as they cross the border and how a firewall keeps the public out of your network. Then we will discuss how the Port Forwarding and Demilitarized Zone Host features can give the public access to an internal web server that needs protection but must still be reachable from the Internet.

Network Address Port Translation (NAPT)

Computers and other devices that connect to the Internet use numeric addresses for identification. The underlying set of rules that govern how these devices communicate with each other using these addresses is called the Internet Protocol or IP for short.


Communication on the Internet is similar to that of the postal service, except the Internet uses IP addresses (instead of street addresses) as the source and destination of the information packets that are sent between computers. As Figure 3 shows, the Internet Service Provider (ISP) assigns the RVS4000 router's public interface a single IP address that represents your private network's communication to the rest of the world. On the private side of the network, the RVS4000 is shipped from the factory with the proper settings to automatically provide your private neighborhood of devices (e.g., computers) IP addresses upon connection. The technology that serves up the IP addresses to the connected devices is called Dynamic Host Configuration Protocol (DHCP). DHCP is also used on the RVS4000's public interface to receive the IP address from the ISP's DHCP server. The IP addresses provided to the local computers are assigned from a special pool that is reserved for "Private" networks (the 192.168.1.x addresses in Figure 3, for example) and are not routed on the public Internet.

The ISP only assigns your router a single IP address for communication on the Internet and therefore, without translation, only a single computer could use that address. The RVS4000 solves this by translating not only the IP address but also the port number used for each communication session. You can think of the IP address as an apartment house address and the port number as the apartment number that the postman uses to deliver your mail. This translation is called Network Address Port Translation (NAPT). It lets multiple computers or devices share a single Internet connection, and it adds a measure of security by hiding the devices behind a single public IP address: an attacker on the Internet sees only the router's address and cannot directly address a specific device behind it. Bear in mind that this obscurity is a side effect of the translation rather than a policy; the firewall described in the next section is what actually decides which inbound traffic is allowed.
Now that you’ve grasped an understanding of address translation, you will be happy to know that the Linksys router is already pre-programmed to do address translation automatically and there is nothing for you to do.

Note: Numeric IP addresses are typically used by the computers while the more practical use of names (e.g., www.linksys.com) is used by humans. There is a sophisticated Domain Name System (DNS) that lives on the Internet that does name to IP address resolution for the computers. This again is automatically handled by the RVS4000 and the attached computers, so there is nothing that the user needs to set.

Figure 3 - Network Address Port Translation (the private IP address and port 192.168.1.2:49152 is translated by the RVS4000 to the public IP address and port 65.68.100.1:65001)

Firewall

Similar in function to the firewalls found in a home or automobile, the firewall in the RVS4000 router provides a protective barrier. The firewall allows connections originating from the "Private" network to the Internet while blocking all other unsolicited connections coming in from the Internet. Stated another way, the firewall blocks all incoming connections from the Internet except for those that are associated with a session that started from the "Private" network. The firewall senses the outbound connection from the private network and dynamically opens a hole in the firewall to allow the associated inbound traffic; once the session is finished (or has been idle long enough to time out), that hole is closed again. This capability of tracking the state of a connection is called Stateful Packet Inspection (SPI). Figure 4 shows the SPI firewall in action where a user on the private network has requested a web page from the Linksys web site. Since the connection originated on the private side of the RVS4000, the associated return traffic was allowed through to the user's PC. Conversely, an intruder trying to connect to or penetrate the RVS4000's public interface is blocked, because no private host has opened a session with the intruder's address. The firewall in the RVS4000 and all other Linksys router products is factory set with this feature already turned on. There's no need for the user to set this feature.

Figure 4 – Firewall

Port Forwarding and Demilitarized Zone (DMZ) Host

The previous sections described how Network Address Port Translation (NAPT) obscures devices on the private network from the public and how the Firewall provides a protective barrier blocking unsolicited incoming connections. What if you'd like to have a computer on your private network exposed to the Internet for, say, serving web pages or video-conferencing? There are a couple of ways to do this:

1. Port forwarding opens a permanent hole in the firewall for specific ports to be allowed through to a single computer on the private network.

2. The DMZ host feature allows all ports through to a specified computer (computers acting as a server are sometimes called hosts). Remember, ports are that extra number that is appended to the IP address.

When computers want to connect to a specific application (e.g., web server) on the remote computer, there are defined well-known ports that represent that specific application. For example, when a computer wants to connect to the Linksys web server, the address reads www.linksys.com:80. Notice the port number 80. Port number 80 has been officially assigned to the web server application. Typically, since port 80 is well-known, the web browser doesn't require the user to type in :80. It just knows to add the port to the IP request that it sends to the web server. As mentioned before, the name www.linksys.com is resolved to a numeric IP address by the computer as well.

Port forwarding and DMZ host solve the public-access-to-internal-computer problem posed by having a firewall, but they also open the private network up to potential attack. Special care must be taken on these accessible computers to prevent unauthorized use by a potential attacker. Firewalls should be installed on these computers and they should be locked down by disabling unnecessary processes and programs; a DMZ host in particular receives every port that no forwarding rule claims, so it should be hardened and patched as if it were connected directly to the Internet. There are a number of best practices in books and papers on the Internet that describe how to secure a publicly accessible computer. For Small- or Medium-sized businesses, or even Enterprises, that don't have the expertise to confidently secure a public server, outsourcing their web services, including security, makes a lot of sense. If access to the private network is required, the more restrictive port forwarding (only allowing the necessary ports) is recommended to limit the exposure of the private network.
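To make the behaviour of the last three sections concrete, here is a small Python model of the RVS4000's perimeter. It is an added example, not code from Linksys or from this paper: outbound traffic gets a NAPT mapping, the SPI firewall admits only replies that belong to a session a private host opened, a port-forwarding rule punches a permanent hole for one port, and a DMZ host receives everything else. The public address 65.68.100.1 and the private endpoint 192.168.1.2:49152 are taken from Figure 3; the remote web server 198.51.100.7, the scanner 203.0.113.9 and the internal web server 192.168.1.10 are constructed for the example, and the Router class and its methods are this example's own, not an RVS4000 interface.

```python
"""Toy model of the RVS4000 perimeter features: NAPT, the stateful (SPI)
firewall, port forwarding and the DMZ host.  Added example, not Linksys code;
all addresses and ports other than those in Figure 3 are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "65.68.100.1"   # the ISP-assigned address used in Figure 3


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A NAPT session is keyed on the full 4-tuple the private host opened.
Session = Tuple[str, int, str, int]


@dataclass
class Router:
    next_port: int = 65001                      # public ports handed out by NAPT
    sessions: Dict[Session, int] = field(default_factory=dict)  # 4-tuple -> public port
    by_port: Dict[int, Session] = field(default_factory=dict)   # public port -> 4-tuple
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # public port -> (host, port)
    dmz_host: Optional[str] = None

    def send_out(self, pkt: Packet) -> Packet:
        """Private -> Internet: rewrite the source to PUBLIC_IP:<public port>
        and remember the session so the SPI firewall can admit the reply."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return Packet(PUBLIC_IP, self.sessions[key], pkt.dst_ip, pkt.dst_port)

    def end_session(self, pkt: Packet) -> None:
        """Session finished (TCP close or idle timeout): close the hole."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.sessions.pop(key, None)
        if port is not None:
            del self.by_port[port]

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> private.  Returns the translated packet, or None if the
        firewall drops it.  Rules are checked in order."""
        # 1. SPI: only a reply from the exact remote endpoint the private host
        #    contacted may use that public port.  A scanner hitting the same
        #    port from another address is not "associated with the session".
        key = self.by_port.get(pkt.dst_port)
        if key and (key[2], key[3]) == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
        # 2. Port forwarding: a permanent hole for one public port -> one host.
        if pkt.dst_port in self.forwards:
            host, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, host, port)
        # 3. DMZ host: every remaining port is handed to the designated host.
        if self.dmz_host:
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        # 4. Anything else is unsolicited and dropped.
        return None

    def exposed_ports(self, scan_from: str = "203.0.113.9") -> List[int]:
        """What an Internet-side scan of the well-known ports would find open,
        i.e. which ports reach some private host.  scan_from is constructed."""
        return [p for p in range(1, 1024)
                if self.receive(Packet(scan_from, 40000, PUBLIC_IP, p)) is not None]


if __name__ == "__main__":
    r = Router()
    web = r.send_out(Packet("192.168.1.2", 49152, "198.51.100.7", 80))  # Figure 3
    print("outbound request seen on the Internet as", web.src_ip, web.src_port)
    print("open ports with firewall only:", r.exposed_ports())
    r.forwards[80] = ("192.168.1.10", 80)       # expose only the web server
    print("open ports after port forward:", r.exposed_ports())
    r.dmz_host = "192.168.1.10"
    print("open ports with DMZ host:", len(r.exposed_ports()))
```

Run as-is it prints the translated source, an empty port list with the firewall alone, a list containing only 80 after the port forward, and all 1023 scanned ports once a DMZ host is set, which is the difference between the two options the text recommends choosing between.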

Access Control Lists

Access Control Lists (ACLs) do what is implied by the name. That is, an ACL is a list of filters that controls access to the network. There are a number of types of ACLs and permutations of how they can be applied. ACLs may or may not go by the "ACL" name. Sometimes they are called filters, as you will encounter in the following wireless security section, or they are used as part of a specific security feature, like the port forwarding described above.

An example of how an ACL is used to secure a connection is described using the lobby phone connection to the SRW2024P switch. Figure 1 shows an IP phone designated as a lobby phone. This phone has a direct connection to the private network and resides in a publicly accessible area of the facility. Although there is a person hired to greet guests as they enter the lobby, which may act as a deterrent to an attacker, the connection to that phone should be there only for the exclusive use of that phone. In other words, a person should not be able to unplug the cable from the phone, connect it to their laptop and gain access to the private network. In addition to permanently wiring that cable to the phone so it's not easily removed, an ACL can be applied in the SRW2024P switch to only allow data to flow into the network from the hardware address that is burned into the phone at the factory (i.e., its MAC address). So if the cable is removed and a laptop is connected, any packets that are sent from the laptop's MAC address will be dropped by the switch and not allowed to enter the network.

As the ACL name implies, a list of filters can be applied to further restrict the traffic that is allowed to flow in from that connection. For example, the list could include filters to only allow audio and signaling (e.g., dialing, ringing, busy tones, etc.) packets from the MAC or IP address of the phone. Such filters matter because a MAC address is not a secret: an attacker who learns the phone's MAC address can configure a laptop to use it, so the ACL should restrict the protocols and ports as well as the source address.

Recommendation: If MAC address filtering is used, be sure to remove any stickers on the phone that show the MAC address, and also password protect the phone menu so an attacker cannot simply discover the MAC address through the phone's administration screens.
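The lobby-port ACL just described, as an added Python model that is not Linksys code and does not reproduce the SRW2024P's own ACL syntax: an ordered list of permit/deny rules on source MAC, source IP, protocol and destination port, with the usual first-match and implicit-deny semantics. The phone's MAC and IP address, the laptop's, and the choice of SIP (UDP 5060) for signaling and UDP 16384-32767 for RTP audio are constructed for the example. The last two sample frames show why the protocol and port filters matter once the MAC address has been copied; the same limitation applies to the MAC address filtering on the WAP200 discussed under Wireless Security.

```python
"""Model of an ingress ACL on the SRW2024P lobby-phone port.  Added example,
not Linksys code or its ACL syntax; addresses and port choices are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    proto: str            # "udp", "tcp", "arp", ...
    dst_port: int = 0     # unused for protocols without ports (e.g. arp)


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    src_mac: Optional[str] = None             # None matches any
    src_ip: Optional[str] = None
    proto: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None   # inclusive destination port range

    def matches(self, f: Frame) -> bool:
        return ((self.src_mac is None or self.src_mac.lower() == f.src_mac.lower())
                and (self.src_ip is None or self.src_ip == f.src_ip)
                and (self.proto is None or self.proto == f.proto)
                and (self.ports is None or self.ports[0] <= f.dst_port <= self.ports[1]))


def evaluate(acl: List[Rule], f: Frame) -> str:
    """First matching rule wins; every ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(f):
            return rule.action
    return "deny"


PHONE_MAC = "00:0b:82:11:22:33"   # constructed; this is what the sticker would show
PHONE_IP = "192.168.1.50"         # constructed

# Only signaling (SIP, UDP 5060) and audio (RTP, UDP 16384-32767) from the
# phone's own MAC and IP may enter the network from the lobby port.  ARP from
# the phone's MAC is allowed so the phone can still find its gateway.
LOBBY_ACL = [
    Rule("permit", PHONE_MAC, PHONE_IP, "udp", (5060, 5060)),
    Rule("permit", PHONE_MAC, PHONE_IP, "udp", (16384, 32767)),
    Rule("permit", PHONE_MAC, None, "arp"),
    # implicit deny for everything else
]


def lobby_port_filter(frames: List[Frame]) -> List[Tuple[Frame, str]]:
    """Apply the lobby ACL to a batch of frames and return each verdict."""
    return [(f, evaluate(LOBBY_ACL, f)) for f in frames]


if __name__ == "__main__":
    samples = [                                               # constructed traffic
        Frame(PHONE_MAC, PHONE_IP, "udp", 5060),              # phone registers
        Frame(PHONE_MAC, PHONE_IP, "udp", 20000),             # phone audio
        Frame("3c:52:82:aa:bb:cc", "192.168.1.77", "tcp", 445),  # laptop on the cable
        Frame(PHONE_MAC, PHONE_IP, "tcp", 445),               # laptop cloning phone MAC/IP
        Frame(PHONE_MAC, PHONE_IP, "udp", 5060),              # clone that also speaks SIP
    ]
    for f, verdict in lobby_port_filter(samples):
        print(f"{f.src_mac} {f.proto}/{f.dst_port}: {verdict}")
```

A laptop that copies the phone's MAC and IP but tries to reach a file share (TCP 445) is still dropped; only an attacker who also confines himself to the phone's protocols gets through. That residual risk is what the recommendation above about stickers and the phone menu is meant to reduce.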


Data Privacy

Any time private information moves beyond the confines of the private network and is exposed to the public, maintaining data privacy is a good idea. The next two sections discuss the features available to implement measures to ensure data privacy when your data traverses the air waves or the public Internet.

Wireless Security

Wireless hot spots have opened up Internet access in many places: coffee shops, airports, libraries, parks, and even downtown areas in large cities. The ability to check email or surf the web from nearly anywhere offers convenience, but also introduces another opportunity for attack or passive eavesdropping.

To help orient the reader, Figure 5 shows a WAP200 wireless access point connected to the SRW2024P switch on the private side of the network. For the business, this WAP200 may provide conference rooms, lobbies or other public areas with easy access to the Internet or, for the employees, convenient access to the private network. Unfortunately, this convenient but invisible wireless access may also reach outside the building and into the parking lot. There are a few protective measures that must be taken to secure this wireless extension of the private network:

• Obscure the wireless network’s visibility by not broadcasting the Service Set Identifier (SSID)

• Prohibit device-to-device communication within the wireless network.

• Authenticate the device before allowing a connection to the wireless network.

• Encrypt (scramble) the data to make it undecipherable to those who are skilled enough to intercept the transmission.

SSID Broadcast

The SSID is a label that is appended to the wireless packets that identifies those packets as belonging to a specific wireless network. The Access Point (AP) and end devices use this identifier to initialize their association to each other. The AP can be set to broadcast this SSID out into the airwaves, to make it easier to identify the wireless network name when configuring your PC. Setting the wireless access point to not broadcast the SSID obscures the wireless network's presence from the casual wireless user. One thing to be wary of: this invisibility should not be considered strong security. The SSID is still sent in the clear whenever a client connects, so a person with a desire and some basic tools can easily figure it out. With this in mind, this option should only be considered a first step to a more secure wireless network. Figure 5 below shows an example of three visible wireless network SSIDs (HomeNet, cisco, linksys) and one unknown wireless network shown without an SSID.


Figure 5 - Viewing Broadcasted SSIDs

Inter-Client Privacy

Inter-client Privacy prevents computers that are wirelessly connected to the access point from communicating directly with each other. Generally, this is a good way to increase the level of security of the wireless network. However, this may turn out to be not feasible if, for example, you wanted to allow calls between wireless IP phones. If communication is only required to the private network or the Internet then turning on Inter-client Privacy would make sense. Figure 6 below illustrates how Inter-client Privacy works.

Figure 6 - Inter-Client Privacy

Authentication and Encryption

The previous sections discussed how to start adding some lower level security measures, and this section raises the bar by requiring devices to authenticate before connecting to the AP and encrypting their transmissions. The WAP200 and other Linksys Access Points offer a few choices of how to implement wireless security. This paper focuses on the most simple, secure and appropriate of the options for the Small- or Medium-sized business. The wireless security technology chosen is Wi-Fi Protected Access (WPA) using a Pre-Shared Key (PSK). There is also a next generation of WPA, typically referred to as WPA2, that has further enhancements, notably AES (CCMP) encryption in place of WPA's TKIP. If the devices in your network can support WPA2 then that version should be used. If not, WPA provides adequate security for most businesses, but note that TKIP has since been deprecated, so WPA should be treated as a transitional option until the remaining devices can be upgraded.

Note: A more advanced and sophisticated form of WPA, called WPA-Enterprise, is also available in the WAP200 but is not discussed here since it is designed for larger Enterprise businesses.

The WAP200 offers the following settings for authentication and encryption:

• Wired Equivalent Privacy (WEP)

• Wi-Fi Protected Access (WPA)-Personal

• Wired Equivalent Privacy (WEP) with RADIUS

• Wi-Fi Protected Access (WPA)-Enterprise (uses RADIUS)

The reason that there are a number of choices for implementing wireless security is based on evolving standards and the business environment that the technology best fits. As the standards evolve, they become more secure. The list evolved from WEP to WPA, where WPA has fixed the flaws in WEP and is the best option for strong security. WEP should be regarded as broken rather than merely weaker: its keys can be recovered from captured traffic in minutes with freely available tools, so it should be used only for a device that cannot be upgraded or replaced, and only as a stopgap. This section focuses on the more modern WPA-Personal implementation. WEP and WPA configuration is very similar and the reader should be able to understand both once WPA is explained.

Pre-Shared Key (PSK)

WPA uses a pre-shared key for authentication. Think of the pre-shared key as a password that is shared between the Access Point and the connecting device (e.g., your PC). Both WEP and WPA-Personal use a single PSK among all devices. It is very important to make sure that when you create this PSK (password) that it be very strong or, in other words, not easily guessed: an attacker who records a device joining the network can test guesses against that recording offline, at leisure, so a PSK made from a dictionary word or the company name offers little protection. See the Administration Control section for more information on creating strong passwords.
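The strength requirement can be seen directly in how WPA-Personal turns the passphrase into the key. The following Python is an added example, not Linksys code: it implements the standard derivation, PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and then shows the offline guessing attack a weak passphrase permits. The real attack recovers the key from a captured four-way handshake; here the captured material is simplified to the PSK itself, and the word list is constructed. Because the SSID is the salt the attacker needs it, but as noted under SSID Broadcast it is not a secret, so hiding it does not slow this attack; it does mean precomputed tables must be built per SSID, which is one reason not to keep the factory SSID.

```python
"""WPA/WPA2-Personal key derivation and the offline dictionary attack that a
weak pre-shared key allows.  Added example, not Linksys code.  The derivation
is the standard one; the 'captured handshake' is simplified to the PSK value
and the word list is constructed."""
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK (the pairwise master key) from passphrase and SSID-as-salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_attack(captured_psk: bytes, ssid: str,
                      candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: the attacker knows the SSID (sent in the clear even
    when not broadcast) and tries each candidate passphrase in turn."""
    for guess in candidates:
        try:
            if hmac.compare_digest(wpa_psk(guess, ssid), captured_psk):
                return guess
        except ValueError:          # candidate shorter than 8 chars, cannot be a PSK
            continue
    return None


# Constructed word list; a real attacker uses millions of entries.
WORDLIST = ["linksys", "password", "12345678", "letmein1", "companyname2007"]

if __name__ == "__main__":
    ssid = "linksys"                                   # the SSID shown in Figure 5
    weak = wpa_psk("password", ssid)
    print("weak PSK recovered as:", dictionary_attack(weak, ssid, WORDLIST))
    strong = wpa_psk("Xq7!vR2#pL9&mT4$wZ6^", ssid)     # constructed random passphrase
    print("strong PSK recovered as:", dictionary_attack(strong, ssid, WORDLIST))
```

Each guess costs 4096 HMAC-SHA1 operations, which is why the derivation is slow on purpose, but that only raises the attacker's cost per guess; a passphrase that appears in a word list is found regardless. A long random passphrase is not in any list, so the same loop returns nothing.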

MAC Address Filtering

Using pre-shared keys only provides a single credential for allowing access to the wireless network. It can be thought of as a security guard that is behind the door guarding the entrance to an illegal gambling club. You knock on the door and he asks for the secret password. The guard doesn't know who you are but as long as you give the correct password, he'll let you in. A better way of ensuring that law enforcement isn't on the other side of the door is for the guard to check a list of pre-authorized patrons, in addition to asking for the secret password. MAC address filtering is similar to the guard checking this pre-authorized list. That is, the WAP200 provides a filtering capability that allows you to determine which devices are allowed to connect to the wireless network based on the hardware address that is typically burned into the device at the factory. Although not fool-proof (a wireless MAC address is transmitted unencrypted and can be copied onto another device), MAC address filtering is another impediment to a rogue device connecting to your network.

Encryption

Encryption is the scrambling of information such that an eavesdropper cannot easily unscramble the data and use it for himself. The encryption of data packets uses keys as part of a sophisticated mathematical process to make the message decipherable only by the receiver that possesses the right key. In a wireless network, this encryption happens between the Access Point and the connected device. Figure 7 below shows encryption in action between a laptop and the WAP200.

Figure 7 - Data Encryption

This section described how to securely extend the private network using wireless technology. Figure 8 shows how the combination of security features makes the private connection secure. The next section describes how to secure a connection across the public Internet.

Figure 8 - Secured Wireless Connection

Virtual Private Network (VPN)

The Virtual Private Network (VPN) feature provides a means of securing a connection across the public Internet from a device (e.g., computer) to the private network or between two private networks. The authentication and encryption technologies used are very similar to what was described above in the Wireless Security section, so that will not be repeated here. There are primarily two types of VPNs:

1. Site-to-Site VPN

2. Remote Access VPN

[Figure 7 labels: WAP200 Wireless AP; PSK; MATH; the plaintext http://www.linksys.com is scrambled to Ks;ad3802-7^&^*(6kjsl over the air and unscrambled by the AP with the same PSK. Figure 8 labels: Public, Private, Internet, Modem, RVS4000 Router, SRW2024P Switch, WAP200 Wireless AP; device and AP use SSID linksys; PC's MAC address is permitted; device uses WPA and authenticates with PSK; TKIP encryption is invoked; connection is secure and "Private".]

Site-to-Site VPN

The Site-to-Site VPN provides a secure connection across the public Internet between two locations or, in this case, what are called Sites. Figure 9 shows a Site-to-Site VPN tunnel between two RVS4000 routers. Technically speaking, the Site-to-Site VPN connects Private Network A and Private Network B such that devices on each of their respective private networks can communicate directly over the VPN tunnel. The term tunnel is typically used to describe this encrypted connection between the endpoint devices. Some of the main attributes of a Site-to-Site VPN tunnel are as follows:

• IP Security (IPSec) is the protocol (set of rules) used for governing this secure connection. The IPSec settings (encryption and authentication algorithms, key exchange group, key lifetimes, and so on) must match on both sides of the tunnel or the tunnel will not come up.

• Similar to using authentication in WPA, a pre-shared key must be programmed into the RVS4000 routers for authenticating the IPSec connection. As with the wireless PSK, make it long and random; it is never typed by a person, so there is no reason to keep it short.

• 3DES (Triple DES, the Data Encryption Standard applied three times) is the recommended encryption algorithm for scrambling the data on this equipment. If both routers offer AES, prefer it; 3DES has since been deprecated because of its small block size and slow speed.

• The private network IP address pools must be unique (i.e., Private Network A addresses must not overlap Private Network B addresses); otherwise the routers cannot tell which side a destination belongs to.

Note: The other equipment that is also part of each site's network is not shown in order to remove unnecessary clutter in the diagram.
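Two of the attributes above (matching settings on both ends, and non-overlapping private address pools) are things that can be checked before the tunnel is configured. The following Python is an added example, not Linksys code; the setting names and the two sample site configurations are constructed to mirror the bullets above, and do not correspond to RVS4000 menu fields. It uses the standard library's ipaddress module for the overlap test, which is the check that catches the common mistake of both sites using the factory default 192.168.1.0/24.

```python
"""Pre-flight consistency check for a Site-to-Site IPSec tunnel between two
routers.  Added example, not Linksys code; setting names and sample values are
constructed."""
import ipaddress
from typing import Dict, List

# Phase 1 (IKE) and Phase 2 (IPSec) settings that must be identical on both ends.
MUST_MATCH = ("ike_encryption", "ike_hash", "dh_group",
              "esp_encryption", "esp_auth", "psk")


def check_site_to_site(site_a: Dict, site_b: Dict) -> List[str]:
    """Return findings; ERROR findings stop the tunnel from working at all,
    WARN findings are security advice.  An empty list means all clear."""
    findings: List[str] = []
    for key in MUST_MATCH:
        if site_a.get(key) != site_b.get(key):
            findings.append(f"ERROR: {key} differs ({site_a.get(key)!r} vs {site_b.get(key)!r})")
    net_a = ipaddress.ip_network(site_a["local_subnet"])
    net_b = ipaddress.ip_network(site_b["local_subnet"])
    if net_a.overlaps(net_b):
        findings.append(f"ERROR: private subnets overlap ({net_a} and {net_b})")
    # Each router's "remote" subnet must be the other router's "local" subnet.
    if (ipaddress.ip_network(site_a["remote_subnet"]) != net_b
            or ipaddress.ip_network(site_b["remote_subnet"]) != net_a):
        findings.append("ERROR: remote_subnet on one side is not the other side's local_subnet")
    if len(site_a.get("psk", "")) < 20:
        findings.append("WARN: pre-shared key is shorter than 20 characters")
    if site_a.get("esp_encryption") == "3des":
        findings.append("WARN: 3DES is deprecated; use AES if both routers support it")
    return findings


# Constructed sample configurations for Site A and Site B of Figure 9.
SITE_A = {"local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.2.0/24",
          "ike_encryption": "3des", "ike_hash": "sha1", "dh_group": 2,
          "esp_encryption": "3des", "esp_auth": "sha1",
          "psk": "k8Vq2!zR7pL4wM9xT3bN6cY1"}
SITE_B = dict(SITE_A, local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24")


def errors_only(findings: List[str]) -> List[str]:
    return [f for f in findings if f.startswith("ERROR")]


if __name__ == "__main__":
    for label, b in [("good pair", SITE_B),
                     ("both sites on factory default subnet",
                      dict(SITE_B, local_subnet="192.168.1.0/24")),
                     ("authentication mismatch", dict(SITE_B, esp_auth="md5"))]:
        print(label)
        for f in check_site_to_site(SITE_A, b):
            print("  ", f)
```

The good pair yields only the 3DES warning; a site that kept the factory default subnet fails both the overlap test and the remote-subnet cross check, which is exactly what happens in practice when two RVS4000s with default LAN settings are connected and neither side's traffic ever enters the tunnel.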


Figure 9 - Site-to-Site VPN

Remote Access VPN

Remote Access VPN provides a secure connection across the public Internet between an employee's corporate office and his laptop when he is on the road. There are two options that can be used depending on the router purchased and the desired login flexibility: IPSec VPN and SSL VPN.

Remote Access VPN attributes:

• Typically used by mobile workers on the road or at home.

• Requires a username and password, and access can be customized or restricted to the specific user. For example, a user can be configured with access only to a specific internal server.

• IPSec VPN requires installation of the free Linksys QuickVPN software program on the mobile worker's computer and is supported on the RVS4000 (Figure 10).

• SSL VPN requires an ActiveX-enabled web browser (i.e., Microsoft IE and Netscape) and is supported on the RVL200 (Figure 11). Note that ActiveX is no longer supported by current browsers, so this option is limited to browsers of the era in which the RVL200 was sold.


Figure 10- Remote Access VPN using Linksys QuickVPN Client to the RVS4000

Figure 11 - Remote Access VPN using SSL VPN to the RVL200

Administration Control

The first thing that should be secured is the device's administration control. It can be as simple as changing passwords and, if desired, enabling secured remote access. This task often gets overlooked and opens up the network and the valuable data assets of the business to denial of service attacks, sabotage, or theft.

Passwords

Linksys uses simple and well-known usernames and passwords to ease the administrator's effort to get into the devices and to configure them. Because the factory default usernames and passwords are well-known, it also makes it easy for an attacker to quickly identify and log in to devices that have not had the passwords changed. It is very important to make sure that when you create a password that it be very strong or, in other words, not easily guessed.

Internet

Public

RVL200Router

Private Network

A

Site A Remote Access SSL VPN Tunnel

Mobile User Laptop

No need for VPN client software. User simply logs

into the Router and an ActiveX client is

downloaded.

Internet

Public

RVL200Router

Private Network

A

Site A Remote Access SSL VPN Tunnel

Mobile User Laptop

No need for VPN client software. User simply logs

into the Router and an ActiveX client is

downloaded.

Internet

Public

RVS4000Router

Private Network

A

Site A Remote Access IPSec VPN Tunnel

Mobile User Laptop

LinksysQuickVPN

Internet

Public

RVS4000Router

Private Network

A

Site A Remote Access IPSec VPN Tunnel

Mobile User Laptop

LinksysQuickVPN

Page 15: White Paper: Network Security for the Small Business

Security Concepts and Technologies

White Paper: Network Security LINKSYS © 2007

15 EDCS-580528 v1.0

A printed copy of this document is considered uncontrolled

This means that the password should be of sufficient length (greater than 8 characters) and composed of a random combination of numbers, letters, and non-alphanumeric characters. There are some good sites on the Internet that give sound advice on how to create strong passwords, as well as, free programs that will help create and securely store them on your PC or a removable USB key.
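The password policy above, written out as a check and a generator; this is an added example, not part of the paper or of any Linksys tool. The symbol set and the list of factory defaults are placeholders, and random characters come from the operating system's CSPRNG through Python's secrets module.

```python
import secrets
import string

# Character classes the paper's policy calls for: letters, numbers and
# non-alphanumeric characters, at a length greater than 8.
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!#$%&*+-/=?@^_~"  # constructed symbol set; trim it to what the device's web UI accepts
MIN_LENGTH = 9  # "greater than 8 characters"

# Placeholder set of well-known factory defaults to reject; consult the
# product documentation for the real default credentials of your devices.
FACTORY_DEFAULTS = {"admin", "password"}


def policy_failures(password):
    """Return the policy rules the password violates (an empty list means it passes)."""
    failures = []
    if password.lower() in FACTORY_DEFAULTS:
        failures.append("matches a well-known factory default")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in LETTERS for c in password):
        failures.append("no letters")
    if not any(c in DIGITS for c in password):
        failures.append("no numbers")
    if not any(c in SYMBOLS for c in password):
        failures.append("no non-alphanumeric characters")
    return failures


def generate_password(length=16):
    """Draw random passwords from the OS CSPRNG until one satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = LETTERS + DIGITS + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_failures(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("admin", "linksys1", "Tr0ub4dor&3x", generate_password()):
        print(f"{pw!r}: {policy_failures(pw) or 'OK'}")
```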

Remote Access

Remote access is the ability to log in remotely to the RVS4000 and other devices from the public side of the network, or Internet. Remote access eases configuration and troubleshooting of the network, but it may also be exploited by an attacker if not properly secured. The factory default setting for remote access in all Linksys gateway devices is disabled. This is the most secure setting, but it does force the administrator to be connected to the local or private network in order to troubleshoot or modify any settings. A sound compromise between not allowing remote access (most secure) and convenience is to use an encrypted VPN connection and strong passwords. As mentioned in the Remote Access VPN section, an encrypted connection not only allows access to the RVS4000 gateway but also to all the devices on the private network, including the SRW2024P switch and WAP200 Access Point.

Figure 12 - Remote Administrative Access via VPN (diagram labels: Internet, Public; RVS4000 Router; Private Network A; Site A Remote Access VPN Tunnel; Mobile User Laptop)

Network Monitoring

Many homes and businesses have alarm systems that use smoke, heat, or motion sensors to monitor for potential trouble. Upon sensing an abnormal event, the alarm system alerts the home or business owner, and the authorities, to the potential trouble at the premises.

Linksys Business Series offers a set of products that also have monitoring and alerting capabilities. For example, the built-in Intrusion Detection and Protection System (IDS/IPS) in the RVS4000 can act as the sensor looking for suspect data traffic, but unlike a typically passive home alarm system, the intrusion protection system actually mitigates the attack and logs it for later review. In addition, most products offer email alerts and logging for a number of different conditions, such as the number of unsuccessful login attempts, unexpectedly high port utilization, or high-level system alerts.

Intrusion Detection and Protection System (IDS/IPS)

The integrated IDS/IPS in the RVS4000 router watches the data traffic that traverses the device, monitors it for signatures of malicious network activity, and blocks a set of threats that are defined in the signature file.

Linksys updates the signature file monthly as new attacks are invented so it is best practice to mark your calendar to remind yourself to download and update the RVS4000 with the latest signature file. The file can be downloaded from the Linksys web site under the RVS4000 web page. Download the file to your computer's hard drive and then use the IPS web page in the RVS4000 to browse to that downloaded file to update the IPS signature file.

Note Check the Information tab on the RVS4000 web page to verify that you have the latest version loaded.

Figure 13 - IPS Screenshot (callouts: Enable IPS; Download the file to your desktop and then browse to it for updating the signature file)

Figure 14 below shows an example report from the IPS that logs the attacks that have been detected and blocked.

Figure 14 - IPS Report Showing Attack Information

Page 17: White Paper: Network Security for the Small Business

Security Concepts and Technologies

White Paper: Network Security LINKSYS © 2007

17 EDCS-580528 v1.0

A printed copy of this document is considered uncontrolled

Wireless Security Monitoring

Wireless Security Monitoring is a feature available in the WAP4400N and WAP200 that provides a scanning and classifying service, alerting wireless users on the network that a suspicious network event has been sensed.

The WAP200, working in concert with the Linksys 200 series wireless client adapters, and the WAP4400N, working with the WPC4400N client adapters, alert users to network events such as the following:

• Intrusion Alarms (e.g., Rogue Client Detected, Spoofed MAC address).

• Denial of Service Alarms (e.g., Duration Attack, Association Table Full).

• Vulnerability Alarms (e.g., AP is not using encryption, AP is broadcasting SSID).

• Other Alarms (e.g., Low speed connection).

Figure 15 - Wireless Security Monitoring (diagram labels: Private; SRW2024P Switch; WAP200 Wireless AP; Laptop with WPC200; Rogue Client; Rogue AP that an employee innocently installs for convenience)

Logging

Logging is a good way to keep tabs on what is happening in the network. It is the second line of defense after the automated tools have done their job. In the example set of equipment used in this network, there are a number of alerts that can be enabled: email alerts, syslog alerts, and Simple Network Management Protocol (SNMP) traps that can be sent to an Administrator’s PC or to a dedicated network management station.

The equipment depicted in this paper offers the following alarms or ways to alert an Administrator:

• Local Logs on the device that can be viewed via a Web Browser

• Email Alerts

• Syslog messages sent to a Syslog server

• SNMP traps sent to an SNMP-capable Network Management System
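Detection logic of the kind a syslog server can run over these messages, added here as an example that is not from the paper or from Linksys: it parses constructed RFC 3164 syslog lines (the message wording is assumed, not the RVS4000's actual log format) and raises an alert when one source address fails administrator login repeatedly within a short window, one of the conditions the paper says the products can alert on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in the RFC 3164 layout (<PRI>timestamp host tag: message).
# The message wording is invented for this example; it is not the RVS4000's real log format.
SAMPLE_LOGS = """\
<38>Mar 12 09:14:01 RVS4000 admin: login failed for user admin from 203.0.113.7
<38>Mar 12 09:14:05 RVS4000 admin: login failed for user root from 203.0.113.7
<38>Mar 12 09:14:09 RVS4000 admin: login failed for user admin from 203.0.113.7
<38>Mar 12 09:14:12 RVS4000 admin: login failed for user admin from 203.0.113.7
<38>Mar 12 09:30:44 RVS4000 admin: login ok for user admin from 192.168.1.20
<38>Mar 12 09:31:02 RVS4000 admin: login failed for user admin from 192.168.1.20
"""

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"login failed for user (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line, year=2007):
    """Split one RFC 3164 line into fields; the timestamp carries no year, so one is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    return {"facility": pri >> 3, "severity": pri & 7, "host": m["host"], "tag": m["tag"],
            "msg": m["msg"], "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")}


def detect_failed_logins(lines, threshold=3, window_seconds=60):
    """Alert once per source address that fails login `threshold` times within `window_seconds`."""
    recent = defaultdict(deque)  # source address -> timestamps of its recent failures
    alerts, alerted = [], set()
    for line in lines:
        rec = parse_line(line)
        fail = FAIL_RE.search(rec["msg"]) if rec else None
        if fail is None:
            continue  # unparseable line, or a message that is not a failed login
        q = recent[fail["src"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold and fail["src"] not in alerted:
            alerted.add(fail["src"])
            alerts.append({"host": rec["host"], "src": fail["src"], "failures": len(q),
                           "first": q[0], "last": q[-1]})
    return alerts
```

Feeding `SAMPLE_LOGS.splitlines()` to `detect_failed_logins()` yields one alert for 203.0.113.7 and none for the single failure from the internal address.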

Conclusion

This whitepaper used an example network built with Linksys Business Series products to walk the reader through using each product’s inherent security features to secure the small- or medium-sized business. The goal of applying network security is to keep the “Private” side of the network insulated from the “Public” while not impeding access to the “Public.” With that goal in mind, a variety of security features were utilized.

• Perimeter Security

NAPT for obscuring the private network from the Internet.

SPI Firewall for shunting any unsolicited inbound connections.

ACLs were used in the form of the DMZ host feature and MAC address filtering for restricting access to only those devices that were authorized.

• Data Privacy

Wireless security with its sophisticated WPA authentication and encryption maintained data privacy and limited access to only authorized devices.

Site-to-Site and Remote Access VPN provided a secure connection across the public Internet to those resources located on the private network.

• Administration Control

Use of strong passwords to thwart dictionary attacks for guessing Administration passwords.

Use of VPN for Remote Access to the equipment for administration.

• Network Monitoring

Intrusion Detection and Protection Systems (IDS/IPS) for identifying and proactively blocking network attacks on the wired network.

Wireless Security Monitoring alerting connected wireless users of suspicious activity on the wireless network.

Logging to keep the administrator informed and in a good position for minimizing the impact of any breach of network security.


Figure 16 - Network Security (The Big Picture) (diagram labels: Internet; Modem; RVS4000 Router with NAPT and FW to protect the perimeter; SRW2024P Switch with a MAC ACL allowing only the Lobby Phone to connect; WAP200 Wireless AP with non-broadcast SSID, MAC filtering used to limit access, WPA for authentication and encryption, inter-client privacy enabled, and Wireless Security Monitoring alarms being logged; Mobile User with VPN for secure network access)

Linksys Business Series products provide an enterprise-class set of security features at a competitive price, targeted for the small business. As referenced throughout this whitepaper, Linksys engineers have predetermined the best feature settings to set at the factory on each product, which lowers the technical skill level required to configure the equipment and minimizes the amount of work that the administrator has to perform, while increasing their confidence that the network is secure.

Note This paper is one element of the overarching Linksys Business Series reference architecture, so for more information on other subjects like Quality of Service, Voice deployments, Network Attached Storage (NAS), and many others, follow the link to www.linksys.com.

Obtaining Technical Assistance

Linksys provides this white paper as a starting point for using Linksys Business Series Products. Linksys partners can obtain online documentation and access to technical support resources on the Linksys Partner Web Site at www.linksys.com, or by opening a case with the Linksys Business Assistance Center (BAC) at (800) 326-7114.


Corporate Headquarters Linksys, a Division of Cisco 121 Theory Irvine, CA 92617-3045 USA http://www.linksys.com Tel: (800) 546-5797 Fax: (949) 823-3007

European Headquarters Cisco Systems Europe 11 Rue Camille Desmoulins 92782 Issy-Les-Moulineaux Cedex 9 France www-europe.cisco.com Tel: 33 1 58 04 60 00 Fax: 33 1 58 04 61 00

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883

Asia Pacific Headquarters Cisco Systems Australia, Pty., Ltd Level 9, 80 Pacific Highway P.O. Box 469 North Sydney NSW 2060 Australia www.cisco.com Tel: +61 2 8448 7100 Fax: +61 2 9957 4350
