Is your physical security system protected from cyber threats?
Any established or growing business will have communication hardware components, mainly switches and routers. These devices run software that manages network transmission and communication, but that same software can also expose them to outside attackers. Understanding how attackers can take advantage of this should inform how you design or optimize a network. Your network security is especially crucial if you are planning to set up a dedicated network for your security system.
Below are some best practices when installing a switch in a network for your security system:
Set the Default Route or Gateway
Without a management IP address, you can't manage a device on the network, but the default route or gateway is often forgotten. This can cause issues down the line, such as the switch becoming unmanaged because network management tools can't identify it or find it on the network. Traffic can reach the switch, but without a defined default route or gateway, the switch's reply packets will not be forwarded onwards out of the LAN.
Set the Correct Time
Without the correct time on a switch, the log entries from that switch will not show the actual date and time of the events they record. This makes troubleshooting more complicated than it needs to be. There are three common ways to set the time on a switch: (1) manually, (2) Simple Network Time Protocol (SNTP), and (3) TimeP/Network Time Protocol (NTP). It's also recommended that you run a time server to keep your network in sync. Depending on your environment, you can configure a time server with a few clicks.
Set Up Logging Feature
Properly setting up network logging and monitoring is vital to maintaining a secure network environment. It is also key to being able to monitor and stay aware of the activity on your network, including any suspicious activity. These logs are sent to a destination server (for example, your monitoring environment) using SNMP (Simple Network Management Protocol).
Set Up Neighbor Discovery
If your switch can't communicate with other network components or cannot identify other equipment, it creates a blind spot in the network. Setting up neighbor discovery protocols allows network management tools to see everything on the network. Each switch manufacturer supports a different mix of protocols; the most commonly used are the Cisco Discovery Protocol (CDP) and the Link Layer Discovery Protocol (LLDP). It's recommended that you enable all neighbor discovery options.
Set Up SNMP Communities
We mentioned SNMP when discussing logging and monitoring, but it is also used to define communities with different access rights. These typically include a read-only string and a read-write string. Read-only lets monitoring tools recognize the switch and gather information from it; read-write additionally allows management tools to make configuration and other changes to the switch. Configuring the strings properly in advance lets network management applications monitor the network while avoiding unnecessary risk.
Security Best Practices for Network Switches
Once you have configured your switches according to the basic setup instructions above, it's time to think about security.
Set Usernames and Passwords for Console and CLI Access – Configure strong, unique passwords for each CLI access method and authorization level. While usernames aren't required, setting them up avoids complications with third-party management tools that may have issues with blank username fields.
Secure SNMP with Custom Strings – Communications sent via SNMP are not encrypted and can be intercepted or sniffed, so set up custom community strings and disable any default strings. Update your network management tools once you've changed the strings.
Enable SSH and Disable Telnet – SSH encrypts communications between the terminal and the switch to prevent man-in-the-middle attacks. Create a public/private SSH key pair for each switch. Test to make sure it's working and then disable Telnet.
Enable HTTPS and Disable HTTP – Create a certificate that the switch will use to authenticate itself to the browser. HTTPS ensures that management traffic, including logins and other sensitive information sent over the web interface, is encrypted.
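To turn the basic setup checklist and the security checklist above into something you can run against a switch before it goes live, here is an added example (not code from the article or from BluOcean Security) that reads an exported running configuration in Cisco IOS style and reports which practices are met: default gateway, time source, remote logging, neighbor discovery, custom SNMP strings, SSH-only CLI access, and HTTPS-only web management. The sample configuration, the check names and the regular expressions are constructed assumptions for illustration; switches from other vendors use different syntax and need their own patterns.

```python
import re

# Constructed sample running-config excerpt in Cisco IOS style. It is not taken
# from the article; it is written so that some checks pass and others fail.
SAMPLE_CONFIG = """\
hostname cam-switch-01
!
ip default-gateway 10.10.20.1
ntp server 10.10.20.10
logging host 10.10.20.50
!
snmp-server community public RO
snmp-server community K7v-monitor-rw RW
!
no cdp run
lldp run
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""


def has(cfg, pattern):
    """True if some line of the config matches the regex (^ and $ apply per line)."""
    return re.search(pattern, cfg, re.MULTILINE) is not None


def audit_switch_config(cfg):
    """Check a config text against the article's switch practices.

    Returns a list of (check, status, detail) tuples in a fixed order, where
    status is "ok" or "fail" and detail explains a failure. The regexes assume
    IOS-style syntax (an assumption of this example).
    """
    findings = []

    def record(name, ok, detail):
        findings.append((name, "ok" if ok else "fail", "" if ok else detail))

    # Default route or gateway: Layer-2 switches use "ip default-gateway",
    # Layer-3 switches a static default route.
    record("default gateway",
           has(cfg, r"^ip default-gateway \S+")
           or has(cfg, r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+"),
           "no default gateway or default route; replies cannot leave the LAN")

    # Time: at least one NTP or SNTP server so log timestamps are meaningful.
    record("time source", has(cfg, r"^(ntp|sntp) server \S+"),
           "no NTP/SNTP server; log timestamps will be wrong")

    # Logging: a syslog host or an SNMP trap receiver must be defined.
    record("remote logging",
           has(cfg, r"^logging (host )?\d") or has(cfg, r"^snmp-server host \S+"),
           "no syslog host or SNMP trap receiver configured")

    # Neighbor discovery: the article recommends enabling every option.
    # On IOS, CDP is on unless "no cdp run" is present; LLDP is off unless "lldp run".
    cdp_on = not has(cfg, r"^no cdp run")
    lldp_on = has(cfg, r"^lldp run")
    disabled = [n for n, on in (("CDP", cdp_on), ("LLDP", lldp_on)) if not on]
    record("neighbor discovery", cdp_on and lldp_on,
           "disabled: " + ", ".join(disabled))

    # SNMP communities: custom strings only, never the defaults "public"/"private".
    communities = re.findall(r"^snmp-server community (\S+)", cfg, re.MULTILINE)
    defaults = [c for c in communities if c.lower() in ("public", "private")]
    record("snmp communities", bool(communities) and not defaults,
           "default community string(s) in use: " + ", ".join(defaults)
           if defaults else "no SNMP community configured")

    # CLI access: SSH allowed and Telnet not allowed on the VTY lines.
    transports = [t.split() for t in
                  re.findall(r"^\s+transport input (.+)$", cfg, re.MULTILINE)]
    telnet_allowed = any("telnet" in t or "all" in t for t in transports)
    ssh_allowed = any("ssh" in t or "all" in t for t in transports)
    record("cli access", ssh_allowed and not telnet_allowed,
           "Telnet allowed on VTY lines" if telnet_allowed else "SSH not enabled on VTY lines")

    # Web management: HTTPS server on, plain HTTP server off.
    http_on = has(cfg, r"^ip http server")
    https_on = has(cfg, r"^ip http secure-server")
    record("web management", https_on and not http_on,
           "plain HTTP enabled" if http_on else "HTTPS not enabled")

    return findings


def failed_checks(cfg):
    """Names of the checks that fail, in audit order."""
    return [name for name, status, _ in audit_switch_config(cfg) if status == "fail"]


if __name__ == "__main__":
    for name, status, detail in audit_switch_config(SAMPLE_CONFIG):
        print(f"{status:4}  {name:20}  {detail}")
```

Run it against the sample and four checks fail (neighbor discovery because CDP is off, SNMP because the default "public" community is still present, CLI access because Telnet is still allowed, and web management because plain HTTP is on while HTTPS is off); the same script run on the real export from each switch gives you a handover checklist that does not depend on anyone remembering every step.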
Ask your Systems Integrator about how they are ensuring that your network is properly set up against standard vulnerabilities. Additionally, ensure there is a handover of all passwords once the project is finished. After a project is complete, you should consider changing all the passwords. If you are outsourcing the maintenance of your network, ask your service provider how they are managing and safeguarding the passwords for your network and systems.
If you believe you may have vulnerabilities in your network, you can order a limited penetration test of your network. The penetration test report outlines the existing and potential risks on your network.
BluOcean Security can offer this service and advice about your security systems network. Feel free to contact our Head of Technology, Mr. Avichai Sery, at for additional information on how we can help you.