Public Access Network Security - Part 1

Best Practices For Open Systems

Network security is a process utilizing the concept of layered defenses, with specific functions assigned to various components. The functions include but are not limited to network isolation, access control, egress filtering and AAA (authentication, authorization and accounting).

Many security techniques used in the enterprise can be applied to public access networks, although some may make it too difficult for the average user to connect. One example is wireless encryption, which in an enterprise serves two purposes—authentication and confidentiality.

Wireless encryption in a public access network, however, cannot reliably support either purpose. Every user would have to be given the encryption key or passphrase, yet a shared key does not by itself provide positive identification. Once the key or passphrase becomes public knowledge, it allows anyone to eavesdrop on the encrypted communications, eliminating confidentiality.

Additionally, there are now numerous types of encryption (WEP, WPA, 802.1x), key types (ASCII or hexadecimal), key management methods (static, rotating, dynamic) and key or passphrase lengths. If this sounds confusing to you, imagine how difficult it would be for a visitor to configure their settings!

Network Isolation Protects Business And Visitors

The most common form of network isolation is a firewall between the private network and the Internet. A properly configured firewall protects the private network from Internet attacks, and may provide egress filtering to limit outbound traffic. In this scenario the Internet is considered an untrusted network, while the private network is considered trusted.

From the perspective of a private business network, a public access network consists of untrusted computers. The business owner has no assurance that the visitor is not malicious, or that the visitor's machine is not compromised with malicious software.

The reverse is also true—from the perspective of a visitor, the private business network is also untrusted. The visitor has no assurance that the business owner has properly secured their own machines. To take it a step further, from each visitor's perspective, all other visitor machines are also untrusted.

In order to prevent attacks between the private business network and the public access network, the two must be completely separated. This can be accomplished with specialized routers supporting public/private network segments, IP filtering, VLANs or some combination of these methods.

Whenever possible, visitor computers must also be isolated from each other. This is especially important in conference facilities, where different groups may need Internet access from individual conference rooms. Each group needs to communicate with its own participants, but does not want to be exposed to untrusted machines from other groups or individuals.
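The separation rules described above (private network kept apart from the public access segment, egress filtering of visitor traffic, and visitors isolated from one another) can be written down as a zone-based policy and checked before it is pushed to a router or firewall. The following is an added illustration, not code from the original article or from any particular product: the subnets, permitted ports and sample flows are constructed assumptions, and the first-match rule table with a default deny mirrors how most firewalls evaluate their rule sets.

```python
"""Zone-based policy check modelling the isolation described in the article.

Added illustration, not code from the original page: the zones, subnets,
ports and sample flows below are constructed assumptions chosen to show
(1) private/public network separation, (2) egress filtering of visitor
traffic and (3) isolation of visitor machines from each other.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing plan: private business LAN and visitor (public access)
# segment on separate VLANs; any other address is treated as the Internet.
ZONES = {
    "private": ip_network("192.168.10.0/24"),
    "guest": ip_network("192.168.20.0/24"),
}

# Egress filtering for visitors: only these destination ports may leave
# the guest segment towards the Internet (assumed policy, not the page's).
GUEST_EGRESS_PORTS = {53, 80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name, defaulting to 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


# Ordered rule table, first match wins, default deny.
# Each rule: (src_zone, dst_zone, predicate, verdict)
RULES = [
    # Visitor machines must not reach each other (client isolation).
    ("guest", "guest", lambda f: True, "deny"),
    # Public access network and private network are completely separated.
    ("guest", "private", lambda f: True, "deny"),
    ("private", "guest", lambda f: True, "deny"),
    # Visitors reach the Internet only on the permitted service ports.
    ("guest", "internet", lambda f: f.dport in GUEST_EGRESS_PORTS, "allow"),
    # The private side is the trusted one in the article's model, so its
    # Internet access is allowed here (it could be egress-filtered as well).
    ("private", "internet", lambda f: True, "allow"),
    # Unsolicited inbound from the Internet never enters either segment.
    ("internet", "private", lambda f: True, "deny"),
    ("internet", "guest", lambda f: True, "deny"),
]


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow using first-match semantics."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule_src, rule_dst, predicate, verdict in RULES:
        if rule_src == src_zone and rule_dst == dst_zone and predicate(flow):
            return verdict
    return "deny"   # anything the table does not mention is dropped


def audit(flows):
    """Return {flow: verdict} for a batch of flows, handy for policy review."""
    return {f: evaluate(f) for f in flows}


# Constructed sample flows exercising each relationship in the article.
SAMPLE_FLOWS = [
    Flow("192.168.20.15", "192.168.10.5", "tcp", 445),    # visitor -> business file share
    Flow("192.168.20.15", "192.168.20.16", "tcp", 22),    # visitor -> another visitor
    Flow("192.168.20.15", "203.0.113.10", "tcp", 443),    # visitor -> Internet HTTPS
    Flow("192.168.20.15", "203.0.113.10", "tcp", 25),     # visitor -> Internet SMTP (egress-filtered)
    Flow("192.168.10.5", "192.168.20.15", "tcp", 80),     # business -> visitor
    Flow("198.51.100.7", "192.168.10.5", "tcp", 3389),    # Internet -> business RDP
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{zone_of(flow.src):8} -> {zone_of(flow.dst):8} "
              f"{flow.proto}/{flow.dport:<5} from {flow.src} to {flow.dst}: {verdict}")
```

Running the script prints a verdict for each sample flow; the only flows that pass are visitor-to-Internet traffic on the permitted ports and private-to-Internet traffic, which is the intended end state of the article's isolation advice. The same table can be translated line by line into VLAN ACLs or firewall rules, and keeping the policy in this reviewable form makes it easy to show that visitor-to-visitor and visitor-to-private paths are explicitly denied rather than merely absent.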

In each scenario, the business owner uses best practices to protect their own computers and those of their visitors, which can mitigate claims of negligence.
