Securing Networks: Wired & Wireless Attacks

TL;DR

Simultaneous wired and wireless networks create multiple attack paths. This guide details how to identify vulnerabilities, strengthen security configurations, and monitor for suspicious activity on both network types.

1. Understand the Risks

Having both wired and wireless networks active increases your overall attack surface. Attackers can potentially:

• Gain initial access via weaker wireless security (e.g., WPA2-PSK) then move laterally to the wired network.
• Exploit vulnerabilities in either network type and use that as a foothold.
• Conduct Man-in-the-Middle attacks on both networks simultaneously.

2. Wireless Network Security Hardening

1. Use WPA3 where possible: This offers stronger encryption and authentication than older standards like WPA2.
2. Strong Passphrases: Use long, complex passphrases (at least 14 characters) for your wireless network key. Avoid easily guessable words or personal information.
3. MAC Address Filtering (with caution): While not foolproof, it can add a layer of security by only allowing known devices to connect. Be aware this is easy to bypass and can cause administration overhead.
4. Disable WPS: Wi-Fi Protected Setup (WPS) has known vulnerabilities. Disable it in your router settings.
5. Guest Network: Create a separate guest network with limited access for visitors. Isolate it from your main network.
6. Hidden SSID (with caution): Hiding the SSID doesn’t provide strong security but can deter casual attackers. It won’t stop determined ones.

3. Wired Network Security Hardening

1. Network Segmentation: Divide your wired network into smaller segments (VLANs) to limit the impact of a breach. For example, separate departments or sensitive systems onto different VLANs.
2. Port Security: Configure port security on your switches to restrict which MAC addresses can connect to each port. This prevents unauthorized devices from plugging in. Example configuration for Cisco switch:

   interface GigabitEthernet0/1
    switchport mode access
    switchport port-security
    switchport port-security maximum 1
    switchport port-security mac-address sticky
   

3. 802.1X Authentication: Implement 802.1X authentication for stronger user identification and authorization. This requires a RADIUS server.
4. Disable unused ports: Shut down any switch ports that are not currently in use.

4. Firewall Configuration

1. Strict Access Control Lists (ACLs): Configure ACLs on your firewall to only allow necessary traffic between networks and the internet. Block all other traffic by default.
2. Intrusion Detection/Prevention System (IDS/IPS): Deploy an IDS/IPS to monitor network traffic for malicious activity and automatically block threats.
3. Network Address Translation (NAT): Use NAT to hide your internal IP addresses from the internet, making it more difficult for attackers to target specific devices.

5. Monitoring & Logging

1. Centralized Logging: Collect logs from all network devices (routers, switches, firewalls, wireless access points) in a central location for analysis.
2. Security Information and Event Management (SIEM): Use a SIEM system to correlate events from different sources and identify suspicious patterns.
3. Regular Security Audits: Conduct regular security audits of both your wired and wireless networks to identify vulnerabilities and ensure that security controls are effective.
4. Wireless Intrusion Detection System (WIDS): Deploy a WIDS to detect rogue access points and other wireless threats.

6. User Education

Educate users about the risks of connecting to untrusted networks and the importance of strong passwords. Train them to recognize phishing attempts and other social engineering attacks.