A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Setting Up a Secure Network in the Office

Advice for securing the office network for your small business.

A secure office network is the first step towards secure computing. Following are a few suggestions to secure networking at work.

Staying Wired

When possible and convenient, use a wired network. Wired networks, whose signals are contained within wires, are much safer than wireless networks, whose signals are broadcast into the air. One can be safe from a number of malicious attacks by connecting a computer to the router (a device that connects networks, in this case, your local network to the Internet) via an ethernet cable, instead of connecting via wireless. Appropriate network settings, of course, must be entered into the computers.

Taking the Office Wireless

If a wireless network is desired, use the following recommendations.

  • Change the default router password, if you install a wireless router. The router's manual should tell you how to do this, as it should be one of the first steps when installing a new router. The default passwords for various vendors' routers are well known, so a router is unsecure when using the default password.
  • Place the wireless router at a location at the approximate center of the premises. Doing so restricts the signal of the network to the office premises and avoids potential snoopers. Also, the network is accessible from almost anywhere in the office rather than in a particular area.
  • Enable encryption. Preferably enable Wi-Fi protected access (WPA), which is a relatively strong encryption technique for establishing secure connections. The other common alternative, wired equivalent privacy (WEP), is a weaker technique that is easier to crack. WPA and WEP are the two most commonly used encryption techniques implemented in wireless routers. Enabling encryption makes the connection between the users and the router secure because only users having the passkey can then access the router. Your router manual gives instructions on how to enable encryption in the router.
  • Change the name of your network, known as the service set identifier (SSID), from the default value. While not increasing security substantially, this step will hide certain details, even if only to a small extent, and it is still recommended.
  • Enable MAC address filtering in the router. Every network card in a computer has a unique identifier called the MAC address. Using this ID for membership in the network is a good way to keep unwanted people out. MAC filtering lets only those nodes communicate on the network that have their MAC address registered with the router. Authenticated nodes are registered by adding a list of MAC addresses for all computers allowed access to the network in the router settings. Although it is possible for MAC addresses to be spoofed, this method makes it hard for the malicious user to gain access. An alternative technique, DHCP (Dynamic Host Control Protocol), assigns every new user an IP address from a pool of available addresses, letting other users in unchecked.
  • Install a firewall. A firewall provides an increased level of security and can be implemented on either the router or the Internet-facing node of the network.
  • Enable network address translation (NAT). As a final step to securing the network infrastructure, NAT can be implemented on either the router or the firewall node in the network.

Securing Each Network Node

Next, security must be implemented on the computers that will connect to the network, known as the "network nodes."

  • Set user groups and policies in the user account settings of the operating system. Following the principle of least privilege, where every user is given only privileges sufficient and appropriate for his or her role in the network. For more details, refer to Keeping Security in Mind When Granting Access Privileges.
  • Require passwords to be changed regularly. Configure the password policy such that login passwords must be changed periodically in all the nodes. This ensures that the same passwords are not used for a very long period of time. Also, passwords must be set to match a minimum strength criteria.
  • Set remote access policies. If users are provided with remote access into the network, suitable remote access policies must be set in the access rights of the user group.
My home page