There it is … that little jack on the wall that's connected to a world of information, ranging from the Internet to your company's payroll system. One click of a network cable into the jack and they're on their way! Who, you might ask? Let's start with the curious one who finds an active network jack in a nice, quiet conference or training room. What are the real issues with this, and how do you combat them?
Private facilities have always had an advantage over public facilities, in that they are easier to physically secure. Public areas, such as hospitals, universities and libraries, can be a real challenge to secure because of the lack of physical security. Public or private, there will always be some level of security risk wherever a network jack is active. Classrooms, communications closets and conference rooms are a few of the problem areas commonly found unlocked and accessible to anyone curious enough to peek inside.
Let's get down to the real issue. Suppose a hacker connects a laptop to a network jack in your building. Most network jacks are active, meaning they are connected to a functioning piece of network equipment. If you are running a DHCP server, which hands out IP addresses to any device that is plugged into the network, one will be handed to the hacker's laptop as well. If DHCP is not used, the hacker can simply launch a sniffer and find an unused IP address for his laptop. Once connected, a few simple commands can locate some of your key servers, after which the enumeration of user accounts and services begins. In a matter of minutes, passwords will likely be compromised, a service or two may be exploited and the game is over. You've now got a real mess on your hands.
What do you do? There are a couple of ways to help prevent hackers, or even vendors and contractors for that matter, from connecting computers to your network when they find a network jack. One thing you can do is disable network jacks in conference rooms and classrooms until people need them. Keeping these rooms locked whenever possible is another best practice. A third defense is to require your network switches to only allow network cards with specific addresses, called MAC addresses, to connect to your network. Every network card is programmed with a unique MAC address, which can be altered via spoofing software. Even more stringent is the option of configuring network servers to require a valid computer certificate before a user can logon. Keep in mind, if you want to keep unauthorized people from using computers already connected to your network, such as classroom PCs, you should enforce bootup and screensaver passwords to lock the PC at both ends, as well as requiring a user certificate. To learn more about certificates, contact a vendor of Public Key Infrastructure systems, such as RSA or Microsoft.
Most of the above recommendations require the involvement of server and network administrators, who may or may not immediately see the value in these changes until you explain the reality of these security risks. Active network jacks are the entrance to a hacker's playground, and can result in a major cleanup effort if ignored.
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
