Five keys to designing secure networks for SMEs

A secure network is one whose design protects the confidentiality, integrity and availability of data from unauthorized access. To achieve this goal, a number of key aspects must be taken into account to minimize the possibility of becoming a victim of cybercrime. Below are the ones we consider most important.

1. Planning and preliminary steps

It is necessary to have a good understanding of the organization’s context, so that the necessary resources are perfectly aligned to achieve its objectives. Regarding the network, it is important to have a diagram of it and a complete inventory of its devices (routers, switches, firewalls, etc.).

This will provide a better understanding of how a network is configured and the potential problems to which it is exposed. Not surprisingly, security standards such as ISO 27001 require this aspect to be documented as a prior step to the implementation of other measures.

Having up-to-date maps that identify and locate the devices that make up the network is essential for anticipating performance issues such as a interference that may occur or lack of access in certain areas.

The network topology refers to the structure of its constituent elements, both physically (location) and logically (the way in which data flows). Once defined, it is crucial to implement different levels or layers of protection.

2. Network monitoring

Monitoring requires hardware and software tools that collect data on various aspects, such as detecting connected devices. By recording how data flows through the network, illicit access attempts or other critical points related to cybersecurity, an understanding of the problems a company is exposed to at that level is obtained.

Having a SIEM (Security Information and Event Management) service in place allows you to protect your organization by providing quick responses to threats. The volume of information to consider is so overwhelming that expertly trained professionals are needed to manage it effectively.

In this regard, our company JakinCode provides an excellent solution that prioritizes the security of the data that feeds the daily operations of any entity. The SIEM as a Service tool we have developed allows for the effective detection and mitigation of threats, identifying any trends or patterns out of the ordinary so that action can be taken as soon as possible. Our highly qualified and specialized professional team provides its extensive experience in order to strengthen a company’s network and systems, a key and essential aspect.

3. Implementing VPN

Virtual Private Networks (VPNs) provide an encrypted communication channel that, when properly configured, protect with data encryption the connections established. The features offered by this service make it a suitable means for sending data securely, privately and anonymously.

In the current work context, the possibility of companies incorporating teleworking has burst onto the scene. Such scenario implies taking the utmost care in the way in which a professional workforce accesses business assets from various off-site locations.

Through a VPN connection, it becomes difficult for a malicious agent to intercept network traffic, thus minimizing the risk of exposing company data to unauthorized persons. For this purpose, connections are routed through a network of servers configured for this purpose, masking information such as physical location, and so on. 

When opting for this technology, factors such as browsing speed, use of reliable security protocols, encryption used, etc. must be taken into account.

4. Network segmentation

In the SME ecosystem, where not all companies are able to allocate the desired resources to network security, scenarios may arise where default protection parameters are not updated (standard passwords, etc.). Such a situation facilitates cyber-attacks on a very basic, or even inadequately addressed, state of security.

Proper network segmentation is an effective mechanism to prevent taking advantage of a design exposed to serial propagation of exploits that, with little complexity and technical sophistication, allow entry into the system through lateral movements that easily enable a malicious agent to extend its damaging impact, gaining control over critical assets.

By applying a fundamental key to network design such as segmentation, networks are divided into independent sections that operate under the principle of zero trust. As the name suggests, this is a strategy that eliminates the presumption that there is no need to carry out checks on elements that, supposedly, are not subject to suspicion within the network itself.

Physical segmentation can be carried out through the use of switches that divide the network. Another way is the creation of virtual networks or VLANs. These allow for a logical division that prevents direct communication between devices from different networks unless a number of defined security protocols are met beforehand.

The so-called demilitarized zone (DMZ) is another segmentation tactic. The DMZ operates as a portion of a network outside the security perimeter established within it, so that the former can be accessed without compromising the latter.

In addition to the above, consideration should also be given to the creation of an intranet (a private network for the exclusive use of the company, accessible only to authorized internal personnel), an extranet (a private network accessible only to authorized customers, vendors or partners), or a guest network (a separate, open network accessible to anyone).

5. Access control and hardening

Along with the design or construction of the structure, SMEs must also pay attention to the security of their network in terms of management, operation and maintenance of each of the elements that make it up.

Limiting network administration rights to the minimum possible is the starting point from which to begin incorporating protection measures. SMEs need to have secure network access policies and procedures in place to help mitigate any aunauthorized penetration attempts.

It is very important to assign different levels of privilege in the use of the networks. For this purpose, the implementation of identity authentication methods, authorization and registration of the activity generated will be taken into account.

Resources such as multi-factor authentication (MFA) make it difficult for credentials to be stolen and used by unauthorized persons for illicit purposes. To this end, when validating access, in addition to entering a password, another action is required, either by means of a second device in the person’s sole possession, or by using biometrics. In addition to these types of precautions, other complementary strategies must be added, the number of which requires qualified personnel to be able to supervise them.

For many SMEs, having someone on staff exclusively dedicated to cybersecurity tasks may not be feasible. Fortunately, today it is possible to outsource this need through practical solutions such as having a CISO as a Service.

Another advantage of this solution is to ensure experience and up-to-date knowledge through a person capable of, among other things, following best practices (recommended both by the manufacturers of the installed devices and by security organizations ).

There are many configuration details that need to be addressed in terms of the hardening of the devices that make up a network. Among other measures, it is necessary to disable access protocols to administration levels that are not encrypted; disable services that are not necessary; implement adequate security guidelines; etc.

As can be seen, the secure design of networks in SMEs is a complex issue that requires attention to a wide range of fundamental details. In addition to the points mentioned above, it is important to always bear in mind the need for audits and penetration tests to test the security of the network.