You’re working at home. Only YOU should be able to access the company data. The same problem crops up in offices with different divisions or departments: not just anyone and everyone should be able to view, copy, edit or, worse, DELETE the files that don’t pertain to them.
You’ve Gotta Keep ‘Em Separated
We all do it. We are told we should do it. Keep ’em separated. Don’t put all of your eggs in one basket. Keep the hot side hot and cold side cold. We do it in school. We divide groups so that they don’t mix with each other, when it’s really important to keep things pure.
A fundamental tenet of security is to minimize access to just those who need it. Health and Human Services tells health providers through HIPAA requirements to give people, including staff, access to the “minimum necessary”.
Why It Matters – Real Life Implications
Dividing computers or workers from each other into groups is a way to minimize the risk that the wrong people view data they shouldn’t. It also keeps people from altering data they shouldn’t. And it is one of the strongest ways of keeping hackers from getting access to the whole kingdom once they get through one tiny crack in the wall.
Reflecting back on some of the largest data breaches on record, we see a common pattern. Hackers get access to one computer. Then they move out and over to other computers and shared resources: file shares, databases, and so on. Target’s 2013 breach, which began over the Black Friday weekend and exposed about 40 million payment cards and the personal data of up to 70 million customers, is a textbook example of hackers landing on one system and moving up, over and into other data systems. They started with network credentials stolen from a heating and air-conditioning subcontractor and ended inside Target’s point-of-sale systems.
Separate Physical Networks
Physical Local Area Network (LAN)
Easy enough to imagine a large office building with different networks that employees log into. Sure. Big offices often have numerous file servers. And the most basic method for keeping things split apart is to hard-wire each group of computers to its own switch and its own server, with no cable running between the groups. Physical separation makes sense and is easy to understand. But it’s not always the most practical: it means duplicate switches, duplicate cabling, a dedicated port for every device, and two connections for anything that must reach both groups.
Virtual Networks
Virtual Local Area Network (VLAN)
What Does Virtual Network Mean?
Virtual networks share the same physical network connections: same wires, same switches, often the same wireless access point. But they are kept separate by software in the switch. A managed switch assigns every port (or, on a trunk link, every frame’s IEEE 802.1Q tag) to a VLAN number and forwards a frame only to ports that belong to that same VLAN. Once done, users on one VLAN have no way to reach users on another VLAN directly; the only path between VLANs runs through a router or firewall, where that traffic can be permitted, restricted or blocked. They’re kept apart even though they use the same hardware.
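How a VLAN-aware switch actually makes that decision, as an added example (not code from the original article): a small Python model of an 802.1Q switch with access ports and one trunk. The frame layout is the real IEEE 802.1Q one; the port names, MAC addresses and VLAN numbers are assumptions made up for the demo.

```python
# Added illustration, not code from the original article: a toy model of an
# IEEE 802.1Q-aware switch. Real switches make this decision in silicon for
# every frame; the model only shows the rule they apply. Port names, MAC
# addresses and VLAN numbers are made up for the example.
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None: the frame carried no tag
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Ethernet II: dst(6) src(6) [TPID(2) TCI(2)] EtherType(2) payload.
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, None, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, inner, raw[18:])

def build_frame(dst, src, vid, ethertype, payload, pcp=0) -> bytes:
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

@dataclass
class Port:
    name: str
    pvid: int  # VLAN given to untagged frames: the port's "access" VLAN
    tagged: set = field(default_factory=set)  # extra VLANs carried with tags (a trunk)

    def carries(self, vid: int) -> bool:
        return vid == self.pvid or vid in self.tagged

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}  # (vid, mac) -> port, learned per VLAN

    def receive(self, in_port: str, raw: bytes) -> Dict[str, bytes]:
        """Forward one ingress frame; returns {egress port: frame bytes}."""
        port = self.ports[in_port]
        f = parse_frame(raw)
        vid = port.pvid if f.vid is None else f.vid
        if not port.carries(vid):
            return {}  # ingress filtering: a tag this port is not configured for is dropped
        self.mac_table[(vid, f.src)] = in_port
        known = self.mac_table.get((vid, f.dst))
        if known == in_port:
            return {}
        targets = [known] if known else [n for n, p in self.ports.items()
                                         if n != in_port and p.carries(vid)]
        # egress: untagged on the port whose access VLAN this is, tagged elsewhere
        return {n: build_frame(f.dst, f.src, None if vid == self.ports[n].pvid else vid,
                               f.ethertype, f.payload) for n in targets}

# constructed demo: three access ports and one trunk up to the router/AP
BCAST = b"\xff" * 6
LAPTOP, TABLET = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def build_switch() -> Switch:
    return Switch([
        Port("p1", pvid=10),                  # WORK laptop
        Port("p2", pvid=20),                  # KIDS tablet
        Port("p3", pvid=20),                  # KIDS game console
        Port("p4", pvid=1, tagged={10, 20}),  # trunk carrying both VLANs tagged
    ])

def egress_vids(out: Dict[str, bytes]) -> Dict[str, Optional[int]]:
    return {n: parse_frame(b).vid for n, b in out.items()}

def work_broadcast() -> dict:
    """Untagged ARP-style broadcast from the WORK laptop."""
    return egress_vids(build_switch().receive("p1", build_frame(BCAST, LAPTOP, None, 0x0806, b"who-has")))

def kids_broadcast() -> dict:
    return egress_vids(build_switch().receive("p2", build_frame(BCAST, TABLET, None, 0x0806, b"who-has")))

def hopping_attempt() -> dict:
    """The KIDS tablet injects a frame tagged VID 10, trying to reach the WORK VLAN."""
    return egress_vids(build_switch().receive("p2", build_frame(BCAST, TABLET, 10, 0x0806, b"who-has")))

if __name__ == "__main__":
    print(work_broadcast())   # {'p4': 10}: only the trunk, tagged; KIDS ports never see it
    print(kids_broadcast())   # {'p3': None, 'p4': 20}
    print(hopping_attempt())  # {}: dropped at ingress
```

Two things to take from it. The KIDS ports never receive the WORK laptop’s broadcast, even though one switch carries both VLANs; the frame leaves only on the trunk, tagged 10, where the router or access point decides what happens next. And a tagged frame injected on an access port is dropped at ingress. Confirm that your own switch behaves the same way (access ports should discard tagged frames, and the trunk’s native VLAN should be one no device uses), because a switch that honours a client-supplied tag is the classic VLAN-hopping weakness.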
Isn’t That the Same As My Home Guest Network?
No. Yes. Maybe. Sort of. It depends on the router and how the guest network is set up on it. Most home “Guest” networks are not separate VLANs. They are a second SSID on the same router, separated from the main network only by a firewall rule or “client isolation” setting inside that router, and everyone still sits on the same box behind the same internet connection. If that rule is missing, weak or buggy, a guest can reach the Ring doorbell, the Alexa, or the computer with the family financial portfolio on it just as a household member can.
A guest network that does isolate its users works through an ACL (access control list) in the router that blocks traffic from the guest SSID to the private address ranges reserved by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
2.4GHz, 5GHz, and Guest WiFi Networks
Your 2.4 GHz and 5 GHz primary and “guest” network settings on that router from AT&T, Cox, Spectrum or Comcast all tie to the same “Home” network. Depending on the router make and model, your Guest WiFi network may be set by default (factory settings) to allow only internet traffic and not to share other Home network resources. For the casual user, that means they can’t see your IP camera or your printer. But the isolation is only a rule in the router’s firmware: if it is turned off, misconfigured or poorly implemented, a guest can scan the private address range and reach those devices like any other client. Check it yourself: join the guest SSID and try to open the printer’s or camera’s address in a browser. If it answers, there is no isolation.
Separation with VLAN and Managed Switches
A Managed Switch is the piece of hardware that allows us to create virtual, or logical, separate groups. A managed switch is not the same as a Router. The switch is a Layer 2 device: it decides which ports may exchange frames, and with VLANs configured it refuses to forward a frame from one VLAN to a port in another. A Router is a Layer 3 network device: it forwards traffic between networks, connects the devices inside with the outside world (the internet), and, through its firewall rules, is the one place where traffic between your VLANs can be allowed or blocked.
Get Your VLAN at Home
VLANs need more capable network components than the typical home parts. Combine a Managed Switch with a wireless access point (AP) that can put each SSID on its own VLAN, plus a router or firewall that understands VLAN tags, and you’ve got the hardware for creating a true VLAN setup. You don’t need an expensive 48-port commercial-grade managed switch, but you do want a managed switch. And APs like those Ubiquiti offers are more what you’re looking for than a typical WiFi router. It does take more time to set up and learn, but the result is real network security and real separation of resources.
Separate Kids, Parents Personal, and Business
The real security pay-off is in creating separate areas where kids can use the internet with their bad judgement and ask-questions-later enthusiasm for web surfing. You can create KIDS, PARENTS, and WORK networks and truly keep them separated: each gets its own VLAN and its own SSID, and the router decides what, if anything, may cross between them. Usually that is nothing at all from KIDS into WORK.
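The guest-network ACL against the RFC 1918 ranges described earlier and the KIDS / PARENTS / WORK split both come down to one rule table on the router, since the switch leaves no other path between VLANs. The following is an added example, not the article’s code and not any vendor’s syntax: a first-match, default-deny evaluator for that table written in Python. The VLAN numbers, subnets and rules are an assumed addressing plan for illustration.

```python
# Added example, not code from the original article: the router/firewall side
# of a KIDS / PARENTS / WORK / GUEST design. The switch keeps the VLANs apart
# at layer 2; the only path between them runs through the router, so that is
# where the access policy lives. VLAN numbers, subnets and rules below are
# assumptions for illustration. This judges new connections only; a real
# firewall is stateful and lets replies to allowed connections back through.
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# VLAN ID -> (name, subnet): the assumed addressing plan
VLANS = {
    10: ("WORK",    ipaddress.ip_network("10.0.10.0/24")),
    20: ("PARENTS", ipaddress.ip_network("10.0.20.0/24")),
    30: ("KIDS",    ipaddress.ip_network("10.0.30.0/24")),
    40: ("GUEST",   ipaddress.ip_network("10.0.40.0/24")),
}

@dataclass(frozen=True)
class Rule:
    src: str                     # VLAN name or "any"
    dst: str                     # VLAN name, "private" (any RFC 1918 address), "internet" or "any"
    action: str                  # "allow" or "drop"
    dport: Optional[int] = None  # TCP/UDP destination port, None = any port

# First match wins; anything that matches nothing is dropped.
POLICY = [
    Rule("PARENTS", "KIDS", "allow"),              # parents may reach the kids' devices
    Rule("PARENTS", "WORK", "allow", dport=9100),  # ...and print on the WORK printer
    Rule("GUEST",   "private", "drop"),            # guests: nothing on any private address
    Rule("any",     "private", "drop"),            # default: no other inter-VLAN traffic
    Rule("any",     "internet", "allow"),          # every VLAN may reach the internet
]

def vlan_name(ip: ipaddress.IPv4Address) -> Optional[str]:
    for _vid, (name, net) in VLANS.items():
        if ip in net:
            return name
    return None

def dst_class(ip: ipaddress.IPv4Address) -> str:
    """A VLAN name, 'private' for other RFC 1918 space, otherwise 'internet'."""
    name = vlan_name(ip)
    if name:
        return name
    return "private" if any(ip in n for n in RFC1918) else "internet"

def _matches(rule: Rule, src: str, dst: str, dport: Optional[int]) -> bool:
    src_ok = rule.src in ("any", src)
    dst_ok = (rule.dst == "any" or rule.dst == dst
              or (rule.dst == "private" and dst != "internet"))
    port_ok = rule.dport is None or rule.dport == dport
    return src_ok and dst_ok and port_ok

def decide(src_ip: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """Return 'allow' or 'drop' for a new connection arriving at the router."""
    src_vlan = vlan_name(ipaddress.ip_address(src_ip))
    if src_vlan is None:
        return "drop"  # not from any of our VLANs: spoofed or misrouted
    dst = dst_class(ipaddress.ip_address(dst_ip))
    for rule in POLICY:
        if _matches(rule, src_vlan, dst, dport):
            return rule.action
    return "drop"

CASES = [  # constructed flows to audit the table with
    ("10.0.30.7",   "10.0.10.5",   445),   # KIDS -> WORK file share
    ("10.0.20.3",   "10.0.30.9",   None),  # PARENTS -> KIDS
    ("10.0.20.3",   "10.0.10.50",  9100),  # PARENTS -> WORK printer
    ("10.0.20.3",   "10.0.10.50",  22),    # PARENTS -> WORK ssh
    ("10.0.40.12",  "192.168.1.1", 80),    # GUEST -> a private address outside the plan
    ("10.0.40.12",  "10.0.10.5",   80),    # GUEST -> WORK
    ("10.0.30.7",   "203.0.113.9", 443),   # KIDS -> internet
    ("203.0.113.9", "10.0.10.5",   443),   # outside source claiming an inside route
]

def audit() -> dict:
    return {f"{s}->{d}:{p}": decide(s, d, p) for s, d, p in CASES}

if __name__ == "__main__":
    for flow, verdict in audit().items():
        print(f"{verdict:5} {flow}")
```

Whatever router or firewall you end up with, the rules you type in should have the same shape: the explicit allows first, then a catch-all drop for every private destination (all of RFC 1918, not just the subnets you know about, so a guest cannot reach a printer on 192.168.1.x that you forgot to list), then the allow to the internet, and nothing else. Anything not from one of your own subnets is dropped outright.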
Professional Guidance
Aditi Group can provide the hardware and installation and setup of home and small business networks including VLANs, VPNs, Firewalls, and more. Call us if you need help keeping your business secure for your Work At Home office.