Best Practices for Workbench Network Security

Written by Jeremy Oaks. Jeremy is a computer science graduate who works in managed IT and programs computer utilities in his free time.

It’s surprising how insecure the average technician’s network is. For being experts in technology and security, technicians are just as guilty as customers in lax network security. While technicians rarely have issues, it is not because of a proper configuration; they have just been lucky so far. However, today’s threats require a revamp of workbench and office network security.

Before I dive in to common issues and solutions, I’d like to take a moment to identify what a technician needs to protect against, and how far things need to be locked down. After all a $10 lock on a $5 item is counterproductive. I believe that technicians need to protect against malware and network intrusion. Any experienced computer technician can identify scams, social engineering, and similar items. However, many technicians will hook a malware infected computer up to the primary bench network without batting an eyelid, and run their workstation without anti-virus and firewall. This is dangerous. With that said, it’s time to dive into the nuts and bolts of designing a malware resistant workbench network, with the right balance of protection and practicality.

Workbench Networks

The most common issue I see in technician networks is a lack of segmentation. A common configuration is to have everything from infected customer computers to technician workstations to office accounting computers on the same subnet. This is an inherently bad idea, especially with the rise of encrypting malware. While it’s possible to lower the risk of the single subnet approach, it will never be a good configuration.

The solution is to segment your network. Managed switches with VLAN capability make doing this easy. Otherwise, physically separating workbench and non-workbench networks with at least NAT device is a prudent idea. While a person must be practical, the smaller the network segments the better (such as each technician having a VLAN). This includes wireless networks as well.

Dedicated malware cleanup networks are a very useful tool in securing your workbench network, which can be used for malware cleanups or as a quarantine network until a machine has been scanned. In these networks, hardening is the name of the game. Instead of network shares for tools, I’d suggest write protected flash drives or a simple web server. I’d also suggest making any technician workstations on a malware cleanup network linux based so they are immune to Windows based malware. This network should be totally isolated from the other networks in your office, and a UTM device should be placed between this network and the Internet.

Another good-measure item is basic protection on technician workstations. Most technicians are running as administrator on their workstation, and this is more or less a requirement for doing technical work. This being the case, it is inherently dangerous to run a technician workstation with “shields down.” I suggest running technician workstations with the same anti-virus and firewall and anti-malware protection as you install on your customer computers. I also suggest using an ad blocker in the primary web browser on technician workstations as an additional security layer.

Office Networks

Now, lets talk about network intrusion, and clarify what the threat is. I’m using the term network intrusion to mean a human trying to access information on your network or online accounts, not unsolicited network traffic coming in and getting past the gateway device. So, with this definition I’m looking to target anyone who would brute force your wireless to see what you have on your network, or who would dig through your trash for PII and then try to log into accounts that you have (like your domain registrar).

The areas that technicians are most vulnerable in this regard are password habits, two-factor authentication, and device encryption. Single subnet users normally have the wireless on the same subnet too, so anyone on the wireless can see all the network shares, and this is an issue, but I’ll assume that the discussion above was sufficient for the topic, and that the office wireless (if it exists) is not on the same subnet and has a secure password.

Now, without further ado, passwords. We all know that we need strong passwords, but our everyday passwords that protect our ticketing systems, email, accounting, etc. seem to not be the strongest. They are either easy to guess, some variation of a default password, or not changed enough for the average technician. Some passwords need to protect against brute force robots, and others against malicious or disgruntled employees. One tool I find useful for this is PWGen. It is an open source tool that can generate passwords of a specified length and complexity in bulk. Most password managers have functions to generate and to change passwords, so if you are not using a password manager for your Internet based accounts, I suggest using one. I use LastPass on a daily basis, and it is a good place to start.

In addition to a good password, two-factor authentication is a powerful security tool. It is very simple to setup, and it can stop an intrusion dead in its tracks. This is useful for keeping business accounts (such as DNS registration, social media, etc.) secure from disgruntled or malicious employees. This is cheap insurance, and it should be turned on for every account that supports it. For easy management of two-factor authentication, try Authy (available on both Android and iOS).

Any device that holds customer data or important internal information should be encrypted. While the common thief may just be looking to sell stolen hardware, the potential liability of an identity thief stealing business or customer information is too great of a risk to be ignored. For computers with a TPM built in, BitLocker integrates seamlessly. For devices that do not support BitLocker, DiskCryptor is a open source utility for whole disk encryption. While it may not be practical to encrypt NAS devices, encrypted containers can be stored on the NAS and mounted on another device and shared on the network if shared secure storage is required.

Whole Network

All networks in your office should be protected by a UTM device. I suggest putting these devices at the outermost network edge, and enabling malware and spam filtering on them. While it may seem like overkill, I have had systems infected that were sending out spam email, and the gateway device stopped the traffic. Dedicated malware scanning networks should have a stateless firewall, only allowing HTTP, HTTPS, and DNS traffic (and blocking all other ports in and out). Many UTM devices are available, but the free version of Untangle is easy to setup, and free for commercial use. You can install it on your own hardware, or purchase Untangle appliances.

As an additional layer, secure DNS servers (like OpenDNS) should be used. This should be configured on all devices, in all networks. This will prevent almost all communication with known malicious networks, as the DNS look up for the malicious network will be blocked. While the direct benefits are dependent on what requested the DNS look up (encrypting malware, a botnet, etc.) secure DNS is a good-measure protection that is easy to setup and offers impressive protection. Simply set the DNS server that your local DNS server uses to the secure DNS server IP and you are set.

It’s time to mention something that doesn’t fit nicely into security, but is an important aspect: backups. Even if your workbench network did get hit by a zero day encrypting malware threat that came in on a customer computer, you could just re-install your operating system and restore from backup, right? Well, as technicians we seem to be so busy backing up customer systems that we don’t backup our own systems properly. However, even if your workstations are backed up, what about your NAS?

Since most people backup to a NAS, backing up the NAS seems unnecessary and cumbersome. However, a useful tool that many NAS devices support is versioning or snapshots. Thus, if your NAS (which probably holds data from customer systems that can’t be replaced) was hit by encrypting malware or an employee who deleted the wrong folder, you could simply roll the NAS back to the most recent snapshot. While it does take some overhead in terms of disk space, it is cheap insurance, and it is a one time setup.

Everyone will run into a security issue eventually; its just a matter of time. However, if your bench and office networks are properly secured, you can prevent a large number of issues, and minimize the impact of those issues you can’t prevent. This will pay dividends in up time and stability, so why roll the dice?