Security by Design
DESCRIPTION
We will discuss how we assessed a customer's network, created a design that fit their performance and security needs, and implemented that design with configurations that increased their security and decreased their downtime.
When
July 2022
Security in networking is a broad topic. It is also one of the most impactful. With the growing scope and diversity of networks, devices, and applications, attack vectors are as numerous as ever. There are many ways for attackers to reach sensitive data, whether through insecure protocols or APIs, brute-forcing Wi-Fi, or gaining access with credentials stolen in a phishing campaign. Attackers have never had so many options, but fortunately there have never been more security practices available to counter them.

A manufacturing customer had security concerns after potential breaches on their network. They had also been experiencing network performance issues. They were unsure whether the two problems were related, so our first step was to assess the network. We looked at the design of the network with a standard network assessment and also performed a security posture assessment to determine how prepared the network was to withstand attacks.

The network was fairly flat, with three subnets, each VLAN representing a specific cell of machines. There was no port security in use, and a Windows PC was routing between the subnets using its own network interface cards. There were also numerous open ports, insecure methods of remote access used by vendors, and many known vulnerabilities across multiple devices.

Many customers do not consider their own devices and employees as attack vectors, but attackers have the most success evading defenses by using the credentials of trusted people or gaining access to trusted devices. Phishing attacks can be used to snatch credentials, and vulnerabilities in operating systems can be used to gain access to devices. Once we saw the number of vulnerabilities, we created a patch plan to update the firmware and operating systems on every device that we could. Since we could not do so on every device without affecting compatibility, we mitigated by migrating software that was running on a Windows 7 PC to a VM running Windows 7 as an extra layer of security.

We also implemented Private VLANs. Wait, for real? Yes, we actually found a use for those. Each cell of machines has drives that only talk to a PLC (programmable logic controller). The PLC has no need to talk to any other device on the network except a server where analytic data is collected. To address the security and performance impact of the heavy broadcast traffic generated by the PLCs, we put each machine cell on a community private VLAN and assigned the uplink port as a promiscuous port. We also placed a Cisco ASA between the plant network and the IT network to prevent lateral propagation of threats from the IT network and to provide remote VPN access for vendors.
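As an added example, not the configuration from the original engagement, this is how the community private VLAN design described above is typically expressed on a Cisco Catalyst switch running IOS. The VLAN IDs, interface numbers and descriptions are assumptions chosen for illustration; the roles (one primary VLAN, one community VLAN per machine cell, host ports for the PLC and drives, a promiscuous uplink toward the analytics server) are what the paragraph describes. Port security is added on the host ports because the assessment found none in use.

```cisco
! Added example: community private VLANs per machine cell on a Cisco IOS switch.
! VLAN IDs, interface names and descriptions are illustrative assumptions.
!
! Private VLANs require VTP transparent mode (or VTP version 3).
vtp mode transparent
!
! One primary VLAN for the plant floor; every cell's community is associated with it.
vlan 100
 name PLANT-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! One community VLAN per machine cell: the drives and their PLC can talk to
! each other and to the promiscuous uplink, but not to any other cell.
vlan 101
 name CELL1-COMMUNITY
 private-vlan community
vlan 102
 name CELL2-COMMUNITY
 private-vlan community
!
! Host ports for cell 1 (PLC and drives). Port security limits each port to the
! first MAC address it learns; "restrict" drops and logs violations without
! shutting the port, so a production cell is not taken down by a single event.
interface range GigabitEthernet1/0/1 - 4
 description Cell 1 - PLC and drives
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Host ports for cell 2, same pattern with its own community VLAN.
interface range GigabitEthernet1/0/5 - 8
 description Cell 2 - PLC and drives
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Uplink toward the analytics server: promiscuous, so every community can reach
! it while the cells remain isolated from one another. Broadcasts from a cell
! are confined to its community plus this port.
interface GigabitEthernet1/0/24
 description Uplink - analytics server / core
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

After applying it, `show vlan private-vlan` should list VLAN 100 as primary with 101 and 102 as community, and `show interfaces GigabitEthernet1/0/1 switchport` should show the port's operational mode as private-vlan host. If the PLC-to-server traffic is routed on the switch itself rather than sent out the uplink, the SVI for VLAN 100 also needs `private-vlan mapping 101,102` so that it answers for the secondary VLANs. Because sticky port security pins a port to the first MAC it sees, replacing a drive means clearing the learned address on that port; that is the intended trade-off for preventing an unknown device from being plugged into a cell.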

This customer had multiple overlapping needs, as many of you do. We prefer an approach where we assess the network to find as many issues as we can, so that we can address them all in a cohesive, secure, and cost-effective way. Please let us know if we can help you with your network or any other technical issues. The beauty of technology is that even though many problems can arise, there is a multitude of solutions out there. Let us help you determine which solutions fit you best.
There's no time like today.
Schedule a consultation so we can learn more about your needs and work with you to create a path forward.