Today I want to discuss the most common mistakes made during LAN configuration. These mistakes usually occur in company, academic and campus networks. It is hard to do something wrong in a home network, although I know a few cases. What is the root cause of these failures? There are three possibilities: lack of knowledge, omission or overdoing. Who knows, maybe some of these cases also occur in your network.
Firewall opened for everyone – all to all
In my opinion, this mistake is inexcusable! It is even worse than not making backups! Every time I see an all-to-all entry, I cannot control myself. What does this entry do? It means that the firewall passes traffic from any source address to any target address. You have to realize how big a threat this kind of rule is. All firewall rules have to be restrictive; only then can your firewall provide safety. Additionally, more exposed rules should be logged.
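As an added example (not part of the original post), the following Python script audits a ruleset in `iptables-save` format for the problems described above: all-to-all ACCEPT entries, permissive default policies, and ports open to any source without a matching LOG rule. The sample ruleset, the function names and the choice of iptables as the firewall are assumptions made for illustration.

```python
import shlex
# Constructed sample in iptables-save format (assumption, not taken from a real host).
SAMPLE_RULESET = '''\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j LOG --log-prefix "https-in: "
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
COMMIT
'''

ANY = {None, "0.0.0.0/0", "::/0"}        # an absent -s/-d also means "any"
NARROWING = {"-i", "-o", "-p", "-m", "!"}  # any of these restricts what a rule matches

def opt(tokens, flag):
    """Return the value following `flag`, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit(ruleset):
    """Return (line_number, finding) pairs for over-permissive filter entries."""
    findings, logged = [], set()
    for n, line in enumerate(ruleset.splitlines(), 1):
        if line.startswith(":"):  # chain declaration with its default policy
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append((n, f"{chain} default policy is ACCEPT"))
            continue
        tokens = shlex.split(line) if line.startswith("-A ") else []
        if "-j" not in tokens:
            continue
        chain, target = tokens[1], opt(tokens, "-j")
        match = tuple(tokens[2:tokens.index("-j")])  # match spec between chain and target
        if target == "LOG":
            logged.add((chain, match))  # remember which match specs are logged
        if target != "ACCEPT" or chain not in ("INPUT", "FORWARD"):
            continue
        open_src = opt(tokens, "-s") in ANY
        if open_src and opt(tokens, "-d") in ANY and not NARROWING & set(tokens):
            findings.append((n, f"{chain} all-to-all ACCEPT"))
        elif open_src and "--dport" in tokens and (chain, match) not in logged:
            findings.append((n, f"{chain} port {opt(tokens, '--dport')} open to any source, not logged"))
    return findings
```

Calling `audit(SAMPLE_RULESET)` flags the FORWARD default policy, the unlogged port 8080 rule and the all-to-all FORWARD entry, while the logged 443 rule and the source-restricted SSH rule pass.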
Which DNS should we use in our network? Of course, the trusted one! If you trust yourself as an administrator, you should use your own DNS server. If not (yep, it may happen), you can use your provider’s DNS or DNS from Google (e.g. 18.104.22.168).
I do not want to do an upgrade…
If you do not want to do it, you should find another job. Maybe folding boxes would be a better thing to do. Upgrades are mandatory! Every piece of software has errors, and only upgrades can solve known issues. Lately, I had a good, working production server. I do not think I have to describe how surprised I was when I discovered that Debian Lenny 5.0 was installed on this server. I have one idea: maybe developers should introduce “new” branches for conservative administrators called Archaic Stable or Mammoth Stable :/
User name/password: admin/admin
Empty password, standard login and password, spouse’s or pet’s name... How many times have you seen it? The worst thing is that users do not respect password policies. When you send them a randomly generated 10-character password, they take offence and ask for “something simpler”, e.g. their wife’s name. I do not have to mention that a dictionary attack will take less time than making a coffee.
Network traffic without any control
OK, we are not at home. We take care of several production servers (for a lot of important customers). We have to monitor our network, check logs and control what comes in and out. It is good practice to use network tools from time to time (e.g. Wireshark, iperf, iptraf and NetStumbler), especially if we observe “a jam” in our network.
Pipes without limits
Sometimes it is good to limit throughput for some services. This is needed not only in big corporate networks, but also in small ones. The most problematic are P2P applications (e.g. torrent). A very interesting solution is to configure tunnels on the router for selected services. If you use iptables, you can configure e.g. pipes.
Uncontrolled access to the network
Unprotected company AP, DHCP in the local network… These are admins’ ideas to “simplify their life”. They do not have to configure IP addresses, check MAC addresses or send security keys to every user. I wonder who will be responsible when company data leaks?!