As a small business owner, you never know when or where an attack can occur, physical or digital. In the physical world you have tools like deadbolts, locks, metal gates and alarm systems that can keep unauthorized people out of certain areas. If you have an employee-only area, an authorized badge or a key can let employees in while everyone else is denied access. If you have a safe for high-value items and petty cash, then passcodes and biometrics can restrict access to a select trusted few, locking out even normal employees. Adding these additional walls or layers of security makes perfect sense: you want to make it as hard as possible for someone to penetrate your defenses. The same mentality and approach can be taken for your digital world as well. In this article, I’ll talk about some key features in a DSR VPN Router that you can use to do just that, which also helps push your business towards PCI Compliance. For more information about best practices from the Payment Card Industry, check out this link here.
VLAN
VLAN stands for Virtual Local Area Network. In its most simplified terms, a VLAN allows you to divide an Ethernet switch into separate logical switches. Typically a switch is completely open and any devices connected to it can communicate with each other. But what if you have devices that don’t need to or shouldn’t talk to each other? Isn’t it wiser to keep them separated in that case? YES, it is! If an attack does occur on one VLAN, the other VLANs shouldn’t be affected. The more separation you can implement in your network while still maintaining all the necessary functions, the better. The DSR can accommodate VLANs on its switch ports and also provide separate IP subnets and DHCP servers per VLAN. You can keep your faculty network on VLAN 1, Guest WiFi on VLAN 2, Credit Card Processing (i.e. reader/swiper) on VLAN 3 and your IP Surveillance Network on VLAN 4. The DSR provides internet access to all VLANs but also keeps all the devices separated from each other, so there’s less chance of an attack compromising your entire network at the same time. An honorable mention goes to the DGS-1100-05 EasySmart Switch. In this scenario, you have one port going to the Front Desk, but there you have multiple devices that shouldn’t talk to each other. Rather than deploying multiple expensive cable runs to the same place, you can use a VLAN-aware switch to trunk multiple VLANs to the DSR, preserving the VLAN separation end to end. For more information about our DGS-1100 series, click here.
IP/MAC Binding
Each Ethernet device has an identifier called a MAC address. This can usually be found on the belly label of a device or in the documentation provided with it. When setting up a network for the first time, you can lock down the network so that access is allowed only to devices whose MAC address and IP address combination you have identified, similar to a whitelist. This is an easy way to allow only trusted devices to connect to your network while preventing a random person from connecting to a switch port and gaining access. Unfortunately, MAC addresses can be spoofed with enough know-how, but adding this layer of security is yet another obstacle for an attacker to overcome. Making it a parlay of both MAC address and IP address ups the difficulty of spoofing.
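The binding check described above, combined with the four-VLAN layout from the previous section, as an added example. It is not D-Link code and does not show how the DSR implements the feature; the subnets, MAC addresses and observed hosts are constructed, and `check_host` and `normalize_mac` are hypothetical helper names.

```python
import ipaddress

# All values are constructed for illustration. VLAN IDs and roles follow
# the article; subnets, MACs and IPs are assumptions.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.10.0/24"),  # faculty network
    2: ipaddress.ip_network("192.168.20.0/24"),  # guest WiFi
    3: ipaddress.ip_network("192.168.30.0/24"),  # credit card processing
    4: ipaddress.ip_network("192.168.40.0/24"),  # IP surveillance
}
BINDINGS = {  # MAC -> (bound IP, VLAN)
    "00:11:22:33:44:01": ("192.168.10.20", 1),
    "00:11:22:33:44:03": ("192.168.30.10", 3),
    "00:11:22:33:44:04": ("192.168.40.15", 4),
}

def normalize_mac(mac):
    """Canonical lower-case colon form, so 00-11-.. and 0011.22.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_host(mac, ip, vlan):
    """Return 'allow' or a deny reason for one observed (MAC, IP, VLAN) tuple."""
    mac = normalize_mac(mac)
    addr = ipaddress.ip_address(ip)
    if vlan not in VLAN_SUBNETS or addr not in VLAN_SUBNETS[vlan]:
        return "deny: IP outside VLAN subnet"
    if mac not in BINDINGS:
        return "deny: unknown MAC"
    bound_ip, bound_vlan = BINDINGS[mac]
    if vlan != bound_vlan:
        return "deny: MAC seen on wrong VLAN"
    if addr != ipaddress.ip_address(bound_ip):
        return "deny: MAC/IP mismatch"
    return "allow"

# Constructed observations, e.g. rows from an ARP or DHCP lease table.
OBSERVED = [
    ("00-11-22-33-44-03", "192.168.30.10", 3),  # card reader, as bound
    ("00:11:22:33:44:03", "192.168.30.99", 3),  # known MAC, different IP
    ("AA:BB:CC:DD:EE:FF", "192.168.10.50", 1),  # device not on the list
    ("00:11:22:33:44:04", "192.168.30.15", 3),  # camera plugged into card VLAN
]

if __name__ == "__main__":
    for obs in OBSERVED:
        print(obs, "->", check_host(*obs))
```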
VPN
VPN stands for Virtual Private Network. It is the most common and secure way to access any resources on your network from another office (i.e. another DSR VPN Router) or a remote location (i.e. hotel WiFi). Punching a hole through your firewall or putting a server on a Public IP address is not recommended; that’s equivalent to leaving your door unlocked. By creating a VPN tunnel, you add 2 types of security. The first is authentication: in order to create the VPN tunnel back to your main office, you need to provide the right credentials. The second is encryption: your traffic will also be encrypted as it passes through the World Wide Web. Anyone listening will have to dedicate a lot of computing power to defeating that encryption before they can learn the contents of your traffic.
PCI Scan
Although not related to any specific feature on the DSR, working with a PCI Scan vendor to analyze your firewall from the outside is often a requirement for any business that stores sensitive data like credit card information or patient info. Attacks are always evolving, and using this tool will help keep you updated on new threats as they appear.
At the end of the day, you can only do so much against a determined attacker with nothing but time on their hands. The best that you can do is try to implement as many strategies as you can to make it as hard as possible for them to do what they want to do. Hackers are ultimately out there to make a buck as efficiently and discreetly as possible. Here, time is the key, and making it not worth their while goes a long way. The DSR VPN Router can do much more than a consumer router in this area. You owe it to your customers to put effort here to keep their data safe.