Network Security
Who gets in, who stays out? Network security doesn't start at the firewall. It starts at every single port and every Wi-Fi access point.
The Problem: Open Doors in the Network
Unprotected LAN Ports
In most networks, anyone can plug a device into a free network port and get instant access. In offices, clinics, hotels, and shops, these ports are often freely accessible, a security risk that's rarely considered.
Wi-Fi Without Control
A shared Wi-Fi password eventually becomes common knowledge among former employees, guests, and neighbours. Without individual authentication, there's no control over who connects.
Unknown Devices on the Business Network
An unknown device on the network can intercept data, spread malware, or serve as a gateway for attacks. Without access control, this goes unnoticed.
The Solution: Port-Level Access Control
802.1X Authentication
Every device must authenticate before gaining network access, whether via LAN or Wi-Fi. Without valid credentials or a certificate, the port stays locked. This is the industry standard for network access control.
MAC Filtering
Only devices with a known MAC address are allowed to connect. Simple to implement and a good first step, especially for environments where 802.1X would be too complex. Important to note: MAC addresses can be spoofed, so MAC filtering alone doesn't provide complete protection.
RADIUS Server
A central RADIUS server manages all access credentials and decides in real-time whether a device may enter the network and which VLAN it belongs to. This enables centralised access control for the entire network.
Dynamic VLAN Assignment
Depending on who logs in, the device automatically lands in the correct network segment. An employee laptop goes to the corporate network, a guest device to the guest Wi-Fi, fully automatic.
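What the RADIUS decision and dynamic VLAN assignment described above look like on the wire, as an added example that is not part of the original page: the server's Access-Accept carries three tunnel attributes (RFC 2868, used for VLANs as in RFC 3580) that the switch or access point reads. The group names, VLAN IDs and the guest fallback for unmapped identities are assumptions made for illustration.

```python
import struct

# Constructed policy for illustration: group names and VLAN IDs are assumptions.
VLAN_BY_GROUP = {"employees": 10, "guests": 99}
FALLBACK_GROUP = "guests"  # authenticated but unmapped identities get least privilege

# Attribute numbers from RFC 2868; the VLAN values are those given in RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def tagged_int(attr_type, value, tag=0):
    """Encode Type, Length (always 6), Tag, then a 3-octet big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def untagged_string(attr_type, text):
    """Encode Type, Length, String. The tag octet is omitted: the first octet is
    an ASCII digit (> 0x1F), so a receiver reads it as part of the string."""
    data = text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data

def vlan_attributes(vlan_id):
    """Return the three attributes that tell the switch or AP which VLAN to use."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + untagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))

def decide(authenticated, group):
    """Return (reply, attribute bytes) for one access request."""
    if not authenticated:
        return "Access-Reject", b""  # port stays locked, no VLAN is handed out
    vlan_id = VLAN_BY_GROUP.get(group, VLAN_BY_GROUP[FALLBACK_GROUP])
    return "Access-Accept", vlan_attributes(vlan_id)

def parse_vlan(attrs):
    """Walk the TLVs as the switch would and return the assigned VLAN ID, or None."""
    pos, vlan = 0, None
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute")
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            vlan = int(attrs[pos + 2:pos + length].decode("ascii"))
        pos += length
    return vlan
```

The VLAN ID travels as an ASCII string, not an integer, which is a common source of mismatches when a switch silently ignores the assignment.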
Wi-Fi Encryption and VLAN Security
WPA3 / WPA2-Enterprise
A strong Wi-Fi password alone isn't enough. With WPA2-Enterprise or WPA3, each user authenticates individually, and shared passwords become a thing of the past. This also makes it traceable who was connected and when.
Firewall Rules Between VLANs
Network segmentation via VLANs is only half the battle. Without firewall rules between segments, devices in the guest VLAN could potentially still access the corporate network. Clear rules define which traffic is allowed between VLANs and which is not.
Additional Security Measures
DHCP Snooping
Prevents anyone from introducing a rogue DHCP server into the network, which could redirect all traffic.
Dynamic ARP Inspection
Protects against ARP spoofing, i.e. attacks where a device impersonates the gateway to intercept traffic.
Port Security
Limits the number of allowed devices per port. If an unknown device is plugged in, the port is automatically disabled.
Client Isolation
Devices on the same network can't see each other. Particularly important for guest Wi-Fi, hotels, and coworking spaces.
Firmware Updates for Network Devices
Switches, access points, and routers have their own software that needs regular updates. Known security vulnerabilities are patched through updates. Not updating means leaving the door open.
The Result
- Only authorised devices gain network access, via LAN and Wi-Fi.
- Unknown devices are automatically blocked or redirected to a guest network.
- Central management of all access via a RADIUS server.
- Automatic VLAN assignment based on device or user.
- Full transparency over which devices are on the network.