Welcome! This is the first post of a series that focuses on how to implement NSA best practices when setting up a Small Office / Home Office network.
Hi, I’m Andrew Northam. With over 20 years of experience in IT, I specialize in Retail, Medical, and Education. In this series, we’ll cover the best practices for securing wired and wireless networks, recommended by organizations like NSA and ITIL.
Prepare – Determine your network requirements
For optimal performance, it is recommended to install network cables for stationary devices. To avoid potential problems and expenses in the future, consider pre-wiring your office.
To start, determine the number of WIRED devices you’ll have and their locations. Plan to connect all fixed devices, desktop computers, printers, desk phones, security cameras, and TVs to the wired network. The more devices you connect, the faster and more efficient your WIRELESS network will operate.
Next, identify where you want your wireless access point(s) and run a wire to each location. It’s important to space out access points to ensure good coverage throughout your office.
To install the wiring, hire a qualified Low Voltage Electrician who can pull good-quality cables to all the wired locations. Confirm that they are qualified to terminate and test the cables, and make sure they use at least CAT6 cable. (Here is an ABN IT KB post on best practices for designing a wired network.)
If adding wiring is too costly or impractical, there are other options available for smaller networks such as MESH technology and all-in-one router+switch+wireless devices. We will delve into these alternatives at a later time.
Choosing an Internet Provider
When choosing a new Internet provider, there are various options to consider such as Cable and Phone Providers, new FTTH providers, wireless, and even satellite options. It’s important to consider several factors when selecting an ISP.
Speed: Internet bandwidth is measured in bits per second (bps), and the higher the speed, the more devices and users you can accommodate without slowness. Every connection has both a download and an upload speed. Traditional providers usually offer significantly faster download speeds than upload speeds, while newer FTTH providers offer symmetrical download and upload speeds, which is excellent for hosting your VPN or another server.
Equipment: To ensure you have the necessary equipment for your internet connection, it’s best to confirm with your provider what they offer and at what cost. Providers may offer various options, such as a modem or a package that includes a modem, router, and wireless capabilities, often for an additional fee. According to NSA best practices, it’s recommended to own your router for maximum administrative control.
Price & Fees: To find the most affordable option, compare prices from different providers. Be sure to check if there’s a contract, how long it lasts, and if there are any installation fees.
IP Addresses: Confirm that your internet provider includes a public IPv4 address. Due to the depletion of available IPv4 addresses and the implementation of CGNAT by many ISPs, some customers may not receive a public IPv4 address. Without a public IPv4 address, hosting a VPN or server on your network may not be possible. You can read more about CGNAT in this ABN IT KB article. If your internet provider does not offer a public IPv4 address, they may provide one for an additional fee.
Construction: It’s essential to check with your internet provider about their installation timeframe. Some providers can activate service in a pre-wired building within a day. In other complex scenarios, fiber optic installations can take up to 6 months.
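To check the IP Addresses point above before planning a VPN or server, here is an added example (not part of the original post): a Python sketch that classifies the WAN address shown on your router's status page, flagging the 100.64.0.0/10 range reserved for carrier-grade NAT (RFC 6598) and the private RFC 1918 ranges. The function name `classify_wan`, the verdict strings, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT (CGNAT).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; seen on the WAN side when the router sits behind
# another NAT device (for example an ISP-supplied gateway).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip, observed_ip=None):
    """Classify the IPv4 address shown on the router's WAN status page.

    observed_ip is optional: the address an outside "what is my IP" service
    reports for the same connection. A mismatch means NAT exists upstream.
    """
    try:
        wan = ipaddress.ip_address(wan_ip.strip())
    except ValueError:
        return "invalid"
    if wan.version != 4:
        return "not-ipv4"
    if wan in CGNAT_NET:
        return "cgnat"            # inbound VPN/server hosting will not work
    if any(wan in net for net in PRIVATE_NETS):
        return "private"          # double NAT; check the upstream device
    if not wan.is_global:
        return "reserved"         # link-local, loopback, etc.: no real lease
    if observed_ip is not None:
        try:
            seen = ipaddress.ip_address(observed_ip.strip())
        except ValueError:
            return "invalid"
        if seen != wan:
            return "nat-upstream"  # router address is not what the world sees
    return "public"


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real network.
    samples = [("100.72.14.9", None), ("192.168.1.2", None),
               ("8.8.8.8", "8.8.8.8"), ("8.8.8.8", "1.1.1.1")]
    for wan, seen in samples:
        print(f"WAN={wan} observed={seen} -> {classify_wan(wan, seen)}")
```

Only a `public` verdict means the connection can accept inbound VPN or server traffic directly; for any other result, ask the provider about a public IPv4 address.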
In the coming months, I will be sharing information on various topics related to network security while adhering to the 14 NSA Best Practices. We will discuss important aspects such as selecting a router that is secure and keeping it up-to-date (NSA BP# 2), employing firewall capabilities (NSA BP# 5), and choosing a network switch. We will also delve into building a wireless network, from determining its requirements to implementing Wi-Fi (NSA BP# 3). Additionally, I will guide you through setting up UniFi on a Raspberry Pi (NSA BP# 4) and advanced router topics such as setting up OpenVPN and DDNS, disabling UPnP, and limiting administration to the internal network only (NSA BP# 11).
Furthermore, I will cover computer, phone, and IoT security basics, such as upgrading to a modern operating system and keeping it up-to-date (NSA BP# 1), leveraging security software (NSA BP# 6), scheduling frequent device reboots (NSA BP# 12), and limiting the use of the administrator account (NSA BP# 8). Additionally, I will provide end-user best practices to ensure secure user habits and protect passwords (NSA BP# 10 and NSA BP# 7, respectively).
Lastly, we will discuss how to safeguard against eavesdropping from IoT devices (NSA BP# 9).