5 Easy Tips for Protecting Your SMB Network

Implement these common-sense—but rarely heeded—network suggestions

Your servers and the applications they run are probably well maintained and thoroughly documented. But if you're like most organizations, your network—that is, the switches, routers, access points (APs), and cabling that make up the physical infrastructure backbone of your organization—might be overlooked. Most networking equipment, when it's configured correctly at the start, "just works," requiring little day-to-day intervention.

Until something goes wrong.

Having a well maintained and well documented network is crucial to easing the burden of recovery in the event that something does go wrong. This is especially true in today's always-connected, Web 2.0, cloud-based world. In this article, I'll highlight some of the best practices that I often see in strong SMB networks. Many, if not all, of these practices are steps you can start taking today with minimal effort.



A critical piece of documentation that you must have in your environment is a network diagram. Network diagrams range in size from scratches on the back of a napkin to multipage Microsoft Office Visio diagrams that show every last piece of hooked-up equipment, including serial number, IP address, name, location, and color. For SMB networks, keeping things simple often works best. Highlighting the major components and how they're connected in a high-level diagram is the most crucial aspect.

So, it's time to buckle down and draw a diagram. I recommend illustrating your connection(s) to the Internet, any and all routers and firewalls, and any switch that supports 24 or more ports. If you have smaller desktop switches, consider highlighting them on a separate diagram that shows nothing but these switches and their uplinks to your larger switches. If you have only smaller desktop switches, include them in the primary diagram. Having diagrams that you can refer to that show the entire physical switching topology of your network is critical, especially if you're not utilizing the Spanning Tree Protocol (STP) to protect your network from switching loops.

Figure 1 shows an example of a high-level diagram, and Figure 2 shows an example of a diagram consisting of smaller desktop switches and their uplinks.

Figure 1: High-level network map

Figure 2: Granular network map

Although you can perform this task manually, several tools are available for simplifying the process. If you have Microsoft Office Visio, plug-ins such as SolarWinds LANsurveyor Express will attempt to sniff your network and determine the devices you have and their location. Free tools, such as the uber-management tool Spiceworks, also include the ability to create a network map. Be aware, however, that such tools might not be able to detect all your devices. In my case, when I ran Spiceworks' mapping tool, it omitted some unmanaged desktop switches, which I then had to manually add to the diagram. So, these kinds of tools are a great starting point, but make sure you reconcile their output, and don't consider their findings 100 percent accurate.

Once you have your diagram created, commit yourself to keeping it up to date. By doing so, you ensure that you have a document that you can easily refer to when you need to make topology changes—and you'll no longer have to just guess how your equipment is interconnected. Likewise, if you're subject to any type of audit that requires a topology diagram, you’ve already accomplished one part of the audit requirements!



You also need to maintain a list of statically assigned IP addresses—often assigned to servers and fixed equipment such as large printers and APs, as opposed to desktops—that you can refer to and keep updated. Again, simplicity is best: A Microsoft Office Excel spreadsheet is ideal for this purpose.

Resist the urge to be too simple, however, by including only the name of the server or equipment and the IP address you assigned to it. You should also consider including details such as any DHCP scopes you've assigned, public IP addresses assigned by your ISP that you've mapped with NAT to private IP addresses assigned by you within your network, as well as Internet hostnames (e.g., the hostnames for your mail server, such as mail.yourdomain.com, and your web server). Figure 3 shows a sample Excel spreadsheet that displays the information you might consider including.

Figure 3: IP address list

Software is available to help with this task. Vendors such as Colasoft and SolarWinds would love to sell you a suite of appropriate network-management tools, but they also offer free utilities that can help you. Colasoft offers a free MAC address scanner that scans entire subnets and provides a list of IP and MAC address pairs, and it attempts to determine the equipment manufacturer based on the first 24 bits of the MAC address. If you don't want to use Excel at all, you don't have to! SolarWinds offers a free IP address management tool that scans your network to determine the IP addresses in use, then provides a report. You can rerun the scanner to stay up to date without having to remember to update your spreadsheet. This solution helps you avoid any "fat finger" errors.

Once you've created your list of IP addresses, commit yourself to keeping it current. As with your network diagram, you're ensuring that you have a document that you can easily refer to when changes are necessary. Nothing is more frustrating than assigning an IP address that’s already in use to the new server you just bought!
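One way to keep the list honest is to reconcile it against what a subnet scan actually sees. The following is an added example, not part of the original article: it compares a documented static-IP list with scanned IP/MAC pairs and flags addresses that need review before you assign anything new. All hostnames, addresses, MAC values and the DHCP scope bounds are constructed sample data.

```python
import csv
import io
import ipaddress

# Constructed sample data: the documented static-IP list and a scan result.
DOCUMENTED_CSV = """name,ip,mac
fileserver,192.168.10.10,00:11:22:33:44:10
mailserver,192.168.10.11,00:11:22:33:44:11
printer-2f,192.168.10.20,00:11:22:33:44:20
ap-lobby,192.168.10.150,00:11:22:33:44:30
"""
SCAN_CSV = """ip,mac
192.168.10.10,00:11:22:33:44:10
192.168.10.11,00-11-22-AA-BB-CC
192.168.10.25,00:11:22:33:44:99
192.168.10.150,00:11:22:33:44:30
192.168.10.160,00:11:22:33:44:a1
"""
DHCP_SCOPE = ("192.168.10.100", "192.168.10.200")  # assumed scope bounds


def norm_mac(mac):
    """Normalise 00-11-22-AA-BB-CC or 0011.22aa.bbcc to 00:11:22:aa:bb:cc."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(documented_csv, scan_csv, dhcp_scope):
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_scope)
    docs = {ipaddress.ip_address(r["ip"]): r
            for r in csv.DictReader(io.StringIO(documented_csv))}
    seen = {ipaddress.ip_address(r["ip"]): norm_mac(r["mac"])
            for r in csv.DictReader(io.StringIO(scan_csv))}
    findings = []
    for ip, row in sorted(docs.items()):
        if lo <= ip <= hi:
            findings.append(("static-in-dhcp-scope", str(ip), row["name"]))
        if ip not in seen:
            findings.append(("documented-not-seen", str(ip), row["name"]))
        elif seen[ip] != norm_mac(row["mac"]):
            findings.append(("mac-mismatch", str(ip), row["name"]))
    for ip in sorted(set(seen) - set(docs)):
        # Addresses inside the DHCP scope are expected to be undocumented.
        if not lo <= ip <= hi:
            findings.append(("undocumented-in-use", str(ip), seen[ip]))
    return findings
```

A "documented-not-seen" entry may simply be a device that was powered off during the scan, so treat each finding as something to check rather than as an error.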

 Taking Inventory

Quick! The router in the first-floor wiring closet has a bad fan and needs service. You need its model number and serial number to open a support case. Don't know what they are? Can't find out without walking down five flights of stairs?

An accurate inventory of your current networking equipment is essential to easing your administrative overhead, even if you have a small amount of equipment and don’t think the effort to create the inventory is worth your time. By creating this document, you'll familiarize yourself with in-place equipment you might have forgotten about. You will also have created a document that others can refer to when you're out of the office or if you leave the position. And like your network topology diagram, this document can also be handy during an audit.

Again, simplicity is best. Consider including such details as the make/model of the equipment, its location, its serial number, the installed software version, the software filename, and the date the last software update was performed. If you have an extended service contract on any of your equipment—such as a Cisco SMARTnet contract or an Extreme Networks ExWorks agreement—include the contract number and expiration date. In the event that you have to open a support case with a vendor, this information will save you valuable time: You'll have all the equipment details you need to open a case. Figure 4 shows an Excel spreadsheet of a sample network inventory.

Figure 4: Network inventory

You can use some excellent software tools for this task. With your network map and IP address list in hand, you can use a free tool such as Spiceworks or Lansweeper to query all your equipment and provide details about hardware inventory. Unfortunately, like network-mapping software, most of these products—free or not—are unable to query unmanaged devices because they don't respond to SNMP queries or offer SSH or Telnet access. I experienced this problem while using Spiceworks to take an inventory of my network. Spiceworks can interrogate only network devices that support SNMP, and none of my small desktop switches support SNMP. I had to manually add these devices.


 Staying Secure

Now that you know where all your equipment is, can you be sure it's up to date? Just as the software running on your servers needs to be kept current, the software running on your networking equipment must be maintained and kept up to date. Often, this software can exhibit security vulnerabilities that can subject your network equipment to Distributed Denial of Service (DDoS) attacks, allow unauthorized logons, and allow unauthorized individuals to make configuration changes. Your inventory is a good starting point for this: You can check your installed software versions, then contact the vendor to determine whether you're running the most current release.

Also, take the time to see if the vendor offers an email list or RSS feed that provides notification of potential security issues. Almost all vendors provide such a subscription service.

One of your goals—unless you have a particular reason to do otherwise—should be to have all your similar equipment running the same software version. Doing so ensures consistency in your available software features and gives you the confidence of knowing that all your equipment is running a software version that doesn't have any known security vulnerabilities. Bottom line: You don’t want to neglect the software that runs your network any more than you want to neglect the software that runs your servers.
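The consistency goal above can be checked directly from the inventory. The following is an added example, not part of the original article: it groups devices by make/model, flags any device running something other than the newest version deployed on its peers, and lists missing or soon-to-expire service contracts. Device names, models, versions and dates are constructed; the newest deployed version is only a consistency baseline and still has to be checked against the vendor's current release.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed inventory rows: (name, make/model, software version, contract expiry)
INVENTORY = [
    ("sw-closet1", "VendorA S24P", "15.2(4)E10", "2031-06-30"),
    ("sw-closet2", "VendorA S24P", "15.2(4)E9", "2031-06-30"),
    ("sw-floor3", "VendorA S24P", "15.2(4)E10", ""),
    ("rtr-edge", "VendorB R1", "7.4.2", "2024-01-15"),
    ("fw-edge", "VendorC F60", "6.10.1", "2031-01-01"),
    ("fw-branch", "VendorC F60", "6.9.12", "2031-01-01"),
]


def version_key(version):
    """Natural sort key: digit runs compare as numbers, so 6.10.1 > 6.9.12."""
    return [(0, int(p)) if p.isdigit() else (1, p.lower())
            for p in re.findall(r"\d+|[A-Za-z]+", version)]


def audit(inventory, today, warn_days=90):
    """Flag version drift within each model and missing/expiring contracts."""
    by_model = defaultdict(list)
    for name, model, version, _expires in inventory:
        by_model[model].append((name, version))
    findings = []
    for model, devices in sorted(by_model.items()):
        # Baseline is the newest version already deployed on this model; it
        # may still be behind the vendor's current release.
        newest = max((v for _, v in devices), key=version_key)
        for name, version in devices:
            if version_key(version) != version_key(newest):
                findings.append((name, f"runs {version}, peers run {newest}"))
    for name, _model, _version, expires in inventory:
        if not expires:
            findings.append((name, "no service contract recorded"))
        elif (date.fromisoformat(expires) - today).days < warn_days:
            findings.append((name, f"contract ends {expires}"))
    return findings
```

Sorting version strings as plain text would rank 6.9.12 above 6.10.1, which is why the comparison uses a numeric key.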


 Thinking Big

Your network might be small today, but some day it could be quite extensive. When you purchase new equipment, always consider your future plans and potential. For example, don't skimp and buy a 24-port switch without support for Power Over Ethernet (PoE) when you know that you're going to use 22 of the 24 ports—and one of your planned projects for next year is installing new wireless APs that support PoE.

Likewise, many small networks that don't consist of multiple wire paths spanning multiple wiring closets often don't implement the Spanning Tree Protocol (STP) to prevent switching loops. Despite the small size of the network, it's very possible for a loop to be introduced by having more than one physical path between two switches—especially if there are many small desktop switches installed throughout the environment.

A broadcast storm can bring even the largest of networks to a grinding halt, and almost all switching gear includes STP. Take a look today and see if yours does. If it does, take the time to implement it. While you’re doing so, see if there are other features that your networking equipment offers that you might not be taking advantage of.
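If you have recorded every uplink from your network diagrams, you can check that list for the redundant paths STP would otherwise have to block. The following is an added example, not part of the original article: it walks a list of switch-to-switch links and reports each loop formed by a link that adds a second path, including a cable plugged back into the same switch. Switch and port names are constructed.

```python
from collections import defaultdict, deque

# Constructed uplink list, as read off a granular network map:
# (switch, port, switch, port)
UPLINKS = [
    ("core-sw", "gi1/0/1", "closet-sw1", "gi0/24"),
    ("core-sw", "gi1/0/2", "closet-sw2", "gi0/24"),
    ("closet-sw1", "gi0/5", "desk-sw-a", "p8"),
    ("closet-sw2", "gi0/7", "desk-sw-b", "p8"),
    ("desk-sw-a", "p5", "desk-sw-b", "p5"),  # extra cable between desks
    ("desk-sw-b", "p1", "desk-sw-b", "p2"),  # cable back into same switch
]


def existing_path(adj, src, dst):
    """Breadth-first search; returns the switch path src..dst or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def find_loops(uplinks):
    """Return one loop per link that adds a second path between switches."""
    adj, loops = defaultdict(list), []
    for a, _port_a, b, _port_b in uplinks:
        path = existing_path(adj, a, b)
        if path is not None:
            loops.append(path + [a])  # the new link b -> a closes the cycle
        adj[a].append(b)
        adj[b].append(a)
    return loops
```

The result is only as complete as the uplink list, so unmanaged desktop switches that never made it onto the diagram will not appear in it.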


 Being Proactive

Most of these pointers might seem pedestrian, but IT admins rarely actually put them into practice. If you're one of the guilty, take some time to run through these common-sense suggestions. Use the figures as starting points. By doing so, you'll save your time and your temper down the road.
