Solved

BroadBand and security

Posted on 2004-04-01
18
521 Views
Last Modified: 2010-04-11
I have just had a broadband facitly installed for my organization. we are all on a domain and the devices is hooked to one of the switches. All users connected tot he boradband have antivirus installed and up to date definitions. are my worksstations and server under threat from virus or any form of hacking?
0
Comment
Question by:quarmenna
  • 2
  • 2
  • 2
  • +6
18 Comments
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
Worms can get it easy enough now-a-days.
You NEED some sort of firewall protection in place to block unneeded ports.

There are many sites on the net to check your security risks...Try Symantec's:
http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 250 total points
Comment Utility
Corporate XP Professional version has a built-in firewall.  
ZoneAlarm offers a good free firewall, as does Sygate and Blackice:
http://www.zonelabs.com
http://www.sygate.com
http://www.digitalriver.com/dr/v2/ec_MAIN.Entry17c?SP=10007&PN=5&CID=63268&SID=773&PID=259499&DSP=&CUR=840&PGRP=0&CACHE_ID=63268

But if you're on a domain, I'd highly recommend a good hardware firewall.  Read more here: http://www.smallbusinesscomputing.com/webmaster/article.php/3103431

Also:
http://www.lucidata.com/firewall.htm
http://www.uksecurityonline.com/products/hardware/firestarter/
0
 
LVL 1

Expert Comment

by:fcisler
Comment Utility
as long as you have any single one user on your network you are at risk of a virus....thats a given, and for those who say they arent are full of sh*t

hacking is always a problem, usually moreso internal though

if your not going to be doing any type of hosting then just make sure NO ports are forwarded anywhere inside, remote management is turned off on the router


you should be fine, but i do agree on hardware firewall if your budget can handle it
0
 
LVL 14

Expert Comment

by:JohnK813
Comment Utility
The top 3 lines of defense (in my opinion, and in no particular order):

1. AntiVirus, updated daily if possible
2. a firewall, as stated above
3. User knowledge and education:

Either by sitting everyone down in a meeting, or coming up with a written policy, inform your users about opening attachments, those annoying downloads that popup (spyware, etc), regular updates (Windows Update and similar), and the like.

Our company has an Intranet site with tips such as:
-use company email account for business purposes only
-run Windows Update weekly
-don't open attachments you weren't expecting
0
 
LVL 1

Expert Comment

by:fcisler
Comment Utility
JohnK813 - i would love to manage your network. Our site has tips such as "If it's not broken, don't fix it" "If in doubt, get up and call us" "DO NOT ATTEMPT ANY REPAIRS YOURSELF"

and my favorite

"if you dont know how to change the printer cartridge or add paper, do not attempt"

guess thats the stupidity i get from working in gov't....windows update is a foreign thing to them,
we are forced to use patchlink (update software) to push out windows updates and hotfixes for things such as oracle, filenet, and internal apps
0
 
LVL 14

Expert Comment

by:JohnK813
Comment Utility
fcisler -

My situation sounds almost opposite to yours.
You say, "DO NOT ATTEMPT ANY REPAIRS YOURSELF"
We say, "We've explained [very simple thing such as how to find the files you normally leave open all the time but now "aren't there" since you rebooted] to you how many times, and you still have to call us to do it for you?"

Speaking of PatchLink - I saw a question yesterday where somebody asked about completely automating Windows Update for their users (download, install, and reboot if necessary).  Sounds like easy points for you if you can find it.
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
All good points. You need a firewall at the infront off all of your machines, or run a FW on all of them. The right suggestions are here, just not the implamentation...

internet-connection -->switch -->all servers and pc's    (NO NO) [unless all pc's and servers are running a fw]

internet-connection ---> FIREWALL ---> Switch ---> All servers and Pc's  (YES YES)  

I would suggest what is called a Hardware Firewall if you have the budget, cisco pix's are great and can handle quite the load, as well as give you VPN abilities. The software firewall is also up there in my opinion, ZoneAlarm is by far my favorite also. It provides you more protection than your typical hardware firewall and antivirus combined. ZA has the ability to pause/deny/allow processes access to the internet. So if you did get hacked, or got a new virus and it wanted to send email, ZA would prompt you telling you this new program "viri.exe" want's access to the internet, or to act like a server, do you want to allow this? So even if you got hacked, or your the first or second person in the world to get a new virus, ZA can help mitigate their damage. You can password protect ZA so that your users can't say yes to anything, or no to anything without the password.

A hardware firewall at the priemeter of your network, will help keep you from being scanned by hackers, and with a cisco pix, you can have your users VPN in from home and do work or check email that way also. If you have any linux skill, I recommend a linux iptables firewall, because it can do as much as the pix can, as a pix is just a pc with BSD running on it, with a modigfied kernel and UI.

With M$ you do need AV on every machine, and server. You do also need to keep up on patches and the latest virus definitions, all of these tasks are easily scheduled nowadays. If your internet connection isn't much, you will want to stagger the times when each machine retrieves the updates, or have a machine that DL's them to one place and query the one machine on the lan for the updates (patchlink works this way) I recommend GFI Languard Network Security Scanner, as it can check for missing patches and push them also.

Your users do need education also. You may want to lock them down by placing them in the "users" group on 2000/xp. You need company policies to help itterate and enforce the rules, so that they don't hurt themselves and others in the company. Do not let them run as an Admin, as this is against best-practices for every OS, and with M$ it's even worse. Put them in the Users group. If you have given them a PC with everything they need to do their work, then there is no reason to give them any rights to install programs that may/or may not have anything to do with work. If they need a program, have them justify it, if you think it's justified, go to their PC and use RunAs to install the software. They won't need to be logged out, and the registry entries will be modified for their profile.

Here are some links to what I've mentioned:
http://www.sans.org/resources/policies/  (company policies- easy to make your own)
Why you shouldn't run as an admin
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/windows_security_whynot_admin.asp  
http://www.microsoft.com/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadb.mspx (user groups and abilities)
http://support.microsoft.com/default.aspx?scid=kb;en-us;225035 (runas half way down the page, tells you how to right-click and run runas)
http://www.gfi.com/lannetscan/ (languard network security scanner)
http://www.epinions.com/pr-Cisco_PIX_Firewall_506_PIX-506-RF_Firewall (cisco pixen- the 501 adn 506 is what I recommend, if budget allows) http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html
GL!
-rich
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 24

Expert Comment

by:SunBow
Comment Utility
> are my worksstations and server under threat from virus or any form of hacking?

Yes, for network attacks you must run firewall(s) to keep them out, then
Access WindowsUpdate website, ask it to inform about needed upgrades, then install them all. To close known vulerabilies that would otherwise be exploited (ex: RPC). When downloading, adding files (even restores), also run antivirus
0
 
LVL 24

Expert Comment

by:SunBow
Comment Utility
> are my worksstations and server under threat from virus or any form of hacking?

not mentioned for your system, you must have policy, communicate it, and be firm about what employees can, should not, and better not do. Whether they are interested in porn or winning contests, they continue to load things behind firewalls whether from ad on web or intriguing eMail. In all cases, the originators are unknown as either associates or producers of anything, always highly suspect. Train employees and emphasize that there are malwares trying to trick them, and they need be on guarded good behavior to remain unsupervised diirectly, or they could be responsible for losses at company that could incur downtime, loss of business, and employability.  If you've a continual abuser who's machine needs fixes, make sure you do a good job of restoring it, securing it, such that much time elapses until that employee gets the cpu returned, learning well about downtime being a personal problem.
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
Agreed. As I stated above, give them limited accounts  by placing them in the "users" or even the  "guests" group. The company policies I linked to above also are very easy to read and understand, I think.
We had our users sign it after reading it. At the time we did not have them locked down as I suggested, to the users group, and when we found offenders, we made them sign the policies again, and them we moved them to the users group. We did this because they didn't follow the rules, that were set in place not to punish, but to protect everyone at the company. One violation could mean a big loss should something bad come from it. Being sued for using P2P programs, downloading a trojan, or running a virus accidentally. This worked quite well, now we have AD and no one is an higher than Users group with their user account.

Again, a FW at the preimeter of your network is a best practice, as well as keeping up2date with softare patches and AV dats. I recommend Mcafee btw.
-rich
0
 
LVL 1

Expert Comment

by:weguardyou
Comment Utility
Here are some of my past examples:
Example Number 1:
You can use what is a simple “Linux” based firewall. This is a firewall that will reside between your corporate / office / even home LAN and the unfriendly Internet.
This type of firewall is very common, and fairly simplistic to describe, and build.
It’s my first choice in protections for a network.

Example Number 2:
This is somewhat the same as the above example of a “Linux” based firewall, and adds what is called a DMZ network.
You ask… What is a DMZ?
DMZ stands for Demilitarized Zone.
A demilitarized zone, commonly referred to as a DMZ, allows for an additional layer of protection between Internet-facing services and back-end corporate resources. Traditionally, web servers and mail gateways are located in the DMZ and are accessible and published from internet resources, like DNS, but are still somewhat protected via firewall routing filters. These servers may certainly speak to back-end corporate resources, but would do so via another layer of firewall filters, further segmenting these resources from the outside world.
Now here are some requirements for a server that is to rest in the DMZ area (zone).
1.      The server (computer) or even network addressable machine must serve a single purpose.
What this means that is a machine purpose is to be a web server, only services that are required for the web server are run. Any service that are not required to support the systems primary functions are to be uninstalled or disabled.
2.      All required patches, service packs should be updated and continuously updated to ensure the best performance of your systems.
3.      Any administration of the machines (computer’s or network devices) should be only (and I stress this…) “ONLY” managed though a secure channel, i.e. VPN, SSH, or equivalent.
Note: All systems that reside in the DMZ should support the same method and level of security.
4.      All accounts on the systems should be kept to a limited amount of users and only used by approved personnel.
5.      Now the machines in the DMZ may have a trust with the internal machines (and others such as DNS, Domain Controllers), no internal machine should trust a machine that is located in the DMZ.
6.      No DMZ Machine should reference an internal machine directly or indirectly.
Example:  web servers must not have html code calling internal web servers.

I can go on forever and would… but its time to get back to work… Good luck and stay secure.
0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
> are my worksstations and server under threat from virus or any form of hacking?

Yes.  You will always be exposed to viruses that do not yet have signatures - ie, a virus hits the wild, it takes at least a few hours for AV writers to understand the virus and release a signature, and then a further few hours for you to manually update your AV signatures.  Look at something like Finjan or Cisco CSA to fill this gap.

As for hacking, probably not.  Hackers have far more interesting targets to go for !! ;)
0
 

Expert Comment

by:shautayl
Comment Utility
Now using broadband for any one is a good choice since it usually is rather easy to maintain and generally quick.

my suggestion for protecting your computers as well as servers is to setup a hardware firewall.   Since most broadband providers now a days are setup for DHCP service only, it is rather easy to get it going for your network.  The router (when properly setup) will block all incoming attacks since people don't know that you are there.  it will allow you to get online anyway.   With a firewall you can allow certain ports to be open or to allow specific IP's through.  so VPN/Direct Connect could be used easily.

now for the novice user,  This would be a rather complex installation to specifically setup routers and ports.  the best recommendation over and above all is to setup firewalls on the computers and other devices,  and with a little bit of user education for all the staff that you have,  you could easily slow down or prevent viruses/ or attacks to your system or network

Using the suggestions also from JohnK813 would be a great start to the whole situation.

ShauTayl
0
 

Expert Comment

by:malir
Comment Utility
> install firewall  (close those ports that you rarely use.)
> monitor inbound and outbound traffic and block those you don't recognize.


   
0
 
LVL 1

Expert Comment

by:weguardyou
Comment Utility
It almost seems that the person who opened this isn’t satisfied with anyone’s answer.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now