plq (United Kingdom) asked:
Network Security on a Small Business Network

I have a network of 10 PCs, most linked through an old Netgear 8 port hub and the rest linked direct, to a cheap D-Link DI604 firewall / router / hub to a 2MB broadband cable modem connection. 6 of the machines are test machines.

I have best practises in place on email, downloads, viruses etc. The network works fine and scalability is ok for the time being. I don't want to lose the 10MB hub because it's good to see/test the software running over a slower network.

Some of the machines contain sensitive information including customer data and military data.

I just want to know whether the di604 is breakable or hackable and if so can I do anything to secure it.

I would like to run tests but have no machines outside of the firewall and I don't stand a chance of understanding nmap.
bloemkool1980:

Most of these firewall/routers are safe from direct outside attacks. But this is no guarantee of course, as it is possible to gain access through an overflow in your browser or mail program. I am pretty sure that your access is OK for this type of network and if you would like to add a security layer you could put in place some sort of proxy server for your http/https/ftp traffic if not already.
Local firewalls on each of the PCs is also possible but harder to maintain.
Another cheap thing is to create a DMZ between your LAN and your broadband router by placing an extra firewall of choice.
It is clear that security is not cheap but you could achieve it via a Linux or BSD with iptables or any other flavour of an open-source firewall.
Remember security is as strong as the weakest link and most of the time that is the user himself.
Given that military data is involved, it seems the whole question of whether this particular router is reasonably secure or not is moot.

Most national militaries, at least in the industrialized countries such as the US, UK, France, Germany, Italy, Israel, Japan, etc., have strict requirements for security, strict guidelines for determining whether computing systems meet their security requirements, and even stricter guidelines for punishing those that do not meet the guidelines.

The first thing you need to do is find someone that understands these things and have them evaluate your network.
plq (asker):
I can't really afford to get a security consultant in right now, so it's a case of doing the best I can.

The real point is, if it's impossible to hack through a simple router like a DI604, then that's probably good enough for the time being.

I am confident that human error etc. at our end won't introduce any malicious software; here's our current policy:

running windows update weekly
keep off web sites we don't know
no downloads
mail server offsite
delete attachments
we have our own sentry software which monitors the registry "run" keys for changes
anti virus software on all machines
use a broadband provider on dhcp so our ip address is incognito
AD domain security

... and the people involved are me and one well trained developer (if there is such a thing)

If you guys are happy that a standard cheap firewall like the D-Link DI604 is unbreakable from the outside then I'll be happy to carry on, otherwise I'll split the network so that sensitive data is on machines which are not on the net, which will be a bit inconvenient; we would then need to unplug the cable modem and plug in the second network in order to transfer data between the two networks, probably 5-10 times per week (or buy USB hubs etc. etc.).

Any ideas or comments around this would be appreciated

thanks
ASKER CERTIFIED SOLUTION (bloemkool1980)

SOLUTION
plq (asker):
Thanks guys.

I'll read up on the Cisco PIX (I heard that programming it was a nightmare) and I'll also look into Common Criteria, although time wouldn't allow me to set up a huge security operation.

One more question. Does anyone sell "on / off switches" for CAT 5 cables (like a light switch, not a network switch)? I was thinking that if we could keep the data off the net, and just connect it when we need to, an on-off switch would be great, and then 99% of the time the sensitive data and IPR will be isolated. What I mean is a network like this...

SECURE_NETWORK_1 --- 8_PORT_FIREWALL2 ---- on off switch ---- INTERNET_NETWORK_2 -------- DLINK FIREWALL

thanks again. I'll split points
Well, you could physically power cycle one of the components along the way or some such, but if you're going to have the second firewall the other option is to set it up to _only_ allow, say, FTP (or better yet SSH) connections originating from the inner network going to the outer network. No web browsing, no email, nothing but encrypted connections from the inner network to the outside network.
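The rule set that the two suggestions above amount to (an open-source iptables box as the extra firewall, configured so that only SSH sessions started on the secure LAN may cross to the internet-facing LAN) looks like this. This is an added example and not code from anyone in the thread; the interface names, subnets and the "FW2" log prefix are assumptions, and `apply_rules` needs root on the firewall box. `gen_rules` prints the commands so the policy can be reviewed first, and `check_policy` confirms the invariant that matters here: no rule ever accepts a new connection arriving on the outer interface.

```shell
#!/bin/sh
# Added example: iptables policy for the second (inner) firewall in the diagram,
# 8_PORT_FIREWALL2. Only new SSH sessions from the secure LAN to the outer LAN
# are forwarded; everything else that tries to cross is dropped and logged.
# Interface names and subnets below are assumptions; change them to match the box.

INNER_IF="${INNER_IF:-eth1}"                 # faces SECURE_NETWORK_1 (assumed)
OUTER_IF="${OUTER_IF:-eth0}"                 # faces INTERNET_NETWORK_2 (assumed)
INNER_NET="${INNER_NET:-192.168.10.0/24}"    # constructed sample subnet
OUTER_NET="${OUTER_NET:-192.168.1.0/24}"     # constructed sample subnet

# gen_rules prints the iptables commands rather than running them, so the
# policy can be read (or tested) before apply_rules feeds it to the kernel.
gen_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# management of the firewall itself: SSH from the secure LAN only
iptables -A INPUT -i $INNER_IF -s $INNER_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# the only crossing allowed: new SSH sessions from the secure LAN to the outer LAN
iptables -A FORWARD -i $INNER_IF -o $OUTER_IF -s $INNER_NET -d $OUTER_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# log everything else that tries to cross, in either direction, before the DROP policy
iptables -A FORWARD -j LOG --log-prefix "FW2-DROP: "
EOF
}

# check_policy returns 1 if any generated rule would ACCEPT a NEW connection
# arriving on the outer interface, which is exactly what this firewall must never do.
check_policy() {
    gen_rules | grep -- '-j ACCEPT' | grep -- '--state NEW' | grep -q -- "-i $OUTER_IF" && return 1
    return 0
}

# apply_rules loads the policy into the running kernel (run as root on the firewall).
apply_rules() {
    check_policy || { echo "refusing to apply: policy accepts inbound NEW on $OUTER_IF" >&2; return 1; }
    gen_rules | sh -e
}

# Usage: ./fw2.sh show   (print the rules)   |   sudo ./fw2.sh apply   (load them)
case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
esac
```

Because the default FORWARD policy is DROP and the only NEW-state ACCEPT in the FORWARD chain is pinned to `-i $INNER_IF -o $OUTER_IF` on port 22, a reply from the outer LAN only gets back in as part of a connection the inner side opened; the LOG rule gives you a kernel-log line for every other crossing attempt, which is the cheap way to see whether anything on the outer network is probing the secure one.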
plq (asker):
I'll raise another question on the switch in Networking.

Points coming up...