Solved

Network Security on a Small Business Network

Posted on 2004-04-14
445 Views
Last Modified: 2013-11-16
I have a network of 10 PCs, most linked through an old Netgear 8-port hub and the rest linked directly, to a cheap D-Link DI604 firewall/router/hub, to a 2 MB broadband cable modem connection. 6 of the machines are test machines.

I have best practises in place on email, downloads, viruses etc. The network works fine and scalability is OK for the time being. I don't want to lose the 10 MB hub because it's good to see/test the software running over a slower network.

Some of the machines contain sensitive information, including customer data and military data.

I just want to know whether the DI604 is breakable or hackable and, if so, whether I can do anything to secure it.

I would like to run tests but have no machines outside of the firewall and I don't stand a chance of understanding nmap.
Question by:plq
8 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10823250
Most of these firewall/routers are safe from direct outside attacks. But this is no guarantee of course, as it is possible to gain access through an overflow in your browser or mail program. I am pretty sure that your access is OK for this type of network, and if you would like to add a security layer you could put in place some sort of proxy server for your http/https/ftp traffic if not already.
Local firewalls on each of the PCs are also possible but harder to maintain.
Another cheap thing is to create a DMZ between your LAN and your broadband router by placing an extra firewall of choice.
It is clear that security is not cheap, but you could achieve it via a Linux or BSD box with iptables or any other flavour of open-source firewall.
Remember security is as strong as the weakest link, and most of the time that is the user himself.
LVL 14

Expert Comment

by:chris_calabrese
ID: 10824211
Given that military data is involved, it seems the whole question of whether this particular router is reasonably secure or not is moot.

Most national militaries, at least in the industrialized countries such as the US, UK, France, Germany, Italy, Israel, Japan, etc., have strict requirements for security, strict guidelines for determining whether computing systems meet their security requirements, and even stricter guidelines for punishing those that do not meet the guidelines.

The first thing you need to do is find someone that understands these things and have them evaluate your network.
LVL 8

Author Comment

by:plq
ID: 10824460
I can't really afford to get a security consultant in right now, so it's a case of doing the best I can.

The real point is, if it's impossible to hack through a simple router like a DI604, then that's probably good enough for the time being.

I am confident that human error etc. at our end won't introduce any malicious software; here's our current policy:

running Windows Update weekly
keep off web sites we don't know
no downloads
mail server offsite
delete attachments
we have our own sentry software which monitors the registry "Run" keys for changes
anti-virus software on all machines
use a broadband provider on DHCP so our IP address is incognito
AD domain security

... and the people involved are me and one well trained developer (if there is such a thing)

If you guys are happy that a standard cheap firewall like the D-Link DI604 is unbreakable from the outside, then I'll be happy to carry on; otherwise I'll split the network so that sensitive data is on machines which are not on the net, which will be a bit inconvenient: we would then need to unplug the cable modem and plug in the second network in order to transfer data between the two networks, probably 5-10 times per week (or buy USB hubs etc.).

Any ideas or comments around this would be appreciated

thanks
LVL 6

Accepted Solution

by:
bloemkool1980 earned 250 total points
ID: 10824514
I would not split the network, as it goes against all the benefits of implementing a network. I would keep it that way and, if you can, I would place a small firewall appliance like a Cisco PIX 501, which is only around $500, so you have 2 firewalls and in between a DMZ.
This way you are sure the bad guys stay out.

As far as your security setup is now, it looks fine for such a small company, and I would just add a proxy server with user authentication to it, because that way you can avoid worms or trojans connecting to the internet using your proxy, thanks to the authentication.

Cheers
LVL 14

Assisted Solution

by:chris_calabrese
chris_calabrese earned 250 total points
ID: 10824516
It is very difficult to configure Windows to meet the security requirements of most militaries (e.g., Common Criteria, TSEC, etc.). Network disconnection is probably your best bet.

You can use something like USB thumb drives (very cheap these days) to transfer files.
LVL 8

Author Comment

by:plq
ID: 10824975
Thanks guys.

I'll read up on the Cisco PIX (I heard that programming it was a nightmare) and I'll also look into Common Criteria, although time wouldn't allow me to set up a huge security operation.

One more question. Does anyone sell "on/off switches" for CAT 5 cables (like a light switch, not a network switch)? I was thinking that if we could keep the data off the net, and just connect it when we need to, an on/off switch would be great, and then 99% of the time the sensitive data and IPR will be isolated. What I mean is a network like this...

SECURE_NETWORK_1 --- 8_PORT_FIREWALL2 ---- on off switch ---- INTERNET_NETWORK_2 -------- DLINK FIREWALL

thanks again. I'll split points
LVL 14

Expert Comment

by:chris_calabrese
ID: 10825054
Well, you could physically power cycle one of the components along the way or some such, but if you're going to have the second firewall, the other option is to set it up to _only_ allow, say, FTP (or better yet SSH) connections originating from the inner network going to the outer network. No web browsing, no email, nothing but encrypted connections from the inner network to the outside network.
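The inner-firewall policy chris_calabrese describes just above (and the two-firewall, DMZ-in-between layout bloemkool1980 suggested earlier in the thread), written out as an added example that is not part of the original thread: an iptables-restore(8) ruleset for a Linux box sitting between SECURE_NETWORK_1 and INTERNET_NETWORK_2. The interface names, the two subnets and the choice of SSH only (no FTP) are assumptions for illustration. The script only generates and sanity-checks the ruleset; loading it requires root on the firewall host.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables-restore ruleset for a
# Linux firewall placed between the sensitive LAN and the network behind the
# DI-604. Interface names and subnets below are assumptions.
set -eu

OUTER_IF="eth0"               # toward the DI-604 side (INTERNET_NETWORK_2)
INNER_IF="eth1"               # toward the machines holding sensitive data
INNER_NET="192.168.10.0/24"   # assumed inner subnet (SECURE_NETWORK_1)
OUTER_NET="192.168.1.0/24"    # assumed subnet behind the DI-604

# Emit the ruleset in iptables-restore(8) format. Every chain defaults to
# DROP; the only forwarded traffic is SSH that the inner network opens
# toward the outer network, plus the replies to those connections.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# replies to connections the inner network opened
-A FORWARD -i $OUTER_IF -o $INNER_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# inner -> outer: SSH only, and only connections that start on the inner side
-A FORWARD -i $INNER_IF -o $OUTER_IF -s $INNER_NET -d $OUTER_NET -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# everything else crossing the box (web, mail, anything inbound) is logged and dropped
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "inner-fw drop: "
-A FORWARD -j DROP
# the firewall itself is managed only from the inner side, over SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INNER_IF -s $INNER_NET -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity checks to run before loading: nothing arriving on the outer
# interface may open a NEW forwarded connection, no ACCEPT rule may open
# web or mail ports, and the FORWARD chain must default to DROP.
check_ruleset() {
    rules=$(build_ruleset)
    if echo "$rules" | grep -- "-A FORWARD -i $OUTER_IF" | grep -q "NEW"; then
        return 1
    fi
    if echo "$rules" | grep -- "-j ACCEPT" | grep -Eq -- "--dport (80|443|25)( |$)"; then
        return 1
    fi
    echo "$rules" | grep -q "^:FORWARD DROP" || return 1
    return 0
}

# Refuse to emit a ruleset that fails the checks. Apply on the firewall
# host as root with:  sh inner-fw.sh | iptables-restore
check_ruleset || { echo "ruleset failed sanity checks" >&2; exit 1; }
build_ruleset
```

iptables-restore replaces the whole filter table atomically, so load it from the console rather than over the link you are about to cut. With FORWARD defaulting to DROP and no NEW state accepted from the outer interface, nothing on the DI-604 side can initiate a connection inward even if the DI-604 is compromised or has a port forward configured; the inner machines can still push files outward with scp or sftp, which covers the 5-10 transfers a week mentioned above without any cable swapping.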
LVL 8

Author Comment

by:plq
ID: 10825086
I'll raise another question on the switch in networking

Points coming up...