Network Security on a Small Business Network

Posted on 2004-04-14
Last Modified: 2013-11-16
I have a network of 10 PCs, most linked through an old Netgear 8-port hub and the rest linked directly to a cheap D-Link DI604 firewall/router/hub, which sits on a 2MB broadband cable modem connection. 6 of the machines are test machines.

I have best practices in place on email, downloads, viruses etc. The network works fine and scalability is OK for the time being. I don't want to lose the 10MB hub because it's good to see/test the software running over a slower network.

Some of the machines contain sensitive information including customer data and military data.

I just want to know whether the DI604 is breakable or hackable and, if so, whether I can do anything to secure it.

I would like to run tests but have no machines outside of the firewall, and I don't stand a chance of understanding nmap.
Question by:plq
8 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10823250
Most of these firewall/routers are safe from direct outside attacks. But this is no guarantee, of course, as it is possible to gain access through an overflow in your browser or mail program. I am pretty sure that your access is OK for this type of network, and if you would like to add a security layer you could put in place some sort of proxy server for your HTTP/HTTPS/FTP traffic, if not already.
Local firewalls on each of the PCs are also possible but harder to maintain.
Another cheap thing is to create a DMZ between your LAN and your broadband router by placing an extra firewall of your choice.
It is clear that security is not cheap, but you could achieve it via Linux or BSD with iptables or any other flavour of open-source firewall.
Remember security is only as strong as the weakest link, and most of the time that is the user himself.
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 10824211
Given that military data is involved, it seems the whole question of whether this particular router is reasonably secure or not is moot.

Most national militaries, at least in the industrialized countries such as the US, UK, France, Germany, Italy, Israel, Japan, etc., have strict requirements for security, strict guidelines for determining whether computing systems meet their security requirements, and even stricter guidelines for punishing those that do not meet the guidelines.

The first thing you need to do is find someone that understands these things and have them evaluate your network.
 
LVL 8

Author Comment

by:plq
ID: 10824460
I can't really afford to get a security consultant in right now, so it's a case of doing the best I can.

The real point is, if it's impossible to hack through a simple router like a DI604, then that's probably good enough for the time being.

I am confident that human error etc. at our end won't introduce any malicious software; here's our current policy:

running windows update weekly
keep off web sites we don't know
no downloads
mail server offsite
delete attachments
we have our own sentry software which monitors the registry "run" keys for changes
anti virus software on all machines
use a broadband provider on DHCP so our IP address is incognito
AD domain security

... and the people involved are me and one well trained developer (if there is such a thing)

If you guys are happy that a standard cheap firewall like the D-Link DI604 is unbreakable from the outside then I'll be happy to carry on; otherwise I'll split the network so that sensitive data is on machines which are not on the net, which will be a bit inconvenient: we would then need to unplug the cable modem and plug in the second network in order to transfer data between the two networks, probably 5-10 times per week (or buy USB hubs etc. etc.).

Any ideas or comments around this would be appreciated

thanks
LVL 6

Accepted Solution

by:
bloemkool1980 earned 1000 total points
ID: 10824514
I would not split the network, as it goes against all the benefits of implementing a network. I would keep it that way and, if you can, I would place a small firewall appliance like a Cisco PIX 501, which is around $500 only, so you have 2 firewalls and a DMZ in between.
This way you are sure the bad guys stay out.

As far as your security setup is now, it looks fine for such a small company, and I would just add a proxy server with user authentication to it, because that way you can avoid worms or trojans connecting to the internet through your proxy, thanks to the authentication.

Cheers
 
LVL 14

Assisted Solution

by:chris_calabrese
chris_calabrese earned 1000 total points
ID: 10824516
It is very difficult to configure Windows to meet the security requirements of most militaries (e.g., Common Criteria, TSEC, etc.). Network disconnection is probably your best bet.

You can use something like USB thumb drives (very cheap these days) to transfer files.
 
LVL 8

Author Comment

by:plq
ID: 10824975
Thanks guys.

I'll read up on the Cisco PIX (I heard that programming it was a nightmare) and I'll also look into Common Criteria, although time wouldn't allow me to set up a huge security operation.

One more question. Does anyone sell "on/off switches" for CAT 5 cables (like a light switch, not a network switch)? I was thinking that if we could keep the data off the net, and just connect it when we need to, an on/off switch would be great, and then 99% of the time the sensitive data and IPR will be isolated. What I mean is a network like this...

SECURE_NETWORK_1 --- 8_PORT_FIREWALL2 ---- on off switch ---- INTERNET_NETWORK_2 -------- DLINK FIREWALL

thanks again. I'll split points
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 10825054
Well, you could physically power cycle one of the components along the way or some such, but if you're going to have the second firewall, the other option is to set it up to _only_ allow, say, FTP (or better yet SSH) connections originating from the inner network going to the outer network. No web browsing, no email, nothing but encrypted connections from the inner network to the outside network.
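The inner-firewall policy described in the comment above (default drop, nothing forwarded except new SSH connections from the inner network out), written as an added iptables example for the Linux/iptables option mentioned earlier in the thread; it is not code from the thread or from any product. Interface names, the port list and the RUN dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forwarding rules for a second, inner
# firewall placed between SECURE_NETWORK_1 and INTERNET_NETWORK_2.
# Only NEW TCP connections from the inner interface to the outer interface on
# the listed ports (default: 22, SSH) are forwarded; replies come back via the
# connection tracker; anything the outer network initiates is logged and dropped.
# RUN=echo (the default) prints the rules; run with RUN= as root to apply them.
: "${RUN=echo}"

fw_rules() {
    inner_if=$1; outer_if=$2; shift 2
    [ $# -gt 0 ] || set -- 22            # assumed default: SSH only
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in "$@"; do
        echo "iptables -A FORWARD -i $inner_if -o $outer_if -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
iptables -A FORWARD -i $outer_if -o $inner_if -m state --state NEW -j LOG --log-prefix "INNER-FW-DROP: "
iptables -A FORWARD -j DROP
EOF
}

# Prints (RUN=echo) or executes (RUN=) each rule line; eval keeps the quoting
# of the --log-prefix argument intact when the rules are actually applied.
apply_rules() {
    fw_rules "$@" | while IFS= read -r line; do
        eval "$RUN $line"
    done
}

# Stand-alone usage: assumed eth1 = inner (secure) side, eth0 = outer side.
[ "${0##*/}" = "inner-fw.sh" ] && apply_rules eth1 eth0 22
```

Every dropped inbound attempt shows up in the kernel log with the INNER-FW-DROP prefix, which is the cheapest way to see whether anything on the outer network is probing the inner one.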
 
LVL 8

Author Comment

by:plq
ID: 10825086
I'll raise another question on the switch in networking

Points coming up...