Solved

Network Security on a Small Business Network

Posted on 2004-04-14
8
439 Views
Last Modified: 2013-11-16
I have a network of 10 PCs, most linked through an old Netgear 8-port hub and the rest linked directly to a cheap D-Link DI604 firewall / router / hub, which sits on a 2MB broadband cable modem connection. 6 of the machines are test machines.

I have best practices in place on email, downloads, viruses etc. The network works fine and scalability is OK for the time being. I don't want to lose the 10MB hub because it's good to see/test the software running over a slower network.

Some of the machines contain sensitive information, including customer data and military data.

I just want to know whether the DI604 is breakable or hackable and, if so, whether I can do anything to secure it.

I would like to run tests but have no machines outside of the firewall and I don't stand a chance of understanding nmap.
0
Question by:plq
8 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10823250
Most of these firewall/routers are safe from direct outside attacks. But this is no guarantee, of course, as it is possible to gain access through an overflow in your browser or mail program. I am pretty sure that your access is OK for this type of network, and if you would like to add a security layer you could put in place some sort of proxy server for your http/https/ftp traffic, if not already.
Local firewalls on each of the PCs are also possible but harder to maintain.
Another cheap thing is to create a DMZ between your LAN and your broadband router by placing an extra firewall of choice.
It is clear that security is not cheap, but you could achieve it via Linux or BSD with iptables or any other flavour of open-source firewall.
Remember security is as strong as the weakest link, and most of the time that is the user himself.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 10824211
Given that military data is involved, it seems the whole question of whether this particular router is reasonably secure or not is moot.

Most national militaries, at least in the industrialized countries such as the US, UK, France, Germany, Italy, Israel, Japan, etc., have strict requirements for security, strict guidelines for determining whether computing systems meet their security requirements, and even stricter guidelines for punishing those that do not meet the guidelines.

The first thing you need to do is find someone that understands these things and have them evaluate your network.
0
 
LVL 8

Author Comment

by:plq
ID: 10824460
I can't really afford to get a security consultant in right now, so it's a case of doing the best I can.

The real point is, if it's impossible to hack through a simple router like a DI604, then that's probably good enough for the time being.

I am confident that human error etc. at our end won't introduce any malicious software; here's our current policy:

running windows update weekly
keep off web sites we don't know
no downloads
mail server offsite
delete attachments
we have our own sentry software which monitors the registry "run" keys for changes
anti virus software on all machines
use a broadband provider on DHCP so our IP address is incognito
AD domain security

... and the people involved are me and one well trained developer (if there is such a thing)

If you guys are happy that a standard cheap firewall like the D-Link DI604 is unbreakable from the outside then I'll be happy to carry on; otherwise I'll split the network so that sensitive data is on machines which are not on the net. That will be a bit inconvenient: we would then need to unplug the cable modem and plug in the second network in order to transfer data between the two networks, probably 5-10 times per week (or buy USB hubs etc. etc.).

Any ideas or comments around this would be appreciated.

thanks
0
 
LVL 6

Accepted Solution

by:bloemkool1980 (earned 250 total points)
ID: 10824514
I would not split the network, as it goes against all the benefits of implementing a network. I would keep it that way and, if you can, I would place a small firewall appliance like a Cisco PIX 501, which is only around $500, so you have 2 firewalls and a DMZ in between.
This way you are sure the bad guys stay out.

As far as your security setup goes, it looks fine for such a small company, and I would just add a proxy server with user authentication to it, because that way you can avoid worms or trojans connecting to the internet through your proxy, thanks to the authentication.

Cheers
0
 
LVL 14

Assisted Solution

by:chris_calabrese (earned 250 total points)
ID: 10824516
It is very difficult to configure Windows to meet the security requirements of most militaries (e.g., Common Criteria, TSEC, etc.). Network disconnection is probably your best bet.

You can use something like USB thumb drives (very cheap these days) to transfer files.
0
 
LVL 8

Author Comment

by:plq
ID: 10824975
Thanks guys.

I'll read up on the Cisco PIX (I heard that programming it was a nightmare) and I'll also look into Common Criteria, although time wouldn't allow me to set up a huge security operation.

One more question. Does anyone sell "on / off switches" for CAT 5 cables (like a light switch, not a network switch)? I was thinking that if we could keep the data off the net, and just connect it when we need to, an on-off switch would be great, and then 99% of the time the sensitive data and IPR will be isolated. What I mean is a network like this...

SECURE_NETWORK_1 --- 8_PORT_FIREWALL2 ---- on off switch ---- INTERNET_NETWORK_2 -------- DLINK FIREWALL

Thanks again. I'll split points.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 10825054
Well, you could physically power cycle one of the components along the way or some such, but if you're going to have the second firewall, the other option is to set it up to _only_ allow, say, FTP (or better yet SSH) connections originating from the inner network going to the outer network. No web browsing, no email, nothing but encrypted connections from the inner network to the outside network.
0
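The outbound-only inner firewall chris_calabrese describes (and the Linux/iptables box bloemkool1980 suggested earlier for the DMZ layout) can be written down as an iptables ruleset. The script below is an added example, not code from any poster in this thread: it generates the ruleset for the inner firewall in iptables-restore format and includes two checks that the policy really is "new SSH outward only, nothing new inward". The interface names (eth0/eth1), the 192.168.10.0/24 secure-LAN range and the output file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: build an iptables-restore
# ruleset for the *inner* firewall in the two-firewall layout discussed above.
# Policy: nothing new may enter the secure LAN; only SSH sessions that start on
# the secure LAN may leave it. Interface names, address ranges and the output
# file name are assumptions and must be adjusted for the real network.

INNER_IF="${INNER_IF:-eth1}"                 # faces the secure LAN (assumed)
OUTER_IF="${OUTER_IF:-eth0}"                 # faces the D-Link side (assumed)
INNER_NET="${INNER_NET:-192.168.10.0/24}"    # constructed private range
RULES_FILE="${RULES_FILE:-inner-fw.rules}"   # where the ruleset is written

# Print the ruleset in iptables-restore format. The default policy is DROP on
# every chain, so anything not explicitly listed below is discarded.
gen_inner_fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback traffic on the firewall box itself
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Reply packets of flows that were already permitted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The one permitted new flow: SSH originating on the secure LAN, heading out
-A FORWARD -i $INNER_IF -o $OUTER_IF -s $INNER_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# New flows arriving from the outer side are logged; LOG does not terminate,
# so the packet then falls through to the FORWARD chain's DROP policy
-A FORWARD -i $OUTER_IF -o $INNER_IF -m state --state NEW -j LOG --log-prefix "INNERFW-DROP: "
# Management of the firewall itself: SSH from the secure LAN only
-A INPUT -i $INNER_IF -s $INNER_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Count the FORWARD rules that ACCEPT new connections. The policy above has
# exactly one; a larger number means the "SSH out only" rule has been widened.
count_new_forward_accepts() {
  gen_inner_fw_rules | grep -c -- '^-A FORWARD .*--state NEW .*-j ACCEPT' || true
}

# Return 0 if no rule lets a new flow cross from the outer to the inner side.
no_inbound_new_flows() {
  if gen_inner_fw_rules | grep -q -- "^-A FORWARD -i $OUTER_IF -o $INNER_IF .*-j ACCEPT"; then
    return 1
  fi
  return 0
}

# Write the ruleset to disk; it is applied on the firewall with iptables-restore.
write_ruleset() {
  gen_inner_fw_rules > "$RULES_FILE"
  echo "wrote $RULES_FILE; apply on the firewall with: iptables-restore < $RULES_FILE"
}

if [ "${1:-}" = "--write" ]; then
  write_ruleset
fi
```

Run it with `--write` to produce the file, then load it on the inner firewall with `iptables-restore`. The `-m state --state` match is the conntrack module of the iptables of that era; current kernels accept the equivalent `-m conntrack --ctstate` spelling. The two check functions are worth running before every change to the ruleset, because the value of this design lies entirely in the inner LAN never accepting a new inbound flow, and a single extra ACCEPT line silently undoes that.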
 
LVL 8

Author Comment

by:plq
ID: 10825086
I'll raise another question on the switch in Networking.

Points coming up...
0