Network Security on a Small Business Network

I have a network of 10 PCs, most linked through an old Netgear 8-port hub and the rest linked directly to a cheap D-Link DI604 firewall/router/hub, which connects to a 2MB broadband cable modem. 6 of the machines are test machines.

I have best practices in place on email, downloads, viruses etc. The network works fine and scalability is OK for the time being. I don't want to lose the 10MB hub because it's good to see/test the software running over a slower network.

Some of the machines contain sensitive information, including customer data and military data.

I just want to know whether the DI604 is breakable or hackable and, if so, whether I can do anything to secure it.

I would like to run tests but have no machines outside of the firewall and I don't stand a chance of understanding nmap.
2 Solutions
 
bloemkool1980Commented:
Most of these firewall/routers are safe from direct outside attacks. But this is no guarantee, of course, as it is possible to gain access through an overflow in your browser or mail program. I am pretty sure that your access is OK for this type of network, and if you would like to add a security layer you could put in place some sort of proxy server for your HTTP/HTTPS/FTP traffic if you have not already.
Local firewalls on each of the PCs are also possible but harder to maintain.
Another cheap thing is to create a DMZ between your LAN and your broadband router by placing an extra firewall of choice.
It is clear that security is not cheap, but you could achieve it via Linux or BSD with iptables or any other flavour of an open-source firewall.
Remember security is as strong as the weakest link and most of the time that is the user himself.
 
chris_calabreseCommented:
Given that military data is involved, it seems the whole question of whether this particular router is reasonably secure or not is moot.

Most national militaries, at least in industrialized countries such as the US, UK, France, Germany, Italy, Israel, Japan, etc., have strict requirements for security, strict guidelines for determining whether computing systems meet their security requirements, and even stricter guidelines for punishing those that do not meet the guidelines.

The first thing you need to do is find someone that understands these things and have them evaluate your network.
 
plqAuthor Commented:
I can't really afford to get a security consultant in right now, so it's a case of doing the best I can.

The real point is, if it's impossible to hack through a simple router like a DI604, then that's probably good enough for the time being.

I am confident that human error etc. at our end won't introduce any malicious software. Here's our current policy:

running Windows Update weekly
keep off web sites we don't know
no downloads
mail server offsite
delete attachments
we have our own sentry software which monitors the registry "Run" keys for changes
anti-virus software on all machines
use a broadband provider on DHCP so our IP address is incognito
AD domain security

... and the people involved are me and one well trained developer (if there is such a thing)

If you guys are happy that a standard cheap firewall like the D-Link DI604 is unbreakable from the outside, then I'll be happy to carry on; otherwise I'll split the network so that sensitive data is on machines which are not on the net. That will be a bit inconvenient: we would then need to unplug the cable modem and plug in the second network in order to transfer data between the two networks, probably 5-10 times per week (or buy USB hubs etc.).

Any ideas or comments around this would be appreciated.

thanks
 
bloemkool1980Commented:
I would not split the network, as it goes against all the benefits of implementing a network. I would keep it that way and, if you can, I would place a small firewall appliance like a Cisco PIX 501, which is around $500 only, so you have 2 firewalls and in between a DMZ.
This way you are sure the bad guys stay out.

As far as your security setup is now, it looks fine for such a small company, and I would add just a proxy server with user authentication to it, because that way you can avoid worms or trojans connecting to the internet using your proxy, because of the authentication.

Cheers
 
chris_calabreseCommented:
It is very difficult to configure Windows to meet the security requirements of most militaries (e.g., Common Criteria, TSEC, etc.). Network disconnection is probably your best bet.

You can use something like USB thumb drives (very cheap these days) to transfer files.
 
plqAuthor Commented:
Thanks guys.

I'll read up on the Cisco PIX (I heard that programming it was a nightmare) and I'll also look into Common Criteria, although time wouldn't allow me to set up a huge security operation.

One more question. Does anyone sell "on/off switches" for Cat 5 cables (like a light switch, not a network switch)? I was thinking that if we could keep the data off the net, and just connect it when we need to, an on/off switch would be great, and then 99% of the time the sensitive data and IPR will be isolated. What I mean is a network like this...

SECURE_NETWORK_1 --- 8_PORT_FIREWALL2 ---- on off switch ---- INTERNET_NETWORK_2 -------- DLINK FIREWALL

Thanks again. I'll split points.
 
chris_calabreseCommented:
Well, you could physically power cycle one of the components along the way or some such, but if you're going to have the second firewall, the other option is to set it up to _only_ allow, say, FTP (or better yet SSH) connections originating from the inner network going to the outer network. No web browsing, no email, nothing but encrypted connections from the inner network to the outside network.
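The inner-firewall policy described in the comment above, as an added example that is not part of the thread: a Linux/iptables script for the second firewall in the SECURE_NETWORK_1 --- firewall --- INTERNET_NETWORK_2 layout that forwards nothing except new SSH sessions opened from the inner LAN and their replies. Interface names (eth0/eth1) and the inner subnet are assumed placeholders; the script only prints the commands unless run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the thread): ruleset for the inner firewall in
#   SECURE_NETWORK_1 --- inner firewall --- INTERNET_NETWORK_2 --- D-Link DI604
# Interface names and the subnet below are assumed placeholders.
INNER_IF=${INNER_IF:-eth0}               # faces SECURE_NETWORK_1
OUTER_IF=${OUTER_IF:-eth1}               # faces INTERNET_NETWORK_2 / the DI604
INNER_NET=${INNER_NET:-192.168.10.0/24}  # constructed sample inner subnet
IPT=${IPT:-echo iptables}                # dry run by default; IPT=iptables applies for real (root)

inner_firewall_rules() {
    # deny everything by default in all three chains, then start from a clean table
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    # the firewall box itself only talks to loopback; it offers no services
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # replies belonging to sessions the inner LAN opened may come back in;
    # nothing that originates on the outer side ever matches this
    $IPT -A FORWARD -i "$OUTER_IF" -o "$INNER_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # the single permitted service: new SSH (TCP/22) from inner hosts outward
    $IPT -A FORWARD -i "$INNER_IF" -o "$OUTER_IF" -s "$INNER_NET" \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # everything else (web, mail, a worm phoning home, inbound probes) is logged,
    # then hits the DROP policy; the log line is how you notice a failed attempt
    $IPT -A FORWARD -j LOG --log-prefix "inner-fw-drop: "
}

# sanity check on the generated policy: exactly one rule may accept NEW forwarded traffic
count_new_accepts() {
    (IPT="echo iptables"; inner_firewall_rules) | grep -c -- '--ctstate NEW -j ACCEPT'
}

inner_firewall_rules
```

Run it once with the defaults to review the printed commands, then with IPT=iptables on the firewall host to apply them.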
 
plqAuthor Commented:
I'll raise another question on the switch in Networking.

Points coming up...