Is there a template by which one can go to have a pretty safe network (hardware wise)

Posted on 2006-05-22
Last Modified: 2010-04-11
I'm wondering if anyone can give me an idea of what I might need to purchase to get as secure a network as I need, and then I can go from there.

For instance,
Do I need a firewall?  If I do, where should this firewall be placed?
Secondly, do I need a managed router or can I get away with only a $100 router?

Stats :

One server
10 - 15 computers depending on laptops

cable modem
Question by:candg
    LVL 3

    Accepted Solution

    Security on a network and management on the network are two different things.

    If all you want is to keep your network free of snooping from the outside world, a $100 router will get you by.  If you have to worry about internal problems and you have high level / computer sophisticated users on the network then you need to consider managed equipment to control what access they have to resources on your network.

    As for your network server, what role does it play in your organization and what is your current network setup?  Are you connecting to the internet using consumer class connections (cable, DSL, or satellite)?

    Author Comment

    I'm using cable; the server is the DNS, application server, and IIS for my intranet, as well as TS server.  I want to be assured that people who know just enough to download crap don't screw up the network.  I have antivirus, but what else is a good idea to have?
    LVL 3

    Expert Comment

    Well the best solution to those user problems is a good network admin, if you don't have one in your organization you might look to hiring a consultant to stop on by monthly to do a checkup.

    As for hardware that might help, you can always save some money and throw in a Linux-based firewall like IPCOP @ which with minimal effort can let you log your internal and external traffic.  Another option is to spring for managed switches that do the same thing at a more sophisticated level, allowing you to manage and monitor all network level traffic and connectivity.  If you are afraid of your employees accidentally spreading the next Windows bubonic plague then managed switching would be a good choice.  If all you want to do is block them from accessing certain types of sites and peer to peer services you can do that inside an IPCOP box.

    Other excellent free Linux firewalls (you still need a PC to throw Linux on) you might consider. – Very similar to IPCOP but with less expandability - Much more advanced and difficult to configure

    Dell offers some fairly well priced managed switches you can find @
    Cisco though is the de facto solution for much of corporate America and many vendors will cut you a deal on pricing if you tell them you are interested in going with an alternative.
    LVL 1

    Expert Comment

    Also, what operating system are your computers running on? Windows 98, 2000, and XP and everything in between have very different security concerns which in turn lead to very different methods of securing a network and everything on it. In addition, good computer practice would have you backing up the main components of your network (i.e. your server, and all critical data). After we know the OS, we can go from there to take steps to help secure the network (although there is no such thing as a totally secure network).



    LVL 24

    Expert Comment

    Yes, get a firewall that can stop packets going in each direction by enabling only approved ports. If you do not trust users you could give them each a personal firewall to stop the others, but with so few users, they better be able to trust each other well enough to not need that.

    You are also a little small to suggest need for proxy servers and DMZ. You can give your users regular internet addresses, and give the intranet server a local IP (unroutable/unreachable from internet side)

    > I have antivirus, but what else is a good idea to have.  

    Correct, just remember that A/V is for detection after infection, not a protection. Firewall is not a magic end all, but it is rather opposite that, preventing access and abuse before the fact, stopping some malwares in their tracks.

    Some may recommend similar detection products, get some for adware, get some for spyware, get some for remote controllers, and both the spam and its address collection method. But there's only so much any can handle at a time, and when there is no known problem. Keep that training up and you may end up with no problems.

    > I want to be assured that if people who know just enough to download

    Best answer is to train them well, tolerate little, and enforce against any major abuse. Any unlicenced SW they download can cost big money when found, possibly leading to discharge of all staff. Major D/L that is constant streaming is to be stopped as well since it eats up all the bandwidth.

    Do not neglect getting regular upgrades for every update, since so many are relevant to stopping another malware type.
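
The firewall policy described in the comment above (only approved ports, checked in each direction, with the intranet server on a local address), modelled as an added example that is not part of the original thread. The LAN range, server address and approved port list are assumptions chosen for illustration, and the sample flows are constructed.

```python
import ipaddress

# Assumed values for illustration; none of these come from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
INTRANET_SERVER = ipaddress.ip_address("192.168.1.10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Approved ports per direction; everything else is dropped (default deny).
APPROVED = {
    "out": {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)},
    "in": set(),  # no connection may be started from the internet side
}


def direction(src, dst):
    """Classify a new connection by the side of the firewall that starts it."""
    if src in LAN and dst in LAN:
        return "local"
    return "out" if src in LAN else "in"


def decide(src, dst, proto, dport):
    """Verdict for a NEW connection; replies to allowed ones are assumed
    to be handled by the firewall's connection tracking."""
    way = direction(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    if way == "local":
        return "not-seen"  # LAN-to-LAN traffic never crosses the perimeter
    return "allow" if (proto, dport) in APPROVED[way] else "drop"


def server_unreachable_from_internet():
    """True when the server has an RFC 1918 address and no inbound port is open."""
    private = any(INTRANET_SERVER in net for net in RFC1918)
    return private and not APPROVED["in"]


# Constructed sample flows: (source, destination, protocol, destination port).
FLOWS = [
    ("192.168.1.23", "203.0.113.5", "tcp", 443),    # web browsing
    ("192.168.1.23", "198.51.100.7", "tcp", 6881),  # peer-to-peer client
    ("198.51.100.7", "192.168.1.10", "tcp", 3389),  # outside host to TS port
    ("192.168.1.23", "192.168.1.10", "tcp", 80),    # workstation to intranet
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", decide(*flow))
    print("server hidden from internet:", server_unreachable_from_internet())
```

The `not-seen` verdict for the last flow is why the thread also brings up personal firewalls and managed switches: a perimeter firewall never sees traffic between two machines on the same LAN.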

    Author Comment

    Right, Sun Bow, those are all good ideas, some of which I've done.   All workstations are running WinXP SP2.  And Server is Windows 2003.

    Please help me secure network.
    LVL 1

    Expert Comment

    Microsoft has some excellent guides that address the questions you have presented here. I recommend checking them out.
    LVL 38

    Expert Comment

    by:Rich Rumble
    I start with policies:
    Your users "can do little more than download", but that is more than enough!  This is the most crucial part, BEST PRACTICES, please read this:  and do not forget this:

    AV, and regular scheduled AV dat updates, and nightly scans, along with automating M$ Updates are standard fare best practices also. If your users do not NEED to make system changes, like installing or uninstalling software, changing network settings, installing printers... then by all means remove the ADMIN rights that M$ gives them by default. A power user can still do some of these things, and this may be necessary for LT users to have, but not always, your mileage may vary...

    Firewall good, fire bad.
