Security for small business

Posted on 2006-10-23
Last Modified: 2013-11-16
I'm a computer consultant specializing in the small office/home office market.  I'm curious to hear from other SOHO consultants regarding security for small business.
More often than not the SOHO customer goes for the least expensive solution - especially when the details of a product comparison get technical.  A case in point is the firewall.  As a technical consultant I want my customers to purchase high quality products that are flexible and easy to configure.  I want to sell my customers dedicated firewall solutions that are independently certified and well regarded by the industry.  The problem is the customer wants the $70 Linksys instead of the $500 Watchguard.  Explanations of superior security features and expandability are obscured by price.  Further, it's difficult to encourage customers to invest in gateway security when so many problems are invited in by the end users!  Others must be experiencing this too.  How are you dealing?
Question by:pnkljohnson2
LVL 39

Expert Comment

ID: 17793029
Hi pnkljohnson2,

Good question. I have found that most small businesses do not need the functionality provided by the high end firewalls.

They usually do not need a VPN (especially not if they are using Exchange 2003 (or more likely SBS); you are not OS specific here, so this is just my experience).  All they need at most is a NAT router to stop inbound unsolicited traffic and provide basic port forwarding for email and/or inbound web (443 for OWA).


Expert Comment

ID: 17793287
It's tough, that's for sure. But limiting user capabilities with permissioning and keeping anti-virus and application firewalls patched and up to date would be your first step.

How's your knowledge with Linux?

Accepted Solution

elusivetech earned 32 total points
ID: 17793678
I don't think a simple port forwarding firewall is enough.

Sonicwall, Juniper or even Cisco do offer firewalls for small businesses. It's not $100 like Netgear, but for roughly $499 you can get yourself a decent firewall that does more than port forwarding or port triggering.

I think having a rule-based firewall is necessary even for a small business. This gives you granular control, and you can control inbound and outbound traffic better than with Linksys or Netgear.

If you don't want your customer to pay $499, I would suggest using a Linux box. You can set up a free rule-based firewall with any flavor of Linux.

-- Martin
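
What a rule-based Linux gateway of this kind could look like, as an added example that is not part of the original answer: an nftables ruleset that drops by default in both directions, forwards only the mail (25) and OWA (443) ports mentioned in this thread, and filters egress. The choice of nftables, the interface names and the server address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed names: eth0 = WAN, eth1 = LAN, 192.168.1.10 = mail/OWA server.
flush ruleset

define WAN  = "eth0"
define LAN  = "eth1"
define MAIL = 192.168.1.10

table inet filter {
    chain input {                          # traffic addressed to the gateway itself
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname $LAN tcp dport 22 accept   # management from the LAN only
        iifname $LAN icmp type echo-request accept
    }
    chain forward {                        # traffic routed between LAN and WAN
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Inbound: only the forwarded ports reach the server (after DNAT below)
        iifname $WAN oifname $LAN ip daddr $MAIL tcp dport { 25, 443 } accept

        # Egress: only the mail server may send SMTP; log workstation attempts
        iifname $LAN oifname $WAN ip saddr $MAIL tcp dport 25 accept
        iifname $LAN oifname $WAN tcp dport 25 log prefix "egress-smtp-drop " drop

        # Egress: DNS, web and NTP for everyone; anything else is logged and dropped
        iifname $LAN oifname $WAN tcp dport { 53, 80, 443 } accept
        iifname $LAN oifname $WAN udp dport { 53, 123 } accept
        iifname $LAN oifname $WAN log prefix "egress-drop " drop
    }
}

table ip nat {
    chain prerouting {                     # port forwarding to the internal server
        type nat hook prerouting priority -100; policy accept;
        iifname $WAN tcp dport { 25, 443 } dnat to $MAIL
    }
    chain postrouting {                    # source NAT for outbound LAN traffic
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

The egress rules in the forward chain are the part that goes beyond port forwarding: a workstation that starts sending mail directly to the Internet shows up in the log with the `egress-smtp-drop` prefix. IP forwarding must be enabled on the box (`net.ipv4.ip_forward=1`) for the forward chain to see any traffic.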

LVL 39

Expert Comment

ID: 17793693
Why don't you think a NAT router or port forwarding firewall is enough?

Closed ports are closed ports -> whether that is done with a $20 firewall or a $40k router

Expert Comment

ID: 17795438
I usually pose the question this way: If the CTO of the consulted business wants to restrict web access for most of their staff to raise productivity and yet at the same time have access himself to, say, security-related websites, he needs a firewall that enables more fine-grained settings than the cheap NAT router he was eyeballing.

Expert Comment

ID: 17795499
Yeah, but that option is up to management, not the consultant. It could, however, be a selling point to convince management to buy the more pricey hardware.

Author Comment

ID: 17803425
As I see it the benefits of true firewall appliances over cheap NAT/PAT devices are:

1) Stronger security - more sophisticated packet inspection, better alerting/reporting, egress filtering, more integration
2) More features - VPNs, more users, configuration flexibility, industry certification
3) Better support - front line support techs that do more than read from a screen, proactive research and publishing, software/firmware maintenance

These features help keep systems safe to a degree but their security value is being eroded by the simple fact that more malware is transported via open ports.  Firewall vendors are starting to offer more threat management at the gateway for enterprise products but not yet for SOHO products.  I feel like I'm doomed to put out fires all day long and I'm getting tired.  Firewall vendors, are you listening?

Assisted Solution

bigjimbo813 earned 31 total points
ID: 17804031
Consulting consists of a huge grey area vs black and white. Budget with SOHO clients can vary depending on that business's size and needs.

I have dealt with clients that are as cheap as Scrooge himself. You just point out a clause stating this is what you recommend; if this isn't met then I can't guarantee my consulting time/fees.

If they don't like it, walk. Usually these tightwads are also the ones who complain over the smallest things which IMO, isn't worth the stress/money.

Author Comment

ID: 17804156
I agree with you.  Determining which customers to avoid is just as important as determining which customers to accept!   My goal is to serve my customers as well as I am able, to deliver value in my services, and to be a reliable partner for the people who put their trust in me.
It's hard being a one man shop.  There's nobody else to turn to when the going gets tough.
LVL 39

Assisted Solution

redseatechnologies earned 31 total points
ID: 17807733
Sorry, I should have written that better.

I don't use the el-cheapo nasty routers for $20

The cheapest thing I will buy is a Linksys or equivalent for about AUD$90

With that in mind;

1) I am yet to have a small client that outgrew the security of a cheap little Linksys router (including the wireless routers) - Reporting is usually a bit dodgy, if it even exists, but generally they don't care - close the ports they aren't using and let it run.
2) Linksys can be a bit dodgy with VPNs, allowing only pass-through (usually from inbound to outbound only) but I don't use the firewall's VPN anyway - RRAS does that, and takes advantage of the Windows authentication.  And how flexible does a small business need their router to be?  As long as it port forwards and allows VPNs, what else is there?  I am starting to wonder about your definition of small business :) And Linksys are industry certified (and owned by Cisco)
3) Support, yes, that can be lacking - but I consider these routers to be relatively disposable, and generally the online help is there (especially considering they are SOHO, and intended to be managed by consumers)

Now, I am not trying to argue for the fun of it, just trying to really get a handle on what you are doing.  I am also a one man band, and work for large (50 scattered users) and small (3 user) networks.  Where they have the budget, and more so, the need for greater security - I have pressed for big Cisco routers (1760s mainly).  But my small client, sure they are hosting mail, but that is it - everything is shut except port 25, and the router is bolted down by default everywhere else (although I was sure to check that).

No security is designed to stop anything - even locks on doors are only designed to slow down intruders.  Smaller companies (and I have seen it) usually don't even care about backups!  And there is a far greater possibility of hardware or software problems wiping an install than someone intentionally forcing their way through a SOHO router.


Assisted Solution

LBACIS earned 31 total points
ID: 17807801
Ok here we go,

You can purchase a Netscreen, Sonicwall or Watchguard small appliance for 200 to 500 dollars and get full stateful packet inspection, etc.
Example: Watchguard x50 on eBay, 400.00. This will even have a web content filtering feature called web blocker. They have always worked great for me...

Question has a verified solution.
