Solved

security advise for small office (30-40 users): firewall, anti-virus, etc...

Posted on 2006-11-14
20
524 Views
Last Modified: 2013-11-16
I support a 30-40 user office with a 60/40 split between Linux and MS Windows machines. Here are some of our infrastructure highlights:
1) T1 broadband connection
2) VoIP for inside and outside voice communication
3) email server hosted in-house (scalix) w/ MS Server 2000 running Active Directory for authentication
4) exposed ports are: IMAP, OpenVPN and Web Email

As IT manager I favor Linux-based and/or Open Source solutions. My question to you is: what would you recommend as a comprehensive security solution for our IT infrastructure?

1) firewall appliance/hardware: do I need web filtering and a malware blocker built in?
2) should I install anti-virus, firewall and ad-ware washer on individual PCs? (Sophos has one for Linux as well; I've NOT heard much about Linux virus attacks recently)
3) network monitoring (to identify bandwidth consumers)
4) should the file server be subject to anti-virus scans?

Thanks
0
Question by:oozbooz
20 Comments
 
LVL 9

Expert Comment

by:paradoxengine
You speak of a comprehensive solution: do you want a single infrastructure to do all the work?
If not, here are some "ad-hoc" solutions:

1) This question has been answered a lot of times. Barracuda, Sonicwall, choose your flavour. Personally I prefer a small PC with Squid and shorewall.
2) Yes, no and yes. With 15 Windows boxes, it's not going to be cost effective to have an enterprise solution with a central AV and such. There are a lot of free tools performing very well. About the firewall: I would not install it on individual PCs, due to the administrative overhead it's going to add. You should not need it anyway, if you're doing proper filtering at the perimeter.
3) Lots of solutions here too, from nagios to zabbix to many commercial software packages. Point is: what kind of network infrastructure have you got? If your switches are not going to tell you anything about traffic, you're ending up with partial information.
4) Yes, in my opinion. A file server is the only server that could have an antivirus. Since you're using linux, I strongly suggest you try Samba, Vscan+Clamav. I won't go into depth, but it's by far the best server-side scanning solution I ever worked with.
0
 
LVL 4

Expert Comment

by:LBACIS
I have worked with:
sonicwall
checkpoint
pix
netgear
raptor (symantec)
watchguard

by far the only one that has produced a fair all-in-one solution for the price is the watchguard.

you can get a 550e for around 1000; check it out.


0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
Linux IPTables is a good firewall, and apps like FWBuilder make them easy to configure. There are other apps like Ntop and Cacti that can show you BW consumed; Ntop has a granular breakdown based on popular protocols, whereas Cacti is simply an in/out BW grapher.

If you can make your users non-admins you can all but eliminate the need for anti-spyware and anti-virus on the PCs. Your mail server and probably webservers (unless they are *nix) will be a good place to have AV. ClamAV is a free unix AV, and SpamAssassin is a free open source spam filter. Barracuda (mentioned above) uses both ClamAV and SpamAssassin and repackages them with some other free open source utils; it's a good product, and you'll spend much less time configuring it than you would each of the packages individually.
Linux viruses do exist, but on such a small scale by comparison to M$... If your users run M$ I'd suggest McAfee and/or the win32 port of ClamAV; in addition I'd remove admin rights where possible. M$ is doing this in Vista, and it's only 15+ years too late, as Linux, Unix, BSD and Mac have done this from the very start.
There is also the Snort IDS that is always good to have on your lan...
http://www.betanews.com/article/Allchin_Suggests_Vista_Wont_Need_Antivirus/1163104965
http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html (many good links to many good sites)
http://nonadmin.editme.com/RunningAsNonAdmin http://nonadmin.editme.com/WhyNonAdmin
http://www.eweek.com/article2/0,1759,1891447,00.asp

ntop: http://www.ntop.org/overview.html (win32 port of it: http://www.openxtra.co.uk/freestuff/ntop-xtra.php)
Cacti: http://cacti.net/ (just like mrtg if you've worked with that in the past)
ClamAV: http://www.clamav.net/
Snort: http://snort.org/
Spamassassin: http://spamassassin.apache.org/
FirewallBuilder: http://www.fwbuilder.org/
-rich
0
 
LVL 10

Accepted Solution

by:budchawla
budchawla earned 300 total points
Hiya...
1) Firewall appliance: see below - it comes with content filtering and a full UTM suite. Do you need web filtering? That's probably something you should decide! Do your users need to be watched / controlled? See more about this in point 3.
2) IMHO, AV & antispyware must be present & enforced on all clients - see below.
3) Again, included in the CGSS is a 1yr ViewPoint subscription. This is a comprehensive syslog server that will give you as much detail as (and more than) you could want, drilling down per IP address per hour per service etc. And since it's reported to by your internet gateway, it won't miss anything.
4) Definitely, especially if you're talking about your windows box... again, included as an integrated option in your unit below...

I personally have used SonicWALLs in such scenarios with great success. Even though they don't recommend it, I have the baby TZ170s running 35-40 users without a problem. For price/value, I don't think anything beats these, since they are full UTM devices (I believe Sonicwall are the no.1 UTM vendor) and offer pretty much every feature you could want for an RRP of about £600 although they are available on the web for about £450 or so. The UTM suite (called the CGSS - comprehensive gateway security suite) is more expensive, but I do believe you get what you pay for.

If you have the budget, go for a Pro1260 with the UTM suite. One of the nicest things about the sonicwall solution for me is not the gateway anti-virus, gateway anti-spyware, intrusion detection, deep packet inspection, content filtering etc... it's the simple matter of being able to ENFORCE client AV and manage client AV centrally. You get enterprise features at VERY SMB prices. They bundle a version of the McAfee Total Protection suite (AV & anti-spyware) & the unit will push it out to clients (needs clicks) and also make sure that out of date clients can't access the internet. It'll keep track of outbreaks and won't let users get out until the patch is installed. You get a centralised web-based admin console for all your client AV & anti-spyware. You also can get server AV for your windows servers as part of the deal (McAfee again). And obviously all the features are configurable, so you can be as paranoid or lax as you want.

Personally, I feel that the most important thing isn't so much what solution you go for, since there are several vendors out there with excellent products. The crucial thing is to make sure that it has been set up correctly, and is patched / updated / monitored regularly. No offence, but you don't sound like a security guru (I'm not either, by a long shot) - I would suggest you get hold of a reputable security consultant to at least do the initial setup, and watch him/her well! The number of times we come across businesses with all the right gear & big fat holes left open because they bought it online & nobody knew how to configure it properly (even though they thought it was FINE) is crazy. It would be nice if security were a fit-and-forget thing, but I don't think it is, and I don't think it will be anytime soon. Advice - get a good solution (preferably not an open source linux firewall running on a 'spare' 6-yr-old on-its-last-legs PC), make sure it's set up correctly, learn it well & monitor it & your network regularly. And make sure that the vendor of whatever solution you buy has a solid pedigree & 24x7 support (not in a 3rd world call centre).

As a final note, this is a product that makes my monitoring tasks a fair bit easier: Firewall Dashboard (http://www.scorpionsoft.com/products/fwdashboard/ )

Phew, HTH!
0
 
LVL 10

Expert Comment

by:budchawla
One last thing... at the risk of offending a few guys here ... I'm not a great fan of home-made pc with an open source firewall & snort etc etc solutions. For a 40-person business, I would get a commercial solution from a vendor with a proven track record, 24-hour guaranteed swap-out hardware warranty, 24x7 dedicated support & a professional installation. A couple of thousand a year to look after 90% of the (perimeter & client) security in a 40-person office doesn't sound at all over the top to me!

And paradoxengine - not 100% sure what you meant by "With 15 Windows boxes, it's not going to be cost effective to have an enterprise solution with a central AV and such. " but there's several SMB-targeted comprehensive solutions out there that are sold at that level, including the one I mentioned... apologies if I misunderstood what you meant...
0
 
LVL 38

Expert Comment

by:Rich Rumble
Granted, using tools like Snort, IPTables etc... can be hard for a novice linux user, but they are in fact good tools. They also have proven track records, at least the ones I recommended. IPTables for example is far more robust than even a Pix firewall with what it can do: a Pix can do layer 3 and 4, IPTables can do layer 2-4 and layer 7. There are very few commercial router/firewalls that can do layer 2; most do 3-4, and seldom do they go beyond that.
Again, it does ultimately boil down to comfort level and ease of use, but I hesitate to say commercial is better than FOSS in any arena.
-rich
0
 
LVL 10

Expert Comment

by:budchawla
Hi Rich,
I agree... though with a caveat. These tools are extremely powerful, stable & customisable in the right hands, but could be a can of worms in other cases! I wasn't suggesting that a commercial solution is necessarily better technically than a number of free/open source solutions, but from a business standpoint, especially for someone who isn't necessarily a security / linux expert, I would definitely recommend the formal support infrastructure, warranty, signature databases & installer base of a commercial product...
cheers
bud.
0
 
LVL 38

Expert Comment

by:Rich Rumble
I agree with that fully.
-rich
0
 
LVL 1

Author Comment

by:oozbooz
First, thanks for such extensive information.

Second, I've increased the points for the question to get your take on information security. Firewall and anti-virus prevent external attacks. In our case, the company's concern is the security of its software and other proprietary information. Can a firewall or any other technology prevent uploading files into webmail (Google, yahoo), ssh/ftp/imap to an external server, and/or any other file transfer methods?

Thanks
0
 
LVL 9

Expert Comment

by:paradoxengine
no, not at all.
Going into greater detail, there is NO WAY to prevent users from taking information they can access outside your network. PERIOD.
Actually, you could implement COMPLETE network screening - you have to PREVENT ssl or any encrypted communication from ever happening or you won't be able to verify the traffic - and a personal check for every person getting inside or outside the structure.
You have to understand that once you are giving access to data, you're giving the person the right (well, the chance) to copy the information. It's very unlikely you'll be able to avoid this completely, and this is a concept taken for granted in MAC (Mandatory Access Control) logic.

Should someone try to sell you a solution that will allow you to have complete control of your information, like you describe, just don't trust him.

What you CAN do is: implement strict access control and full logging.

0
 
LVL 38

Expert Comment

by:Rich Rumble
Well, there is and there isn't... If the data is only accessible from a single PC, or a set of PCs, that aren't connected to the internet and/or LAN, and there are no USB/CD/floppy drives to copy the info to, and the HDs are under lock and key... other than that, it's pretty futile. If you need policies on such things as intellectual property or acceptable use: http://www.sans.org/resources/policies/
-rich
0
 
LVL 9

Expert Comment

by:paradoxengine
Under such a policy, rich, users could take pictures of the screen they display the info on or do some tens of other tricks ;)
0
 
LVL 10

Expert Comment

by:budchawla
Hi oozbooz,
"Can firewall or any other technology prevent uploading files into webmail (Google, yahoo), ssh/ftp/imap to external server, and/or any other file transfer methods?"

At the risk of getting blasted by the others, my answer is yes you can! If you want to tighten things down to such an extent, you will need to lock down a few protocols, which will mean loss of other functionality as well. Depending on your requirements, this may or may not be a problem. Most decent firewalls sitting at the gateway will allow you to configure services and websites that you want to ban on your network (or for certain computers on your network). The administrative overhead can get a bit high, and no one can say that you will have a completely bulletproof 100% solution, but consider the following as a starting point for planning the system:
In your DHCP server (assuming you use DHCP), set up reservations at one end of your DHCP scope for your servers etc. that may not need to be restricted from making ssl/ssh connections. (This assumes that your users don't have access to your servers.)
In the firewall, create rules that cover the rest of your DHCP scope and block SSL, SSH, IMAP, FTP (and any other) traffic (in & out) that you don't want to allow.
In your content filtering solution (depending on the solution), block access to all the categories of sites that you don't want to allow (messaging, personal pages, p2p, personal network storage, remote access, usenet, webmail - a small sample of categories in the solution I use). Manually add other sites that you want to block.
Use a good monitoring solution to keep an eye on what's going on, and keep building up your firewall & banned sites.
This is not a bulletproof solution, but will prevent the casual user from getting access to the most common avenues of escape.
This doesn't handle file transfer that can be done over HTTP. If you want to block this (you didn't mention http, which is unencrypted), then your users won't be able to use the web at all. At which point you may as well deny them any kind of access to the internet, except email through your email servers!

If you don't want to ban HTTP, then you can just ban encrypted traffic, p2p & IM traffic etc. Then ensure that your proxy / monitoring keeps an eye on what is being sent and where... monitoring is key, and I'm sure others here would be able to suggest very powerful monitoring solutions that can go a long way towards looking at what's happening across your internet connection, and ban all traffic that cannot be monitored.

At the end of the day, the best solution is a mixture of technology & policy. Make sure that technology makes it hard to circumvent the regulations, and make sure that policy: 1. is clearly understood & accepted (signed contract) by all, 2. makes clear that all traffic will be monitored, 3. makes very clear the penalties involved in the event of a contravention of policy & guidelines, 4. defines penalties that are actually going to make anyone think very hard about breaching them.

Block, monitor, improve your technical ability to block unwanted communications, and educate all users.

Sounds a bit Orwellian, but it seems that your concerns are quite above average :-)
0
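The DHCP-reservation split described in the post, as an added example that is not from the thread: a POSIX shell script that generates (but does not apply) an iptables-restore ruleset in which the reserved server block keeps full egress, the rest of the scope is refused SSL, SSH, IMAP and FTP to the outside, and every refused attempt is logged for the monitoring stage. Interface names, address ranges and the log prefix are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset for
# the split budchawla describes. Interfaces and ranges are constructed.

LAN_IF="eth1"                                 # assumed inside interface
WAN_IF="eth0"                                 # assumed outside interface
SERVER_RANGE="192.168.1.200-192.168.1.254"    # constructed DHCP reservations
USER_RANGE="192.168.1.20-192.168.1.199"       # constructed rest of the scope

# TCP ports the post names for the user scope: SSL (443), SSH (22),
# IMAP (143/993), FTP (21)
BLOCKED_TCP_PORTS="443 22 143 993 21"

# Emit one rule line; printf '%s' keeps a leading "-A" from being parsed as an option
rule() { printf '%s\n' "$*"; }

# Print the ruleset in iptables-restore format. Nothing is applied here.
gen_egress_rules() {
  rule '*filter'
  rule ':FORWARD DROP [0:0]'
  rule ':USER_EGRESS - [0:0]'
  rule ':LOG_DROP - [0:0]'
  # Return traffic for flows the firewall has already accepted
  rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Servers in the reservation block keep unrestricted egress
  rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m iprange --src-range "$SERVER_RANGE" -j ACCEPT
  # Workstations in the rest of the scope go through the restricted chain
  rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m iprange --src-range "$USER_RANGE" -j USER_EGRESS
  for port in $BLOCKED_TCP_PORTS; do
    rule -A USER_EGRESS -p tcp --dport "$port" -j LOG_DROP
  done
  # Everything else from workstations (plain HTTP, DNS) passes and is left to the proxy
  rule -A USER_EGRESS -j ACCEPT
  # Rate-limited log before the drop so the attempts appear in syslog
  rule -A LOG_DROP -m limit --limit 10/min -j LOG --log-prefix '"EGRESS-DROP: "' --log-level 4
  rule -A LOG_DROP -j DROP
  rule COMMIT
}

# Review the output first; to apply as root: gen_egress_rules | iptables-restore
gen_egress_rules
```

Workstations still reach the in-house IMAP server, because LAN-to-LAN traffic never crosses the WAN interface and so never enters the FORWARD chain's restricted path.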
 
LVL 10

Expert Comment

by:budchawla
Apologies that my above post doesn't even touch on floppies, USB drives, hard drives, printouts and photos of screens, but then your question was about a firewall!
0
 
LVL 9

Expert Comment

by:paradoxengine
Actually, a "standard" user could just use one of those forums and upload the file that you are protecting as an attachment.
They could use many means to scramble the traffic so that the proxy won't be able to tell what the file is (javascript, local encryption, whatever).
And I can go on and on and on. As a security consultant, I faced this problem many many times. It's a no-win situation. What you have to understand is that there is no technological way to do what you want. What you can do, as I said and budchawla pointed out, is use policies to make clear what can and can't be done, use tech to make things more difficult and, most of all, implement a good MAC [or any other security logic] policy.
Other solutions are just "fried air", as we say in Italy.
0
 
LVL 10

Expert Comment

by:budchawla
paradoxengine -
Agreed!
And I just re-read your previous post and realised that I partially re-iterated what you had posted (although in about 10 times as many words!). I must have missed it the first time - to be quite honest I got a bit put off with the "No, not at all" opener!
Although I totally agree & understand that a 100% technical solution isn't possible, I prefer to approach it the other way & say yes it's possible, to a certain extent, but there are caveats... and I think we're all agreed on the rest in terms of a combination of technical / policy / monitoring / enforcement...
...and I prefer my air grilled ;-)
cheers,
budchawla
0
 
LVL 38

Expert Comment

by:Rich Rumble
Yes, like I said also, there is and there isn't... it's all about how motivated and skilled the thief is. I've seen the entire computer/server stolen, the back-up tapes, the harddrives etc... Security is a Process, not a Program. There are always tradeoffs with securing data, be it digital or otherwise. Budget and Ease of Use are the main factors in security the world over.
Policy and monitoring are truly the way to go. You should take other measures for sure, but it all boils down to making sure your users know they are being watched when it comes to company secrets and information, as well as following through with violations of policies; they need to know you're serious.
-rich
0
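The "monitoring" side the thread keeps coming back to (bandwidth consumers in the question, per-IP per-hour per-service drill-down in budchawla's post, "policy and monitoring" here), as an added example that is not from the thread: a POSIX shell script that reduces netfilter LOG lines from an egress-drop rule to those two views. The syslog lines and the "EGRESS-DROP:" prefix are constructed samples; the field layout (SRC=, DPT=, LEN=) is the standard netfilter LOG format.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter LOG lines into
# per-hour/per-source/per-service counts and a bytes-per-source ranking.
# The log lines below are constructed samples, not real traffic.

SAMPLE_LOG=$(cat <<'EOF'
Nov 14 09:12:31 gw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 14 09:14:02 gw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 14 09:40:10 gw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 14 10:05:55 gw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40110 DPT=21 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 14 10:06:01 gw kernel: eth0: link up, 100Mbps, full-duplex
EOF
)

# stdin: syslog lines. stdout: "HH SRC DPT count", one line per combination.
# Lines without the log prefix (the "link up" message) are ignored.
summarize_drops() {
  awk '
    /EGRESS-DROP:/ {
      hour = substr($3, 1, 2)          # $3 is the HH:MM:SS timestamp
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "") count[hour " " src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# stdin: syslog lines. stdout: "SRC bytes" summed over refused packets, heaviest first.
top_sources() {
  awk '
    /EGRESS-DROP:/ {
      src = ""; len = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^LEN=/) len = substr($i, 5) + 0
      }
      if (src != "") bytes[src] += len
    }
    END { for (s in bytes) print s, bytes[s] }' | sort -k2 -nr
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

On a real gateway, replace the sample with `grep 'EGRESS-DROP:' /var/log/kern.log` (or wherever syslog puts kernel messages) piped into the same functions.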
 
LVL 1

Author Comment

by:oozbooz
Here is a strategy I was contemplating: all communication tools (email, browser, etc) are installed on the employee's local machine, which is connected to the corp network and the internet. In turn, source code, proprietary info and development tools are installed on a server that isn't connected to the outside world. The employee's only access to the server is via a virtual desktop or other virtual environment means (vmware comes to mind, vnc-like software). The server file system is not visible otherwise. Clipboard buffering for the virtual session is disabled so the user cannot cut/paste info to the local desktop.

Let me know what's wrong with this picture.

Thanks
0
 
LVL 38

Expert Comment

by:Rich Rumble
It's a start, and should prove to be a good one; just remember that if they have the motivation they will get the info. While copy/paste is disabled in the remote control program, remember it's a two-way street: they can VNC/TerminalService to the server, and the server can also connect back to their own user machine, to their C$ or other shared drive, so you can still drag files and use copy and paste that way. You may be able to disable Rdpclip, or use VNC with no clipboard, but you really can't disable move/copy from M$ explorer. Make sure users know the policies, or if you don't have them, get them in place.
http://www.sans.org/resources/policies/
-rich
0
 
LVL 10

Expert Comment

by:budchawla
hi oozbooz,
your strategy does indeed mitigate your risks, and when used along with the other precautions makes it technologically harder to circumvent your security. As richrumble, paradoxengine & I have mentioned, we would also have strong policies in place to persuade users to not want to push their luck!
thanks for the A!
- bud
0