oozbooz

asked on

security advice for small office (30-40 users): firewall, anti-virus, etc...

I support a 30-40 user office with a 60/40 split between Linux and MS Windows machines. Here are some of our infrastructure highlights:
1) T1 broadband connection
2) VoIP for inside and outside voice communication
3) email server hosted in-house (scalix) w/ MS Server 2000 running Active Directory for authentication
4) exposed ports are: IMAP, OpenVPN and Web Email

As IT manager I favor Linux-based and/or Open Source solutions. My question to you: what would you recommend as a comprehensive security solution for our IT infrastructure?

1) firewall appliance/hardware: do I need web filtering and a malware blocker built in?
2) should I install anti-virus, firewall, ad-ware washer on individual PCs? (Sophos has one for Linux as well; I've NOT heard much about Linux virus attacks recently)
3) network monitoring (to identify bandwidth consumers)
4) should the file server be subject to anti-virus scans?

Thanks
paradoxengine

You speak of a comprehensive solution: do you want a single infrastructure to do all the work?
If not, here are some "ad-hoc" solutions:

1) This question was answered a lot of times. Barracuda, Sonicwall, choose your flavour. Personally I prefer a small PC with Squid and shorewall.
2) Yes, no and yes. With 15 Windows boxes, it's not going to be cost effective to have an enterprise solution with a central AV and such. There are a lot of free tools performing very well. About the firewall: I would not install it on individual PCs, due to the administrative overhead it's going to add. You should not need it anyway, if you're doing proper filtering at the perimeter.
3) Lots of solutions here too, from Nagios to Zabbix to many commercial software packages. Point is: what kind of network infrastructure have you got? If your switches are not going to tell you anything about traffic, you're ending up with partial information.
4) Yes, in my opinion. A file server is the only server that could have an antivirus. Since you're using Linux, I strongly suggest you try Samba with vscan + ClamAV. I won't go into in-depth details, but it's by far the best server-side scanning solution I ever worked with.
I have worked with:
- SonicWall
- Check Point
- PIX
- Netgear
- Raptor (Symantec)
- WatchGuard

By far the only one that has produced a fair all-in-one solution for the price is the WatchGuard.

You can get a 550e for around 1000; check it out.


SOLUTION
Rich Rumble

ASKER CERTIFIED SOLUTION
One last thing... at the risk of offending a few guys here ... I'm not a great fan of home-made pc with an open source firewall & snort etc etc solutions. For a 40-person business, I would get a commercial solution from a vendor with a proven track record, 24-hour guaranteed swap-out hardware warranty, 24x7 dedicated support & a professional installation. A couple of thousand a year to look after 90% of the (perimeter & client) security in a 40-person office doesn't sound at all over the top to me!

And paradoxengine - not 100% sure what you meant by "With 15 Windows boxes, it's not going to be cost effective to have an enterprise solution with a central AV and such. " but there's several SMB-targeted comprehensive solutions out there that are sold at that level, including the one I mentioned... apologies if I misunderstood what you meant...
Granted, using tools like Snort, IPTables etc. can be hard for a novice Linux user, but they are in fact good tools. They also have proven track records, at least the ones I recommended. IPTables for example is far more robust than even a PIX firewall in what it can do: a PIX can do layer 3 and 4, IPTables can do layers 2-4 and layer 7. There are very few commercial router/firewalls that can do layer 2; most do 3-4, and seldom do they go beyond that.
Again, it does ultimately boil down to comfort level and ease of use, but I hesitate to say commercial is better than FOSS in any arena.
-rich
Hi Rich,
I agree... though with a caveat. These tools are extremely powerful, stable & customisable in the right hands, but could be a can of worms in other cases! I wasn't suggesting that a commercial solution is necessarily better technically than a number of free/open source solutions, but from a business standpoint, especially for someone who isn't necessarily a security / linux expert, I would definitely recommend the formal support infrastructure, warranty, signature databases & installer base of a commercial product...
cheers
bud.
I agree with that fully.
-rich
oozbooz

ASKER

First, thanks for such extensive information.

Second, I've increased the points for the question to get your take on information security. Firewall and anti-virus prevent external attacks. In our case, the company's concern is the security of its software and other proprietary information. Can a firewall or any other technology prevent uploading files into webmail (Google, Yahoo), ssh/ftp/imap to an external server, and/or any other file transfer methods?

Thanks
no, not at all.
Going into greater detail, there is NO WAY to avoid users taking information they can access outside your network. PERIOD.
Actually, you could implement COMPLETE network screening - you have to PREVENT SSL or any encrypted communication from ever happening or you won't be able to verify the traffic - and a personal check for every person getting inside or outside the structure.
You have to understand that once you are giving access to data, you're giving the person the right (well, the chance) to copy the information. It's very unlikely you'll be able to avoid this completely, and this is a concept given for granted in MAC (Mandatory Access Control) logic.

Should someone try to sell you a solution that will allow you to have complete control on your information, like you describe, just don't trust him.

What you CAN do is: implement strict access control and full logging.

Well, there is and there isn't... If the data is only accessible from a single PC, or a set of PCs, that aren't connected to the internet and/or LAN, and there are no USB/CD/floppy drives to copy the info to, and the HDs are under lock and key; other than that, it's pretty futile. If you need policies on such things as intellectual property or acceptable use: http://www.sans.org/resources/policies/
-rich
Under such a policy, rich, users could take pictures of the screen they display the info on or do some tens tricks ;)
Hi oozbooz,
"Can firewall or any other technology prevent uploading files into webmail (Google, yahoo), ssh/ftp/imap to external server, and/or any other file transfer methods?"

At the risk of getting blasted by the others, my answer is yes you can! If you want to tighten things down to such an extent, you will need to lock down a few protocols, which will mean loss of other functionality as well. Depending on your requirements, this may or may not be a problem. Most decent firewalls sitting at the gateway will allow you to configure services and websites that you want to ban on your network (or for certain computers on your network). The administrative overhead can get a bit high, and no one can say that you will have a completely bulletproof 100% solution, but consider the following as a starting point for planning the system:
1. In your DHCP server (assuming you use DHCP), set up reservations for your servers etc. that may not need to be restricted from making SSL/SSH connections, at one end of your DHCP scope. (This assumes that your users don't have access to your servers.)
2. In the firewall, create rules that cover the rest of your DHCP scope that will block SSL, SSH, IMAP, FTP (and any other) traffic (in & out) that you don't want to allow.
3. In your content filtering solution (depending on the solution), block access to all the categories of sites that you don't want to allow (messaging, personal pages, p2p, personal network storage, remote access, usenet, webmail - a small sample of categories in the solution I use). Manually add other sites that you want to block.
4. Use a good monitoring solution to keep an eye on what's going on, and keep building up your firewall & banned sites.
This is not a bulletproof solution, but will prevent the casual user from getting access to the most common avenues of escape.
This doesn't handle file transfer that can be done over HTTP. If you want to block this (you didn't mention http, which is unencrypted), then your users won't be able to use the web at all. At which point you may as well deny them any kind of access to the internet, except email through your email servers!

If you don't want to ban HTTP, then you can just ban encrypted traffic, p2p & IM traffic etc. Then ensure that your proxy / monitoring keeps an eye on what is being sent and where... monitoring is key, and I'm sure others here would be able to suggest very powerful monitoring solutions that can go a long way towards looking at what's happening across your internet connection, and ban all traffic that cannot be monitored.

At the end of the day, the best solution is a mixture of technology & policy. Make sure that technology makes it hard to circumvent the regulations, and make sure that policy: 1. is clearly understood & accepted (signed contract) by all, 2. makes clear that all traffic will be monitored 3. makes very clear the penalties involved in the event of a contravention of policy & guidelines 4. define penalties that are actually going to make anyone think very hard about breaching them.

Block, monitor, improve your technical ability to block unwanted communications, and educate all users.

Sounds a bit Orwellian, but it seems that your concerns are quite above average :-)
Apologies that my above post doesn't even touch on floppies, USB drives, hard drives, printouts and photos of screens, but then your question was about a firewall!
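The gateway rules budchawla describes (servers reserved at one end of the DHCP scope keep their SSL/SSH access, the user range is blocked on the encrypted and file-transfer ports and the drops are logged), written as an added example for an IPTables gateway of the kind rich mentions. This is not code from anyone in the thread; the interface name, address ranges and port list are assumptions and are meant to be changed to fit the real scope.

```shell
#!/bin/sh
# Added example, not from the thread: egress policy for the split described
# above. Servers (DHCP reservations) are exempt, the user range is sent to a
# log-and-drop chain for the blocked TCP ports. Every value below is assumed.
LAN_IF="${LAN_IF:-eth1}"                                   # inside interface of the gateway
SERVER_RANGE="${SERVER_RANGE:-192.168.1.2-192.168.1.20}"   # reserved addresses for servers
USER_RANGE="${USER_RANGE:-192.168.1.100-192.168.1.250}"    # remainder of the DHCP scope
BLOCKED_TCP="${BLOCKED_TCP:-21 22 143 443 993}"            # ftp ssh imap https imaps

# Emit the iptables commands instead of applying them, so the rule set can be
# reviewed first and then piped to sh on the gateway (needs root and the
# iprange match module).
egress_rules() {
  # Chain that rate-limits a syslog entry and then drops the packet, so the
  # monitoring side sees which user addresses keep trying blocked ports.
  echo "iptables -N USER_EGRESS"
  echo "iptables -A USER_EGRESS -m limit --limit 10/min -j LOG --log-prefix 'EGRESS-DROP ' --log-level 4"
  echo "iptables -A USER_EGRESS -j DROP"
  # Servers keep unrestricted egress (they may still need SSL/SSH out).
  echo "iptables -A FORWARD -i $LAN_IF -m iprange --src-range $SERVER_RANGE -j ACCEPT"
  # Everything from the user range to a blocked port goes to the chain above;
  # plain HTTP stays open, which is why the proxy/content filter matters.
  for port in $BLOCKED_TCP; do
    echo "iptables -A FORWARD -i $LAN_IF -m iprange --src-range $USER_RANGE -p tcp --dport $port -j USER_EGRESS"
  done
}

# Number of blocked-port rules in the generated policy (sanity check before applying).
blocked_rule_count() {
  egress_rules | grep -c -- '--dport'
}

# Print the policy for review when the script is run directly.
egress_rules
```

The rules only shape the FORWARD path; anything the users reach on the LAN itself (the proxy, the mail server) is untouched, and the LOG lines are what the monitoring step in the list above watches for.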
Actually, a "standard" user could just use one of those forums and upload the file that you are protecting as an attachment.
They could use many means to scramble the traffic so that the proxy won't be able to tell what the file is (JavaScript, local encryption, whatever).
And I can go on and on and on. As a security consultant, I faced this problem many many times. It's a No-No situation. What you have to understand it's that there is no technological way to do what you want. What you can do, as I said and budchawla pointed out, is use Policies to make clear what can and can't be done, use tech to make things more difficult and most of all implement a good MAC [or any other security logic] policy.
Other solutions are just "fried air" as we say in Italy.
paradoxengine -
Agreed!
And I just re-read your previous post and realised that I partially re-iterated what you had posted (although in about 10 times as many words!). I must have missed it the first time - to be quite honest I got a bit put off with the "No, not at all" opener!
Although I totally agree & understand that a 100% technical solution isn't possible, I prefer to approach it the other way & say yes it's possible, to a certain extent, but there are caveats... and I think we're all agreed on the rest in terms of a combination of technical / policy / monitoring / enforcement...
...and I prefer my air grilled ;-)
cheers,
budchawla
Yes, like I said also, there is and there isn't... it's all about how motivated and skilled the thief is. I've seen the entire computer/server stolen, the back-up tapes, the hard drives etc... Security is a process, not a program. There are always tradeoffs with securing data, be it digital or otherwise. Budget and ease of use are the main factors in security the world over.
Policy and monitoring are truly the way to go. You should take other measures for sure, but it all boils down to making sure your users know they are being watched when it comes to company secrets and information, as well as following through with violations of policies; they need to know you're serious.
-rich
oozbooz

ASKER

Here is a strategy I was contemplating: all communication tools (email, browser, etc.) are installed on the employee's local machine, which is connected to the corp network and internet. In turn, source code, proprietary info and development tools are installed on a server that isn't connected to the outside world. The employee's only access to the server is via a virtual desktop or other virtual environment means (VMware comes to mind, VNC-like software). The server file system is not visible otherwise. Buffering for the virtual session is disabled so the user cannot cut/paste info to the local desktop.

Let me know what's wrong with this picture.

Thanks
It's a start, and should prove to be a good one; just remember if they have the motivation they will get the info. While copy/paste is disabled in the remote control program, remember it's a two-way street: they can VNC/Terminal Service to the server, the server can also connect back to their own user machine, to their C$ or other shared drive, and you can still drag files and use copy and paste that way. You may be able to disable rdpclip, or use VNC with no clipboard, but you really can't disable move/copy from M$ Explorer. Make sure users know the policies, or if you don't have them get them in place.
http://www.sans.org/resources/policies/
-rich
hi oozbooz,
your strategy does indeed mitigate your risks, and when used along with the other precautions makes it technologically harder to circumvent your security. As richrumble, paradoxengine & I have mentioned, we would also have strong policies in place to persuade users to not want to push their luck!
thanks for the A!
- bud