Solved

Secure a network ?

Posted on 2010-08-16
Last Modified: 2013-12-04
Hello Gurus,
I have a customer who has 7 servers (email / file server / SQL Server and Remote Desktop)
+ 50 users and a wireless network.

For the time being he doesn't have much security on the system.
He is asking me to propose a way to secure his network infrastructure.

Any help?
Thanks
PS: Windows 2008
0
Question by:ammounpierre
12 Comments
 
LVL 20

Expert Comment

by:wolfcamel
a lot of things to look at..
internal v external security.
backup & recovery
do you want logging to be able to look at possible breach attempts.
Password policies
Patching and updating of software
0
 
LVL 20

Expert Comment

by:wolfcamel
What routers are being used and what vulnerabilities are there?
Also, there are risks from internal staff accessing compromising websites and opening up a backdoor.
So you also need to look at workstation protection, antivirus, spyware, etc.

Security isn't a separate topic - it is a topic that links into every other part of IT.
Every time you look at a new product or software you should look at whether or not it poses a risk and how that risk will be managed.
You can never be 100% protected - as there is always the risk of something like corrupt staff - which is why backup and recovery solutions are part of the picture.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
It's not as simple as wolfcamel wrote. There are many things to check. You have to give us more details (network configuration, topology, DC configuration) and of course his needs.
0
 
LVL 20

Expert Comment

by:wolfcamel
Also - you need to look at it from a risk management point of view,
i.e.
weigh up the difference between:
low risk - low impact
low risk - high impact
high risk - low impact
high risk - high impact

Look at everything from the point of view of moving it towards low/low, and spend your money primarily on the high/high issues.

E.g. - the chance of a staff member deleting Word documents is low - and the impact is low as you can recover from backup, whereas - if you had a completely open firewall and your admin password was "password" - you would have a high risk and potentially high impact if someone 'hacked' in.
0
 
LVL 20

Expert Comment

by:wolfcamel
Also - work from an outside-in approach,
with the data on the server being the innermost layer
and the physical access to the network being the outermost layer.
0
 

Author Comment

by:ammounpierre
The issue is that as of now he has nothing.
He only has an old network consisting of an old Win2000 server and around 40 workstations.
He needs from me an assessment of what needs to be done.
He will be installing a SQL 2005 solution, an email server (MDaemon) and Windows 2008 servers.
He is more inclined towards having VLANs so as to limit damages in case something happens. So I am to lay out for him a topology whereby he would have VLANs per department (around 5) linked to a main switch/router...
But I need to present him a whole infrastructure solution so we can start implementing step by step.
Thanks for your help, gurus!!
0

 
LVL 3

Expert Comment

by:robertodeacruz
For wireless, use a hidden ID without broadcast, and use a strong password, preferably with the WPA2-PSK algorithm. Consider allowing only registered MAC addresses to obtain a network address. In the router and access point, enable the Java applet filters and the internal firewall.

This ensures the security of the infrastructure; the rest is security services. Think of firewall, proxy, access control, internet, antivirus, password policies, permissions and rights, etc.

Your question is very generic. Try to be more specific so we can better help you.
0
 
LVL 3

Expert Comment

by:gilm0079
To me it sounds like the best thing to do in that scenario is to migrate to a UTM network solution (Unified Threat Management).  I've used a handful of different commercial grade firewall UTM products in my time and I would highly recommend looking into Sonicwall.  Depending on the throughput I would recommend either a TZ210W firewall or a NSA series firewall with a SonicPoint-N wireless AP.  The sonicwall products are very flexible and much simpler to configure than equivalent Cisco devices.  I can't give you too many specifics about in what areas it would help you since your description of your customer's network is very vague, but I would recommend something like this that is an all in one solution for your issue.  The sonicwall devices also have subscription services for Content filtering, anti-virus, anti-spyware and intrusion detection.  I have many customers who are very happy with their Sonicwall devices.
0
 
LVL 3

Expert Comment

by:gilm0079
I agree with robertodeacruz that there are a lot of specific things you can do, especially to your wireless. One thing I would keep in mind is that in the real world, especially when you have non-tech-savvy customers, they don't understand that with increased security usually comes increased complexity. While I would recommend a strong encryption cipher, I would not recommend hiding the SSID or doing MAC filtering. As long as you use a non-dictionary word for WPA or WPA2, it should be secure.

If I wanted to, I would be able to find your SSID even if it was hidden, and as for MAC filtering, that can be easily compromised by scanning for client associations and doing MAC cloning. These two things won't help out too much with security, but can be a headache for your customers who want to easily find their wireless network and associate their computers with it.

As a must, I would make sure all their AV subscriptions are up to date. Viruses and malware are probably the biggest headaches and security risks these days. I've been seeing a lot of malware and have found that most well-known AV software does a poor job. We are looking at either supplementing our AV with Malwarebytes or getting Kaspersky, which seems to do a good job of blocking web malware threats.
0
 

Author Comment

by:ammounpierre
If we were to split the issues so that it is easier for me to present a full-fledged solution, I would say (and please correct me):


1-Internal Security: which can be achieved with Active Directory (security and rights) and AV on the PCs connected to the LAN. Moreover, ideally a NAC would be the best, but extremely expensive. But what can be done is
VLANs (by department, by floor... by group of PCs... etc.). The thing with VLANs is that we can provide internal scanning of PCs via those VLANs; let me explain.
I have VLAN1 and VLAN2 and VLAN3, each with a specific number of PCs.
Now on my firewall, I could set policies and rules so as to "control" the communications between those VLANs.
I could set up a policy that would scan all communications between VLANs for viruses and spam...
and of course I could have my servers in a VLAN as well.

Of course that is not ideal... but in case I have a problem with a PC... that VLAN would be "quarantined" till the solution is fixed...
I think that as far as internal security is concerned... that should be "fair enough".
Coupled with security on access to data... that should be "ok".
Please comment...

2-External Security...
He has a mail server that has webmail enabled... Here I need to find a way to "secure" that... in a way that even if someone gets access to that mail server... he still can't access my LAN.. I think this is what is called a DMZ.. but how do I set it up? Your help would be much appreciated...

3-WiFi. Here things are more complicated since things are more "open" to the public...
I would recommend hiding the SSID and setting a strong WPA2 password... and putting those clients that connect through WiFi in a VLAN by themselves...

Your comments/corrections are most welcome...

0
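The inter-VLAN rules and DMZ idea from the comment above, as an added example that is not part of the original thread: a default-deny, first-match zone policy plus an audit of what each zone can reach. Zone names, ports and rules are assumptions for illustration, not the customer's configuration or any firewall product's syntax.

```python
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    src: str       # source zone
    dst: str       # destination zone
    port: object   # destination TCP port, or ANY
    action: str    # "allow" or "deny"

# Hypothetical zones: department VLANs, a server VLAN, a Wi-Fi VLAN, a DMZ, the Internet.
ZONES = ["internet", "dmz", "servers", "vlan_sales", "vlan_accounts", "vlan_wifi"]
PORTS = [25, 443, 445, 1433]

RULES = [
    Rule("internet", "dmz", 443, "allow"),          # webmail over HTTPS
    Rule("internet", "dmz", 25, "allow"),           # inbound SMTP to the mail server
    Rule("dmz", "internet", 25, "allow"),           # outbound SMTP from the mail server
    Rule("vlan_sales", "servers", 445, "allow"),    # file shares
    Rule("vlan_sales", "servers", 1433, "allow"),   # SQL Server
    Rule("vlan_accounts", "servers", 445, "allow"),
    Rule("vlan_sales", "dmz", 443, "allow"),        # staff webmail
    Rule("vlan_wifi", "dmz", 443, "allow"),         # Wi-Fi clients reach webmail only
    Rule("vlan_wifi", "internet", 443, "allow"),
]

def decide(rules, src, dst, port, quarantined=frozenset()):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    if src in quarantined or dst in quarantined:
        return "deny"  # a quarantined VLAN is cut off in both directions
    for r in rules:
        if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, ANY):
            return r.action
    return "deny"

def reachable_from(rules, src, zones, ports):
    """(dst, port) pairs a zone may open: what a compromised host there could reach."""
    return sorted((d, p) for d in zones for p in ports
                  if d != src and decide(rules, src, d, p) == "allow")

if __name__ == "__main__":
    for zone in ZONES:
        print(zone, "->", reachable_from(RULES, zone, ZONES, PORTS))
```

Because no rule has the DMZ as a source towards an internal zone, the audit for `dmz` lists only outbound SMTP, which is the property the DMZ is meant to provide.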
 

Author Comment

by:ammounpierre
?
?
0
 
LVL 1

Accepted Solution

by:
TheXero earned 500 total points
Hi

To start with, I wouldn't hide the SSID. The reason is that the AP might not broadcast it, but all of the workstations will, putting the workstations under threat.

Secondly, WPA2 is the correct way to go.
You want an SSID that is unique, as the password is mixed in with the SSID to create a salt etc., and that's how wireless penetration testers crack a WPA/WPA2 encryption key, via brute force.
You will also obviously want to use a strong password, as this will help,
and lastly, you will want to use a RADIUS server for authentication.

Follow this guide:
http://www.bunkerhollow.com/blogs/matt/archive/2008/06/04/configuring-server-2008-for-radius-authentication.aspx

So:

Unique SSID
Strong password
RADIUS server

I have recently passed my OSWP so I'm ready to help :D
0
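Why the accepted answer asks for a unique SSID, as an added example that is not part of the original post: WPA/WPA2-PSK derives the pairwise master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so the same passphrase yields a different key on every differently named network. The default-SSID list, the 12-character threshold and the finding names are assumptions for illustration.

```python
import hashlib

# Constructed sample of factory-default SSIDs (assumption, not an authoritative list).
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}
MIN_LEN = 12  # assumed local policy; the standard itself only requires 8..63 characters

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def review_wlan(ssid: str, passphrase: str) -> list:
    """Return a list of findings for a planned SSID / passphrase pair."""
    findings = []
    if ssid in DEFAULT_SSIDS:
        # Keys for common SSIDs can be computed once and reused against every
        # network with that name; a unique SSID removes that shortcut.
        findings.append("default-ssid")
    if len(passphrase) < MIN_LEN:
        findings.append("short-passphrase")
    if passphrase.isalpha():
        # Heuristic only: letters-only strings are often dictionary words.
        findings.append("letters-only")
    return findings

if __name__ == "__main__":
    # Same passphrase, two SSIDs: the derived keys share nothing.
    for ssid in ("linksys", "AcmeCorp-Floor2"):
        print(ssid, wpa2_pmk("correct horse battery", ssid).hex())
    print(review_wlan("linksys", "password"))
    print(review_wlan("AcmeCorp-Floor2", "t7#Kq9!vLm2$Xp4z"))
```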
