Secure a network?

Hello Gurus,
I have a customer who has 7 servers (email / file server / SQL server and Remote Desktop)
+ 50 users and a wireless network.

For the time being he doesn't have much security on the system.
He is asking me to propose to him a way to secure his network infrastructure.

Any help?
PS: Windows 2008

A lot of things to look at:
internal vs. external security
backup & recovery
do you want logging to be able to look at possible breach attempts?
password policies
patching and updating of software
what routers are being used and what vulnerabilities are there?
Also there are risks from internal staff accessing compromising websites and opening up a backdoor,
so you also need to look at workstation protection, antivirus, spyware etc.

Security isn't a separate topic; it is a topic that links into every other part of IT.
Every time you look at a new product or software you should look at whether or not it poses a risk and how that risk will be managed.
You can never be 100% protected, as there is always the risk of something like corrupt staff, which is why backup and recovery solutions are part of the picture.
Krzysztof Pytko, Senior Active Directory Engineer, commented:
It's not as simple as wolfcamel wrote. There are many things to check. You have to give us more details (network configuration, topology, DC configuration) and of course his needs.

Also, you need to look at it from a risk management point of view.
Weigh up the difference between:
low risk - low impact
low risk - high impact
high risk - low impact
high risk - high impact

Look at everything from the point of view of moving it towards low/low and spend your money primarily on the high/high issues.

E.g. the chance of a staff member deleting Word documents is low, and the impact is low as you can recover from backup, whereas if you had a completely open firewall and your admin password was "password", you would have a high risk and potentially high impact if someone 'hacked' in.
Also, work from an outside-in approach,
with the data on the server being the innermost layer
and the physical access to the network being the outermost layer.
ammounpierre (Author) commented:
The issue is that as of now he has nothing.
He only has an old network consisting of an old Windows 2000 server and around 40 workstations.
He needs from me an assessment of what needs to be done.
He will be installing a SQL 2005 solution and an email server (MDaemon) and Windows 2008 servers.
He is more inclined towards having VLANs so as to limit damages in case something happens. So I am to lay out for him a topology whereby he would have VLANs per department (around 5) linked to a main switch/router.
But I need to present him a whole infrastructure solution so we can start implementing step by step.
Thanks for your help gurus!!
For wireless, use a hidden SSID without broadcast, use a strong password, and preferably the WPA2-PSK algorithm. Consider allowing only registered MAC addresses to obtain a network address. Enable in the router and access point the Java applet filters and the internal firewall.

This ensures the security of the infrastructure; the rest is security services. Think of firewall, proxy, access control, internet, antivirus, password policies, permissions and rights, etc.

Your question is very generic. Try to be more specific so we can better help you.
To me it sounds like the best thing to do in that scenario is to migrate to a UTM network solution (Unified Threat Management). I've used a handful of different commercial grade firewall UTM products in my time and I would highly recommend looking into SonicWall. Depending on the throughput I would recommend either a TZ210W firewall or an NSA series firewall with a SonicPoint-N wireless AP. The SonicWall products are very flexible and much simpler to configure than equivalent Cisco devices. I can't give you too many specifics about in what areas it would help you since your description of your customer's network is very vague, but I would recommend something like this that is an all-in-one solution for your issue. The SonicWall devices also have subscription services for content filtering, anti-virus, anti-spyware and intrusion detection. I have many customers who are very happy with their SonicWall devices.
I agree with robertodeacruz that there are a lot of specific things you can do, especially to your wireless. One thing I would keep in mind is that in a realistic world, especially when you have non-tech-savvy customers, they don't understand that with increased security usually comes increased complexity. While I would recommend a strong encryption cipher I would not recommend hiding the SSID or doing MAC filtering. As long as you use a non-dictionary word for WPA or WPA2 then it should be secure.

If I wanted to I would be able to find your SSID even if it was hidden, and as far as MAC filtering, that can be easily compromised by scanning for client associations and doing MAC cloning. These two things won't help out too much with security, but can be a headache for your customers who want to easily find their wireless network and associate their computers with it.

As a must, I would make sure all their AV subscriptions are up to date. Viruses and malware are probably the biggest headaches and security risks these days. I've been seeing a lot of malware and have found that most well-known AV software does a poor job. We are either looking at supplementing our AV with MalwareBytes or getting Kaspersky, which seems to do a good job at blocking web malware threats.
ammounpierre (Author) commented:
If we were to split the issues so it makes it easier for me to present a full-fledged solution, I would say (and please correct me):

1- Internal Security: which can be achieved with Active Directory (security and rights) and AV on the PCs connected to the LAN. Moreover, ideally a NAC would be the best but extremely expensive. But what can be done is
VLANs (by department, by group of PCs, etc.). The thing with VLANs is that we can provide internal scanning of PCs via those VLANs, let me explain.
I have VLAN1 and VLAN2 and VLAN3, each has a specific number of PCs.
Now on my firewall I could set policies and rules so as to "control" the communications between those VLANs.
I could set up a policy that would scan for AV and spam all communications between VLANs,
and of course I could have my servers also in a VLAN.

Of course that is not ideal, but in case I have a problem with a PC, that VLAN would be "quarantined" till the problem is fixed.
I think that as far as internal security is required, that should be "fair enough",
coupled with security as to access of data, that should be "ok".
Please comment.

2- External Security:
He has a mail server that has webmail enabled. Here I need to find a way to "secure" that, in a way that even if someone gets access to that mail server, he still can't access my LAN. I think this is what is called a DMZ, but how do I set it up? Your help would be much appreciated.

3- WiFi. Here things are more complicated since things are more "open" to the public.
I would recommend hiding the SSID and putting a strong WPA2 password, and putting those clients that would connect through WiFi in a VLAN by themselves.

Your comments / corrections are most welcome.
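The segmentation the author sketches above (department VLANs, a server VLAN, a DMZ for the webmail host, a WiFi VLAN, and the ability to "quarantine" one VLAN) comes down to an ordered, first-match, default-deny policy on the firewall that routes between them. The script below is an added illustration, not code from the thread or from any firewall vendor: it models such a policy in Python and evaluates sample flows against it. All zone names, addresses and port numbers are constructed assumptions; a real SonicWall or other UTM would express the same rules in its own zone/policy UI. The important properties it checks are that the DMZ host can never initiate a connection into the LAN (so a compromised webmail server stays contained), that the Internet reaches only the DMZ on HTTPS, that the WiFi VLAN reaches only webmail and the Internet, and that a quarantined VLAN talks to nobody.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed, hypothetical addressing: one /24 per VLAN (not from the thread).
ZONES = {
    "vlan10_sales":    ipaddress.ip_network("10.10.0.0/24"),
    "vlan20_finance":  ipaddress.ip_network("10.20.0.0/24"),
    "vlan30_wifi":     ipaddress.ip_network("10.30.0.0/24"),
    "vlan100_servers": ipaddress.ip_network("10.100.0.0/24"),
    "dmz":             ipaddress.ip_network("192.168.200.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str                          # zone name, or "*" for any zone
    dst: str                          # zone name, or "*" for any zone
    ports: Optional[FrozenSet[int]]   # permitted TCP destination ports; None = any port
    action: str                       # "allow" or "deny"
    note: str = ""

    def matches(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        return (self.src in ("*", src_zone)
                and self.dst in ("*", dst_zone)
                and (self.ports is None or dport in self.ports))


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined VLANs is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def build_policy(quarantined=()):
    """Ordered rule list. Quarantine rules go first so they override everything else."""
    rules = [Rule(z, "*", None, "deny", "quarantined VLAN") for z in quarantined]
    rules += [
        # Internet may reach the webmail host only, and only over HTTPS.
        Rule("internet", "dmz", frozenset({443}), "allow", "public webmail over HTTPS"),
        Rule("internet", "*", None, "deny", "nothing else inbound from the Internet"),
        # The DMZ host may send mail and resolve names, but never initiate into the LAN.
        Rule("dmz", "internet", frozenset({25, 53}), "allow", "mail server needs SMTP/DNS out"),
        Rule("dmz", "*", None, "deny", "DMZ isolation: no connections into the LAN"),
        # WiFi clients get webmail and the web, nothing internal.
        Rule("vlan30_wifi", "dmz", frozenset({443}), "allow", "wifi users read webmail"),
        Rule("vlan30_wifi", "internet", frozenset({80, 443}), "allow", "wifi is internet-only"),
        Rule("vlan30_wifi", "*", None, "deny", "wifi cannot reach servers or departments"),
        # Department VLANs reach webmail, the file/SQL/RDP servers, and the web.
        Rule("*", "dmz", frozenset({443}), "allow", "internal webmail access"),
        Rule("*", "vlan100_servers", frozenset({445, 1433, 3389}), "allow", "file/SQL/RDP"),
        Rule("*", "internet", frozenset({80, 443}), "allow", "web browsing"),
        # Department-to-department traffic is not listed, so it falls through to default deny.
    ]
    return rules


def evaluate(policy, src_ip: str, dst_ip: str, dport: int):
    """First matching rule wins; an unmatched flow is denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, dport):
            return rule.action, rule.note
    return "deny", "default deny"


if __name__ == "__main__":
    normal = build_policy()
    quarantine_sales = build_policy(quarantined=("vlan10_sales",))
    samples = [  # constructed flows: (policy label, src, dst, port)
        ("normal", "203.0.113.5", "192.168.200.10", 443),   # public webmail
        ("normal", "203.0.113.5", "10.100.0.5", 3389),      # RDP from the Internet
        ("normal", "192.168.200.10", "10.100.0.5", 445),    # DMZ host probing the file server
        ("normal", "10.10.0.7", "10.100.0.5", 1433),        # sales PC to SQL
        ("normal", "10.10.0.7", "10.20.0.9", 445),          # sales PC to finance PC
        ("normal", "10.30.0.4", "10.100.0.5", 445),         # wifi client to file server
        ("quarantine", "10.10.0.7", "10.100.0.5", 1433),    # same sales PC, VLAN quarantined
    ]
    for label, s, d, p in samples:
        pol = normal if label == "normal" else quarantine_sales
        print(f"{label:10} {s:>15} -> {d:<15}:{p:<5} {evaluate(pol, s, d, p)}")
```

Run it and read the DMZ and WiFi lines: both are denied by an explicit rule placed before the broad `"*"` allows, which is the ordering mistake most often made when a DMZ is added to an existing ruleset. Adding a department VLAN is one line in `ZONES`; quarantining one is a call to `build_policy(quarantined=(...))`.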

ammounpierre (Author) commented:

To start with, I wouldn't hide the SSID, reason being, the AP might not broadcast it, but all of the workstations will, putting the workstations under threat.

Secondly, WPA2 is the correct way to go.
You want an SSID that is unique, as the password is mixed in with the SSID to create a salt etc., and that's how wireless penetration testers crack a WPA/WPA2 encryption key, via bruteforce.
You will also want to obviously use a strong password as this will help,
and lastly, you will want to use a RADIUS server for authentication.

Follow this guide


Unique SSID
Strong password
RADIUS server

I have recently passed my OSWP so I'm ready to help :D
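The post above says the passphrase is "mixed in with the SSID" to form a salt; the script below, added here as an illustration and not taken from the thread, shows exactly that derivation and why it makes the "unique SSID + strong passphrase" advice matter. WPA2-PSK derives the 256-bit Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations), which Python's standard `hashlib.pbkdf2_hmac` computes directly. The first check uses the published IEEE 802.11i test vector (SSID `IEEE`, passphrase `password`) to confirm the function is correct; the rest shows that the same passphrase yields a different key on a different SSID, so a key precomputed for a common default SSID is useless against a uniquely named network, and that only the passphrase's strength protects a network whose SSID is unique. The passphrase policy checker and its small word list are constructed assumptions for the example, not a standard.

```python
import hashlib
import secrets
import string

PBKDF2_ROUNDS = 4096          # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LENGTH = 32               # 256-bit Pairwise Master Key

# Constructed, deliberately tiny word list standing in for a real dictionary.
COMMON_WORDS = {"password", "12345678", "welcome1", "letmein1", "sunshine"}


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the WPA2-PSK Pairwise Master Key from SSID and passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LENGTH)


def pmk_is_ssid_specific(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different keys on two SSIDs (it always does)."""
    return wpa2_psk(ssid_a, passphrase) != wpa2_psk(ssid_b, passphrase)


def check_passphrase(passphrase: str) -> list:
    """Return a list of policy findings; an empty list means the passphrase passes."""
    findings = []
    if len(passphrase) < 8:
        findings.append("too short to be a valid WPA2 passphrase")
    elif len(passphrase) < 16:
        findings.append("shorter than 16 characters")
    if passphrase.lower() in COMMON_WORDS:
        findings.append("found in the common-word list")
    classes = sum(bool(set(passphrase) & set(c))
                  for c in (string.ascii_lowercase, string.ascii_uppercase,
                            string.digits, string.punctuation))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    return findings


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from the OS CSPRNG; letters, digits and a few safe symbols."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_passphrase(candidate):      # retry until it passes the policy
            return candidate


if __name__ == "__main__":
    # Published IEEE 802.11i vector: SSID "IEEE", passphrase "password".
    print("vector:", wpa2_psk("IEEE", "password").hex())
    print("default SSID vs unique SSID differ:",
          pmk_is_ssid_specific("password", "linksys", "ammoun-hq-2f"))
    for candidate in ("password", "Sunshine", "C0rrect-Horse-Battery.9"):
        print(f"{candidate!r:28} -> {check_passphrase(candidate) or 'OK'}")
    new = generate_passphrase()
    print("generated:", new, check_passphrase(new) or "OK")
```

The practical reading for the original question: choose an SSID the client is unlikely to share with any other network, set a generated passphrase of this kind on the AP, hand it to staff through a documented channel, and rotate it when someone leaves; moving to RADIUS (WPA2-Enterprise) removes the shared secret altogether, which is why the post lists it last as the strongest step.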
