Secure a network?

Posted on 2010-08-16
Medium Priority
Last Modified: 2013-12-04
Hello Gurus,
I have a customer who has 7 servers (email/file server /sql server and Remote desktop)
+ 50 users and a wireless network.

for the time being he doesn't have much security on the system.
he is asking from me to propose to him a way to secure his network infrastructure.

any help ?
PS windows 2008
Question by:ammounpierre
LVL 20

Expert Comment

ID: 33445728
a lot of things to look at..
internal v external security.
backup & recovery
do you want logging to be able to look at possible breach attempts.
Password policies
Patching and updating of software
LVL 20

Expert Comment

ID: 33445758
what routers are being used and what vulnerabilities are there?
also there are risks from internal staff accessing compromising websites and opening up a backdoor.
so you also need to look at workstation protection, antivirus, spyware etc

security isn't a separate topic - it is a topic that links into every other part of IT.
Every time you look at a new product or software you should look at whether or not it poses a risk and how that risk will be managed.
You can never be 100% protected - as there is always the risk of something like corrupt staff - which is why backup and recovery solutions are part of the picture.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33445772
That's not so simple as wolfcamel wrote. There are many things to check. You have to give us more details (networks configuration, topology, DCs configuration) and of course his needs.
LVL 20

Expert Comment

ID: 33445793
also - you need to look at it from a risk management point of view.
weigh up the difference between..
low risk - low impact
low risk - high impact
high risk - low impact
high risk - high impact

look at everything from the point of view of moving it towards low/low and spend your money primarily on the high/high issues.

eg - the chance of a staff member deleting word documents is low - and the impact is low as you can recover from backup, whereas - if you had a completely open firewall and your admin password was password - you would have a high risk and potentially high impact if someone 'hacked' in
LVL 20

Expert Comment

ID: 33445871
also - work from an outside in approach..
with the data on the server being the innermost layer.
and the physical access to the network being the outermost layer.

Author Comment

ID: 33445940
The issue is that as of now he has nothing.
He only has an old network consisting of an old server win2000 and around 40 workstations.
He needs from me an assessment of what needs to be done.
He will be installing a sql 2005 solution and an email server (mdaemon) and a windows 2008 servers..
He is more inclined towards having vlans as to limit damages in case something happens.. So I am to lay out for him a topology where by he would have vlans per department (around 5) linked to a main switch/router...
But I need to present him a whole infrastructure solution so we can start implementing step by step..
Thanks for ur help gurus !!

Expert Comment

ID: 33446480
For wireless, use the hidden ID without broadcast, use a strong password, algorithm WPA2-PSK, preferably. Consider allowing only registered MAC addresses to obtain a network address. Enable in the router and access point, the filters of Java applets and internal firewall.

This ensures the security of infrastructure, the rest is security services. Think of firewall, proxy, access control, internet, antivirus, password policies, permissions and rights, etc..

Your question is very generic. Try to be more specific so we can better help you.

Expert Comment

ID: 33446740
To me it sounds like the best thing to do in that scenario is to migrate to a UTM network solution (Unified Threat Management).  I've used a handful of different commercial grade firewall UTM products in my time and I would highly recommend looking into Sonicwall.  Depending on the throughput I would recommend either a TZ210W firewall or a NSA series firewall with a SonicPoint-N wireless AP.  The sonicwall products are very flexible and much simpler to configure than equivalent Cisco devices.  I can't give you too many specifics about in what areas it would help you since your description of your customer's network is very vague, but I would recommend something like this that is an all in one solution for your issue.  The sonicwall devices also have subscription services for Content filtering, anti-virus, anti-spyware and intrusion detection.  I have many customers who are very happy with their Sonicwall devices.

Expert Comment

ID: 33446854
I agree with robertodeacruz that there are a lot of specific things you can do especially to your wireless.  One thing I would keep in mind is that in a realistic world especially when you have non-tech savvy customers that they don't understand that with increased security usually comes increased complexity.  While I would recommend a strong encryption cipher I would not recommend hiding the SSID or doing MAC filtering.  As long as you use a non-dictionary word for WPA or WPA2 then it should be secure.  

If I wanted to I would be able to find your SSID even if it was hidden and as far as MAC filtering that can be easily compromised by scanning for client associations and doing MAC cloning.  These two things won't help out too much with security, but can be a headache for your customers who want to easily find their wireless network and associate their computers with it.

As a must, I would make sure all their AV subscriptions are up to date.  Viruses and Malware are probably the biggest headaches and security risks these days.  I've been seeing a lot of Malware and have found that most well known AV software does a poor job.  We are either looking at supplementing our AV with MalwareBytes or getting Kaspersky which seems to do a good job at blocking web malware threats.

Author Comment

ID: 33471885
If we were to split the issues so it makes it easier for me to present a full fledged solution I would say (and please correct me)

1-Internal Security: which can be achieved with Active Directory (security and rights) and AV on the PCs connected to the LAN. Moreover, ideally a NAC would be the best but extremely expensive. But what can be done is
VLANs (by department , by group of PCs...etc..). The thing with VLANs is that we can provide internal scanning of PCs via those VLANs, let me explain.
I have VLAN1 and VLAN2 and VLAN3 each has a specific number of PCs.
now on my Firewall. I could set policies and rules as to "control" the communications between those VLANs.
I could set up a policy that would scan for AV and Spams all communications between VLANs...
and of course I could have my servers also in a VLAN.

Of course that is not ideal... but in case I have a pb with a PC ... that VLAN would be "quarantined" till the solution is fixed...
I think that as far as internal Security is required... that should be "fair enough".
coupled with security as to access of data... that should be "ok'.
Please comment...

2-External Security...
He has a mail server that has webmail enabled... Here I need to find a way to "secure" that... in a way that even if someone gets access to that mail server... still he can't access my LAN.. I think this is what is called DMZ.. but how do I set it? Your help would be much appreciated...

3-WIFI. Here things are more complicated since things are more "open" to public...
I would recommend to hide the SSID and put a strong WPA2 password... and put those clients that would connect through wifi in a VLAN by themselves...

Your comments /corrections are mostly welcome...


Author Comment

ID: 33494791

Accepted Solution

6006645 earned 2000 total points
ID: 33510317

To start with, I wouldn't hide the SSID, reason being, the AP might not broadcast it, but all of the workstations will, putting the workstations under threat

Secondly WPA2 is the correct way to go
You want an SSID that is unique, as the password is mixed in with the SSID to create a salt etc and that's how wireless penetration testers crack a WPA/WPA2 encryption key, via bruteforce
You will also want to obviously use a strong password as this will help
and lastly, you will want to use a Radius server for authentication

Follow this guide


Unique SSID
Strong Password
Radius server

I have recently passed my OSWP so I'm ready to help :D
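
The point in the accepted answer about the SSID being mixed into the key, as an added example that is not part of the original thread: in WPA2-Personal the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, so the same passphrase yields a different key on every distinctly named network. The helper names, the short default-SSID sample and the 16-character length floor are assumptions chosen for illustration.

```python
import hashlib

# Constructed, non-exhaustive sample of factory-default style SSIDs (assumption).
COMMON_SSIDS = {"linksys", "netgear", "default", "dlink", "home", "wireless"}
MIN_PASSPHRASE_LEN = 16  # assumed policy floor; WPA2 itself only requires 8


def wpa2_pmk(passphrase, ssid):
    """Derive the 32-byte WPA2-PSK master key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit_wlan(ssid, passphrase):
    """Return configuration findings for a planned WPA2-PSK network (empty list = none)."""
    findings = []
    if ssid.lower() in COMMON_SSIDS:
        # A shared, well-known salt means keys derived for it are reusable across sites.
        findings.append("ssid-common")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("passphrase-short")
    if ssid.lower() in passphrase.lower():
        findings.append("passphrase-contains-ssid")
    return findings


if __name__ == "__main__":
    phrase = "correct horse battery staple 42"  # constructed sample passphrase
    for name in ("linksys", "Acme-Floor2-7f3a"):  # constructed sample SSIDs
        print(name, wpa2_pmk(phrase, name).hex(), audit_wlan(name, phrase))
```

The two printed keys differ even though the passphrase is identical, which is why a unique SSID matters alongside a long passphrase. A RADIUS-backed (WPA2-Enterprise) network does not use this shared-passphrase derivation at all.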

Question has a verified solution.