Security for our network

What are some basic steps I could take to ensure our network is secure from outside intrusion?  We have a SonicWall and Sophos Anti virus, but what other things can I do to make our network less apt to be attacked?  What holes can I test and plug?
mkramer777 asked:

John (Business Consultant, Owner) commented:
One fundamental way is to put yourself behind a strong IPSec VPN. Then you need a strong password to get in. Make sure you have a strong firewall with your VPN and have top-notch antivirus.

Make sure you have the best spam control and train users not to open emails from strangers.

Finally, have daily backups and keep weekly backups offsite.
0
Blue Street Tech (Last Knight) commented:
Hi mkramer777,

There is a ton... so much so that I would not be able to address it in this question.

What model is the SonicWALL?

Here are some very general concepts though.

Firewall Age

First off, if it's more than 3-4 years old, chances are it will not have the needed capabilities to inspect traffic the way it needs to in order to prevent and mitigate current-day threats. Avoid using SPI (Stateful Packet Inspection) devices...they are worthless to mitigate today's threat landscape.

SonicOS Version

You should make sure your SonicOS is current on the latest General Release, which will provide security, bug and functionality improvements.

Ingress & Egress Ports

Analyze your WAN>LAN ports and make sure you have all set to discard unless there are services that absolutely require them being open, such as Exchange/OWA, MSFT RDS, Web Server, etc. Do not open RDP (Remote Desktop Protocol) on 3389 or any other port, as port obfuscation is not security. All unencrypted traffic should be blocked if possible, e.g. port 80 (in which case port redirection on the web server should be invoked). And if you can, restrict the Sources. On the Egress side it is good to filter that as well, but it is time intensive and requires thorough testing...so at minimum I'd force DNS to authorized servers only.

Licensing

If you want to stop Ransomware, Zero-Day & Unknown attacks at the gateway (before it hits your network) you need to get AGSS (Advanced Gateway Security Suite). You should as a minimum requirement have CGSS (Comprehensive Gateway Security Suite). You procure one or the other, as AGSS is just CGSS plus CAPTURE ATD (Advanced Threat Detection). I'd obviously recommend AGSS. AGSS will provide you with machine learning AI (Artificial Intelligence) cybersecurity and the required defenses needed to mitigate today's current threat landscape.

Inspection

You need to inspect both unencrypted & encrypted traffic as a security baseline. 72% of traffic is now encrypted and rising. No firewall will inspect this traffic unless you implement specific techniques to do so, namely a sanctioned MitM (Man-in-the-Middle) attack on all packets entering/leaving your network. SonicWALL has this capability built into all Gen6 devices and newer, but it, as well as everything else I have stated, needs to be configured, and that is where the security value lies.

VPNs

Avoid Aggressive Mode Proposal Exchanges as they are officially insecure. For C2S (Client-to-Site) VPNs opt for SSL-VPN w/2FA as opposed to GVC (Global VPN Client). For S2S (Site-to-Site) VPNs make sure both public IPs are static and use IKEv2 or Main Mode for the Proposal Exchange. Again, do not use Aggressive Mode if one public IP is dynamic. If one public IP is dynamic, either implement IKEv2 or DDNS with Main Mode, prioritized accordingly.

Management

Whether you are remotely or locally managing the firewall, Sources should be restricted explicitly. Also, if the SonicOS is not current with WAN management enabled, you could allow adversaries to compromise the device, because older firmware used SHA-1 on SSLv2, SSLv3 and SSLv3.1 (TLS 1.0), all of which are separate attack points that have been officially deemed insecure.

From an inspection or test side you can run port scans on your network externally, which will tell you what ports are listening and will be helpful even though it may seem duplicative, since you will have already assessed the required open ports above. The reason it is not duplicative is because how you configure the device can cause unintended results. For example, if you were to mitigate flooding you may set up a proxy for the WAN connection, and in doing so that will respond to port scans even if the firewall/port is explicitly set to not respond.

You should really seek a professional to set up the specific security parameters, especially if this is for a business.

Let me know if you have any other questions!
1

kevinhsieh commented:
There is so much to do, as Blue Street Tech pointed out.
You can scan your network from the outside in. At the very least, run nmap from some other location against the IP space on your firewall and make sure that you only see services that you are inspecting. Taking that up a level is to have external vulnerability scans from a company like Tenable or Qualys to test the firewall and devices behind it for known vulnerabilities.

You should make sure all your workstations and servers are patched on a regular basis. These days, that might mean weekly.

Train your users to spot phishing and malicious email.

Your firewall should only allow specific traffic outbound. For me that is web browsing, web browsing over TLS, and DNS from servers only, and NTP from servers only. Email servers also have access. Everything else is blocked by default. I also block most countries by default both inbound and outbound.
0
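The external scan both answers above recommend is only useful if someone compares the result against the list of services that are supposed to be exposed. The following added example (not from the thread or from SonicWALL) parses nmap's grepable output (`-oG`) and reports anything open that is not on an assumed approved ingress list, flagging RDP on 3389 and unencrypted HTTP on 80 as the posts describe; the scan output, the address and the approved list are constructed for illustration.

```python
# Constructed sample: nmap "grepable" (-oG) output from an external scan of
# a firewall's public address (documentation-range placeholder, not a real host).
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 500/open|filtered/udp//isakmp///\tIgnored State: filtered (996)
# Nmap done (constructed sample)
"""

# Assumed allow-list of services the business decided must be reachable from
# the WAN: HTTPS for OWA/web and IKE (UDP 500) for the site-to-site VPN.
EXPECTED_OPEN = {("tcp", 443), ("udp", 500)}

# Ports that should never be reachable from outside, with the reason given above.
NEVER_EXPOSE = {
    ("tcp", 3389): "RDP exposed directly; VPN in first, moving the port is not security",
    ("tcp", 80): "unencrypted HTTP; block it and redirect to 443 on the web server",
}

def parse_grepable(text):
    """Yield (host, proto, port, state) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs up to the next tab-separated field (Ignored State).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")   # port/state/proto/owner/service/...
            if len(fields) < 3:
                continue
            yield host, fields[2], int(fields[0]), fields[1]

def audit(text, expected=EXPECTED_OPEN, never=NEVER_EXPOSE):
    """Return findings as (host, proto, port, severity, reason) tuples."""
    findings, seen = [], set()
    for host, proto, port, state in parse_grepable(text):
        if "open" not in state:          # "open" and "open|filtered" both count
            continue
        seen.add((proto, port))
        if (proto, port) in never:
            findings.append((host, proto, port, "high", never[(proto, port)]))
        elif (proto, port) not in expected:
            findings.append((host, proto, port, "medium", "open but not in the approved ingress list"))
    # An approved service that is not reachable usually means a broken NAT/access rule.
    for proto, port in sorted(expected - seen):
        findings.append(("-", proto, port, "info", "expected service not reachable; check NAT/access rule"))
    return findings
```

Run the real scan with `nmap -oG scan.txt <public-ip>` from a host outside the network and feed the file's contents to `audit()`; repeat after every firewall change, since the flood-protection proxy case above can make ports answer that the rules say are closed.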
John (Business Consultant, Owner) commented:
A firewall is only one piece of security.

Spam control and training users (as suggested at the beginning) is the best security defense.
0
John (Business Consultant, Owner) commented:
There was far more than one single solution to this big topic.
0
Blue Street Tech (Last Knight) commented:
Glad I could help... thanks for the points!
0