
Security for our network

What are some basic steps I could take to ensure our network is secure from outside intrusion?  We have a SonicWall and Sophos Anti virus, but what other things can I do to make our network less apt to be attacked?  What holes can I test and plug?
Asked by mkramer777

1 Solution
John (Business Consultant, Owner) commented:
One fundamental way is to put yourself behind a strong IPSec VPN. Then you need a strong password to get in. Make sure you have a strong firewall with your VPN and have top notch AntiVirus.

Make sure you have the best spam control and train users not to open emails from strangers.

Finally, have daily backups and keep weekly backups offsite.

Blue Street Tech (Last Knight) commented:
Hi mkramer777,

There is a ton... so much so that I would not be able to address it in this question.

What model is the SonicWALL?

Here are some very general concepts though.

Firewall Age

First off, if it's more than 3-4 years old, chances are it will not have the needed capabilities to inspect traffic the way it needs to in order to prevent and mitigate current-day threats. Avoid using SPI (Stateful Packet Inspection) devices...they are worthless to mitigate today's threat landscape.

SonicOS Version

You should make sure your SonicOS is current on the latest General Release, which will provide security, bug and functionality improvements.

Ingress & Egress Ports

Analyze your WAN>LAN ports and make sure you have all set to discard unless there are services that absolutely require them being open such as Exchange/OWA, MSFT RDS, Web Server, etc. Do not open RDP (Remote Desktop Protocol) on 3389 or any other port, as port obfuscation is not security. All unencrypted traffic should be blocked if possible, e.g. port 80 (in which case port redirection on the web server should be invoked). And, if you can, restrict the Sources. On the Egress side it is good to filter that as well, but it is time intensive and requires thorough testing...so at minimum I'd force DNS to authorized servers only.

Licensing

If you want to stop Ransomware, Zero-Day & Unknown attacks at the gateway (before it hits your network) you need to get AGSS (Advanced Gateway Security Suite). You should as a minimum requirement have CGSS (Comprehensive Gateway Security Suite). You procure one or the other, as AGSS is just CGSS plus CAPTURE ATD (Advanced Threat Detection). I'd obviously recommend AGSS. AGSS will provide you with machine learning AI (Artificial Intelligence) cybersecurity and the required defenses needed to mitigate today's current threat landscape.

Inspection

You need to inspect both unencrypted & encrypted traffic as a security baseline. 72% of traffic is now encrypted and rising. No firewall will inspect this traffic unless you implement specific techniques to do so, namely a sanctioned MitM (Man-in-the-Middle) attack on all packets entering/leaving your network. SonicWALL has this capability built-in to all Gen6 devices and newer, but it, as well as everything else I have stated, needs to be configured, and that is where the security value lies.

VPNs

Avoid Aggressive Mode Proposal Exchanges as they are officially insecure. For C2S (Client-to-Site) VPNs opt for SSL-VPN w/2FA as opposed to GVC (Global VPN Client). For S2S (Site-to-Site) VPNs make sure both public IPs are static and use IKEv2 or Main Mode for the Proposal Exchange. Again, do not use Aggressive Mode if one public IP is dynamic. If one public IP is dynamic, either implement IKEv2 or DDNS with Main Mode, prioritized accordingly.

Management

Whether you are remotely or locally managing the firewall, Sources should be restricted explicitly. Also, if the SonicOS is not current with WAN management enabled, you could allow adversaries to compromise the device, because older firmware used SHA-1 on SSLv2, SSLv3 and SSLv3.1 (TLS 1.0), all of which are separate attack points that have been officially deemed insecure.

From an inspection or test side you can run port scans on your network externally, which will tell you what ports are listening and will be helpful even though it may seem duplicative, since you will have already assessed the required open ports above. The reason it is not duplicative is because of how you configure the device, which can cause unintended results. For example, if you were to mitigate flooding you may set up a proxy for the WAN connection, and in doing so that will respond to port scans even if the firewall/port is explicitly set to not respond.

You should really seek a professional to set up the specific security parameters especially if this is for a business.

Let me know if you have any other questions!
kevinhsieh commented:
There is so much to do, as Blue Street Tech pointed out.
You can scan your network from the outside in. At the very least, run nmap from some other location against the IP space on your firewall and make sure that you only see services that you are inspecting. Taking that up a level is to have external vulnerability scans from a company like Tenable or Qualys to test the firewall and devices behind it for known vulnerabilities.

You should make sure all your workstations and servers are patched on a regular basis. These days, that might mean weekly.

Train your users to spot phishing and malicious email.

Your firewall should only allow specific traffic outbound. For me that is web browsing, web browsing over TLS, and DNS from servers only, and NTP from servers only. Email servers also have access. Everything else is blocked by default. I also block most countries by default both inbound and outbound.
John (Business Consultant, Owner) commented:
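Both Blue Street Tech and kevinhsieh recommend scanning the firewall's public address from outside and checking that only the intended services answer. The script below is an added example, not code from either poster or from SonicWALL: it parses nmap's grepable (`-oG`) output and reports any open port that is not on the list you expect from your WAN>LAN rule review. It assumes nmap is installed on a host outside the firewall for the live scan; the address 203.0.113.10 is a placeholder and the sample scan output embedded in the script is constructed, not captured, so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, not SonicWALL code): compare an external
# nmap grepable-format scan of the firewall's public address against the list
# of ports that are supposed to be reachable, and report anything else.
# Assumptions: nmap on a host outside the firewall for the live scan;
# 203.0.113.10 is a placeholder address; SAMPLE_SCAN is constructed, not real.

# Ports the WAN>LAN rules are meant to allow (constructed list; edit to match
# your own rule review).
EXPECTED_PORTS="443/tcp 25/tcp"

# Constructed sample of "nmap -p- -oG -" output (real output separates the
# Host/Ports/Ignored fields with tabs; the parser accepts tabs or spaces).
SAMPLE_SCAN='# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- -oG - 203.0.113.10
Host: 203.0.113.10 ()  Status: Up
Host: 203.0.113.10 ()  Ports: 22/closed/tcp//ssh///, 25/open/tcp//smtp///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///  Ignored State: filtered (65530)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds'

# open_ports: read -oG text on stdin, print "port/proto" for each open port.
open_ports() {
    awk '
        /Ports: / {
            s = $0
            sub(/.*Ports: /, "", s)                 # drop the Host prefix
            sub(/[ \t]*Ignored State.*/, "", s)     # drop the trailing summary
            n = split(s, entry, /, */)              # one entry per port
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")             # port/state/proto/owner/service/...
                if (f[2] == "open") print f[1] "/" f[3]
            }
        }'
}

# unexpected_ports EXPECTED: read -oG text on stdin, print open ports that are
# not in the space-separated EXPECTED list, lowest port first.
unexpected_ports() {
    expected=" $1 "
    open_ports | while read -r p; do
        case "$expected" in
            *" $p "*) ;;          # sanctioned service, nothing to report
            *) echo "$p" ;;       # reachable from the WAN but not on the list
        esac
    done | sort -n
}

# audit_sample: run the comparison over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$EXPECTED_PORTS"
}

# Live use from a host outside the firewall (needs nmap; placeholder address):
#   nmap -p- -oG - 203.0.113.10 | unexpected_ports "$EXPECTED_PORTS"
#
# Stand-alone run against the constructed sample: prints 3389/tcp and 8080/tcp,
# i.e. RDP and an HTTP proxy answering from the WAN that the rule review did
# not sanction.
audit_sample
```

Anything the script prints is worth chasing in the rule base: as Blue Street Tech notes, a WAN-side proxy or flood-protection feature can answer a probe even when the matching access rule is set to discard, so a port that looks closed in the rule table can still show up as open from outside.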
A firewall is only one piece of security.

Spam control and training users (as suggested at the beginning) is the best security defense.
John (Business Consultant, Owner) commented:
There was far more than one single solution to this big topic.
Blue Street Tech (Last Knight) commented:
Glad I could help... thanks for the points!