Security Basics mailing list archives
RE: Securing a Local Network
From: "Eric Curbo" <eric.curbo () worldtravelinteractive com>
Date: Wed, 14 Apr 2004 16:40:58 -0400
John,

I do not have the answers to all your questions, as you will really have to decide them yourself, but I will offer some things to consider.

First, you did not say what business the company was in, but you did state that they balked at the price. I have run into the problem repeatedly and have found a pretty good solution. Basically, document worst-case scenarios and possible disaster scenarios and the cost of recovering from them. How much would it cost them if a financial workstation that is not being backed up has a hard drive failure and they have to recreate all the financials? Could they even reproduce all the data if they had to? How much would it cost if a virus infected one PC and then spread to the rest of the network, causing them to be out of commission for 24 or 48 hrs? What would it cost them to close their doors for two days while the virus is cleaned up? What would their loss be if a competitor hacked into their network and was able to access all their data? You know their business, so it should be easy for you to detail real-world possible disaster scenarios. Additionally, if management rejects these theories or still refuses to allocate funds to rectify them, you have already covered your own rear if that does happen. If you don't mention it beforehand and then a virus brings down the network, you could be blamed for not making them aware of the repercussions of not taking appropriate steps.

Second, "Is a Linux domain controller a solution?" Yes, it is definitely a solution, but will it be a less costly solution is the real question. Yes, Linux initial software costs will be less expensive than Windows, but do you have anyone in-house who can administer the software, or will you have to pay a consultant to work on it? Will you have to pay for user training on it? Will it create new conflicts with your Microsoft network? Support time and costs should be included in the total costs when making this decision.

Third issue is virus protection. On the gateway versus desktop question, you have to consider where your risks of infection come from and how much of the risk each solution protects you from. True, the majority of viruses will come through email or be downloaded directly from the Internet, and a gateway solution would protect you there, but viruses can infect you from numerous other sources. What if a user unknowingly brings an infected floppy disk in to the office with a document he created on his home PC (which is infected already)? If you have desktop-level anti-virus, then it does not really matter where the virus came from; it will be stopped at the desktop. Conversely, if you just have gateway protection, then this user is still going to infect your network from inside the gateway antivirus solution. IMO desktop-level virus protection is essential. Gateway and email virus protection are nice additions but insufficient if not used in conjunction with a desktop anti-virus solution.

Another consideration on the antivirus is central administration. For a network, you need one central location where you can collect information about virus infections and verify that definitions are up to date. You do not want a solution that requires you to visit every workstation to verify they are not infected and have up-to-date definitions. You also want a solution that can automatically check for updates and then download and install the updates on all its clients.

If I was a consultant for this company, my recommendations would be as follows:

1) Purchase a Windows Server with tape backup drive.
2) Create a domain and network shares for all users to store their data.
3) Install and configure a backup program to back up the server every night and have at least a 10 tape backup rotation.
4) Install a centralized antivirus solution such as Symantec Antivirus Corporate Edition or Trend Micro.
5) Install a small office firewall such as Cisco Pix 501.

If you have to narrow it down, I would focus first on virus protection, then on backups, and finally external security. Take the low hanging fruit away first and work up to the more complicated solutions. You can do the antivirus and backups without a central server if you must (but administration and support will be significantly more difficult).

Hope this helped (and wasn't too long).

Eric

-----Original Message-----
From: John Roberts [mailto:roberts () tridecap com]
Sent: Tuesday, April 13, 2004 1:17 PM
To: security-basics () securityfocus com
Subject: Securing a Local Network

I started working as a sys admin at a small company (about 15 people) and they are starting to think it's time to upgrade their network. Right now it's just 20 computers, running a mix of XP and 2000 on a local network, sharing files, with almost no anti virus, and the only protection from the outside world is the NAT that the routers perform. I've tried to get them to upgrade to a domain, add a file server for backup, get some office-wide virus protection and maybe even take our email in house, but they've balked at the price to set up a legit Windows domain.

The main goals are access control on the local network and virus / worm protection. I'm suggesting a Windows domain controller to enforce access control and then a centralized anti-virus product. Is this enough, and are there other (easier, cheaper, more effective) ways to make sure that only the people who need to can access the financial records, the computer people can access all the computers when they need to, and some user who decides to download a cute little program won't destroy the whole network with a virus?

Is a Linux domain controller a solution, considering everything else in house is Windows? Is an anti-virus solution at the gateway better than an anti-virus solution on each desktop?

Basically, what's a good way to set up a solid base of network security, which can then be expanded on?

John Roberts