Security Basics mailing list archives

RE: Securing a Local Network


From: "Eric Curbo" <eric.curbo () worldtravelinteractive com>
Date: Wed, 14 Apr 2004 16:40:58 -0400

John, 

I do not have the answers to all your questions as you will really have
to decide them yourself but I will offer some things to consider.

First, you did not say what business the company was in but you did
state that they balked at the price.  I have run into the problem
repeatedly and have found a pretty good solution.  Basically, document
worst case scenarios and possible disaster scenarios and the cost of
recovering from them.  How much would it cost them if a financial
workstation, that is not being backed up, has a hard drive failure and
they have to recreate all the financials?  Could they even reproduce all
the data if they had to? How much would it cost if a virus infected one
PC then spread to the rest of the network causing them to be out of
commission for 24 or 48 hrs? What would it cost them to close their
doors for two days while the virus is cleaned up?  What would their loss
be if a competitor hacked into their network and was able to access all
their data?  You know their business so it should be easy for you to
detail real world possible disaster scenarios.  Additionally, if
management rejects these theories or still refuses to allocate funds to
rectify them, you have already covered your own rear if that does
happen.  If you don't mention it beforehand and then a virus brings down
the network, you could be blamed for not making them aware of the
repercussions of not taking appropriate steps.

Second, "Is a linux domain controller a solution?". Yes it is definitely
a solution but will it be a less costly solution is the real question?
Yes, Linux initial software costs will be less expensive than Windows
but do you have anyone in-house who can administer the software or will
you have to pay a consultant to work on it?  Will you have to pay for
user training on it?  Will it create new conflicts with your Microsoft
network?  Support time and costs should be included in the total costs
when making this decision.

Third issue is virus protection.  On the gateway versus desktop question,
you have to consider where your risks of infection come from and how
much of the risk does each solution protect you from.  True, the
majority of viruses will come through email or downloaded directly from
the Internet and a gateway solution would protect you there but viruses
can infect you from numerous other sources. What if a user unknowingly
brings an infected floppy disk in to the office with a document he
created on his home PC (which is infected already).  If you have desktop
level anti-virus then it does not really matter where the virus came
from, it will be stopped at the desktop.  Conversely, if you just have
gateway protection then this user is going to still infect your network
from inside the gateway antivirus solution.  IMO desktop level virus
protection is essential.  Gateway and email virus protection are nice
additions but insufficient if not used in conjunction with desktop
anti-virus solution.  Another consideration on the antivirus is central
administration.  For a network, you need one central location where you
can collect information about virus infections and verify that
definitions are up to date.  You do not want a solution that requires
you to visit every workstation to verify they are not infected and have
up to date definitions.  You also want a solution that can automatically
check for updates and then download and install the updates on all its
clients.  

If I was a consultant for this company, my recommendations would be as
follows:
1) Purchase a Windows Server with tape backup drive.
2) Create a domain and network shares for all users to store their data.
3) Install and configure a backup program to back up the server every
night and have at least a 10 tape backup rotation.
4) Install a centralized antivirus solution such as Symantec Antivirus
Corporate Edition or Trend Micro.
5) Install a small office firewall such as Cisco Pix 501.  

If you have to narrow it down, I would focus first on virus protection,
then on backups, and finally external security.  Take the low hanging
fruit away first and work up to the more complicated solutions.  You can
do the antivirus and backups without a central server if you must (but
administration and support will be significantly more difficult).

Hope this helped (and wasn't too long).
Eric



-----Original Message-----
From: John Roberts [mailto:roberts () tridecap com] 
Sent: Tuesday, April 13, 2004 1:17 PM
To: security-basics () securityfocus com
Subject: Securing a Local Network


I started working as a sys admin at a small company (about 15 people)
and they are starting to think it's time to upgrade their network.
Right now it's just 20 computers, running a mix of XP and 2000 on a
local network, sharing files, with almost no anti virus and the only
protection from the outside world is the NAT that the routers perform.  

I've tried to get them to upgrade to a domain, add a file server for
backup, get some office wide virus protection and maybe even take our
email in house, but they've balked at the price to setup a legit windows
domain.  The main goals are access control on the local network and
virus / worm protection.  I'm suggesting a Windows domain controller to
enforce access control and then a centralized anti-virus product.  Is
this enough, and are there other (easier, cheaper, more effective ways)
to make sure that only the people who need to can access the financial
records, the computer people can access all the computers when they need
to, and some user who decides to download a cute little program won't
destroy the whole network with a virus?


Is a linux domain controller a solution, considering everything else in
house is windows?  Is an anti-virus solution at the gateway better than
an anti-virus solution on each desktop?  Basically, what's a good way to
set up a solid base of network security, which can then be expanded on?

John Roberts

