Need help with business DSL security!
We have a small business with 20 workstations that runs 24 hrs a day. Right now most of the stations have dial-up and we are wanting to go to DSL. A local ISP has suggested a router and another computer running a firewall before the server. We have some rather sensitive and valuable data on our server and we need max security. No e-commerce or connections outside the network. We use the internet to do research and transmit data to other networks.
Any affordable ideas?
A good firewall/proxy server might be in order for you. The firewall will block attempts from the outside, and the proxy will hide your internal network and offer some logging capabilities.
Check out www.tinysoftware.com/winpro.php.
There are many others, but Tiny seems to have a well balanced solution.
You may want to consider a hardware firewall such as the SonicWALL SOHO2 (buy online for about $850 in 50-user version)
or SonicWALL XPRS2 if you need a DMZ (about $1400 unlimited users)
I use the SOHO2 in a two-user home office, but the product can handle many more users.
Also, some good general reading at
Steve / I know your IP address / Consultant
Yorba Linda, CA
Don't fool with software-based firewalls or proxy servers unless you're really comfortable with them or value your time at minimum wage. These are fine for a home user on the cheap, but a much better solution for a business is to use a hardware router with NAT built in, and you set it up once and forget about it.
NAT is Network Address Translation, and it means that all the "inside" machines are on a private IP address range, and the router translates the address on the fly, and they form a kind of inherent security that is excellent. Virtually all routers, even low-end ones, provide very good NAT capabilities. NAT does sometimes cause problems with exotic protocols (Netmeeting, for instance), but for "standard" surfing it works just fine.
The router selection is sometimes made for you by the DSL provider. Higher end services such as Pac*Bell business DSL include a Cayman GatorSurf modem/router combo, and it does everything in a single unit. Very easy to set up and manage via a web browser.
Other services provide just a DSL modem (usually in bridging mode) that requires another box, and for this I very much like the Netopia R9100 Ethernet-to-Ethernet router. These cost around $400 on the street, and though there are much cheaper routers out there, I've found the Netopia to be very capable with excellent support. I and my customers have used these routers for years.
On the medium end there are units like the Sonicwall Pro-VX (street price ~$3500), which are positively outstanding for a larger network with higher throughput, and they also provide a DMZ port for isolating a web server. I don't believe that most DSL circuits have enough throughput to require these units.
Regardless of what solution you go with, be VERY careful about exporting any services through it. This is where a small "hole" is made in the router to permit inbound connections to a limited number of services, most commonly a web server. Do not do this unless you are exceptionally aware of security issues, because web servers are notorious for security bugs -- especially IIS -- and I've penetrated many networks behind high-end firewalls that exposed a buggy web server. I don't permit any of my customers to have a web server inside a firewall for this very reason.
Also: most hardware units permit web or telnet-based administration, often from the "outside" interface. Always set a strong password on these, and try to disable outside admin. If you leave things open, the bad guy can reconfigure your router to expose all your services and hack you like mad.
Consider a hardware solution with VPN support. This will let you work from home and connect to the office with complete security. The two main technologies are IPSec and PPTP, and support for this is varied. Probably the easiest for a single home user is to use PPTP (built into Windows), but IPSec is a bit better regarded. Many very low-end units support PPTP only, but better units such as the Netopia support both. I really hate exposing PPTP on an internal NT server for this: VPNs should be done by hardware, not by software.
Finally, no matter what you do, have your network checked by somebody competent in security. It's a bummer to have a great fast DSL connection and accidentally leave something important exposed. This happens a lot, and most of these can be very easily cleaned up.
Disclaimer: happy-customer testimonials only. I'm not a reseller of anything.
Stephen J. Friedl / Software Consultant / Tustin, California USA / firstname.lastname@example.org
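A toy model of the NAT gateway Stephen describes above, added here as an illustration and not code from any product named in the thread: outbound traffic from the private range is translated and remembered, unsolicited inbound traffic is dropped because no translation exists, and a port forward ("exporting a service") or admin access on the outside interface deliberately re-opens a hole. All addresses, ports and the admin port number are constructed assumptions.

```python
"""Toy NAT gateway: translate outbound flows, drop unsolicited inbound,
and show the two holes the thread warns about (exported service, outside
admin). Added example with constructed addresses; not a product's code."""
from dataclasses import dataclass

PRIVATE_NET = "192.168.1."    # inside range (constructed)
PUBLIC_IP = "203.0.113.10"    # gateway's outside address (constructed)
ADMIN_PORT = 8080             # gateway's own web admin port (assumed)


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    def __init__(self, forwards=None, outside_admin=False):
        self.forwards = forwards or {}  # public port -> (inside host, port)
        self.outside_admin = outside_admin
        self.nat = {}                   # public port -> (inside host, port, peer)
        self.next_port = 40000

    def handle(self, pkt):
        """Return ('forward', translated pkt), ('admin', why) or ('drop', why)."""
        if pkt.iface == "inside":
            if not pkt.src.startswith(PRIVATE_NET):
                return ("drop", "non-private source on inside interface")
            pub, self.next_port = self.next_port, self.next_port + 1
            self.nat[pub] = (pkt.src, pkt.sport, pkt.dst)   # remember the flow
            return ("forward", Packet("outside", PUBLIC_IP, pub, pkt.dst, pkt.dport))
        if pkt.dst != PUBLIC_IP:
            return ("drop", "not addressed to the gateway")
        if pkt.dport in self.nat:
            host, port, peer = self.nat[pkt.dport]
            if pkt.src == peer:             # reply to a connection we opened
                return ("forward", Packet("inside", pkt.src, pkt.sport, host, port))
            return ("drop", "translation exists but peer does not match")
        if pkt.dport in self.forwards:      # the "small hole" for an exported service
            host, port = self.forwards[pkt.dport]
            return ("forward", Packet("inside", pkt.src, pkt.sport, host, port))
        if pkt.dport == ADMIN_PORT:
            if self.outside_admin:
                return ("admin", "router admin interface reachable from outside")
            return ("drop", "outside admin disabled")
        return ("drop", "no translation or forward matches")
```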
What we use at our office is Checkpoint. This is a high end solution and requires a unix box (preferred) or NT to run. It's superb and robust in its security, but also pricey. If you are going DSL, then get the best connection you can. You don't want your personnel screaming at you because of lost connections. Better to go with a T1 if the data is that important and let your personnel use DSL at home.
"There's no such thing as a pretty good alligator wrestler." - an
unnamed, surprisingly veteran alligator wrestler
Personally, for a corporate connection, I would get a hardware firewall; one that does not depend upon any given system running at any given time. One with some sort of secure remote administration - and someone who knows about security issues to administer it. After all, a firewall is only as secure as it is setup to be.
You should probably use separate routers and switches as well. I say separate because you do not want to be out of commission if the firewall/router/switch fails and it is an all-in-one solution. A SOHO router should be sufficient for 20 workstations, provided you will not have any servers running. Get at least a 24 or 48 port switch, though, to make room for expansion.
Also, remember that DSL connections in this setup will share bandwidth. You can expect that the average bandwidth per system will be ~4% (80%/20 workstations) of your connection due to overhead associated with TCP/IP and bandwidth sharing. You may want to ensure that your router has features like Quality of Service and Port Priorities so you can set which systems need the bandwidth more than the others.
Likewise, I would make sure that the vendor you go through can guarantee quick repair/replacement of your computer/network equipment in case of a failure.
You may also want to consider:
1. A UPS to ensure the key equipment remains powered on during power failures.
2. A secondary Internet connection, if your access will be "mission critical", from a different provider JIC the primary provider's network goes down.
3. A Proxy Server to lessen the bandwidth required by locally caching frequently accessed web sites, etc.
4. The usual slew of security applications: Anti-Virus, Trojan Detectors, software firewalls per system, etc. (Per system firewalls will allow you to set rules per system regarding what traffic each should accept/allow. A centrally managed solution would most likely work best.)
5. An experienced Network Administrator, and/or network staff, to be a single POC for all things network related.
6. A method of remote access (VPN, SSH, etc), JIC your key players need to access the network from remote locations.
7. A networked backup solution to ensure the integrity of your data. It is preferred to do a full backup at least once per week with daily incremental backups.
8. Depending if you have field personnel, or people who may need network access from internal locations without an Ethernet drop, perhaps a wireless segment to your network would be beneficial.
9. At least one server for the central storage of data and/or networked applications, remote access, shared network peripherals, etc.
10. A networked black and white and color printer. Non-critical print jobs should be forced to the B&W printer, while those requiring color printouts have access to the color printer. This can save seemingly trivial supply costs; which can and will add up over time. (Unless you can find a printer in which you can restrict users to B&W/color modes.)
I am sure there are probably things I am forgetting, but others will most likely chime in with the things I have not mentioned.
If man can think it, man can achieve it...
Saint Paul, MN
My suggestion is the Cisco PIX firewall.
The PIX 506 should meet your needs.
The 506 is VPN capable.
Check out this link:
Listen....do you smell something?
well, I'm not sure what exactly affordable means in your books but my assumption is that since you have 20 workstations and perhaps as many or more employees you can easily afford a few thousand dollars.
I personally don't think the idea of running a firewall on a separate computer would be the best choice. In fact relying on NAT alone whether it's on a computer or a router is not a good idea. NAT does not equal firewall although it offers good protection.
I find Cisco's PIX firewall to be the best suggestion yet. The price is right for a business your size and the level of protection is excellent. Now if you want to, you can set up a separate server to act as a proxy server for your Network. This will do some intelligent caching for your Network to speed up your Internet connection. It will also provide you with an additional layer of protection for your Network. You can also have more control over your employee's browsing habits and you can keep a record of all activities.
All of that will provide an excellent protection for inbound attempts and most of outbound leaks. If you are concerned that your employees may not be very responsible when using the Internet and they may pick up a few Trojans and spyware here and there, then you may want to invest about an additional $400 and equip each workstation with a copy of Zone Alarm. Not the Pro version, just the regular ZA. It's free for home users but you pay about $19 for use in business. That will provide a third layer of protection. This one will stop outbound leaks by Trojans and Spyware before they start.
If you don't want to go with all of that, as a minimum I suggest the Cisco PIX 506 and a proxy server. Of course as suggested before by others, a good administrator of the whole thing is worth his/her price in gold. You can either hire someone full time or you can find people who maintain your systems on a contractual basis and check up on your Network from time to time. Good luck.
You can catch the Devil, but you can't hold him long.
I use a Personal Ravlin II from www.redcreek.com for DSL connections. It is a small hardware device that sells for around $600 that provides a stealth firewall to the outside world and an encrypted VPN tunnel for remote offsite access. They also make 5100 and 7100 series units for higher (than DSL) bandwidth applications, but why waste the money unless you are running 10+ meg or 100+ meg connections.
Linux and Windows NT firewalls are hackable. BSD is better for a software solution. All of the above require a dedicated server, thus a dedicated hardware device like the Rav is a good choice.
i only visit this forum occasionally. not trying to get flamed, just presenting an alternative to save some $$$
said by geiger:
    Right now most of the stations have dial-up and we are wanting to go to DSL.
    we need max security
    Any affordable ideas?
i don't understand why so many feel an expensive hardware box is the only answer
there are excellent, easy to use, linux software solutions for this situation that can run on an inexpensive box
for example, e-smith server has these features and doesn't require a linux/unix guru to use
e-smith also includes a proxy server and NAT
quote:
    IPchains rules and IP masquerading provide packet filtering.
    All non-essential network services are disabled.
    Standard Unix security features are enabled (such as TCP wrappers).
i just want to present another option for geiger to consider
quote:
    Is the e-smith server and gateway a firewall?
    Yes - starting with version 4.1, the e-smith server and gateway includes a full firewalling configuration. This includes IPChains rules on top of IP masquerading, for services which are only accessible via the internal LAN. In addition, all non-essential network services are disabled, TCP wrappers are enabled, server programs are configured to communicate only with machines on the local network (where that is appropriate), sendmail has been replaced with qmail to increase security and performance, and all remote login facilities are disabled.
have a nice day!
[text was edited by author 2001-03-14 22:29:58]
Re: Need help with business DSL security!
Geiger there is lots of good advice here.
Normally for a business your size it means there is either one person who does everything for IT (hardware, software / networks) or you get outside contractors in and pay them a lot.
If the first is the case I would suggest something like the SOHO product mentioned by wingman. It's easy to configure and pretty much works out of the box. You can secure it much further with a bit of configuration work, but that is not something done by reading for 5 mins; it does take a bit of effort.
The bit that concerns me here is that you state that you have rather sensitive and valuable data. Well if that is the case I would suggest going the whole hog and using Checkpoint software configured by a professional security person. You might also look at PIX as an alternative.
If you are paying a contractor for your regular IT services I would not suggest getting them to do the configuration work for either PIX or Checkpoint. IT consultants servicing a company your size will rarely have enough skills to correctly configure these products; use an expert.
Right now your dialup connections are a security concern that you need to fix very quickly. If you replace this with just a shared dsl line then performance will drop and you will find staff using the dialup connections again with or without your permission. Make sure you are buying enough bandwidth for your staff. So other previous suggestions for a proxy server are a good recommendation as this will improve performance for commonly hit web sites. Although I can't personally advise you on a decent proxy server.
Fobot's suggestion of a dedicated linux box is valid and will save you heaps of money. He is expecting to get flamed over it and I have to admit I'd be one to argue against this option, but if you have an "expert" who recommends this kind of solution and will support it, then go for it.
Dedicated hardware for firewalling is a must for a company your size, especially if there is sensitive data, but what type of hardware depends on your needs.
You have to make the decision as to how valuable your data is. If in doubt pay a professional - spend the money. Don't rely on advice given over the internet. Although it doesn't hurt to post any advice given by a professional here for a second opinion.
Gomez / ha ha, charade you are / Premium, Ex-Mod 06-11
Ditto to what Iced_Frog said. ("Iced_Frog"? That may require a whole new topic someday)
If the data is important, I would guess that you have someone who at least wears a part time IT hat to maintain the servers, do backups and all those other IT things. There are several mid-range solutions which are solid products, intuitive to configure, and do the job quite well. I won't recommend any products due to my bias (I worked on one). Read up, get some reviews.
PIX and Checkpoint are great products. Checkpoint is high end, and usually ends up being the solution for companies that are having performance problems with the midrange products due to the high volume. I haven't looked at PIX in a while as they weren't in our market space. I'm sure it's a fine product, but likely requires complete understanding of TCP/IP to configure it correctly. If that isn't the case, I'm sure someone will be happy to correct me.
Please remember a firewall is not an end-all security solution. It is merely a gateway which should be part of your security policy. Virus protection, and user education are a couple of often ignored items.
Best of luck,
Let us know what you come up with!
Before you criticize a man, walk a mile in his shoes. Then criticize, you're a mile away, and you have his shoes.