Recommended Security architecture for best practice.
By Dexter Duncan
It is important to realise, no matter how much money you throw at preventing virus, trojans, malware or spam, it only takes one internal user to click on the wrong phishing e-mail and your network is compromised. You can lessen the chances of these security breaches by spending more money on better software, however the best cure is alway prevention through education (See “4 causes of e-mail blacklisting and how to fix it” part one).
If you think you have been blacklisted, read how to remove blacklists first.
Invest in security firewall hardware.
The first upgrade you need to fight and manage blacklists is a hardware based security firewall. Sometimes called a security appliance, this device is connected to your switch and acts proactively to remove and isolate security issues. Most individual PCs have sofrware based firewalls, which are great for small offices of less than five PCs. Additionally, most routers have some limited security firewall protection, however, for larger offices with multiple servers, it is a good idea to have a router, switch and a separate hardware firewall.
For multi-site or large offices, here are the most common places to deploy these security firewalls:
- Between main servers and internet,
- between wired and wireless networks,
- between departments where information is extra sensitive,
- between head/branch offices,
- at your extranet to outside vendors, and
- between applications and database farms in data centre.
The first two are the most critical. Wireless is often the weakest link in a network and any office with more than one server should protect themselves with a network firewall.
At $4,000 to $10,000 for a device, this might be an expensive option for some, but well worth the peace of mind. (A good IT person can sometimes find a used one on e-Bay for under $2,000.)
Enterprise grade Virus protection
The second area to upgrade is your Virus/Spam/Malware protection software. There are many very good free versions of software that protect you from anti-virus, spam, malware and trojans, and these are often great choices for less than 5 PCs. These often give you 95% or better protection per PC. As your network gets larger and/or your core business relies on the security of your computer information/data, we recommend you invest in a regularly updated system that blocks 99% or better of the known issues. Rather than only deploying virus protection on individual computers, a centrally managed virus protection system is a minium for any network with more than five (5) computers. The centrally managed system can monitor all your PCs and push latest software to all end-devices. Trend Micro, Kaspersky and ESET are typical user systems with 99% protection rate.
Indicative prices for Server based protection is $400 per server per year. Additionally, budget to spend $40 per PC.
Invest in a network sniffer
The Network Sniffer is a third area of protection which allows you to find the source of the problem quickly based on a scan of your network for unusual activity. This PC based Security Appliance (see image) costs around $1800 and is mainly used for monitoring and finding issues. The network sniffer is a device plugged into your network that monitors traffic from various IP addresses. This is useful to pinpoint problems in the network such as a user not following the policies or a Trojan that has latched onto your network and is deploying spam e-mails in the middle of the night.
If you do not have enough money for any of the above, the low cost alternative is to change all user and device passwords every 30 days and/or follow password formats in this article. Be sure to include devices such as scanners, printers and voice systems as these often have passwords.
At best, the above is more about risk mitigation, rather than prevention. In the end, you have to balance the short term and on-going cost versus the risk of being down. Having above recommendations in place gives you less risk in having a problem. And when problems occur, you have the tools to find and correct in hours versus an on-going saga lasting a few days or weeks.
Even if you spend boocoo moula (lots of money) on the latest virus protection, security appliances and filters, if your staff click on a bogus e-mail promising them millions of dollars from a distant Aunt in Nigeria, you’ll still get nicked.
Next: Are your back-ups filling up with data? Are they failing? See next article on best practice back-ups.
1. ” Is a Firewall Needed for Routers?” by Alan Parsons, Demand Media,Houston Chronicle, Small Business, http://smallbusiness.chron.com/firewall-needed-routers-64122.html
2. “Firewall vendors revisit core technologies to win market”, by Philip Hunter, 12 August 2013, Engineering and Technology Magazine, Vol 8, Issue 8, http://eandt.theiet.org/magazine/2013/08/cyber-securitys-new-hard-line.cfm
3. To see which anti-virus vendors get a 99%+ rating, go to AV Comparitives website, http://www.av-comparatives.org/comparatives-reviews/
4. Sample Centralised Anti-Virus Console from ESET