
Thread: A simple challenge - get my network online securely.

#1 mycarsavw (joined Feb 2007; 4,945 posts)
System: P8H77-M Pro, i5 3350P, 16GB, storage: lots, R9 285, HX 620W, FD Define Mini, W10, BenQ G2420HDBL + GL2450HT, Sky internet

    A simple challenge - get my network online securely.

    I feel I've used my fair share of help up this year already, but I'm going to push my luck again and ask for some more.

    My office network as it stands today (the diagram that was here is not reproduced):

    Cat 5 cabling, fixed IP addresses for each client but an ever-changing one on the router.

    The router (a generic BT business hub BT2700HGV) serves four XP desktops all with ZoneAlarm and AVG. It also has specific controls over what the desktops can and can't see online. This works perfectly. However, by the end of this month all the desktops will be replaced with XP Pro units and will have to be online.

    The simple, logical way of doing this (to me at least) is to plug the router straight into an empty port on the switch, fiddle with some settings on the desktops and enable parental controls on the router.

    What I think I should be doing is investing in a hardware firewall of some sort. I'm sure the current router works well for the clued-up user, but I'm about to let people who have little to no clue loose on the internet and I'm not sure I trust it 100%.

    Their viewing must be restricted and their hours of free roaming must be managed. I want it as secure as possible with the ability to manage it from my desktop. I'll install ZoneAlarm on each desktop and they'll be scanned daily for viruses/malware/spyware etc.

    One last thing of importance - nothing can happen on/to/with the server - it's old and basically serves as a document server. Things are afoot to change that but this is the main focus for now.

    Ta once again in advance for any advice and assistance.
    |Kata: "Read title as 'fisting'. Not sure why I clicked. Relieved, really."|
    |TAKTAK: "It was so small that mine wouldn't fit into it"|

#2 peterb (The late but legendary peterb - Onward and Upward; joined Aug 2005; 19,378 posts)

    Re: A simple challenge - get my network online securely.

    Any of the machines need to be accessible from outside (ie from the net)? If not then the NAT translation on the router will give good protection from external hack attacks. User education is the most important aspect for protection from malware. If you want to start blacklisting websites (and the router supports it) a subscription to one of the filtering companies would work, or you could use OpenDNS and filter content that way. Otherwise you could use something like Smoothwall on a Linux box as a hardware firewall.

    The measures you take will become clear when you do the risk assessment. What are the likely threats; what is the impact if these threats are realised; how much are you prepared to invest in time and money to minimise these threats to an acceptable level? The more complex the protection, the greater the time taken to manage and monitor it.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

Received thanks from: mycarsavw (11-10-2007)

#3 mycarsavw

    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by peterb:
    Any of the machines need to be accessible from outside (ie from the net)? If not then the NAT translation on the router will give good protection from external hack attacks. User education is the most important aspect for protection from malware. If you want to start blacklisting websites (and the router supports it) a subscription to one of the filtering companies would work, or you could use OpenDNS and filter content that way. Otherwise you could use something like Smoothwall on a Linux box as a hardware firewall.

    The measures you take will become clear when you do the risk assessment. What are the likely threats; what is the impact if these threats are realised; how much are you prepared to invest in time and money to minimise these threats to an acceptable level? The more complex the protection, the greater the time taken to manage and monitor it.
    Starting from the top.

    Ideally the machines would be completely closed off to the outside;
    NAT appears to be supported by the router according to the specs here - I have some reading to do on the basics though;
    I fully agree user education is key, but ageing user education is tricky. I plan to sit down and say, "Don't do this, don't do that" and so on, but I also want something fail-safe in place because I know there'll be that one time where they forget;
    This week, I have been mostly playing with Smoothwall. I got it installed, the IP routing etc. sorted, rebooted and then it just hung. I haven't gone back to it as I'm a little disheartened. I could keep plugging away or I could just go for the paid option - Corporate Firewall 5 and couple it with Corporate Guardian 6 - but to me that seems a waste when, with a bit of effort, I can DIY.

    Which leads me to your second paragraph.

    It's a solicitor's office. The accounts are networked, the documents are networked. If anything is compromised it's pretty much game over, so it's important. It's not life or death, but it is higher than your average home user.

    I've invested a lot of time before asking here for "professional help". I'm prepared to invest more time, but I'm now at a stage where I'd rather invest money than time. Budget wise, I've had my eye on some Watchguard kit around the £400 mark but from what I can see, they don't do content filtering.

    I have no idea who the big boys are in hardware firewall/content filtering and I can see prices from a few hundred to £6k, so my budget could be completely unrealistic, as could my intentions and concerns. But that's why you lot are here, to slap me and bring me back to reality.

#4 Jay (Gentlemen.. we're history; joined Aug 2006; Jita; 8,365 posts)

    Re: A simple challenge - get my network online securely.

    What about a Linux firewall like IPCop or m0n0wall?
    □ΞVΞ□

#5 peterb

    Re: A simple challenge - get my network online securely.

    Hmm - I don't know what the capabilities of the router are. I use a Draytek 2800Vg at home (you wouldn't want the wireless version, but the V version supporting VPN might be useful for any homeworkers - but that isn't in your spec).

    The Vigor does support restricted internet hours, so you could close off internet except for 12 to 1 for example, or you could have two subnets, each with a separate time allowance. It also supports subscription to content blacklisters, and you can add your own (or blacklist all and have a whitelist) and also content filtering for sites that implement it.

    Smoothwall is very capable, but does need a bit of setting up. You could have internet machines in a DMZ. The options are quite extensive and there is no 'best' way.

    From what you describe, you are unlikely to be subject to a targeted attack, so NAT on a reliable router would almost certainly be adequate. I guess that Internet access isn't a core business requirement for the majority of users, but e mail is.

    You could set up a proxy server which would further insulate the users from the internet, although that might be OTT (it would reduce some of your network traffic, particularly if the users are accessing legal web sites). A dedicated mail server could give you centralised virus control and content management, but again adds to the system management burden.

    The KISS approach is to invest in a router of known provenance, ensure the AV licences are kept up to date and updates applied (same for the OS - and of course make sure that users are not logging on with admin privileges) and accept the management overhead of making sure the software is updated.

    Next step would be to subscribe to a content management service and/or add in something like Smoothwall or a proxy server.

    Belt and braces would be a mail server with centralised AV scanning, a proxy server with content filtering/blacklisting and possibly something like Smoothwall, but they must all be correctly configured to avoid the risk of a false sense of security. This should be backed up with enforced company security policy and security instructions to all staff, and is, I would suggest, a bit OTT.

    One other approach might be to ask your ISP to see what they can do as a managed service, if they provide your mail service, they might have AV and spam filters in use or available. Similarly they may be able to offer content filtering.

    Hope that gives you some ideas and further avenues to pursue.

#6 charleski (Senior Member; joined Jul 2006; 1,586 posts)

    Re: A simple challenge - get my network online securely.

    Here are my thoughts, which may or may not be of any help.

    If I read your diagram correctly, right now your system effectively has 2 LANs, 1 carrying all of the desktops and the server, connected through the switch and offline, the other consisting of 4 desktops connected to the router/hub and online. You need to change that such that all desktops have internet access, within certain limits, and the server is protected. You don't need any form of VPN or remote access to the network. Is that right?

    So you have several aims:
    1) Protect all the machines from incoming attacks (DDoS, portscans, etc).
    2) Prevent users from accessing undesired sites.
    3) Prevent users from initiating insecure outbound connections (e.g. as a result of malware).
    4) Prevent any data on the server from outside access.

    Your idea of simply placing the router on one of the switch ports is probably the right way to go. The router's built-in SPI firewall and NAT will protect against 1).

    Requirement 2) (content filtering) depends a lot on your precise needs. If this is the correct guide for your router (BT's site isn't very well laid-out), then the router comes with basic content-filtering built-in. If you need something more sophisticated, then you will need new hardware; in fact the best route would be to replace your current router completely and buy one with more capability and a subscription to a content-filtering service. This would either be a customised box or another PC running gateway software such as the one you mentioned that would then connect to the net through an ADSL modem. Another, cheaper, option is to upgrade to ZoneAlarm Internet Security Suite, which carries a more advanced set of parental controls for content filtering, and ZA is going to be deployed to all the desktops anyway, so it's not adding more software to manage.

    Requirement 3) will be handled by ZoneAlarm. ZA's management features aren't stellar, but if you only have a limited number of machines and aren't adding new ones regularly, then it works well.

    Requirement 4) could be implemented simply by blocking the server from accessing any IPs outside your network. Small LAN IP addresses are typically assigned in the 192.168.0.xxx range. Your router should have a static LAN-side IP address as well (the internet address assigned by your ISP will usually be dynamic, but that doesn't matter here). If your router's LAN-side IP address is 192.168.0.1, for instance, simply set up an IP-blocker on your server so that it can only contact addresses in the range 192.168.0.2-192.168.0.255. This provides an added layer of security in that the server won't be able to see the internet at all. You say it's a Novell server; facilities for doing this sort of IP blocking may already be built in to the OS, I'm not familiar with Novell.

    Buying new hardware or creating a new machine to act as an Internet gateway with the appropriate software will ease management issues, but will certainly cost more. What you're paying for is flexibility and the ease with which new machines can be added, if your network is static, then that's not really needed.
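Requirement 4 from the post above, as an added example that is not part of charleski's post or any product's configuration: the server's LAN-only egress rule written as a policy check and run over a few constructed connection-log lines, so that anything the server tries to reach outside the office network shows up for review. The LAN range 192.168.0.0/24, the router at 192.168.0.1, the server at 192.168.0.10 and the log format are all assumptions; the server's own packet filter (Novell or otherwise) is what enforces the rule, this script only audits against it.

```python
"""Audit a file server's outbound connections against a LAN-only egress policy.

Added example, not from the post: LAN range, router address, server address
and log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed office LAN
ROUTER = ipaddress.ip_address("192.168.0.1")  # assumed LAN-side router address


def egress_allowed(dst, lan=LAN, router=ROUTER):
    """True if the server may open a connection to dst.

    Policy: loopback and LAN hosts only. The router is excluded on purpose:
    with no path to the gateway the server cannot reach the internet even if
    another rule is wrong. The .255 broadcast address stays allowed because
    LAN name-resolution protocols use it.
    """
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # unparseable destination: fail closed
    if addr.is_loopback:
        return True
    return addr in lan and addr != router


# Assumed log format for outbound connection attempts recorded on the server.
LOG_RE = re.compile(
    r"OUT src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)"
)


def audit(lines, lan=LAN, router=ROUTER):
    """Return (allowed_count, Counter of policy violations keyed by destination)."""
    allowed = 0
    violations = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record
        if egress_allowed(m["dst"], lan, router):
            allowed += 1
        else:
            violations[m["dst"]] += 1
    return allowed, violations


# Constructed sample (not real traffic).
SAMPLE_LOG = [
    "Oct 11 09:12:03 fileserver OUT src=192.168.0.10 dst=192.168.0.14 proto=TCP dpt=524",
    "Oct 11 09:12:09 fileserver OUT src=192.168.0.10 dst=192.168.0.20 proto=TCP dpt=445",
    "Oct 11 09:13:40 fileserver OUT src=192.168.0.10 dst=192.168.0.1 proto=UDP dpt=53",
    "Oct 11 09:13:41 fileserver OUT src=192.168.0.10 dst=203.0.113.7 proto=TCP dpt=80",
    "Oct 11 09:14:02 fileserver OUT src=192.168.0.10 dst=192.168.0.255 proto=UDP dpt=137",
    "Oct 11 09:15:00 fileserver OUT src=192.168.0.10 dst=127.0.0.1 proto=TCP dpt=8080",
    "Oct 11 09:15:30 fileserver OUT src=192.168.0.10 dst=203.0.113.7 proto=TCP dpt=443",
    "Oct 11 09:16:00 fileserver kernel: eth0 link up",
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LOG)
    print(f"{ok} connections within policy")
    for dst, n in bad.most_common():
        print(f"VIOLATION dst={dst} x{n}")
```

Two things the sample brings out: the DNS query to the router (udp/53) is a violation under this policy, so a server locked down this way needs a hosts file or a LAN-side resolver if it must resolve names at all; and the two attempts to reach 203.0.113.7 are exactly the kind of entry the weekly inspection should be looking for, because a document server with no internet role should never generate them.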

#7 mycarsavw

    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by jay_oasis:
    What about a Linux firewall like IPCop or m0n0wall?
    See above, I had a play with Smoothwall but felt defeated.

    --------------------------------------

    Quote Originally Posted by peterb:
    Hmm - I don't know what the capabilities of the router are. I use a Draytek 2800Vg at home (you wouldn't want the wireless version, but the V version supporting VPN might be useful for any homeworkers - but that isn't in your spec).

    The Vigor does support restricted internet hours, so you could close off internet except for 12 to 1 for example, or you could have two subnets, each with a separate time allowance. It also supports subscription to content blacklisters, and you can add your own (or blacklist all and have a whitelist) and also content filtering for sites that implement it.
    BT router also supports restricted hours per user so that's an option. No idea if it allows subs to content filters though. It does have a black/white list option.

    Smoothwall is very capable, but does need a bit of setting up. You could have internet machines in a DMZ. The options are quite extensive and there is no 'best' way.
    Hmm, I tried, and felt deflated. I'm not willing to move back and give it another go, I feel I've "wasted" enough time on it already. I appreciate it's a simple thing, but maybe my heart isn't quite in it <sigh>

    From what you describe, you are unlikely to be subject to a targeted attack, so NAT on a reliable router would almost certainly be adequate. I guess that Internet access isn't a core business requirement for the majority of users, but e mail is.

    You could set up a proxy server which would further insulate the users from the internet, although that might be OTT (it would reduce some of your network traffic, particularly if the users are accessing legal web sites). A dedicated mail server could give you centralised virus control and content management, but again adds to the system management burden.
    You're right in saying internet access isn't as important as email, and a mail server is still something we're toying with. There are, I'd say, 10 major sites that require access; I have a feeling the bulk of access will be during the lunch hour to non-work-related sites.

    The KISS approach is to invest in a router of known provenance, ensure the AV licences are kept up to date and updates applied (same for the OS - and of course make sure that users are not logging on with admin privileges) and accept the management overhead of making sure the software is updated.

    Next step would be to subscribe to a content management service and/or add in something like Smoothwall or a proxy server.

    Belt and braces would be a mail server with centralised AV scanning, a proxy server with content filtering/blacklisting and possibly something like Smoothwall, but they must all be correctly configured to avoid the risk of a false sense of security. This should be backed up with enforced company security policy and security instructions to all staff, and is, I would suggest, a bit OTT.
    All noted and understood - thank you very much for taking the time.

    One other approach might be to ask your ISP to see what they can do as a managed service, if they provide your mail service, they might have AV and spam filters in use or available. Similarly they may be able to offer content filtering.

    Hope that gives you some ideas and further avenues to pursue.
    Sadly the ISP is BT. They do offer options, but I'm not too convinced I want to rely on them for everything. Another avenue to explore.

    --------------------------------------

    Quote Originally Posted by charleski:
    Here are my thoughts, which may or may not be of any help.

    If I read your diagram correctly, right now your system effectively has 2 LANs, 1 carrying all of the desktops and the server, connected through the switch and offline, the other consisting of 4 desktops connected to the router/hub and online. You need to change that such that all desktops have internet access, within certain limits, and the server is protected. You don't need any form of VPN or remote access to the network. Is that right?
    Spot on.

    So you have several aims:
    1) Protect all the machines from incoming attacks (DDoS, portscans, etc).
    2) Prevent users from accessing undesired sites.
    3) Prevent users from initiating insecure outbound connections (e.g. as a result of malware).
    4) Prevent any data on the server from outside access.
    Again, spot on.

    Your idea of simply placing the router on one of the switch ports is probably the right way to go. The router's built-in SPI firewall and NAT will protect against 1).
    It seems too simple to me. Is a standard router enough to do what I want?

    Requirement 2) (content filtering) depends a lot on your precise needs. If this is the correct guide for your router (BT's site isn't very well laid-out), then the router comes with basic content-filtering built-in. If you need something more sophisticated, then you will need new hardware; in fact the best route would be to replace your current router completely and buy one with more capability and a subscription to a content-filtering service. This would either be a customised box or another PC running gateway software such as the one you mentioned that would then connect to the net through an ADSL modem. Another, cheaper, option is to upgrade to ZoneAlarm Internet Security Suite, which carries a more advanced set of parental controls for content filtering, and ZA is going to be deployed to all the desktops anyway, so it's not adding more software to manage.
    The router does have content filtering and it is in place on one machine. It works surprisingly well and, coupled with Firefox (and some choice extensions), the machine is still virus/mal/adware free. The history cannot be erased (by the average user) and is inspected weekly. One thing it doesn't do is monitor who uses the machine. Obviously when access is granted to every desktop that'll become easier. I never even thought of replacing the router for an all-in-one solution though - doh!

    I presume there's something out there that serves as a router (both wired and wireless) a firewall and a content filter? Is there an off-the-shelf solution or would I have to assemble something. I can build PCs and networks, but I'm stumped on this so far which is embarrassing.

    Requirement 3) will be handled by ZoneAlarm. ZA's management features aren't stellar, but if you only have a limited number of machines and aren't adding new ones regularly, then it works well.
    That's what I wanted to hear. If I step up to the ZA Suite I think I'll feel more comfortable. With the machines behind a router/firewall and additional firewalls on each machine I'll be happy. The number of machines is fixed for the foreseeable future.

    Requirement 4) could be implemented simply by blocking the server from accessing any IPs outside your network. Small LAN IP addresses are typically assigned in the 192.168.0.xxx range. Your router should have a static LAN-side IP address as well (the internet address assigned by your ISP will usually be dynamic, but that doesn't matter here). If your router's LAN-side IP address is 192.168.0.1, for instance, simply set up an IP-blocker on your server so that it can only contact addresses in the range 192.168.0.2-192.168.0.255. This provides an added layer of security in that the server won't be able to see the internet at all. You say it's a Novell server; facilities for doing this sort of IP blocking may already be built in to the OS, I'm not familiar with Novell.
    Of course, how simple. I think this option is already up and running - I'll have a poke about today and see for sure though.

    Buying new hardware or creating a new machine to act as an Internet gateway with the appropriate software will ease management issues, but will certainly cost more. What you're paying for is flexibility and the ease with which new machines can be added, if your network is static, then that's not really needed.
    The network is static. I think I have it in my head that the router, while fairly decent, just isn't up to the job of protecting the whole site. I think I'm worrying about what the users will do when the internet is given to them.

    Thank you too (both of you) for your help, it's good to know I got my requirements out and they were understood.

    If the general consensus is that the router/firewall should be changed for something more functional/respected, then that is what I'll do. I perhaps have to trust the users more, which is tricky when it took some of them months to work a mouse.

    My next step is to compile a list of gateway servers and/or all-in-one solutions. Who's gonna help with that one then?

    One final requirement which I think I missed was the ability to log who visits what (much like the parental controls does in Vista) and access it centrally. I presume again that the dedicated machines/hardware does this already?

#8 mycarsavw

    Re: A simple challenge - get my network online securely.

    By jove I think I've found just what I'm looking for.

    http://www.clarkconnect.com/info/compare.php

    Does the Office version offer everything I need? I'd go for the Community version but I need more than ten mailboxes.

    $75 p/a + the cost of a suitable machine. I have one spare (HP dx2250) but I'd rather go for a machine built for this purpose than use a budget desktop.

#9 charleski

    Re: A simple challenge - get my network online securely.

    The firewall built into your current router will be fine for blocking external attacks, I wouldn't worry too much about that. If you got hit with a massive DDoS attack it would probably fall over, but it's very unlikely that would happen anyway, and if it did you just lose internet access until you reset the router and reconnect to your ISP. Industrial-strength firewalls are built to keep on providing service while under attack, but that's really far more than you need. Since you aren't providing any services to users outside the LAN the firewall in your current router will be perfectly adequate.

    The advantage of using ZoneAlarm on each individual user's machine is that it provides application-level filtering as well, in case the user somehow manages to download a trojan that will broadcast out from the machine. ZA can sometimes be fussy to set up for full security, but if you already have it running on 4 machines I assume you know the program quite well.

    The only requirement that might really need an additional gateway machine is content filtering. The problem here is that many content-filtering schemes also take out legitimate sites, and sometimes you'll need specifically to authorise a certain site so your users can get to it. If your users are fairly unsophisticated and unlikely to want to look at industry blogs, etc, then you probably shouldn't worry too much about that though.

    The cheapest solution would be to use your current router attached to the switch, install and set up the full ZA suite on each user machine, and lock down your server with port-blocking to restrict it to your LAN machines. Maintenance will require you to go to the machine that needs fixing, but on a small static network that isn't a great hassle.

Received thanks from: mycarsavw (12-10-2007)

#10 peterb

    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by mycarsavw:
    By jove I think I've found just what I'm looking for.

    http://www.clarkconnect.com/info/compare.php

    Does the Office version offer everything I need? I'd go for the Community version but I need more than ten mailboxes.

    $75p/a + the cost of a suitable machine. I have one spare (HP dx2250) but I'd rather go for a machine built for this purpose than use a budget desktop.
    I have only had a quick scan of that product, so I haven't looked at all its capabilities, but I did see that you can buy a licence for a one-off fee of about $375, rather than a yearly fee.

    My only concern about the ZA solution is the management overhead in keeping all the machines up to date - a centralised solution (if clarkconnect offers it) to blocking unauthorised outbound connections reduces that overhead. ZA also requires some user intervention during the 'training' period. (It is a while since I used ZA though - can it be set so that the outbound connections can be pre-defined and the user not asked about any others?)

    Don't forget the management and policy aspects - a secure network is not just about implementing technology! (BTW - I assume that your business continuity, disaster recovery and backup plans are all in place - might be worth revisiting those when the changes to the network have been finalised.)

Received thanks from: mycarsavw (12-10-2007)

#11 mycarsavw

    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by charleski:
    The firewall built into your current router will be fine for blocking external attacks, I wouldn't worry too much about that. If you got hit with a massive DDoS attack it would probably fall over, but it's very unlikely that would happen anyway, and if it did you just lose internet access until you reset the router and reconnect to your ISP. Industrial-strength firewalls are built to keep on providing service while under attack, but that's really far more than you need. Since you aren't providing any services to users outside the LAN the firewall in your current router will be perfectly adequate.
    You're right, a few minutes without internet access isn't the end of the world or productivity.

    The advantage of using ZoneAlarm on each individual user's machine is that it provides application-level filtering as well, in case the user somehow manages to download a trojan that will broadcast out from the machine. ZA can sometimes be fussy to set up for full security, but if you already have it running on 4 machines I assume you know the program quite well.
    Yup, I've been using ZA for years, it works fine for the home user and for the machines here, my only worry is users clicking "Remember" and "Allow" without really evaluating the issues. peterb's comments on a usage policy probably come into play here though.

    The only requirement that might really need an additional gateway machine is content filtering. The problem here is that many content-filtering schemes also take out legitimate sites, and sometimes you'll need specifically to authorise a certain site so your users can get to it. If your users are fairly unsophisticated and unlikely to want to look at industry blogs, etc, then you probably shouldn't worry too much about that though.
    I have no problem at all allowing sites, in fact I'd rather it worked starting from fully blocked to white list entry. That way we get to see who is viewing what and can decide what to allow and what to continue to block. I'll look into content filtering now, they all seem to be subscription based so assume it's just a case of finding the one that is easiest to manage.

    I now realise I have two spare machines, so one may become the gateway/filter with the router attached directly to this machine.

    The cheapest solution would be to use your current router attached to the switch, install and set up the full ZA suite on each user machine, and lock down your server with port-blocking to restrict it to your LAN machines. Maintenance will require you to go to the machine that needs fixing, but on a small static network that isn't a great hassle.
    Excellent, thanks for your continued help.

    -----------------------

    Quote Originally Posted by peterb View Post
    I have only had a quick scan of that product, so I haven't looked at all its capabilities, but I did see that you can buy a licence for a one-off fee of about $375, rather than a yearly fee.
    Well spotted - completely missed that part

    My only concern about the ZA solution is the management overhead in keeping all the machines up to date - a centralised solution (if clarkconnect offers it) to blocking unauthorised outbound connections reduces that overhead. ZA also requires some user intervention during the 'training' period. (It is a while since I used ZA though - can it be set so that the outbound connections can be pre-defined and the user not asked about any others?)
    You make a good point, but spending time once a month going round the machines gives me an excuse to snoop and tweak

    I think there's lots of initial training to be done but once that's out the way, only the "obvious" threats pop up (he hopes)

    Don't forget the management and policy aspects - a secure network is not just about implementing technology! (BTW - I assume that your business continuity, disaster recovery and back up plans are all in place - might be worth revisiting those when the changes to the network have been finalised.)
    Noted and thanks. Backups are a number one priority - onsite, offsite, incremental and full - we had a server fall over taking a lot of accounts data with it, since then we've gone through DAT drives, CDRWs and all sorts before finding the perfect solution.

    All the key data will be held on the central file server, the desktops will just carry OOo, XP and the front end of the legal form software.

  #12 charleski
    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by mycarsavw View Post
    my only worry is users clicking "Remember" and "Allow" without really evaluating the issues.
    Once the system is set up, you should, ideally, prevent users from being able to authorise anything. In Overview->Preferences you can set the admin password, and then deselect "Allow others to use programs without a password (unless the program permission is set to “Block”)". This means you'll have to be on-hand to install updates, but you probably do that anyway.

    I have no problem at all allowing sites, in fact I'd rather it worked starting from fully blocked to white list entry. That way we get to see who is viewing what and can decide what to allow and what to continue to block. I'll look into content filtering now, they all seem to be subscription based so assume it's just a case of finding the one that is easiest to manage.
    You may want to look at Websense, which provides a range of content filtering and security apps, though I have no idea how much they cost.


  #13 peterb

    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by mycarsavw View Post

    You make a good point, but spending time once a month going round the machines gives me an excuse to snoop and tweak

    True, but a centralised web proxy server would enable you to log who accessed what and from where and monitor it centrally. You could use something like Squid for a low cost option. (This was discussed in Hexus in the last month or so)

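    Added example, not from the thread or from the Squid project: a short Python script that does the "who accessed what, from where" reporting peterb describes against a Squid access.log, and checks it against the fully-blocked-with-whitelist policy mycarsavw wants. It assumes Squid's default native access_log format and a dstdomain-style whitelist (a leading dot matches the domain and all its subdomains). The client addresses, the whitelist and the log lines are constructed for illustration.

```python
"""Summarise a Squid access.log for a default-deny, whitelist-only proxy.

Added example (not from the thread). Assumes Squid's native access_log
format:  timestamp elapsed client action/status bytes method URL ident
hierarchy/from content-type.  Sample data below is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (native "squid" format).
SAMPLE_LOG = """\
1192432000.123    245 192.168.1.10 TCP_MISS/200 4521 GET http://www.openoffice.org/ - DIRECT/1.2.3.4 text/html
1192432001.456      3 192.168.1.11 TCP_DENIED/403 1650 GET http://www.example.com/ - NONE/- text/html
1192432002.789     98 192.168.1.10 TCP_HIT/200 2210 GET http://www.openoffice.org/download/ - NONE/- text/html
1192432003.012      2 192.168.1.11 TCP_DENIED/403 1650 GET http://www.example.com/news - NONE/- text/html
1192432004.345      2 192.168.1.12 TCP_DENIED/403 1650 CONNECT www.example.net:443 - NONE/- -
"""

# Constructed whitelist in Squid "dstdomain" form: ".openoffice.org" covers
# openoffice.org and every subdomain; a bare hostname only that exact host.
WHITELIST = {".openoffice.org", ".squid-cache.org"}


def host_of(method, url):
    """Destination host: CONNECT lines carry host:port, the rest a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Parse one native-format Squid log line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    action, _, status = fields[3].partition("/")
    method, url = fields[5], fields[6]
    return {
        "client": fields[2],
        "action": action,  # TCP_MISS, TCP_HIT, TCP_DENIED, ...
        "status": int(status) if status.isdigit() else None,
        "method": method,
        "host": host_of(method, url),
    }


def whitelisted(host, whitelist):
    """Apply dstdomain matching rules to a host against the whitelist."""
    host = host.lower()
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def summarise(log_text, whitelist):
    """Per-client tallies of served and denied hosts, plus two policy checks:
    'candidates' are denied hosts users keep asking for (decide whether to
    whitelist them); 'leaks' are hosts that were served although they are
    not whitelisted, which means the http_access rules are not default-deny."""
    allowed = defaultdict(lambda: defaultdict(int))
    denied = defaultdict(lambda: defaultdict(int))
    candidates = set()
    leaks = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["action"] == "TCP_DENIED":
            denied[rec["client"]][rec["host"]] += 1
            if not whitelisted(rec["host"], whitelist):
                candidates.add(rec["host"])
        else:
            allowed[rec["client"]][rec["host"]] += 1
            if not whitelisted(rec["host"], whitelist):
                leaks.append((rec["client"], rec["host"]))
    return {
        "allowed": {c: dict(h) for c, h in allowed.items()},
        "denied": {c: dict(h) for c, h in denied.items()},
        "candidates": candidates,
        "leaks": leaks,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, WHITELIST)
    for client, hosts in sorted(report["allowed"].items()):
        print(f"{client} served:  {hosts}")
    for client, hosts in sorted(report["denied"].items()):
        print(f"{client} denied:  {hosts}")
    print("candidates to review:", sorted(report["candidates"]))
    print("policy leaks:", report["leaks"])
```

    The "leaks" list is the check worth running after every edit to squid.conf: Squid stops at the first matching http_access line, so if any LAN request was served for a host outside the whitelist, an allow rule sits above the whitelist check and the final deny-all is not doing its job. The "candidates" list is the review queue for the whitelist itself.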

  #14 mycarsavw

    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by charleski View Post
    Once the system is set up, you should, ideally, prevent users from being able to authorise anything. In Overview->Preferences you can set the admin password, and then deselect "Allow others to use programs without a password (unless the program permission is set to “Block”)". This means you'll have to be on-hand to install updates, but you probably do that anyway.

    You may want to look at Websense, which provides a range of content filtering and security apps, though I have no idea how much they cost.
    Ah, had no idea the all-in package of ZA gave you that option, thanks.

    I just looked into their (ZoneLabs/Checkpoint) own hardware units here and they seem to offer everything I already have at even more money. I'll take a look at Websense too.

    Quote Originally Posted by peterb View Post
    True, but a centralised web proxy server would enable you to log who accessed what and from where and monitor it centrally. You could use something like Squid for a low cost option. (This was discussed in Hexus in the last month or so)
    That was my initial decision, but I started to get a little bored of Smoothwall. I'll have a look at Squid, and see what it does and doesn't do. From a brief search I can see they are a large, diverse group of marine cephalopods but I have a feeling I was looking at the Wikipedia entry

    I'm torn on what to do. One half says free is good, the other says paid for is trusted. It's good to get different points of view too, but at some point I'm going to have to rubbish one half....

  #15 peterb

    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by mycarsavw View Post

    I'm torn on what to do. One half says free is good, the other says paid for is trusted. It's good to get different points of view too, but at some point I'm going to have to rubbish one half....
    I'm not sure why you think open source is untrustworthy! What you may get with paid for is some form of warranty and maybe some support. However many open source projects (such as mysql for example) offer their (identical, open source) products under two schemes, one is community edition (no support) the other is as an enterprise edition with support, regular updates etc. Why is commercial software more trustworthy? If the source is closed, how can it be peer reviewed? But I digress...

    The link for the squid project is http://www.squid-cache.org/

  #16 mycarsavw

    Re: A simple challenge - get my network online securely.

    Quote Originally Posted by peterb View Post
    I'm not sure why you think open source is untrustworthy! What you may get with paid for is some form of warranty and maybe some support. However many open source projects (such as mysql for example) offer their (identical, open source) products under two schemes, one is community edition (no support) the other is as an enterprise edition with support, regular updates etc. Why is commercial software more trustworthy? If the source is closed, how can it be peer reviewed? But I digress...

    The link for the squid project is http://www.squid-cache.org/
    We seem to be chatting about Open Source on a few threads now! I'm not at all against it, I dual boot Ubuntu and Vista, I use Ubuntu more, I like it, I now understand it, and I'd go as far as to say I prefer it.

    I do not think Open Source is untrustworthy at all in the same way that I do not trust commercial software over Open Source.

    My point (albeit a hidden one) was that if I have to pick up a ZA all-in-one box it'd work the way I'm used to with minimal input from myself. I can trust it to work.

    With Open Source I have to configure it properly for it to work the way I want it to. If it goes wrong, it's my fault, I've configured it wrongly.

    Thanks for the link too, I've been doing a bit of reading since my last post but I'm still undecided.
