Thread: Getting a whole network onto the internet

  1. #1
    Vampire
    Join Date: Jul 2003 | Location: London | Posts: 1,705 | Thanks: 2 | Thanked: 11 times in 11 posts

    Getting a whole network onto the internet

    My business wants to get internet.

    Currently there is a windows network with a windows 2003 server and about 8 other workstations.

    Will it be safe as long as I install anti-virus on all the PCs including the server? Any recommendations?

    Block all incoming ports on the router too? Except what I need.

    Don't want people installing stuff onto the computers, what can I do to stop that?

    And I would like to block all MSN, AIM etc. Can I just block the ports on the router for those?

    Haven't done anything like this and can't really find anything similar with the search button.

    Thanks.

  2. #2
    peterb (The late but legendary peterb - Onward and Upward)
    Join Date: Aug 2005 | Location: Looking down & checking on swearing | Posts: 19,378 | Thanks: 2,892 | Thanked: 3,403 times in 2,693 posts

    Re: Getting a whole network onto the internet

    Quote Originally Posted by Sinizter
    My business wants to get internet.


    Thanks.
    In what way? E-mail, web access, web hosting, own mail server? How big is the business? Does it have its own domain name registered? Are you looking to register a block of (class C?) IP addresses so that each machine is connected to the public internet? What services are you looking to provide?

    These are fundamental questions that you need to answer before you even consider asking the next ones, as the answers will dictate the direction and type of security measures you will need to take.

    Assuming that you are just looking for e-mail out and web browsing for the client machines, and that you are looking at some form of NAT through the router, then that will give a lot of protection from direct attacks, provided you aren't opening any inbound ports. However it won't protect you from malware your users might import inadvertently by mail or from web sites.

    There are a whole range of protection measures you could employ, with varying costs (capital and administration) and effectiveness. Education of the users is a major one, with clearly defined company policies.

    Technical measures include mail proxies, web proxies, AV software - and of course ensuring that none of your users are operating their machines as administrators.

    There are basically two aspects to tackle - individual machine security and network security - to some extent they are complementary - but both need to be considered.

    Start off with a risk assessment - basic stuff - likelihood of a damaging event and the impact of it occurring. Then look at mitigation measures.
    Last edited by peterb; 03-02-2008 at 12:48 AM.

  3. #3
    Admin (Ret'd)
    Join Date: Jul 2003 | Posts: 18,481 | Thanks: 1,016 | Thanked: 3,208 times in 2,281 posts

    Re: Getting a whole network onto the internet

    Quote Originally Posted by Sinizter
    .....

    Will it be safe as long as I install anti-virus on all the pcs including the server ?

    .....
    The answer to that is "no, you won't."

    If you want safety, don't connect it.

    The real question is the degree of risk you'll accept, and what you stand to lose if it happens, and what you can do to mitigate that risk. peterb has given you a good start, and I agree with him - go with the risk assessment.

    What type of risks will you face, and what level of sophistication?

    If you open your network to outside connections, there WILL be attempts to get in .... and my guess is the first ones will happen within hours if not minutes. But if you've taken sensible measures, you'll be able to defeat all but the most determined and skilful. If you're worried about a stray virus getting in, then those measures are fairly successful. If you're worried about world-class industrial espionage that specifically targets you, and has the ability to do damage sufficient to put your firm out of business, then you have a different set of risks. Most businesses will be somewhere in-between.

    And, it also has to be said, that if you're facing a determined attempt at industrial espionage, even not having an internet connection may be enough. One of the most common security risks is that from staff, either via ignorance or incompetence, or via bribery.

    Another is that of social engineering. Suppose someone shows up at your workplace dressed as a phone engineer. Would reception be sharp enough to verify that before letting him/her rummage around in your offices, behind desks or in the comms cupboard .... and are the comms physically locked up, or just sitting on a shelf somewhere? Do you have adequate security to stop cleaning crew sticking a data capture device in the keyboard connection of a critical PC and collecting it the next night/week? Or connecting a wireless access point into an internal switch?

    If someone is determined enough to get in, your security needs to be pretty much obsessive and paranoid to stop them, net connection or not. Fortunately, most of us don't face the degree of risk where that level of determination becomes a serious issue.

    peterb is right. You need to identify the issues and risks, because security will always be a trade-off of one against the other, with improving security on the one side, but increasing cost and intrusiveness to staff on the other.

  4. #4
    Funkstar (Does he need a reason?)
    Join Date: Aug 2005 | Location: Aberdeen | Posts: 19,874 | Thanks: 630 | Thanked: 965 times in 816 posts

    Re: Getting a whole network onto the internet

    I was going to reply when I first saw your post, but I'm glad I didn't.

    Peter and Saracen have answered your question far more succinctly than I could have.

  5. #5
    Vampire
    Join Date: Jul 2003 | Location: London | Posts: 1,705 | Thanks: 2 | Thanked: 11 times in 11 posts

    Re: Getting a whole network onto the internet

    Thanks for all those thoughts.

    Industrial espionage is not a risk. It's only a dental practice. Leaking of confidential data could be a major problem - but I assume (have to confirm) that the program used for this would encrypt the data internally. Data is backed up every other day. And constantly throughout the day to a 2nd location on the hard drive.

    Main uses - browsing, email, voip calls, ordering stuff, data transmission

    Currently data transmission occurs through a modem and I can leave it like that. Just have the internet only on my workstation to begin with. And connect the VOIP phones to the router.

    But in the near future I may need to have all the workstations connected.

    So the steps I see now are
    - Demote all users from administrator
    - User education on what they should avoid
    - maybe filtering of some sites on the router or something of the sort
    - Antivirus on the server and all workstations
    - Open only the required ports on the router

    Do I need additional firewall software on the server?

  6. #6
    peterb (The late but legendary peterb - Onward and Upward)
    Join Date: Aug 2005 | Location: Looking down & checking on swearing | Posts: 19,378 | Thanks: 2,892 | Thanked: 3,403 times in 2,693 posts

    Re: Getting a whole network onto the internet

    Quote Originally Posted by Sinizter

    Leaking of confidential data could be a major problem - but I assume (have to confirm) that the program used for this would encrypt the data internally.

    Do I need additional firewall software on the server?
    As a dental practice, the risk of leaking of confidential data is high - given the recent high profile data loss, you can imagine the Red Top headlines if your system was compromised! Risk, probably low, impact - potentially very high!

    If the data is encrypted, you need to check on how. If it is disk encryption to protect the data when the system is shut down, then when the system is up the data will be decrypted on the fly, so anyone accessing the disk under those circumstances would gain access to the data. If the data is served encrypted and decrypted by the client machine, there is still a risk that a client machine could be compromised.

    Is the practice NHS or private? If it is NHS you should take advice from NHS security people. If private, then you need to consider how you open it up. Do all the client machines accessing the medical records need web browsing and e-mail?

    In effect, from what you have said, the proposed set-up is similar to a reasonably sophisticated home network - the main difference being the impact if the system is hacked. I expect the system also holds payroll and practice financial information, which is reasonably sensitive.

    I am reluctant to give detailed advice on how to do this on the information you have given though, because the consequences of getting it wrong are potentially severe. I would really need to see a detailed requirement and risk assessment before committing myself, as there are several ways to do this.

    Simplest would be using your ISP to provide your mailbox service (one for each client). They may also provide other services, such as virus scanning and SPAM filtering. Use a business orientated ISP, such as ZEN (even if you don't use their office products).

    Use a good router - which may support content filtering/web host blocking.

    Consider a separate firewall for the server - although compromising a client machine might circumvent that - perhaps put the firewall in front of the router.

    Consider a web proxy server - although that might be overkill - your main threats seem to me to be a hacking attack from outside the network (largely blocked by a NAT router) and accidental user import of malware. However the more servers etc. you put in place, the greater the admin load (looking at logs etc.) and the greater the risk of a false sense of security, particularly if they are mis-configured. Remember KISS - Keep It Simple, Stupid!

    If you haven't been in to demote user privileges from admin, do it NOW - then off you go - that is a big security risk.

    What is the server OS and client OS? You should not be using home editions.

    But do your risk assessment, statement of requirement, and policy documents - and the technical requirement will largely fall out of that - then you can consider the specific technical detail. Time spent in preparation is rarely wasted.
    Last edited by peterb; 04-02-2008 at 10:06 PM.
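
The "demote all users from administrator" step in the list in post #5, and peterb's "do it NOW" above, are easy to state and easy to get wrong on eight machines, so here is an added example (not code from anyone in this thread) that turns it into something checkable: a PowerShell script that reads the local Administrators group on each workstation over the WinNT ADSI provider and reports any member that is not on an expected list. The workstation names and the allowed-admin list are placeholders to edit; it assumes the machines are reachable by name and that the account running it has administrative rights on them.

```powershell
# Added example: audit local Administrators membership on each workstation.
# Not from the thread; machine names and the allowed list below are placeholders.

$workstations  = @('WS01', 'WS02', 'WS03')              # placeholder names, edit to suit
$allowedAdmins = @('Administrator', 'Domain Admins')    # accounts expected to stay admin

$findings = @()

foreach ($pc in $workstations) {
    try {
        # Bind to the local Administrators group on the remote machine.
        $group   = [ADSI]"WinNT://$pc/Administrators,group"
        # Invoke('Members') returns COM objects; pull the Name property from each.
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
    } catch {
        # Unreachable machine or insufficient rights: report it rather than silently skipping,
        # since a machine you cannot audit is itself a finding.
        Write-Warning ("{0}: could not read Administrators group ({1})" -f $pc, $_.Exception.Message)
        continue
    }

    foreach ($member in $members) {
        if ($allowedAdmins -notcontains $member) {
            $findings += New-Object PSObject -Property @{
                Computer = $pc
                Member   = $member
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No unexpected local administrators found.'
} else {
    # One row per unexpected admin; feed this to whoever is doing the demotions.
    $findings | Sort-Object Computer, Member | Format-Table -AutoSize
}
```

Run it from a machine on the same network as the workstations; anything listed is an account that still has local admin and should be moved to the Users group. Keeping the expected list explicit means a re-run after the clean-up should print nothing, which is the check that the step was actually done rather than just planned.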

  7. #7
    GAteKeeper (Senior Member)
    Join Date: Feb 2004 | Location: Derbyshire, UK | Posts: 582 | Thanks: 14 | Thanked: 28 times in 22 posts

    Re: Getting a whole network onto the internet

    Another question you could ask is whether all the machines need to be Internet machines. At work we have dedicated internet machines (shared access) that are on a completely independent network from the site machines. Having said that, you need to set up good SecOps with your users regarding data security and the damage any leaks could cause.

    GK
    Keeper of the Gates of Hell
