Q
Problem solve Get help with specific problems with your technologies, process and projects.

Setting up a network perimeter for a small shop

I am about to implement a network perimeter defense for a small start-up company with less than 100 computers. Do you have any advice on measures to take and what to avoid during this process?
One of the most important things to do is keep it simple. In security there is often a tendency to over-architect a solution that becomes impossible to maintain. Remember not everything needs to be protected like Fort Knox -- especially if you aren't able to maintain it 24/7, as is so often the case in smaller shops.

I recommend implementing a perimeter firewall solution that has the ability to grow to support a DMZ if you determine that you want one in the future. The Cisco PIX, Netscreen and Nokia/CheckPoint firewalls all make good solutions in a small environment. They are small, self contained and generally do not require a high level of expertise to install and maintain.

When you implement the firewall, don't forget to filter what traffic you want to allow out of your network. By default most firewalls allow no traffic to come in, but they have no restrictions on what traffic can go out. If you allow your users to connect to external POP3 or SMTP servers, for example, you provide a mechanism for unauthorized traffic to enter your network. Determine what your users need to be doing on the Internet, and only allow them to connect using those protocols.

I would also encourage you to take advantage of your Internet router's ability to perform filtering and lock it down accordingly. Make it the first component of your firewall system, with the actual firewall appliance residing behind it.

Another aspect of perimeter defense is to control the traffic coming in and out of your network. As spam and viruses easily propagate over e-mail, you should implement some form of e-mail filtering software on your SMTP gateway. This will make it much easier to keep virus outbreaks from infiltrating your network since you only need to maintain a single point of entry.

If you perform the above, you will have a solid network security perimeter.

If you want to be even more secure, also consider implementing content filtering and intrusion detection and prevention functionality. Content filtering will give you precise controls over what your users are permitted to do over the Internet. SurfControl and Websense both make excellent content filtering software. For intrusion detection and prevention in a small environment, the key is simplicity. IDS/IPS products can be very time consuming to install, maintain and update. As a result, they are practically beyond the means of many small environments. However, vendors have begun to recognize this problem and they are making products with simpler and more intuitive interfaces that allow people who are not necessarily IDS/IPS experts to take advantage of the solution. In particular, I have been impressed with the Demarc Sentarus software which leverages the Snort IDS engine to provide a highly-functional IDS/IPS solution while using a very nice Web-based interface to manage it.

While not all inclusive, these recommendations will provide a solid foundation in ensuring that your network perimeter is secure.


More from Wes Noonan

  • The weakened state of the network perimeter
  • Eight ways to protect Windows from perimeter threats
  • Five steps to control network access

  • This was last published in January 2005

    Dig Deeper on Network intrusion detection and prevention and malware removal

    PRO+

    Content

    Find more PRO+ content and other member only offers, here.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.

    -ADS BY GOOGLE

    SearchVirtualDesktop

    SearchWindowsServer

    SearchExchange

    Close