RE: Security for new small company

From: Gary McKinney (gmckinney@megabits.net)
Date: 01/16/02


From: "Gary McKinney" <gmckinney@megabits.net>
To: <security-basics@securityfocus.com>
Date: Wed, 16 Jan 2002 07:51:56 -0500

There are several options for a small business to obtain inexpensive
protection...

A couple of methods:

1. If you have a small number of machines to protect you can use one of the
private software firewalls on the market (such as BlackICE or ZoneAlarm) and
at least have some filtering in place (if you use the "commercial"
versions - not the free ones - you can also do email attachment filtering).
I personally am using the pay version of the ZoneAlarm software as a
secondary firewall on my machine and have not been hit with any of the virus
attachments to date because of the attachment filtering.

2. Use a SOHO firewall product such as has been previously suggested, although I
would add the WatchGuard SOHO to the list as well. They have released a new
version of their software (firmware) for the product and it has all sorts of
added features you find on more expensive firewalls and is easy to
administer (read: you don't need to have a Master's Degree in Computer Science
to set it up and use it) - it even has the capability to allow remote users
to access the trusted side of the network using IPSec VPN.

3. The least method would be using a Network Address Translation (NAT) router
or Port Address Translation (PAT) router with internal private network
addresses for your network - but - you are relying on your ISP NOT to pass
the private network addresses through their routers to preclude direct hack
attempts (can be done but not as easily as some would lead you to believe - you
have to steal the TCP session to do it)...

I realize most small businesses getting started do not have the capital to
invest in a medium range firewall and the above are suggestions I give a
small business - most can be implemented by someone with a basic knowledge
of firewall security practices for less than $600 or so - of course it is
more expensive if you have someone do the configuration and installation...

Personally I tend to lean towards the WatchGuard SOHO solution myself (and
use one too) as it seems to have the greatest number of features (especially
the IPSec VPN capabilities for remote connections) and it can be set up and
used by most anyone (uses a web-based configuration menu or can be remotely
administered through an IPSec VPN link using WatchGuard's remote management
software - but the SOHO has to be configured for that first since there is a
shared pass-phrase used for the IPSec key generation)...

Of course - all of the above is for naught if things are not configured
correctly - even on the big firewalls....

just food for thought...

Gary N. McKinney, WGCP

> -----Original Message-----
> From: Vachon, Scott [mailto:Scott.Vachon@Paymentech.com]
> Sent: Monday, January 14, 2002 12:38 PM
> To: security-basics@securityfocus.com
> Subject: RE: Security for new small company
>
>
> >In regards to your statement about a netgear router. A device that does
> >nat and port forwarding is not a firewall.
>
> It is not a "true" firewall, though it is marketed as one.
>
> > Easily hackable.
>
> Can you point us to evidence to support this statement ?
>
> >There is no rulebase in one of those things.
>
> Not true. The Netgear routers do allow one to implement a rulebase via the
> CLI.
>
> >You could easily get the cisco pix or as I prefer a checkpoint FW1 for
> >small business. I am very big on checkpoint and it has got a lot more
> >features than a cisco pix.
>
> Easily get? You are assuming that a small business can:
>
> 1) Afford a PIX or Checkpoint FW
> 2) Afford training so as to properly administrate devices from #1.
> 3) Afford to hire a person proficient on #1.
>
> IMHO, a small business could do very well with one of the SOHO NATting
> devices. They could further enhance the protection by ensuring all the host
> systems have the latest patches, and up-to-date anti-virus
> software running.
> Yes, you are correct that PIX and FW-1 are better but, the key word was
> "small business."
>
> ~S~
>
> Disclaimer: My own two cents !
>


