A site reader recently asked Windows Network Security expert Wes Noonan what measures to take and avoid when setting up a network perimeter for a smaller shop. The following is Wes' expert response.
In setting up a network perimeter, one of the most important things to do is keep it simple. In security there is often a tendency to over-architect a solution that becomes impossible to maintain. Remember not everything needs to be protected like Fort Knox -- especially if you aren't able to maintain it 24/7, as is so often the case in smaller shops.
I recommend implementing a perimeter firewall solution that has the ability to grow to support a DMZ if you determine that you want one in the future. The Cisco PIX, Netscreen and Nokia/CheckPoint firewalls all make good solutions in a small environment. They are small, self contained and generally do not require a high level of expertise to install and maintain.
When you implement the firewall, don't forget to filter what traffic you want to allow out of your network. By default most firewalls allow no traffic to come in, but they have no restrictions on what traffic can go out. If you allow your users to connect to external POP3 or SMTP servers, for example, you provide a mechanism for unauthorized traffic to enter your network. Determine what your users need to be doing on the Internet, and only allow them to connect using those protocols.
I would also encourage you to take advantage of your Internet router's ability to perform filtering and lock it down accordingly. Make it the first component of your firewall system, with the actual firewall appliance residing behind it.
Another aspect of perimeter defense is to control the traffic coming in and out of your network. As spam and viruses easily propagate over e-mail, you should implement some form of e-mail filtering software on your SMTP gateway. This will make it much easier to keep virus outbreaks from infiltrating your network since you only need to maintain a single point of entry.
If you perform the above, you will have a solid network security perimeter.
If you want to be even more secure, also consider implementing content filtering and intrusion detection and prevention functionality. Content filtering will give you precise controls over what your users are permitted to do over the Internet. SurfControl and Websense both make excellent content filtering software. For intrusion detection and prevention in a small environment, the key is simplicity. IDS/IPS products can be very time consuming to install, maintain and update. As a result, they are practically beyond the means of many small environments. However, vendors have begun to recognize this problem and they are making products with simpler and more intuitive interfaces that allow people who are not necessarily IDS/IPS experts to take advantage of the solution. In particular, I have been impressed with the Demarc Sentarus software which leverages the Snort IDS engine to provide a highly-functional IDS/IPS solution while using a very nice Web-based interface to manage it.
While not all inclusive, these recommendations will provide a solid foundation in ensuring that your network perimeter is secure.
More from Wes Noonan on SearchWindowsSecurity.com