Let's face it: few midmarket organizations have enough money or resources to protect against all security threats.
Therefore, being placed in charge of security might seem like a career-limiting assignment. Before you worry, though, let's take a look at how everyday small-office network equipment can serve as a security appliance and add some defense in depth to our systems.
An everyday router, for example, can be converted into a reasonably effective firewall. Out of the box, a router permits all traffic and a firewall permits none. Neither extreme is practical, so the desired configuration always lies somewhere in the middle. Commercial firewalls do offer additional security features, such as VPN support and packet inspection, but at an additional cost.
I configured a Belkin wireless router as a small enterprise firewall for my home network. It's remarkably robust, supports a dozen devices (including Windows XP, two flavors of Linux, Windows CE, and a Wii), and makes my IP address completely invisible to a ShieldsUP! scan from www.grc.com. Not bad for $34.99. Just about any brand of router will offer similar capabilities, but I'll use mine to illustrate the concept.
A good approach for developing security solutions is to answer the questions who, what, when, where, why, and how. We must know who is authorized to access the network (by IP or MAC address), what resources they need (Web browsing, e-mail, peer-to-peer), when access is required, where computers may go (URLs, websites), why access should be provided (business rules), and how to enforce this list (that's our configuration task).
- Why should access be provided? This is the most important question. You must first understand the business before you can secure it. Know what information or processes are critical to the bottom line. Find out who should be able to access key resources. Don't waste time or money protecting trash. Get management involved at this stage; their buy-in will help counter complaints when busybodies lose access to data they shouldn't be seeing anyway.
- Who is authorized to access the network? Define which devices should be permitted access to your network. Are they wired or wireless? Do you have frequent visitors who use your network, or is it the same cast of characters every day? (If you have visitors, I recommend that you set up a separate subnet that goes directly to the Internet and doesn't permit access to any internal systems.) Collect a list of MAC addresses of known devices (don't forget that most laptops have two: the wireless card and the Ethernet card), and enter them into the "MAC Address Filtering" rules of your router. When you turn on MAC address filtering, you effectively block all other devices from accessing your network. (Don't forget yourself; it's rather embarrassing when the security "expert" locks himself or herself out.) You can also "tighten down" your DHCP network by specifying a maximum number of IP addresses. Defaults are usually 50 or 100; make it only what you need.
- What resources can be accessed? This is the key firewall question. What ports (both inbound and outbound) do you need open? If you're not running a Web server behind your router, block ports 80 and 443 inbound. If your Microsoft network doesn't extend beyond the router, block 445. Let everyone know you're compiling a list of approved applications and associated ports, and will block all the others. If a legitimate application breaks, users know whom to call. If someone asks for port 3724 to be reopened, it's a good bet he's playing World of Warcraft on company time. Cheaper routers limit you to a handful of port blocks, so complete granularity might be elusive. Blocking outbound traffic is important, especially if you have laptops that travel outside the firewall. Botnets sometimes communicate on unusual ports; an infected machine remains benign if it can't call the mother ship for instructions. (Note that many newer attack tools use port 80 to sneak past security controls.) At a minimum, permit outbound 53, 80, 110, 443, 1024-1035. Don't forget 995 if you use Gmail's POP service.
- When is access required? If employees routinely leave at 5 p.m., create a rule that denies Internet access after 6 p.m. until the next morning. A disgruntled employee or cleaning staff will have no means to download or misuse systems after hours. For home use, it's a good way to ensure Junior doesn't stay up all night playing computer games. Pick a bedtime, and shut off access after that. Make sure that, if there's a big proposal due, you don't inadvertently lock out the late-working staff. (Most routers permit remote configuration, but tread very carefully here. If you can access your router from home, so can the bad guys.)
- Where are machines allowed to go? Knowledgeable network administrators use a DNS "black hole" list that prevents users (or malware) from accessing known bad sites. The website malwaredomains.com maintains a list of thousands of known "evil" addresses, but that list changes daily. Your simple router can't manage a list that large. A combination of policy and awareness may keep most users away from the danger, but some sites are too tempting to resist. I'm referring to webmail, of course. If you filter inbound e-mail traffic for viruses and malware but permit users direct access to AOL or Yahoo! mail, you may be asking for trouble. Blocking the most popular webmail sites is likely to prompt grumbling, so let senior management make this call.
- How will you enforce your firewall rules? Take the time to learn the capabilities of your equipment. Read the manual or check online help. Most features are underutilized; in the urgency to get something going, configuration often gets postponed indefinitely.
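As an added illustration (not code from the column or from any router vendor), the six questions above can be written down as a small, testable policy before anyone types rules into a router's web interface. The MAC addresses, hostnames and the 07:00 morning start hour are constructed assumptions; the port numbers are the ones the column names.

```python
# Added example: a testable model of the rule set the six questions produce.
# MACs, hosts and the 07:00 start hour are constructed assumptions, not real data.
from __future__ import annotations

# "Who": allowlist of known device MACs (a laptop contributes two entries).
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:56", "aa:bb:cc:dd:ee:01"}
# "What": inbound ports blocked because nothing is served behind the router,
# and the minimum outbound set the column permits (995 for Gmail's POP service).
INBOUND_BLOCKED = {80, 443, 445}
OUTBOUND_ALLOWED = {53, 80, 110, 443, 995} | set(range(1024, 1036))
# "When": Internet access denied from 18:00 until the next morning (assumed 07:00).
ACCESS_START_HOUR, ACCESS_END_HOUR = 7, 18
# "Where": a short constructed blocklist standing in for the DNS black hole list.
BLOCKED_HOSTS = {"webmail.example", "evil.example"}

def evaluate(direction: str, mac: str, port: int, hour: int, host: str = "") -> tuple[bool, str]:
    """Decide one connection: direction is "in" (from the Internet) or "out" (from a
    LAN device). First matching rule wins; the reason names the question that fired."""
    if direction == "out":
        if mac.lower() not in ALLOWED_MACS:
            return False, "who: MAC not on allowlist"
        if not ACCESS_START_HOUR <= hour < ACCESS_END_HOUR:
            return False, "when: outside permitted hours"
        if host and host.lower() in BLOCKED_HOSTS:
            return False, f"where: {host} is on the blocklist"
        if port not in OUTBOUND_ALLOWED:
            return False, f"what: outbound port {port} not on the approved list"
        return True, "allowed"
    # Inbound: cheap routers offer only a handful of port blocks, so this side is a
    # blocklist rather than an allowlist, as the column describes.
    if port in INBOUND_BLOCKED:
        return False, f"what: inbound port {port} blocked"
    return True, "allowed"

def audit(records: list[tuple]) -> list[str]:
    """Run (direction, mac, port, hour, host) records through the policy; one line per denial."""
    denials = []
    for direction, mac, port, hour, host in records:
        allowed, reason = evaluate(direction, mac, port, hour, host)
        if not allowed:
            denials.append(f"{direction} {mac or 'internet'} port {port} {hour:02d}:00 denied: {reason}")
    return denials

if __name__ == "__main__":
    SAMPLE = [  # constructed records, not real traffic
        ("out", "00:11:22:33:44:55", 443, 10, "www.example"),   # normal browsing
        ("out", "00:11:22:33:44:55", 3724, 14, ""),             # the port 3724 request
        ("out", "de:ad:be:ef:00:01", 80, 11, ""),               # device not on the MAC list
        ("out", "00:11:22:33:44:56", 443, 22, ""),              # after hours
        ("in", "", 445, 3, ""),                                 # SMB from the Internet
    ]
    print("\n".join(audit(SAMPLE)))
```

Running the file prints the four denials from the constructed sample, each tagged with the question whose rule fired, which is the line the help desk can read back to a caller.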
Master the fine points of what you've already purchased, and you'll become a hero in tough economic times.
G. Mark Hardy is President of National Security Corporation, and is the author of more than 100 articles and presentations on information security.