Monday, 26 May 2008
In my last post I talked about securing a simple workgroup network aimed more at sharing an internet connection than sharing data. In this post I'll discuss securing a more sophisticated network which is the next step up.
Once the business needs to regularly share information between employees then a simple workgroup can become a disadvantage as users require more than one username and password as they access the data stored on the individual machines. When this happens a server is the obvious solution. A Windows Server sat in the corner of the office (or a separate room) acts as a central repository for company data, but it also provides a network wide security layer. It does this by providing the means to identify and authenticate users across the whole network, this means that a user need only have one username and password to remember to access any machine on the network
This server based security layer also means that it is relatively easy to allow only certain users to have access to certain areas of the network. Thus if a junior member of staff has no reason to have access to the company business plan or accounts (for instance) then he or she can be denied access to the folders where that information is kept.
However, having the ability to authorise and authenticate users on the network doesn't obviate the need for other security measures, in some ways it makes it more important. More than likely the users will require access to the internet, if that is the case then having a firewall between the local network and the internet is just as, if not more, important. With a central repository for the data (i.e. the server) it is even easier for an intruder to find and copy/delete vital company data, were an intruder to acquire a users password then without a firewall it is quite likely that remote access to the network would be granted.
In addition to a firewall anti-virus software is also every bit as important and it must be up to date. If needed there are network management tools available which can check the anti-virus software and ensure that it is up to date before allowing the computer access to the network.
There are many different kinds of threat on and from the internet and it is evolving all the time. As the number of users grows it will become increasingly likely that the firewall supplied with a broadband router is no longer up to the job, this could be from something as simple as not being able to cope with the demands placed on it by all the different users or it maybe that new abilities are required that the router can't supply. At this point the next step up would be a dedicated internet security appliance.
There are many types of appliance, but here I am only concentrating on firewall appliance. Such an appliance must provide a more sophisticated firewall which inspects the traffic passing through it more deeply and is thus able to detect and rebuff more threats, it should also have more flexibility to define more complex rules for what sort of traffic is allowed in and out. A popular option is to choose a unified threat management (UTM) appliance, which is an appliance that allows for the protection of the network from more than one type of threat.
With a UTM appliance acting as the gateway to the internet, the business gains not just a more sophisticated firewall but the ability to cover other types of threat depending upon the specification of the appliance chosen. Many offer the ability to block certain undesirable web sites (unfortunately a very real need, as it seems an employer must increasingly nanny it's employee's and protect them from themselves), with annual subscriptions available to keep the black lists up to date. Some appliances also provide an anti-spam capability but inspecting emails as they come through, again subscriptions are normally required to keep the black lists up to date. While others provide gateway anti-virus capabilities by analysing the network traffic and attempting to identify any that might contain a virus. Not forgetting those appliances which insist on client anti-virus software being installed on any machine making use of it and blocking those that don't have the software installed or are not up to date.
Hopefully, those of you who have read this article will at least pause for thought as you consider the decisions that need to be made as you look at upgrading your network. But I thought I would finish by giving a few bullet points to show what I'm looking for in a security appliance that I would choose:
Does such a device exist? In short, yes, contact us if you'd like to know more.