Home page logo
/

basics logo Security Basics mailing list archives

RE: Securing a Local Network
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Thu, 15 Apr 2004 14:27:35 +0200

Hi John,

just want to touch on a couple of points:

a linux domain controller would certainly be a possibility, with a
combination of samba/openldap/krb5 you can even simulate ADS. The
implementation costs, however, will be much higher than the
license/implementation costs with a wintendo DC.  

There would be many reasons to put a server in there, you could run
file/patch/auth/anti-virus and more on one machine for that size network. 

As far as AV, I would suggest putting in client-side AV for now, and
planning to expand to a virus-gateway for smtp/http/ftp at some point in the
future. At the moment, I would guess that the risk of getting infected files
from disks is similar to the risk of getting infected stuff by downloading
it. 

Regarding 'a good way to set up a solid base of security' I would recommend
you think about defense in depth, and start with things that will have the
largest impact first. The largest impact will be your DC and AV, which you
have correctly identified. Are you able to audit the router configs
yourself? If not then, add firewall to the 'large impact' items. Otherwise,
you probably can lock your router down tight enough to allow you to wait
with a firewall. (Some people will disagree, but I think that your
priorities are definitely your domain and you anti-virus.) 

If you want to talk in more detail, feel free to email me back.

Cheers,

Chris Meidinger

-----Original Message-----
From: John Roberts [mailto:roberts () tridecap com] 
Sent: Tuesday, April 13, 2004 7:17 PM
To: security-basics () securityfocus com
Subject: Securing a Local Network

I started working as a sys admin at a small company (about 15 
people) and they are starting to think it's time to upgrade 
their network.  Right now it's just 20 computers, running a 
mix of xp and 2000 on a local network, sharing files, with 
almost no anti virus and the only protection from the outside 
world is the NAT that the routers perform.  

I've tried to get the to upgrade to a domain, add a file 
server for backup, get some office wide virus protection and 
maybe even take our email in house, but they've balked at the 
price to setup a legit windows domain.  The main goals are 
access control on the local network and virus / worm 
protection.  I'm suggesting a Windows domain controller to 
enforce access control and then an centralized anti-virus 
product.  Is this enough, and are there other (easier, 
cheaper, more effective ways) to make sure that only the 
people who need to can access the financial records, the 
computer people can access the all computers when they need 
to, and some user decides to download a cute little program 
won't destroy the whole network with a virus.


Is a linux domain controller a solution, considering 
everything else in house is windows?  Is an anti-virus 
solution at the gateway better than an anti-virus solution on 
each desktop?  Basically, what's a good way to set up a solid 
base of network security, which can then be expanded on?

John Roberts


--------------------------------------------------------------
-------------
Ethical Hacking at the InfoSec Institute. Mention this ad and 
get $545 off any course! All of our class sizes are 
guaranteed to be 10 students or less to facilitate one-on-one 
interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of 
in-the-field pen testing experience in our state of the art 
hacking lab. Master the skills of an Ethical Hacker to better 
assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------
--------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault