Home page logo

pauldotcom logo PaulDotCom mailing list archives

Re: [Security Weekly] Small Business Design - Security from Day 0
From: Jamil Ben Alluch <jamil () autronix com>
Date: Tue, 4 Mar 2014 11:53:28 -0500


It all depends on the requirements and priorities of the company - There
isn't one single way to design a SMB network.

The first consideration I would take into account is budget: the reason why
I pick this first is that designing a network with expensive equipment from
the get go is pointless if they don't have the money for it - you can
design the best network in the world, but if it going to cost 100 grand to
the SMB, it might be an issue and you'd have to start over to save costs.

I would also take into consideration userbase and expected growth of the
business in question: do you design for a static business that expects to
remain as it is for a while or something that is expecting to grow its
userbase by 3-10 fold within say 2-3 years? This would probably dictate the
type of appliances and equipment you'd be buying (switches, firewalls, IPS,

The software and equipment is more of details as every business will have
different requirements in terms of data security and security policies.

Is the business in question going to want to run windows workstations and
windows servers?, windows workstations and linux servers? is it going to be
a mixed environment with a bit of everything thrown it? This will define
how you manage your users, and user policies from the server-client (for
example active directory) aspect.

From personal experience, you'd be surprised at the amount of times that
I've seen small business networks being built as home networks and using
only basic off-the-shelf routers as the frontline security and everyone
having access to everything.

Here are some of the guidelines that I follow when I do SMB network design:

   - Use a firewall routing appliance to connect to the internet (I've had
   great success with Endian UTM boxes) - All in one seems to work (drawback
   is that you rely on a single device to ensure security)
   - Split servers and workstations into different sub networks - for
   additional security add firewalls behind the first one and add network
   subnets (more appropriate for bigger sized companies)
   - Use split-split DNS
   - Limit the access and communication to the bare minimum between
   internet facing servers and internal network systems
   - Use Intrusion Prevention Systems and Content filtering when possible
   - For the firewall rules, go from deny all, and allow connections as
   needed, not the other way around
   - Train the users in basic safe internet and information security
   practices - to counter social engineering, viruses, etc
   - Install antivirus on all your workstations, keep everything patched
   and up to date
   - Enforce strong password policy and train people to use them
   - When using WiFi, use a subnet and create allow rules according to the
   - Enforce strong backup policies - while not a security feature, it is
   often underestimated until all hell breaks loose and the company lost 3
   years worth of data.
   - Keep your passwords safe and not freely available to every user (as in
   everyone knows the admin password for the firewall... - I've seen this)

The key idea is compartmentalizing your network and limiting the access as
much as possible and allow only those who should have access; for instance,
if a server is only used internally for serving files  through the SMB
protocol, you're going to allow this server access only on the SMB ports
and allow it external access to get its updates automatically (SMB often
cannot afford to do testing of updates prior to deployment). The other key
element is monitoring and knowing what is going on on your network - here
is where the IPS becomes essential (needs to be configured to match your
the specific signatures you'd be looking for: general attacks, certain
files you may not want crossing the network).

Keep in mind that every response you'll get will probably have a different
approach to your question.

These are some pointers, but covers in no way the full amount of things
that need to be considered/done when implementing a network in a SMB. The
design also depends greatly on the requirements of the company and the
money they can invest in setting up a network (Equipment, installation,
consulting fees, wiring, etc...). It all depends on what needs to be done
and what type of operations are being conducted at the desired network.

There are great documents out there on basic security policies that can be
applied to businesses of any size; I would take a look at the NIST
documents which are a good reference; PCI standards also provide a good
overview of what should be done (although it's efficiency is debated as of
late). Plenty more if you google for it

Hope this helps a bit.

Good luck

*Jamil Ben Alluch, ing. jr, GCIH*
*Information Technology & Security Consulting*
jamil () autronix com
+1-877-564-7656 e.123

On Sun, Mar 2, 2014 at 3:57 PM, systmkor <systmkor () gmail com> wrote:

Dear All,

If tomorrow you were given a small programming/hardware startup network to
architect, with a couple of months before it would be built, how would you
architect it? What would be your priority list of things to do? What key
software, processes, policies, or services would you utilize. I understand
this is a big question but any reply would be appreciated.


securityweekly mailing list
securityweekly () mail securityweekly com
Main Web Site: http://pauldotcom.com

securityweekly mailing list
securityweekly () mail securityweekly com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]