Networks need Multi-Faceted Protection

Owners, executives, and financial officers do not like to spend money unless they can understand the absolute need for spending those dollars.

However, the hardest part of consulting for a business’ network security is to convince these people to spend money on a solution for which they cannot see a tangible result of that expenditure.  They are asked to spend money on something you hope they will never need, i.e. protection against the failure of their network due to a security breach or virus and spyware activity.  If they never see a problem, and never experience a failure in their network, they wonder why the money was ever spent in the first place.  However, if they experience an attack on their network because it was not well protected, the questions immediately begin, such as, “How is this allowed to happen?”, “How come we don’t have something in place to protect us from this?”, and of course, the dreaded “Have you ever considered what you would do after this job…?”.  It is a Catch-22 of sorts.

The second hardest part of consulting for a business’ network security is to convince these people to spend money on more than one solution when those solutions seemingly give the same type of protection.  But multi-faceted protection of a network is required to close as many holes as possible and block the greatest number of threats from breaching your network security.

In any typical network, there are a number of threats that need to be addressed.  The ones I want to discuss in this post have to do with protection from some outside entity.  Let’s assume for this post that internal security is already under control.  I will cover internal security at another time.  From outside your network, there are three broad categories of threat by which networks can be compromised: hackers, viruses, and spam.

The difficult part to understand is that these threats all overlap each other in a multitude of ways.  For example:

  • Hackers can directly attack business firewalls to try to breach that device and gain access to internal devices.
  • Or hackers can create viruses or spyware that are used to breach a particular target network from the inside.  For that virus or spyware to do its job, it needs to somehow be installed on a system inside that network.
  • Viruses can automatically spread themselves to other systems that they can reach.
  • Or viruses and spyware can be inserted into email that is sent into a network through the email system.  A user can click on something that installs that virus or spyware.  Then the virus could spread.
  • The virus may tell a hacker that it is ready to be used for some attack.
  • Or a virus may simply be something that a goofball created to just be destructive with no attempt to breach security at all, but to simply wreck someone’s day.
  • Spam is just an unfortunate way to fill up Internet bandwidth with useless information, typically disguised as advertisements.  The spam itself may be legitimate advertising.  Or the content of a spam mail may be free of viruses, but it may include a link to a site on the Internet that, when clicked, does attempt to infect a PC with a virus or spyware program.

As you can see, the overlap can be quite extensive, and the ways these pieces interact can be combined in still more ways to breach a network.  No single solution is 100% foolproof in protecting your network.  Indeed, every solution is only a single part of a larger plan to protect your entire network, and even then, your network is still not completely 100% protected.  It may be close, in the range of 99%.  In fact, that always makes it a harder sell to the executives.  How can they approve the purchase of three or four solutions that protect your network from the same sorts of attacks from different standpoints, and still NOT be 100% protected?

Well, it is because the methods used by hackers, viruses, and spam creators are always changing.  They find new security holes in the operating systems of computers, servers, firewalls, routers, scanners, filters, web sites, and other devices, exploit them, and gain new ways to get access to a system.  There is always a short lag between the time a particular security hole is found and exploited and the time it is researched and plugged by the developer of the device.  It is in these moments that the 1% of possibility can creep in and cause you trouble.

Luckily, it may seem that the days when an entire network could be brought to its knees by a single virus attack are over.  But just because such attacks haven’t been seen since the early 2000s doesn’t mean they won’t happen again.  And it is still very common for an exploit to be discovered, a virus to be installed, or a link to be clicked on by a particular user, and for that system to become trashed as a result.  If it is Jane or John Doe’s PC, it is not usually a show stopper.  But if it is Jane or Joe Boss’ PC, it can still become a network emergency, even if no one else knows it ever happened.

So what do you do to try to achieve that 99% of protection?  Following are the recommended types of protection that should be treated as an ongoing investment in the continued protection of the network.  These are typically subscriptions that need to be renewed on an ongoing basis, indefinitely, for as long as the network needs to stay safe from the threats I have mentioned.  Allowing a particular product’s functionality to lapse can drop your 99% of protection to somewhere in the 70%-80% range.  Allowing another to lapse would drop your protection by another 30% or more.  At this point, you might as well turn off the remaining protective measures, as they are not going to help much in defending your network.

Antivirus, Anti-spyware, Spam protection on every workstation

There are a multitude of products available for protecting workstations from the various types of threats.  Some products are meant for corporations and allow centralized control, management, and monitoring, while others are just standalone products that must be maintained manually at each system. Some cost money, and others are free.  Some do a good job and some do a poor job.

Currently, my recommended product for protecting the workstation from many of the common hacker, virus, and spyware attacks is Symantec Endpoint Protection.  The main reason is that I have worked with this product for over 15 years as it has gone through its growth and improvement.  Most of my clients are already running it.  It is a centrally managed product that allows system-wide rollout of new versions of the product.  The centralized management console keeps track of who is up to date, who is not, who is infected, what threats have attempted to infiltrate the network, and where each attack came from.

Of course you can invest in any product that your research shows to be favorable, but you should probably avoid the free offerings.  Many of them work well, but they are administratively heavy since there is no central management and monitoring involved, meaning the administrator must do an awful lot of footwork to keep the product updated on the systems, to verify that automatic updates occur regularly, and to spot check that systems are kept clean.

Call NMJ Technology LLC today to learn how Symantec Endpoint Protection can start protecting your workstations.

Antivirus, Anti-spyware, Spam, and Firewall protection on every server

Server protection is just as important as workstation protection.  Luckily, since one of the greatest threats to a computer system is a user clicking on things they should not have, and servers generally do not have users working directly on them, the possibility of attack on a server is lower.  However, infected files that users download can be stored on servers, and viruses that spread themselves through the network can infect servers.  So the protection of the server cannot be overlooked.  In fact, losing a workstation to a virus is a nuisance; losing the server to one is a disaster.

The recommended Symantec Endpoint Protection product protects servers just as well as it protects workstations.  Call NMJ Technology LLC today to learn how Symantec Endpoint Protection can start protecting your servers.

Workstation and Server Firewall protection

Workstations and servers have a built-in firewall, which should be used.  Firewalls help protect against hackers, rogue programs, viruses, and other threats accessing workstations, essentially by denying “Inbound” network communications on “ports” that are not in use or needed on the system, or by allowing inbound communications from specific devices while denying the same inbound communications from unknown devices.

Firewalls can also block communications from the computer or server that are “Outbound” to some other device.

Firewalls can cause some headaches for administrators, as they can block legitimate communications as well.  Many times, network administrators turn off the firewalls globally because they might interfere with these communications; it is easier to just turn them off, thinking “I have a corporate firewall to protect us, right?”.

The right thing to do is to keep the firewalls active and fix the communications.  Nowadays, firewall configuration takes into account the common communication needs and opens the needed ports automatically.  Most also have simple tools for opening more ports you may need for a specialized application.

A product such as Symantec Endpoint Protection has a firewall component built in.  It is typically easier to turn off the firewall provided by an add-on product and use the firewall built into the OS of the workstation.  But either one is effective.  Just be sure not to run BOTH, or you will create administrative pains for yourself.
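As an added example (not code from the original post or from NMJ Technology), here is the host-firewall posture described above applied to a Windows workstation or server with the built-in Windows firewall cmdlets, assuming the OS firewall rather than the Symantec firewall component is the one you chose to keep on; the application name, port and client subnet are hypothetical placeholders.

```powershell
# Added example: keep the OS firewall on and fix the communications instead of
# turning the firewall off globally. Run from an elevated PowerShell session.
# Assumes the Windows firewall is the single host firewall in use (not SEP's).

# 1. Every profile enabled; unsolicited inbound blocked by default, outbound
#    allowed. This is the "deny inbound on ports not in use" rule from the text.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# 2. For a "specialized application", open only the port it needs and only
#    from the devices that need it, rather than disabling the firewall.
#    Hypothetical values: rule name, TCP port and approved client subnet.
$ruleName      = 'Line-of-business app (hypothetical)'
$appPort       = 8443
$allowedSubnet = '10.0.10.0/24'

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $appPort `
        -RemoteAddress $allowedSubnet -Action Allow -Profile Domain
}

# 3. Audit: list every enabled inbound Allow rule with its ports, so rules
#    added "just to make it work" get reviewed instead of piling up unnoticed.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $portFilter.Protocol
            LocalPort = $portFilter.LocalPort
        }
    } |
    Sort-Object Rule |
    Format-Table -AutoSize
```

Re-run step 3 after any application rollout; an inbound Allow rule with LocalPort "Any" and no remote address restriction is the kind of exception the text warns against.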

Call NMJ Technology LLC today to learn how firewalls can be used to protect your workstations and servers.

Corporate Firewall

I mentioned the “Corporate” firewall above.  In general, all networks that have multiple devices on an internal private network connected to the Internet by a single device inherently have a firewall that protects that entire network.  We call this the corporate firewall, as it protects the entire business’ network and all devices on it from direct communications from the Internet by hackers and other threats.

Just like the workstation and server firewall, the corporate firewall allows only the types of communications needed to keep the business running and blocks all other communication attempts.  The firewall also allows or disallows “Inbound” and/or “Outbound” communications from the network to the Internet, or vice versa.

My recommended device for use as a corporate firewall is the Cisco Adaptive Security Appliance, or ASA.  The likely models for most of my clients would be the ASA5505 or ASA5510.  The larger the network, and the more people simultaneously needing access to the Internet, the larger the ASA model that should be employed.

Out of the box, the ASA does not directly protect against threats such as viruses or spyware.  But there are products that can work in conjunction with the ASA to offer that type of protection.  I typically do not use the products that “plug” into the ASA.  I will just let the ASA do its first job only, and use another product to handle virus and spyware protection.

The ASA does almost nothing for spam protection at all.

Another perk is that the ASA supports a very popular form of Virtual Private Network, or VPN, to allow secure remote access to the network from remote locations by those authorized to do so.

Call NMJ Technology LLC today to learn how a Cisco ASA can be used to protect your corporate network at the gateway.

Web Filtering

Web filtering is a method of inspecting what users are doing on the Internet.  It will actually inspect every request a user makes with their Internet browser, or with any other product or application that makes direct requests to a site on the Internet, decide whether that user is allowed to go to that site or not, and allow or block the request accordingly.

In addition to providing this “policy enforcement” of allowed sites, these web filter products will typically also block those sites known to be bad, spammy, virus-laden, dangerous, or otherwise lewd sites on the Internet.  They will categorically block sites that are known to be sexual or violent, or that are known for spreading viruses and other threats.

At the very least, these devices can simply monitor what people are doing for the purpose of audit, without blocking at all.

In addition to blocking sites, these devices will typically scan for virus and spyware attack attempts, so that even with antivirus protection loaded on a workstation, a virus may be caught by the web filter device when someone clicks a bad link, before the virus ever reaches the workstation.  Again, this is a case where a redundant form of protection is provided by separate products from different points of view.

Currently my recommended product for web filtering is the Barracuda WebFilter line of products.  This device sits between your network switch and the corporate firewall, monitors all communications between the network and the Internet, and enforces the rules that you set up for your corporation.  Most of my clients would need a Barracuda WebFilter 210 or WebFilter 310 to handle the typical load for their network.  Again, the larger the network, and the heavier the load of Internet traffic, the larger the device that should be selected to handle that load.

Call NMJ Technology LLC today to learn how a Barracuda WebFilter can protect and monitor your corporation’s Internet usage.

Spam Filtering

Even with all this protection in place, there is still a threat from a virus or spyware infestation from a source that is permitted to enter your network on a regular basis, via email.  According to “Spamhaus.org”, the definition of SPAM is as follows: “An electronic message is “spam” if (A) the recipient’s personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (B) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent.”

Most spam is harmless from the standpoint of content.  However, spam makes up a staggering 90%-95% of the mail transferred between almost every known mail server on the Internet, compared to legitimate email.  This means that if it is allowed to enter your network, and subsequently reach your mail server, your devices will have expended some amount of processor time dealing with that useless traffic.  Your firewalls and network bandwidth would also be wasted processing that traffic at the network level.  If you do not have spam protection in place, then 90%-95% of the mail in people’s mailboxes would end up being spam, and the amount of disk space that your mail server needs to hold that useless data is unacceptable.

The further threat is that spam can also carry into your network links, files, or scripts that, if allowed to run, may well be a virus or spyware program that would attempt to infect your network.  Again, this is another case where the overlap in functionality of products lends additional redundant protection from virus and spyware infections.

In any case, you want to stop spam as early as you can, preferably before it even enters your network.  There are devices and products that I am familiar with that can protect the mail server on the inside of your network.

One such product is Symantec Mail Security.  It is a program that runs on an existing server and scans email inbound to the mail server.  In this case, however, mail is allowed to reach the mail server, and then the product scans for the likelihood that it is spam and decides what to do with it.  It may prevent delivery to the user (desired), but it also makes your mail server work harder, as it is still processing the spam mail (undesired).  For this reason, I prefer the next product over this one.

That product is the Barracuda SpamFilter device.  Just like the WebFilter device mentioned earlier, the SpamFilter sits between your corporate firewall and your mail server and intercepts ALL email that is inbound to your network.  Algorithms are run against the email to determine the likelihood that it is spam, and delivery of likely spam to the mail server is prevented.  The mail server never has to process the email.  But your Internet and network bandwidth may still be consumed carrying the spam mail.

Also, in the case of both of these products, there is some administrative work that you must do to fine-tune the products to make the best guesses about what is spam and what is not.  Out of the box, the products are OK at what they do, but you will have cases where some legitimate email gets blocked.

For this reason, my choice for spam filtering for corporations is a hosted service called SecureTide, provided by AppRiver.  There are three reasons this is a great service: 1) it blocks nearly 99% or more of spam and allows 99% or more of your legitimate email; 2) it requires almost no administrative involvement to maintain; and 3) all mail goes to them before it is filtered and sent to your mail server, so your server and network resources never have to process a single spam message.

Call for a free evaluation today at 330-283-6902 or email us at info@nmjtechnology.com.

I have been in the Information Technology Consulting business since 1987. I studied at Kent State University in the field of Industrial Technology with the desire to become an electrical engineer like my father before me. My segue into computer networking was a complete surprise that I gladly accepted as a way to move forward in my experiences. I learned networking from the Novell point of view, and that eventually led me into the Microsoft world, which is where I have become an exceptional consultant. Away from business, I continue to perfect my musicianship and write music. I have a lovely wife, a darling daughter, a super stepson, two cats, a dog, and some goldfish in my pond.