Securing Your Network from Scratch

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Dec 20, 2006 2:21 am

Securing Your Network from Scratch

Scenario: Budget-minded startup of 5 people expands from garage operation to a new office building with the hopes of growing to 20 employees in 2007 and 100 employees in the next 2 years. The building has nothing. You can decide exactly how to set up their network infrastructure including ISP, security devices, routers, switches, workstations, servers, etc.

Question: What would you recommend for hardware devices, brands, configuration, etc. for a $20,000 budget, a $100,000 and a $1,000,000 budget. Submit an answer for one or all budgets. Don't be afraid to get creative.

Things to think about include... Would you use an IPS? Would you recommend setting up 2 firewalls and a DMZ? Patch management? Would you get an all-in-one box with router, firewall, IPS, etc.? Do you find a directory service like Active Directory necessary? Macs, Vista, Red Hat?

Think of this as though it was YOUR company using YOUR personal money.

Let the debate begin...

Don
CISSP, MCSE, CSTA, Security+ SME

Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Wed Dec 20, 2006 2:04 pm

Re: Securing Your Network from Scratch

You've left out the most critical piece of info: what does this company do? Do they make plastic children's toys or top-secret military equipment?
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Dec 20, 2006 2:35 pm

Re: Securing Your Network from Scratch

Good point. My idea was to have an exercise that would benefit the most people. So let's just keep it simple and say that it is a consulting company with no products or manufacturing. Nothing top secret, but they do have private co info and handle private info for clients. It's not a public company and not a medical facility. Just your average company providing services.

Don
CISSP, MCSE, CSTA, Security+ SME

plik

Newbie

Posts: 31

Joined: Tue Dec 19, 2006 9:32 am

Location: North - UK

Post Sat Dec 23, 2006 8:59 am

Re: Securing Your Network from Scratch

I'll have a pop at this  ;D. Most of this is based on what I know and am comfortable with now; in real life there'd be a lot more training and research into new tech etc.

$20,000 (~£40,000), 5 - 20 users

Servers:
Fairly middle-of-the-road servers: HP DL380 or similar, Win 2k3 R2. Couple of DCs, one file and print, maybe one SQL if needed, one Exchange box, one backup/AV/patch box, one web running Apache 2 on Red Hat and one for Asterisk VoIP.
What's that about so far, £15k inc licences?

Workstations/Desktop:
Bog standard, off the shelf running XP SP2 (I'm not touching Vista with a barge pole for the next year or so), locked down to the point of being almost unusable through AD. Except mine, which would be the top of the line with as much memory as I could cram into it, dual booting XP & Slackware, maybe Ubuntu.
That takes the total up to about £25k.

Infrastructure:
2Mb ADSL moving up to 4 or 8 as needed. Cisco 1700 series router feeding into PIX 515e (probably overkill, but DMZ is so easy with it and it will scale nicely when I need hot failover on a fatter pipe later), 48 port 3560 series for PoE to VoIP phones, one gig switch for servers (may be a Cisco Express as I'm running out of cash now...). All switch ports hard coded to accept one MAC. AC in server room.
That's about me spent up; if there's anything left I might treat my workers to a desk or two, maybe even a chair.

Most of the money spent at this level would be actual kit to get the company running, the security coming mostly from policy and configuration.



$100,000
More of the same, scaling up with the users, maybe letting them have laptops if needed, but if wireless, certificates and RADIUS, EAP. If VPN required by now RSA type tokens. IDS sat somewhere, one in the DMZ first, maybe a second on the internal network.

$1,000,000
Now we're talking! Put half of it to one side, we'll come to that in a second. Probably move a few of the servers to blades, for heat and space reduction, hot swappable/failover everything, two net pipes from different providers. Move some of the services off Windows and on to *nix. Probably buy some nice Macs for the arty types in the design dept. Couple of machines in the networks as honeypots. IPS installed (Cisco self healing network? with the client on the workstations that stops your machine from getting on the network if you're not patched up to the eyeballs - I forget the app's name). OpenView running to keep an eye on things.

The half I put to one side would be given to HR and the legal dept to handle the occasions when we're sued/have to rehire because I've sacked people on the spot for leaving passwords on Post-its, propped open security doors with old power supplies, left hardcopies of confidential info in bins without shredding and generally done all the stupid things that you can't control with technology.
Last edited by plik on Sat Dec 23, 2006 9:03 am, edited 1 time in total.

Kev

Post Sat Dec 23, 2006 9:21 pm

Re: Securing Your Network from Scratch

Nice post, plik! The only thing I would ask is if the group was going to have a full-time admin on board. If so, I would go with as complete a *nix network from the start as possible. Start-up costs would be less and with a knowledgeable admin, it could be made nearly impervious to a breach. If this group only needed the computers for typical office style entries or even advanced graphics editing, this would be perfect.

pcsneaker

Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Mon Jan 01, 2007 12:30 pm

Re: Securing Your Network from Scratch

That is not a question of money. What you need is a concept - and the very same idea can be set up with $10.000,- or $100.000,-, the difference is reliability and the real level of security.

You can set up a system with a DMZ, an IDS, an IPS, firewall, proxy, mailserver etc. using just one Linux-Box - or a bunch of high-end servers, routers and appliances.

All depends on the needed level of security. As Negrita pointed out, you'll certainly not choose the option with one Linux-Box if you need to secure top secret information; the more applications run on one system, the more vulnerable it will be.

But for the scenario Don has described I would definitely go for the one Box solution to start with, it is easy to extend such a system as needed. I think the biggest problem in that scenario is who would be the person to do the job. A startup with 5 people will rarely hire a skilled admin ...
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+
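
The single-box layout with a DMZ discussed in the post above, sketched as an nftables ruleset with three interfaces. This is an added example, not part of any post in the thread; the interface names, the addresses, the published ports and the choice of nftables are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names and addresses are assumptions.
flush ruleset

define WAN = "eth0"        # uplink to the ISP
define DMZ = "eth1"        # public-facing servers
define LAN = "eth2"        # staff workstations
define WEB = 10.0.1.10     # web server in the DMZ

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Manage the box itself from the LAN only.
        iifname $LAN tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ: only the published web service.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept
        # LAN -> Internet and LAN -> DMZ.
        iifname $LAN oifname { $WAN, $DMZ } accept
        # DMZ -> Internet: DNS and package updates only.
        iifname $DMZ oifname $WAN udp dport 53 accept
        iifname $DMZ oifname $WAN tcp dport { 53, 80, 443 } accept
        # DMZ -> LAN: never allowed; log so a compromised server is noticed.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan: " counter drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading the rules. Because both base chains default to drop, each service added to the box later needs its own explicit accept rule.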
