Hi, first time posting here. Regularly watch the Tek Syndicate videos and have been following the forums for a while.
I look after the IT services for a small business and have a question regarding the security of my office network. I would like advice as to whether or not I should be investing in a hardware-based firewall/UTM, i.e. Sophos or something like a UniFi Security Gateway. Also, are there any security benefits to implementing a Windows Domain Controller?
Our IT setup consists of the following:
- 10 Client laptop computers - Windows 10, Bitlocker encryption
- QNAP NAS for local storage and file sharing - Webdrive client software for syncing user folders
- Office365 hosted Email and SharePoint
- Symantec Cloud Hosted Endpoint Protection - SBE
- Local network consists of all computers cabled back to an unmanaged switch with ISP provided router/modem.
Investing in a Firewall/UTM would be a great idea. Your budget will determine what you can afford. I do not have any experience with Sophos, however I do have experience with PFsense, Untangle, VyOS, Cisco ASA and Fortinet. Since you run services for a small business you are probably familiar with the licensing features of certain brands. Having a dedicated Firewall/UTM would be a win/win. It's added security at the network layer and, depending on the flavor of the device, it can give great flexibility for the business to use more secure services as well. If you are operating on a small budget and are familiar with Linux, then I would suggest taking a look at PFsense, VyOS, and Untangle. If you have a bigger budget then don't be afraid to look at Cisco, Juniper, and Fortinet. There is a list of benefits of having AD services for a local network.
- First level user authentication to use network shared resources like networked drives, ntfs shares, etc.
- Secure centralized location for user credentials
- Added workstation security, i.e. (locking USB ports, disabling cmd prompt/PowerShell, user program granularity, forced password updates)
- Better granularity for user groups, i.e. (Admin user group, Standard user group, Guest user group)
- Able to set parameters on NTFS and group policies for file sharing.
I hope you find this useful, although it isn't very detailed information about the two topics. There is plenty of information out there that will help you with your decision when making a choice. Good luck with your business!
Setting up a firewall and/or Active Directory isn't so much about security per se. It's about control. User control, for that matter. As already said by allent8246, you gain the benefit of more or less control over your users by joining the clients to a domain. Also the admin gains the ability of a more centralized management of the mentioned users. I have no experience with Cisco, Fortinet or Juniper devices (besides a few switches) but I can tell you that the Sophos UTM appliances integrate nicely into any Active Directory. I suppose that many of the laptops also get used at home? Then there's a reasonable chance to make the admin's life easier with a Sophos appliance for centralized VPN management. The other network and web protection capabilities depend on the budget you're allowed.
Thanks for your replies, that's very helpful advice. I will do some research into PFsense as I'm not familiar with it but have heard it mentioned a few times.
Good to know Sophos works well with Active Directory. Sounds like I'm definitely best to go with a firewall appliance and switch over to a Windows domain environment. I'll start shopping around for a low cost 1U server.
Phoenix323 - Staff are definitely operating their laptops at home, coffee shops, airports and just about everywhere else. Most staff are using either laptops or Surface tablets. Can I configure an always-on VPN solution? I just don't see staff connecting to the VPN themselves unless they have to in order to access resources not in their user folders being synced through Goodsync when they return to the office.
I do not know of any always-on VPN service installed on clients. You most likely will have to have a VPN server of some kind, like a firewall (Sophos, PFsense, Cisco, OpenVPN server), which also would have a corresponding client program to be installed as well, like the OpenVPN client. OpenVPN is a feature that can be installed in PFsense. If you went the OpenVPN server route then you would be configuring an actual server OS that is based on Linux.
The Sophos appliances give you multiple options for how to set up a VPN connection. It supports SSL and IPsec with IKEv1 and IKEv2 and L2TP. So technically there's no need for extra client software. But control- and security-wise it's not recommended to save any credentials and automatically start the connection. If anyone manages to gain access to the running machine your business data is at risk. Using a certificate with a PIN is the safer way.
You know, I had completely forgotten about those security options. If any of the workers are telecommuting from their houses then having a SOHO router configured for site-to-site with the main office would be the best bet, for working from home that is. Just as Hungryalpaca stated before, the employees are using the devices at home, in coffee shops, and airports. They will probably be Windows machines, so you can use the Windows VPN setup wizard to configure the VPNs with proper configs, and should be good to go for VPN usage. There might be a mixture of Windows 7/8 machines, so the setup process should be very similar if not the same. There is still the problem of saved credential information on the target machine, whether the person is using third-party software or built-in OS functionality. For the remote clients to reconnect automatically means that the OS is pulling config information stored locally on the drive somewhere. The means of compromise would be harder, seeing that if the target person/machine frequents a coffee shop often then the attacker would have to use a USB-like device to execute code to pull the certs, config files, and so on from the target. Then taking it back for decryption, and returning to compromise the system further with the decrypted files. Or the attacker could try a man-in-the-middle attack using the certs that he/she has attained from the target machine to compromise the secure connection entirely, so a second visit to the target machine would be pointless, just as long as they are on the same network. I do agree with phoenix323 that having third-party software installed with the config files is slightly less secure, but in the IT industry you often make trade-offs like this when it comes down to production networks and network security for a business that has remote users, for convenience.
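An added example, not posted by anyone in this thread, of what the two previous replies recommend for the Windows laptops: an IKEv2 profile that authenticates with the machine certificate and caches no credentials, shown next to the weak profile it replaces. It assumes a machine certificate from your CA is already installed, that the Sophos SG is configured for IKEv2 certificate authentication, and that vpn.example.com is a placeholder for the gateway's name.

```powershell
# Added example, not from this thread. vpn.example.com is a placeholder.
$gateway = 'vpn.example.com'

# Weak profile (for contrast only): L2TP over a shared secret, password auth,
# credentials remembered on disk. This is the "saved credentials" risk the
# thread describes; anyone who gets onto the running laptop gets the tunnel.
# Add-VpnConnection -Name 'Office-Weak' -ServerAddress $gateway -TunnelType L2tp `
#     -L2tpPsk 'shared-secret' -AuthenticationMethod MSChapv2 -RememberCredential

# Hardened profile: IKEv2, authenticated by the machine certificate, nothing
# remembered, encryption mandatory. Needs a machine certificate in the local
# computer store issued by the CA the Sophos SG trusts (assumption).
Add-VpnConnection -Name 'Office-IKEv2' -ServerAddress $gateway -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -RememberCredential:$false -Force

# Pin the IPsec proposal so the client cannot negotiate down to weaker ciphers.
Set-VpnConnectionIPsecConfiguration -ConnectionName 'Office-IKEv2' `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# Audit: list any profile on this laptop that still caches credentials,
# so the weak profile above (if it were ever created) shows up here.
Get-VpnConnection | Where-Object { $_.RememberCredential } |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod
```

Run it in an elevated PowerShell on each laptop (or push it through a startup script once the machines are domain-joined); the last command should return nothing.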
Yep. Maybe this is an interesting topic for @Wendell for the enterprise channel :)
Hi, thanks for all your replies, much appreciated.
Just an update on this. I'm meeting with a local Sophos distributor this week to discuss options, but it's looking like I'll go with the SG 115W to secure the local office wired and wireless networks. Still unsure if I need added security above and beyond the existing Symantec software on staff computers when they're working remotely.
I had a look into purchasing a server that would slot into our small office server rack. Local offerings from HP and Lenovo seem a little overcooked for my requirements and on the expensive side, so I'm considering building something myself. Parts list below:
- Supermicro X10SLH-F mATX Server Board
- Procare RK-238B 2U Rackmount Case
- ADATA Premier Series, 8GD316ECC 8GB Memory
- Xeon E3-1231 v3 3.4 GHz, Socket 1150
- Silverstone Strider Plus Series, ST60F-PS, 600W ATX PSU
- Samsung 850 Pro Series MZ-7KE256BW SSD
- Windows Server 2012 R2 Standard, OEM
Uh well, hardware is a whole other beast of a story. You have to consider what exactly you need the machine for, what services it should run, how much redundancy you need in case of failure or disaster, and how much downtime would be acceptable in case of a hardware failure.
IMHO, to give just some basic guidelines, I would recommend not to forego a RAID. At least mirroring should be considered, because if something happens your shiny new server is absolutely useless. Also, only 8 GB of RAM is not nearly enough.