Old 20th August 2016, 22:31   #106
Distinguished - BHPian
 
R2D2
 
Join Date: Oct 2008
Location: Pune
Posts: 3,231
Thanked: 5,742 Times
Re: Best Corporate Firewall?

Quote:
Originally Posted by shashank.nk View Post
At 27k, I can consider investing in this if it'll serve my purpose, however not sure if eBay is reliable.
eBay is reliable as it carries an eBay guarantee. If you are not satisfied with the purchase due to defects, take it up with eBay. That said, do your homework before purchase.

Quote:
If I were to invest either in Sonicwall or any of the firewalls mentioned by R2D2, will it restrict access to sites on employees' mobile phones as well?
Yes, it can, provided the phones are connected through WiFi to your network and you know how to configure the FW software. Firewalls are now configured through the GUIs so there are no more arcane UNIX commands to remember for the most part.

Quote:
Currently, I've disabled Wi-Fi and blocked a whole lot of sites, which has led to grumpy employees since they can't use WhatsApp either.
I've worked for companies with restrictive and liberal internet access policies. It all depends on what you want to achieve in terms of data + network security, bandwidth conservation and customer expectations. You need to formulate your own policies and set your employees' expectations straight.


Quote:
This is a problem for me. Neither I, nor anyone in our firm studied computers to possess the knowledge required for setting up and maintaining commercial grade routers, though I believe this can be outsourced. We rely on Google and some forums to do anything not often done by home users.
Now this is a very important factor in deciding which product suits you. I'd definitely recommend you go in for a commercial firewall product. If you need hand holding either speak to the author's technical support staff and/or consult external network engineers on how to set it up.

Quote:
Absolutely right! I can't afford to lose data, though some downtime is acceptable at the stage and scale we operate now.
I'd bet more on data backups than firewall software if I were worried about losing data. Firewalls are to protect your company's network and equipment from unauthorised external access (hacks), data theft plus restrict access to the internet from the inside. Some firewalls also scan for viruses and trojans, adding intrusion detection capabilities.

Quote:
So in a nutshell, he explained that right now all systems are connected in a peer to peer network which is not so desirable from a security point of view.

He recommended a Linux server but I rejected it right away when he said it may cost upwards of a lakh and based on my understanding of what he explained, it's only required if you have more than 10 systems with need for file sharing, mail server etc.

Then as an alternative, he suggested I invest in a new desktop, more powerful than the existing ones and that would function as a semi server. Something with i5 processor, 16GB RAM, 2-3TB HDD and Windows 10 Pro 64 bit as software. This way all files can be stored only on this computer and backup, restricted access etc. becomes easier.

Is this a good idea? I'm hesitant since I don't think it's a good idea to store all files only on one computer. Also, if I were to buy this more powerful PC, I'll have to configure firewall only on that PC, right?
I am unable to understand why he wants you to buy a new server. Is it for network authentication for e.g. domain authentication plus data storage/backups? You are right in being apprehensive. Putting all your data on one machine is like putting your eggs in one basket. If you follow this person's recommendations I'd strongly suggest you have data backup plans for this machine.

How does this consultant expect you to control internet access from within your LAN with this server? Will it run the FW software? If yes, it's a bad idea. The firewall should ALWAYS be a dedicated box with no sensitive data on it. Your data can reside on another PC/machine behind the firewall.

Last edited by R2D2 : 20th August 2016 at 22:35.
Old 20th August 2016, 23:42   #107
Team-BHP Support
 
Samurai
 
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,832
Thanked: 45,638 Times
Re: Best Corporate Firewall?

What's this server requirement? You need a file server other than firewall?

Data/network security is really becoming a very scary scenario. In the year 2000, there was a TV serial called Dark Angel, starring a young actress named Jessica Alba.

The Premise: The year is 2010, the Internet is dead. It has become a post-apocalyptic world.

I really laughed at the premise in year 2000. I mean how can the world go apocalyptic at the loss of Internet. Now in 2016, when everything is on the cloud and all computers/phones are connected to the Internet, it is reality.

Which means you can't depend on luck. Get a commercial firewall with solid support.
Old 21st August 2016, 13:31   #108
Senior - BHPian
 
shashank.nk
 
Join Date: Jan 2010
Location: Bangalore
Posts: 1,696
Thanked: 1,048 Times
Re: Best Corporate Firewall?

Quote:
Originally Posted by R2D2 View Post
I've worked for companies with restrictive and liberal internet access policies. It all depends on what you want to achieve in terms of data + network security, bandwidth conservation and customer expectations. You need to formulate your own policies and set your employees' expectations straight.
I'm working on this, in a few days we should have a policy which clearly lays down what is and what isn't acceptable Internet Usage.

Quote:
Now this is a very important factor in deciding which product suits you. I'd definitely recommend you go in for a commercial firewall product.
I'd bet more on data backups than firewall software if I were worried about losing data. Some firewalls also scan for viruses and trojans, adding intrusion detection capabilities.
A firewall which also scans for viruses etc. is definitely a bonus. Whatever data I've lost is only due to virus attacks.

Quote:
I am unable to understand why he wants you to buy a new server. Is it for network authentication for e.g. domain authentication plus data storage/backups? You are right in being apprehensive. Putting all your data on one machine is like putting your eggs in one basket. If you follow this person's recommendations I'd strongly suggest you have data backup plans for this machine.

How does this consultant expect you to control internet access from within your LAN with this server? Will it run the FW software? If yes, it's a bad idea. The firewall should ALWAYS be a dedicated box with no sensitive data on it. Your data can reside on another PC/machine behind the firewall.
Quote:
Originally Posted by Samurai View Post
What's this server requirement? You need a file server other than firewall?

Which means you can't depend on luck. Get a commercial firewall with solid support.
So I waited to post this until I'd spoken to him regarding the semi server, what he told me was since data is being stored locally in each system, restricted access, security and backups is tough, instead saving it all on one system helps in easier backups, enabling restricted access to certain folders and also antivirus and firewall can be installed in that one system.

He intends to set up the network such that all internet traffic is routed through the server. So if I understood correctly router--->server--->user PCs

I also discussed my apprehensions about storing all data in one system to which he said he'd add 3 1TB HDDs and one will be reserved exclusively for backups on a weekly basis.
Old 21st August 2016, 14:55   #109
Team-BHP Support
 
Samurai
 
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,832
Thanked: 45,638 Times
Re: Best Corporate Firewall?

That doesn't make sense at all. You really need two things, a solid firewall and a backup solution. Concept of the central file server is very ancient.

We have 70 odd desktops and servers spread across 3 timezones in multiple offices and co-location centers. All the offices and co-location centers are connected to each other via site-to-site VPNs. This is a typical scene in most small companies. Central file server is really an old hat.
Old 21st August 2016, 15:19   #110
Distinguished - BHPian
 
R2D2
 
Join Date: Oct 2008
Location: Pune
Posts: 3,231
Thanked: 5,742 Times
Re: Best Corporate Firewall?

Quote:
Originally Posted by shashank.nk View Post
A firewall which also scans for viruses etc. is definitely a bonus. Whatever data I've lost is only due to virus attacks.
Then you definitely need to formulate Internet access policies and enforce them through a firewall and proxy server.

Quote:
So I waited to post this until I'd spoken to him regarding the semi server, what he told me was since data is being stored locally in each system, restricted access, security and backups is tough, instead saving it all on one system helps in easier backups, enabling restricted access to certain folders and also antivirus and firewall can be installed in that one system.
As long as this server system is protected by a separate firewall appliance it's ok. But the idea of centralised storage is very much passe. And one must have a backup schedule running on the server at least a few times a day that will protect all the work done by your employees.

Quote:
He intends to set up the network such that all internet traffic is routed through the server. So if I understood correctly router--->server--->user PCs
And how does he plan to do this? By using this storage server as a proxy server, I assume? If I were you I'd use separate machines for proxy and file storage purposes.

Quote:
I also discussed my apprehensions about storing all data in one system to which he said he'd add 3 1TB HDDs and one will be reserved exclusively for backups on a weekly basis.
Weekly may or may not cut it. For a company you need to 1st analyse how many files (deliverables and other data) are created and/or existing files changed on an hourly and daily basis. Depending on this you need to set up a backup frequency. Rule of thumb - the more frequent the data creation/changes, the more frequent the backups.

There are different methods of backups (incremental, differential, full, disk imaging, local, centralised, off-site etc.) and a large variety of software to do this. You can read further on the 'net. Since you do commercial work, backups and backup frequency are of prime importance!

Also, remember that firewalls are not foolproof. There have to be multiple layers of security in your local network to deter attackers (hackers and/or viruses and trojans) and to save your data.

So, think of investing in a security solution for your desktops and servers. Windows comes with Windows Defender and a built-in firewall that will suffice for most purposes. But it's your file server that you need to worry about the most given it will serve as a data repository.
Old 21st August 2016, 19:31   #111
Senior - BHPian
 
hserus
 
Join Date: Sep 2014
Location: Chennai
Posts: 4,957
Thanked: 9,162 Times
Re: Calling Networking and Server specialists!

Your first job here is to block torrents - that should be easy enough in commercial firewalls which have readymade rules to block p2p and file sharing.

A cheaper workaround is to set policies on employee machines to not allow them to install, for example, any unapproved software, including BitTorrent, without an admin intervention. Don't let your users log in as administrator or admin equivalent user either.

And limit bandwidth to each client so that no one guy can hog most of the bandwidth.

Check traffic stats to see which MAC address hogs most of the bandwidth, and if any employee uses BitTorrent, fire him. (Of course have HR or yourself if it is a smaller company as it appears, first issue a public warning to all employees that downloading torrents, streaming movies etc. is forbidden).

You could either use a better wifi router that can take custom firmware like OpenWrt or Tomato, which have several such controls. Or go the whole hog and get a Barracuda, SonicWall etc. commercial firewall as others have suggested.

Check what tightening up Windows OS policies can do though.

Also keep a good look out for virus infected machines on your network, they can generate a surprising amount of traffic.

Quote:
Originally Posted by shashank.nk View Post
Hi guys,

Need your help to set up a office network with some restrictions. I have a small office with a BSNL broadband that connects to 5 desktops and 4 laptops. I use a DLink DSL-2750U router and the PCs connect via LAN and laptops via WiFi.

I've used OpenDNS to block access to certain sites after I saw huge amounts of data (>100GB) was being downloaded by some staff and that used up all bandwidth leaving net painfully slow by month end. Most downloads were movies, sitcoms, music, software etc.

So after I configured OpenDNS I observed they now download directly via browsers and OpenDNS doesn't block those sites even though it's set up to restrict access to P2P/File sharing and storage sites. Typically it's a Google search which leads them to sites like moviez.net from where they download.

How do I prevent access to such sites, but at the same time allowing legitimate downloads such as attachments received via mail? Will I need new hardware or can the existing router do it ?
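
Added example, not part of hserus's post and not any router's or firewall's own tooling: one way to carry out the "check traffic stats" step above, totalling bytes per MAC address from exported traffic records and listing clients whose share of all traffic crosses a threshold. The record format, addresses and the 40% threshold are constructed for illustration; totals are keyed on MAC rather than IP because a client's DHCP address can change during the day.

```python
from collections import defaultdict

# Constructed sample records: "<time> <client MAC> <client IP> <bytes down> <bytes up>"
SAMPLE_LOG = """\
2016-08-22T10:00:00 aa:bb:cc:00:00:01 192.168.1.10 1200000 40000
2016-08-22T10:00:00 AA-BB-CC-00-00-02 192.168.1.11 950000000 88000000
2016-08-22T10:05:00 aa:bb:cc:00:00:03 192.168.1.12 30000000 1000000
2016-08-22T10:05:00 aa:bb:cc:00:00:02 192.168.1.27 1400000000 120000000
malformed line without enough fields
2016-08-22T10:10:00 aa:bb:cc:00:00:01 192.168.1.10 5000000 200000
"""


def normalise_mac(mac):
    """Return the lower-case, colon-separated form so one NIC is not counted twice."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def usage_by_mac(log_text):
    """Return ({mac: total bytes}, {mac: IPs seen}, number of skipped lines)."""
    totals = defaultdict(int)
    ips = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        try:
            _, mac, ip, down, up = line.split()   # wrong field count -> ValueError
            mac = normalise_mac(mac)
            totals[mac] += int(down) + int(up)     # non-numeric counter -> ValueError
        except ValueError:
            skipped += 1                           # count bad lines, never guess
            continue
        ips[mac].add(ip)
    return dict(totals), dict(ips), skipped


def heavy_users(totals, share_threshold=0.40):
    """List (mac, bytes, share of all traffic) at or above the threshold, largest first."""
    grand_total = sum(totals.values())
    if grand_total == 0:
        return []
    ranked = sorted(totals.items(), key=lambda item: item[1], reverse=True)
    return [(mac, used, used / grand_total) for mac, used in ranked
            if used / grand_total >= share_threshold]


if __name__ == "__main__":
    totals, ips, skipped = usage_by_mac(SAMPLE_LOG)
    for mac, used, share in heavy_users(totals):
        print(f"{mac} {used / 1e9:.2f} GB {share:.0%} seen as {sorted(ips[mac])}")
    print(f"skipped lines: {skipped}")
```
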
Old 22nd August 2016, 15:24   #112
Team-BHP Support
 
Samurai
 
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,832
Thanked: 45,638 Times
Re: Best Corporate Firewall?

This just in, a new headache for small size companies.

http://indiatoday.intoday.in/technol.../1/745181.html

If an employee connects to torrent website, who are they going to arrest? It is very difficult to find out who it was. Cops will arrest the MD/CEO when in doubt, remember Avinash Bajaj?

https://www.chmag.in/landmark-cases-...indian-courts/

This news made me look for p2p blocking option in my own Sonicwall TZ105. I see it here, part number is 01-SSC-4844.

Last edited by Samurai : 22nd August 2016 at 16:12.
Old 22nd August 2016, 19:27   #113
Senior - BHPian
 
hserus
 
Join Date: Sep 2014
Location: Chennai
Posts: 4,957
Thanked: 9,162 Times
Re: Best Corporate Firewall?

Given the abundance of carrier grade NAT that is poorly implemented, so end users get RFC1918 (private) IPs to NAT yet further if they share the connection - finding the perp is tough to impossible.

After that, there's the little matter of getting timestamps correct.

http://epaper.timesofindia.com/Defau...0100&AppName=1

Some fellow in Pune posted whatever comments about Shivaji, so that Sena activists rushed to the cybercrime police back when 66A was still in force.

The Pune cybercrime police sent in a warrant with the IP address and time of the offending post, but forgot to specify AM or PM in their warrant.

Airtel, whose IP address it was and so whose user had posted the comment, forgot to ask the police, and so purely by guesswork they came up with the particulars of some random fellow in Bangalore whose only acquaintance with Shivaji would have been in school history books or Amar Chitra Katha.

This Bangalore guy was hauled in and kept in Yerewada Jail Pune for 50 days before the police figured out that a mistake had been made and released him. Lost his job, developed kidney stones etc etc but was awarded a mere 2 lakh rupee compensation by the courts.

This was in the early days of cybercrime prosecutions in India, and to be very fair I know several police officers who are much more up to date on such issues but still light years behind their counterparts from other countries - where I met at a security conference, for example, a detective sergeant who has two PhDs in computer science, compare that to the education levels of our local hawaldars.

Quote:
Originally Posted by Samurai View Post
This just in, a new headache for small size companies.

http://indiatoday.intoday.in/technol.../1/745181.html

If an employee connects to torrent website, who are they going to arrest? It is very difficult to find out who it was. Cops will arrest the MD/CEO when in doubt, remember Avinash Bajaj?

https://www.chmag.in/landmark-cases-...indian-courts/

This news made me look for p2p blocking option in my own Sonicwall TZ105. I see it here, part number is 01-SSC-4844.

Last edited by hserus : 22nd August 2016 at 19:28.
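
Added example, not part of hserus's post and not any ISP's actual tooling: why a request giving an IP address and a clock time without AM/PM cannot be mapped to one subscriber, and how a lookup can report that instead of guessing. The lease records, subscriber labels and documentation-range addresses are constructed, and all times are assumed to be IST.

```python
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # assumption: logs and request both use IST


def ist(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=IST)


# Constructed lease log: (public IP, lease start, lease end, subscriber label)
LEASES = [
    ("203.0.113.7", ist("2016-08-22 00:10"), ist("2016-08-22 09:40"), "subscriber-A"),
    ("203.0.113.7", ist("2016-08-22 09:45"), ist("2016-08-22 23:50"), "subscriber-B"),
    ("203.0.113.9", ist("2016-08-22 00:00"), ist("2016-08-22 23:59"), "subscriber-C"),
]


def candidate_times(date_text, clock_text):
    """Expand a clock time into every instant it could mean.

    "7:15 PM" or "19:15" gives one instant; a bare "7:15" gives two (07:15 and 19:15).
    """
    clock = clock_text.strip().upper()
    suffix = None
    if clock.endswith(("AM", "PM")):
        clock, suffix = clock[:-2].strip(), clock[-2:]
    hour, minute = (int(part) for part in clock.split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"not a clock time: {clock_text!r}")
    if suffix:
        if not 1 <= hour <= 12:
            raise ValueError(f"{clock_text!r} mixes 24-hour time with AM/PM")
        hours = [hour % 12 + (12 if suffix == "PM" else 0)]
    elif 1 <= hour <= 12:
        hours = [hour % 12, hour % 12 + 12]      # no AM/PM given: keep both readings
    else:
        hours = [hour]                            # 0 or 13-23 can only be 24-hour time
    midnight = datetime.strptime(date_text, "%Y-%m-%d").replace(tzinfo=IST)
    return [midnight + timedelta(hours=h, minutes=minute) for h in hours]


def subscribers_for(ip, when):
    return {who for lease_ip, start, end, who in LEASES
            if lease_ip == ip and start <= when <= end}


def attribute(ip, date_text, clock_text):
    """Return (status, {reading: subscribers}); status is resolved, ambiguous or no-match."""
    readings = {t.strftime("%H:%M"): sorted(subscribers_for(ip, t))
                for t in candidate_times(date_text, clock_text)}
    distinct = {tuple(names) for names in readings.values()}
    if distinct == {()}:
        return "no-match", readings
    if len(distinct) == 1 and len(next(iter(distinct))) == 1:
        return "resolved", readings               # every reading names the same one subscriber
    return "ambiguous", readings                  # ask the requester; do not pick one


if __name__ == "__main__":
    for clock in ("7:15", "7:15 PM"):
        print(clock, attribute("203.0.113.7", "2016-08-22", clock))
```
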
Old 22nd August 2016, 20:01   #114
Team-BHP Support
 
Samurai
 
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,832
Thanked: 45,638 Times
Re: Best Corporate Firewall?

Quote:
Originally Posted by hserus View Post
Given the abundance of carrier grade NAT that is poorly implemented, so end users get RFC1918 (private) IPs to NAT yet further if they share the connection - finding the perp is tough to impossible.
But as a corporate customer I have static public IPs, it becomes DHCP only inside the company. Then cops will happily go after the stakeholder.
Old 22nd August 2016, 20:18   #115
Senior - BHPian
 
hserus
 
Join Date: Sep 2014
Location: Chennai
Posts: 4,957
Thanked: 9,162 Times
Re: Best Corporate Firewall?

Quote:
Originally Posted by Samurai View Post
But as a corporate customer I have static public IPs, it becomes DHCP only inside the company. Then cops will happily go after the stakeholder.
Most such will be driven by the copyright holder's law firms using Anton Piller orders. Very similar to how they randomly turn up demanding to audit your IT infrastructure to see whether you have pirated software.

Typically - they'll drag along an officer from the nearest police station when they enforce such an order.
Old 23rd August 2016, 14:37   #116
Senior - BHPian
 
shashank.nk
 
Join Date: Jan 2010
Location: Bangalore
Posts: 1,696
Thanked: 1,048 Times
Re: Best Corporate Firewall?

Apologies for the delay in posting, the systems guy wasn't reachable till noon today.
Quote:
Originally Posted by Samurai View Post
That doesn't make sense at all. You really need two things, a solid firewall and a backup solution. Concept of the central file server is very ancient.
Quote:
Originally Posted by R2D2 View Post
But the idea of centralised storage is very much passe. And one must have a backup schedule running on the server at least a few times a day that will protect all the work done by your employees.
Should I go for cloud storage then? Skipping backups on external/internal disks entirely. He suggested centralized storage since many times it's difficult to search for files as a new employee wouldn't know which drive or PC it's stored in. Despite instructions to store in a logical manner and create a list of what's stored where, we haven't met much success in implementing it.

Quote:
If I were you I'd use separate machines for proxy and file storage purposes.
Yes, we decided to install and run the firewall on a system which doesn't see much critical data storage. Data storage, if to be done locally will be on a separate system.

Quote:
Also, remember that firewalls are not foolproof. There have to be multiple layers of security in your local network to deter attackers (hackers and/or viruses and trojans) and to save your data.

So, think of investing in a security solution for your desktops and servers. Windows comes with Windows Defender and a built-in firewall that will suffice for most purposes. But it's your file server that you need to worry about the most given it will serve as a data repository.
As of now, I plan to have a firewall apart from the antivirus already installed on each system, that should make it 2 layers and may suffice.

Also, regarding backups, the frequency is undecided as of now but he'll provide me with a software which will take full backups initially followed by incremental backups.

Quote:
Originally Posted by hserus View Post
Don't let your users log in as administrator or admin equivalent user either.
Thank you for pointing this out. I'd somehow overlooked this.

Quote:
And limit bandwidth to each client so that no one guy can hog most of the bandwidth.

Check traffic stats to see which MAC address hogs most of the bandwidth, and if any employee uses BitTorrent, fire him. (Of course have HR or yourself if it is a smaller company as it appears, first issue a public warning to all employees that downloading torrents, streaming movies etc. is forbidden).

You could either use a better wifi router that can take custom firmware like OpenWrt or Tomato, which have several such controls. Or go the whole hog and get a Barracuda, SonicWall etc. commercial firewall as others have suggested.
I plan on limiting bandwidth to each PC and later on to each wireless client as well. I'm guessing this is possible only with a router or will a firewall have this?

A policy on internet usage is in drafting stages, expect to implement it starting 1st Sep or from when I have a firewall running. Will warn them twice before firing them. Since we're a small company of 50+ employees, not all can be fired immediately.
Old 23rd August 2016, 14:50   #117
Team-BHP Support
 
Samurai
 
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,832
Thanked: 45,638 Times
Re: Best Corporate Firewall?

I moved all documents to Google Apps in 2011, never looked back. People write documents online, and then share with only people they need to share it with. They can access it from anywhere and work on it. I let Google worry about security.

And for source code, we use GitLab server in a cloud server in our Colo, which is on permanent VPN with our local branch.
Old 31st August 2016, 09:13   #118
Distinguished - BHPian
 
R2D2
 
Join Date: Oct 2008
Location: Pune
Posts: 3,231
Thanked: 5,742 Times
Re: Best Corporate Firewall?

A credit card sized pfSense firewall appliance for $149. Ideal for tele-commuting and SOHO. Neat!

http://netgate.com/products/sg-1000.html
Old 2nd December 2016, 15:23   #119
Team-BHP Support
 
Samurai
 
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,832
Thanked: 45,638 Times
Re: Best Corporate Firewall?

Quote:
Originally Posted by shashank.nk View Post
At 27k, I can consider investing in this if it'll serve my purpose, however not sure if eBay is reliable.
I needed to get a Sonicwall Firewall for training purposes. With a dread, I asked for a quote. I got a quote of 18K for Sonicwall SOHO (01-SSC-0217). That means sanity is back. This is a very good price.
Old 12th February 2017, 18:51   #120
Senior - BHPian
 
shashank.nk
 
Join Date: Jan 2010
Location: Bangalore
Posts: 1,696
Thanked: 1,048 Times
Re: Best Corporate Firewall?

Quote:
Originally Posted by Samurai View Post
I needed to get a Sonicwall Firewall for training purposes. With a dread, I asked for a quote. I got a quote of 18K for Sonicwall SOHO (01-SSC-0217). That means sanity is back. This is a very good price.
That's fantastic news! Sorry for not writing back here in time. As suggested earlier, we set up a policy to deal with misuse of Internet and sent out an e-mail saying employees should refrain from using Internet for downloads etc.

It worked very well and only on Feb 4 did I notice the first instance where I had to take action. We're now moving to a much larger premises and have decided to invest in IT infrastructure, hope the price is continuing and no surprises in store when I ask for a quote.