Implementing Security Policy....

[rpk2006]

Hi,

A customer has contacted us for Anti-Virus and Internet security for his network.

His network comprises of 4 servers and 80 nodes. Each server handles 20 nodes. Server run Windows 2003 server and nodes run Windows 98/XP.

Please suggest how we can effectively design security policy for this customer so that their network is well protected from Viruses and other Internet Threats, in a cost-effective manner.

There are plenty of Anti-Virus and Internet Security tools available out there, but we have no experience implementing enterprise level security.

 

[keain]

Every customer is different, but here are some of the tools I use. The first question, though, is what are their current liabilities? Before you start quoting them prices and labor, you might need to do an assay first, or at least suggest one. I like to use nmap to check out their network. Airsnort, netstumbler and kismet are some tools I use for wireless networks. There's a big difference between telling a CEO, "You need to secure your network" and telling a CEO, "You need to secure your network. Here's your top-secret password and the SSID you didn't think you were broadcasting."

As for software tools, I use Norton Corporate for AV. For anti-spyware I use Webroot Spysweeper Enterprise, mainly because of its ease of deployability to clients from a centralized location. For ongoing security scanning, Nessus is invaluable in a Unix environment, should you ever run across one in the future. For email, I use MXlogic, which is a hosted service that I've found works really well.

For firewalls, Sonicwall, Cisco Pix, or Watchguard are some options. I prefer the Pix.

 

[chiph]

Ummm, they're paying you to do this work for them, yet you have no clue as to how to get started??

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first

 

[rpk2006]

We have provided them with custom software solution and also looking at their hardware purchasing and maintenance. When they enquired about this issue, I thought of getting expert and experienced advice so as to think about this field too in future.

 

[keain]

If you have no experience in this field, you may just want to consider subcontracting to a firm with experience in security implementation.

 

[kHz]

You are going to take money from somebody and you have no idea what you are doing? Really, you should decline this offer from the other party because you are not in a position to perform security services.

 

[rpk2006]

We have contacted the respective Anti-Virus and firewall companies and they have suggested solutions too. In future also I will request for the concerned personnel from the company itself or the authorized partners.

Since each company suggests its own way, hence I want to know the best approach taken by any of you aware of the combination of technologies used in your departments.

In our state, we do not have independent security consultancy services provider, so we have to request the company itself to send an expert from any of their offices.

 

[eyec]

if your client is a publically traded company then they MUST comply with SOx Section 404 and this is not for the faint of heart or the in-experienced!

 

[chiph]

Yup. Lots of consulting/contracting companies are going to make a ton of money off Sarbanes-Oxley compliance. If you do a Google on the term, there's a ton of sponsored links, so you know that people are spending serious money to get business in that area.

Chip H.



____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first

 

[rpk2006]

How effective are the features like, Centralized Scanning, Remote Installation, Admin Console etc., found in the corporate edition of the Anti-Virus programs?

 

[keain]

Not sure what you mean by effective; but they are very useful from an administration point of view. I for one don't want to walk to 60 or more desktops.

 

[rn4it]

There pretty effective, we have an enterprise Anti-virus server, which checks for updates and pushes the Virus definition out to approx 600 nodes. Since I don't manage the AV system I'm not sure about some of the other features rpk2006 is asking about. What I can say is if there were a problem with them I'd definately hear about.

 

[schofs]

You really need to be looking at doing a risk assessment on the clients assets: i.e. what is he going to loose if he gets a virus loses company data, or suffers from a DOS.

You can then do a cost benefit analysis to work out what you are willing to put in place to reduce the risk, transfer it or just accept it. once you realize this it is easier to sell to management.
Again when you know what needs to be protected it will give you an idea of which safeguards to implement.