The increase in supply of IT engineer graduates over the last decade or so is a double-edged sword for corporations:

  • on the good side, it helps hold down the market rate for IT engineers’ salaries
  • on the bad side, it floods the market with low-quality IT engineers
    • increasing the cost of recruitment, because more time has to be spent filtering candidates
    • increasing the cost of network maintenance, because networks designed or maintained by less competent IT engineers cost more to keep running

Like many things in life, corporate network security follows the law of diminishing returns: the initial investment increases security significantly, and further investment still increases it, but in ever smaller increments. So it boggles good IT engineers why some SMEs (Small / Medium Enterprises) fail to make the initial, relatively small investment required to provide basic security

Network

  • Data center

    It is hard to believe how often this first aspect is overlooked: plan the physical location of the data center. Bad engineers put the data center in any empty room they can find and cascade network switches later to reach far-away nodes. Good engineers look for a room that is physically in the middle of all the nodes, so that the data center can reach any node in the company with the minimum number of hops. It also helps to locate it on the 2nd floor, away from the danger of flooding

  • Use a hardware firewall. Hardware firewalls are so cheap nowadays that relying on a software firewall alone doesn’t make sense. Get a Stateful Packet Inspection (SPI) firewall as a minimum. A hardware firewall puts an additional hop between crackers and the data center
  • Use managed switches and access points. The price difference from unmanaged ones is small compared to the benefit of the centralised remote control they give the engineers
  • Use the security features of the Wi-Fi access point(s). Even the old WEP (Wired Equivalent Privacy) mechanism is much better than nothing
  • Plan the IP address assignment. This saves a great deal of time in identification and troubleshooting during operation. A sample assignment in a class C private range (254 nodes maximum) might look like this:
    • 1-20 for network infrastructure such as the DSL router, hardware firewall, switches and access points
    • 21-40 for servers
    • 41-50 for network printers
    • 51-210 for company-owned desktops
    • 211-230 for company-owned laptops (assigned by DHCP over the Wi-Fi connection, so that executives with company-owned laptops can also work from any hotel with Wi-Fi)
    • 231-254 for external laptops (e.g. consultants)
  • Use switch(es) with a few Gigabit Ethernet ports and connect the servers to those ports
  • Use network printers instead of personal printers. A network printer has a built-in print server, so any node in the network can reach it without a separate workstation having to stand by as a print server waiting for requests
  • Change the SNMP (Simple Network Management Protocol) community names from the defaults (public for the read-only community and private for the writeable community) to something else. Do this for every hardware firewall, managed switch, access point and network printer in the network
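The address plan above pays off when something actually checks the network against it. The following is an added example, not code from the original post: it encodes the post’s host ranges, verifies that the plan is contiguous and covers the whole class C range, and then audits a constructed inventory snapshot for devices sitting in the wrong block (a desktop in the server range, or an address that answers but has no asset record). The subnet 192.168.1.0/24 and the inventory entries are assumptions; the post only gives the host numbers.

```python
import ipaddress

# Assumed network: the post only gives host numbers 1-254 of a class C private
# range, so 192.168.1.0/24 stands in for the company's actual subnet.
NETWORK = ipaddress.ip_network("192.168.1.0/24")

# Host-number ranges from the post, as (role, first host, last host).
PLAN = [
    ("infrastructure", 1, 20),
    ("server", 21, 40),
    ("printer", 41, 50),
    ("desktop", 51, 210),
    ("company-laptop", 211, 230),
    ("external-laptop", 231, 254),
]


def check_plan(plan=PLAN, network=NETWORK):
    """Confirm the ranges are contiguous, non-overlapping and cover every usable host."""
    usable = network.num_addresses - 2          # minus network and broadcast addresses
    expected = 1
    for role, lo, hi in plan:
        if lo != expected or hi < lo:
            raise ValueError(f"gap or overlap at {role!r}: expected host {expected}, got {lo}")
        expected = hi + 1
    if expected != usable + 1:
        raise ValueError(f"plan ends at host {expected - 1}, subnet has {usable} usable hosts")
    return True


def role_of(ip, plan=PLAN, network=NETWORK):
    """Role the plan assigns to an address, or None if it is outside the subnet."""
    addr = ipaddress.ip_address(ip)
    if addr not in network:
        return None
    host = int(addr) - int(network.network_address)
    for role, lo, hi in plan:
        if lo <= host <= hi:
            return role
    return None


# Constructed inventory snapshot: (address, hostname, role recorded in the asset list).
# A None role means the address answered on the wire but is not in the asset list.
INVENTORY = [
    ("192.168.1.2", "fw-01", "infrastructure"),
    ("192.168.1.25", "file-01", "server"),
    ("192.168.1.77", "desk-17", "desktop"),
    ("192.168.1.33", "desk-42", "desktop"),      # a desktop parked in the server block
    ("192.168.1.240", None, None),               # unknown device in the external range
]


def audit(inventory=INVENTORY, plan=PLAN, network=NETWORK):
    """List addresses whose recorded role does not match the block they sit in."""
    findings = []
    for ip, name, recorded in inventory:
        expected = role_of(ip, plan, network)
        if recorded is None:
            findings.append((ip, name, f"unrecorded device in the {expected} block"))
        elif recorded != expected:
            findings.append((ip, name, f"recorded as {recorded} but sits in the {expected} block"))
    return findings


if __name__ == "__main__":
    check_plan()
    for ip, name, note in audit():
        print(f"{ip:<15} {name or '-':<10} {note}")
```

Run against a real inventory export, the two findings are exactly the cases the plan is meant to make visible at a glance: a machine that was plugged in outside its block, and a device nobody has recorded.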
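Checking that the SNMP community names really were changed is easiest done against the configuration exports of the devices. This added example (not from the original post) scans constructed Cisco IOS-style configuration excerpts for `snmp-server community` lines, flags the factory defaults public and private, and singles out the writeable ones, which are the ones to fix first. The device names, the configuration text and the 8-character minimum length are assumptions made for the example.

```python
import re

# Constructed configuration excerpts in Cisco IOS-style syntax; they are not
# taken from any real device. "RO"/"RW" mark read-only and read-write access.
CONFIGS = {
    "fw-01": "snmp-server community public RO\nsnmp-server community private RW\n",
    "sw-core-01": "snmp-server community k7Qm2vT9pX RO 10\nsnmp-server community private RW\n",
    "ap-lobby": "snmp-server community lobby-ro-2010 RO\n",
    "printer-01": "",   # export contains no community line at all
}

# Factory-default names the post says to replace.
DEFAULT_COMMUNITIES = {"public", "private"}
# Minimum length this script accepts for a community name (the script's own threshold).
MIN_LENGTH = 8
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)\s+(RO|RW)\b", re.M | re.I)


def community_findings(configs=CONFIGS):
    """Return (device, community, access, reason) for every community that needs attention."""
    findings = []
    for device, text in configs.items():
        matches = COMMUNITY_RE.findall(text)
        if not matches:
            # Nothing in the export does not mean nothing on the device: verify by hand.
            findings.append((device, None, None, "no community lines found; verify on the device"))
            continue
        for community, access in matches:
            access = access.upper()
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((device, community, access, "factory-default community name"))
            elif len(community) < MIN_LENGTH:
                findings.append((device, community, access, f"community shorter than {MIN_LENGTH} characters"))
    return findings


def writable_defaults(findings):
    """Subset of findings where a default name grants write access: fix these first."""
    return [f for f in findings if f[3] == "factory-default community name" and f[2] == "RW"]


if __name__ == "__main__":
    found = community_findings()
    for device, community, access, reason in found:
        print(f"{device:<12} {community or '-':<16} {access or '-':<3} {reason}")
    print(f"{len(writable_defaults(found))} writeable default(s)")
```

A device whose export has no community line is reported rather than silently passed, because a missing line in an export says nothing about what the device itself still accepts.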

Hardware

Server

  • Rack-mounted server

    Server-grade processor such as Intel Xeon or AMD Opteron. Don’t get a personal-grade processor such as Intel Core or AMD Athlon

  • Built-in RAID controller for failure-tolerant data storage. Get at least 3 identical hard discs of the largest capacity you can afford and set them up as a RAID 5 array for maximum storage with excellent recoverability (probably at the cost of a slight performance hit)
  • Built-in Gigabit Ethernet network adapter
  • DVD burner for software installation and ad hoc data retrieval
  • Use managed UPSes (ones with a data connection back to the server, for ease of management)
  • Restrict access to the data center. Simply locating it behind a lockable door will do
  • Provide adequate cooling and, if possible, organise the data center equipment neatly in racks. Pay attention to the placement of equipment inside the racks: heavy equipment such as UPSes should be at the bottom, light equipment such as switches at the top

Workstation

  • Remove all removable-media access such as optical drives, disc drives and additional USB ports
  • Seal the built-in USB ports with a glue gun so they can’t be used

Software

Server

  • Use a server-grade operating system such as Linux or Microsoft Windows Server. Don’t use a personal-grade operating system such as Microsoft Windows XP
    • If using Linux, do install the graphical user interface, and on top of it install a remote management tool such as Webmin
  • Use Active Directory to institute uniform access rights across all workstations in the company. To use Active Directory, companies don’t have to buy Microsoft Windows Server; they can use the open source alternative, Samba. Make sure that all users are given the Domain Users access right and that no user is given the Domain Admins access right
  • Set up a backup management system with an automated father-son media rotation scheme to get a good trade-off between space requirement and speed. For SMEs, 8 large-capacity portable hard discs in this set-up are probably the best bet
  • Ensure that backup media not immediately needed for a backup are stored off-site
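The father-son rotation is easy to get wrong when it is done by hand, so it is worth writing the schedule down as code. The following added example (not from the original post) models one way to spread the post’s 8 portable discs: 4 “son” discs for daily incremental backups Monday to Thursday, reused every week, and 4 “father” discs for a weekly full backup on Friday, rotated over 4 weeks. That split, the weekday assignment and the dates are assumptions; the post gives only the disc count. The functions show how long each disc’s contents survive before being overwritten and which restore points still exist on a given day, which is the space-versus-recoverability trade-off the post mentions.

```python
from datetime import date, timedelta

# Constructed split of the post's 8 portable discs (an assumption; the post gives
# only the count): 4 "son" discs for daily incremental backups Monday-Thursday,
# reused every week, and 4 "father" discs for the weekly full backup on Friday,
# rotated over a 4-week cycle. No backup runs at the weekend.
SON_DISCS = ["son-mon", "son-tue", "son-wed", "son-thu"]
FATHER_DISCS = ["father-1", "father-2", "father-3", "father-4"]
ROTATION_EPOCH = date(2010, 1, 1)     # a Friday; anchors the father cycle

# Dates used by the demo at the bottom (constructed).
EXAMPLE_START = date(2010, 1, 4)      # a Monday
EXAMPLE_DAY = date(2010, 2, 3)        # a Wednesday


def media_for(day):
    """Disc label and backup kind for a calendar day; None when no backup runs."""
    wd = day.weekday()                          # Monday=0 ... Sunday=6
    if wd < 4:
        return SON_DISCS[wd], "incremental"
    if wd == 4:
        # Floor division keeps the 4-week cycle consistent even before the epoch.
        weeks = (day - ROTATION_EPOCH).days // 7
        return FATHER_DISCS[weeks % len(FATHER_DISCS)], "full"
    return None


def schedule(start, n_days):
    """Every (date, disc, kind) backup run in the window starting at `start`."""
    runs = []
    for i in range(n_days):
        day = start + timedelta(days=i)
        slot = media_for(day)
        if slot:
            runs.append((day, slot[0], slot[1]))
    return runs


def overwrite_intervals(start, n_days):
    """Days between consecutive uses of each disc, i.e. how long its contents survive."""
    last, intervals = {}, {}
    for day, disc, _ in schedule(start, n_days):
        if disc in last:
            intervals.setdefault(disc, set()).add((day - last[disc]).days)
        last[disc] = day
    return {disc: sorted(v) for disc, v in intervals.items()}


def restore_points(day, lookback=60):
    """Backups still intact on `day`: the most recent run on each disc, oldest first."""
    latest = {}
    for run_day, disc, kind in schedule(day - timedelta(days=lookback), lookback + 1):
        latest[disc] = (run_day, kind, disc)
    return sorted(latest.values())


if __name__ == "__main__":
    for disc, gaps in sorted(overwrite_intervals(EXAMPLE_START, 120).items()):
        print(f"{disc:<9} overwritten every {gaps} days")
    for run_day, kind, disc in restore_points(EXAMPLE_DAY):
        print(f"{run_day} {kind:<11} on {disc}")
```

With this split a son disc is overwritten after 7 days and a father disc after 28, so the oldest full backup you can ever go back to is about four weeks old; the off-site rule in the post applies to the father disc that is not due again until its turn in the cycle.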

Workstation


The following applies to Microsoft Windows workstations

  • Protect the BIOS setup screens with a password
  • Use the same local Administrator password across all workstations, and never tell users what it is
  • Make every workstation part of the Active Directory
  • Disable unnecessary services such as Remote Registry
  • Tweak the Local Security Settings
  • Install the Mozilla Firefox web browser and disable access to the Microsoft Internet Explorer web browser. As late as January 2010, several governments, including the German, French and Australian, were still issuing recommendations against using Microsoft Internet Explorer because of its poor security
  • Set the Windows workstation to lock automatically after 15 minutes without use, to prevent abuse by other users while the original user is away from his/her workstation