Secure your network
Enterprise-grade security technologies such as unified threat management appliances are trickling down to the small-business level
by Becky Waring, Computerworld

May 20, 2008–Network security can be a thorny issue for small businesses, which generally lack pricey equipment and dedicated IT staffs with the expertise to lock down a local-area network. But addressing security is nevertheless essential: Just one customer data breach could easily wipe out a small business, and constantly battling viruses, spyware, and spam can sap productivity.

Threats may also come from wireless deployments — Wi-Fi access is a great convenience but also a serious weak point in most networks — as well as from Web site breaches and employee downloads of illegitimate material. (Since you are responsible for employees' use of your network, those ill-advised downloads can have serious consequences.) And that list doesn't even count bandwidth wasted when employees visit sites like MySpace and Facebook or watch YouTube videos on company time. How can you secure your small business against so many disparate threats, constrained as you are by limited resources?

The task is actually not as difficult as it may sound, thanks to enterprise-grade security technology that has been trickling down to the small-business level. So-called unified threat management (UTM) security appliances offer one-stop "security-in-a-box" protection that even part-time network administrators can deploy.

Basically, UTM appliances are firewall routers supplemented with powerful features such as antivirus and antispyware capabilities, intrusion-detection and/or -prevention tools, spam filters, and Web content filters (for blocking software downloads and visits to porn sites and other inappropriate Web pages). These appliances may have other useful features as well, such as the ability to wall off a guest wireless network from the rest of the LAN, an array of secondary wide-area network ports for redundancy or fail-over, and extensive logging and reporting systems.

Formerly the domain of network pros with deep pockets, UTM appliances for networks of eight to 25 users now sell for as little as $400, including a year's subscription to product updates and virus and malware definition services. I found many vendors offering full-featured UTM products for less than $1,000 (see "Sub-$1,000 UTM Appliances"). All of the vendors market higher-priced products for larger businesses, too. Some UTM appliances are more user-friendly than others, but all can be installed by a third-party reseller and then maintained fairly easily.

Key UTM features explained

Unlike standard firewall routers, UTM appliances vary widely in terms of the features and capabilities they offer. And for the most part, you get what you pay for. Here are the major features to look for when choosing a network security package for your small business:

Antivirus, antispyware and antiphishing tools

By stopping viruses and malware at the Internet gateway, you can reduce the burden on individual computers and prevent most threats from reaching your network. Antivirus tools also provide a second layer of protection beyond your individual PCs' virus-checkers, which frustrated users may disable and negligent users may update too infrequently. Gateway-checkers can't find every piece of malware, however, because they lack the horsepower needed to emulate the programs on each computer. So you should retain the antivirus and spyware tools on each PC.

It's also worth finding out the brand of virus- or malware-checker that the UTM appliances use. Some devices work with their own software, but most rely on third-party tools from companies such as McAfee Inc. or Kaspersky Lab, or even open-source tools like ClamAV. You should make sure that ongoing support will be available.

Content and keyword filtering

With content and keyword filtering, you can block access to specific IP addresses, domains and URLs by invoking the vendor's database of inappropriate Web sites and keywords in various categories — and you can tailor those lists of sites and keywords by adding or subtracting your own. Content filtering isn't just for porn. You can block Webmail sites, for example, or video-streaming services. You can use filtering on outgoing data as well as incoming data, so you could prevent people within your network from sending explicit e-mail or instant messages. Check to confirm that the UTM appliances you're considering have the content-filtering capabilities you need.

Spam filtering

A few UTM appliances have antispam filters, but most offer spam filtering only as an extra-cost option (if at all). Because spam filtering can have a major effect on firewall throughput, many IT experts prefer to use a separate spam filter at the mail server. Your ISP probably can perform this task at little or no extra charge if you use its e-mail services. If you run your own e-mail server behind your firewall, UTM appliance-based spam filtering may be appropriate.

Intrusion detection and prevention

Intrusion detection goes beyond the simple packet header inspection that all firewalls perform. Intrusion-detection tools actually examine the packets' contents as well. Together with deep-packet inspection, intrusion-detection and -prevention systems use ever-evolving rules and behavioral algorithms to block suspected attacks, much as antivirus software does.

Data-leakage prevention

Less commonly available — but important to some small businesses — are data-leakage prevention (DLP) tools. "Data leakage" refers to the loss of proprietary information and documents from the network via e-mail, e-mail attachments, instant messaging, Web site uploads and so on. Law and medical offices especially need these kinds of tools to prevent transmittal of client or patient data; they can be sued if such information leaks out.

DLP software uses content filtering or simply blocks file transfers and e-mail containing attachments. You may be able to simulate DLP by using regular content- and port-filtering tools, but you'll need to anticipate the ways data can leak, and expertise in security configuration is extremely valuable here. A security consultant can be a big help.
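To make the content-filtering mechanism described under "Content and keyword filtering" concrete, and to show the kind of outbound keyword check that can approximate DLP as suggested just above, here is an added example that is not part of the original article or of any vendor's product. The category database, the custom block/allow lists, the outbound keywords and the host names are all constructed for illustration; a real appliance would consult the vendor's category feed instead.

```python
from urllib.parse import urlparse

# Constructed stand-in for a vendor category database, keyed by domain.
CATEGORY_DB = {
    "example-webmail.test": "webmail",
    "example-video.test": "video-streaming",
    "example-adult.test": "adult",
    "partner.example.test": "business",
}

# Categories the business has chosen to block outright.
BLOCKED_CATEGORIES = {"adult", "webmail", "video-streaming"}

# Site-specific tailoring: your own additions to, and exceptions from, the vendor lists.
CUSTOM_BLOCK = {"social.example.test"}
CUSTOM_ALLOW = {"hr.example-webmail.test"}  # one exception inside a blocked category

# Keywords checked on outgoing data (form posts, webmail, instant messages);
# this is the crude DLP approximation the text mentions.
OUTBOUND_KEYWORDS = ("confidential", "patient id")


def domain_chain(host):
    """Yield host and each parent domain, so 'a.b.example.test' also matches 'example.test'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare top-level label
        yield ".".join(labels[i:])


def lookup_category(host):
    """Most specific matching domain in the category database wins."""
    for d in domain_chain(host):
        if d in CATEGORY_DB:
            return CATEGORY_DB[d]
    return "uncategorized"


def filter_request(url, outbound_body=""):
    """Return (verdict, reason). Custom lists override the vendor database."""
    host = urlparse(url).hostname or ""
    chain = list(domain_chain(host))
    if any(d in CUSTOM_ALLOW for d in chain):
        return ("allow", "custom allow list")
    if any(d in CUSTOM_BLOCK for d in chain):
        return ("block", "custom block list")
    category = lookup_category(host)
    if category in BLOCKED_CATEGORIES:
        return ("block", f"category: {category}")
    lowered = outbound_body.lower()
    for kw in OUTBOUND_KEYWORDS:
        if kw in lowered:  # outgoing data is inspected even for allowed sites
            return ("block", f"outbound keyword: {kw}")
    return ("allow", f"category: {category}")
```

Matching walks from the full host name up to its parent domains, which is why a single database entry covers every subdomain unless a more specific custom entry overrides it.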

Gateway throughput

One of the first specs you'll see on any UTM appliance data sheet is firewall performance or throughput, expressed in Mbit/sec. These numbers can provide a rough guide to performance, but they may not factor in the impact of the UTM tools you use — and those tools can reduce throughput by up to 50%, though some gateways handle the hit better than others thanks to speedier processors or more efficient software. Antispam filters usually have the heaviest impact on throughput.

Most vendors have try-before-you-buy programs, so take advantage of these arrangements to ensure that the UTM appliance you ultimately select has the features you need and doesn't bog down under your network's loads. When you count the number of users on your network, remember to include peripheral network devices such as NASs, printers and PDAs, since they may count toward the "recommended" user load.

Access control and authentication

To prevent unauthorized users from accessing your LAN, most UTM appliances support one or more authentication schemes, such as Windows Active Directory, LDAP, RADIUS or an internal user database. They also provide MAC address filtering to prevent unregistered devices from accessing your LAN; unfortunately, MAC addresses are easy to spoof.

WAN fail-over/redundancy

One very important difference between standard firewall routers and many UTM appliances is the presence on the latter of a second (and sometimes even a third) WAN port. In case of an outage, you could balance the network load between two regular connections — say, one DSL link and one cable connection. You can set one up as the primary option, with the second kicking in only during an outage, or you can divide loads on a round-robin or percentage basis. This is a great way to establish outage protection without investing in an expensive T1 line (and the accompanying service-level guarantees).

VPN gateway

If you want to set up secure connections between offices or offer business travelers and telecommuters a secure way to connect to your network remotely, virtual private network technology is a must-have. Most UTM appliances can serve as VPN gateways for incoming connections. Remote users can connect to the gateway in order to access LAN resources securely over an encrypted tunnel.

Wireless security

Most small businesses want Wi-Fi network access, so it's very important for UTM appliances to have wireless security features. Some appliances have built-in wireless routers, enabling them to run Wi-Fi traffic through the same strong filters that they use for Internet traffic. Others let you use third-party Wi-Fi access points to create special security zones for wireless networks.

Annual subscription fees

Normally, if you want a UTM that offers more than basic firewall filtering capabilities (including antivirus, antispyware, content-filtering, intrusion-detection and spam-checking tools) you must pay an annual subscription fee. You can use the hardware without a subscription, but you'll lose most of the appliance's security value if you do. So before choosing a UTM appliance, investigate the annual subscription price for virus definitions and software/firmware updates, and find out whether costs go up as the number of users does. Some vendors use a sliding scale of this type, but others don't.

Also, check to see whether the initial purchase price includes the cost of the first year's subscription. Since subscriptions may run to $500 or more, having to pay separately for the first year is a significant factor. You'll want to compare the total cost of ownership — for both equipment and annual maintenance — over the number of years you expect to own the appliance. And if you'll be hiring a consultant to set up the UTM, installation fees represent another variable to consider.

That's a quick review of the key features of UTM appliances, but you may want to consider other features as well, such as support for VoIP services (which may be adversely affected by filtering tools), the ability to set up zones governed by different security levels (say, a public zone and a private zone), dynamic DNS support, printer sharing, and monitoring and reporting tools that proactively provide crucial information (such as reports of WAN outages or peak load times) in a form that even a part-time IT person can understand and act on.

Sub-$1,000 UTM appliances

All of the UTM appliances listed below provide the basics — a business-class VPN firewall router with antivirus and antispyware protection, as well as intrusion-detection, content-filtering and monitoring tools. And many have extra features or special strengths in other areas. Most include an initial one-year subscription for antivirus and antispyware updates. Recommended network capacities range from eight to 25 users, but all of these vendors offer higher-end models for larger businesses as well.

The entry-level SonicWall TZ 180, Fortinet FortiGate-50B and D-Link NetDefend DFL-CPG310 cost less than $500 and can be set up by a non-IT professional. Even so, it's a good idea to hire a security expert, if possible, to set things up properly. A network is only as secure as its weakest point, which usually isn't the router.

Moving up the UTM scale, the Check Point UTM-1 Edge Appliance, the Secure Computing SnapGear SG580 and the ZyXel ZyWall 5 UTM cost around $500 to $700. And the Calyptix AccessEnforcer AE500, the eSoft InstaGate 404e and the Juniper Networks Secure Services Gateway 5 run all the way up to $1,000. The extra money pays for enterprise-class features, more software options (for which you'll need to buy annual renewals) and the ability to scale up to more users without buying new hardware. The InstaGate 404e, for example, offers modular e-mail and Web "ThreatPaks" that cover far more than basic antivirus tools do, while the Juniper SSG5 amounts to a branch-office version of the company's enterprise security system.

Calyptix AccessEnforcer AE500
http://www.calyptix.com/products.php

Check Point UTM-1 Edge Appliance
http://www.pcworld.com/shopping/detail/prtprdid,24878529-sortby,retailer/pricing.htmlint

D-Link NetDefend DFL-CPG310
http://www.pcworld.com/shopping/detail/prtprdid,17631145-sortby,retailer/specs.html

eSoft InstaGate 404e
http://www.esoft.com/new_products/utm.cfm

Fortinet FortiGate-50B & FortiWifi-50B
http://www.pcworld.com/shopping/detail/prtprdid,66891822-sortby,retailer/pricing.html

Juniper Networks Secure Services Gateway 5
http://www.pcworld.com/shopping/detail/prtprdid,63343509-sortby,retailer/pricing.html

Secure Computing SnapGear SG580
http://www.securecomputing.com/index.cfm?skey=1559

SonicWall TZ 180 TotalSecure 10 or 25
http://www.pcworld.com/shopping/detail/prtprdid,47691795-sortby,retailer/pricing.html

ZyXel ZyWall 5 UTM
http://www.pcworld.com/shopping/detail/prtprdid,17874810-sortby,retailer/pricing.html

Becky Waring is a Berkeley, Calif.-based technology writer who specializes in networking, mobility and multimedia topics.