IMO the single most important factor of having a secure network is user
education (as they say there is no patch for human stupidity). It can be the
most cheap step in securing a company's network, but it can also be the most
difficult at the same time. Technologically speaking, all solutions are
equally good for both small and large companies. Whether they are cost
effective is another issue. My point is that you can not judge whether a
security system is good or not based solely on its price, because it is the
business normal operation you are trying to protect. It is like buying a car
without ABS or airbags due to the cost of these systems. Your certainly do
not need them every day, but you might want them in case of an accident.
Ultimately each manager needs to decide which systems the company's budget
can afford and what is an acceptable downtime in a worst case scenario.
There are lots of things that can be done either using either open source
solutions or the built-in capabilities of the systems already used.
Technology alone in the form of a box lying in the machine room did not help
anyone.
On 30/12/05, coder <elite.coder@ntlworld.com> wrote:
Ok, so there are solutions that already exist, but how good are they fore
small companies with limited financial resources?
I myself am a network admin, the company I work for has about 20 PCs and 4
servers. The company really only has just enough to pay the wages each month
so an expensive firewall system is out of the question (I assume symantec,
checkpoint and zonealarm are all very expensive), also I do a lot of
application developement for them and sometimes write my own protocol for
client-server software.
Also I am called out to build networks for other small companies with
limited financial resources. One thing I have noticed with the company I
work for and the other smaller companies is that they dont have a full time
net admin (and in some cases they dont have one at all), and as they dont
have Active Directory (the company I work for does, but the ones I build
networks for do not) or equivelent, there is a 100% possibility of them
getting some malware on their desktops.
Im thinking for the thesis, I can say the current firewall technology is
time consuming to setup, expensive and requires a full-time network admin to
maintain the system. And I can then say that I shall develope a new firewall
system that is cheaper and does not require a full time admin to maintain.
Does this sound reasonable?
Thanks
~Davie Elliott
-------- Original Message --------
Hello everyone,
I wanted to get the opinions of experts before I carry on with my project.
I
am curently writting a thesis on the limitations of firewall technology,
for now it seems that firewall technology for the gateway is pretty much
covered. However, noone seems to have focused on firewall technology for
clients (on big networks), home firewalls such as ZoneAlarm are useless
for
a network with many PCs because it cant be managed centrally and it asks
the
user if they want to create a new rule when somthing tries to get out.
In my thesis I was going to say that these are the problems and the
solutions was to write a firewall system that can be managed centrally
(via
web interface), also for technical universities where students maybe
writting network software and using their own protocols, I was going to
see
if I could create some kind of "protocol creator" for admins. Originally
my
thesis was going to be about security corporation sized networks, but in
my
research I have come across a few other things.
IEEE802.1x and IPSec can apparently replace client-side firewalls, I dont
really know much about those two technologies, but I am still researching.
If these two techologies are better than client-side firewalls and or cost
less, I shall focus my thesis on small company networks (who cant afford
good network technology or a full-time net admin).
My thesis was going to be centered around the fact that machines within
huge
networks get infected by malware and such, either by websites or via
removable media, I am hoping that my firewall I idea would: stop sending
keylogger and spyware details back to the "hacker" and stop viruses/worms
spreading from the infected client.
So, what client-side technologies do corporations use (if any)?
Are there any limitations for IPSec and 802.1X?
What are your opinions on what I was saying about client-side firewalls?
Thank you for your answers,
Davie Elliott.
