Given the recent security breaches all over the news, what would a good Main Street business security solution look like and how much would it cost? After all, if organizations such as the NSA and large retailers such as Target can’t keep their secrets safe, what chance does Main Street business have?
A pretty good one actually. Keep reading.
First, an assumption. No piece of equipment is hacker proof. You must assume bad guys want to get inside your devices and use your equipment and your network for their own evil purposes. They have specs for everything you own and probably know more about the internal workings of your equipment than you’ll ever hope to learn. They’re smart, they’re greedy, they collaborate, and they want what you have.
That’s the nature of the threat. Here are the pieces to deal with it.
It starts at the firewall. You need a real firewall with provision for multiple LANs. A real firewall is a router with multiple segments and some rules to regulate how each segment interacts with the other segments. Most credible DSL and cable modems can accommodate firewalls behind them if configured properly. Here is a PDF file you can download with some firewall frequently asked questions. [edit: The Infrasupport references in that PDF download are from my IT contracting company, Infrasupport. When I accepted the job offer from Red Hat in 2015, my IT contracting work at Infrasupport went dormant.]
Your firewall will have at least one public, Internet facing segment. It might have more public segments if you want multiple Internet feeds from multiple providers so you always have a path out if one feed drops. Multiple Internet feeds is probably overkill for a business like a Chinese takeout restaurant, unless that restaurant depends on, say, a website to operate hour by hour.
You may choose to have an HA (highly available) firewall system with redundancy at your boundary that can juggle multiple Internet feeds and do automated failover routing in case an Internet feed goes offline. This may also be overkill for that Chinese food takeout restaurant. It may not be overkill for a multiple site retail operation that depends on the HQ site always being available. Start small and scale as the business grows.
It will have a “people” segment where you put your employee computers. This is where you put in the typical rules you see in most business networks. You’ll want a credible antivirus solution on all your workstations in this segment. It can also become elaborate. You can put in web filtering appliances to regulate which websites your users visit, for example. If you choose to host your own email or web server(s), you can put in rules to accommodate those, and rules to accommodate spam filtering. This is overkill for small operations and a logical growth path for larger businesses.
If you’re a retailer, your firewall will also need a POS segment for your Point of Sale systems. A simple POS terminal might interact only with your credit card processors. Credit card processors all have IP Addresses, so your firewall will have rules to allow anything in the POS network to interact only with those IP Addresses. The firewall will also have a rule blocking anything between your “people” segment and POS segment.
If your POS network is more sophisticated, those POS systems might need to interact with, say, a database server. That database server, in turn, may need to access servers in your “people” network. In this case, carefully construct firewall rules to accommodate this traffic and log attempts at any other traffic. This is overkill for that Chinese restaurant, but might be essential for a franchise of Chinese restaurants or a sophisticated retailer with, say, a loyalty program.
Maybe you want to offer wifi as a convenience for your customers. This is tricky to do properly because of the nature of wireless and because you don’t want your customer wifi to mingle with your employee wifi in your stores. Isolate the customer wifi from your employee wifi and all your other segments. The wifi segment is only a convenience for your customers to get to the Internet. Nothing crosses the border between the customer wifi into the “people” segment or the POS segment.
And there you have it in a few short paragraphs. A topology that does a wonderful job of enabling your business, serving your customers, and keeping bad guys out. Total investment includes a properly built firewall and either a few physical network switches or a smarter switch with VLAN capability. Budget a cost of about $4k to start. The actual cost might be a little less for small operations, probably more for larger operations. The antivirus subscriptions and other support subscriptions will also cost some op-ex each year.
(First published on my Infrasupport website on Feb. 8, 2014. I back-dated here to match the original posting.)