
Appropriate firewall settings for a small/medium sized business

Hi everyone,

 

I know this is a very broad question, but I was wondering if I could ask the suggested firewall settings for a small to medium sized business (say 5 - 10 computers and possibly a server).

 

Looking for a general scheme of how that would look.

 

Are Windows firewall settings robust enough?

 

Thanks for any thoughts both broad or specific.

ASRock B550M PG RIPTIDE       Corsair Vengeance 16 GB DDR4             TEAMGROUP MP33 1 TB NVME SSD

AMD Ryzen 5 5600X                   Antec DF700 Case                                 MSI Radeon RX 580 4 GB ARMOR OC

 


As you said yourself, it's a very broad question. That being said, we employ a mix of hardware- and software-based firewalls. We don't use Windows' built-in firewall but rely on an AV-based firewall that comes with most enterprise-grade AV software. We have a BYOD environment, so putting in a system that protects the company's actual assets ends up being a higher priority than the end users' devices. Since a lot bring Apple products and/or their own AV in, it's extremely challenging to find a system that will cover all of them.

 

The hardware side is a bit more of a mixed bag. If you have the money and the knowledge you can get a very robust system like something from Cisco, Adtran, Fortinet, or SonicWall that can provide you with a lot of protection and custom rules. However, if you don't know how to set that up or have someone who can for your environment specifically, then it's about as useful as a Best Buy router. We opted for something more center of the road that does what we need it to and provides an adequate amount of configuration capabilities for our needs.


4 minutes ago, DyverTech said:

As you said yourself, it's a very broad question. That being said, we employ a mix of hardware- and software-based firewalls. We don't use Windows' built-in firewall but rely on an AV-based firewall that comes with most enterprise-grade AV software. We have a BYOD environment, so putting in a system that protects the company's actual assets ends up being a higher priority than the end users' devices. Since a lot bring Apple products and/or their own AV in, it's extremely challenging to find a system that will cover all of them.

 

The hardware side is a bit more of a mixed bag. If you have the money and the knowledge you can get a very robust system like something from Cisco, Adtran, Fortinet, or SonicWall that can provide you with a lot of protection and custom rules. However, if you don't know how to set that up or have someone who can for your environment specifically, then it's about as useful as a Best Buy router. We opted for something more center of the road that does what we need it to and provides an adequate amount of configuration capabilities for our needs.

May I ask what enterprise grade AV software you use?

 

I am not terribly experienced with configuring routers via their IP address, if that is what you are referring to. I think they make those user interfaces pretty user friendly though, and I could probably just Google a lot of the settings. I may have clients in the future who seek this type of support, so I'm looking to cut my teeth on it.

 

For instance, opening/closing ports, port forwarding, etc.



I would avoid just using Windows Firewall and instead use a combination of a hardware firewall and some good enterprise antivirus.

 

Do you have a budget for a firewall and/or security hardware in general?



1 minute ago, Lurick said:

I would avoid just using Windows Firewall and instead use a combination of a hardware firewall and some good enterprise antivirus.

 

Do you have a budget for a firewall and/or security hardware in general?

I don't actually. This is all hypothetical right now as I try to bolster my skills with cyber security and firewalls, etc.



Just now, berderder said:

May I ask what enterprise grade AV software you use?

 

I am not terribly experienced with configuring routers via their IP address, if that is what you are referring to. I think they make those user interfaces pretty user friendly though, and I could probably just Google a lot of the settings. I may have clients in the future who seek this type of support, so I'm looking to cut my teeth on it.

AVG is what we have right now. Our contract is up soon though and I've been less than pleased with the number of issues that have arisen this year from them. We will be looking at some of the last gen AV products on the market that are generally much less resource dependent and look at behavior rather than basing security on server definitions. I'm not sure how it'll all turn out. 

 

The hardware side I was more speaking of advanced routing configurations like DMZs, traffic shaping, subnet configuration, VPN, EPN (or whatever that acronym is for private ethernet tunneling), hooking up to a service like AWS, flagging types of malicious content at the hard firewall side, stuff like that. It can get infinitely complicated, and that's why you can get a job just configuring security settings on firewalls and be fully employed.

 

Configuring through IPs is pretty straightforward; you just put in the IP and do your thing. Honestly, I'm not much of a CLI person, so I rely a lot on the GUI side of things. Cisco Meraki really impressed me in its simplicity in configuring some fairly advanced technologies with just a couple of clicks. Stuff like mesh networking and things like that. But the price point and recurring fees were very tough for me to stomach.


3 minutes ago, DyverTech said:

AVG is what we have right now. Our contract is up soon though and I've been less than pleased with the number of issues that have arisen this year from them. We will be looking at some of the last gen AV products on the market that are generally much less resource dependent and look at behavior rather than basing security on server definitions. I'm not sure how it'll all turn out. 

 

The hardware side I was more speaking of advanced routing configurations like DMZs, traffic shaping, subnet configuration, VPN, EPN (or whatever that acronym is for private ethernet tunneling), hooking up to a service like AWS, flagging types of malicious content at the hard firewall side, stuff like that. It can get infinitely complicated, and that's why you can get a job just configuring security settings on firewalls and be fully employed.

 

Configuring through IPs is pretty straightforward; you just put in the IP and do your thing. Honestly, I'm not much of a CLI person, so I rely a lot on the GUI side of things. Cisco Meraki really impressed me in its simplicity in configuring some fairly advanced technologies with just a couple of clicks. Stuff like mesh networking and things like that. But the price point and recurring fees were very tough for me to stomach.

Yes, thankfully I can say I'm familiar with a handful of things you've mentioned, like configuring subnets and DMZs, but I think I have my work cut out for me. It would probably be useful for me to study CompTIA Security+ and textbooks like that. Currently reading through a CompTIA Network+ textbook.

 

I'm really more useful in a residential manner when it comes to networking at the moment, unfortunately.



17 minutes ago, berderder said:

Yes, thankfully I can say I'm familiar with a handful of things you've mentioned, like configuring subnets and DMZs, but I think I have my work cut out for me. It would probably be useful for me to study CompTIA Security+ and textbooks like that. Currently reading through a CompTIA Network+ textbook.

 

I'm really more useful in a residential manner when it comes to networking at the moment, unfortunately.

Amen to that my friend. Best of luck to you.


13 minutes ago, DyverTech said:

Amen to that my friend. Best of luck to you.

Thanks, man



6 hours ago, DyverTech said:

AVG is what we have right now. Our contract is up soon though and I've been less than pleased with the number of issues that have arisen this year from them. We will be looking at some of the last gen AV products on the market that are generally much less resource dependent and look at behavior rather than basing security on server definitions. I'm not sure how it'll all turn out. 

What weren't you liking? At the MSP I work for we use AVG Managed Workplace & Cloud Care. Can't say I'm overly thrilled so far.

 

@berderder - do you have an existing router at the moment? If so what model? If not, were there staff working remotely? Is your IT handled internally or externally? What happens if you lose internet connectivity - are staff able to continue to work?


This question is waaaay too broad. It's like saying "I think I might be sick. What should I do to cure my illness?".
There is not enough info to recommend you do anything, and any recommendation made can actually harm you more than help you. You don't just recommend a bunch of medicines without even doing a diagnosis or knowing what the symptoms are.

 

What settings to use? Well block all traffic that might be malicious, and allow the one that can be trusted and/or is absolutely necessary.


I'm in agreement with @LAwLz that your statement is too broad. Every environment is different, and that's where you need to determine what you want set up. For example, we used to have a BYOD policy for students. The infrastructure was designed with a 1:1 (1 device per user) in mind, and we had a 16/3 installed. This was later upgraded to a 20/4. Faculty/staff had wireless on a separate 105/20 connection. Hardwired managed computers (non-BYOD) used a symmetrical 20/20 connection. The policy for students was to block essentially everything, allowing only ports for the internet (80, 443, 8080) as well as the ports necessary for e-mail on mobile devices. Streaming, etc. was blocked, allowing only the websites necessary. Faculty/staff had a much more open policy, allowing essentially everything but graphic and sexually explicit material.

 

We recently redid the entire infrastructure, got rid of BYOD, and removed our connections, keeping the 20/20, which was upgraded to 1000/1000 (1 Gbps). Last summer we upgraded all managed devices on the network and deployed ESET Endpoint Antivirus among many new management programs. This yielded more control for the IT department.

 

However, when setting up a guest network at a coffee shop, you don't necessarily need to impose rules this broad.

 

It honestly depends. Give us more information, and perhaps we can inform you on the best solution.

Regards,

Remix

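Remix's student/staff split above, modelled as an added example (not code from the original thread): a first-match rule engine with a per-segment default action. The student allowlist (80, 443, 8080) is taken from the post; the mail ports 993 and 587 and the sample flows are assumptions.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    proto: Optional[str] = None              # None matches any protocol
    dst_ports: FrozenSet[int] = frozenset()  # empty set matches any port
    comment: str = ""

@dataclass
class Policy:
    name: str
    default: str                             # action when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, proto: str, dst_port: int) -> str:
        """First-match evaluation, falling through to the default action."""
        for rule in self.rules:
            if rule.proto is not None and rule.proto != proto:
                continue
            if rule.dst_ports and dst_port not in rule.dst_ports:
                continue
            return rule.action
        return self.default

# Student BYOD segment: default deny; allow only the web ports the post names
# plus the ports mobile mail clients need. 993 (IMAPS) and 587 (submission)
# are assumptions, since the post does not say which mail ports were opened.
STUDENT = Policy("student-byod", default="deny", rules=[
    Rule("allow", "tcp", frozenset({80, 443, 8080}), "web"),
    Rule("allow", "tcp", frozenset({993, 587}), "mobile mail (assumed ports)"),
])

# Faculty/staff segment: default allow. The content-category block the post
# mentions is a web-filter decision, not a port rule, so it is not modelled.
STAFF = Policy("faculty-staff", default="allow")

# Constructed sample flows (proto, dst_port); not taken from the thread.
SAMPLE_FLOWS = [("tcp", 443), ("tcp", 993), ("udp", 53), ("tcp", 1935), ("tcp", 22)]

def verdicts(policy: Policy) -> dict:
    """Evaluate every sample flow against one policy."""
    return {flow: policy.evaluate(*flow) for flow in SAMPLE_FLOWS}

if __name__ == "__main__":
    for policy in (STUDENT, STAFF):
        print(policy.name, verdicts(policy))
```

Running it shows the two gaps a literal reading of the allowlist leaves: udp/53 is denied on the student segment, so browsing breaks unless the gateway resolves names for clients, and tcp/443 is allowed, so port rules alone do not stop streaming that runs over HTTPS.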

 


21 hours ago, Windspeed36 said:

What weren't you liking? At the MSP I work for we use AVG Managed Workplace & Cloud Care. Can't say I'm overly thrilled so far.

 

@berderder - do you have an existing router at the moment? If so what model? If not, were there staff working remotely? Is your IT handled internally or externally? What happens if you lose internet connectivity - are staff able to continue to work?

 

11 hours ago, LAwLz said:

This question is waaaay too broad. It's like saying "I think I might be sick. What should I do to cure my illness?".
There is not enough info to recommend you do anything, and any recommendation made can actually harm you more than help you. You don't just recommend a bunch of medicines without even doing a diagnosis or knowing what the symptoms are.

 

What settings to use? Well block all traffic that might be malicious, and allow the one that can be trusted and/or is absolutely necessary.

 

3 minutes ago, Remix said:

I'm in agreement with @LAwLz that your statement is too broad. Every environment is different, and that's where you need to determine what you want set up. For example, we used to have a BYOD policy for students. The infrastructure was designed with a 1:1 (1 device per user) in mind, and we had a 16/3 installed. This was later upgraded to a 20/4. Faculty/staff had wireless on a separate 105/20 connection. Hardwired managed computers (non-BYOD) used a symmetrical 20/20 connection. The policy for students was to block essentially everything, allowing only ports for the internet (80, 443, 8080) as well as the ports necessary for e-mail on mobile devices. Streaming, etc. was blocked, allowing only the websites necessary. Faculty/staff had a much more open policy, allowing essentially everything but graphic and sexually explicit material.

 

We recently redid the entire infrastructure, got rid of BYOD, and removed our connections, keeping the 20/20, which was upgraded to 1000/1000 (1 Gbps). Last summer we upgraded all managed devices on the network and deployed ESET Endpoint Antivirus among many new management programs. This yielded more control for the IT department.

 

However, when setting up a guest network at a coffee shop, you don't necessarily need to impose rules this broad.

 

It honestly depends. Give us more information, and perhaps we can inform you on the best solution.

Thanks for all the input, everyone. This was all actually purely hypothetical.

 

I am more of a client side hardware and software person with residential level networking skills. I'm not as professionally immersed in commercial networking as many of you appear to be. 

 

I simply wanted to scratch the surface as to some of the technologies, AV software, infrastructure used and thankfully I got a lot of interesting feedback here to chew on. 

 

I am an independent computer technician and business owner and am always trying to expand my knowledge and appropriate services, hence why I asked this question. I alone am not quite enough manpower to tackle a commercial-scale setup, which was part of the reason I was throwing this question out there.


