Putting enterprise security in place with open source tools
What's the best way to secure an enterprise network, including both communications and data? No single solution fits all situations, but the practices outlined here mark a solid starting point on which IT departments can build.
Protect your network with a strong firewall – I recommend using Smoothwall, a security-hardened Linux distribution that runs on its own hardware. Smoothwall offers port blocking, IP blacklisting, antivirus protection, and other critical hardware firewall duties, and is exceptionally easy to use. You can either purchase a ready-to-deploy hardware device or install the Smoothwall distribution on the hardware of your choice. Installing Smoothwall is straightforward, but should you find yourself getting stuck, turn to the documentation. If you need more handholding, Smoothwall partners can help you set up a Smoothwall appliance for your business.
Secure work-from-home communications – By using a virtual private network, users can connect to your workplace network securely from home or another remote location. VPN software creates a virtual private tunnel that protects your data from prying eyes through data encryption.
OpenVPN is a popular choice for software that provides a secure way of working remotely while remaining fully connected to the office. The guide entitled From Zero to OpenVPN in 30 Minutes makes setting up a fully functional VPN easy. OpenVPN advantages include price (it's free), localized control (not relying on third-party services), and the ability to work with all major operating systems.
Connecting through OpenVPN is straightforward. Both the GNOME and KDE desktop environments, as well as Windows and Mac OS, provide GUI network manager applications that let users configure their connections. Using a network manager allows non-IT personnel to easily connect to an OpenVPN server without the hassle of editing a configuration file.
Secure workstation hard disk data – Any data that sits unencrypted on a hard disk is at risk of being read by whoever gets hold of the disk. I suggest using TrueCrypt to protect local hard disk data. TrueCrypt can encrypt the data on the hard disk, so that if your computer is stolen or otherwise compromised, its contents are useless to anyone who lacks the key needed to access the information.
Be careful, however: Encrypting your hard disk can lead to big problems if you don't know what you're doing. Pay attention to the differences between a standard TrueCrypt volume and a hidden one, and bear in mind that the password for a standard volume isn't the same as the one for the hidden volume.
Before you decide to implement TrueCrypt on a company laptop, verify that such a practice isn't against your company's policies. Some companies may already have other encryption software available.
Keep your network safe with strong Wi-Fi security – Anyone within range of one of your wireless access points has a direct route to your company network. Address this by using WPA2-Enterprise Wi-Fi encryption with RADIUS authentication. With WPA2-Enterprise, end users never handle the encryption keys themselves; instead, a RADIUS server authorizes each Wi-Fi user by having them log in with a username and password, which keeps access simple for authorized users.
To set up a RADIUS server, follow this FreeRADIUS guide. FreeRADIUS software provides enterprise users with a method of setting up a RADIUS server free of cost. The server works with your wireless access points to authenticate each Wi-Fi network login attempt, according to the access provided by your company's IT department.
Best sysadmin practices – Certain system administration practices can add to your network's security. For instance, you should require all users connecting to the company's network to use strong passwords. If you're not using a particular system service, turn it off to remove it as a target waiting to be exploited. And set up a routine to comb through your log files for suspicious activity. I recommend using Mon in addition to manual server log monitoring. Mon allows you to set up alerts for problems on the network and polls the health of attached devices.
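As an added example (not code from the article), here is a small Python script that does the kind of log combing described above: it tallies failed SSH logins per source address in OpenSSH auth.log lines and flags sources that cross a threshold, noting any successful login from the same source. The log lines are constructed sample data, not from a real host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's auth.log format (not from a real host).
SAMPLE_LOG = """\
Mar 10 08:12:01 gw sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 08:12:04 gw sshd[2131]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar 10 08:12:09 gw sshd[2133]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 10 08:12:15 gw sshd[2135]: Failed password for invalid user oracle from 203.0.113.7 port 50150 ssh2
Mar 10 08:12:40 gw sshd[2140]: Accepted password for bob from 203.0.113.7 port 50177 ssh2
Mar 10 08:14:22 gw sshd[2190]: Accepted publickey for alice from 198.51.100.5 port 41000 ssh2
Mar 10 08:15:03 gw sshd[2201]: Failed password for alice from 198.51.100.5 port 41012 ssh2
"""

# "invalid user" appears when the account does not exist on the host.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+) port")


def count_failures(log_text):
    """Return {source_ip: number of failed SSH password logins}."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return failures


def suspicious_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures; each entry also lists the
    usernames that source managed to log in as, which deserves a closer look."""
    failures = count_failures(log_text)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group(2)].add(m.group(1))
    return {
        ip: {"failures": n, "accepted_users": sorted(accepted.get(ip, ()))}
        for ip, n in failures.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, logged in as {info['accepted_users']}")
```

Feed it `/var/log/auth.log` (or your syslog equivalent) from a cron job and pipe the output into whatever alerting you already use.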
Secure internal web access – Your corporate Internet access could be used for downloading adult material, sharing personal files, or wasting time on social networking sites. You can stop these activities by using a web proxy to filter out unauthorized access to blacklisted websites and search engine topics. A secure web proxy provides your IT department with some peace of mind because it can filter out non-work-safe websites while also preventing malware from being downloaded to individual workstations. Providing an effective web proxy to allow for secure web access is no simple feat, but this guide on setting up and configuring a secure web proxy should enable you to provide secure web access for corporate users.
You can add SquidClamAV to your web proxy installation to detect potential virus threats and stop them in their tracks. Once you've set up your proxy software, test it by attempting to download a virus test file and checking the C-icap server's log for a positive identification of the test file.
Because any additional software increases the load on the server running it, you may want to roll out your proxy gradually. For example, if you're working for a company that has five departments, you might consider setting up one proxy for two departments first to test it out thoroughly. Keep an eye on the server logs and listen to any concerns that come up during testing. If all goes well, you can roll it out to other departments.
Secure instant messaging communications – Some companies still use hosted instant messaging applications to allow their employees to communicate with each other. The key to having secure instant messaging for your workplace is to control as much of the experience as possible. This tutorial on instant messaging with an Openfire server configuration demonstrates how you can enjoy popular protocols such as XMPP while keeping tight control over security.
While you can use multinetwork IM clients such as Pidgin and Kopete with an Openfire server, I recommend sticking with Spark for an enterprise environment. It's better suited for in-house IT departments that would rather avoid connections to unsecured public IM networks.
If you don't already use an internal IM system, get buy-in from corporate management before implementing one, and make sure you establish clear policies about acceptable use [.doc file]. You don't want to end up with employees chatting amongst themselves about LOLCATS instead of getting work done.
Test your company's security – All the preparation in the world can prove to be meaningless if you don't test the security you've implemented. With the tools bundled in BackTrack Linux you can put your enhancements to the test. BackTrack is a professional-grade security auditing distribution that can be run as a live CD. It offers a healthy complement of penetration testing, Wi-Fi cracking, and information-gathering software.
Because of the potentially intrusive nature of penetration testing and security auditing, you should get explicit permission before you use any of BackTrack's tools at work. Without good communication you could inadvertently create problems for one of your peers by setting off alarms for the IT team.
In addition to obtaining permission for a full security audit, I suggest you keep careful records of your security audit findings. You can use your records to review the improvements you've made to your company's security and make any necessary post-audit corrections to your company's network.
By taking a stronger approach to enterprise security, your company will enjoy improved control over incoming and outgoing data, reducing the potential for data theft or loss due to malware. Improved security frees IT resources for more positive projects. And the folks who run your company can take solace in the knowledge that company data and resources are being managed in a secure, effective manner.
This work is licensed under a Creative Commons Attribution 3.0 Unported License