Small-business network security 101
- 02 July, 2009 05:17
Today more than ever, good network security is vital to businesses of all sizes. Cybercriminals, equipped with sophisticated software that automates the task of seeking out vulnerabilities, aren't focusing on large enterprises alone; any easy target will do. Fortunately, however, good security isn't as expensive or as complicated to implement as it used to be.
Technology for protecting valuable data from prying eyes, warding off malware, managing spam, or empowering employees to work remotely and securely is now bundled in routers at prices that most organizations should be able to afford. Though consumer routers offer some of these protections, you don't have to spend a lot more for business-class alternatives that provide more-robust defenses and, typically, features that consumer products simply don't offer.
Attending to the Basics for Free
Small businesses must cope with the same Internet security threats as larger companies do, but usually without the same budget and manpower. And in recent years, the threats have diversified and become more subtle: Whereas several years ago, you worried that a hacker or virus would crash your computers, now you may never even realize that your network has been compromised until real economic damage has been done. For example, your data may be lost or held hostage; you, your colleagues, and/or your customers may fall victim to identity theft; or your computers may be used to distribute spam or malware.
Of course, once your business grows to a certain size--100 to 200 staffers or more--you're best off putting security in the hands of a pro, typically an independent contractor or a reseller. But if you're handling security for a workgroup or a smaller business and money is tight, you can develop and implement your own security policy. This doesn't cost a dime, and it can be very effective if you put in the required effort--but make no mistake, effort is involved. Nobody likes to change passwords every month, perform regular backups, and check for software updates, but tending to these chores can help minimize your risk.
Security organizations offer how-to guides that can get you going. For example, the Internet Security Alliance makes its "Common Sense Guide to Cyber Security for Small Businesses" available as a free download to registered users; you can read some of its contents in the SANS (SysAdmin, Audit, Network, Security) Institute's "Network Security and the SMB" paper.
The guides have similar checklists with instructions that you've probably seen before, but the major ones bear repeating:
Also included are items that you don't hear about as often but can also help to plug security holes:
The router that connects your network to the outside world is the primary line of defense, and ordinarily it has its own firewall; current consumer routers typically have other security features, too, so you should read the manual to see which ones your router offers. One important step that many otherwise savvy users often neglect is to change the default administrative log-in settings so that an outsider can't easily alter all of the other settings. (Router vendors tend to use the same default settings for all their products.)
If you're using Wi-Fi, it's time to bite the bullet and use the best encryption available, WPA2. If you're hanging on to a laptop that doesn't support WPA2, either upgrade to one that does or resign yourself to disabling Wi-Fi completely and using a wired hookup. The same goes for smartphones: Current and recently issued handsets (including the iPhone) support WPA2, and you should abandon Wi-Fi on older handsets that don't.
Moving Up to Business Class
So what does a business-class router give you that a consumer one doesn't? The list varies, but features can include a more-robust firewall (with sophisticated software that can check to make sure data packets are what they purport to be), additional antivirus/antispyware/antispam protection, and business-friendly features such as VPN support (so that you can access your network remotely and securely, without exposing it to intruders), guest Internet access (so that visitors to your office can go online without gaining access to your internal network), and support for multiple broadband ISPs (for backup when one fails, or for load-balancing when all are functional).
A note on VPN support: This is a key feature of business-class routers, since so many people want to be able to access a network when they're at home or on the road. (Wouldn't you rather have remote staffers access corporate data inside your firewall than keep copies of files on a laptop they might lose?) Don't confuse VPN support on business hardware with the pass-through VPN support on many consumer routers, which is designed to let a home user connect to a corporate VPN; a business router creates the VPN itself. They don't have to cost a bundle: D-Link's DIR-130, for example, is an eight-port firewall router that lets you set up VPN access for up to 25 users (it doesn't, however, offer antivirus, antispam, or other business features).
The All-in-One Approach
Routers that do address the entire range of business security needs are known as unified threat management (UTM) appliances (see our detailed examination of UTM features from last year). Typically they involve subscriptions on top of the base price to pay for updates to the antivirus/antispyware/antispam software, and for many such offerings the fees are based on the number of users or connections supported. (Even if no user fees are involved, you should check on the number of users the device is designed to support: Exceeding that number can result in significant network slowdowns.)
You may be wondering why you need a UTM when your business PCs already have antivirus and antispyware software. Security experts say that the additional layer of protection at the network level can make a real difference--especially if the antimalware programs on your client PCs and on the UTM appliance come from different vendors. You should confirm which third-party software vendors an appliance manufacturer has partnered with; most depend on established antivirus, antispam, and/or antispyware products.
A Wealth of Security Choices
The UTM category is exploding, with offerings from home and small-business networking companies such as D-Link and Netgear, networking giants such as Cisco, and companies that are well known for their enterprise-class security appliances and software, such as Check Point and SonicWall. Most of these companies have a range of products that a growing business can step up through.
Prices vary widely depending on the features and the number of users supported. A couple of examples: Check Point's Safe@Office UTM appliances for small businesses come in versions that cover 5 seats ($299), up to 25 seats ($599), or an unlimited number of seats ($999). Software updates run $79 a year. However, if your primary concern is a good firewall and you don't need features such as multiple ISP support, Check Point's ZoneAlarm subsidiary offers a Z100G security router that supports 802.11 b/g Wi-Fi and up to 10 seats for $150.
Netgear, meanwhile, is readying its first ProSecure UTM devices, the UTM 10 (recommended for up to 15 users) and the UTM 25 (for up to 30 users). The UTM 10 starts at $550, which includes a year's worth of software updates and features for remote network management; subscriptions for the antimalware/spam services run $175 a year thereafter.
The pricier the device, the more complicated it will be to set up. Typically vendors will provide links to a network of professional resellers. Again, larger workgroups or medium-size businesses will probably find working with a security professional more efficient, but the tech-savvy user at smaller outfits or workgroups can usually buy these appliances directly from big online retailers such as CDW, NewEgg, or PC Connection. You'll have to determine whether it makes more sense to pay a pro or to spend your own time on setup.
For more, watch the PC World video, "Small Business Network Security."