• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

IT Help

Joined
Feb 29, 2004
Messages
11
Hello, I work for An IT company in lincoln Nebraska. We recently got asked to do a buiseness. This is the first time ive done something this big. I need some help with a few things. I would like to know the best way to set it up and how much would you charge and other companys charge. Heres the details :

They have 5 computers and one server. They have Cable internet (Road Runner). What they want us to do is network all 5 comps. They need a Firewall also. On 1 of the comps they dont want internet at all.on the others they want internet, but They want restricted access. Such as no porn sites and downloading. One these comps they also want restricted access for installing programs. What would be the best way to set all this up. My idea is. We run the server as a router and run everything through it. Putting the Firewall on the server, and also a content filter. I was thinking of putting all this on a domain. But They dont have an admin to monitor it. Any ideas on the easiest way to set this up?

Thanks :)
 
All depends on your skillset, do you only know windows? How much do they want to spend? But I think you have the right idea.
 
Between me and my boss we have all the skill we need. Im just worried about no admin. So if something goes wrong or they need to add a user. I dont know. I guess im just worried about messing up this job.
 
#1, Do not use the server that may potentially be running AD, DNS, and a number of other services as your firewall. That is just asking for trouble as you will leave yourself open to all the vulnerabilities Windows has to offer as well as creating a single point of failure for the entire operation. Get a stand alone firewall. You can always use the server on the inside of this firewall as a content filter/proxy server if you wish. There are also some all-in-one firewall/filter/IDS systems on the market that you should check out.

#2, If you decide to run a W2K or greater domain then you can implement group policy to keep people from installing software and accessing applications such as their web browser for the user that does not get web access (poor guy).

#3, Sell them a maintenance contract to maintain their system on an as needed basis if they don't require a full time Admin.

#4, As far as what to charge for this, it depends. What market are you in? Big City or small town? I would not charge a flat rate for this job as your time there could be very short or very long depending on your skill level (although I hate it when people try to learn on someone else's dime and end up charging them twice the price of a competent consultant because they took a job without knowing what they were doing... sorry, got off track), the time it takes to bring the staff up to speed, and any unforeseen problems.
 
If you work for an "IT Company," and you are asking for some basic networking info, I'd run.
 
First off, its a MUST to assess how much the company wants to spend.

Obviously you can do this the "el-cheapo" method, or you can go "all out!".

Seeing how you did not specify their financial budget, and seeing how they only have 5 computers.... i will go someone in the middle.

Also, before i get into this, you said one of the computers will NOT be connected to the "internet", but should it be a part of the "intranet"? That is something that needs to be addressed.

Oh, last thing.... you said they want it so that no one can install software............. Is this downloading software from the internet... or is this going to prevent people from installing software from... like a cd?

Anyway, content filtering is at best "OK". There are somethings that can search for words in the website... and for example if it finds "XXX" it will block access to the website... But if someone as a porn pic on their own website, and they just goto it, it would be very hard for the filters to block it. Just a heads up.


WIth that said, im always ammazed with what a little Linksys router with built in firewall can do. This can make specific IP's private, and many other features. But then you will have to deal with thrid party software for content blocking/filtering, and the prevention of downloading programs. Also, some browsers have built in content filtering capabilities... which should also be looked at. As im sure you guessed, this is one of the "el-cheapo" methods that home based business will consider.

BUT! if they have a larger IT budget, consider something from compaines like www.watchguard.com.

My school uses a watchguard firebox and it works very well! If the company your working for would give you the money, this will make your life much eaisers because these are basically all-in-one setups. Perhaps something like a firebox 500 or x500. and of course there are other companies who provide similar products.

Basically though, more information from the company your working for is required before any major decisions are made.:(
 
Im not asking for basic network info. IM asking what to charge and a way to look at this. Im very confident in my networking.

PHUNBALL : Thanks for the help. Its not a guy that cant have internet Its the whole comp no matter who uses it. They are maxed out on there budget so what I listed is all we have to work with. If we could do that I dont think I would be here. What really sucks is they are running XP home for the client machines and the server is 2003.
 
Uhm well there's a problem right there...XP home can't join a domain.
 
Originally posted by Ampedservers
Im not asking for basic network info. IM asking what to charge and a way to look at this. Im very confident in my networking.

PHUNBALL : Thanks for the help. Its not a guy that cant have internet Its the whole comp no matter who uses it. They are maxed out on there budget so what I listed is all we have to work with. If we could do that I dont think I would be here. What really sucks is they are running XP home for the client machines and the server is 2003.

OUCH, if you can't spend any money on hardware or software then you are in a tough position because you really can't implement most of what you want to do with what you have...
 
Originally posted by PHUNBALL
#1, Do not use the server that may potentially be running AD, DNS, and a number of other services as your firewall. That is just asking for trouble as you will leave yourself open to all the vulnerabilities Windows has to offer as well as creating a single point of failure for the entire operation.

While having a single point of failure is a valid concern, I disagree with your statement that a business would leave themselves open to vulnerabilities. While it is a bit more complex than configuring seperate devices, it's all in how well the system is configured.
 
Originally posted by SJConsultant
While having a single point of failure is a valid concern, I disagree with your statement that a business would leave themselves open to vulnerabilities. While it is a bit more complex than configuring seperate devices, it's all in how well the system is configured.

I always work on the theory that your firewall is only as secure as the operating system it runs on. In this case we are talking about Windows, a platform that can be locked down tremendously if required, but in this case that is not possible because it will be required to run other services to support the businesses leaving it vulnerable.

I have locked down many windows machines that were used in lab environments to test Checkpoint FW-1 and those boxes were absolutely worthless for doing anything except running a firewall package because of the great lengths you must go to in order to make them secure, basically disabling every function of the machine except the absolute necessary...
 
Originally posted by PHUNBALL
I always work on the theory that your firewall is only as secure as the operating system it runs on. In this case we are talking about Windows, a platform that can be locked down tremendously if required, but in this case that is not possible because it will be required to run other services to support the businesses leaving it vulnerable.

I have locked down many windows machines that were used in lab environments to test Checkpoint FW-1 and those boxes were absolutely worthless for doing anything except running a firewall package because of the great lengths you must go to in order to make them secure, basically disabling every function of the machine except the absolute necessary...

While "best practices" dictate the OS should be locked down, it's not a procedure that must be adhered to verbatim.

I've done numerous SBS installs with ISA as the firewall with no system as of yet to be compromised (I say yet because we all know security is not 100%). Some of those installs have open ports for SMTP, POP3, and VPNs, some others are fully closed.

If the firewall if configured to block everything from the internet, then the only "vulnerability" is from inside the business network.

If a person is already inside the network then it doesn't matter where the firewall is located. If your firewall is seperate from the servers, then again if its an inside attack the firewall does no good to protect the server.

The biggest vulnerability is from misconfiguration and not simply having a firewall on a DC.
 
Originally posted by SJConsultant
If the firewall if configured to block everything from the internet, then the only "vulnerability" is from inside the business network.

If a person is already inside the network then it doesn't matter where the firewall is located. If your firewall is seperate from the servers, then again if its an inside attack the firewall does no good to protect the server.

Internal threats are not always from someone being in the network already. How about a virus infected laptop that makes it's way into the office or an email that launches a script when open that then compromises your firewall from the inside opening the door for the guy waiting outside??? There are far too many scenarios not to take these simple precautions...

The biggest vulnerability is from misconfiguration and not simply having a firewall on a DC.

Ever hear about the man that built his house upon the sand? Well, it didn't work out too well for him and I don't know a single security expert that would condone this type of thing. It would also raise a BIG RED FLAG in a security audit. It may work, but it's just not a smart thing to do IMHO...

Question: Would you only lock the front door of your house at night leaving the back door unlocked all the time?
 
Originally posted by PHUNBALL
Internal threats are not always from someone being in the network already. How about a virus infected laptop that makes it's way into the office or an email that launches a script when open that then compromises your firewall from the inside opening the door for the guy waiting outside??? There are far too many scenarios not to take these simple precautions...

Viruses are another security issue that are addressed by a different layer of security....... don't try to detract from the firewall point by introducing another security issue that's not the main point of having a firewall in the first place. Which is keeping outsiders out of the network.

Originally posted by PHUNBALL
Ever hear about the man that built his house upon the sand? Well, it didn't work out too well for him and I don't know a single security expert that would condone this type of thing. It would also raise a BIG RED FLAG in a security audit. It may work, but it's just not a smart thing to do IMHO...

Question: Would you only lock the front door of your house at night leaving the back door unlocked all the time?

It's not an ideal situation to place all your eggs in one basket, but in the real world of small businesses who have tight budgets, it may be the most cost effective solution.

Originally posted by PHUNBALL
Question: Would you only lock the front door of your house at night leaving the back door unlocked all the time?

I'm not even going to entertain analogies here because you can't "analogize" such a complex topic so simply.
 
Question: Would you only lock the front door of your house at night leaving the back door unlocked all the time?

It would be more like someone already in your house.
 
Viruses are another security issue that are addressed by a different layer of security....... don't try to detract from the firewall point by introducing another security issue that's not the main point of having a firewall in the first place. Which is keeping outsiders out of the network.

FACT: Firewall's function as bi-directional devices if they are implemented correctly. There should never be full, unrestricted access to any interface on a firewall...

FACT: A firewall should not be in a position to be compromised from the outside of a network or from the inside of a network...

AV is a form of protection and it should catch this type of problem, but why would anyone in their right mind want to risk something getting through, is laziness or not wanting to spend a miniscule amount of money really worth the risk??

It's not an ideal situation to place all your eggs in one basket, but in the real world of small businesses who have tight budgets, it may be the most cost effective solution.

Sorry, but I can't swallow that line. I personally believe that if you are going to half ass it then don't even bother doing it. I have worked for plenty of company's where we didn't have the money for the best of the best, but we made it work, and we did it right. It just requires a little creativity...

Sorry for busting your balls, it's just that an ounce of prevention is worth a pound of cure in my book. This is just something I feel strongly about. Friends??? :)
 
Originally posted by PHUNBALL
FACT: Firewall's function as bi-directional devices if they are implemented correctly. There should never be full, unrestricted access to any interface on a firewall...

Hardly a fact, more of a best practice, and your strict opinion. Your statement means that most Linux and Windows based firewalls are in error.

FACT: A firewall should not be in a position to be compromised from the outside of a network or from the inside of a network...

Huh?!?!? The firewall must be placed in the "line of fire" to protect the network it is connected to...............

AV is a form of protection and it should catch this type of problem, but why would anyone in their right mind want to risk something getting through, is laziness or not wanting to spend a miniscule amount of money really worth the risk??

If I had that answer then I would definitely be rich cause there are enough people and businesses out there who don't take this very basic precaution.

Sorry, but I can't swallow that line. I personally believe that if you are going to half ass it then don't even bother doing it. I have worked for plenty of company's where we didn't have the money for the best of the best, but we made it work, and we did it right. It just requires a little creativity...

So your saying that a little bit of security is no better than none at all? I can't swallow that line of bull......

No one said it has to be the best of the best, but when the money is not there and you have to make do with what you have, then it's better than having nothing.

Sorry for busting your balls, it's just that an ounce of prevention is worth a pound of cure in my book. This is just something I feel strongly about. Friends??? :)

Your not busting my balls at all ;) ,you kinda have some conflicting statements though, since an ounce of prevention is worth a pound of cure, yet you would rather do nothing than something "half-assed". :p
 
Hardly a fact, more of a best practice, and your strict opinion. Your statement means that most Linux and Windows based firewalls are in error.

Firewall's are bi-directional devices and in a corporate scenario they should indeed be set up the way I mentioned. This is not only my opinion, but also the opinion of every security expert I know. I have run many Linux based firewalls and I have never had a single one that was wide open on any given interface so I'm not sure what that is in reference to. Also, "Windows firewall" is an oxymoron. :)

Huh?!?!? The firewall must be placed in the "line of fire" to protect the network it is connected to...............

I think we both know what I meant. "Position" meaning you need to do everything possible to ensure it's strength because of the, as you pointed out, position it is in...

If I had that answer then I would definitely be rich cause there are enough people and businesses out there who don't take this very basic precaution.

Very true, but that still doesn't make it right...

So your saying that a little bit of security is no better than none at all? I can't swallow that line of bull...... No one said it has to be the best of the best, but when the money is not there and you have to make do with what you have, then it's better than having nothing.

No, what that statement means is that any job that is worth doing is worth doing well and to the best of your ability. Using a wide open Windows box as a firewall is not to the best of anyone's ability...

Your not busting my balls at all ,you kinda have some conflicting statements though, since an ounce of prevention is worth a pound of cure, yet you would rather do nothing than something "half-assed".

In this situation, I would rather not hook all of these computers to the internet knowing that I have just provided them with a sub par solution that is giving them a false sense of security. I have to live with this and quite frankly I have more respect and care for my customers than that. If someone is paying me to do a job I do it right or I don't do it, that's all there is to it...
 
good one wise guy.

Phunball has a good point (there are thousands of counter points of course).

If you want to be hired by someone, and they place you on a EXTREAMLY small budget, and you know you can not do the job 100%, it is important to specifically tell this to the person who is paying you.

Sit them down and say, "i will do my best, but you must understand that your network will still be vulnerable because i will not be able to outfit you with the needed equipment because of money restraints."

They will eaither allowcate more money, give the approval with the understanding that it won't be 100% perfect, or decide to hold off.

I know you may want the money, but i think its better to not take a job as opposed to having a company blame you if their network gets hacked. As im sure you already know. (on the legal side, its always a good idea to have them sign a terms and conditions statement stating that you are not liable for any loss of data, down time... etc.)

By telling them the situation though, they actually might decide to buy better equipment which will obviously make your job eaiser... and if at nothing more... if they just allow you to proceed, then at least you covered your butt... and will get paid.

As for money, i know one of my friends charges them for the equipment and software, then tacks on eaither an hourly rate or a flat fee. The flat fee will usually be more expensive, but he will also train them, which is a nice way to make some extra money doing simple stuff (such as teaching them the basics of Novell NetWare 5, or how to remotely connect to their firebox :D ).
 
Back
Top