Security on a Shoestring Budget

For many, security is like going to the dentist--you have to deal with it, but that doesn't mean you have to go willingly, or like it once you get there. One of the main problems with IT security, though, comes down to money. While new servers or PCs can be justified as an investment, security is seen simply as an expense and a headache. But, what if you could protect your network and your PCs without breaking the bank?

Well, General Motors and JP Morgan Chase Bank may not be able to do it on the cheap, for obvious reasons, but small and medium businesses--as well as individuals--have a variety of open-source tools and free software available to keep PCs and networks safe on a shoestring budget.

Protect the Perimeter

A firewall is a de facto requirement for any network security implementation. The firewall is the gatekeeper of the network--blocking unauthorized traffic from entering your internal network, and restricting the flow of traffic in and out of your network based on the rules you establish. Think of it as locking down the "perimeter" of your home or office network.

Brush the dust off of that old Pentium desktop you shoved in the closet and put it to good use--it can house your firewall software. Smoothwall Express is a Linux-based open-source firewall delivering advanced features and perimeter protection capable of running on any Pentium-class PC with at least 128MB of RAM.

Smoothwall Express was designed to be simple enough to be installed by an average home user with no Linux experience, to run efficiently on seemingly obsolete hardware by today's PC standards, and to provide intuitive management and configuration through a browser-based console.

Smoothwall Express supports local networks, wireless networks, and what IT pros call DMZs (demilitarized zones). It performs all of the basic firewall functionality one would expect--port forwarding, outbound filtering, blocking bad IP addresses--and also delivers quality-of-service (QoS) features and network traffic statistics that can be broken down per network interface or per IP address.

Watch the Network

Filtering the traffic that is allowed into or out of the network at the perimeter is one thing, but you should also be monitoring the traffic flowing through the internal network for signs of suspicious or malicious activity. An intrusion detection or intrusion prevention system (IDS/IPS) will do the trick, and--when it comes to IDS--Snort basically wrote the book.

Snort combines monitoring based on signatures of known threats (think virus definitions in antivirus software) with monitoring based on detecting suspicious network activity to identify potential threats. With millions of downloads and 300,000 registered users worldwide, Snort is the most widely deployed intrusion detection system in the world, and the established standard for IDS. Snort is available for both Linux and Windows.

Snort is a shining example of the benefits of a robust open-source community. As new malware threats and attack techniques are discovered, rules have to be created and implemented in Snort to allow the IDS to detect and identify them. But because of the size and the contributions of the vast Snort user community, the rules are almost constantly updated and there is no shortage of support available.

While Snort can be run on just about any PC, the Smoothwall Express firewall also includes the ability to provide IDS functionality with integrated support for Snort rules. If you do set up a Smoothwall Express firewall, you can just use Snort rules for intrusion detection without having to install Snort separately.

Guard the PCs

Even with the perimeter locked down, and the internal network being actively monitored, some threats may still slip through to PCs on the network. A firewall and an IDS are not a replacement for having antimalware protection installed locally on each PC.

A variety of free antimalware applications are available, but the terms of engagement are generally limited to consumer use. Businesses are expected to pay up in most cases. Microsoft took the initiative, though, of making its Microsoft Security Essentials software free for small businesses running up to ten PCs.

Microsoft subsequently began automatically pushing Security Essentials to unprotected PCs through its Microsoft Update Service. So, even businesses with more than ten PCs may find their Windows computers proactively protected by Microsoft.

Bolster Your Passwords

Do you have a password policy at your office? If not, you should. But I'll let you in on a little secret about password policies--just because they appear to offer security on paper doesn't mean that users can't find a way to effectively circumvent their intent. Users can sometimes follow the letter--but not the spirit--of the password policy and create passwords that leave your network open to trivial compromise.

If you want to verify the strength of your password policy, or ensure that your users are not weakening your network security with simple passwords, just try cracking them yourself.

Tools like John the Ripper or Cain and Abel will use dictionary, brute force, and hybrid techniques to try to crack your passwords. A dictionary attack just tries every possible password from a dictionary database, while brute force tries literally every possible character combination. The hybrid approach combines the two to crack passwords like "p@ssw0rd"--those that are based on a dictionary word but substitute some letters with alternative characters.
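The gap between the letter and the spirit of a password policy can also be checked when a password is chosen, before it is ever stored. The following is an added example, not code from the article or from any of the tools it names; the policy thresholds, the substitution table and the five-word list are constructed assumptions. It flags passwords that satisfy a complexity policy yet reduce to a dictionary word once common substitutions and padding are undone.

```python
import re

# Constructed sample wordlist; a real audit would load a full dictionary file.
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein"}

# Common substitutions mapped back to the letters they stand in for.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def meets_policy(pw, min_len=8):
    """Hypothetical policy: minimum length plus 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    hits = sum(1 for c in classes if re.search(c, pw))
    return len(pw) >= min_len and hits >= 3


def dictionary_base(pw):
    """Return the dictionary word a password reduces to, or None."""
    low = pw.lower()
    head = re.match(r"[^a-z]*", low).end()           # leading digits/symbols
    tail = len(re.search(r"[^a-z]*$", low).group())  # trailing digits/symbols
    # Trim 0..n padding characters from each end, then undo substitutions.
    for i in range(head + 1):
        for j in range(tail + 1):
            core = low[i:len(low) - j].translate(LEET)
            if core in WORDLIST:
                return core
    return None


def audit(passwords):
    """Passwords that pass the policy yet are a disguised dictionary word."""
    return {pw: base for pw in passwords
            if meets_policy(pw) and (base := dictionary_base(pw))}


if __name__ == "__main__":
    # Constructed candidates, as a user might submit at password-change time.
    sample = ["p@ssw0rd", "Summer2024!", "Welc0m3!", "correct-Horse7battery"]
    for pw, base in audit(sample).items():
        print(f"{pw!r} satisfies the policy but reduces to {base!r}")
```
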

Depending on the results, you can either modify the entire password policy to make it more secure in general, or simply identify those accounts with weak passwords and work with individual users to implement stronger ones.

These tools aren't just useful in a small business environment--try them out on your PC at home, and see how well your personal passwords hold up.

Manage Risk

To plug the holes and strengthen your network and PC defenses, you first have to know where the weak points are. A vulnerability scanner can be an effective tool for identifying where and how you are vulnerable so you can manage the risk and either patch the holes or implement additional protection to mitigate the risk.

Nessus has been the gold standard for vulnerability scanners. At one point it was available for free as an open-source tool, but it is now a commercial product available through Tenable Network Security. The Nessus software can be downloaded for free, but in order to use it businesses must also subscribe to the Nessus feed, which supplies the tests and audits that Nessus needs to probe your network. The Professional Feed subscription costs $1200 per year.

The Nessus 2 engine is still open-source and forms the backbone of free tools such as OpenVAS. It may not be as robust or well known as Nessus, but IT admins who can't stomach the $1200 subscription should at least take a look at what it can do.

Home users can check out Microsoft Baseline Security Analyzer. This free tool from Microsoft scans your Windows PCs to detect common security misconfigurations and missing security updates on your computer systems.

Protecting your network and PCs with free and open-source tools can be every bit as effective as expensive security software and services. The tools highlighted here are a mere drop in the bucket. Check out the list of Top 100 Network Security Tools for a more comprehensive list of software to choose from.

Open-source tools are often not as polished as commercial software--or filled with the familiar bells and whistles that bloat packaged applications in an effort to justify their cost--but they work, and it's hard to argue with free.
