1. Run a firewall; you pays your money and you takes your choice, so to speak. There are many good software and hardware (appliance type) firewalls out there to choose from, some better than others, some more (or less) expensive than others. I am partial to Symantec products (Yes, I realize that there are as many people who swear AT Symantec than swear BY them, so please keep the derisive laughter to a minimum…..), and the firewall products (the enterprise class ones at least) are based upon the old Axxent Raptor product – one of the better choices out there. Also, you need to decide whether to run the firewall as a Bastion Host (a single firewall – keep the good guys protected and the bad guys out), as a DMZ (basically a single computer/appliance with three networck cards – LAN on one, the “DMZ” – your publicly accessible servers (webserver, commerce server, whatever) on another, and the third connected to your web internet access, or run two firewalls with the DMZ in between.

2. Run desktop firewalls on each client machine connected to your network. I am partial to Sygate (recently purchased by Symantec, but my experience with Sygate goes back a few years…), but there are many good low cost/no cost options available (Sygate, Black Ice, Tiny, Norton, McAfee for the Windows platform to name just a few; there are others for Macintosh and Linux).

3. Run an antivirus program on EVERY computer you’ve got; server, workstation, standalone, whatever… This is one area where although I use the Symantec product, I readily admit that there are better solutions out there. Look at Panda, Sophos, Kapersky, Symantec and McAfee, as well as GriSoft. There are others as well.

4. Run Snort as an IDS/IPS solution. It comes either as a free program, or as supported software: the free version is about 5 days behind the supported version (www.sourcefire.org) in signature updates.

5. Run Nessus as a system/network integrity checker: many commercial products are based upon the Nessus engine (Snort as well!), so again there ar both freebie and supported versions.

6. Invest some time/energy/money in END USER TRAINING. If your users know what to do (or NOT do) you’ll be well on your way to a more secure enterprise.

The list above is by no means comprehensive, but it should give you a good starting point…

Make certain that you get authorization to run a vulnerability scan/network penetration test prior to doing any work, otherwise you are risking your employment. Get the CEO or upper level management to essentially waive your liability for conducting the test in case you crash something or cause a loss of revenue or worse. It’s best to work with a team for different perspectives, but you can do it yourself. They might already know an avenue to exploit/test that you didn’t think of before (a forgotten dial-up modem pool or Joe over there with his personnal WAP connected to your network!).

You can run it in a safe mode that doesn’t try to crash services or allow those to run. It’s best to run it in safe mode first, investigate and fix anything that you find and then schedule a comprehensive test that may crash services on the network.

Test outside first to ensure that your boundries are safe, then take it to your DMZ and inside networks later on. No matter what, make sure you test inside as well as outside because you are more vulnerable inside than you should be from the Internet.

For a more extensive test, schedule a penetration test by either outside vendors or see if you get volunteers inside if you don’t have the budget for an independant review. Also make sure the independent review is by a reputable company whom isn’t going to leave some important information out of the report and later exploit to get inside.

Nessus is pretty good and the price is great. There are others, but it’s like paying for something that someone else is giving out for free. Nessus beats some of the commercial products, so there really is no need to look further unless you have deep pockets or want a support contact. I think that Nessus will let you pay them for a support contract too, if that’s your cup o’tea.

Hope this helps,
SF

HFNETCHK (http://www.hfnetchk.com/default.html)

This one checks primarily windows systems for vulnerabilities, security patch levels, etc. Works pretty well.

GFI Network Security Scanner (http://www.gfi.com/)

Is another tool for checking systems. It does a bit more in that it will check on Linux systems and network nodes.

There are a host of other port scanners and such that will review systems or entire subnets for vulnerabilities. You can also find product specific tools, like Microsoft’s IIS Lockdown tool that will secure web services. It really depends on what you are looking for.

If you are really looking at getting security going at you site you will need to become more familiar with it or hire a consultant to do a formal audit (especially if you are looking at any type of gonvernment compliance or standards compliance for business). Security often involves physical security, employee procedures, and employee education.

Here are a couple of decent books on the subject:

http://www.amazon.com/exec/obidos/tg/detail/-/059600611X/qid=1124985804/sr=8-6/ref=pd_bbs_6/102-3654224-0637718?v=glance&s=books&n=507846

http://www.amazon.com/exec/obidos/tg/detail/-/0072229578/qid=1124985804/sr=8-4/ref=pd_bbs_4/102-3654224-0637718?v=glance&s=books&n=507846

Paul