Guest
"I would use a hardware firewall to protect the machine from both Internet access and intranet access. A hardware firewall will give you reliability and speed.
I would start with the machine having all the traffic blocked and then only allow those IP addresses, ports, protocols and directions that are needed for it to work. For example, if there will be no web surfing, then I wouldn't add a rule to open port 80 out. If you have a remote administrator, I would allow the ports for VNC in from their IP address. The same for FTP. This way, if you aren't talking from the right IP address, you are blocked. Also, if someone tries to go out on the machine and check their email, they are blocked.
I would also set these rules up for the rest of the intranet. I would only create rules to allow communication to those computers/ports/protocols needed. This way, if a machine on the intranet gets compromised, it will have a harder time spreading to the unprotected machine.
Basically, this machine would be in a DMZ configuration.
I would also run Spybot Search & Destroy and SpywareBlaster and immunize the machine. There is no real time cost to this because it isn't a scan, but just a configuration setting. All this does is basically blacklist ActiveX controls and bad sites in the Hosts file. This can prevent a machine from being infected by preventing some bad things from being executed. Of course, you would have to allow via the hardware firewall the ability for the machine to update. You can do this manually or whitelist those sites.
The firewall you choose should be able to alert you of problems. I would flag some rules to see if anyone is attempting to do anything they shouldn't (i.e. checking email, surfing the web, someone attempting access to the FTP port (especially if left on the default ports)). I use a Zywall which has all the above features, but there are many companies. One thing you should consider is that hardware firewalls have specifications on throughput. You want to get a firewall that can process the information fast enough.
The remote users could also VPN in to some firewalls, that way you don't have to publicly expose some things like VNC or FTP.
Also, some VNC software will allow you to use certificates to authenticate. This could help because it allows better security: there is no username/password to guess, and the end user could run the software and it would just work (less for the end user to remember). If not, I recommend using KeePass and having it generate a high entropy password that would be difficult for machines to break.
I hope these tips help.
(Also, because this is a business critical machine, I would image the system so if something did happen, you could get back to a known good state.)"
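The default-deny policy described in the post (block everything, then allow VNC and FTP in only from the administrator's address, allow outbound only to the update sites, and flag denied attempts such as web surfing or email for alerting), written out as an added illustration. This is not the poster's Zywall configuration; the addresses, ports and sample flows are constructed placeholders.

```python
"""Default-deny rule evaluator modelling the policy from the post.

Added illustration only. All addresses, ports and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ADMIN_IP = "203.0.113.10"           # constructed: remote administrator's address
UPDATE_SERVERS = "198.51.100.0/24"  # constructed: whitelisted update-site range


@dataclass(frozen=True)
class Rule:
    direction: str       # "in" or "out", relative to the protected machine
    proto: str           # "tcp" or "udp"
    port: int
    peer: str            # CIDR the remote side must fall inside
    alert: bool = False  # flag matches so the firewall raises an alert


# Explicit allow list; any flow not matched here is dropped (default deny).
ALLOW = [
    Rule("in", "tcp", 5900, f"{ADMIN_IP}/32"),    # VNC only from the admin
    Rule("in", "tcp", 21, f"{ADMIN_IP}/32"),      # FTP only from the admin
    Rule("out", "tcp", 443, UPDATE_SERVERS),      # immunize/definition updates
]

# Denied attempts worth alerting on (the post's "flagged" rules).
WATCH = [
    Rule("in", "tcp", 5900, "0.0.0.0/0", alert=True),  # VNC from anyone else
    Rule("in", "tcp", 21, "0.0.0.0/0", alert=True),    # FTP from anyone else
    Rule("out", "tcp", 80, "0.0.0.0/0", alert=True),   # web surfing
    Rule("out", "tcp", 25, "0.0.0.0/0", alert=True),   # outbound email
]


def _matches(rule, direction, proto, port, peer):
    return (rule.direction == direction and rule.proto == proto
            and rule.port == port and ip_address(peer) in ip_network(rule.peer))


def evaluate(direction, proto, port, peer):
    """Return (verdict, alert) for one flow; verdict is 'allow' or 'drop'."""
    if any(_matches(r, direction, proto, port, peer) for r in ALLOW):
        return "allow", False
    alert = any(_matches(r, direction, proto, port, peer) for r in WATCH)
    return "drop", alert


if __name__ == "__main__":
    for flow in [("in", "tcp", 5900, ADMIN_IP), ("in", "tcp", 5900, "192.0.2.7"),
                 ("out", "tcp", 80, "192.0.2.50"), ("out", "tcp", 443, "198.51.100.20")]:
        print(flow, evaluate(*flow))  # constructed sample flows
```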