Trying to Build a Secure Small Business Network

ROJO (Guest)
I own a small business with eight employees that is about a year old....to date we've made it by with our Dell/Mac laptops, a Buffalo NAS, PGP encryption, and a Cisco firewall that was provided by our landlord in a small business shared office setting. In May we're moving to new office space so I set out to build a better network.

We run seven workstations on XP and one Mac.....we will not grow dramatically so scalability is not a priority......we do work with confidential data from our clients.

After my research (knowing just enough to be dangerous) below is the setup I'm about to pull the trigger on.....I'm looking for any opinions, feedback or resources that could be helpful.

A. PGP whole disk encryption on all workstations with two-factor authentication via Aladdin USB eToken
B. Two Netgear ReadyNAS NV+ drives (one in the office, one as an offsite backup location)
C. PGP NetShare protecting all confidential data stored on the NAS (two-factor authentication)
D. Netgear 24-port unmanaged gigabit switch
E. WatchGuard Firebox X20e-W firewall
F. SonicWall SSL-VPN 200 appliance using SMS two-factor authentication

Thanks
 
Also......

Also, we use a hosted MS Exchange service.....so e-mail is not a concern in our setup........we don't have any networked applications, which is why I have gone with the NAS devices (with RAID) instead of Windows Small Business Server. My hope is that the NAS is easier to configure and costs less to maintain.
 
The WatchGuard, because there seems to be consensus that it is a solid UTM device (a mix of protection and ease of use). I understand that the SonicWall SSL-VPN is somewhat redundant with the WatchGuard VPN capabilities, but it provides the ability to implement two-factor authentication via an SMS text message.

I'm trying to use two-factor authentication across the board.

That said, I don't know if my budget is being well spent here.....products like the Netgear FVS336G seem to offer very similar functionality (WatchGuard UTM + SonicWall SSL-VPN) at half the cost?

I have no pride of authorship in the technology I've outlined.....please feel free to be brutally honest if I'm way off base on any or all aspects.

Thanks
 
You are certainly going an expensive route with two products that require service contracts.

If you are not running any servers that require ports opened on your router/firewall, any NAT router is going to protect you from inbound traffic. As for other nasties, daily updated anti-virus should be fine. Does your hosted Exchange include AV and spam filtering?
 
Yes, our Exchange host (Intermedia) provides AV and spam filtering.

Would you recommend I take another look at less expensive firewalls with VPN (e.g. Netgear FVS336G)?
 
We don't currently have any type of remote access to our central file repository (NAS).....with this new network we're adding VPN to provide secure remote access to the central file repository and we'll also use the VPN to facilitate the backup between the office ReadyNAS and the off-site ReadyNAS.

Currently we send/receive confidential data with our clients via LeapFile (a hosted solution)....because it is a hosted solution, we encrypt any files sent via LeapFile as an added level of security. We'll most likely continue using the LeapFile solution for client transfers and use the VPN only for employee remote access.
 
Would you recommend I take another look at less expensive firewalls with VPN (e.g. Netgear FVS336G)?
Yes. Try the Linksys RVL200. It supports SSL VPN (and one IPsec tunnel).
SSL is much easier to deal with than IPsec clients.
 
We don't currently have any type of remote access to our central file repository (NAS).....with this new network we're adding VPN to provide secure remote access to the central file repository and we'll also use the VPN to facilitate the backup between the office ReadyNAS and the off-site ReadyNAS.

You have to think about how you want to gain access to these files on the NAS. Getting access to files through a skinny VPN tunnel can be slow. And then you have your name resolution issues. Access to a Windows desktop, such as through Terminal Server, or RDP or LogMeIn or something like that to your workstations ends up being a much more usable experience.

With the offsite backup, most of those remote backup solutions already use a wicked encrypted stream across the internet, plus the files being backed up are already encrypted with a hash....that's needed to open them. However, if you still want the warm 'n fuzzy feeling of shooting that through a tunnel...that's a sustained heavy load, so I recommend a solid biz-grade appliance on each end. Going for the cheaper VPN endpoints ends up with you spending time troubleshooting why the tunnel keeps dropping. I'm a fan of Juniper myself, also spinning your own routers with distros such as pfSense.
 