What are the best practices to protect small IT Office?
-
Hi All,
- Firewall Rules: What are the recommended ports need to be opened in the firewall rules?
- Web Filter: Need to restrict websites(http/https) based on the AD Groups. Which tool is best SquidGuard or PfblockerNg-Devel ?
- Need to allow only the company emails in the network.
Please let me know the best method to achieve these targets in a small IT organization.
Regards,
Ram. -
@rkadmin 1. U only open the ports you need. 2/3. Don't know. IMO oftentimes in a small office is counterproductive to keep the noose too tight, 'cuz after a while everybody has to come to you for any mundane tasks. IMO, just keep a FW log, look at it at the end of the month and look at which IP has a inordinary amount of traffic and go from there.
Keep backups, have disaster recovery procedure, ur all set.
-
Here is a good place to start with firewall rules and the basics. It goes a lot more in depth too.
https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprintYou don't have to follow every single recommendation, but in terms of outgoing ports to open, it is a good start. I would recommend starting with the default rules setup by pfSense (outgoing ports open). pfSense is by default secure to start, then you can monitor your traffic and do some homework to figure out which ports are being used before potentially breaking valid connections and having office users complaining about things not working. For monitoring the traffic, run several packet captures over a long period of time on the LAN interface (Diagnostics > Packet Capture) during the peak office hours. Try to set the packet capture count to 2000000, that should take a nice long time to finish and give you a good sample of information. Download that capture file when it's done. Load that cap file into wireshark. https://www.wireshark.org/
In Wireshark, go to Statistics > IPV4 statistics > Destinations and Ports. It will take some time to analyze all that data and will give you a good idea of which ports are being used on your network.
You can then do a save as into csv format to make it easy to work with in Excel. Remove duplicates from the Topic/Item column, then sort from lowest to highest on that column.
You will have to sift through it to figure out which ports are really needed and which aren't.
Also, you may want to do this more than once to be sure you got a final compiled list of all the outgoing ports you really need open.Raffi
-
Regarding 2, pfblockerng is a great package for url filtering. I use the current version in our small office environment, not the devel version. It's easy to setup and it works. I don't have it setup with AD groups. I don't know if that's possible or not. You may want to ask specific questions about those packages in their sub-forums.
Regarding 3, will all work emails come and go from a specific known server? If so, then I think creating outbound/inbound rules to only allow traffic with that IP as the destination/source on the email ports (SMTP, IMAP, POP) should work?
-
@sammywoo Thank you very much for you inputs.
-
@raffi_ Thank you very much for your inputs.