Enterprise security on a small business budget

Switch your company and your home router's DNS resolver to use OpenDNS. Do it right now, I'll wait. There's no reason to use the default DNS provided by your Internet service provider. OpenDNS has a gigantic cache that will speed up your queries and a free Website filtering service that might interest some companies. Even if you don't want the filtering, its robust and secure DNS infrastructure can shield you from well-known attacks at the DNS level.

After 5 minutes of reconfiguration, your Internet connection will be snappier because the OpenDNS servers usually respond much quickly than your default ISP servers. Its Website explains the simple steps involved in changing your home router or your company's Active Directory domain controllers to their resolvers, and it has infrastructure spread all over the globe to ensure a speedy reply no matter where you are.

For power users and anyone in an IT capacity at work, I'm a big fan of using a host-based outbound firewall on both servers and workstations. It is absolutely essential to be notified when an unknown or new process decides to make an outbound connection. This way, even if something slips past your antivirus and antimalware defenses, you can catch it on the way out. Of course, this won't help nontechnical users who always click "Accept" on any pop-up that comes up.

At your company, implement outbound firewall rules. Most companies I work with have an "allow all" outbound policy for their users. While this may have been acceptable in the past, in this century I would not recommend running a business with such a permissive policy. You can start with restricting users to only HTTP and HTTPS outbound; this won't protect you from everything, but it will close down a large portion of outbound connections that may not be authorized. You can also use OpenDNS to restrict access to inappropriate Websites.

Most important (and most often overlooked), server and DMZ networks should allow only a few explicit outbound connections (such as outbound SMTP for your mail server). Modern packet inspection firewalls are smart enough to allow your Web server to reply to an inbound request for a Web page, but very few legitimate reasons exist for your Web servers to initiate a connection to the outside world.

To be sure, there are exceptions (business partner inventory interchange, or offsite data backup, for instance), but in general most servers respond to inbound requests for information and do not themselves initiate connections. If a hacker compromises your server, one of the first things he or she will do is to use your server to connect to another machine (either within your organization or back to their network). Leaving a rule for outbound access to windowsupdate.microsoft.com (and similar update sites) is perfectly acceptable. A blanket "allow all" policy is just asking for trouble.

Steven Andrés is Founder and CTO of Special Ops Security.

| 1 2 Page 4
ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon