Building an expanded anti-virus protection system for a small enterprise. Part 1. Choosing a strategy and a solution

    There is probably no need to write at length about why IT security deserves attention and what happens when it gets none. So let's get straight down to business. As part of one project, it was necessary to organize comprehensive protection for a corporate network's IT infrastructure.

    How it all began


    The company's management was seriously alarmed by the triumphant march of ransomware across the computers of partner offices. The task was set quite correctly: to provide the necessary level of protection against this scourge. Of course, nobody needs redundancy for its own sake, but accidental infections must not happen.

    As for the details: the company is small and the business is on its feet, but it does not intend to spend extra money and is ready to haggle over every penny.

    I should say right away that the simple "tighten the screws" measures, such as cutting back user rights, had already been taken.

    It was now the turn of more serious changes, such as introducing additional elements to protect the IT infrastructure.

    Principles of Reliable Protection


    Building IT systems requires of the architect not only technical skills but also strategic thinking. Like the ruler of a state, one must foresee where enemy troops will come from and how spies and saboteurs will make their way in, trying to steal information or cause damage.

    It is impossible to imagine a situation in which a single police force, in the person of a local precinct officer or sheriff, is the only one searching for and eliminating enemy agents.

    If we map the scheme of state defence onto the IT infrastructure, some analogies suggest themselves: an Internet gateway with built-in protection can be considered the border troops, ordinary anti-virus monitors the police, and encryption of transmitted traffic together with its verification the courier service.

    It is worth noting an important point: when the anti-virus monitor reports a detected threat, the malicious code has already entered the system. At what stage it was noticed and how much harm it managed to do by then is the open question.


    Figure 1. Anti-virus protection scheme with an Internet gateway.

    Recent ransomware epidemics have thoroughly debunked the myth that "one antivirus is enough, as long as it is reliable".
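    One way to make the point above concrete, as an added example that is not part of the original article: a short Python script that correlates gateway and endpoint anti-virus log lines by file hash and reports at which layer each threat was stopped. The log format, field names and sample events are all constructed for this example and are not the output of any real gateway or anti-virus product.

```python
"""Correlate perimeter-gateway and endpoint anti-virus events by file hash.

Added example for the point that an endpoint detection means the malicious
code is already inside, and that *where* it was caught matters. The log
formats, field names and sample events are constructed for illustration and
are not the output of any real gateway or anti-virus product.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample logs. Tokens: timestamp, layer, action, then key=value fields.
GATEWAY_LOG = """\
2019-03-01T09:00:01 gateway BLOCK sha256=aaa1 dst=pc-07 file=invoice.exe
2019-03-01T09:02:10 gateway ALLOW sha256=bbb2 dst=pc-12 file=report.doc
2019-03-01T09:05:33 gateway ALLOW sha256=ccc3 dst=pc-03 file=setup.msi
"""

ENDPOINT_LOG = """\
2019-03-01T09:02:15 endpoint DETECT sha256=bbb2 host=pc-12 stage=on-access
2019-03-01T09:07:40 endpoint DETECT sha256=ccc3 host=pc-03 stage=on-execute
2019-03-01T09:09:02 endpoint DETECT sha256=ddd4 host=pc-21 stage=on-access
"""


@dataclass
class Event:
    ts: str
    layer: str      # "gateway" or "endpoint"
    action: str     # BLOCK / ALLOW / DETECT
    fields: Dict[str, str]


@dataclass
class Verdict:
    sha256: str
    verdict: str
    severity: int   # 0 = never entered the network, 3 = perimeter control failed


def parse_log(text: str) -> List[Event]:
    """Parse one event per non-empty line; key=value tokens go into fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, layer, action, *rest = line.split()
        fields = dict(tok.split("=", 1) for tok in rest if "=" in tok)
        events.append(Event(ts, layer, action, fields))
    return events


def correlate(gateway: List[Event], endpoint: List[Event]) -> Dict[str, Verdict]:
    """Decide, per file hash, at which layer the threat was stopped."""
    gw_action = {e.fields["sha256"]: e.action for e in gateway}
    ep_stage = {e.fields["sha256"]: e.fields.get("stage", "unknown")
                for e in endpoint if e.action == "DETECT"}
    # Only hashes that some layer flagged are interesting.
    blocked = {h for h, a in gw_action.items() if a == "BLOCK"}
    verdicts: Dict[str, Verdict] = {}
    for h in blocked | set(ep_stage):
        gw = gw_action.get(h)
        stage = ep_stage.get(h)
        if gw == "BLOCK" and stage is None:
            v = Verdict(h, "stopped at perimeter", 0)
        elif gw == "BLOCK":
            # Blocked once but still appeared on a host: the block did not hold.
            v = Verdict(h, "perimeter block bypassed", 3)
        elif gw == "ALLOW" and stage == "on-access":
            # Gateway missed it; endpoint caught it on write, before it ran.
            v = Verdict(h, "perimeter missed, caught on disk", 1)
        elif gw == "ALLOW":
            # Gateway missed it and it reached execution (or stage unknown): investigate.
            v = Verdict(h, "perimeter missed, caught at execution", 2)
        else:
            # No gateway record at all: arrived by a path the gateway never saw.
            v = Verdict(h, "entered by a path the gateway does not inspect", 2)
        verdicts[h] = v
    return verdicts


def summary(verdicts: Dict[str, Verdict]) -> Dict[str, int]:
    """Count hashes per verdict; anything outside the first bucket is
    evidence that a single layer would not have been enough."""
    counts: Dict[str, int] = {}
    for v in verdicts.values():
        counts[v.verdict] = counts.get(v.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    result = correlate(parse_log(GATEWAY_LOG), parse_log(ENDPOINT_LOG))
    for h, v in sorted(result.items(), key=lambda kv: -kv[1].severity):
        print(f"{h}: severity {v.severity}: {v.verdict}")
    print(summary(result))
```

    The severity scale is the example's own: an "on-execute" detection is ranked above an "on-access" one because the code has already run, and a hash the gateway never saw is ranked with it because it points to a path (removable media, an encrypted tunnel) that the perimeter does not inspect.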

    Organization of multilevel protection


    So, we have come to the conclusion that good protection should have several levels.

    With the internal protection system everything is more or less clear: you need to buy a good antivirus, and in this matter you have to rely on the reputation of its creators.

    With perimeter protection it is not so simple.

    It is imperative that local protection of computers and protection of the perimeter be based on different products and platforms. Otherwise a malicious program that gets past one can bypass, or even infect, both protection systems. Ideally, the perimeter device should have a different architecture and run a different operating system, one that virus writers find hard to reach.

    We define a set of basic requirements for an anti-virus gateway:

    1) An anti-virus engine with signature database updates

    Here, as they say, there is nothing to add or take away: without this function everything else is meaningless.

    2) The availability of comprehensive technical support

    This is an interesting and important point that is often forgotten. While the IT infrastructure is relatively small, internal IT staff can easily cope with supporting it. However, as an organization grows and develops, the requirements for availability and fault tolerance increase, and at the same time the number of points of failure grows. The existing IT staff are no longer enough. Many companies make vendor support a prerequisite in the terms of reference for an integration project from the very beginning.

    3) A convenient management system, preferably with a graphical web interface

    There is no need to comment on this at length. I will only note that a clear interface not only simplifies interaction with the device but also makes it possible to delegate certain responsibilities without much trouble, for example during vacations, illness and so on.

    4) The presence of good documentation

    There is no point in writing about this at length either. I will only note that the documentation should be understandable to people other than the system's developer.

    Creating a security system manually


    The first thing that comes to mind is to buy a small server, install an open-source operating system on it, add the appropriate software and configure everything yourself.

    Many anti-virus vendors offer software that can be installed on an Internet gateway running Linux (or another Unix-like OS), after which you can consider yourself somewhat protected.

    However, this approach is not without drawbacks.

    There is no comprehensive support: for the protection software you contact one vendor, for operating system problems a second, and for hardware issues a third.

    And by sad established tradition, each of this trinity can say "this is not my problem, go to ....", leaving the local IT staff to fight alone.

    Another drawback is the need to update and configure the different components separately without breaking how they interact. Suppose an antivirus works in conjunction with a proxy server: the operating system, the proxy server software and the antivirus itself all have to be updated so that in the end none of them interferes with the others' work.

    If an intrusion prevention system is also present, another set of service components is added; if there is a VPN, yet another ... As a result, the local sysadmin needs to be highly qualified to support this whole complicated business single-handedly.

    An equally important issue is system management. While anti-virus products usually come with a nice-looking interface out of the box, nobody promised the same amenities for the rest of the system, for example the proxy server. You have to choose management and delegation tools yourself, then set them all up, keep them updated, and so on.

    As a result, creating, configuring and maintaining such a home-made system of independent "bricks" is a rather difficult task.

    As for documentation, the usual principle is "I'll write it when there is time ...". No comment needed.

    Using ready-made solutions


    All of the above problems lead to an interesting thought: has anyone tried to calculate how much a home-made perimeter protection solution costs in the end?

    And it has to be counted not by the "software + hardware" formula but in aggregate: together with staff salaries including payroll contributions, lost profits and other costs in case of downtime, and so on. The amount can turn out to be very, very considerable.

    The second question: what if the creator of the system is unavailable? Anyone can get sick or simply quit.

    And what should small companies do, especially in the regions, that cannot yet find a highly qualified specialist in the above areas?

    The conclusion suggests itself: look on the market for an inexpensive (!) ready-made device that has all of the above features and is available for purchase in the Russian Federation.

    Besides availability from a seller, you need to consider whether the manufacturer supports economic sanctions against Russia. The prospect of being left not only without technical support but also without anti-virus database updates is not a happy one.

    One could try to look for such a thing among anti-virus vendors. However, the search returned only links to software to be installed on a computer; ready-made hardware-and-software perimeter protection systems could not be found there.

    But suitable options were found among network equipment vendors: many of them offer solutions for protecting the network perimeter in one form or another. It is worth noting that many network equipment vendors are American companies obliged to support anti-Russian sanctions. Few people would be delighted at the prospect of "playing cat and mouse" to keep the planned infrastructure clear of troubles of this kind.

    Therefore the choice fell on a neutral option: Zyxel products. The company is Taiwanese, headquartered in Taiwan, and does not support sanctions. Another advantage is that the equipment is manufactured in Taiwan, "close by" as they say, so prices will be lower thanks to logistics and the absence of customs and other fees, if only because components do not have to be brought in from abroad, as is the case with Russian assembly.

    At the same time, Zyxel is a well-known company with a good reputation, so there is no need to fear that it will disappear without a trace, leaving its customers without support.

    Weighing all the pros and cons, the choice falls on devices of the USG / ZyWALL family: the USG60W and USG40W.

    With these we get a built-in antivirus, anti-spam, content filtering and, as a bonus, intrusion detection and prevention (IDP).


    Figure 2. Next-Gen USG USG60W Unified Security Gateway.

    Also of interest are some features of an Internet gateway's "gentleman's set":

    • firewall;
    • Virtual Private Network (VPN);
    • bandwidth management;
    • event log and monitoring;
    • unified security policy.

    Recalling the delegation problem: for very simple situations a simplified configuration option, Easy Mode, is provided. This can be useful when building a "centre-and-branches" infrastructure, since in branches the problem of finding highly qualified IT specialists sometimes comes up.

    Conclusion to Part 1


    In this article, we decided on the IT infrastructure protection scheme: perimeter protection in conjunction with local anti-virus agents, with the two layers based on products from different vendors.

    We found that a comprehensive hardware-software solution has additional advantages primarily due to the internal integration of all components.

    We selected devices not affected by anti-Russian sanctions.

    In the next part, we will consider the construction of integrated protection using the selected USG / ZyWALL family as an example.

    Sources:

    1. We create an IT structure resistant to malware. Part 1
    2. We create an IT structure that is resistant to malware. Part 2
    3. Next-Gen USG Quick Reference
    4. Memo. ZyWALL USG Hardware Gateways
