Network security - small business

Let's start with this:

TejRJ5F.png


That's a rough idea of our setup.

The router is a standard issue Netgear model from BT. It's so old it doesn't have wireless.
The switch is just a cheap & cheerful hub.

We need to up the security on the wired network for the PCs, alarm system and payment machine.
We have a few older devices on the wireless network still, but these don't need to be secure.
Allowing customers access to the wireless would be a bonus.

I'm thinking I need to get a new wireless router which allows different SSIDs for the wireless connections, or perhaps incorporate a VLAN somehow, and split the network into two separate networks. I'm favouring this, but not sure what equipment I need?

Basically the red circle needs securing. Any advice please guys?
 
Best advice... get someone competent onsite to look at this. Your post just raises too many additional questions to deal with easily.

The fact that you can write 'The switch is just a cheap & cheerful hub' is enough to seriously suggest you shouldn't be the person trying to lock a network down.

That said you could probably do what you want with a wires only DrayTek 2860 and one or more UniFi APs.
 
Thanks for your input, but that's not going to happen. I've told the boss it needs improvement, he's asked me to do it. He wants to do it as cheap as possible. I'm the most computer literate person there.

We are a very small company, we don't keep any payment details, only customer name/address/contact details.

The pic should have said hub, not switch.

I had a look at the DrayTek router and it looks like it'll fit the bill OK. Their AP900 access point looks good as well - still need to have a look at UniFi.
 
Bremen pretty much hit it on the head, but for argument's sake I'll try to be helpful.

If you are taking card payments I thought for compliance it has to be as separate as possible. Also if you have an internet enabled alarm you probably don't want that on the same network as your "normal" running data.

Something like a 2860 would be great as it can do port-based VLAN, e.g. port 1 is the card network, port 2 is alarms and the other ports are your LAN.
You could get a 2860n (?) which has wifi built in and you may negate the need for the separate access point.

If you do require a separate AP then I'd really recommend the UniFi AP range; they have a nice UAP-AC-Lite model that is quite overlooked but is cheap and very capable.

As far as the switch goes, a cheap hub isn't going to hold you back but if you're spending some money, invest about £80 on a 24 port gigabit switch for some scalability, TP-Link do a nice one.
 
Everything you said in response to bremen1874's suggestion to bring in outside help just convinced me further that their suggestions were in fact correct.

If you're determined to do this yourself then I'd start with the Meraki MX65W - at least then you don't need to worry about forgetting to do firmware updates, and can delegate admin tasks to a third party in the future without just opening up remote management ports.
 
If you are taking card payments I thought for compliance it has to be as separate as possible.


This is the main reason for this upgrade. Our original machine connected to the phone line, but the new one is ethernet. This is why I thought I'd try and split the network, keep one for the office PCs and payment machine, and another for the wireless side of things. That way our 'unsafe and insecure' wireless bits will be separate from the payment machine.
 
The payment machine should be secure without you doing anything. They don't rely on local network security. If you want to double check then ask the payment provider what if anything needs doing.
 
By payment machine are we talking about a PDQ?

The computers, are they needing to be secure from each other or just from the rest of the network?

e; On your shopping list I'd have the following:

Ubiquiti Edge Router Lite
Ubiquiti Edge Switch Lite (24 Port)
Ubiquiti UAP-AC-Lite

I do however fear you're not going to be able to configure VLANs or understand certain aspects - why is your Alarm on the network, is it maybe connected to a phone line? Is your PDQ machine over ethernet or over phone line?

There's a few other things I'd recommend you purchase, however, it'd be ideal if you got an external company in as when something goes wrong I'm afraid you'll be getting the blame even if it's BT's problem :D
 
Yes, a single PDQ.

The alarm uses the internet and its own 3G connection to alert the alarm company when it sounds.

As far as I've been told, we need to make sure the PDQ is secure as possible.

We have some old machines running on XP which are connected wireless to the AP. Now my thoughts are; XP is no longer updated, and Chrome has now decided to stop updates on XP machines. In my mind, these computers aren't considered secure.
 
Is the PDQ using an ethernet/internet connection or a dedicated phone line? PDQs are generally secure; however, to completely segregate it I would recommend using its own phone line. Obviously this isn't cost effective and, to be honest, is completely overkill; a dedicated VLAN is what I would recommend.

I would personally propose a few different VLANs for all of your equipment. I would also recommend at least one secure SSID; WPA2 would be enough, and I'd put it on its own VLAN for your XP machines and laptops.

I'm unsure of how 'noisy' the alarm would be on the network, however I would also segregate it via a VLAN.
 
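The VLAN split suggested above (the port-based VLAN idea earlier in the thread and the per-device VLANs with a separate guest/XP SSID here) comes down to one forwarding policy: each VLAN may reach the internet, no VLAN may reach another, and nothing may reach the BT router's own LAN. The following is an added example, not code from the thread or from any of the products mentioned; the VLAN IDs, subnets and the eth1 interface are assumptions. It models that policy, checks it for cross-VLAN leaks, and renders it as EdgeOS-style `set` commands of the kind used on the EdgeRouter Lite mentioned above (syntax to be checked against the router's own documentation before use).

```python
"""Model of the VLAN split proposed in the thread: office PCs, the PDQ, the
alarm panel and the guest/XP wireless each on their own VLAN, every VLAN
allowed out to the internet, no VLAN allowed to reach another one.
Addressing, VLAN IDs and the eth1 interface are assumptions for the example."""
from ipaddress import ip_address, ip_network

# Assumed VLAN plan: name -> (802.1Q id, subnet). The router is .1 in each.
VLANS = {
    "OFFICE":  (10, ip_network("192.168.10.0/24")),  # office PCs
    "PAYMENT": (20, ip_network("192.168.20.0/24")),  # the PDQ and nothing else
    "ALARM":   (30, ip_network("192.168.30.0/24")),  # alarm panel
    "GUEST":   (40, ip_network("192.168.40.0/24")),  # customer wifi + old XP boxes
}
INTERNET = "INTERNET"

# Zone pairs for which the router forwards NEW connections. Anything else
# crossing VLANs is dropped; replies are covered by stateful inspection.
ALLOWED = {(zone, INTERNET) for zone in VLANS}


def zone_of(ip):
    """VLAN name for an address, INTERNET for public space, or None for
    private space that is not one of our VLANs (e.g. the BT router's own
    management subnet), which is never forwarded to."""
    addr = ip_address(ip)
    for name, (_, net) in VLANS.items():
        if addr in net:
            return name
    return None if addr.is_private else INTERNET


def allowed(src_ip, dst_ip):
    """Would a new connection from src_ip to dst_ip be forwarded?"""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False      # unknown private space: never forwarded
    if src == INTERNET:
        return False      # no unsolicited inbound from the internet
    if src == dst:
        return True       # same VLAN: switched locally, router not involved
    return (src, dst) in ALLOWED


def cross_vlan_leaks():
    """Ordered pairs of distinct VLANs the policy would forward between.
    For the design discussed in the thread this must be empty."""
    names = list(VLANS)
    return sorted((a, b) for a in names for b in names
                  if a != b and (a, b) in ALLOWED)


def edgeos_config():
    """Render the policy as EdgeOS-style 'set' commands. Assumed: VLAN
    subinterfaces hang off eth1 and the rule syntax matches the router's
    firmware; verify against the device's documentation before use."""
    lines = []
    for name, (vid, net) in VLANS.items():
        fw = f"{name}_IN"
        gateway = f"{net.network_address + 1}/{net.prefixlen}"
        lines += [
            f"set interfaces ethernet eth1 vif {vid} description {name}",
            f"set interfaces ethernet eth1 vif {vid} address {gateway}",
            f"set interfaces ethernet eth1 vif {vid} firewall in name {fw}",
            f"set firewall name {fw} default-action accept",  # i.e. out to the internet
            f"set firewall name {fw} rule 10 action accept",
            f"set firewall name {fw} rule 10 state established enable",
            f"set firewall name {fw} rule 10 state related enable",
        ]
        # Drop anything aimed at private space: the other VLANs and the BT
        # router's own LAN. RFC 1918 ranges are the shorthand for "local".
        for i, rfc1918 in enumerate(("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
            rule = 20 + i
            lines += [
                f"set firewall name {fw} rule {rule} action drop",
                f"set firewall name {fw} rule {rule} destination address {rfc1918}",
            ]
    return lines


if __name__ == "__main__":
    print("cross-VLAN leaks:", cross_vlan_leaks())
    for s, d in [("192.168.40.23", "192.168.20.5"),   # guest -> PDQ
                 ("192.168.10.7", "8.8.8.8"),         # office -> internet
                 ("192.168.20.5", "192.168.10.7"),    # PDQ -> office
                 ("192.168.40.23", "192.168.1.254")]: # guest -> BT router LAN
        print(f"{s} -> {d}: {'forward' if allowed(s, d) else 'drop'}")
    print("\n".join(edgeos_config()))
```

The rendered rulesets are applied inbound on each VLAN subinterface, so a guest or XP machine on VLAN 40 can browse but cannot reach the PDQ, the office PCs or the BT router; the PDQ likewise only ever talks outwards. The "drop all RFC 1918" shortcut is what makes the rules identical per VLAN; if one VLAN later needs to reach another (say the office managing the alarm panel), add that pair to `ALLOWED` and an explicit accept rule ahead of the drops rather than loosening the drops themselves.
 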
The PDQ uses the internet via Ethernet. I completely agree with not going overkill and having it on its own dedicated line.

So I need a new wireless router which supports numerous VLANs, a switch, and a new AP which can also support multiple SSIDs.
 
I wouldn't go with a Wireless Router. You will want to identify if you've a modem > router or an all in one system, if it's the latter you'll need to understand if it can be configured to only act as a modem - this is important else you'll have a double NAT situation. The list I created gives you an idea of what to get, however without understanding your entire network it's hard to suggest.
 
Everything you said in response to bremen1874's suggestion to bring in outside help just convinced me further that their suggestions were in fact correct.

That may be so but having been in what is probably mushtafa's position I suspect the MD or whoever isn't interested in the cost of that, doesn't understand the need for that and can't be convinced of the need for that :S
 
If the management decides that it isn't worth getting the network sorted professionally then it's their problem.

If the OP dives in and something goes wrong it'll quickly become his problem.
 
That may be so but having been in what is probably mushtafa's position I suspect the MD or whoever isn't interested in the cost of that, doesn't understand the need for that and can't be convinced of the need for that :S

Again to echo what bremen1874 says, the solution to this isn't to muddle your way through and then become the fall-guy for any future problems. What if the OP arrives at work and the entire network is down - the network that was configured with help from an Internet forum. Who does the OP call? How much is a lost day of productivity worth? How many sales would be lost if the card machine can't submit transactions?

To be clear I am not against people using discussion forums to learn things and get advice - that's where I started and that's why I still contribute. But I think it's important to know which environments are appropriate for learning-by-doing, and which ones aren't.
 
This isn't for PCI-DSS compliance is it?
If it is, I highly recommend keeping the PDQ on its own phone line.

Otherwise I can guarantee it's too complicated for you to segregate the data etc. in a manner that's fully compliant - you also have to ensure machines are all patched etc., for example.
 
Again to echo what bremen1874 says, the solution to this isn't to muddle your way through and then become the fall-guy for any future problems. What if the OP arrives at work and the entire network is down - the network that was configured with help from an Internet forum. Who does the OP call? How much is a lost day of productivity worth? How many sales would be lost if the card machine can't submit transactions?

To be clear I am not against people using discussion forums to learn things and get advice - that's where I started and that's why I still contribute. But I think it's important to know which environments are appropriate for learning-by-doing, and which ones aren't.

Aside from just refusing to touch it I'm not sure what else you'd suggest though :S If it's like what is typical for these kinds of businesses there is no convincing the boss.
 
I agree it's not always straightforward - if you're convinced you will be tasked with this regardless of how much you explain that you don't really know what you're doing then I guess it's important to express objections in writing so you don't end up under the bus at the first issue.
 
If you're not sure, leave well alone. You may be the most computer literate person in the office but it doesn't mean you are literate in networking and security.

Make the boss aware that you aren't sure, can help out but really don't want to be liable if anything goes belly up.
 