Small office network configuration advice

ggadrian

Senior member
May 23, 2013
270
0
76
Well, as some of you already know I manage the IT of a small network.

So far it's been working fine for almost a year, but I'd like to make some changes to improve performance and security, and to have more options in the future.

The office typically has the following computers:

-1 Server that holds the files, makes backups and is used for administrative tasks.
-2 desktops connected by wifi
-2 laptops connected by wifi
-4/5 smartphones
-3 laptops that sometimes are there (although they usually aren't)

And one network printer: HP Officejet Pro 8600

My network gear is:
-ISP router used only as a modem
-TP-Link TL-WR1043ND
-A spare Belkin N450
-2 spare TP-Link TL-PA511 PLC

So, I'm planning to change the firmware of my router to DD-WRT since it will give me more options to configure it.

All the computers are property of the business and I have access to them, I just don't have access to the employees' smartphones.

What would you do with that? Is there anything special that you would do in order to improve security (most important thing), stability or performance?
 

duncan-idaho

Junior Member
Jul 31, 2013
19
0
0
First, I'm not an IT pro. I can see some things you may want to change though - first one that jumps out at me is that you may want to consider remotely administrating your server as normally you will want to physically secure your server (one store I worked at had it in a locked cage). Physical access to the hard drives that store all your important files should be controlled for sure.

I'm not sure exactly what you have in mind when you say "improving security", but if you want to be serious about controlling access to your network and the data on it then you need to consider how secure it is when it is at rest (i.e. stored on your hard drives), when it is being accessed (who has the permissions to access sensitive documents), when it is being transmitted and worked with (are you using a VPN to encrypt traffic between you and your ISP, or you and any machines accessing your data remotely?) and when you are moving it around (laptops or devices that can access this data - encrypted?). For that matter, are the disks you are storing it on encrypted?

Then there's backups. Do you have an offsite mirror of some kind, Rackspace/Amazon type cloud backup and if so are these backups secured? How will you respond if your server/network hardware dies and you need to keep the business functioning/recover all the critical data/make it accessible for working with again?

Basically, I think you need to flesh out what you want to do and what is important more if you want good quality, specific advice here.
 

ggadrian

Senior member
May 23, 2013
270
0
76
I'm asking for network advice. I'm not worried about people physically accessing the data and I have multiple backups (1 in a separate hard drive inside the server for fast recovery, every week I take an external HDD home with multiple backup images and now I'm setting up a server for backups over the internet).

The problem is that I'm really a noob in networking and apart from protecting the wifi with WPA2, doing MAC filtering and only allowing physical access to the router configuration I don't know how to improve security.

Basically I wanna know what you would do if it were your network.
 

duncan-idaho

Junior Member
Jul 31, 2013
19
0
0
I'd look at encrypting mobile devices that have access to your network and managing users' access to files and resources. Wireless passwords are only as safe as the handling practices protecting them. Someone loses a phone or laptop with saved passwords, that is the ball game and you have to hope they tell you about it in time to change all the passwords, which means in an unmanaged network manually updating everyone's passwords. Time spent now setting this up correctly could prevent an event like someone getting their laptop stolen from becoming a catastrophic event.

I know it may seem alarmist considering you seem to be talking about a small scale operation, but it is one of those things that doesn't seem important until it is. Properly securing data, including physical access, i.e. encryption, is important.
 

386DX

Member
Feb 11, 2010
197
0
0
The standard method of securing your Wi-Fi network in a business/enterprise environment is to use a RADIUS server for authentication. One of the reasons a standard WPA key or passphrase isn't used is that with a RADIUS server every user has their own login/pass, and you can add or remove users without affecting other users. In your current setup if someone with your WPA key quits you have to change your WPA key on every device and Access Point to maintain security. There are many other reasons to use a RADIUS server but that's the main one IMO.
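
The difference described in the post above, as an added configuration example that is not part of the original thread: it assumes a hostapd-based access point and a FreeRADIUS `users` file, neither of which the thread names, and every SSID, address, user name and secret in it is a constructed placeholder.

```ini
# ---- hostapd.conf, shared-passphrase setup (WPA2-PSK) ----
# One key is known to every laptop, desktop and phone.
# Revoking a single person means changing wpa_passphrase here
# and re-entering it on every remaining device.
ssid=office-example
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE_WITH_SHARED_PASSPHRASE

# ---- hostapd.conf, per-user setup (WPA2-Enterprise / 802.1X) ----
# The access point holds no user credentials; it forwards each
# login to the RADIUS server over UDP 1812.
ssid=office-example
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# Constructed address (documentation range) of the RADIUS server.
auth_server_addr=192.0.2.10
auth_server_port=1812
# Secret shared only between this AP and the RADIUS server,
# never given to users.
auth_server_shared_secret=REPLACE_WITH_AP_TO_RADIUS_SECRET

# ---- FreeRADIUS "users" file on the RADIUS server ----
# One entry per person (constructed names). When someone leaves,
# delete or comment out their line; nobody else's login changes
# and no access point has to be reconfigured.
alice   Cleartext-Password := "REPLACE_WITH_ALICE_PASSWORD"
bob     Cleartext-Password := "REPLACE_WITH_BOB_PASSWORD"
# carol left the company: entry disabled
# carol Cleartext-Password := "REPLACE_WITH_CAROL_PASSWORD"
```

The RADIUS server also needs the access point registered as a client with the same shared secret, and the `users` file must be readable only by the RADIUS service account because it holds passwords.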
 

Lorne

Senior member
Feb 5, 2001
873
1
76
I assume you are working with small data only and not large files like PSD. Large file work over wifi can become really tedious and choke the network to unbearable speeds.
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
The first thing I would suggest is to ditch the SOHO stuff and get yourself a business class network security appliance that can double as your router. We use Sonicwall gateway devices where I work and they're ok, but the subscription-based features get expensive quick.

Also since everything is wireless, invest in some business-class APs with proper handoff/roaming support. The AT forums swear by Ubiquiti UniFis; I gave them a try and they're pretty good, but I dislike the need for management software and prefer a standard web interface.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
Judging by your post and responses, this is for a very small office network and probably has a budget to match. The one thing I agree with so far is to go with a SonicWall firewall appliance. These are higher priced but have tons of features (if you want to use them). Look at something like TZ210 wireless or TZ215 wireless on eBay or something (only buy new sealed though).

This will provide you with plenty of features for remote administration if you ever need it, better firewall protection and much better stability than what you currently have.

Another cheaper option is like a high end ASUS wireless router (forget the exact model number) flashed with Shibby Tomato. I've had one going solid for 7 mos+ and no reboots and the firmware gives every feature imaginable.

As far as others posting using RADIUS for your wireless - sorry but for a small office network, I have yet to see this actually work correctly. In large companies, that's one thing but not most of the smaller ones I've consulted with.
 