Defense in Depth Reference Guide
Security Strategies to Protect Small Business
Defensive Layer 1: Blocking Attacks - Network Based
- Firewalls (Must Have)
- Firewalls:
- Checkpoint
- Cisco PIX or ASA
- SonicWall
- Fortigate
- Firewalls:
- Secure Email - Anti-Virus and Anti-Spam (Must Have)
- Remote protection
- Email Protection
- Localized Protection
- Symantec AntiVirus Gateway Solution
- Trend Micro InterScan VirusWall
- McAfee Secure Web Gateway
- Remote protection
- Secure Web Filtering (Should Have)
- WebSense
- Surf Patrol from Vantage Software
- eTrust Secure Content Manager from CA
- SonicWall Content Filtering Service
- Discovery and Mitigation (Should Have)
- Quarterly scan and assessment of the network for vulnerabilities and exploits
- MBSA
- HFNetcheck
- Languard
- Intrusion Prevention (IPS) (Enhancement)
- SonicWall and PIX firewalls
- MyTek Managed Security
- Intrusion Detection (IDS) (Enhancement)
- MyTek Managed Security
- Juniper Networks IDP 50
- Snort
- Managed Security Services (Enhancement)
- MyTek Managed Security
Defensive Layer 2: Blocking Attacks - Host Based
- Personal Anti-virus (Must Have)
- Symantec Anti-Virus
- McAfee Anti-Virus
- Trend Micro
- Spyware Removal (Must Have)
- Spysweeper from Webroot
- Adaware from Lavasoft
- Spybot search and destroy from Safer Networking
- Windows Defender (Beta 2) from Microsoft
- Personal Firewalls (Should Have)
- Windows XP SP2 Firewall
- ZoneAlarm Pro from Zone Labs
- Black Ice defender from Internet Security Systems
- Host Intrusion Prevention System (Enhancement)
- Symantec Critical System Protection
- McAfee Host Intrusion Prevention for desktops and servers
- Blink Endpoint Vulnerability Prevention from Eeye digital security
- Cisco Security Agent
Defensive Layer 3: Eliminating Security Vulnerabilities
- Patch and Configuration Management and Compliance (Must Have)
- WSUS from Microsoft
- MBSA from Microsoft
- HFNetChkPro from Shavlik
- Vulnerability Management and Penetration Testing (Should Have)
- MyTek Managed Security
- Core Impact from Core Security Technologies
- Languard Security Scanner
- Nessus
Defensive Layer 4: Safely Supporting Authorized Users
- Strong Passwords (Must Have)
- Password cannot be based on or contain the user's account name
- Must contain at least 8 letters
- Must contain digits and punctuation characters (%,$,@, etc.)
- Mandatory password change every 90 days
- Passwords can't be reused for 270 days or longer
- File Encryption (Must Have)
- Windows XP Encrypting File System (EFS)
- TrueCrypt open-source disk encryption software for Windows XP/2000/2003 and Linux
- BestCrypt v.7 for Windows from Jetico
- Virtual Private Networks (VPNs) (Should Have)
- Hardware to Hardware (home office firewall)
- Software to Hardware (VPN client)
- Secure Remote Access (Should Have)
- Citrix
- Microsoft Windows Terminal Services
- Microsoft Windows XP Remote Desktop
- ID & Access Management (Enhancement)
- RSA SecurID hardware tokens
- Enterprise Access Cards by ActivIdentity
Defensive Layer 5: Tools to Minimize Business Losses and Maximize Effectiveness
- Back-Up (Must Have)
- Backup Exec from Veritas
- Symantec Livestate Recovery Server with Restore Anywhere
- ArcServe from Brightstore
- Retrospect from EMC Insignia
- Security Skills Development (Must Have)
- Localized Security Seminar
- Lunch and learn events
- Log Management (Should Have)
- Kiwi Syslogger
- Mytek Managed Security
- Regulatory Compliance Tools (Enhancement)
- NetChk Compliance from Shavlik
- Compliance solutions from NetIQ
To ensure protection in the small business environment it is critical to implement solutions at EACH Layer to provide overlapping protection.