Small Office/Home Office Network Security: Part 1

By Dave Moore
Apr 27, 2006


The security needs of the individual Internet user, and those who work in small or home offices, often overlap in many areas. Just as there are many different ways to get to Chicago, there are many different ways to set up small computer networks. Methods to provide for secure file, application and Internet access to multiple computers can range from simple to downright complicated. To do the job properly, you need to put together a network/Internet security plan.

The first step is to prepare a formal security policy, which will be a template for your overall security plan, and will provide a way to judge progress. Some security policy documents may only be a few pages, others may be quite lengthy. Things to keep in mind when writing the policy are risk assessments, budgetary considerations, and ways to determine your network's weaknesses.

Start by deciding what information on your network should be protected, and who should, and should not, have access to this information. Determine who will be responsible for maintaining security, such as updating OS/software, running antivirus/spyware scans, teaching employees about their security responsibilities, and modifying the security plan to keep up with future needs. Also decide if remote network access is needed, or if employees in the field can do their jobs without the hassle of setting up virtual private networks.

Three areas to look at in detail are basic security measures, configuring existing security options, and network firewalls.

Basic security measures include the "obvious" things, such as physical security, password policies, virus protection, etc.

1. You may need to limit physical access to the office building, equipment closets, server rooms, etc., to authorized personnel only.

2. Develop password policies that employees can and will follow. Best practices dictate that passwords are changed frequently, reuse of old passwords is restricted, and passwords must meet length and complexity rules. No passwords on post-its stuck to the monitor. User accounts must be deleted, and passwords changed when an employee leaves the company.

3. Establish antivirus rules: get clearance from management before using data downloaded from the Internet or on disks that come from outside of the office; always virus scan data and disks before using them on a computer; don't open email attachments unless you are absolutely sure of the contents; run antivirus scans daily.

4. Find out if employees connect to outside networks (such as AOL) using modems, thereby compromising your networks integrity.

5. Are strangers, such as outside workers or visitors, able to access your network? Is this desirable, or not?

6. Decisions should be made regarding who in your office needs Internet access, and who does not. Besides being a potentially spectacular time-waster, unnecessary Internet access is also a security risk.

Next time, we'll look at configuring the existing security options that are built-in to your operating system, programs, and other hardware (such as routers), and move on to the subject of firewalls.