One of my friends has started a company. It's a small-scale company that has 40 workers. There are also two guys responsible for the security and IT-related issues. He is managing the LAN, the company web page, e-mail configuration, printer hardware modification, application deployment, etc.
At this point, to provide security measures including access controls, authentication, web server security, etc., which tools do you use for securing, monitoring and controlling the system? Are you paying for these tools, or are they open source?
This question is due to the security administrator's requests to my friend. He offers to get some tools for the company, and my friend hesitates to pay that much for them (that's what he mentioned to me).
Well, these are the top three:
A decent anti-virus package on all computers on the network, including servers. Ideally, scanning email as it comes in. (e.g. Trend Micro, BitDefender, NOD32... ideally ones that can be centrally managed).
A good firewall with graphing and intrusion prevention mechanisms (set up to only allow essential services and block the rest). (e.g. pfSense, Astaro, Untangle, Cisco PIX)
A backup system you can rely on. Preferably, a copy of the data off-site. Remember the backup is only as good as the ability to restore. Although some may not see this as a security tool, it does provide some security for your data in case of catastrophic failure. It doesn't guard against corruption, though, because you can back up corrupted data. (e.g. ShadowProtect). In addition to this, make sure you have at least mirrored RAID drives in all your servers.
After that, you can go to authenticated network access, authenticated browsing, etc. If it's a Microsoft network, then a domain controller with domain logon for each computer and a domain policy applied to ensure that access internally is correctly controlled. e.g. you don't want the whole organisation to be able to view/edit your financial data that may be stored on an internal server.
If you have a wireless LAN in place, then authentication into the wireless LAN through RADIUS or similar. You need the ability to control access to your LAN.
That's all that comes to mind right now.
For monitoring I would recommend Nagios. It's free, you can monitor everything in your network and it will never crash.
Here's a link: http://www.nagios.org/
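As an added illustration (not part of the answer above), here is a minimal Nagios object configuration for the kind of small office described in the question: it watches the public web server and the mail server, and checks the HTTPS certificate so an expiry is caught before users see browser warnings. The hostnames, addresses and contact group are placeholders; the `linux-server`/`generic-service` templates and the `check_http`, `check_smtp` and `check_ping` commands come from the default Nagios Core sample files.

```cfg
# hosts.cfg - constructed example; replace placeholder addresses
define host {
    use             linux-server        ; stock template from templates.cfg
    host_name       web01
    alias           Company web server
    address         192.0.2.10          ; placeholder (TEST-NET-1)
    contact_groups  admins              ; assumed to exist in contacts.cfg
}

define host {
    use             linux-server
    host_name       mail01
    alias           Company mail server
    address         192.0.2.20          ; placeholder (TEST-NET-1)
    contact_groups  admins
}

# Basic reachability: warn at 100 ms / 20% loss, critical at 500 ms / 60% loss
define service {
    use                 generic-service
    host_name           web01,mail01
    service_description PING
    check_command       check_ping!100.0,20%!500.0,60%
}

# Plain HTTP must answer; a non-200 status or timeout raises an alert
define service {
    use                 generic-service
    host_name           web01
    service_description HTTP
    check_command       check_http
}

# HTTPS: -S speaks TLS, -C 30 warns when the certificate expires within 30 days
define service {
    use                 generic-service
    host_name           web01
    service_description HTTPS certificate
    check_command       check_http!-S -C 30
}

# Incoming mail: the SMTP banner must be returned within the default timeout
define service {
    use                 generic-service
    host_name           mail01
    service_description SMTP
    check_command       check_smtp
}
```

Validate before reloading with `nagios -v /usr/local/nagios/etc/nagios.cfg` (the path depends on how Nagios was installed).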
W3AF is good for quick penetration testing of your web servers. It catches a lot of the basic web server security issues. I also use the Metasploit Framework, but that is more involved. BackTrack has all of that stuff installed.
I recommend they install a HIPS on the office computers and maintain those via an enterprise solution where signatures are pushed from a central system. If they are responsible for the company web page, they are likely taking security somewhat seriously on their server OS, but only somewhat seriously with what that web server is willing to process, and probably don't know what client-side security is with regard to web development. If they are going to publish applications on behalf of the enterprise, then they need to be fully aware of application and web security, because systems security then becomes only partially relevant.