| The purpose of this document is to provide | | | | provide in-depth firewall protection and |
| small business owners and network | | | | additional security services, while others |
| administrators with a better understanding of | | | | simply provide Internet connection sharing |
| security needs and to outline the actions | | | | with NAT translation, allowing only very |
| that can be taken to ensure the safety of | | | | basic protection. The main purpose of a |
| networks and their data. | | | | firewall is to keep out unwanted traffic, |
| This document can be download in full | | | | such as a computer worm attempting to infect |
| and in PDF format for free at you don't know | | | | computers with a specific vulnerability. Note |
| about network security can hurt your | | | | that some firewalls can also be used to block |
| business. | | | | specified outgoing traffic, such as file |
| | | | sharing programs, and to block specified |
| "With broadband usage quickly becoming a | | | | incoming traffic, such as instant messengers |
| standard in the business world and network | | | | or any other service the firewall |
| security hazards on the rise, small | | | | administrator chooses to block. |
| businesses without a dedicated IT team are | | | | |
| faced with the great challenge of protecting | | | | Many hardware firewalls offer additional |
| their networks from threats. However, in | | | | services such as email antivirus and antispam |
| order to meet this challenge, small | | | | filtering, content filtering, and secure |
| businesses must first face a greater | | | | wireless access point (AP) options. When |
| challenge: understanding and acknowledging | | | | selecting a firewall, define the requirements |
| the threats. | | | | of your business. Many firewall vendors |
| | | | provide customizable firewalls with pricing |
| The purpose of this document is to provide | | | | depending on the range of services you |
| small business owners and network | | | | select. If you can, get technical assistance |
| administrators with a better understanding of | | | | from a local network security service |
| security needs and to outline the actions | | | | provider. |
| that can be taken to ensure the safety of | | | | |
| networks and their data. | | | | 4.Antivirus. Antivirus (AV) software is used |
| | | | to scan files on the computer on which it is |
| Why Are Small Businesses Vulnerable?Perhaps | | | | installed, files that are downloaded to the |
| the greatest threat to small business | | | | computer, and of course email. In addition to |
| networks is the owners' false sense of | | | | implementing AV solutions on each machine, it |
| security and their lack of proficiency in | | | | is important to have an AV gateway: a local |
| protecting their networks. Very often, small | | | | or remote machine where email messages are |
| business owners push network security issues | | | | scanned for viruses while they are being |
| down the priority list in favor of more | | | | downloaded to the client computer. It is |
| pressing matters, and in many cases, network | | | | crucial to keep the antivirus software |
| security is not a concern at all. | | | | updated at all times, as new viruses are |
| | | | found almost every day. |
| To better understand the severity of this | | | | |
| phenomenon, consider the following research | | | | Do not forget that simply having the software |
| results: | | | | is not enough. Schedule an automatic scan if |
| | | | possible. If not, then set a reminder to |
| - According a survey conveyed by the National | | | | ensure that you and other office employees |
| Cyber Security Alliance, "More than 30% of | | | | run the scan on their computers periodically. |
| those polled by the National Cyber Security | | | | |
| Alliance (NCSA) think they'll take a bolt of | | | | 5.Patches and Updates. Microsoft and other |
| lightning through the chest before they see | | | | software vendors provide updates that are |
| their computers violated in an Internet | | | | meant to fix bugs and patch potential |
| attack." | | | | security holes in their software. Make sure |
| | | | you regularly check for updates. You can even |
| - The SANS/Internet Storm Center publishes a | | | | decide on a specific day (once in two weeks |
| statistic reporting the average time a | | | | is usually enough) on which to remind |
| "clean" (un-patched and undefended) system | | | | yourself and your employees to run the |
| can be connected to the Internet before being | | | | software updates or check the software |
| attacked or scanned. Recent data indicated an | | | | manufacturer Web site for any updates that |
| average of 20-30 minutes. New threats | | | | may be available. Disaster Recovery Be |
| continue to emerge every day, and "lightning" | | | | prepared if something goes wrong. Beyond |
| can strike, whether in the form of lowered | | | | network security issues, there are many more |
| productivity due to spam, or priceless | | | | things that can disable your network or leave |
| information such as customer credit card | | | | it vulnerable. |
| numbers that end up in the wrong hands. | | | | |
| | | | 6.Backup. Always backup information. The more |
| Many small business owners wave off network | | | | important the information is, the more copies |
| security concerns, claiming that the size of | | | | of it you should have available. Make sure |
| the company and its insignificance in the | | | | not to leave it lying around or misplace it. |
| market will deter hackers from targeting the | | | | Create a backup policy to back the data up |
| network. This is a very misguided approach. | | | | regularly. If possible, encrypt sensitive |
| Strict regulations such as the Sarbanes-Oxley | | | | information and always keep a non-rewritable |
| Act require enterprises to invest more in | | | | copy (CD-ROM) of the files in a safe |
| information security. Enterprises are aware | | | | location. It is also recommended to back up |
| of various security threats and often employ | | | | firewall, email, and Internet configuration |
| in-house specialists to defend their networks | | | | settings to enable quick access to these |
| from various threats. Companies with large | | | | settings in case of a failure. |
| networks own complex firewall and intrusion | | | | |
| prevention systems that are regularly updated | | | | 7.ISP and/or Gateway Failover. For businesses |
| and maintained. Small businesses cannot be | | | | that are dependant on Internet connectivity, |
| expected to have manpower, money, or time to | | | | it is crucial to have a backup Internet |
| invest in maintaining an enterprise-scale | | | | connection and a backup firewall/gateway to |
| network security system. However, this does | | | | preserve connectivity and production in the |
| not mean they should ignore security threats. | | | | event that your primary Internet connection |
| | | | goes offline or the main firewall/gateway |
| A good example of the vulnerability of small | | | | malfunctions. Several firewall gateways offer |
| networks in comparison to enterprises is the | | | | smooth and automated failover and ISP backup |
| effect of the My. | | | | options. If temporary connectivity loss means |
| | | | potential profit loss, be sure to have |
| Doom worm (released in January 2004). | | | | failover options. |
| According to the Internet Security Alliance | | | | |
| data, one out of three small businesses was | | | | Annoyances Spam and spyware are not only |
| affected, while only one out of six | | | | annoying, but they can be quite dangerous to |
| enterprises was affected. It is not always | | | | your network security and, of course, |
| personal. As you will learn later, most | | | | productivity. Another threat to productivity |
| attacks and security threats are aimed at the | | | | is sites with questionable content, as well |
| general public and not directed at any | | | | as file sharing software. |
| specific company or network. A hacker can run | | | | |
| a software program that scans networks and IP | | | | 8.Antispam and Antispyware. Spam filtering |
| ranges, looking for potential weaknesses. | | | | can be implemented on the mail server, on the |
| When such weaknesses are found, the hacker | | | | firewall/gateway, or on the machine receiving |
| can take over the machines or infect them, in | | | | the messages. Most antispam software uses |
| order to use them as a "zombie army" in | | | | various filters and blacklists to attempt to |
| larger scale attacks. | | | | eliminate spam without deleting legitimate |
| | | | emails. In small networks with few mailboxes, |
| What Happens If I Do Get Hacked?According to | | | | you may consider locally set antispam |
| a Gartner study , 40% of small businesses | | | | software, but in larger networks with more |
| that use the Internet for more than email | | | | users, you may want to use spam scanning on |
| will be successfully attacked by the end of | | | | the firewall/gateway. |
| 2005. More than half of the businesses | | | | |
| attacked will not even know it. Could you be | | | | Spyware can be removed by using antispyware |
| one of those businesses? Are you aware of the | | | | software on the local machine. You may want |
| damage a severe attack could inflict on your | | | | to include this in your weekly or bi-weekly |
| business? Think of what would happen if a | | | | routine of updates and scans, and scan your |
| computer containing important business data | | | | network computers for spyware, as well as |
| was physically stolen, and the data was not | | | | viruses and worms. |
| backed up. · How much would a new machine | | | | |
| cost?· How much irreplaceable data would | | | | 9.Blocking Specific Sites, IM Clients, and |
| be lost?· How much would this data loss | | | | File Sharing Programs. The best way to deal |
| cost your company?· Can you afford the | | | | with questionable sites online, IM |
| financial costs, downtime, and hassle?Each | | | | conversations during work hours, and |
| business is different in both vulnerability | | | | bandwidth-wasting file sharing is to enforce |
| and risk. The questions above can assist you | | | | their exclusion on the gateway. Some |
| in beginning to assess the potential damage | | | | firewalls allow you to select specific |
| of an attack on your network. However, there | | | | services to which access should be blocked |
| are other threats beyond hacker attacks and | | | | and to filter Web sites by address and/or by |
| loss of information. Know them, and protect | | | | category. |
| yourself. | | | | |
| | | | Improving Productivity Safely Access your |
| What Are the Threats?Like any technology, | | | | office network whenever you need it, wherever |
| Internet security threats are changing and | | | | you need it - safely. |
| evolving at all times. Hackers adjust their | | | | |
| methods and develop them to take advantage of | | | | 10.Remote Access VPN and Site-to-Site VPN. |
| both technological vulnerabilities and | | | | Virtual private network (VPN) technology |
| psychological weaknesses of employees. Some | | | | allows you to connect two or more networks in |
| current threats are: | | | | a private connection, creating a tunnel of |
| | | | encrypted data between the two points. This |
| - Security Holes or Vulnerabilities. These | | | | technology was adopted to replace expensive |
| are "bugs" in operating systems and software | | | | private networks (such as frame relay) with |
| that can be exploited by hackers. When a | | | | increasing popular and available broadband |
| vulnerability is discovered, the race begins: | | | | Internet connections. VPNs provide privacy |
| hackers hurry to develop exploits, which are | | | | and encryption for the data as it is |
| pieces of code that use the vulnerability to | | | | transferred over the Internet. This is |
| penetrate or disable a program or a whole | | | | especially useful if you have two or more |
| network, before the software developer | | | | branches in your business or would like to |
| releases a patch to close the hole. · | | | | access your office network remotely. For |
| Direct Attack. Though less common in the | | | | example, your sales representative does not |
| small business world, direct attacks do | | | | have to carry confidential information on his |
| exist. A disgruntled worker, a very unhappy | | | | laptop when visiting abroad. All he has to do |
| customer, or a competitor with network | | | | is connect to the Internet and access the |
| knowledge can try to hack into the network | | | | data in the office through a secure |
| with different intentions. From simple | | | | connection. |
| curiosity to data theft, many reasons can | | | | |
| cause a hacker to come knocking on your | | | | Numerous security appliances offer VPN server |
| office network door. | | | | and endpoint capabilities. If accessing your |
| | | | office network increases productivity, or if |
| - Viruses. Though less common nowadays and | | | | you have been accessing your office network |
| often confused with worms, viruses are pieces | | | | without using a secure VPN, you should select |
| of executable code that can do damage to a | | | | a gateway appliance that offers this feature. |
| computer system. Viruses often spread over | | | | Check Point(R) Safe@Office(R) Small Business |
| email and recently over instant messaging | | | | Security and Remote Access SolutionThe |
| networks, by disguising themselves as | | | | Safe@Office appliance delivers a modular |
| legitimate attachments. The user activates | | | | small business security solution that can be |
| the code unknowingly, thus infecting their | | | | tailored to any small business network and |
| system with the virus. Viruses often use the | | | | its requirements. By combining |
| victim's address book to email themselves to | | | | enterprise-level Stateful Inspection firewall |
| other mailboxes. Viruses can range from | | | | protection and IPSec VPN capabilities with |
| merely annoying to dangerously destructive. | | | | customization options and ease of use, |
| | | | Safe@Office delivers a cost-effective |
| - Worms. Similar to viruses and much more | | | | solution for offices with three to |
| common are computer worms. Unlike viruses, | | | | seventy-five users. |
| which infect programs and files, worms do not | | | | |
| attach themselves to any other software and | | | | No security expert is required for appliance |
| are self-sustained. Worms often propagate | | | | installation and configuration, as |
| themselves using an infected system's file | | | | wizard-driven setup options allow simple and |
| transmission capabilities, and may increase | | | | quick customization of the firewall and VPN |
| network traffic dramatically in the process. | | | | settings to match the company security |
| Other possible effects of a worm include | | | | policy. |
| deletion of files, emailing of files from the | | | | |
| infected computer, and so on. More recently, | | | | Safe@Office Internet Security Appliance |
| hackers have designed worms to be | | | | FeaturesSafe@Office network and remote access |
| multi-headed, so that their payload includes | | | | security appliances are high-performance, |
| other executables. The most infamous worm is | | | | hardware-based platforms that provide |
| My. | | | | advanced firewall protection and support a |
| | | | wide variety of security services from Email |
| Doom, which, along with its variants, caused | | | | Antivirus to Dynamic DNS. All Safe@Office |
| several billion dollars worth of damage to | | | | appliances include the following features: |
| businesses, ISPs, and home users. | | | | |
| | | | - Stateful Packet Inspection Firewall. |
| - Trojan Horses. These are software programs | | | | Safe@Office appliances are equipped with |
| that capture passwords and other personal | | | | best-of-breed, patented firewall technology |
| information, and which can also allow an | | | | from Check Point Software Technologies, the |
| unauthorized remote user to gain access to | | | | same technology used by 97% of the Fortune |
| the system where the Trojan is installed. To | | | | 500. The firewall protects your network from |
| protect against damage by Trojan horses, it | | | | DoS attacks, IP spoofing, and TCP/IP-based |
| is necessary to use a firewall with strict | | | | attacks, without any need for configuration. |
| control for outgoing traffic. | | | | The moment you connect your network to the |
| | | | Internet using the Safe@Office appliance, |
| - DoS (Denial of Service) Attacks. This | | | | your network is protected: no setup is |
| particular threat is valid if you run a Web | | | | required on the LAN computers, and no expert |
| server with a promotional or Web commerce | | | | is needed to configure the firewall settings. |
| site. The attack attempts to disable the | | | | |
| server by flooding it with fake requests that | | | | - Internet Connection Sharing and IP Address |
| overload the server. Very often, unable to | | | | Management. All Safe@Office appliances |
| mount this attack with a limited number of | | | | include built-in NAT (Network Address |
| computers and bandwidth, the attacker will | | | | Translation) and DHCP (Dynamic Host |
| create an army of "zombie" machines, by | | | | Configuration Protocol) features to allow |
| infecting various networks with worms that | | | | seamless integration with an existing network |
| allow the hacker to exploit the machines and | | | | and connection sharing between multiple |
| their bandwidth for the attack. This is | | | | stations. |
| called a DDoS (Distributed Denial of | | | | |
| Service). DoS has become a popular online | | | | - Easy Management and Simple Configuration. |
| criminal activity with hacker groups | | | | Safe@Office appliances provide you with a |
| demanding protection money to keep them from | | | | wide range of management options, both local |
| ruining businesses. Companies that depend on | | | | and remote, to provide all users with the |
| online commerce are particularly vulnerable | | | | configurability they require. Locally, the |
| to this type of attack. | | | | Safe@Office can be managed via a Web-based |
| | | | interface that incorporates |
| - Spam. Though not officially defined as a | | | | easy-to-understand wizards and options. For |
| security threat, spam can seriously damage | | | | extended configuration options, advanced |
| productivity and represents a potential risk, | | | | users can configure the appliance directly |
| due to the current rise of malicious software | | | | via the command line, using SSH. Remotely, |
| delivered by spam messages, as well as | | | | the Safe@Office appliance can be configured |
| "phishing". Phishing is a method used to | | | | via HTTPS or secure SSH, when these remote |
| acquire personal information such as | | | | access options are enabled. For increased |
| passwords, bank account and credit card | | | | security, you can configure the Safe@Office |
| numbers, and more, through sophisticated | | | | appliance to allow administrator access only |
| email messages that claim to have come from a | | | | from specified IP addresses, over VPN, or |
| specific provider (eBay for example) and | | | | from local machines. Safe@Office appliances |
| appear quite authentic to the unsuspecting | | | | can be centrally managed by the SofaWare |
| recipient. | | | | Security Management Portal (SMP) to receive |
| | | | customized security policies, additional |
| - Spyware. Spyware is malicious code | | | | services, and advanced logging options. |
| sometimes found in various freeware or | | | | |
| shareware software, as well as in file | | | | - Security Updates and Additional Services. |
| sharing clients. It takes a toll on system | | | | Internet hazards, security standards, and |
| performance and sends user data to the | | | | technology are constantly developing. The |
| spyware creators. | | | | Safe@Office solution can be customized for |
| | | | your office network and updated automatically |
| - Inappropriate or Illegal Content. Though | | | | with the latest security updates and new |
| not considered a security threat, | | | | features. Safe@Office Solution for Any |
| inappropriate content can seriously damage | | | | OfficeSafe@Office appliances are available in |
| employee productivity. Web sites with illegal | | | | a variety of feature sets and user numbers to |
| content often contain files with viruses, | | | | suit your business. All Safe@Office |
| worms, and Trojans horses embedded in the | | | | appliances can be subscribed to advanced |
| available downloads. How Can I Protect | | | | security and productivity services such as |
| Myself?If you have read this far, you have | | | | Email Antivirus, Antispam, Web Filtering, |
| passed the toughest challenge for small | | | | Dynamic DNS, managed VPN and security policy, |
| business network owners. You should now have | | | | and advanced security logging. |
| a pretty clear picture of what the possible | | | | |
| threats are and how they can harm your | | | | - Safe@Office 100/200 SeriesSafe@Office 100 |
| network. The next step is to evaluate the | | | | 200 series appliances protect your computers |
| risks and allocate the resources: | | | | and data from hackers and reduce network |
| | | | downtime, so you can focus on running your |
| - Assess your needs and invest correctly. | | | | business. Designed specifically for the needs |
| Consider the harm that could be caused if a | | | | of the small to medium business, Safe@Office |
| competitor retrieved customer information. | | | | 100/200 series appliances provide |
| Think of the damage to your business that can | | | | easy-to-use, Stateful Inspection firewall |
| be done by Web site downtime. · Don't go | | | | protection, while supporting Remote Access |
| overboard, investing valuable time and money | | | | and Site-to-Site VPNs. Safe@Office 100/200 |
| in resources you do not need. For example, a | | | | offers exceptional firewall and VPN |
| home-based business of three employees does | | | | throughput, allowing employees in remote |
| not necessarily require content filtering to | | | | locations to securely and easily access |
| avoid questionable content online. | | | | resources that reside on the company network |
| | | | (such as email), enhancing both efficiency |
| - Outsource whenever possible. Many ISPs | | | | and comfort. |
| offer security services for small as well as | | | | |
| large networks. Check what security | | | | - Safe@Office 400W SeriesThe Safe@Office 400W |
| management options then can provide. Network | | | | series wireless security appliance is an |
| security consultants as well as companies | | | | advanced, fully integrated wireless access |
| dedicated to network security service | | | | point, delivering top performance and |
| provisioning can be very helpful if you do | | | | comprehensive wireless security in a single |
| not have an IT staff. | | | | plug-and-play solution. Specifically designed |
| | | | to meet the needs of the small business, |
| Ten Steps to a Secure Small Business | | | | Safe@Office 400W is simple to install and |
| NetworkNot Just the Technology - Before you | | | | manage, allowing your business to become |
| go out and shop for firewalls, antiviruses, | | | | fully secured and wireless in minutes. |
| and network security service providers, be | | | | |
| sure to set the goal. Asses your needs, | | | | Safe@Office 400W keeps your information |
| examine your current resources, and estimate | | | | secret from unauthorized intruders by using |
| the potential benefits of having a secure | | | | mature IPSec technology to encrypt all |
| network. | | | | wireless transmissions. Your network will |
| | | | also be fully protected against external |
| 1.Awareness. Perhaps one of the most | | | | Internet attacks by the world-class Check |
| important ingredients of a secure network is | | | | Point firewall. |
| awareness. Familiarize yourself with various | | | | |
| security threats. Be sure to check the | | | | For increased productivity, Safe@Office 400W |
| availability of security updates and software | | | | also supports secure remote access and the |
| patches. Increase awareness among your | | | | creation of VPN networks, enabling remote |
| workers. Have them read this document, if | | | | branches and on-the-road employees to remain |
| necessary. Make sure they do not bring | | | | securely connected to office resources at all |
| unprotected mobile devices into the network, | | | | times. |
| that they do not open unexpected email | | | | |
| attachments, and so on. | | | | For more information on Safe@Office solutions |
| | | | please visit the Safe@Office homepage at and |
| 2.Security Policy. Technology is but a tool | | | | use the automatic product selector to choose |
| in the enforcement of certain rules that are | | | | the right solution for your business. If you |
| meant to keep your data safe and your | | | | have any questions, please feel free to use |
| business running smoothly. A security policy | | | | our live chat service to speak with a |
| should consist of various rules and | | | | Safe@Office security expert. If you are |
| behaviors, such as a password policy | | | | interested in posting this document on your |
| requiring users to have passwords that cannot | | | | Web page or any other media, please contact . |
| be easily guessed or broken and firewall | | | | |
| rules permitting specific traffic in and out | | | | COPYRIGHT & TRADEMARKSCopyright © 2005 |
| of the network. It is highly recommended to | | | | SofaWare, All Rights Reserved. No part of |
| consult with a network security specialist | | | | this document may be reproduced in any form |
| when compiling a security policy for an | | | | or by any means without written permission |
| office with more than ten users. It is | | | | from SofaWare. Information in this document |
| necessary to enforce the policy once it has | | | | is subject to change without notice and does |
| been created, to ensure its effectiveness. | | | | not represent a commitment on part of |
| The Basics The following three resources are | | | | SofaWare Technologies Ltd. SofaWare, the |
| a must for any single computer or network | | | | SofaWare logo and Safe@Office are service |
| connected to the Internet. | | | | marks or registered trademarks of SofaWare |
| | | | Technologies Ltd. Check Point and the Check |
| 3.Firewall . A firewall acts as the security | | | | Point logo are service marks, or registered |
| guard between your network and the Internet. | | | | trademarks of Check Point Software |
| Software firewalls that are installed | | | | Technologies Ltd. or its affiliates. All |
| directly on the computer are required in | | | | other product names mentioned herein are |
| cases where the machine leaves the office, or | | | | trademarks or registered trademarks of their |
| where it is the only computer in the | | | | respective owners. The products described in |
| business. Hardware firewalls installed on | | | | this document are protected by U.S. Patent |
| firewall-dedicated machines are required in | | | | No. 5,606,668 and 5,835,726 and may be |
| networks comprised of a number of computers. | | | | protected by other U.S. Patents, foreign |
| Firewalls differ from one another: some | | | | patents, or pending applications. |