| The purpose of this document is to provide small | | | | translation, allowing only very basic protection. The |
| business owners and network administrators with | | | | main purpose of a firewall is to keep out |
| a better understanding of security needs and to | | | | unwanted traffic, such as a computer worm |
| outline the actions that can be taken to ensure | | | | attempting to infect computers with a specific |
| the safety of networks and their data. This | | | | vulnerability. Note that some firewalls can also be |
| document can be download in full and in PDF | | | | used to block specified outgoing traffic, such as |
| format for free at you don't know about | | | | file sharing programs, and to block specified |
| network security can hurt your business. | | | | incoming traffic, such as instant messengers or |
| "With broadband usage quickly becoming a | | | | any other service the firewall administrator |
| standard in the business world and network | | | | chooses to block. |
| security hazards on the rise, small businesses | | | | Many hardware firewalls offer additional services |
| without a dedicated IT team are faced with the | | | | such as email antivirus and antispam filtering, |
| great challenge of protecting their networks from | | | | content filtering, and secure wireless access point |
| threats. However, in order to meet this challenge, | | | | (AP) options. When selecting a firewall, define the |
| small businesses must first face a greater | | | | requirements of your business. Many firewall |
| challenge: understanding and acknowledging the | | | | vendors provide customizable firewalls with pricing |
| threats. | | | | depending on the range of services you select. If |
| The purpose of this document is to provide small | | | | you can, get technical assistance from a local |
| business owners and network administrators with | | | | network security service provider. |
| a better understanding of security needs and to | | | | 4.Antivirus. Antivirus (AV) software is used to |
| outline the actions that can be taken to ensure | | | | scan files on the computer on which it is installed, |
| the safety of networks and their data. | | | | files that are downloaded to the computer, and of |
| Why Are Small Businesses Vulnerable?Perhaps the | | | | course email. In addition to implementing AV |
| greatest threat to small business networks is the | | | | solutions on each machine, it is important to have |
| owners' false sense of security and their lack of | | | | an AV gateway: a local or remote machine where |
| proficiency in protecting their networks. Very | | | | email messages are scanned for viruses while |
| often, small business owners push network | | | | they are being downloaded to the client computer. |
| security issues down the priority list in favor of | | | | It is crucial to keep the antivirus software |
| more pressing matters, and in many cases, | | | | updated at all times, as new viruses are found |
| network security is not a concern at all. | | | | almost every day. |
| To better understand the severity of this | | | | Do not forget that simply having the software is |
| phenomenon, consider the following research | | | | not enough. Schedule an automatic scan if possible. |
| results: | | | | If not, then set a reminder to ensure that you |
| - According a survey conveyed by the National | | | | and other office employees run the scan on their |
| Cyber Security Alliance, "More than 30% of those | | | | computers periodically. |
| polled by the National Cyber Security Alliance | | | | 5.Patches and Updates. Microsoft and other |
| (NCSA) think they'll take a bolt of lightning through | | | | software vendors provide updates that are |
| the chest before they see their computers | | | | meant to fix bugs and patch potential security |
| violated in an Internet attack." | | | | holes in their software. Make sure you regularly |
| - The SANS/Internet Storm Center publishes a | | | | check for updates. You can even decide on a |
| statistic reporting the average time a "clean" | | | | specific day (once in two weeks is usually enough) |
| (un-patched and undefended) system can be | | | | on which to remind yourself and your employees |
| connected to the Internet before being attacked | | | | to run the software updates or check the |
| or scanned. Recent data indicated an average of | | | | software manufacturer Web site for any updates |
| 20-30 minutes. New threats continue to emerge | | | | that may be available. Disaster Recovery Be |
| every day, and "lightning" can strike, whether in | | | | prepared if something goes wrong. Beyond |
| the form of lowered productivity due to spam, or | | | | network security issues, there are many more |
| priceless information such as customer credit card | | | | things that can disable your network or leave it |
| numbers that end up in the wrong hands. | | | | vulnerable. |
| Many small business owners wave off network | | | | 6.Backup. Always backup information. The more |
| security concerns, claiming that the size of the | | | | important the information is, the more copies of it |
| company and its insignificance in the market will | | | | you should have available. Make sure not to leave |
| deter hackers from targeting the network. This is | | | | it lying around or misplace it. Create a backup |
| a very misguided approach. Strict regulations such | | | | policy to back the data up regularly. If possible, |
| as the Sarbanes-Oxley Act require enterprises to | | | | encrypt sensitive information and always keep a |
| invest more in information security. Enterprises | | | | non-rewritable copy (CD-ROM) of the files in a |
| are aware of various security threats and often | | | | safe location. It is also recommended to back up |
| employ in-house specialists to defend their | | | | firewall, email, and Internet configuration settings |
| networks from various threats. Companies with | | | | to enable quick access to these settings in case |
| large networks own complex firewall and intrusion | | | | of a failure. |
| prevention systems that are regularly updated | | | | 7.ISP and/or Gateway Failover. For businesses |
| and maintained. Small businesses cannot be | | | | that are dependant on Internet connectivity, it is |
| expected to have manpower, money, or time to | | | | crucial to have a backup Internet connection and |
| invest in maintaining an enterprise-scale network | | | | a backup firewall/gateway to preserve |
| security system. However, this does not mean | | | | connectivity and production in the event that your |
| they should ignore security threats. | | | | primary Internet connection goes offline or the |
| A good example of the vulnerability of small | | | | main firewall/gateway malfunctions. Several |
| networks in comparison to enterprises is the | | | | firewall gateways offer smooth and automated |
| effect of the My. | | | | failover and ISP backup options. If temporary |
| Doom worm (released in January 2004). | | | | connectivity loss means potential profit loss, be |
| According to the Internet Security Alliance data, | | | | sure to have failover options. |
| one out of three small businesses was affected, | | | | Annoyances Spam and spyware are not only |
| while only one out of six enterprises was | | | | annoying, but they can be quite dangerous to |
| affected. It is not always personal. As you will | | | | your network security and, of course, |
| learn later, most attacks and security threats are | | | | productivity. Another threat to productivity is |
| aimed at the general public and not directed at | | | | sites with questionable content, as well as file |
| any specific company or network. A hacker can | | | | sharing software. |
| run a software program that scans networks and | | | | 8.Antispam and Antispyware. Spam filtering can |
| IP ranges, looking for potential weaknesses. When | | | | be implemented on the mail server, on the firewall |
| such weaknesses are found, the hacker can take | | | | gateway, or on the machine receiving the |
| over the machines or infect them, in order to use | | | | messages. Most antispam software uses various |
| them as a "zombie army" in larger scale attacks. | | | | filters and blacklists to attempt to eliminate spam |
| What Happens If I Do Get Hacked?According to a | | | | without deleting legitimate emails. In small |
| Gartner study , 40% of small businesses that use | | | | networks with few mailboxes, you may consider |
| the Internet for more than email will be | | | | locally set antispam software, but in larger |
| successfully attacked by the end of 2005. More | | | | networks with more users, you may want to use |
| than half of the businesses attacked will not even | | | | spam scanning on the firewall/gateway. |
| know it. Could you be one of those businesses? | | | | Spyware can be removed by using antispyware |
| Are you aware of the damage a severe attack | | | | software on the local machine. You may want to |
| could inflict on your business? Think of what | | | | include this in your weekly or bi-weekly routine of |
| would happen if a computer containing important | | | | updates and scans, and scan your network |
| business data was physically stolen, and the data | | | | computers for spyware, as well as viruses and |
| was not backed up. · How much would a | | | | worms. |
| new machine cost?· How much irreplaceable | | | | 9.Blocking Specific Sites, IM Clients, and File |
| data would be lost?· How much would this | | | | Sharing Programs. The best way to deal with |
| data loss cost your company?· Can you | | | | questionable sites online, IM conversations during |
| afford the financial costs, downtime, and | | | | work hours, and bandwidth-wasting file sharing is |
| hassle?Each business is different in both | | | | to enforce their exclusion on the gateway. Some |
| vulnerability and risk. The questions above can | | | | firewalls allow you to select specific services to |
| assist you in beginning to assess the potential | | | | which access should be blocked and to filter Web |
| damage of an attack on your network. However, | | | | sites by address and/or by category. |
| there are other threats beyond hacker attacks | | | | Improving Productivity Safely Access your office |
| and loss of information. Know them, and protect | | | | network whenever you need it, wherever you |
| yourself. | | | | need it - safely. |
| What Are the Threats?Like any technology, | | | | 10.Remote Access VPN and Site-to-Site VPN. |
| Internet security threats are changing and | | | | Virtual private network (VPN) technology allows |
| evolving at all times. Hackers adjust their methods | | | | you to connect two or more networks in a |
| and develop them to take advantage of both | | | | private connection, creating a tunnel of encrypted |
| technological vulnerabilities and psychological | | | | data between the two points. This technology |
| weaknesses of employees. Some current threats | | | | was adopted to replace expensive private |
| are: | | | | networks (such as frame relay) with increasing |
| - Security Holes or Vulnerabilities. These are | | | | popular and available broadband Internet |
| "bugs" in operating systems and software that | | | | connections. VPNs provide privacy and encryption |
| can be exploited by hackers. When a vulnerability | | | | for the data as it is transferred over the Internet. |
| is discovered, the race begins: hackers hurry to | | | | This is especially useful if you have two or more |
| develop exploits, which are pieces of code that | | | | branches in your business or would like to access |
| use the vulnerability to penetrate or disable a | | | | your office network remotely. For example, your |
| program or a whole network, before the | | | | sales representative does not have to carry |
| software developer releases a patch to close the | | | | confidential information on his laptop when visiting |
| hole. · Direct Attack. Though less common in | | | | abroad. All he has to do is connect to the Internet |
| the small business world, direct attacks do exist. | | | | and access the data in the office through a |
| A disgruntled worker, a very unhappy customer, | | | | secure connection. |
| or a competitor with network knowledge can try | | | | Numerous security appliances offer VPN server |
| to hack into the network with different intentions. | | | | and endpoint capabilities. If accessing your office |
| From simple curiosity to data theft, many reasons | | | | network increases productivity, or if you have |
| can cause a hacker to come knocking on your | | | | been accessing your office network without using |
| office network door. | | | | a secure VPN, you should select a gateway |
| - Viruses. Though less common nowadays and | | | | appliance that offers this feature. Check Point(R) |
| often confused with worms, viruses are pieces of | | | | Safe@Office(R) Small Business Security and |
| executable code that can do damage to a | | | | Remote Access SolutionThe Safe@Office |
| computer system. Viruses often spread over | | | | appliance delivers a modular small business |
| email and recently over instant messaging | | | | security solution that can be tailored to any small |
| networks, by disguising themselves as legitimate | | | | business network and its requirements. By |
| attachments. The user activates the code | | | | combining enterprise-level Stateful Inspection |
| unknowingly, thus infecting their system with the | | | | firewall protection and IPSec VPN capabilities with |
| virus. Viruses often use the victim's address book | | | | customization options and ease of use, |
| to email themselves to other mailboxes. Viruses | | | | Safe@Office delivers a cost-effective solution for |
| can range from merely annoying to dangerously | | | | offices with three to seventy-five users. |
| destructive. | | | | No security expert is required for appliance |
| - Worms. Similar to viruses and much more | | | | installation and configuration, as wizard-driven |
| common are computer worms. Unlike viruses, | | | | setup options allow simple and quick customization |
| which infect programs and files, worms do not | | | | of the firewall and VPN settings to match the |
| attach themselves to any other software and are | | | | company security policy. |
| self-sustained. Worms often propagate | | | | Safe@Office Internet Security Appliance |
| themselves using an infected system's file | | | | FeaturesSafe@Office network and remote |
| transmission capabilities, and may increase | | | | access security appliances are high-performance, |
| network traffic dramatically in the process. Other | | | | hardware-based platforms that provide advanced |
| possible effects of a worm include deletion of | | | | firewall protection and support a wide variety of |
| files, emailing of files from the infected computer, | | | | security services from Email Antivirus to Dynamic |
| and so on. More recently, hackers have designed | | | | DNS. All Safe@Office appliances include the |
| worms to be multi-headed, so that their payload | | | | following features: |
| includes other executables. The most infamous | | | | - Stateful Packet Inspection Firewall. Safe@Office |
| worm is My. | | | | appliances are equipped with best-of-breed, |
| Doom, which, along with its variants, caused | | | | patented firewall technology from Check Point |
| several billion dollars worth of damage to | | | | Software Technologies, the same technology |
| businesses, ISPs, and home users. | | | | used by 97% of the Fortune 500. The firewall |
| - Trojan Horses. These are software programs | | | | protects your network from DoS attacks, IP |
| that capture passwords and other personal | | | | spoofing, and TCP/IP-based attacks, without any |
| information, and which can also allow an | | | | need for configuration. The moment you connect |
| unauthorized remote user to gain access to the | | | | your network to the Internet using the |
| system where the Trojan is installed. To protect | | | | Safe@Office appliance, your network is protected: |
| against damage by Trojan horses, it is necessary | | | | no setup is required on the LAN computers, and |
| to use a firewall with strict control for outgoing | | | | no expert is needed to configure the firewall |
| traffic. | | | | settings. |
| - DoS (Denial of Service) Attacks. This particular | | | | - Internet Connection Sharing and IP Address |
| threat is valid if you run a Web server with a | | | | Management. All Safe@Office appliances include |
| promotional or Web commerce site. The attack | | | | built-in NAT (Network Address Translation) and |
| attempts to disable the server by flooding it with | | | | DHCP (Dynamic Host Configuration Protocol) |
| fake requests that overload the server. Very | | | | features to allow seamless integration with an |
| often, unable to mount this attack with a limited | | | | existing network and connection sharing between |
| number of computers and bandwidth, the | | | | multiple stations. |
| attacker will create an army of "zombie" | | | | - Easy Management and Simple Configuration. |
| machines, by infecting various networks with | | | | Safe@Office appliances provide you with a wide |
| worms that allow the hacker to exploit the | | | | range of management options, both local and |
| machines and their bandwidth for the attack. This | | | | remote, to provide all users with the configurability |
| is called a DDoS (Distributed Denial of Service). | | | | they require. Locally, the Safe@Office can be |
| DoS has become a popular online criminal activity | | | | managed via a Web-based interface that |
| with hacker groups demanding protection money | | | | incorporates easy-to-understand wizards and |
| to keep them from ruining businesses. Companies | | | | options. For extended configuration options, |
| that depend on online commerce are particularly | | | | advanced users can configure the appliance |
| vulnerable to this type of attack. | | | | directly via the command line, using SSH. |
| - Spam. Though not officially defined as a security | | | | Remotely, the Safe@Office appliance can be |
| threat, spam can seriously damage productivity | | | | configured via HTTPS or secure SSH, when these |
| and represents a potential risk, due to the current | | | | remote access options are enabled. For increased |
| rise of malicious software delivered by spam | | | | security, you can configure the Safe@Office |
| messages, as well as "phishing". Phishing is a | | | | appliance to allow administrator access only from |
| method used to acquire personal information such | | | | specified IP addresses, over VPN, or from local |
| as passwords, bank account and credit card | | | | machines. Safe@Office appliances can be centrally |
| numbers, and more, through sophisticated email | | | | managed by the SofaWare Security Management |
| messages that claim to have come from a | | | | Portal (SMP) to receive customized security |
| specific provider (eBay for example) and appear | | | | policies, additional services, and advanced logging |
| quite authentic to the unsuspecting recipient. | | | | options. |
| - Spyware. Spyware is malicious code sometimes | | | | - Security Updates and Additional Services. |
| found in various freeware or shareware software, | | | | Internet hazards, security standards, and |
| as well as in file sharing clients. It takes a toll on | | | | technology are constantly developing. The |
| system performance and sends user data to the | | | | Safe@Office solution can be customized for your |
| spyware creators. | | | | office network and updated automatically with the |
| - Inappropriate or Illegal Content. Though not | | | | latest security updates and new features. |
| considered a security threat, inappropriate content | | | | Safe@Office Solution for Any OfficeSafe@Office |
| can seriously damage employee productivity. Web | | | | appliances are available in a variety of feature |
| sites with illegal content often contain files with | | | | sets and user numbers to suit your business. All |
| viruses, worms, and Trojans horses embedded in | | | | Safe@Office appliances can be subscribed to |
| the available downloads. How Can I Protect | | | | advanced security and productivity services such |
| Myself?If you have read this far, you have | | | | as Email Antivirus, Antispam, Web Filtering, |
| passed the toughest challenge for small business | | | | Dynamic DNS, managed VPN and security policy, |
| network owners. You should now have a pretty | | | | and advanced security logging. |
| clear picture of what the possible threats are and | | | | - Safe@Office 100/200 SeriesSafe@Office 100 |
| how they can harm your network. The next step | | | | 200 series appliances protect your computers and |
| is to evaluate the risks and allocate the resources: | | | | data from hackers and reduce network |
| - Assess your needs and invest correctly. | | | | downtime, so you can focus on running your |
| Consider the harm that could be caused if a | | | | business. Designed specifically for the needs of |
| competitor retrieved customer information. Think | | | | the small to medium business, Safe@Office 100 |
| of the damage to your business that can be done | | | | 200 series appliances provide easy-to-use, |
| by Web site downtime. · Don't go overboard, | | | | Stateful Inspection firewall protection, while |
| investing valuable time and money in resources | | | | supporting Remote Access and Site-to-Site VPNs. |
| you do not need. For example, a home-based | | | | Safe@Office 100/200 offers exceptional firewall |
| business of three employees does not necessarily | | | | and VPN throughput, allowing employees in |
| require content filtering to avoid questionable | | | | remote locations to securely and easily access |
| content online. | | | | resources that reside on the company network |
| - Outsource whenever possible. Many ISPs offer | | | | (such as email), enhancing both efficiency and |
| security services for small as well as large | | | | comfort. |
| networks. Check what security management | | | | - Safe@Office 400W SeriesThe Safe@Office |
| options then can provide. Network security | | | | 400W series wireless security appliance is an |
| consultants as well as companies dedicated to | | | | advanced, fully integrated wireless access point, |
| network security service provisioning can be very | | | | delivering top performance and comprehensive |
| helpful if you do not have an IT staff. | | | | wireless security in a single plug-and-play solution. |
| Ten Steps to a Secure Small Business | | | | Specifically designed to meet the needs of the |
| NetworkNot Just the Technology - Before you go | | | | small business, Safe@Office 400W is simple to |
| out and shop for firewalls, antiviruses, and | | | | install and manage, allowing your business to |
| network security service providers, be sure to | | | | become fully secured and wireless in minutes. |
| set the goal. Asses your needs, examine your | | | | Safe@Office 400W keeps your information |
| current resources, and estimate the potential | | | | secret from unauthorized intruders by using |
| benefits of having a secure network. | | | | mature IPSec technology to encrypt all wireless |
| 1.Awareness. Perhaps one of the most important | | | | transmissions. Your network will also be fully |
| ingredients of a secure network is awareness. | | | | protected against external Internet attacks by |
| Familiarize yourself with various security threats. | | | | the world-class Check Point firewall. |
| Be sure to check the availability of security | | | | For increased productivity, Safe@Office 400W |
| updates and software patches. Increase | | | | also supports secure remote access and the |
| awareness among your workers. Have them read | | | | creation of VPN networks, enabling remote |
| this document, if necessary. Make sure they do | | | | branches and on-the-road employees to remain |
| not bring unprotected mobile devices into the | | | | securely connected to office resources at all |
| network, that they do not open unexpected email | | | | times. |
| attachments, and so on. | | | | For more information on Safe@Office solutions |
| 2.Security Policy. Technology is but a tool in the | | | | please visit the Safe@Office homepage at and |
| enforcement of certain rules that are meant to | | | | use the automatic product selector to choose the |
| keep your data safe and your business running | | | | right solution for your business. If you have any |
| smoothly. A security policy should consist of | | | | questions, please feel free to use our live chat |
| various rules and behaviors, such as a password | | | | service to speak with a Safe@Office security |
| policy requiring users to have passwords that | | | | expert. If you are interested in posting this |
| cannot be easily guessed or broken and firewall | | | | document on your Web page or any other media, |
| rules permitting specific traffic in and out of the | | | | please contact . |
| network. It is highly recommended to consult with | | | | COPYRIGHT & TRADEMARKSCopyright |
| a network security specialist when compiling a | | | | © 2005 SofaWare, All Rights Reserved. No |
| security policy for an office with more than ten | | | | part of this document may be reproduced in any |
| users. It is necessary to enforce the policy once it | | | | form or by any means without written permission |
| has been created, to ensure its effectiveness. | | | | from SofaWare. Information in this document is |
| The Basics The following three resources are a | | | | subject to change without notice and does not |
| must for any single computer or network | | | | represent a commitment on part of SofaWare |
| connected to the Internet. | | | | Technologies Ltd. SofaWare, the SofaWare logo |
| 3.Firewall . A firewall acts as the security guard | | | | and Safe@Office are service marks or registered |
| between your network and the Internet. | | | | trademarks of SofaWare Technologies Ltd. Check |
| Software firewalls that are installed directly on the | | | | Point and the Check Point logo are service marks, |
| computer are required in cases where the | | | | or registered trademarks of Check Point |
| machine leaves the office, or where it is the only | | | | Software Technologies Ltd. or its affiliates. All |
| computer in the business. Hardware firewalls | | | | other product names mentioned herein are |
| installed on firewall-dedicated machines are | | | | trademarks or registered trademarks of their |
| required in networks comprised of a number of | | | | respective owners. The products described in this |
| computers. Firewalls differ from one another: | | | | document are protected by U.S. Patent No. |
| some provide in-depth firewall protection and | | | | 5,606,668 and 5,835,726 and may be protected |
| additional security services, while others simply | | | | by other U.S. Patents, foreign patents, or pending |
| provide Internet connection sharing with NAT | | | | applications. |