Looking for [corporate] security setup

So title pretty much says it all.

you guys ready for a little challenge?

I've recently got an intern-type job at my bf's dad's office as an assistant to the IT guy(my official title is "assistant applications specialist" LOL ) and a pretty lengthy portion of my job is to repair machines as well as set them up for employees.

Now the company installation works through an installation server or something like that; I haven't really got the details but basically once you connect a machine to the network, the network can get stuff to install on it so as to uniform all computer installations.

Now, my question is what kind of security background we should be looking at? My boss asked me to look for an alternative as we're in a phase where lots of machines have to be re-initiated.

Now here's the catch(es): the setup has to be compatible/adequate for every machine the office uses since I won't be manually installing each machine. I need an AV and firewall recommendation basically(I'll handle spyware and malware later).

Here's a brief overview of them(#5 is optional):

1- It's a mix of desktops and laptops

2- It's a mix of PCs and Macs(Macs will run bootcamp most of the time). I'm not relaly worried about OSX, but if you wanna propose something for it, by all means...

3- Most machines run Windows XP(I've been told the XP firewall isn't up to par with the Vista & 7 version) but a portion of them run Vista and Windows 7

4- Part of them are recent(as in Core 2 Duos, Core i7s and such). but probably a few of them are Pentium Ms if not Pentium 4s with somewhere around 512mb to 4Gb of RAM and the setup needs to be light enough so that all machines can run it smoothly without being too insecure as employees will take them during business trips.

5- Some of them are really really old IBMs(running RAMBUS memory and SCSI HDDs) if you want to take those into account as well, but good luck lol

6- It's not a large company but there are probably between 50 and 100 machines(including every desktop/laptop) within the Quebec branch of the company(France and Toronto can manage their own computers ) so price IS an issue if you're suggesting purchasing keys.

Now before you ask, we DO plan to upgrade the machines(I've started shopping for new machines) as well as the OSes(we're upgrading to Windows 7 and OSX Snow Leopard/Bootcamp 3.1) but we're not yet in the stage of doing so, therefore I need a setup which can still keep productivity until then.

Thanks in advance(if not simply for reading the entire OP )

 

Well, I read the whole post!

Windows XP through to Win 7 and also jump across the pond to play with Apple too. Notebooks that can/will travel and, importantly outside of the main 'office' complex/network.

I say you have your hands full with this task - I don't see a single solution but look forward to the recommendations people will make.

Sorry I couldn't help more.

 

Aww I'm disappointed tiller lol. Of all people I thought you'd have the answer for me since it seemed that you were a very informed corporate user of computers. Oh well, thanks anyhow

Yeah I realize the vastness of the task in itself, the cross-platforming as well as different generations of hardware is what makes it so tough IMO. I mean, I haven't worked with SCSI hard discs since like the 90s so when I saw one last week my eyes went "O_O"(especially since they were in Raid lol )

Nonetheless I'm tasked with finding a solution, perhaps not the perfect one but the best suited one for the office.

The laptops will be the machines who will travel and they'll probably mostly be used either when taking work home or when on business trips so I'm not TOO worried about them being compromised(the big boss has a backup of every company file at his house anyhow lol ).

The OSX platform should take care of itself, it's mostly the Windows one(and bootcamp Windows) which I'm looking at. Most older amchines are XP equipped and probably 25% of them share Vista/Windows 7 so int he WORST case scenario I could ask for a split setup between these 2 as managing the smaller proportion of Windows Vista/7 could be feasible for me.

On second thought, I'll consider split setups as long as you're not splitting it into 50 parts and the "split" is logical.

 

I think this is worth considering.
Corporate Version of MSE.

 

Thanks for the recommendation Weinter!

Hmm I've read a bit on the site, but it seems a bit vague nonetheless. Does it use Windows Firewall like MSE does? Because I've been told here on NBR that the Windows XP Firewall isn't really worth much so wouldn't I need a firewall to compliment ForeFront?

 

Windows Firewall on XP isn't worth much because it doesn't allow customization of Firewall ruleset.
For that matter you have to ask Microsoft if they have a solution for that.
I am using Forefront now
It uses Windows Firewall, anti malware protection as well as Network Access Protection which isn't activated (because I am not using it on a Corporate Client)
I am not sure how it behave on Xp as I am on Windows 7.

 

Just want to point out that you need to address A/V on the Mac O/S because even if the virus doesn't do anything on those systems (yet), it will still pass it on to other computers on the network and possibly even infect data too which your clients will access.

Something to think about.

 

Thanks Weinter, I guess I'll give them a call and maybe see if I can get a corporate pricing or something.

And tiller, that'd wholly depend on how the virus is coded, but yes, I am still looking at a setup which will address all machines in all contexts, just that I'm prioritizing those most "at risk". A unified solution that can support both a Windows and OSX environment(and possibly a Linux one for the virtualization server) won't be easy to come by :/

 

Bump.

Unfortunately, I gave MS a call and they said they don't officially support Windows XP nor half the hardware I'm running(they say it was made for Vista/7) so they can't predict 100% efficiency

 

the best malware and antivirus i have used would be nortan endpoint... that beast is light on resources and gets everything... What you could do if you had time and the willingness to learn is have a machine running a linux operating system and use that machine as a firewall... idk just a idea

 

If you are looking for firewall, why don't you look at the hardware firewall first before you think about client firewall. Your company might want to look at Fortigate firewall, which is an applicant device like Cisco PIX. I believe you can google it.

I am using NOD32 antivirus. You can set up the server to deploy virus definition to its clients, so you save WAN link bandwidth. I would not worry about software firewall if you have hardware firewall in place.

I assume that you run Windows server domain, so you can set your desktops to recieve virus definition from local NOD32 server, and let the laptops recieve the definition from ESET on internet.

Please ask more difficult question next time.

 

@Texan: Thanks for the suggestion, part of our machines are currently running Endpoint actually. As for the Linux idea, well, we do use Linux, but we're running a virtualization server rather than the pure OS on most machines.

@merlin: Thanks for the suggestions! Actually, we're using Cisco PIX already but thanks, I'll look into Fortigate.

The reason I'm considering a software firewall is mostly for the laptops as they'll be venturing outside the company network on business trips and such.

And yes, I was planning on setting up the AV definitions on the installation server so as to save download bandwidth.

I'll check and see if ESET can give me a quote on license keys for nod32.

Thanks

 

Cisco PIX is inferior to Fortigate. Why do I say that? Well, I dump PIX in favor of Fortigate because it can do deep packet inspection up to application layer while Cisco PIX or ASA can't do anything more than layer 3.

I also dump Symantec over ESET, and they are still mad at me. I am talking about the large scale network with 4000 users. If you get the promotion, don't forget me.

 

Well we have a deal with Cisco so we can get the setup a lot cheaper; I contacted Fortinet and they wouldn't be willing to make a deal price with a small company like the one I'm in. The company is also pretty dependent on Cisco's superior VPN.

I'll call ESET today and see how it goes.

Btw, I'm not looking for a promotion, this is a part time intern job until I start school again in August

 

Hahaaaaa Cisco superrior VPN I dump that one too. Don't forget that Cisco VPN needs client software to be installed, but fortigate doesn't need one. You can VPN through web browser. The encryptions between two are pretty much the same.

 

Client software isn't a problem really since everyone has that, it's just the throughput bandwidth that concerns me. The new Ciscos have nearly twice as much as the Fortigate models I've seen.

 

I think that's the best suggestion.

I was pretty immediately thinking Microsoft Security Essentials - but that's even better. (MSE is a specced down version of Forefront Security I believe - at its core anyway) - it will most likely also update via Microsoft Update as MSE does.

 

Unfortunately, I called them up and they said they can't really guarantee nor even predict the full efficiency of the Forefront client on XP machines, let alone on older hardware.

I mean, Forefront might still be great under XP and the old stuff, but then again, maybe a gimped Forefront might be just as bad/good as the other solutions.

 

If you are moving on from XP - i.e. its only old machines that have it, it might be an idea to run MSE on the XP laptops and forefront security on the newer ones?

I suppose this is where legacy support is troublesome

 

We're planning to, but we're currently negotiating the contracts for the licenses with our dealer so it's not for another few months. I mean, I suppose I could run MSE and Forefront, just that it'd be a pain on the installation server setup(at least from what I understand of it). Also, MSE uses the Windows Firewall, which as has been outlined, isn't all too great when compared to the Vista/7 one. Mind you, we're in a secure network environment, but it's the concern for machines going outside(ex: business trips) that's the issue.

For now we're temporarily relying on our Symantec Endpoint licenses(which are about to expire at the end of the month I think).

 

I think that even machines on business trips would be more than adequatly protected with MSE.
Fact remains though that MSE was designed for Windows in mind, and XP's firewall while not necessarily as sophisticated as 7's, will do it's job.

Have you considered upgrading older OS-es such as XP to Windows 7 by any chance?
Is the hardware inside capable of running Win 7 decently along with business related applications?
If so, then sticking with MSE would likely be your best option.

 

As I already stated in my OP, we're planning on upgrading our OSes, but we're still in the stage of negotiation our license agreements so we're not going to be fully upgraded until a few months down the line(hence why they need a lowly intern like me who doesn't even have a degree nor study in IT). Our licenses for our current security suites however are about to end this month so I need to find a suitable solution until we renew everything.

As for the hardware being able to run Windows 7, I don't see why it wouldn't. P4s can run Windows 7 fine for those using them, SCSI discs are still capable of storage ok, and RAMBUS(while being scarce) still provides decent enough amounts of random access memory. Windows 7 is said to be almost as resource light as XP so I see no issue, even with machines with as low as 512mb of RAM(I phased out those with 256mb and under).

Now it's just the Macs that are in question...

 

I've had good luck with Trend Micro in that sort of environment. The keys aren't prohibitively expensive and the installation options are pretty flexible.

It's not the most complete option, but it's also cost effective.

Min