VE2 Scenario for Small/Medium Business Average Network

SaleMe is a company specializing in selling to consumers. Its employees use the Internet to connect to business associates for CRM, ERP and specifications, and to competitors' sites for market analysis.
The company has a typical small business network, working with email, local files and local database systems. Employees use the Internet for information and for downloading programs. Hindering Internet access would cause loss of productivity and employee conflict, as they have become used to instant messaging and need the Internet to perform their jobs. There is no local system administrator, hence there are no consistent backups, and every computer crash, virus or spyware infection results in lost work, lost documents and files, and additional recovery expenses.
The programs installed in the company are Windows XP, Microsoft Office and a client database holding personal details and credit card information. Leaking this sensitive information could cause serious business damage and expose the company to potential lawsuits. The installed anti-virus slows down the company's computers, which are 1-2 years old.
An average computer is installed with:
1. Windows (C:\windows)
2. Default program files, MS Office and the CRM and ERP clients in C:\Program Files\...
3. Documents in the "Desktop" and "My Documents" directories.
The protection currently used is a package of a personal firewall and an anti-virus; there is no gateway firewall installed and emails are not scanned for viruses. Users are restricted by user rights, mainly administrator and normal users. IT policies regarding memory sticks, USB devices or software installation are not set, and everyone can do everything.
The company uses a VPN server to connect its mobile computers to the network.
SaleMe's emails are hosted at the ISP, using normal SMTP and POP3.
Understanding the scenario:
SaleMe has 2 major processes:
1. The critical process (SECURE): without these basic capabilities the company cannot function - email, ERP, CRM, files and database.
2. The non-critical process (PUBLIC): without these capabilities the company can still function - Internet, instant messaging, downloads, VoIP solutions, etc.
The proposed solution:
SaleMe can have solid business continuity and be protected without hindering Internet access by following the steps described below:
Email
Install a virus scanner on your ISP-hosted email; it should cost about $2 per month per email account, and it is more up to date and better managed than your local anti-virus. You can even ask your ISP to block any suspicious attachment, as this is NOT critical for SaleMe. Employees can continue to use their private web-mail.
If you already have a gateway with a mail server and content scanners, you can use it instead.
Firewall and Network
The firewall is configured automatically during the installation.
The SECURE side should be able to access the resources that are critical for the business process, i.e. the server, mail, the VPN from the Internet, etc.; it should not access any other external resource:
Resource | IP Address
LAN | 10.0.0.0-10.0.0.255
LAN Broadcast | 255.255.255.255
Email server | 64.10.20.30 / mail.saleme.com
DNS | 64.10.10.10
VPN Server (External) | 64.9.11.199
The PUBLIC side should NOT be able to access resources that are critical for the business process, except those we cannot control anyway, such as access to SaleMe's external email server:
Resource | IP Address
NOT LAN, and NOT Broadcast | 0.0.0.0-9.255.255.255, 10.0.1.0-255.255.255.254
Note that if you want to allow any program to access the network, you will need to allow the IP range it uses.
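To make the two rule sets above concrete, here is an added example (not VE2's own configuration syntax) that models the SECURE allow list and the PUBLIC "everything except LAN and broadcast" ranges as a small policy evaluator. The addresses are the scenario's values; the function names (`evaluate`, `allow_program_range`, `reachable_from_both`) are this example's own. It also lists the destinations both environments can reach, which is the unavoidable overlap the text mentions for the external email server.

```python
import ipaddress

Address = ipaddress.IPv4Address

# SECURE side: a short allow list taken from the table; everything else is denied.
SECURE_ALLOW = [
    ("LAN", ipaddress.ip_network("10.0.0.0/24")),
    ("LAN Broadcast", ipaddress.ip_network("255.255.255.255/32")),
    ("Email server", ipaddress.ip_network("64.10.20.30/32")),
    ("DNS", ipaddress.ip_network("64.10.10.10/32")),
    ("VPN Server (External)", ipaddress.ip_network("64.9.11.199/32")),
]

# PUBLIC side: the two inclusive ranges from the table. Together they cover every
# address except the LAN (10.0.0.0-10.0.0.255) and the broadcast address.
PUBLIC_ALLOW = [
    ("NOT LAN, and NOT Broadcast", Address("0.0.0.0"), Address("9.255.255.255")),
    ("NOT LAN, and NOT Broadcast", Address("10.0.1.0"), Address("255.255.255.254")),
]

NO_MATCH = "no matching rule"


def evaluate(environment, destination):
    """Return (allowed, rule_name) for a destination IP in the given environment."""
    ip = Address(destination)
    if environment == "SECURE":
        for name, network in SECURE_ALLOW:
            if ip in network:
                return True, name
        return False, NO_MATCH
    if environment == "PUBLIC":
        for name, start, end in PUBLIC_ALLOW:
            if start <= ip <= end:
                return True, name
        return False, NO_MATCH
    raise ValueError("unknown environment: %s" % environment)


def allow_program_range(environment, start, end, name):
    """Open an extra inclusive range for a program that needs network access,
    as the note above requires. SECURE rules are kept as CIDR blocks."""
    if environment == "SECURE":
        for network in ipaddress.summarize_address_range(Address(start), Address(end)):
            SECURE_ALLOW.append((name, network))
    elif environment == "PUBLIC":
        PUBLIC_ALLOW.append((name, Address(start), Address(end)))
    else:
        raise ValueError("unknown environment: %s" % environment)


def reachable_from_both(destinations):
    """Destinations that BOTH environments may reach. These are the only hosts the
    PUBLIC and SECURE sides share, so they deserve review (the page accepts the
    external mail server as one such case)."""
    return [
        d for d in destinations
        if evaluate("SECURE", d)[0] and evaluate("PUBLIC", d)[0]
    ]


if __name__ == "__main__":
    for env, dst in [("SECURE", "10.0.0.17"), ("SECURE", "8.8.8.8"),
                     ("PUBLIC", "10.0.0.17"), ("PUBLIC", "8.8.8.8")]:
        print(env, dst, evaluate(env, dst))
    print("shared reach:", reachable_from_both(["64.10.20.30", "10.0.0.5", "8.8.8.8"]))
```

Because the PUBLIC ranges are written as inclusive start/end pairs rather than CIDR blocks, the evaluator checks them with a plain comparison; the SECURE list uses `ip_network` membership so a program's range can be added as CIDR blocks with `summarize_address_range`.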
Device Access
To maintain an input and output policy, and to prevent an employee from installing undesired software on the machine, it is recommended to DENY all device access in the SECURE environment so that the business-critical process is kept free of interference.
Device Type | Access
CD - any optical CD/DVD device | DENY
Floppy | DENY
Serial - Modem, IR, Bluetooth, etc. | DENY
Removable - Memory stick, MP3 player, external HD, etc. | DENY
In the PUBLIC side, allow the use of all devices so that the user can work freely:
Device Type | Access
CD - any optical CD/DVD device | ALLOW
Floppy | ALLOW
Serial - Modem, IR, Bluetooth, etc. | ALLOW
Removable - Memory stick, MP3 player, external HD, etc. | ALLOW
Multi UNC Provider * | Deny
Bastian Mode * | Disable
* Multi UNC Provider and Bastian Mode are for advanced configurations and should be left as is.
Safe file transfer
Define an additional mailbox to be used for transferring files between the environments, let's say FileTransfer@SaleMe.com. Obviously this mailbox should be scanned by an anti-virus. If you do not wish to enable any file transfer, skip this step. The file is transferred as an email, scanned by the mail server's anti-virus and forwarded into the other environment. Any compliance, policy or scanning tool can be used, as long as it supports the common BASE64 format. Define a safe file transfer from the PUBLIC to the SECURE environment; the other direction can be defined as well, but it has no added value for the current scenario. In the PUBLIC environment set the following (transferring to the Secure VE):
Option | Parameter
Mail Server | mail.saleme.com
Mail Server Port | 25
Mailbox | FileTransfer@SaleMe.com
Authentication Method | Login
Username | FileTransfer
Password | <password>
In the SECURE environment set the following (receiving from the Public VE):
Option | Parameter
Mail Server | mail.saleme.com *
Mail Server Port | 110
Username | FileTransfer
Password | <password>
* Note that if DNS is blocked you will have to use a direct IP address, e.g. 64.10.20.30.
One email address can be used for the entire company, as VE2 adds an additional layer on top of the SMTP and POP3 protocols.
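The following added example (not VE2's own code) shows both ends of the mailbox-based transfer described above: the PUBLIC side wraps a file as a BASE64 attachment addressed to the FileTransfer mailbox and hands it to the mail server over SMTP port 25, and the SECURE side collects it over POP3 port 110 and accepts only attachments that are BASE64 encoded and pass a local policy. The server, ports and mailbox are the scenario's values; the extension allow list, the size limit and the function names are assumptions constructed for this example. The anti-virus scan itself happens on the mail server and is outside this code.

```python
import email
import email.policy
import mimetypes
import poplib
import smtplib
from email.message import EmailMessage

TRANSFER_MAILBOX = "FileTransfer@SaleMe.com"
MAIL_SERVER = "mail.saleme.com"   # use 64.10.20.30 if DNS is blocked on the SECURE side
ALLOWED_EXTENSIONS = {".doc", ".xls", ".pdf", ".txt", ".csv"}  # constructed example policy
MAX_ATTACHMENT_BYTES = 2 * 1024 * 1024                         # constructed example limit


def build_transfer_message(filename, data, sender=TRANSFER_MAILBOX):
    """PUBLIC side: wrap a file in a MIME message. add_attachment encodes bytes as
    BASE64, which is the format the page requires every scanner in the path to support."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = TRANSFER_MAILBOX
    msg["Subject"] = "VE2 file transfer: %s" % filename
    msg.set_content("File transferred from the PUBLIC environment.")
    ctype, _ = mimetypes.guess_type(filename)
    maintype, subtype = (ctype or "application/octet-stream").split("/", 1)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def send_transfer(msg, username, password, server=MAIL_SERVER, port=25):
    """PUBLIC side: hand the message to the mail server over SMTP (needs the network)."""
    with smtplib.SMTP(server, port) as smtp:
        smtp.login(username, password)
        smtp.send_message(msg)


def fetch_raw_messages(username, password, server=MAIL_SERVER, port=110):
    """SECURE side: download every message in the mailbox over POP3 (needs the network)."""
    pop = poplib.POP3(server, port)
    pop.user(username)
    pop.pass_(password)
    count = len(pop.list()[1])
    raw = [b"\r\n".join(pop.retr(i)[1]) for i in range(1, count + 1)]
    pop.quit()
    return raw


def extract_attachments(raw_message):
    """SECURE side: parse a received message and return (accepted, rejected).
    accepted holds (filename, bytes) for attachments that are BASE64 encoded, carry
    an allowed extension and fit the size limit; rejected holds (filename, reason)."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    accepted, rejected = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        if cte != "base64":
            rejected.append((name, "not base64"))
            continue
        if ext not in ALLOWED_EXTENSIONS:
            rejected.append((name, "extension not allowed"))
            continue
        data = part.get_payload(decode=True)
        if len(data) > MAX_ATTACHMENT_BYTES:
            rejected.append((name, "too large"))
            continue
        accepted.append((name, data))
    return accepted, rejected


def round_trip(filename, data):
    """Offline demonstration: build the message as the PUBLIC side would and parse
    its raw bytes as the SECURE side would after a POP3 download."""
    return extract_attachments(build_transfer_message(filename, data).as_bytes())


if __name__ == "__main__":
    # Constructed sample files; nothing here touches the network.
    print(round_trip("prices.xls", b"\x00\x01 constructed spreadsheet bytes \xff"))
    print(round_trip("setup.exe", b"MZ\x90\x00"))
```

`round_trip` is the part to run offline; `send_transfer` and `fetch_raw_messages` are the two network calls that would be configured with the Option/Parameter tables above. Because the SECURE side decodes only what passed its own policy, a mailbox that the ISP scanner missed still cannot push an arbitrary file type into the critical environment.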
File Migration
Migration is the process by which files are moved to the SECURE environment. Files that are not moved become shared, non-modifiable files that can be accessed by both environments.
During the installation VE2 suggests moving all files that are NOT in the WINDOWS and PROGRAM FILES directories. It mainly transfers the Desktop, Documents and Settings, My Documents, and other installed programs that do not belong to these directories.
For business continuity it is wise to leave all installations in the shared area so that they cannot be tampered with, modified or corrupted. For example, the ERP and CRM clients would not be able to function in the PUBLIC environment, as they would not be able to connect anywhere; the same goes for MSN Messenger or the Internet browser in the SECURE environment, which cannot connect anywhere, bound by the network rules. MS Office would be available for use in both environments.
On the other hand, the information must not be shared and should be moved to the SECURE environment.
Computer (Before Migration)
MS Office
MSN Messenger
CRM
ERP
Anti-Virus
Local files
Local Databases
My Documents
Desktop
Documents And Settings

Computer (After Migration)
SHARED | Critical (SECURE) | Non-Critical / Disposable (PUBLIC)
Windows | Local files | (nothing at the beginning)
MS Office | Local Databases |
MSN Messenger | My Documents |
CRM | Desktop |
ERP | Documents And Settings |
Anti-Virus | |
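As an added example (not VE2's migration logic), the rule described above can be written as a small classifier: anything under the WINDOWS or PROGRAM FILES directories stays SHARED, and everything else (Desktop, My Documents, Documents and Settings, programs installed elsewhere) is moved to SECURE. The sample paths and the function names `classify` and `migration_plan` are constructed for this example; the comparison is case-insensitive because Windows paths are.

```python
from pathlib import PureWindowsPath

# The two roots the page leaves in the shared area.
SHARED_ROOTS = (PureWindowsPath("C:/WINDOWS"), PureWindowsPath("C:/Program Files"))


def _is_under(path, root):
    """True when path lies inside root, comparing path components case-insensitively."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[:len(r)] == r


def classify(path_str):
    """Return 'SHARED' for a file left in place or 'SECURE' for a file to migrate."""
    path = PureWindowsPath(path_str)
    return "SHARED" if any(_is_under(path, root) for root in SHARED_ROOTS) else "SECURE"


def migration_plan(paths):
    """Group paths by destination, preserving their order, so the plan can be
    reviewed before anything is moved."""
    plan = {"SHARED": [], "SECURE": []}
    for p in paths:
        plan[classify(p)].append(p)
    return plan


if __name__ == "__main__":
    # Constructed sample of what a SaleMe workstation might hold.
    sample = [
        r"C:\WINDOWS\system32\notepad.exe",
        r"C:\Program Files\CRM\client.exe",
        r"C:\Program Files\Microsoft Office\winword.exe",
        r"C:\Documents and Settings\dana\My Documents\clients.mdb",
        r"C:\Documents and Settings\dana\Desktop\quote.doc",
        r"C:\Tools\viewer.exe",   # installed outside Program Files, so it is moved
    ]
    for dest, files in migration_plan(sample).items():
        print(dest)
        for f in files:
            print("   ", f)
```

Running the plan over the whole disk before migrating gives a list to check against the Before/After table: in particular, a program installed outside Program Files ends up in SECURE, where its network access is bound by the SECURE rules.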
Updates
Microsoft updates are terminated in normal working mode; as the danger from vulnerabilities is diminished, you can now stop the rush of endless immediate updates.
To perform an update you must go to Update Mode (see the manual).
Note that Microsoft update addresses must be allowed in the firewall configuration.
Personal Firewall
VE2 has a built-in firewall, and Windows XP has a built-in firewall. You can decide whether or not to use the Windows firewall. No other firewall is needed.
Anti-Virus
If you wish your anti-virus to continue updating from the network, you should allow it to access the Internet; for example, Symantec Anti-Virus uses the following IP addresses: 212.113.20.69, 64.156.240.51, 209.133.111.3 and 64.41.192.107.
We have no position regarding end-point anti-viruses, but you may consider saving your computer's speed and staying with a much cheaper outsourced anti-virus.
Recovering from disaster
In case the PUBLIC environment is corrupted with spyware or viruses, damaged by the user, etc., use the VE2 administrator to clean up the environment (see the manual).