internet on wan

naren3108

I have an office with 500 PCs connected to the internet. The internet line comes to a firewall and then goes to the switch and then to the user. Currently I do not know which user is logged in and doing what. I want something to control user access by assigning a user ID and password, so that relevant logs can be kept for auditing purposes. Please guide and help. Thank you.
 
That's quite a lot of PCs. I think we'd need to know a lot more about your situation.

You say it "goes to the switch". 500 PCs, that's probably multiple switches across multiple locations?

So who administers this network at the moment? Is that you, an IT department, an external company? What hardware infrastructure do you have, e.g. Juniper firewall, Cisco switches? What about network printers? Any other network devices?

Then there's the software side of things. Are you 100% Windows? If so, are your PCs part of a Windows Domain with a Domain Controller providing security through Active Directory?

Knowing the answer to these questions, your existing setup might provide (or be able to provide) the information you're looking for.
 
Thanks for the reply. Yes, the internet cable comes to a firewall and then to multiple switches distributing internet to various departments. Right now no one is managing it. That's what is required. I have PCs which have Windows OS... But some of them may have pirated OS and other applications.

It is a prerequisite that the OS on all PCs has to be genuine.
 
Hmm, it doesn't sound good.

The answers to my other questions could indicate a preferred strategy to deal with things. For example, Active Directory could deal with a lot of your audit/security requirements, and group policies can lock down PCs so that users can't install unauthorised software. On the internet side of things, your existing firewall might be able to provide activity reports and, if it can link in with Active Directory, also provide additional security. Likewise with the switches, there are various types of security that can be done at the physical level if that's a requirement.

If you're not already familiar with these things then you might be better off bringing in an external company to audit your estate and formulate a plan for going forward. With an estate that large (I'm assuming it's a commercial business) it's not something that you can work out as you go along. Particularly if you're going to have to spend significant amounts of money on hardware and software (including maintenance and licence fees). It's not something you want to get wrong and then have to throw away and start again.
 
The issues you describe cannot be solved with just replacing the firewall and/or security infrastructure. An all-encompassing security and risk plan needs to be defined and executed across all technology lanes to bring everything into compliance one way or another.

You can look at a proxy/fw solution if you want to choke out the Internet connection to at least know who is on it. However, without a good directory service to use, trying to manage 500 user accounts and passwords will be a challenge over time. This is where having Active Directory or some other service comes in handy.

I know when my company has acquired smaller companies that had limited or no IT staff, we basically did an inventory of what they had... then usually just came in with a rip and replace project. When things are just that out of control, it is quite often more work to try to wrangle it all back into peaceful harmony than it is to just rip it all out and start from scratch.
 

Seconded, and what ColinTaylor said, too. With 500 devices, you NEED a directory service, and you NEED something MUCH better than "a firewall". Think of it this way - if even one of the users snags a cryptovirus and infects every other user on that network, and all of the data is irrevocably lost (this seems like a VERY likely scenario, based on what you've presented), how much will that cost the business?

Incidentally - the place probably also needs a complete audit of data storage/usage, to segment, isolate, and secure data (so that, for example, HR or managerial data isn't visible to everyone), and a backup plan - onsite AND offsite. Again - a nasty virus can infect your onsite storage, and you have burglaries, disgruntled employees, and floods or fires that can wipe out everything onsite.

Do you have a disaster recovery plan?

Sounds like you really have your work cut out for you!
 
