Tips For: Setting Up and Maintaining My SMB's Environment

Sometimes, you don’t have the option of working with a Managed IT Services (MITS) provider — whether the reason is budgetary, logistical, or otherwise. It’s important, however, to set up and maintain your environment so you don’t experience outages and broken systems.

The main reason SMBs don’t work with MITS providers is the associated cost — but if your network is constantly down, your employees’ productivity is down — and loss of productivity causes loss of revenue.

In addition to this loss of revenue, if your primary concern with MITS partnership is of a budgetary nature, having to bring in a contracted IT service provider repeatedly can become a costly expense very quickly.

So if you’re planning on managing your SMB’s environment, make sure to follow these tips in order to avoid as many problems as possible.

GENERAL NETWORK MANAGEMENT

There are a few habits every network administrator should have: staying ahead of problems through continuous monitoring, proactively updating and patching operating systems and software, training your Helpdesk on your tech stack, continually checking your email spam filter for holes, setting up your VoIP auto attendant, and regularly checking and testing server backups.

If you’re going to manage your network, you need to think and act like a network administrator (because that’s essentially what you are!) — and the name of the game is proactively predicting and protecting against any problems that may arise.

FIREWALLS

Your firewall is your first line of defense against cyber incursion. Before your firewall can be effective in the defense of your network, however, you’ll need to perform some basic configuration steps.

For Internet traffic to pass through a firewall, you must configure the firewall with your ISP Static Public IP address, Gateway address, Subnet and DNS addresses. 

Web and application filter configuration: Within this step, you’ll need to set up your requirements for what categories of Internet traffic you want to filter. Examples would be gambling, pornography, violence, and guns and ammo sites. You will also need to configure any applications you want to filter, like Facebook or Twitter.

Port forwarding: This allows devices that are outside your network or WAN (wide area network) to connect to your LAN (local area network) and access resources like a server, phone system or application.

NAT: NAT (Network Address Translation) translates local IP addresses into global or outside IP addresses, providing internet access to local hosts — NAT also does this same process in reverse, and controls your port forwarding.

VPN: A VPN (Virtual Private Network) will extend your private network to a public network — this allows your users to securely access, share and receive data and applications on your local network from a public network like a house or hotel.

LDAP: LDAP (Lightweight Directory Access Protocol) is an integration protocol that essentially connects your employees’ computer usernames to other devices and applications on your network. This is how you would pull a list of all employees into your VPN configuration instead of manually creating users for VPN access.

After setting all of this up, you’ll want to make sure all the proper firmware and updates have been put in place — this is an ongoing, never-ending task. In addition to this, make sure to review your security logs as frequently as possible — look for suspicious activity, and follow up if you notice any strange behavior on your network.
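As an added example (not part of the original article), here is one way to make that log review routine: a short Python script that reads exported firewall log lines and flags sources that were denied on several different ports or that repeatedly failed VPN logins. The log layout, field names, thresholds, and sample lines are all constructed assumptions; adjust them to what your firewall actually exports.

```python
from collections import defaultdict

# Constructed sample in a generic "timestamp key=value ..." layout (assumed;
# map the field names to whatever your firewall actually exports).
SAMPLE_LOG = """\
2024-03-04T02:11:07 action=deny src=203.0.113.45 dport=3389
2024-03-04T02:11:08 action=deny src=203.0.113.45 dport=22
2024-03-04T02:11:09 action=deny src=203.0.113.45 dport=445
2024-03-04T02:11:10 action=deny src=203.0.113.45 dport=8443
2024-03-04T08:30:12 action=allow src=198.51.100.77 dport=443
2024-03-04T09:02:41 action=login_failed src=192.0.2.200 user=jsmith
2024-03-04T09:02:44 action=login_failed src=192.0.2.200 user=jsmith
2024-03-04T09:02:47 action=login_failed src=192.0.2.200 user=jsmith
2024-03-04T10:00:00 action=deny src=198.51.100.90 dport=25
truncated line with no fields
"""

def parse_line(line):
    """Return the key=value fields of one log line, or None if unusable."""
    fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
    if "action" not in fields or "src" not in fields:
        return None
    return fields

def review(log_text, port_threshold=3, login_threshold=3):
    """Flag sources denied on many ports or repeatedly failing VPN logins."""
    denied_ports = defaultdict(set)   # src -> distinct denied ports
    failed_logins = defaultdict(int)  # (src, user) -> failure count
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1              # count, don't silently drop, bad lines
            continue
        if rec["action"] == "deny" and rec.get("dport", "").isdigit():
            denied_ports[rec["src"]].add(int(rec["dport"]))
        elif rec["action"] == "login_failed":
            failed_logins[(rec["src"], rec.get("user", "?"))] += 1
    findings = [("many-denied-ports", src, sorted(ports))
                for src, ports in denied_ports.items()
                if len(ports) >= port_threshold]
    findings += [("vpn-login-failures", src, f"{user} x{n}")
                 for (src, user), n in failed_logins.items()
                 if n >= login_threshold]
    return sorted(findings), skipped

if __name__ == "__main__":
    results, bad = review(SAMPLE_LOG)
    for kind, src, detail in results:
        print(f"{kind:20} {src:15} {detail}")
    print(f"{bad} unparsable line(s): check these by hand")
```

Anything the script flags is a starting point for the follow-up described above, and the count of unparsable lines tells you when the export format has changed and the review is no longer seeing everything.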

You’ll want to create an escalation plan — this is the plan put in place for how to respond to a security issue or breach. Things to consider here would be response time, response method, and who needs to be informed about the issue. Make sure you have a backup of your firewall’s configurations — it can be a major hassle to reconfigure everything if there is a glitch or you experience data corruption.

WIRELESS ACCESS POINTS

Simply put, wireless access points act as the wireless connection device for your internal network.  You’ll want to configure two networks with your wireless access points: a corporate network, and a guest network.

Your corporate network should house all of your trusted devices — those being your employees’ desktops and laptops (sometimes even mobile devices), applications, server files, printers, and any other device type your business uses.

Your guest network exists for clients or others who come to visit your office and need to access the internet. Having these two separate and distinct networks adds an additional layer of security to your network by ensuring the only devices and users with the permissions to access critical data and infrastructure are those that you can trust, and are kept quarantined from outside threats.

In order to achieve this, you’ll need to set up a wireless controller — commonly referred to as a WLAN controller — which will require its own set of configurations.

BACKUPS

Backups are essential for any business’ network. Proper backups are more than just duplicating files — you can actually take a snapshot of your entire server, backing up its configurations, files, firewall, applications, and every aspect of your tech stack. You’ll need to determine how often these snapshots should occur — this can be as frequent as once every hour, or as infrequent as once every week.

The more frequently you take snapshots, the more backup space you’ll require. When determining this snapshot frequency, you’ll also want to figure out the duration of storage — how long do you want these backups to exist in your backup server? Again, the longer these snapshots will live, the more backup space you’ll require.

You’ll want to monitor your scheduled backups, and check to see if anything in the process has gone wrong. If there is a hiccup, you’ll need to immediately diagnose the issue. Hopefully, you’ll never have to make use of your backups, because your server will be healthy, but just in case, you’ll want to set up quarterly restoration reviews.

A quarterly restoration review is used to determine if your backup snapshots are actually functional. This requires you to pull the backup onto a device, and check the functionality of each part of that backup. In addition to these quarterly reviews, you’ll want to conduct an annual review, this time digging through each part of your backup server to ensure everything is working as it should.

In case something does go wrong on your server, you’ll want to determine your RTO (recovery time objective) and RPO (recovery point objective). Your RTO determines how long you want the recovery process to take, and your RPO determines how far back this backup will go.
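The trade-offs in this section can be checked with a few lines of code. The following added example (not from the original article) takes a list of snapshot timestamps, finds missed runs, compares the longest gap against your RPO, and estimates worst-case storage for a given frequency and retention period. The sample schedule, the 200 GB server size, and the assumption that every snapshot is stored in full are constructed for illustration.

```python
from datetime import datetime, timedelta

def storage_needed_gb(snapshot_gb, interval_hours, retention_days):
    """Worst-case space: every retained snapshot stored in full (assumption)."""
    kept = (retention_days * 24) // interval_hours
    return kept * snapshot_gb

def check_schedule(snapshot_times, interval, rpo, now):
    """Return (missed_windows, worst_gap, rpo_met) for a list of snapshot times."""
    times = sorted(snapshot_times)
    if not times:
        return [], None, False  # no backups at all: the RPO cannot be met
    # Pair each snapshot with the next one; the newest is paired with 'now'
    # so a job that silently stopped running is caught as well.
    gaps = [(a, b, b - a) for a, b in zip(times, times[1:] + [now])]
    # Allow 50% jitter on the schedule before calling a run missed.
    missed = [(a, b) for a, b, g in gaps if g > interval * 1.5]
    worst = max(g for _, _, g in gaps)
    return missed, worst, worst <= rpo

# Constructed sample: hourly snapshots, with the 04:00 and 05:00 runs missing.
DAY = datetime(2024, 3, 4)
SNAPSHOTS = [DAY + timedelta(hours=h) for h in (0, 1, 2, 3, 6, 7, 8)]

if __name__ == "__main__":
    missed, worst, ok = check_schedule(
        SNAPSHOTS, interval=timedelta(hours=1), rpo=timedelta(hours=2),
        now=DAY + timedelta(hours=9, minutes=10))
    for start, end in missed:
        print(f"no snapshot between {start:%H:%M} and {end:%H:%M}")
    print(f"worst data-loss window: {worst}, RPO met: {ok}")
    # Hourly vs. weekly snapshots of a 200 GB server, both kept for 30 days
    print(storage_needed_gb(200, 1, 30), "GB vs",
          storage_needed_gb(200, 168, 30), "GB")
```

Backup products that store only changes between snapshots will need less space than this worst-case figure, but the relationship between frequency, retention, and storage holds either way.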

ANTI-VIRUS

Finally, we’re at the last step — your anti-virus system. Like everything else in this blog, you’ll first need to configure your anti-virus software. During this configuration, you’ll need to specify unwanted software — this prevents any harmful software from being downloaded onto any device on your network. Most anti-virus software will come preloaded with templates that already include lists of blocked software packages.

Next is your scan configuration — you need to schedule when your anti-virus scans occur. Just like your backup schedule, you have a lot of freedom here — your anti-virus could scan twice a day, or twice a week.

Anti-virus software works off of something called “virus definitions.” Basically, what happens is this:

  1. A new virus is released, and infects a certain number of devices
  2. The new virus is reported to the anti-virus software
  3. The identifying characteristics of the virus are logged into the anti-virus software
  4. A virus definition is created, allowing the anti-virus software to automatically block the new virus

It’s like when your immune system creates an anti-body for chicken pox — just on the scale of the entire internet, rather than your body. Because anti-virus software relies so heavily on these virus definitions, you’ll want to manage and monitor for these updates as frequently as possible.

There is a new form of defense out on the market now, called Endpoint Detection and Response, commonly referred to as EDR. This is a limited artificial intelligence that learns the behavior of each individual user on your network, and takes the appropriate action to block incoming viruses, even if there isn’t a virus definition for it yet. This creates an almost 100% secure environment, since you won’t have to rely on a reactive defense, but rather a proactive one.

Your antivirus software also controls your email spam filter, and you must send its updates to your network’s devices, server, and switches.

MONITOR, MAINTAIN, MITIGATE

That’s a network administrator’s mantra. Monitor your systems frequently, maintain them via continuous updates and patches, and mitigate as many security risks as possible by utilizing all the tools available to you in order to shore up your network.

Patrick Judy
Patrick Judy is an IT Solutions Specialist who originally began working for Cobb in 2010, and after a five-year stint in Raleigh, North Carolina, returned to Cobb’s managed IT development department. Patrick specializes in consulting with businesses in order to help grow and maintain their enterprise ecosystems, and when he’s not working, he’s snowboarding (in which he has over 20 years of experience), or spending time with his family.