Serious Discussion What's a good multilayer security setup?

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,492
When setting up a multilayer security setup, there are several components that should be included to provide comprehensive protection. Here are some essential elements to consider:

1. Firewall: A firewall acts as a barrier between your network and the internet, monitoring and controlling incoming and outgoing network traffic. It helps filter out potential threats and unauthorized access attempts.

2. Intrusion Detection System (IDS) or Intrusion Prevention System (IPS): An IDS/IPS monitors network traffic for suspicious activities and potential security breaches. It can detect and alert you about unauthorized access attempts or malicious activities, and in the case of an IPS, it can also take action to block or prevent such activities.

3. Antivirus/Antimalware Software: Deploying robust antivirus and antimalware software on all devices helps protect against known and emerging threats. Regularly updating the software and running scans is crucial to ensure the latest protection.

4. Secure Email Gateway: Email is a common vector for cyberattacks, so implementing a secure email gateway can help filter out spam, phishing attempts, and malicious attachments. It can also provide encryption and data loss prevention features.

5. Web Application Firewall (WAF): A WAF protects web applications by filtering and monitoring HTTP traffic between the application and the internet. It helps prevent attacks such as SQL injection, cross-site scripting (XSS), and other web-based vulnerabilities.

6. Virtual Private Network (VPN): A VPN encrypts internet traffic, providing a secure connection between remote users and the network. It is especially important when accessing sensitive information or using public Wi-Fi networks.

7. Regular Patching and Updates: Keeping all software, operating systems, and firmware up to date is crucial to address vulnerabilities and security flaws that could be exploited by attackers.

8. Strong Authentication: Implementing strong authentication methods, such as two-factor authentication (2FA) or biometrics, adds an extra layer of security to user accounts and helps prevent unauthorized access.

9. Data Backup and Recovery: Regularly backing up critical data and having a robust recovery plan in place is essential to mitigate the impact of potential security incidents, such as ransomware attacks or hardware failures.

10. Employee Education and Awareness: Security is not solely reliant on technology; educating employees about best practices, such as avoiding suspicious links or attachments, using strong passwords, and being cautious about sharing sensitive information, is vital to overall security.

Remember, a multilayer security setup is about combining different security measures to create a defense-in-depth approach. The specific components and their configurations may vary depending on your organization's needs and the nature of the data you are protecting.
 

ForgottenSeer 103564

When setting up a multilayer security setup, there are several components that should be included to provide comprehensive protection. Here are some essential elements to consider:

1. Firewall: A firewall acts as a barrier between your network and the internet, monitoring and controlling incoming and outgoing network traffic. It helps filter out potential threats and unauthorized access attempts.

2. Intrusion Detection System (IDS) or Intrusion Prevention System (IPS): An IDS/IPS monitors network traffic for suspicious activities and potential security breaches. It can detect and alert you about unauthorized access attempts or malicious activities, and in the case of an IPS, it can also take action to block or prevent such activities.

3. Antivirus/Antimalware Software: Deploying robust antivirus and antimalware software on all devices helps protect against known and emerging threats. Regularly updating the software and running scans is crucial to ensure the latest protection.

4. Secure Email Gateway: Email is a common vector for cyberattacks, so implementing a secure email gateway can help filter out spam, phishing attempts, and malicious attachments. It can also provide encryption and data loss prevention features.

5. Web Application Firewall (WAF): A WAF protects web applications by filtering and monitoring HTTP traffic between the application and the internet. It helps prevent attacks such as SQL injection, cross-site scripting (XSS), and other web-based vulnerabilities.

6. Virtual Private Network (VPN): A VPN encrypts internet traffic, providing a secure connection between remote users and the network. It is especially important when accessing sensitive information or using public Wi-Fi networks.

7. Regular Patching and Updates: Keeping all software, operating systems, and firmware up to date is crucial to address vulnerabilities and security flaws that could be exploited by attackers.

8. Strong Authentication: Implementing strong authentication methods, such as two-factor authentication (2FA) or biometrics, adds an extra layer of security to user accounts and helps prevent unauthorized access.

9. Data Backup and Recovery: Regularly backing up critical data and having a robust recovery plan in place is essential to mitigate the impact of potential security incidents, such as ransomware attacks or hardware failures.

10. Employee Education and Awareness: Security is not solely reliant on technology; educating employees about best practices, such as avoiding suspicious links or attachments, using strong passwords, and being cautious about sharing sensitive information, is vital to overall security.

Remember, a multilayer security setup is about combining different security measures to create a defense-in-depth approach. The specific components and their configurations may vary depending on your organization's needs and the nature of the data you are protecting.
An excellent answer to the question presented.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Today's Virtual Machine flavor of the day is MS Defender tweaked with DefenderUI, Windows firewall, Voodooshield aka CyberLock 7.58 beta, and recently added Malwarebytes 5 beta just to add an unnecessary layer, a paid VPN, and uBlock for browsers and a few misc extensions. Surprisingly (to me) this VM "feels" fast, no noticeable slowdowns. I check unknown downloads with VirusTotal and Kaspersky Threat Intelligence Portal. This is one example. My other VM(s) each run entirely different security. The trick is finding layers that do not interfere with each other. I suggest using Windows security with @Andy Ful app(s) but read all his documentation to the point of understanding it.
 

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,266
Today's Virtual Machine flavor of the day is MS Defender tweaked with DefenderUI, Windows firewall, Voodooshield aka CyberLock 7.58 beta, and recently added Malwarebytes 5 beta just to add an unnecessary layer, a paid VPN, and uBlock for browsers and a few misc extensions. Surprisingly (to me) this VM "feels" fast, no noticeable slowdowns. I check unknown downloads with VirusTotal and Kaspersky Threat Intelligence Portal. This is one example. My other VM(s) each run entirely different security. The trick is finding layers that do not interfere with each other. I suggest using Windows security with @Andy Ful app(s) but read all his documentation to the point of understanding it.
Nice setup, I am going to try it someday, minus Defender and minus Malwarebytes. :p

Kidding, Defender with DefenderUI or Configure Defender along with Cyberlock is a killer setup. Don't think Malwarebytes is needed but throw in Malwarebytes Browser Guard for good measure. All I use now on 2 computers is a combination of FSecure, Defender with Configure Defender, Cyberlock, WHH and sometimes Malwarebytes. I switch frequently as I am a dummy. :cry:
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Nice setup, I am going to try it someday, minus Defender and minus Malwarebytes. :p

Kidding, Defender with DefenderUI or Configure Defender along with Cyberlock is a killer setup. Don't think Malwarebytes is needed but throw in Malwarebytes Browser Guard for good measure. All I use now on 2 computers is a combination of FSecure, Defender with Configure Defender, Cyberlock, WHH and sometimes Malwarebytes. I switch frequently as I am a dummy. :cry:
I used to switch AV more, but now I feed that craving to the extent it remains by having several VM with different security setups. F-Secure was a fav for the last year, but then FS wanted $90 to renew or something like that, and let it go, although I know there are ways around those licensing cost issues. Right re MBAM not needed, but someone suggested it, getting better reviews, and seems not to slow down MS Defender. My current primary VM is Checkpoint Harmony. I am having good luck with VMware Workstation 16. (I have Zorin Linux VM I like too). Typically I only run one VM at a time.
 

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
393
I am assuming you are not asking on behalf of a corporation, but as an individual.

For firewall, if you want a firewall engine different from Windows' own, then there is Comodo Firewall and ZoneAlarm. Most anti-malware that comes with a firewall only uses Windows' own Base Filtering Engine. Diversity is a concept of security; if you rely on one vendor for all your defenses, like MS, then it is more risky.

If you have several PCs, then you can put an old desktop PC to use by plugging in an extra network adapter and installing pfSense. It is a proper firewall and comes with an Intrusion Prevention System (IPS). Then that could guard your whole network. It is Linux based but simple to install.

For backup I use Macrium Reflect. It is no longer free, but it is fast and the backup compression is good so you save disk space. If you want a free one, there is MiniTools ShadowMaker. Its backup compression is not as good, but it is free. They are both drive imaging programs, which means it does a bit-for-bit backup, backing up Windows, all Windows settings and all files including your docs, pics etc. But you have to allow drive space because a barebones Windows setup with only an antimalware will create an 18GB backup file. (Macrium)

For file-based backup you can rely on Windows' OneDrive. The bad thing about it is that it synchronizes, which means it deletes from the cloud backup whenever you delete from your hard drive. So it is kinda not a backup software, but can be considered a backup program because it stores a copy of your data files in the cloud, so that accomplishes off-site backup, which is important if your house burns down. There are quite a few file-based backup programs available for free. I do my file-based backups manually because I only have to copy a few folders to a USB stick, so I don't need a file-based backup program.

I need to stress that you must keep several versions of your backups. If you accidentally introduce a malware infection and don't know about it, it may exist in your backups too. So then you would need to use an earlier version of your backup. I don't delete backups until I run out of disk space. Backups are your last line of defense - do not omit it.

I will recommend a category not listed by Bot, and that is an anti-executable. What it does is create a list of all your programs and Windows EXEs and from then on only allow those to run. Any new EXE, malware or not, will not be permitted to run and it will prompt you. It is a 'whitelist' approach rather than the 'blacklist' approach used by anti-malware. These programs don't require constant signature updates and are in a way superior to anti-malware. Many people don't know of this category of protection. A good product is Cyber Lock.

Another defense category omitted by Bot is monitoring. It is common security knowledge among security pros today that it is not 'if' you will be attacked but only 'when' you will be attacked. The computer age has brought a whole generation of computer users and also a sizable population of hackers and cybercriminals. They don't discriminate. You don't have to be a 'target', as per popular folklore. There are different skill levels of hackers and they all know about Kali Linux, the popular penetration attack Linux distro - it is filled with attack tools for any beginner to learn. And some of the tools in that distro are unstoppable by anti-malware. The only solution is to monitor for attacks. Anti-malware vendors are of course not sitting stationary, and they brought along a new category of defense - the EDR (endpoint detection and response). It generates alerts on a web console whenever something suspicious runs. The OpenEDR platform has Auto Containment, which virtualizes anything suspicious. So malware is stopped and hackers are stopped, and it throws alerts at you so you know to put up more defenses, enact containment procedures etc. in case that hacker was not stopped. It is priced reasonably at $4/month/PC.

I will add yet another category of defense - network segmentation. Most of us use just one modem/router. Don't. Segment your network into zones; by age group, by rooms, whatever. It is simple to do; just use a separate router and connect its laptops for every zone. That way an infection cannot spread, and hackers cannot move around - the routers' NAT firewall stops that. And if things get out of hand, you can contain that infection by pulling the plug to the router.
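As an added illustration of the anti-executable (allowlist) idea described in the post above, and not code from any product named in the thread: a minimal Python model that snapshots the SHA-256 of every executable in a directory, then permits a file to run only if its path is in the baseline and its hash is unchanged. The sample tree, file names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed set of file types the allowlist governs.
EXE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every executable under root: relative path -> SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXE_SUFFIXES
    }


def decide(root: Path, path: Path, baseline: dict) -> str:
    """Default-deny: only a known path whose contents are unchanged may run."""
    rel = str(path.relative_to(root))
    if rel not in baseline:
        return "deny: unknown executable"
    if sha256_of(path) != baseline[rel]:
        return "deny: known path, contents changed"
    return "allow"


def demo() -> list:
    # Constructed sample tree standing in for a program directory; bytes are arbitrary.
    root = Path(tempfile.mkdtemp())
    (root / "app.exe").write_bytes(b"MZ trusted app")
    (root / "helper.dll").write_bytes(b"MZ trusted helper")
    baseline = build_baseline(root)
    json.dumps(baseline)  # a real tool would persist this snapshot to disk
    results = [decide(root, root / "app.exe", baseline)]          # known, unchanged
    (root / "dropper.exe").write_bytes(b"MZ new arrival")          # new file after baseline
    results.append(decide(root, root / "dropper.exe", baseline))
    (root / "helper.dll").write_bytes(b"MZ tampered helper")      # known file replaced in place
    results.append(decide(root, root / "helper.dll", baseline))
    return results
```

Note that the hash check is what catches a replaced binary; a path-only allowlist would let the tampered helper.dll through.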
 
