Securing Your Network?

Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."

Honey Pot

[by Anonymous Coward]

I heard about this honey pot feature for network security. I installed them on each users computer, but they keep using the honey in their tea. Maybe it was not installed correctly?

Re:Honey Pot

[TopShelf (92521)]

You've got it all wrong - honey pot security is where you take some of your spouse's best joints and use them as bait around the data center...

Not enough diversification

[delphi125 (544730)]

Since you posted this on /. you obviously aren't interested in security through obscurity!

it must be said

[flynt (248848)]

I don't think I am the only one spending evenings and weekends playing around with yet another IDS.

Think again!

Keep it simple

[Lucky Kevin (305138)]

Allow only very few services and open just those ports. Probably HTTP, SMTP, FTP, SSH that's all.

Keep Web and FTP on separate DMZ LANS.

FTP? Was: Keep it simple

[bwhaley (410361)]

Probably HTTP, SMTP, FTP, SSH that's all.

Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Ya, so the users complain about it, but they'll get over. The University [colorado.edu] I attend recently switch from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you :)

Re:FTP? Was: Keep it simple

[ewhac (5844)]

Why FTP? There is no need for it any more.

I have a dinky little 166MHz Pentium laptop which is parked on my (wired) LAN 99% of the time. Depending on file content, file transmission over sftp or scp happens at about 55K bytes/sec. This is glacial (one-third the speed of a 1X CD-ROM drive). The problem is the time spent encrypting the data for transmission -- a 166 MHz Pentium just can't crank it out much faster.

FTP has no encryption step, so file transfers happen at line speed. Of course, FTP has almost no security measures at all, transmitting passwords in the clear. However, for moving files among machines on my switched LAN (as opposed to the Internet), I see this as less of an issue.

Ideally, I'd like sftp and scp to have the (obviously non-default) option of using secure authentication (encrypted passwords, etc.), but transfer the files themselves in the clear. I believe this would be useful in a wired LAN setting with anemic machines where the file contents are not considered sensitive (uploading MP3s and Vorbis files to your home jukebox, for instance). ssh does have the option of turning session encryption off, but it's a compile-time option none of the distros enable.

Of course, in a wireless "LAN" setting, all the bets are off, and encryption should be de rigueur.

Schwab

Re:FTP? Was: Keep it simple

[EvilAlien (133134)]

"SSH just ensures plaintext passwords aren't bouncing around your network."

JUST?!

Thats like saying "oh, a firewall just keeps external network traffic from getting to services and hosts you don't want them to get to". Well duh.

If your only authentication scheme is passwords, then this is crucial, there is no "just" about it. For example, the only thing separating your hosts from being vulnerable to all local-only exploits is a malicious user authenticating through SSH with a stolen password from sniffed FTP traffic, even if your FTP service is patched and non-vulnerable to priveledge escalation and buffer overflows resulting in shell access.

If you want to write off such a simple attack then <sarcasm>you might as well just leave telnet enabled, tie all your systems together with NIS on a public network, and make sure you have stickies with administrative account authentication information at all physical access points.

Oh ya, don't forget to implement some wireless APs too... and remember: WEP and MAC exclusions are for the paranoid. Information wants to be free</sarcasm>.

Re:FTP? Was: Keep it simple

[RollingThunder (88952)]

Well, in addition to what the other respondent said, which is that keeping passwords from going in the clear is a pretty valuable item, I generally find that ssh/scp stuff is written to a higher standard.

It's security-realm software, and the authors know it, and take a lot of care with it. With XYZftpd, you have no idea, and don't get me started on the variety of slapdash FTP clients that are out there.

Re:FTP? Was: Keep it simple

[bwhaley (410361)]

Unfortunately some web development clients only understand FTP and can't use sftp.

I assume you're referring to applications such as Dreamweaver/Frontpage/Composer. True, these apps can't use FTP, but there's an easy workaround which we've suggested to our users. Check out stunnel [stunnel.org]. Works great, and it's GPL'd. Yay!

Re:Keep it simple

[frodo from middle ea (602941)]

Also remember
Most security breachings occur from within. May be a over curious geek looking for holes in the network, or a disgruntled employee.

These are the one's that you should concentrate on first. Its a simple 80-20 ratio thing.

Its no point building up the strongest bastion, when you have traitors within.

Pull the ether.

[theNetImp (190602)]

The way I secure my systems, is not to put them on a network, though it does make email a bitch...

Thanks for letting me know

[by Anonymous Coward]

I look on the stock market: diversify [yourdictionary.com]. Don't put all your eggs in one basket.

Thanks for the link, I didn't know what diversify meant.

Not sure your reasoning is sound

[flynt (248848)]

I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?

That's like saying you know someone has solved a very hard math problem that you need solved, but that you don't have time to find out how they did it. Why don't you read the literature not only from the NSA, but from the other various institutions that dedicate tremendous resources into investigating the problems you are trying to solve. It makes a lot more sense to do your research there rather than asking laypersons for their haphazard advice.

Re:Not sure your reasoning is sound

[SquadBoy (167263)]

To answer the question and second you I *have* read the NSA docs along with a bunch of other stuff and you are %100 right. The knowledge and information to secure a network and secure it right is out there and it is just lazy not to know it if you are a person who is supposed to be doing this stuff. Start with "Secerts and Lies" to get you in the right frame of mind and then start reading the rest of the stuff. Then you can do it right.

Re:Not sure your reasoning is sound

[stikk (134509)]

> I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?

I honestly have read every NSA guide publically available on nsa.gov, they are usually indepth and are a good starting point(with the exception of the DNS guide). I don't blindly accept everything they say, however its my tax dollars working for me for once.

Real World Linux Security

[Doug Merritt (3550)]

Why don't you read the literature not only from the NSA, but from the other various institutions

In particular I recommend "Real World Linux Security" [amazon.com] , second edition, by Bob Toxen, which contains a wealth of useful information.

Full disclosure: I know the author; I am doubtless biased. But I like the book and have found it quite handy.

Here's an excerpt from an Amazon reviewer:

Bob goes far beyond a simple how-to, teaching best security practices and his "Rings of Security" approach to keeping your information safe. The depth of knowledge contained within will appeal to security administrators across the enterprise. The book is by far the most useful security book on my shelf, and I continue to go back to it for reference.

Think layers

[Blaine Hilton (626259)]

Not just diversify, but think in layers. Try to achieve a layered security approach, with the most sensitive data in the center of the security "sphere".

Go calculate [webcalc.net] something

Re:Think layers

[Frostalicious (657235)]

Not just diversify, but think in layers

I laughed my ass off when I read this, because I read it as "think in lawyers". Security through litigation? If only that didn't happen.

Re:Think layers

[laugau (144794)]

Ogres have layers, onions have layers.

Ogres are not like cake.

Re:Think layers

[Amoeba (55277)]

Ogres have layers, onions have layers. Ogres are not like cake.

What about parfait? Everybody likes parfait.

(If you don't get it, you don't have a 3yr old Shrek junkie in your house)

Best security.

[Neck_of_the_Woods (305788)]

get all your shit working. Cut the lan/wan/internet lines, brick it in with now doors and spray the outside with teflon.

Hire a muscle head with a 8th level Edu to guard the brick box with a baseball bat.

Other than that your just playing the odds like the rest of us.

This reminds me

[apankrat (314147)]

: .. cut the lan/wan/internet lines ..

This is a very important part that is often overlooked as demonstrated by the following example [techweb.com] :

The University of North Carolina has finally found a network server that, although missing for four years, hasn't missed a packet in all that time. Try as they might, university administrators couldn't find the server. Working with Novell Inc. (stock: NOVL), IT workers tracked it down by meticulously following cable until they literally ran into a wall. The server had been mistakenly sealed behind drywall by maintenance workers.

Re:Best security.

[TeknoHog (164938)]

yeah, and for securing your music files, don't put all your oggs in one basket.

A network is secure if...

[sterno (16320)]

A network is secure if it costs more to an intruder to break in than the value of the information being protected.

Network security must exist within a context of what is being protected and who would want to break in. If you are protecting your personal information, the amount of security that is needed is substantially less than if you are a major bank. Sure, your design might have some holes in it. In fact, I guarantee that it does, but if it's too much hassle to exploit those holes, then nobody's going to bother.

Re:A network is secure if...

[Kargan (250092)]

Not entirely true. Often times the only thing a system needs to become a target is a high-speed 'Net connection. The compromised machine can then be used to scan other random subnets to find other machines to compromise to then use those to scan other random subnets...you get the idea.

I'm ashamed to say I learned this particular point of interest myself, and only when root started getting mail from other admins wanting to know why our server was portscanning them.

Live and learn, they say. I say wisdom is learning from someone else's mistake, such as mine. Hint: when Tripwire stops sending you messages, you may be compromised.

secure?

[geekoid (135745)]

"I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?"

Anybody who considers security important.

Unfortunately

[FreeLinux (555387)]

I don't think I am the only one spending evenings and weekends playing around with yet another IDS.

Unfortunately, I suspect that we are among the few that do. Especially when you look at this [linuxsurveys.com] and this [linuxsurveys.com].

I would say that you are definitely on the right track and that your network is probably more secure than most. Certainly more so than those that will respond to you here. The fact is that if you are in doubt, you should have an audit performed by a security expert. This person will review you policies, procedures and configurations and make appropriate recommendations. Additionally they will perform penetration testing both from inside and out and make subsequet recommendations.

As I said above, I think you are on the right track and would guess that you have taken all of the necessary steps, and are hearing the complaints from your user community. But, the only thing that I would add is that you should never become complacent. Test your security regularly and use multiple tools to do it, and always the latest versions. Don't rely soley on a Nessus or nmap scan to validate your security. Also, when testing, remember that it isn't just a matter of whether you get in or not, you should also make sure that the attempt is properly caught in the logs, regardless of the attempts success or failure.

two steps

[by Anonymous Coward]

1) Fire developers

2) Fire users

Simple.

[Eric_Cartman_South_P (594330)]

www.openbsd.org

I welcome suggestions as to why Windows or even Linux would be a safer choice in regards to security.

And OpenBSD with Evil Bit checking is even better. ;)

First and foremost

[Faust7 (314817)]

What do you consider to be a secure network?

A properly patched one, Linux or Windows.

question/answer

[flynt (248848)]

I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?

Probably professionals who weren't picked to be the "security guy" by a game of spin the bottle at the last office meeting.

My hat's white.

[Mononoke (88668)]

As I was pondering the review results I wondered what a completely unbiased observer would think of my security.

Just post a few IP addresses for us to try. We'll let you know.

Really, we will.

We won't break too much along the way.

We promise.

(It's humor, laugh.)

KISS

[CommonSalt (580630)]

Always know exactly what ports you have open.
Dont let any attachments in.
Have DMZ's.
Pay attention to bugtraq and errata postings.
Nmap every once in a while.
Only have two ssh's open to get in and have the IPs defined in hosts.allow.
ALWAYS upgrade when security bugs are fixed.
Have snort on the main DMZ in a promiscuous switch port, get some nice looking reports going.
Pay attention to bandwidth useage ( cricket ).
Add a dash of portsentry+tcpwrappers.
Dont act macho and send nasty letters to people who try to get in.
Maybe, dont return pings ( tcp-reset ) or portscans.
Bind 9 with zones.
Check all logs all the time (3 times a week).
KISS = keep it simple stupid.
Dont hire lazy admins.
Try out all new security related programs.
I SHOULD be sending most all logs to a central host.
Make sure MS admins dont totally let their guard down.

*pant*pant*. ummmmm, thats about it for now.

Oh and dont enable web crap on routers etc (more ports open).
ssh for everything.
shut down telnet.
https for everything.
Try to protect email, imap, pop (plaintext over the network).
Read the "security section of all apps you install and try to KISS
ummmmmmmm, thats about it for me.

everyone already knows this but im just throwing in my 2 cents :-)

well since noone else wants to ...

[Abm0raz (668337)]

... I'll give a serious answer.

I work for a moderate sized engineers consultation company (500+ employees all over the east coast). We have over a dozen offices from Florida to Maine. All are connected by a VPN using frame relay. At each access node, there is a Sisco Router/switch controlling what traffic can come in and out. Behind that is a firewall, NAT, and DHCP server (each office runs on a seperate private IP group). All external traffic (i.e. not on the VPN) must go to the main headquarters and pass through the proxy before making out to the "real world." We also have several web, ftp, and email servers in the private IP realm that are NAT'd to the outside. All incoming packets from the outside worled must go through the Router, Firewall, NAT, Virus Scanner, Mail Content Scanner (read: anti-spam detector) before making it to the target machine.

Software-wise, we are Novell users (mod me down if you want, but it is a hell of a lot better than M$). Every user has 1 concurrent log-in with very few exceptions (IT staff being 1 of them). Users cannot pass through the proxy or access any file servers without full LDAP authentication. this includes email, web browsing, ftp, etc. All logins are fully logged to time, machine and duration. Passworded screen savers automatically kick in after 10 minutes of idleness and users are auto-logged off after 30 minutes of idleness. Strong passwords are enforced (9+ charaters, 3 of 4 ({CAPS, lower, 1234, !@#$}), no repeating of past passwords, no dictionary words). L0phtcrack is used randomly to check for weak passwords.

I consider our systems to be fairly secure, given that most of the system is redundant as well as obscure to all but a few people in IS. It's a combination of cyber-armor and security through obscurity.

Hope this helps.

Your network needs work...

[hoggoth (414195)]

Your network is pretty secure compared to the average. However, ...

Your root password is "sheila".
Your social security number is 182-90-6134.
You just broke up with your girlfriend.
And you really ought to get a disk-wipe program to remove all traces of those deleted pornos.

A secure system keeps its word.

[Frater 219 (1455)]

A lot of the dialogue on computer security takes it as read that security is about keeping hackers out or about patching holes or about reducing exposure by blocking attacks ... or something of those ilk. I'd like to suggest that none of these are really what people want out of security, and while they may provide useful tactical steps they do not provide the insight needed for an overarching security strategy.

Here's what I would offer as a cornerstone for thinking about your systems' security: A secure component is one that keeps its word. That is, it provides guarantees -- assurances -- of its behavior, and it meets those guarantees. Because it provides these guarantees, other components can depend upon it (though they need not depend exclusively upon it). And once a system is built out of dependable components, staff can place their trust in it and not be betrayed.

Take an example: a firewall. A firewall is commonly thought of as a tool for blocking attacks or reducing exposure. I would suggest that it is, rather, a tool for providing assurance that certain traffic will not enter the network from a certain point. Systems behind the firewall should not be thought of as being made "more secure" (what muddy thinking!) on account of the firewall's presence. They should be thought of as receiving a guarantee from the firewall that certain traffic will not enter.

This allows for evaluation. Under the blocking-attacks model, we must rate a firewall as doing its job if it blocks attacks. Which attacks? "Uh -- some attacks, the ones from the other side of the firewall." But what about attacks from other places? "Uh -- the firewall can't help you there, it's only at the border." But then what good is it? "Uh -- it makes your security better. That's what everyone says." With a clear understanding of the guarantees the firewall provides, we can evaluate its success with a clearer mind: does it succeed or fail at meeting those guarantees?

(Microsoft's marketing folks recognize that people want dependability when they talk about "trusted computing". They're using it as a nasty trick, of course, but they have the right words. By "secure system" people don't just want a system that rejects today's attacks, but one that provides dependable assurances of its behavior. Too bad they are wasting the memetic capital of the phrase "trusted computing" on a despicable power grab.)

Diversity is not always an advantage

[fv (95460)]

> I like to look at network security with the same attitude as I look on
> the stock market: diversify. Don't put all your eggs in one basket.

That is certainly true in the stock market, but I would be careful about applying it to network security. Adding a new stock to your portfolio does not place your other stocks at greater risk. Yet every new network service/machine you add _does_ increase the risk to the rest of your network. If an attacker manages to get a foothold into one of your machines, there are a myriad of ways that she [insecure.org] can leverage that access to further compromise your network.

Adding a new service is like having to defend a new front in a war. You have to divide your administrative effort into securing all of your systems, while the bad guys need only break through one of the defenses. So I would generally recommend standardizing on (say) a locked-down qmail, rather than putting out a "diverse" network that includes qmail, postfix, sendmail, exim, etc. Choosing one of those (even if you have instances on many machines) allows you to put more effort into locking it down, learning about it, and watching for & patching vulnerabilities. Meanwhile, attackers must have an exploit for that exact server rather than for any one of the mail servers you are running. Remember that even if you somehow manage to patch every announced vulnerability within 12 hours, there is still some window of exposure there. And many bugs will still float around underground for months before you hear about them - take a look at the recent SAMBA exploit for just one example.

I'm certainly not saying that diversity is always bad. In some cases it makes sense. But don't treat it as a tenet of secure network design like "deny by default" or "defense in depth".

-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner [insecure.org]. Version 3.27 was released today.

Good Golly, it's simple common sense...

[jjwahl (81757)]

1. Only allow those ports that are absolutely necessary - i.e. HTTP, FTP, SMTP,...
2. Review log files daily. Make it part of your religion. Log files. Review. Daily.
3. Err on the side of being too restrictive.
4. Review log files daily. Make it part of your religion. Log files. Review. Daily.
5. Absolutely keep up to date with your virus signatures and patches for your workstations and servers.
6. Review log files daily. Make it part of your religion. Log files. Review. Daily.
7. Find a few quality security web sites (securityfocus.com [securityfocus.com], cert [cert.org] and others - check out DMOZ [dmoz.org] for a nice list of links...) and put them on your daily visit list. Make sure to go to several sites daily and use them to triangulate on what's relevant and important.
8. Review log files daily. Make it part of your religion. Log files. Review. Daily.
9. Visit the IT Security Cookbook [boran.com] and enjoy!!!
10. Review log files daily. Make it part of your religion. Log files. Review. Daily.
11. If you're running a web server on your network, check out the open web application security project [owasp.org]. The OWASP Top 10 [sourceforge.net] is a great tool to get you to think about how your web sites can be made more secure
12. Review log files daily. Make it part of your religion. Log files. Review. Daily.
13. Know that you're not ever going to secure everything 100% , but if you make security one of your daily duties and take a proactive approach to security instead of a reactive approach, you'll do better than 99% of the networks out there. Just be diligent, use common sense and stay on top of patches/updates and you'll be fine.
14. Review log files daily. Make it part of your religion. Log files. Review. Daily.

Re:Better yet...

[Rob Riggs (6418)]

Write a script that filters out non-suspicious activity in the logs so that you're left with only the stuff you want to see.

Or find one that already exists [logwatch.org], is well supported [gnu.org] and is widely used.

Mandatory Access Controls!

[Tracy Reed (3563)]

There's not a whole lot new and interesting in terms of security on the network side of things. Lay out your network properly, use a DMZ, firewall (preferably Linux's iptables with stateful firewalling and something like shorewall to make it easy to use) and use IDS etc. Actually, one kinda new and interesting you can do on the network side of things is to use User Mode Linux to set up a fake network (all running on one box) of tempting looking target machines simulating your production network and watch for people to poke at it. It serves as a good control subject to compare against your IDS results to reduce false positives. If anything is hitting your honeypot you know it's hostile.

But the real recent innovation in the host based security area is Mandatory Access Controls. ugo+rwx and unix uid's are all part of descretionary access controls. Users can make their .rhosts world writeable and can often use suid binaries or buffer overflows in daemons running as root to elevate their privs. But if you have a kernel enforced mandatory access control system these things cannot happen. I have been playing with SE Linux [nsa.gov] for a while now and I really
like it. I just created a security domain/role for the freenet daemon to run in. If someone exploits it and gets a root shell they will be trapped in freenets domain which is restricted to least priviledge. Even if they get root they cannot hurt the system. Mandatory Access Controls take the fangs out of root. I have put up my freenet domain config file for your viewing pleasure [ultraviolet.org]
here. Note that it is still a work in progress. SE Linux is very flexible and secures the entire machine from any root exploit I have seen used in recent years. It would have prevented my personal box from being rooted by that ssh bug that came out a couple years ago!

As they say, it is "Military grade security at Open Source prices!"

From an independant Network Security Auditor

[Inexile2002 (540368)]

Ok, this is what I do for a living and frankly I find WAY WAY WAY too many companies lock down ports, install patches configure a firewall well and then call their networks secure.

All of the technical fixes in the world are rubbish when the independent auditor requests a list of all users on the network, goes down to HR and discovers 20 or 30 active user IDs for people who don't work there any more. Worse, I'll find 5 or 10 more for people who have changed jobs but still have their old privileges. (The guy in Accounts Payable SHOULD NEVER be able to access the Accounts Receivable systems.)

Everyone in security knows a high percentage exploits and a higher percentage of serious exploits are carried out by people who had valid access to the systems. Security for a network or a system begins in HR and the processes for granting, modifying and revoking system authority are much more critical that what ports are open. So what if you keep the script kiddies out when your CIO's secretary writes herself a cheque for $1,000,000? If you're serious about securing your network, figure out what your users can do that they shouldn't and look to developing systems to prevent internal breaches.

When I do a network security audit, first I test the following: Segregation of duties and appropriateness of access, procedures for adding / changing and removing users, change management and a user access privilege testing. Is everything authorized? By who?

If those things pass mustard, then I start actually looking at server room access, patches, firewall configuration, network diagrams, open ports, system auditing and security levels. It's not as sexy as pitting your skills against the crackers (what a f**ked up notion of sexy I have) but it's where you need to start if you're serious.

Layers...lots of layers

[MerlynDavis (637066)]

I used to run network security for a prominent .com. In 2 years, we never got successfully penetrated. I stopped an awful lot of attacks, but I spent a lot of time, money and effort keeping the hackers out.

Use layered security...

Layer 1 - External Firewall - nothing comes in except exactly what you need where you need it to go to. HTTP only allowed in to the webservers, VPN to the VPN systems, etc. Tie an IDS into this firewall layer. SNORT works great...

Layer 2 - DMZ - Anything in this zone is considered compromised by default. Nothing further in should absolutely trust systems in this domain. Put at least one IDS in this zone..and make sure to not only check traffic from the outside, but track from this inside.

Layer 3 - Internal Firewall - Again...more security. Proxy servers, if you can, secured systems, more IDS systems, preferably a different one than the external one. Again, only let what data that you need to get through to get through.

Layer 4 - Internal network - VLAN's, IDS systems, and access lists. Make sure that traffic stays where it belongs, and make sure every system is backed up. Also, if you can afford it, Tripwire, or something along those lines...

CHECK YOUR LOGS If you don't review your logs regularly, you're begging to get hacked. You have to keep up on what's going on and update your defenses accordingly. A corollary...LOG EVERYTHING YOU CAN Disk space is cheap. Log everything...you may need it at some point...especially for after-attack forensics.

Make sure you are warned of possible intrusions somehow. My pager went off fairly often until I had my IDS systems tuned...but better an extra page and some minor panic than not knowing when a major hack happens...

What I used - Snort IDS, Cisco PIX firewalls, Linux box running IPFW, Cisco NetRanger IDS, Cisco Routers, 3Com & Cisco Switches, patched Windows boxes...(PATCH THOSE SYSTEMS OFTEN!)

Diversification?

[4of12 (97621)]

To nail the point down better, I'd rephrase that as "multiple layers of defense".

It goes without saying to this audience, but probably needs to be said multiple times to the people that manage your budget, but having defense in layers (i.e., serial) is more effective than having defense mechanisms side by side (parallel).

Make potential intruders go through all the doors of your dungeon, not just one.

That's easy to say and hard to do. The problem is that many dungeons (workplaces, whatever they're called these days) have obscure, lesser known secret doors that can let in the monsters if only that one door is discovered and compromised. Creative social engineering tricks are particularly devastating this way.

Some internal walls for damage control can be helpful in the event of an incident.

Standard spiel...

[gerardrj (207690)]

I post this most every time I run across a discussion of network security and the "evil hacker" protections people try to impliment.
Where is your IDS? At or near the firewall from your Internet connection I'm willing to bet.

Okay, now what about the malicous hacker wanna-be that lives within your trusted network. This could be a student in a campus lab, Jane doe in cubicle 12B who lilives a secret on-line life as Kamander KRak, or Dave Smith the quiet guy in the corder office who thinks he's about to get fired. What about those cleaning crew who have full access to every square inch of the facility at night without any supervision. What about The CEO who just brought a new WiFi notebook in and connected it to the LAN and offeres an open WAP to anyone within 200 feet of the office.

We all spend a whole lot of time and money securing our Internet connections and services from external hackers. Yet most managers/admins almost completely ignore the internal threats. And ONE inside job will do a lot more damage than a dozen attacks from outside.

Those on your LAN already have password access to the network and services. They know what servers to hit, they know what data is stored where. They know where the wiring closet is, and what equipment you run (your memos frequently tell them you are upgrading Windows from NT4 to 2000). They can open a closet door, or slide over a ceiling panel and easily connect a device to the monitoring port of thier distribution switch.

A comprehensive security plan needs to at least acnowledge these threats, and find ways to secure these services and components from otherwise trusted sources. IDS on each major server, physical lockdown of all remote network devices, regular/random physical inspections of the wiring closets. Some facilities may require that the night cleaning crews be cleared with at least a basic background check.

In my experience, protecting against outside attack is really rather trivial compared to protecting against the potential internal threat.

who reads this stuff?

[linuxbert (78156)]

YOU should.
the government produces these documnets for a reason. if anyone knows who to secure a system, its the government. read them and apply them as required.

Also you have much nice hardware. How about policy? Policy is more important. What happens when somone is hired/fired? Who is allowed to do what on the network? Do you have a business continuity plan? Is their a document that states how to recover from a disaster? Has it been tested? Have you ever had a Threat and Risk assesment preformed? If yes when was it last updated.

You have some good technical means to provide security, how about the rest? The government has wonderfull guides on how to do all this stuff, and although thick - they really are helpfull.

Five easy steps.

[plcurechax (247883)]

1. Education - Get educated about what information security is all about, you should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and known what criminals/attackers can do in your organization.

You can get a lot of this from several books and websites, such as Secrets and Lies [counterpane.com] by Bruce Schneier, the SANS Reading Room [sans.org], if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides [cccure.org] even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus [securityfocus.com].

2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization)

Tools like those from IBM Tivoli [ibm.com] or HP Openview [hp.com] can help here. For security specific vulnerability analyzer [infosecuritymag.com], open-source Nessus [nessus.org] and eEye's Retina [eeye.com], ISS's Internet Scanner [iss.net]

3. Policy - You need a plan and a document to give you and others guidenance, and this if your infosec policy.

Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security [cisecurity.org] for benchmarks, and SANS Reading Room - Auditing and Assessment [sans.org], and Site Security Handbook - RFC 2196 [ietf.org].

4. Implement -- Using your education, audits and policies you can now implement decent security.

Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.

5. Be vigilant - "Security is a process, not a product" - Bruce Schneier

Now the work begins, up to now it was the fun stuff, now you get to dig in with boring but important tasks such as analyzing log files, maintaining a accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and if you can afford it and it is warranted, external), educating users, and maintaining your security posture.

Best way to measure security is to measure it...

[jrl (4989)]

* Disclaimer * - I work for a Security Testing Company.

1st step in security is to perform a risk assessment. The goal of Risk Assessment is to determine if the security controls for a system are fully commensurate with its risks. Without having an understanding of your risk you are unable to determine the proper security policies, procedures, guidelines, and standards to put in place to ensure adequate security controls are implemented. We want to avoid putting a $1000 fence around a $100 horse, but at the same time avoid undue risk.

Once that is completed, you need to create a security policy. This policy is what your company is officially trying to accomplish with it's security initiatives. Until you know what your goals are, any money or time is not going to be well spent.

Once you believe you have your goals from the policy implemented, you may wish to have a Posture Assessment. Posture Assessment is the act of measuring the gap between your information security posture and your information security policy. This is a thorough review of your existing security policies where each stated goal is converted into a test module. Each test is run until a sufficient amount of data is collected to measure the existing posture (The security Posture is what the company is actualy doing).

Assuming the Policy and the Posture match, you may additionaly with to verify that all the bases are covered and request a verification Penetration Test on a specific set of systems with a stated goal for the test, or an out and out Ethical Hack attempt (same idea as a Penetration test, but not as limited in scope). This will uncover holes in not covered by the Security Policy.

You should also consider periodic testing. Some of this should be done internally, some is best to outsource.

A security test is only valid if it is:
* Quantifiable
-- Can be numerically measured

* Consistent and repeatable
-- Two testers would receive the same test results at the same time

* Valid beyond the "now" time frame
-- Lasts and remains valid longer than the wet ink on the report

* Based on the merit of the tester and analyst not on brands
-- It is based on smarts and not expensive tools

* Thorough
-- A complete test where nothing is left untested from the scope

* Compliant to individual and local laws and the human right to privacy
-- Puts the protection of personal privacy before corporate data

Re:Application choice as a security feature

[poot_rootbeer (188613)]

Our network is Novell, our e-mail is groupwise, and we don't use Cisco products.

Aaah yes... "Security through obsolescence".

Re:Here's an idea...

[acid_zebra (552109)]

yeah right.
That's OK if you live in magical budget candy land, but for the rest of us, this is not an option.

And besides; firewalls are NOT (read again; NOT) the end-all of security. Most exploits and viri attack the ports that are open anyway, your IIS webserver; your Exchange box(es), the FTP server etc. etc.

My 2 cents:
- lock down servers and workstations
- strip all rights from users and then give them ONLY the rights they need - update, update, update & patch
- firewall the edge of the network
- create a DMZ for all those vulnerable boxes on the edge of your network
- divide the network in VLANs (provided you take care of a big enough network)
- buy antivirus software with server-distributed automatic updates
- run a IDS on the edge of your network (snort et al)
- use Ntop (or a similar sniffer) for network traffic profiling so you can spot any anomalies
- Backup the important stuff every day and move the tapes offsite (make sure your backup WORKS; do a yearly restore drill)
- audit on a regular basis, either yourself or (if you live in magic budget candy land) by external consultants.
- AND MOST IMPORTANTLY:
EDUCATE YOUR USERS!
(which, admittedly, seems to be the hardest thing on my list, as I haven't managed to do it in 10 years+ of network management.