Security

Securing Your Network? 349

Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."
  • Honey Pot (Score:5, Funny)

    by Anonymous Coward on Monday April 28, 2003 @04:35PM (#5828513)
    I heard about this honey pot feature for network security. I installed them on each user's computer, but they keep using the honey in their tea. Maybe it was not installed correctly?
    • by TopShelf ( 92521 )
      You've got it all wrong - honey pot security is where you take some of your spouse's best joints and use them as bait around the data center...

    • I heard about this honey pot feature for network security. I installed them on each user's computer, but they keep using the honey in their tea. Maybe it was not installed correctly?

      Well, the simple solution would be to hire employees that like honey in their tea.

  • by delphi125 ( 544730 ) on Monday April 28, 2003 @04:35PM (#5828517)
    Since you posted this on /. you obviously aren't interested in security through obscurity!
  • by flynt ( 248848 ) on Monday April 28, 2003 @04:36PM (#5828520)
    I don't think I am the only one spending evenings and weekends playing around with yet another IDS.

    Think again!
    • No, he is not the only one ;-). But overall, security doesn't mean buying/installing more "stuff". Keep it simple! However, the idea to collaborate is good (see footer ;o) ).

      Sysadmins need to work together and stop trying to play 'security by obscurity'. Share with others and learn how to improve your network.
  • Keep it simple (Score:5, Insightful)

    by Lucky Kevin ( 305138 ) on Monday April 28, 2003 @04:37PM (#5828535) Homepage
    Allow only very few services and open just those ports. Probably HTTP, SMTP, FTP, SSH that's all.

    Keep Web and FTP on separate DMZ LANS.
    • by bwhaley ( 410361 ) * <bwhaley@g m a i l . c om> on Monday April 28, 2003 @04:55PM (#5828757)
      Probably HTTP, SMTP, FTP, SSH that's all.

      Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Ya, so the users complain about it, but they'll get over it. The University [colorado.edu] I attend recently switched from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you :)

      • Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Ya, so the users complain about it, but they'll get over it. The University [colorado.edu] I attend recently switched from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you :)

        I agree, I also recently made the switch from ftp to sftp/ssh. I thought the users would have a fit; however, I found a great sftp client called 'FileZilla
      • Anonymous FTP still has valid uses. Sure you could just serve up all your large files 1+ MB with a web server but they have to be encoded into text which can waste an extra 40% of bandwidth. It all depends on what your needs are I guess.
      • Took you long enough. We were talking about how insecure telnet was when I worked at CU back in '93. :)

        - Necron69
      • by ewhac ( 5844 ) on Monday April 28, 2003 @08:12PM (#5830383) Homepage Journal

        Why FTP? There is no need for it any more.

        I have a dinky little 166MHz Pentium laptop which is parked on my (wired) LAN 99% of the time. Depending on file content, file transmission over sftp or scp happens at about 55K bytes/sec. This is glacial (one-third the speed of a 1X CD-ROM drive). The problem is the time spent encrypting the data for transmission -- a 166 MHz Pentium just can't crank it out much faster.

        FTP has no encryption step, so file transfers happen at line speed. Of course, FTP has almost no security measures at all, transmitting passwords in the clear. However, for moving files among machines on my switched LAN (as opposed to the Internet), I see this as less of an issue.

        Ideally, I'd like sftp and scp to have the (obviously non-default) option of using secure authentication (encrypted passwords, etc.), but transfer the files themselves in the clear. I believe this would be useful in a wired LAN setting with anemic machines where the file contents are not considered sensitive (uploading MP3s and Vorbis files to your home jukebox, for instance). ssh does have the option of turning session encryption off, but it's a compile-time option none of the distros enable.

        Of course, in a wireless "LAN" setting, all the bets are off, and encryption should be de rigueur.

        Schwab

      • Unfortunately some web development clients only understand FTP and can't use sftp. I've played with replacing FTP with WEBDAV, but the DAV clients and servers out there do not interoperate well, yet. Especially it seems XP.

        My partial solution is to use a tool like pureftpd and use a different set of passwords and a different login file with pureftpd than what is in /etc/passwd. This means that some passwords ARE transmitted in the clear, and these passwords can be used to mangle a website, but the passw
      • Ya, so the users complain about it, but they'll get over.

        What kind of users are you talking about? The non-paying kind methinks, because the paying kind do not complain when they don't get their way, they just go away and stop paying you - that is if they ever paid you in the first place.

        This is the primary reason that Frontpage extensions still exist at all, despite the fact that no Unix sysadmin would touch it with a 10 foot pole if they had the choice. They can argue until they're blue in the face tha
    • Re:Keep it simple (Score:5, Insightful)

      by frodo from middle ea ( 602941 ) on Monday April 28, 2003 @05:06PM (#5828884) Homepage
      Also remember
      Most security breaches occur from within. Maybe an over-curious geek looking for holes in the network, or a disgruntled employee.

      These are the ones that you should concentrate on first. It's a simple 80-20 ratio thing.

      There's no point building up the strongest bastion when you have traitors within.

  • by theNetImp ( 190602 ) on Monday April 28, 2003 @04:39PM (#5828550)
    The way I secure my systems, is not to put them on a network, though it does make email a bitch...
  • by Anonymous Coward on Monday April 28, 2003 @04:40PM (#5828563)
    I look on the stock market: diversify [yourdictionary.com]. Don't put all your eggs in one basket.

    Thanks for the link, I didn't know what diversify meant.
  • by flynt ( 248848 ) on Monday April 28, 2003 @04:40PM (#5828564)
    I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?

    That's like saying you know someone has solved a very hard math problem that you need solved, but that you don't have time to find out how they did it. Why don't you read the literature not only from the NSA, but from the other various institutions that dedicate tremendous resources into investigating the problems you are trying to solve. It makes a lot more sense to do your research there rather than asking laypersons for their haphazard advice.
    • by SquadBoy ( 167263 ) on Monday April 28, 2003 @04:48PM (#5828660) Homepage Journal
      To answer the question and second you I *have* read the NSA docs along with a bunch of other stuff and you are 100% right. The knowledge and information to secure a network and secure it right is out there and it is just lazy not to know it if you are a person who is supposed to be doing this stuff. Start with "Secrets and Lies" to get you in the right frame of mind and then start reading the rest of the stuff. Then you can do it right.
    • by stikk ( 134509 ) on Monday April 28, 2003 @04:48PM (#5828667) Homepage
      > I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?

      I honestly have read every NSA guide publicly available on nsa.gov, they are usually in-depth and are a good starting point (with the exception of the DNS guide). I don't blindly accept everything they say, however it's my tax dollars working for me for once.

    • That's like saying you know someone has solved a very hard math problem that you need solved, but that you don't have time to find out how they did it. Why don't you read the literature not only from the NSA, but from the other various institutions that dedicate tremendous resources into investigating the problems you are trying to solve. It makes a lot more sense to do your research there rather than asking laypersons for their haphazard advice.


      I have read the NSA literature and find it accessible an
    • by Doug Merritt ( 3550 ) <doug AT remarque DOT org> on Monday April 28, 2003 @06:18PM (#5829548) Homepage Journal
      Why don't you read the literature not only from the NSA, but from the other various institutions

      In particular I recommend "Real World Linux Security" [amazon.com] , second edition, by Bob Toxen, which contains a wealth of useful information.

      Full disclosure: I know the author; I am doubtless biased. But I like the book and have found it quite handy.

      Here's an excerpt from an Amazon reviewer:

      Bob goes far beyond a simple how-to, teaching best security practices and his "Rings of Security" approach to keeping your information safe. The depth of knowledge contained within will appeal to security administrators across the enterprise. The book is by far the most useful security book on my shelf, and I continue to go back to it for reference.
    • The NSA stuff is very thorough, but keep in mind their basic security policy is very likely different from yours. In some cases you will want things tighter, in most other cases, you will be less stringent. A lot of NSA stuff is associated with the Common Criteria certification, specifically the descendant-of-C2, the old military-style discretionary access control (DAC). DAC is a reasonable fit to certain types of commercial security. In some cases DAC is too strict - requiring a server to BSOD because
  • by prgrmr ( 568806 ) on Monday April 28, 2003 @04:40PM (#5828565) Journal
    Our network is Novell, our e-mail is groupwise, and we don't use Cisco products. While not necessarily "low budget" in terms that the original poster implied, the net effect is that we don't have to contend with many of the viri that other companies running the typical MS products do. And yes, we most definitely still have to have a good firewall, and a good firewall config with the appropriate ports either shutdown or monitored, and we still run an e-mail scanner on in- and out-bound mail as well as McAfee on the desktops.
  • Think layers (Score:5, Insightful)

    by Blaine Hilton ( 626259 ) on Monday April 28, 2003 @04:40PM (#5828567) Homepage
    Not just diversify, but think in layers. Try to achieve a layered security approach, with the most sensitive data in the center of the security "sphere".

    Go calculate [webcalc.net] something

    • by Frostalicious ( 657235 ) on Monday April 28, 2003 @04:46PM (#5828632) Journal
      Not just diversify, but think in layers

      I laughed my ass off when I read this, because I read it as "think in lawyers". Security through litigation? If only that didn't happen.

    • by laugau ( 144794 ) on Monday April 28, 2003 @04:46PM (#5828637)
      Ogres have layers, onions have layers.

      Ogres are not like cake.

    • Not just diversify, but think in layers. Try to achieve a layered security approach, with the most sensitive data in the center of the security "sphere".

      Extremely important.... Furthermore, if you have your security vertically layered, you get security through diversity, while if every aspect of the diverse architecture is exposed, the attacker can pick and choose a way in, and you get *insecurity* through diversity.
    • Also think risk reduction, not risk elimination.

      Estimate the cost of the risk (potential impact X probability of occurrence).

      Compare this risk cost to the incremental cost of the security countermeasure or technique to see if it is really worth it.

    • by Mr.Ned ( 79679 )
      Shrek: Ogres are like onions.

      Donkey: They both smell?

      Shrek: NO! They have LAYERS. There's more to us underneath. So, ogres are like onions.

      Donkey: Yeah, but nobody LIKES onions!
  • by Neck_of_the_Woods ( 305788 ) * on Monday April 28, 2003 @04:41PM (#5828576) Journal

    Get all your shit working. Cut the lan/wan/internet lines, brick it in with no doors and spray the outside with teflon.

    Hire a muscle head with an 8th level Edu to guard the brick box with a baseball bat.

    Other than that you're just playing the odds like the rest of us.

    • by apankrat ( 314147 ) on Monday April 28, 2003 @04:49PM (#5828683) Homepage
      : .. cut the lan/wan/internet lines ..

      This is a very important part that is often overlooked as demonstrated by the following example [techweb.com] :

      The University of North Carolina has finally found a network server that, although missing for four years, hasn't missed a packet in all that time. Try as they might, university administrators couldn't find the server. Working with Novell Inc. (stock: NOVL), IT workers tracked it down by meticulously following cable until they literally ran into a wall. The server had been mistakenly sealed behind drywall by maintenance workers.

      • Jesus. They had to get outside help to figure out how to follow the CAT5 from the switch to the server? Amazing.
        • Re:This reminds me (Score:3, Insightful)

          by egburr ( 141740 )
          They had to get the networking people to identify which CAT5 wire to follow. If you have a whole bunch of switches and routers in your network, how do you physically find a machine? You have to track packets down the wire. What IP or MAC address are you looking for? Pick a starting point, then figure out if it is on this side or that side of the first router you come to. That much can be done with traceroute and arp. But, when you narrow it down to a large room with a few dumb switches and a lot of computers,
    • by TeknoHog ( 164938 ) on Monday April 28, 2003 @04:53PM (#5828735) Homepage Journal
      yeah, and for securing your music files, don't put all your oggs in one basket.
  • by Derg ( 557233 ) <alex.nunley@gmail.com> on Monday April 28, 2003 @04:43PM (#5828599) Journal
    Step 1) Unplug everything, carefully, minding straggling cables and connectors.

    Step 2) Arrange equipment in nice steel shipping container.

    Step 3) Toss the entire thing into the bowels of either your local foundry's furnace or your closest actively erupting volcano

    Step 4) Giggle because the poster never said the network had to work or anything....

  • ... don't put up any security, and don't put anything important (worth losing) on the box. Eventually, boredom will set into the hackers and they'll go onto something more challenging...

    At least I hope they will....
  • put firewalls between every server and the rest of the network... not one firewall, but one for each server (a dedicated firewall). You could do that with switches and the like but that's overkill. But in Paranoia mode it's all just good thinking. But can one be too paranoid in the name of security? I think so. Basically, produce a sound strategy that people don't look at and say "you're crazy!" then implement it and pray that nobody figures it out. The idea of having multiple vendors for security is good,
    • Re:Here's an idea... (Score:4, Informative)

      by acid_zebra ( 552109 ) <acidzebra.gmail@com> on Monday April 28, 2003 @05:36PM (#5829199) Homepage Journal
      yeah right.
      That's OK if you live in magical budget candy land, but for the rest of us, this is not an option.

      And besides; firewalls are NOT (read again; NOT) the end-all of security. Most exploits and viri attack the ports that are open anyway, your IIS webserver; your Exchange box(es), the FTP server etc. etc.

      My 2 cents:
      - lock down servers and workstations
      - strip all rights from users and then give them ONLY the rights they need - update, update, update & patch
      - firewall the edge of the network
      - create a DMZ for all those vulnerable boxes on the edge of your network
      - divide the network in VLANs (provided you take care of a big enough network)
      - buy antivirus software with server-distributed automatic updates
      - run an IDS on the edge of your network (snort et al)
      - use Ntop (or a similar sniffer) for network traffic profiling so you can spot any anomalies
      - Backup the important stuff every day and move the tapes offsite (make sure your backup WORKS; do a yearly restore drill)
      - audit on a regular basis, either yourself or (if you live in magic budget candy land) by external consultants.
      - AND MOST IMPORTANTLY:
      EDUCATE YOUR USERS!
      (which, admittedly, seems to be the hardest thing on my list, as I haven't managed to do it in 10 years+ of network management.)

  • by sterno ( 16320 ) on Monday April 28, 2003 @04:45PM (#5828627) Homepage
    A network is secure if it costs an intruder more to break in than the value of the information being protected.

    Network security must exist within a context of what is being protected and who would want to break in. If you are protecting your personal information, the amount of security that is needed is substantially less than if you are a major bank. Sure, your design might have some holes in it. In fact, I guarantee that it does, but if it's too much hassle to exploit those holes, then nobody's going to bother.

    • by Anonymous Coward
      The above statement is a common mantra. However there is an additional aspect. You must also factor in the cost of a compromise.

      My personal information may be of low value compared to a bank, but if I am compromised and find myself reinstalling from scratch or blowing past my bandwidth quota to pay for excessive traffic I have an additional cost. Likewise, if the bank is compromised it will have to pay in marketing (cover-up or spin) and possibly fines.

      In the end, though, a security professional can only
    • by Kargan ( 250092 ) on Monday April 28, 2003 @06:04PM (#5829427) Homepage
      Not entirely true. Often times the only thing a system needs to become a target is a high-speed 'Net connection. The compromised machine can then be used to scan other random subnets to find other machines to compromise to then use those to scan other random subnets...you get the idea.

      I'm ashamed to say I learned this particular point of interest myself, and only when root started getting mail from other admins wanting to know why our server was portscanning them.

      Live and learn, they say. I say wisdom is learning from someone else's mistake, such as mine. Hint: when Tripwire stops sending you messages, you may be compromised.
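      Two posts in this thread point at the same kind of data from opposite ends: acid_zebra suggests profiling traffic with Ntop so anomalies stand out, and Kargan describes a box that was only noticed once other admins complained it was portscanning them. The script below is an added example, not code from either poster: it reads a flow log (the records here are constructed sample data) and flags any source that talks to an unusually large number of distinct destination/port pairs inside a sliding window, which is what an outbound sweep looks like in a traffic profile. The window length and threshold are assumptions to be tuned against your own baseline.

```python
"""Flag hosts whose outbound traffic looks like a port or subnet sweep.

Added example, not from the Slashdot thread. Input is a plain flow log
with one record per line: timestamp src dst dst_port. The records below
are constructed; the 60 s window and the threshold of 8 distinct
(dst, port) pairs are assumptions to tune per network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: a quiet workstation plus one host walking a /24 on port 22
CONSTRUCTED_FLOWS = [
    "2003-04-28T16:00:01 10.1.1.20 10.1.1.5 80",
    "2003-04-28T16:00:02 10.1.1.20 10.1.1.5 443",
    "2003-04-28T16:00:03 10.1.1.20 10.1.1.6 25",
    "2003-04-28T16:01:30 10.1.1.20 10.1.1.5 80",
] + [
    f"2003-04-28T16:05:{i:02d} 10.1.1.42 192.0.2.{i} 22" for i in range(1, 21)
]
SAMPLE_FLOW_LOG = "\n".join(CONSTRUCTED_FLOWS)


def parse_flows(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_sweepers(flows, window=timedelta(seconds=60), max_distinct=8):
    """Return {src: peak_distinct_targets} for every source that contacted more
    than max_distinct distinct (dst, port) pairs within any window-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_src[src].append((ts, dst, port))

    peaks = {}
    for src, events in by_src.items():
        left = 0
        in_window = defaultdict(int)  # multiset of (dst, port) inside the window
        for ts, dst, port in events:
            in_window[(dst, port)] += 1
            # Slide the left edge forward until the window is at most `window` wide
            while ts - events[left][0] > window:
                old = (events[left][1], events[left][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > max_distinct:
                peaks[src] = max(peaks.get(src, 0), len(in_window))
    return peaks


if __name__ == "__main__":
    for src, peak in find_sweepers(parse_flows(SAMPLE_FLOW_LOG)).items():
        print(f"possible sweep from {src}: {peak} distinct targets in one window")
```

      Running it prints one line for 10.1.1.42 and nothing for the workstation. The point of keeping a baseline first (acid_zebra's Ntop step) is that the threshold comes from what your hosts normally do, not from a guess.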
  • secure? (Score:4, Insightful)

    by geekoid ( 135745 ) <dadinportland&yahoo,com> on Monday April 28, 2003 @04:45PM (#5828629) Homepage Journal
    "I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?"

    Anybody who considers security important.

  • Unfortunately (Score:5, Informative)

    by FreeLinux ( 555387 ) on Monday April 28, 2003 @04:47PM (#5828654)
    I don't think I am the only one spending evenings and weekends playing around with yet another IDS.

    Unfortunately, I suspect that we are among the few that do. Especially when you look at this [linuxsurveys.com] and this [linuxsurveys.com].

    I would say that you are definitely on the right track and that your network is probably more secure than most. Certainly more so than those that will respond to you here. The fact is that if you are in doubt, you should have an audit performed by a security expert. This person will review your policies, procedures and configurations and make appropriate recommendations. Additionally they will perform penetration testing both from inside and out and make subsequent recommendations.

    As I said above, I think you are on the right track and would guess that you have taken all of the necessary steps, and are hearing the complaints from your user community. But, the only thing that I would add is that you should never become complacent. Test your security regularly and use multiple tools to do it, and always the latest versions. Don't rely solely on a Nessus or nmap scan to validate your security. Also, when testing, remember that it isn't just a matter of whether you get in or not, you should also make sure that the attempt is properly caught in the logs, regardless of the attempt's success or failure.
  • Security show, (Score:3, Interesting)

    by Victor Tramp ( 5336 ) <{info} {at} {ross154.net}> on Monday April 28, 2003 @04:48PM (#5828666) Homepage
    What about approaching the Linux Public Broadcasting Network [lpbn.org] about doing a [[semi-]regular] show about security? Perhaps they'd be open to content like that?

    -vt
  • two steps (Score:5, Funny)

    by Anonymous Coward on Monday April 28, 2003 @04:48PM (#5828670)

    1) Fire developers

    2) Fire users

  • Simple. (Score:4, Interesting)

    by Eric_Cartman_South_P ( 594330 ) on Monday April 28, 2003 @04:48PM (#5828671)
    www.openbsd.org

    I welcome suggestions as to why Windows or even Linux would be a safer choice in regards to security.

    And OpenBSD with Evil Bit checking is even better. ;)

  • First and foremost (Score:5, Insightful)

    by Faust7 ( 314817 ) on Monday April 28, 2003 @04:49PM (#5828674) Homepage
    What do you consider to be a secure network?

    A properly patched one, Linux or Windows.
    • by 1984 ( 56406 )
      You should always patch. But remember (always) that patching protects you only from known, documented vulnerabilities. It does not protect you from undocumented vulnerabilities -- those which haven't been patched. There may be between zero and a lot of these for any component of the architecture.

      Beyond just trying to make each component secure, consider individually the consequences of each being compromised. You don't get much provably secure stuff out there on store shelves, so assume everything may be v

  • by flynt ( 248848 ) on Monday April 28, 2003 @04:49PM (#5828684)
    I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?

    Probably professionals who weren't picked to be the "security guy" by a game of spin the bottle at the last office meeting.
  • by Mononoke ( 88668 ) on Monday April 28, 2003 @04:50PM (#5828702) Homepage Journal
    As I was pondering the review results I wondered what a completely unbiased observer would think of my security.
    Just post a few IP addresses for us to try. We'll let you know.

    Really, we will.

    We won't break too much along the way.

    We promise.

    (It's humor, laugh.)

  • by Devios ( 603168 )
    By using multiple products, you indeed have a better chance of detecting and defending against attacks... That is, of course, assuming that you have someone trained to set up, monitor, maintain, and tweak each system you put into place AND that the correspondence between the parties responsible for each system allow correlation of seemingly unrelated data that indicates an attack or intrusion that would not be detected otherwise...

    The potentially enhanced visibility made available by using a heterogeneou
  • by revmoo ( 652952 ) <slashdot&meep,ws> on Monday April 28, 2003 @04:52PM (#5828720) Homepage Journal

    In my experience working on securing networks, I have found that the best approach is "Security through apathy". Sure I can get rooted easy, but boy do I have loads of free time now!

  • by pummer ( 637413 ) <spam&pumm,org> on Monday April 28, 2003 @04:56PM (#5828776) Homepage Journal
    ...anyway? Windows 2003 firewall includes all the security you'll ever need, unless a Morgan Webb lover hits your site up.
  • Patriot, Patriot II, the DMCA and the individual state SuperDMCA acts all provide that any efforts you take to "secure" your networks are illegal.

    "Securing" your networks hampers our efforts to roam freely through them, searching for any files/activities/writings that contravene the "Freedom from Thoughts" act, thus directly supporting terrorism.

    Trying to get advice on how to secure your networks interferes with our self-described legitimate efforts to make sure you aren't doing/listening/reading/thinking/considering thinking about things we've decided you shouldn't.

    Now just stand over there in the corner and wait. We'll be by to pick you up in a little while. And remember, running away supports terrorism.

  • by Gizzmonic ( 412910 ) on Monday April 28, 2003 @04:59PM (#5828804) Homepage Journal
    Use WindowsME with file sharing enabled and no patches as your firewall. Hackers will explode with excitement before they can intrude...leaving nothing behind but steaming puddles of Dr Pepper.

    You might think I'm joking but this actually works! Go ahead and try it, then post your IP address to this site. Your boss will thank you for the amazing audit!
  • First he says "As I was pondering the review results I wondered what a completely unbiased observer would think of my security." Then, he Asks Slashdot.

    Oh, the irony.
  • KISS (Score:5, Informative)

    by CommonSalt ( 580630 ) on Monday April 28, 2003 @05:00PM (#5828811)
    Always know exactly what ports you have open.
    Don't let any attachments in.
    Have DMZ's.
    Pay attention to bugtraq and errata postings.
    Nmap every once in a while.
    Only have two ssh's open to get in and have the IPs defined in hosts.allow.
    ALWAYS upgrade when security bugs are fixed.
    Have snort on the main DMZ in a promiscuous switch port, get some nice looking reports going.
    Pay attention to bandwidth usage ( cricket ).
    Add a dash of portsentry+tcpwrappers.
    Don't act macho and send nasty letters to people who try to get in.
    Maybe, don't return pings ( tcp-reset ) or portscans.
    Bind 9 with zones.
    Check all logs all the time (3 times a week).
    KISS = keep it simple stupid.
    Don't hire lazy admins.
    Try out all new security related programs.
    I SHOULD be sending most all logs to a central host.
    Make sure MS admins don't totally let their guard down.

    *pant*pant*. ummmmm, that's about it for now.

    Oh and don't enable web crap on routers etc (more ports open).
    ssh for everything.
    shut down telnet.
    https for everything.
    Try to protect email, imap, pop (plaintext over the network).
    Read the "security" section of all apps you install and try to KISS.
    ummmmmmmm, that's about it for me.

    everyone already knows this but I'm just throwing in my 2 cents :-)
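    CommonSalt's first item ("always know exactly what ports you have open") and the "Nmap every once in a while" item only pay off if the scan is compared against a written-down expectation rather than eyeballed. The following is an added example, not CommonSalt's code or anything from nmap itself: it parses nmap's greppable (-oG) output, which is a constructed sample here, and diffs the open ports it finds against a per-host baseline, reporting both ports that should not be open and expected services that have gone missing. The baseline dictionary and host addresses are assumptions.

```python
"""Compare open ports from an nmap -oG scan against a documented baseline.

Added example, not from the thread. The greppable output below is a
constructed sample in nmap's -oG line format (tab-separated fields,
ports listed as port/state/proto/owner/service/rpc/version/). The
EXPECTED_PORTS baseline is an assumption standing in for your own
inventory of what each host is supposed to expose.
"""
import re

SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.0.2.10 (www.example.org)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 (ftp.example.org)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.0.2.12 ()\tStatus: Down
"""

# Baseline: what each host is documented as exposing (assumed values)
EXPECTED_PORTS = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 21), ("tcp", 22)},
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_gnmap(text):
    """Return {ip: {(proto, port), ...}} of ports nmap reported as open."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Each tab-separated field is "Name: value"
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = set()
        for port, state, proto in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":
                ports.add((proto, int(port)))
        open_ports[ip] = ports
    return open_ports


def audit(open_ports, expected):
    """List (ip, proto, port, finding) for every deviation from the baseline."""
    findings = []
    for ip in sorted(set(open_ports) | set(expected)):
        seen = open_ports.get(ip, set())
        want = expected.get(ip, set())
        for proto, port in sorted(seen - want):
            findings.append((ip, proto, port, "unexpected open"))
        for proto, port in sorted(want - seen):
            findings.append((ip, proto, port, "expected but not open"))
    return findings


if __name__ == "__main__":
    for ip, proto, port, finding in audit(parse_gnmap(SAMPLE_GNMAP), EXPECTED_PORTS):
        print(f"{ip} {proto}/{port}: {finding}")
```

    On the sample the telnet and proxy ports on the second host come out as unexpected, which is exactly the "shut down telnet" item further down the list showing up as a measurable fact rather than a reminder. A host that drops off the scan entirely shows up as its expected ports going missing, so the check also catches the case where the scanner's view of the network changed.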

    • Don't act macho and send nasty letters to people who try to get in.

      But that's the best part of being a security admin! At least the ones I've worked with. That and making sure nobody can get any work done.

  • by jd ( 1658 )
    IMHO, security is many-many-faceted. But for "total security" - ie: guaranteed trustability - then you need to look at the Byzantine Generals' Problem.


    In this, you have a general with N subordinates who, through various channels of communication, give orders to M end-points. The papers on the problem detail how you can have assured communication between the general (you, or the master node of a cluster, or whatever) and any execution nodes.

  • by Abm0raz ( 668337 ) on Monday April 28, 2003 @05:01PM (#5828823) Journal
    ... I'll give a serious answer.

    I work for a moderate sized engineering consultation company (500+ employees all over the east coast). We have over a dozen offices from Florida to Maine. All are connected by a VPN using frame relay. At each access node, there is a Cisco Router/switch controlling what traffic can come in and out. Behind that is a firewall, NAT, and DHCP server (each office runs on a separate private IP group). All external traffic (i.e. not on the VPN) must go to the main headquarters and pass through the proxy before making it out to the "real world." We also have several web, ftp, and email servers in the private IP realm that are NAT'd to the outside. All incoming packets from the outside world must go through the Router, Firewall, NAT, Virus Scanner, Mail Content Scanner (read: anti-spam detector) before making it to the target machine.

    Software-wise, we are Novell users (mod me down if you want, but it is a hell of a lot better than M$). Every user has 1 concurrent log-in with very few exceptions (IT staff being 1 of them). Users cannot pass through the proxy or access any file servers without full LDAP authentication. This includes email, web browsing, ftp, etc. All logins are fully logged to time, machine and duration. Passworded screen savers automatically kick in after 10 minutes of idleness and users are auto-logged off after 30 minutes of idleness. Strong passwords are enforced (9+ characters, 3 of 4 ({CAPS, lower, 1234, !@#$}), no repeating of past passwords, no dictionary words). L0phtcrack is used randomly to check for weak passwords.

    I consider our systems to be fairly secure, given that most of the system is redundant as well as obscure to all but a few people in IS. It's a combination of cyber-armor and security through obscurity.

    Hope this helps.
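    Abm0raz's password rules (9+ characters, 3 of 4 character classes, no reuse of past passwords, no dictionary words) are concrete enough to write down as a checker. The code below is an added example, not Abm0raz's or Novell's implementation: it evaluates a candidate password against exactly those four rules and returns every violation rather than just the first, so a user sees all of what needs fixing. The tiny word list is constructed, and the salted SHA-256 used for the history is a stand-in (a real directory would use a slow, purpose-built password hash); both are assumptions.

```python
"""Password policy checker for the four rules in the post above.

Added example, not the poster's code. Rules implemented:
  1. at least 9 characters
  2. at least 3 of the 4 classes upper / lower / digit / punctuation
  3. no dictionary words (substring match, case-insensitive)
  4. not equal to any password in the user's history
The word list is a constructed stub and the history hash is salted
SHA-256 purely for illustration; a deployment would use a proper
password hash such as bcrypt or scrypt and a real dictionary.
"""
import hashlib
import os
import string

COMMON_WORDS = {"password", "welcome", "letmein", "company", "spring"}  # constructed stub


def hash_pw(pw, salt):
    # Assumption: salted SHA-256 stands in for the directory's own password hash
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def remember(history, pw):
    """Append a (salt, digest) pair so the plaintext never has to be kept."""
    salt = os.urandom(16)
    history.append((salt, hash_pw(pw, salt)))


def _character_classes(pw):
    return sum([
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw, history, dictionary=COMMON_WORDS, min_len=9, min_classes=3):
    """Return a list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if _character_classes(pw) < min_classes:
        problems.append(f"uses fewer than {min_classes} of 4 character classes")
    lowered = pw.lower()
    # Only words of 4+ letters count, so "a" or "the" do not reject everything
    if any(word in lowered for word in dictionary if len(word) >= 4):
        problems.append("contains a dictionary word")
    if any(hash_pw(pw, salt) == digest for salt, digest in history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    hist = []
    remember(hist, "Tr0ub4dor&3x")
    for candidate in ["Tr0ub4dor&3x", "password1", "short1!", "C0rrect-H0rse"]:
        print(candidate, "->", check_password(candidate, hist) or "OK")
```

    Checking the history by recomputing each salted hash is deliberate: the comparison has to work without ever storing old passwords in the clear, which is the same reason L0phtcrack has to crack the hashes rather than read them.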
  • by hoggoth ( 414195 ) on Monday April 28, 2003 @05:01PM (#5828830) Journal
    Your network is pretty secure compared to the average. However, ...

    Your root password is "sheila".
    Your social security number is 182-90-6134.
    You just broke up with your girlfriend.
    And you really ought to get a disk-wipe program to remove all traces of those deleted pornos.

  • Low budget (Score:2, Informative)

    by PD ( 9577 ) *
    Make an attack tree. All it takes is pencil and paper.

    For my home network, it's pretty simple. Just me and a few computers, and few assets to protect. One of the trees might be how people might steal my pr0n collection. No big deal.

    Once you have your attack trees written out, then you secure and document how you secure against each and every one of the attacks. For my pr0n collection, it comes down to 1) locking the front door and windows to my house 2) setting the burglar alarm 3) running a firewall 4) k
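    PD's pencil-and-paper attack tree can also be evaluated mechanically once each leaf carries a rough attacker cost, which is the form Schneier gives it in the "Secrets and Lies" book recommended earlier in this thread. The following is an added example, not PD's tree or code: it models a tree with OR nodes (any child suffices) and AND nodes (all children are needed), finds the cheapest attack, and then shows how raising the cost of one leaf with a countermeasure changes which path is cheapest. The tree mirrors PD's home example; every cost figure is invented for illustration.

```python
"""Attack tree with cheapest-path evaluation.

Added example, not from PD's post. OR nodes are satisfied by their
cheapest child; AND nodes need every child, so their cost is the sum.
Costs are invented illustrative numbers in arbitrary units.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" or "and"
    cost: float = 0.0           # attacker cost; meaningful for leaves only
    children: list = field(default_factory=list)


def cheapest(node):
    """Return (total_cost, [leaf names]) for the cheapest attack through node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        total = sum(r[0] for r in results)
        return total, [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_countermeasure(node, leaf_name, added_cost):
    """Copy the tree with one leaf's attacker cost raised by a countermeasure."""
    if node.kind == "leaf":
        extra = added_cost if node.name == leaf_name else 0.0
        return Node(node.name, "leaf", node.cost + extra)
    return Node(node.name, node.kind, 0.0,
                [with_countermeasure(c, leaf_name, added_cost) for c in node.children])


# PD's home example, with invented costs
HOME_TREE = Node("steal the file collection", "or", children=[
    Node("burgle the house", "and", children=[
        Node("open front door or window", cost=50),
        Node("defeat burglar alarm", cost=300),
        Node("carry off the PC", cost=20),
    ]),
    Node("break in over the network", "and", children=[
        Node("get through the firewall", cost=200),
        Node("exploit the file server", cost=150),
    ]),
    Node("talk the owner into sharing", cost=400),
])


if __name__ == "__main__":
    cost, path = cheapest(HOME_TREE)
    print(f"cheapest attack now: {cost} via {path}")
    hardened = with_countermeasure(HOME_TREE, "get through the firewall", 200)
    cost, path = cheapest(hardened)
    print(f"after hardening the firewall: {cost} via {path}")
```

    The second line of output is the useful one: after the firewall leaf gets more expensive, the cheapest path moves to the physical break-in, which tells you the next countermeasure belongs on the alarm or the door rather than on yet another network device. That is the "document how you secure against each attack" step with the priorities made explicit.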
  • by Frater 219 ( 1455 ) on Monday April 28, 2003 @05:04PM (#5828861) Journal
    A lot of the dialogue on computer security takes it as read that security is about keeping hackers out or about patching holes or about reducing exposure by blocking attacks ... or something of that ilk. I'd like to suggest that none of these are really what people want out of security, and while they may provide useful tactical steps they do not provide the insight needed for an overarching security strategy.

    Here's what I would offer as a cornerstone for thinking about your systems' security: A secure component is one that keeps its word. That is, it provides guarantees -- assurances -- of its behavior, and it meets those guarantees. Because it provides these guarantees, other components can depend upon it (though they need not depend exclusively upon it). And once a system is built out of dependable components, staff can place their trust in it and not be betrayed.

    Take an example: a firewall. A firewall is commonly thought of as a tool for blocking attacks or reducing exposure. I would suggest that it is, rather, a tool for providing assurance that certain traffic will not enter the network from a certain point. Systems behind the firewall should not be thought of as being made "more secure" (what muddy thinking!) on account of the firewall's presence. They should be thought of as receiving a guarantee from the firewall that certain traffic will not enter.

    This allows for evaluation. Under the blocking-attacks model, we must rate a firewall as doing its job if it blocks attacks. Which attacks? "Uh -- some attacks, the ones from the other side of the firewall." But what about attacks from other places? "Uh -- the firewall can't help you there, it's only at the border." But then what good is it? "Uh -- it makes your security better. That's what everyone says." With a clear understanding of the guarantees the firewall provides, we can evaluate its success with a clearer mind: does it succeed or fail at meeting those guarantees?

    (Microsoft's marketing folks recognize that people want dependability when they talk about "trusted computing". They're using it as a nasty trick, of course, but they have the right words. By "secure system" people don't just want a system that rejects today's attacks, but one that provides dependable assurances of its behavior. Too bad they are wasting the memetic capital of the phrase "trusted computing" on a despicable power grab.)

  • by fv ( 95460 ) <fyodor@insecure.org> on Monday April 28, 2003 @05:08PM (#5828900) Homepage
    > I like to look at network security with the same attitude as I look on
    > the stock market: diversify. Don't put all your eggs in one basket.

    That is certainly true in the stock market, but I would be careful about applying it to network security. Adding a new stock to your portfolio does not place your other stocks at greater risk. Yet every new network service/machine you add _does_ increase the risk to the rest of your network. If an attacker manages to get a foothold into one of your machines, there are a myriad of ways that she [insecure.org] can leverage that access to further compromise your network.

    Adding a new service is like having to defend a new front in a war. You have to divide your administrative effort into securing all of your systems, while the bad guys need only break through one of the defenses. So I would generally recommend standardizing on (say) a locked-down qmail, rather than putting out a "diverse" network that includes qmail, postfix, sendmail, exim, etc. Choosing one of those (even if you have instances on many machines) allows you to put more effort into locking it down, learning about it, and watching for & patching vulnerabilities. Meanwhile, attackers must have an exploit for that exact server rather than for any one of the mail servers you are running. Remember that even if you somehow manage to patch every announced vulnerability within 12 hours, there is still some window of exposure there. And many bugs will still float around underground for months before you hear about them - take a look at the recent SAMBA exploit for just one example.

    I'm certainly not saying that diversity is always bad. In some cases it makes sense. But don't treat it as a tenet of secure network design like "deny by default" or "defense in depth".

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner [insecure.org]. Version 3.27 was released today.

  • by digital photo ( 635872 ) on Monday April 28, 2003 @05:08PM (#5828904) Homepage Journal

    Seriously, it's true. Security isn't something you set up and put into place and just let it fester or sit.

    What you've done is started packing for the journey. Gathering your tools and getting it all setup to go with you as you move forward.

    But as effective as some security measures are, they still need to be tended to. Watched over. Tweaked. That's the journey.

    Along the way, you will find new tools. You might even be waylaid by someone with better tools than you. Surely, you haven't arrived.

    And you never will. Your security, through watchfulness, effort, and action, will improve as you improve and move forward.

    It is bad security to see security as something you plan, implement, and walk away from. That leaves you prone to holes and highly creative or bored individuals out there.

    Security is something that is ongoing.

    A home user using a simple firewall package who is diligent with watching the logs and keeping up on security bulletins for the software, the os, and the system in general will be much safer than a multi-layer security system that no one bothers to watch or that can't be easily understood by those watching.

  • by jjwahl ( 81757 ) on Monday April 28, 2003 @05:09PM (#5828915) Homepage
    1. Only allow those ports that are absolutely necessary - i.e. HTTP, FTP, SMTP,...
    2. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    3. Err on the side of being too restrictive.
    4. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    5. Absolutely keep up to date with your virus signatures and patches for your workstations and servers.
    6. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    7. Find a few quality security web sites (securityfocus.com [securityfocus.com], cert [cert.org] and others - check out DMOZ [dmoz.org] for a nice list of links...) and put them on your daily visit list. Make sure to go to several sites daily and use them to triangulate on what's relevant and important.
    8. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    9. Visit the IT Security Cookbook [boran.com] and enjoy!!!
    10. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    11. If you're running a web server on your network, check out the open web application security project [owasp.org]. The OWASP Top 10 [sourceforge.net] is a great tool to get you to think about how your web sites can be made more secure
    12. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    13. Know that you're not ever going to secure everything 100% , but if you make security one of your daily duties and take a proactive approach to security instead of a reactive approach, you'll do better than 99% of the networks out there. Just be diligent, use common sense and stay on top of patches/updates and you'll be fine.
    14. Review log files daily. Make it part of your religion. Log files. Review. Daily.
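An added example, not from the list above, of what a daily log review can be reduced to when it is scripted: a pass over packet-filter log lines that reports the noisiest dropped sources, sources probing many distinct ports, and accepted inbound connections to ports outside the allow-list from item 1. The log lines, the address ranges and the allow-list are all constructed here.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the style of a kernel packet-filter log, using
# TEST-NET addresses. Not taken from any real system.
SAMPLE_LOG = """\
Apr 28 05:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Apr 28 05:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Apr 28 05:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Apr 28 05:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
Apr 28 05:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=110
Apr 28 05:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=143
Apr 28 05:02:10 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1434 DPT=1434
Apr 28 05:02:11 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=1434 DPT=1434
Apr 28 05:03:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Apr 28 05:03:05 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=51001 DPT=3389
Apr 28 05:03:07 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP
"""

LINE_RX = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=(?P<iface>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

# Item 1 of the list: the only inbound ports this (constructed) site needs.
ALLOWED_INBOUND = {21, 25, 80}


def parse(lines: Iterable[str]) -> List[dict]:
    """Pull the fields out of each line; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RX.search(line)
        if m:
            ev = m.groupdict()
            ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None   # ICMP has no port
            events.append(ev)
    return events


def review(lines: Iterable[str], scan_threshold: int = 5) -> Dict[str, list]:
    """Daily review summary: noisiest dropped sources, sources probing many
    distinct ports, and accepted traffic to ports outside the allow-list."""
    drops: Counter = Counter()
    ports_by_src: Dict[str, set] = defaultdict(set)
    outside_policy: List[Tuple[str, int]] = []
    for ev in parse(lines):
        if ev["action"] == "DROP":
            drops[ev["src"]] += 1
            if ev["dpt"] is not None:
                ports_by_src[ev["src"]].add(ev["dpt"])
        elif ev["dpt"] is not None and ev["dpt"] not in ALLOWED_INBOUND:
            # Accepted but not on the allow-list: a rule that needs a second look.
            outside_policy.append((ev["src"], ev["dpt"]))
    scans = sorted(src for src, ports in ports_by_src.items()
                   if len(ports) >= scan_threshold)
    return {
        "top_drops": drops.most_common(5),
        "probable_scans": scans,
        "outside_policy": outside_policy,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```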
  • What if your IDS breaks or your firewall breaks and you need to run during that repair line without it? What if you never bothered securing the hosts because you HAD a firewall to catch everything so you didn't need to worry?

    We have a firewall, IDS, packetshaper, and a few other network toys. And if they were all removed from the network, the servers are still patched, still only have the services needed available, still use tcp wrappers, still use host based firewalls, still have things like tripwire
  • by Tracy Reed ( 3563 ) <treed@ultraviolet.oMONETrg minus painter> on Monday April 28, 2003 @05:13PM (#5828960) Homepage
    There's not a whole lot new and interesting in terms of security on the network side of things. Lay out your network properly, use a DMZ, firewall (preferably Linux's iptables with stateful firewalling and something like shorewall to make it easy to use) and use IDS etc. Actually, one kinda new and interesting thing you can do on the network side of things is to use User Mode Linux to set up a fake network (all running on one box) of tempting looking target machines simulating your production network and watch for people to poke at it. It serves as a good control subject to compare against your IDS results to reduce false positives. If anything is hitting your honeypot you know it's hostile.

    But the real recent innovation in the host based security area is Mandatory Access Controls. ugo+rwx and unix uids are all part of discretionary access controls. Users can make their .rhosts world writeable and can often use suid binaries or buffer overflows in daemons running as root to elevate their privs. But if you have a kernel enforced mandatory access control system these things cannot happen. I have been playing with SE Linux [nsa.gov] for a while now and I really like it. I just created a security domain/role for the freenet daemon to run in. If someone exploits it and gets a root shell they will be trapped in freenet's domain which is restricted to least privilege. Even if they get root they cannot hurt the system. Mandatory Access Controls take the fangs out of root. I have put up my freenet domain config file for your viewing pleasure [ultraviolet.org] here. Note that it is still a work in progress. SE Linux is very flexible and secures the entire machine from any root exploit I have seen used in recent years. It would have prevented my personal box from being rooted by that ssh bug that came out a couple years ago!

    As they say, it is "Military grade security at Open Source prices!"

  • Whatever sort of arrangement you decide on, I hope you're taking the time to document it properly. Troubleshooting or modifying multi-layered, redundant configurations (security or otherwise) can get really confusing, even if you're the one who designed it in the first place.

    Take time along the way to write down how everything is configured, why it's configured that way, and any unusual exceptions or special cases. Include "obvious" stuff, too.

    After everything is in place, go back and and make sure everyt
  • Having firewall, servers on DMZ, IDS and all stuff in place won't suffice to achieve high level network security.

    You've got to build strict policies regarding all aspects of your systems and network infrastructure and also write down some procedures and guidelines to enforce those policies.

    Training also plays a major role and should target the user crowd - stating clearly what is and what is NOT allowed and why, the admin crew - guiding them through the principles of security-minded system and network
  • It's not easy to answer a question like this in a few words, but here are some key notions.

    (1) Design your security around risk.

    "Risk" is actually well-defined in finance and such areas: R=P*H where risk, R is the cost of the undesired event -- the hazard, H -- times the probability P of the undesired event. This is basically the "expected loss", and if you are spending more than the expected loss, you're losing money.

    This means, of course, that you need to figure out what the acceptable risk is. This
  • by Inexile2002 ( 540368 ) on Monday April 28, 2003 @05:33PM (#5829175) Homepage Journal
    Ok, this is what I do for a living and frankly I find WAY WAY WAY too many companies lock down ports, install patches, configure a firewall well and then call their networks secure.

    All of the technical fixes in the world are rubbish when the independent auditor requests a list of all users on the network, goes down to HR and discovers 20 or 30 active user IDs for people who don't work there any more. Worse, I'll find 5 or 10 more for people who have changed jobs but still have their old privileges. (The guy in Accounts Payable SHOULD NEVER be able to access the Accounts Receivable systems.)

    Everyone in security knows a high percentage of exploits and a higher percentage of serious exploits are carried out by people who had valid access to the systems. Security for a network or a system begins in HR and the processes for granting, modifying and revoking system authority are much more critical than what ports are open. So what if you keep the script kiddies out when your CIO's secretary writes herself a cheque for $1,000,000? If you're serious about securing your network, figure out what your users can do that they shouldn't and look to developing systems to prevent internal breaches.

    When I do a network security audit, first I test the following: segregation of duties and appropriateness of access, procedures for adding / changing and removing users, change management and user access privilege testing. Is everything authorized? By whom?

    If those things pass muster, then I start actually looking at server room access, patches, firewall configuration, network diagrams, open ports, system auditing and security levels. It's not as sexy as pitting your skills against the crackers (what a f**ked up notion of sexy I have) but it's where you need to start if you're serious.
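An added example, not from the comment, of the first test it describes: reconciling the directory's enabled accounts against the HR roster to find leavers who still have accounts, accounts with no HR record at all, and people who changed jobs but kept their old groups (the Accounts Payable user who can still reach Accounts Receivable). The roster, directory and the department-to-group model are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str      # "terminated", "orphan" or "excess_privilege"
    detail: str


# Constructed role model: the groups each department may legitimately hold.
# An Accounts Payable user must never hold Accounts Receivable access.
ALLOWED_GROUPS: Dict[str, Set[str]] = {
    "accounts_payable": {"ap_users", "erp_readonly"},
    "accounts_receivable": {"ar_users", "erp_readonly"},
    "it": {"admins", "erp_readonly"},
}


def audit_accounts(hr_roster: Dict[str, dict], directory: Dict[str, dict]) -> List[Finding]:
    """Reconcile enabled directory accounts against the HR roster.

    hr_roster:  user id -> {"status": "active" | "terminated", "dept": department}
    directory:  user id -> {"enabled": bool, "groups": set of group names}
    """
    findings: List[Finding] = []
    for uid, acct in sorted(directory.items()):
        if not acct["enabled"]:
            continue                     # disabled accounts are not a live risk here
        record = hr_roster.get(uid)
        if record is None:
            findings.append(Finding(uid, "orphan", "enabled account with no HR record"))
            continue
        if record["status"] != "active":
            findings.append(Finding(uid, "terminated", f"HR status is {record['status']}"))
            continue
        excess = acct["groups"] - ALLOWED_GROUPS.get(record["dept"], set())
        if excess:
            findings.append(Finding(
                uid, "excess_privilege",
                f"{record['dept']} user still holds {', '.join(sorted(excess))}"))
    return findings


# Constructed sample data: dave moved from AR to AP but kept his AR group,
# carol left the company, erin exists only in the directory, frank is disabled.
HR_ROSTER = {
    "alice": {"status": "active", "dept": "accounts_payable"},
    "bob":   {"status": "active", "dept": "accounts_receivable"},
    "carol": {"status": "terminated", "dept": "accounts_receivable"},
    "dave":  {"status": "active", "dept": "accounts_payable"},
    "frank": {"status": "terminated", "dept": "it"},
}

DIRECTORY = {
    "alice": {"enabled": True, "groups": {"ap_users", "erp_readonly"}},
    "bob":   {"enabled": True, "groups": {"ar_users"}},
    "carol": {"enabled": True, "groups": {"ar_users"}},
    "dave":  {"enabled": True, "groups": {"ap_users", "ar_users"}},
    "erin":  {"enabled": True, "groups": {"erp_readonly"}},
    "frank": {"enabled": False, "groups": {"admins"}},
}

if __name__ == "__main__":
    for f in audit_accounts(HR_ROSTER, DIRECTORY):
        print(f"{f.user:6} {f.issue:17} {f.detail}")
```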
  • by MerlynDavis ( 637066 ) on Monday April 28, 2003 @05:52PM (#5829332)
    I used to run network security for a prominent .com. In 2 years, we never got successfully penetrated. I stopped an awful lot of attacks, but I spent a lot of time, money and effort keeping the hackers out.

    Use layered security...

    Layer 1 - External Firewall - nothing comes in except exactly what you need where you need it to go to. HTTP only allowed in to the webservers, VPN to the VPN systems, etc. Tie an IDS into this firewall layer. SNORT works great...

    Layer 2 - DMZ - Anything in this zone is considered compromised by default. Nothing further in should absolutely trust systems in this domain. Put at least one IDS in this zone..and make sure to not only check traffic from the outside, but also from the inside.

    Layer 3 - Internal Firewall - Again...more security. Proxy servers, if you can, secured systems, more IDS systems, preferably a different one than the external one. Again, only let what data that you need to get through to get through.

    Layer 4 - Internal network - VLANs, IDS systems, and access lists. Make sure that traffic stays where it belongs, and make sure every system is backed up. Also, if you can afford it, Tripwire, or something along those lines...

    CHECK YOUR LOGS. If you don't review your logs regularly, you're begging to get hacked. You have to keep up on what's going on and update your defenses accordingly. A corollary...LOG EVERYTHING YOU CAN. Disk space is cheap. Log everything...you may need it at some point...especially for after-attack forensics.

    Make sure you are warned of possible intrusions somehow. My pager went off fairly often until I had my IDS systems tuned...but better an extra page and some minor panic than not knowing when a major hack happens...

    What I used - Snort IDS, Cisco PIX firewalls, Linux box running IPFW, Cisco NetRanger IDS, Cisco Routers, 3Com & Cisco Switches, patched Windows boxes...(PATCH THOSE SYSTEMS OFTEN!)

  • Diversification? (Score:5, Insightful)

    by 4of12 ( 97621 ) on Monday April 28, 2003 @05:59PM (#5829381) Homepage Journal

    To nail the point down better, I'd rephrase that as "multiple layers of defense".

    It goes without saying to this audience, but probably needs to be said multiple times to the people that manage your budget: having defense in layers (i.e., serial) is more effective than having defense mechanisms side by side (parallel).

    Make potential intruders go through all the doors of your dungeon, not just one.

    That's easy to say and hard to do. The problem is that many dungeons (workplaces, whatever they're called these days) have obscure, lesser known secret doors that can let in the monsters if only that one door is discovered and compromised. Creative social engineering tricks are particularly devastating this way.

    Some internal walls for damage control can be helpful in the event of an incident.

  • Standard spiel... (Score:4, Insightful)

    by gerardrj ( 207690 ) on Monday April 28, 2003 @06:37PM (#5829682) Journal
    I post this most every time I run across a discussion of network security and the "evil hacker" protections people try to implement.
    Where is your IDS? At or near the firewall from your Internet connection, I'm willing to bet.

    Okay, now what about the malicious hacker wanna-be that lives within your trusted network? This could be a student in a campus lab, Jane Doe in cubicle 12B who lives a secret on-line life as Kamander KRak, or Dave Smith the quiet guy in the corner office who thinks he's about to get fired. What about the cleaning crew who have full access to every square inch of the facility at night without any supervision? What about the CEO who just brought a new WiFi notebook in and connected it to the LAN and offers an open WAP to anyone within 200 feet of the office?

    We all spend a whole lot of time and money securing our Internet connections and services from external hackers. Yet most managers/admins almost completely ignore the internal threats. And ONE inside job will do a lot more damage than a dozen attacks from outside.

    Those on your LAN already have password access to the network and services. They know what servers to hit, they know what data is stored where. They know where the wiring closet is, and what equipment you run (your memos frequently tell them you are upgrading Windows from NT4 to 2000). They can open a closet door, or slide over a ceiling panel and easily connect a device to the monitoring port of their distribution switch.

    A comprehensive security plan needs to at least acknowledge these threats, and find ways to secure these services and components from otherwise trusted sources. IDS on each major server, physical lockdown of all remote network devices, regular/random physical inspections of the wiring closets. Some facilities may require that the night cleaning crews be cleared with at least a basic background check.

    In my experience, protecting against outside attack is really rather trivial compared to protecting against the potential internal threat.
  • by linuxbert ( 78156 ) on Monday April 28, 2003 @06:45PM (#5829755) Homepage Journal
    YOU should.
    The government produces these documents for a reason. If anyone knows how to secure a system, it's the government. Read them and apply them as required.

    Also, you have a lot of nice hardware. How about policy? Policy is more important. What happens when someone is hired/fired? Who is allowed to do what on the network? Do you have a business continuity plan? Is there a document that states how to recover from a disaster? Has it been tested? Have you ever had a Threat and Risk assessment performed? If yes, when was it last updated?

    You have some good technical means to provide security, how about the rest? The government has wonderful guides on how to do all this stuff, and although thick - they really are helpful.
  • Five easy steps. (Score:5, Insightful)

    by plcurechax ( 247883 ) on Monday April 28, 2003 @07:04PM (#5829896) Homepage
    1. Education - Get educated about what information security is all about, you should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and know what criminals/attackers can do in your organization.

    You can get a lot of this from several books and websites, such as Secrets and Lies [counterpane.com] by Bruce Schneier, the SANS Reading Room [sans.org], if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides [cccure.org] even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus [securityfocus.com].

    2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization).

    Tools like those from IBM Tivoli [ibm.com] or HP Openview [hp.com] can help here. For security-specific vulnerability analyzers [infosecuritymag.com], see open-source Nessus [nessus.org], eEye's Retina [eeye.com] and ISS's Internet Scanner [iss.net].

    3. Policy - You need a plan and a document to give you and others guidance, and this is your infosec policy.

    Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security [cisecurity.org] for benchmarks, and SANS Reading Room - Auditing and Assessment [sans.org], and Site Security Handbook - RFC 2196 [ietf.org].

    4. Implement -- Using your education, audits and policies you can now implement decent security.

    Basic principles of defence in depth, fail-safe, separation of privilege, and "complexity is the enemy of security" can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.

    5. Be vigilant - "Security is a process, not a product" - Bruce Schneier

    Now the work begins. Up to now it was the fun stuff; now you get to dig in with boring but important tasks such as analyzing log files, maintaining an accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and, if you can afford it and it is warranted, external), educating users, and maintaining your security posture.
  • by jrl ( 4989 ) on Monday April 28, 2003 @07:45PM (#5830197)
    * Disclaimer * - I work for a Security Testing Company.

    1st step in security is to perform a risk assessment. The goal of Risk Assessment is to determine if the security controls for a system are fully commensurate with its risks. Without having an understanding of your risk you are unable to determine the proper security policies, procedures, guidelines, and standards to put in place to ensure adequate security controls are implemented. We want to avoid putting a $1000 fence around a $100 horse, but at the same time avoid undue risk.

    Once that is completed, you need to create a security policy. This policy is what your company is officially trying to accomplish with its security initiatives. Until you know what your goals are, any money or time is not going to be well spent.

    Once you believe you have your goals from the policy implemented, you may wish to have a Posture Assessment. Posture Assessment is the act of measuring the gap between your information security posture and your information security policy. This is a thorough review of your existing security policies where each stated goal is converted into a test module. Each test is run until a sufficient amount of data is collected to measure the existing posture (the security posture is what the company is actually doing).

    Assuming the Policy and the Posture match, you may additionally wish to verify that all the bases are covered and request a verification Penetration Test on a specific set of systems with a stated goal for the test, or an out and out Ethical Hack attempt (same idea as a Penetration test, but not as limited in scope). This will uncover holes not covered by the Security Policy.

    You should also consider periodic testing. Some of this should be done internally, some is best to outsource.

    A security test is only valid if it is:
    * Quantifiable
    -- Can be numerically measured

    * Consistent and repeatable
    -- Two testers would receive the same test results at the same time

    * Valid beyond the "now" time frame
    -- Lasts and remains valid longer than the wet ink on the report

    * Based on the merit of the tester and analyst not on brands
    -- It is based on smarts and not expensive tools

    * Thorough
    -- A complete test where nothing is left untested from the scope

    * Compliant to individual and local laws and the human right to privacy
    -- Puts the protection of personal privacy before corporate data
  • by Anonymous Coward on Monday April 28, 2003 @10:49PM (#5831252)
    Don't just limit inbound access, also set up an application proxy as your outbound route, and have all traffic go through it. That way you can not only decide what goes out and what doesn't, but you can also see what users are doing, and perform auditing when it needs to be done.

    Here is an easy way to do it with a 4 armed firewall (pix 515 or similar)

                 |router|
                    |
                    |
                  | fw |-----| mail/dns dmz |
                   |  |
         _________ |  |
         |web dmz|-+  |
         ---------    |
                      |
                  | proxy |
                      |
                      |
                  | corp net |

    This thing looks like crap after stripping it down for the damn lameness filter, but hopefully you get the point. You basically have your border router hooked into a firewall, off of which hang three segments. You have your web server dmz in one (only allowing inbound port 80 and possibly 443 if you're doing ssl; outbound is only established connections), email/dns in another (very closely related, so it makes sense to put them together, but you can segregate them if you wish; this would be inbound port 53 and 25, outbound only established, and port 53). Your last segment would be a connection to the outside interface of a proxy server, which has its inside interface going to your corporate network.

    This provides you with a reasonably secure border with little cost. You'll want to stay away from ISA for the proxy, as it has a nifty "auto-configure firewall" option that allows things like MS Messenger to work transparently through it, which may go against your policies.
