Slashdot Mirror

← Back to Stories (view on slashdot.org)

Convincing Management of Network Security Issues?

Posted by Cliff on from the and-getting-the-problem-solved dept.

An Anonymous Coward asks: "Here at work for internet connectivity, we share a Cisco 2600 router with the administrative folks in the other half of the building. Our development network is isolated from theirs, safely behind a Debain firewall--we just show up as one IP with _very_ few ports open. The Cisco connects directly into a Linksys DSL router, which is *supposed* to be providing NAT for both of our networks. Instead, it's acting needlessly as an extra hub, with the incoming feed plugged into its port 2 and the outgoing feed in port 3. The feed from port 3 plugs into a 24-port hub, which connects all of the admin workstations and our Debian box. Each workstation, in turn, has a static IP (we have one too). This is due to a variety of reasons--so we've been told--but what it boils down to is the incompetence of the 'Microsoft Certified (w/Internet) Network Engineer,' who's responsible for the routers, the administrative network, and their Windows 2000 corporate webserver." Now, the workplace is left with no firewall and a Network Engineer that is downplaying the problem to the higher-ups. What would be the best way to communicate that there really is a problem?

"I went up the chain and explained the problem to my boss. He was horrified. He took it to his boss (who also happens to be in charge of said Network Engineer). The result was less-than spectacular. My boss' boss came out, with The Engineer in tow, who after fiddling with things for a while, proclaimed everything to be 'locked down,' and then they left. What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation. But in the process, she'd managed to convince our collective higher-ups that the problem wasn't as big as we (read: the lowly, know-nothing, software developers) had made it all out to be and now nobody wants to hear a word about it. In other words, they have NO firewall at all, and we've been unable to convince them that this is a Bad Thing(tm).

Since The Engineer and her boss have always tended to be reactive, rather than proactive, I logged onto Steve Gibson's Leak Test from an admin workstation and showed them the results. Unfortunately, this 'parlor trick' failed to generate much in the way of enthusiasm. So what I'm looking for are (mostly) non-destructive suggestions to alert them to the dangers of their network configuration. Short of posting their IP's in a #skript_kiddie_channel and daring them to trash everything, how should I bring it to their attention in a, shall we say, meaningful way?"

6 of 62 comments (clear)

  1. Info Security Survey by rakerman · · Score: 4, Informative
    Survey says: The best way to convince management of the need for security is "Conduct vulnerability assessments or penetration tests to demonstrate need for security" (Figure 9, page 4)

    2001 IT Security Survey (PDF)

    It's not easy, but the best you can do is document the vulnerabilities, present your case, and KEEP presenting it. See if there are any corporate policies or legal requirements that support your position.

  2. How to prove your point. by bob_jordan · · Score: 4, Informative

    A better way might have been to have a chat with the MCSE and ask them how things are set up. Take an interest in security saying you are looking for ways to make your home network secure and want to know how it is done at work. Treat someone as an expert in their field and (even if they are not) they will take it as a compliment. Treat them as an idiot and they will take offence. You don't mention if the Cisco has been set up with any access control lists. Is that how she is locking down the network? Now the MCSE is going to be on the defensive since you went to her bosses boss.

    If you still feel the need to prove a point then take it as read that this is how the company wants the system to work and make imaginative use of it. Ask the admin staff to leave a printer turned on over the weekend because you want to do some work from home and may need to print some stuff out. Plug a box in after your debian firewall to do file serving and ask your boss that, since you have access to files on this machine from home, would he mind you working from home one morning while you wait for a plumber.

    Most of all be subtle. The shotgun approach obviously didn't work.

    Bob.

  3. Re:You left a lot out. by Thing+1 · · Score: 3, Informative
    Anyway, learn the politics they are going to be everywhere.

    This is so true. I know several people who lost their jobs due to politics. Stupid fucking internal fighting showing that the company has lost its competitive stance and is now "competing" with itself.

    Beware of politics. Not everyone who treats you nice is your friend, nor has your best interests in mind. I'm shaking a little right now, because I'm so pissed at these events I couldn't stop. No lack of skills on their part, or enthusiasm, track record, etc. -- they just butted heads with a 600-lb gorilla who likes to fire people to show who's the boss.

    Make sure you don't get caught in the cross-fire -- threatening someone's job (which you (the submitter )did to the lady MCSE, whether he understands it or not) isn't the best way to keep your head down.

    --
    I feel fantastic, and I'm still alive.
  4. Classic Dev/Admin problem by j-turkey · · Score: 4, Informative

    This is indicitave of a classic problem between Devs and Sys Admins -- SysAdmins thinking that they know something that the Devs don't, (all the while owning responsibility for the systems in question) and the Devs, who think that they don't necessarily need an overpaid SysAdmin to do fulltime stuff that they can do in a heartbeat (and maintain rights to their development and production systems and networks).

    (Disclaimer: I do not necessarily believe either of the two above statements, it is just a simplfication of my understanding of this canonical problem)

    I think that the first thing that you should do is to make nice with your admin. I know that you might not like her, and its clear that you see her as a know-nothing Microsoft Certified with no real-world expertise...and this may be the case. But its important that you put these feelings aside and first try a little harder to work with her on this.

    Its also important to take a CYA approach and document everything that you suggest to her...especially the stuff that she is not receptive to. This is much easier to do in a mid to larger sized company than a really small one (really small
    Show where the vulnerabilities are in writing, using well-known and respected tools and methodologies. Recommend a course of action (again, in writing). You can keep this informal be doing the "in-writing" stuff over email -- this way its not overtly official, but you have a paper-trail just the same. Also, ask your SA to document her changes.

    Now if she is not receptive to your suggestions, then it will be time to report this stuff to higher-ups. Be careful about trying too hard to point this stuff out, because you'll start looking like you're spending too much time doing someone else's job.

    After all this is said and done, and your butt is covered. The last thing that I'd suggest you do is to recommend an external security audit. If you are being discredited due to your recommendations, you should have a third party come in and do a full write-up on your network's security. This is something that every manager will see, and if the auditors are from the right place, your MCSE will be hard-pressed to discredit them -- and will be forced to make the changes.

    Hope this helps.


    -Turkey

    --

    -Turkey

  5. Talk to her, and protect your subnet by Chacham · · Score: 4, Informative

    First, talk to the lady. She may very well feel threatened by you. That may sound rediculous, but it can easily be true. Once that happens, defense mechanisms go up, and regardless of how correct you are, she'll fight.

    You may want to talk to her. Lose your pride, and ask her if she is willing to set aside an hour, with the next week, to discuss your concerns. With that flexibility she'll probably accept the offer and set aside an hour after work, or the next day. She may be tense, because she may think this is merely a ploy of yours to "one-up" her. So, during the meeting, you must be very carefull to let her know that she makes the decisions, and that you are only offering information and concerns for her evaluation. Be apologetic, this gives her an easy way out of your erstwhile confrontation.

    Finally, should all else fail, ask your boss to allow the developers to have their own subnet. Then, simply, put up a firewall for your subnet. This way, you'll be safe, and (if you don't shove it in their face) the rest of the company may want to be as "safe" as you.

    --
    Have you read my journal today?
  6. Re:Tough position. by The_Final_Word · · Score: 2, Informative

    Absolutely, I would nmap the whole subnet and put the results into a document too. Then point out that if the Administrator didn't know that you'd just scanned the whole network she's not paying any attention to the security of that net.

    I would definitely put a firewall between your dev network and the router, then run Snort on the Debian box and firewall each workstation as well. (paranoid - me? - yes)

    At the end of the day if something happens to your development work because of someone else's lack of knowledge or caring about security issues, it's your stuff that will suffer.

    --
    The Final Word