Securing Your Network?
Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."
I heard about this honey pot feature for network security. I installed them on each users computer, but they keep using the honey in their tea. Maybe it was not installed correctly?
Since you posted this on /. you obviously aren't interested in security through obscurity!
I don't think I am the only one spending evenings and weekends playing around with yet another IDS.
Think again!
Allow only very few services and open just those ports. Probably HTTP, SMTP, FTP, SSH; that's all.
Keep Web and FTP on separate DMZ LANs.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
The way I secure my systems, is not to put them on a network, though it does make email a bitch...
I look on the stock market: diversify. Don't put all your eggs in one basket.
Thanks for the link, I didn't know what diversify meant.
I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?
That's like saying you know someone has solved a very hard math problem that you need solved, but that you don't have time to find out how they did it. Why don't you read the literature not only from the NSA, but from the other various institutions that dedicate tremendous resources into investigating the problems you are trying to solve. It makes a lot more sense to do your research there rather than asking laypersons for their haphazard advice.
Our network is Novell, our e-mail is GroupWise, and we don't use Cisco products. While not necessarily "low budget" in terms that the original poster implied, the net effect is that we don't have to contend with many of the viri that other companies running the typical MS products do. And yes, we most definitely still have to have a good firewall, and a good firewall config with the appropriate ports either shut down or monitored, and we still run an e-mail scanner on in- and out-bound mail as well as McAfee on the desktops.
Go calculate something
Get all your shit working. Cut the LAN/WAN/internet lines, brick it in with no doors and spray the outside with Teflon.
Hire a muscle head with an 8th level Edu to guard the brick box with a baseball bat.
Other than that you're just playing the odds like the rest of us.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Step 2) Arrange equipment in nice steel shipping container.
Step 3) Toss the entire thing into the bowels of either your local foundry's furnace or your closest actively erupting volcano
Step 4) Giggle because the poster never said the network had to work or anything....
I'm a little tea pot.
... don't put up any security, and don't put anything important (worth losing) on the box. Eventually, boredom will set into the hackers and they'll go onto something more challenging...
At least I hope they will....
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Put firewalls between every server and the rest of the network... not one firewall, but one for each server (a dedicated firewall). You could do that with switches and the like but that's overkill. But in Paranoia mode it's all just good thinking. But can one be too paranoid in the name of security? I think so. Basically, produce a sound strategy that people don't look at and say "you're crazy!" then implement it and pray that nobody figures it out. The idea of having multiple vendors for security is good, but it will make your administration a little more difficult--which may or may not bother you.
A network is secure if it costs more to an intruder to break in than the value of the information being protected.
Network security must exist within a context of what is being protected and who would want to break in. If you are protecting your personal information, the amount of security that is needed is substantially less than if you are a major bank. Sure, your design might have some holes in it. In fact, I guarantee that it does, but if it's too much hassle to exploit those holes, then nobody's going to bother.
This sig has been temporarily disconnected or is no longer in service
"I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?"
Anybody who considers security important.
The Kruger Dunning explains most post on
I don't think I am the only one spending evenings and weekends playing around with yet another IDS.
Unfortunately, I suspect that we are among the few that do. Especially when you look at this and this.
I would say that you are definitely on the right track and that your network is probably more secure than most. Certainly more so than those that will respond to you here. The fact is that if you are in doubt, you should have an audit performed by a security expert. This person will review your policies, procedures and configurations and make appropriate recommendations. Additionally they will perform penetration testing both from inside and out and make subsequent recommendations.
As I said above, I think you are on the right track and would guess that you have taken all of the necessary steps, and are hearing the complaints from your user community. But, the only thing that I would add is that you should never become complacent. Test your security regularly and use multiple tools to do it, and always the latest versions. Don't rely solely on a Nessus or nmap scan to validate your security. Also, when testing, remember that it isn't just a matter of whether you get in or not; you should also make sure that the attempt is properly caught in the logs, regardless of the attempt's success or failure.
What about approaching the Linux Public Broadcasting Network about doing a [[semi-]regular] show about security? Perhaps they'd be open to content like that?
-vt
US$0.02++
1) Fire developers
2) Fire users
I welcome suggestions as to why Windows or even Linux would be a safer choice in regards to security.
And OpenBSD with Evil Bit checking is even better. ;)
What do you consider to be a secure network?
A properly patched one, Linux or Windows.
The coolest voice ever.
: .. cut the lan/wan/internet lines ..
This is a very important part that is often overlooked as demonstrated by the following example
The University of North Carolina has finally found a network server that, although missing for four years, hasn't missed a packet in all that time. Try as they might, university administrators couldn't find the server. Working with Novell Inc. (stock: NOVL), IT workers tracked it down by meticulously following cable until they literally ran into a wall. The server had been mistakenly sealed behind drywall by maintenance workers.
3.243F6A8885A308D313
I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?
Probably professionals who weren't picked to be the "security guy" by a game of spin the bottle at the last office meeting.
Really, we will.
We won't break too much along the way.
We promise.
(It's humor, laugh.)
NetInfo connection failed for server 127.0.0.1/local
Well, as pointed out earlier, since you posted this on Slashdot, you are not a "closet sysadmin". Collaboration is important. Think about joining a group like DShield ;-) .
By using multiple products, you indeed have a better chance of detecting and defending against attacks... That is, of course, assuming that you have someone trained to set up, monitor, maintain, and tweak each system you put into place AND that the correspondence between the parties responsible for each system allow correlation of seemingly unrelated data that indicates an attack or intrusion that would not be detected otherwise...
The potentially enhanced visibility made available by using a heterogeneous security implementation comes only at the expense of additional training and staff, and more complicated maintenance, monitoring, and communication. Be aware of the trade-off.
Also, security tools are nothing absent policy/procedure implementation/refinement/education/awareness/enforcement/etc.
Invest the majority of your resources into learning how your users make use of the system and then develop and put security procedures into place that encourage secure computing instead of putting systems into place that make their jobs harder and encourage them to bypass your security measures.
In my experience working securing networks, I have found that the best approach is "Security through apathy". Sure I can get rooted easy, but boy do I have loads of free time now!
I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.
1) There should be no single point of failure on a secure network. Can't depend on a single firewall, VPN, or user password. Simple rule: three keys/passwords/persons to open system critical 'doors'.
2) Secure LANs are behind rings of security. Three rings is okay. More is better. Anything under 3 rings is SOHO stuff.
3) Use computer-generated passwords. Yes, it's hard to remember but it's better than to depend on Joe to come up with something good. Force it on them. Remember it will be your arse if security is broken, not theirs.
4) Do regular white hat scans on your network. Try to break in.
5) I don't run anything remotely; if you must, then SHA1 and SSH2 are a must.
6) Use linux/bsd.
7) Do complete backups every night (with HDAs getting so cheap there is no reason not to).
8) Real important, arse critical stuff is not connected on a networked machine; such machine has no fda's, cdrw, cd's, usb's etc.
Probably HTTP, SMTP, FTP, SSH that's all.
:)
Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Ya, so the users complain about it, but they'll get over it. The University I attend recently switched from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you.
"I either want less corruption, or more chance to participate in it." -- Ashleigh Brilliant
...anyway? Windows 2003 firewall includes all the security you'll ever need, unless a morgan webb lover hits your site up.
"Securing" your networks hampers our efforts to roam freely through them, searching for any files/activities/writings that contravene the "Freedom from Thoughts" act, thus directly supporting terrorism.
Trying to get advice on how to secure your networks interferes with our self-described legitimate efforts to make sure you aren't doing/listening/reading/thinking/considering thinking about things we've decided you shouldn't.
Now just stand over there in the corner and wait. We'll be by to pick you up in a little while. And remember, running away supports terrorism.
Use WindowsME with file sharing enabled and no patches as your firewall. Hackers will explode with excitement before they can intrude...leaving nothing behind but steaming puddles of Dr Pepper.
You might think I'm joking but this actually works! Go ahead and try it, then post your IP address to this site. Your boss will thank you for the amazing audit!
(-1, Raw and Uncut is the only way to read)
First he says "As I was pondering the review results I wondered what a completely unbiased observer would think of my security." Then, he Asks Slashdot.
Oh, the irony.
(Score: -1, Stupid)
Deny all ports/routes/hosts. As lusers approach asking why the 'network is down', get your BOFH on and ponder if their needs warrant opening said routes.
Blacklist it all. Scrupulously whitelist.
Don't let any attachments in.
Have DMZs.
Pay attention to bugtraq and errata postings.
Nmap every once in a while.
Only have two ssh's open to get in and have the IPs defined in hosts.allow.
ALWAYS upgrade when security bugs are fixed.
Have snort on the main DMZ in a promiscuous switch port, get some nice looking reports going.
Pay attention to bandwidth usage ( cricket ).
Add a dash of portsentry+tcpwrappers.
Don't act macho and send nasty letters to people who try to get in.
Maybe, don't return pings ( tcp-reset ) or portscans.
Bind 9 with zones.
Check all logs all the time (3 times a week).
KISS = keep it simple stupid.
Don't hire lazy admins.
Try out all new security related programs.
I SHOULD be sending most all logs to a central host.
Make sure MS admins don't totally let their guard down.
*pant*pant*. ummmmm, that's about it for now.
Oh and don't enable web crap on routers etc (more ports open).
ssh for everything.
Shut down telnet.
https for everything.
Try to protect email, imap, pop (plaintext over the network).
Read the "security" section of all apps you install and try to KISS.
ummmmmmmm, that's about it for me.
Everyone already knows this but I'm just throwing in my 2 cents :-)
In this, you have a general with N subordinates who, through various channels of communication, give orders to M end-points. The papers on the problem detail how you can have assured communication between the general (you, or the master node of a cluster, or whatever) and any execution nodes.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
... I'll give a serious answer.
I work for a moderate sized engineering consultation company (500+ employees all over the east coast). We have over a dozen offices from Florida to Maine. All are connected by a VPN using frame relay. At each access node, there is a Cisco Router/switch controlling what traffic can come in and out. Behind that is a firewall, NAT, and DHCP server (each office runs on a separate private IP group). All external traffic (i.e. not on the VPN) must go to the main headquarters and pass through the proxy before making it out to the "real world." We also have several web, ftp, and email servers in the private IP realm that are NAT'd to the outside. All incoming packets from the outside world must go through the Router, Firewall, NAT, Virus Scanner, Mail Content Scanner (read: anti-spam detector) before making it to the target machine.
Software-wise, we are Novell users (mod me down if you want, but it is a hell of a lot better than M$). Every user has 1 concurrent log-in with very few exceptions (IT staff being 1 of them). Users cannot pass through the proxy or access any file servers without full LDAP authentication. This includes email, web browsing, ftp, etc. All logins are fully logged to time, machine and duration. Passworded screen savers automatically kick in after 10 minutes of idleness and users are auto-logged off after 30 minutes of idleness. Strong passwords are enforced (9+ characters, 3 of 4 ({CAPS, lower, 1234, !@#$}), no repeating of past passwords, no dictionary words). L0phtcrack is used randomly to check for weak passwords.
I consider our systems to be fairly secure, given that most of the system is redundant as well as obscure to all but a few people in IS. It's a combination of cyber-armor and security through obscurity.
Hope this helps.
Nothing fails quite like prayer.
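The password rules in the post above (9+ characters, 3 of 4 character classes, no reuse, no dictionary words) are simple enough to enforce at password-change time rather than catching them later with a cracker. The following checker is an added example written by the editor, not the poster's own tooling; the word list and the password history it uses are small constructed samples, and a real deployment would load a full dictionary and keep hashed history.

```python
"""Password policy check modelled on the rules quoted in the post above:
9+ characters, at least 3 of 4 character classes (upper, lower, digit,
punctuation), no dictionary words, no reuse of past passwords.
Editor's example, not the poster's script."""
import re
import string

# Constructed sample word list (a real check would load /usr/share/dict/words).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "network"}

# Constructed sample of one user's previous passwords (keep hashes in practice).
SAMPLE_HISTORY = {"Summer2003!", "Welcome#99x"}

def character_classes(pw):
    """Count how many of the four character classes the password uses."""
    classes = 0
    if any(c.isupper() for c in pw):
        classes += 1
    if any(c.islower() for c in pw):
        classes += 1
    if any(c.isdigit() for c in pw):
        classes += 1
    if any(c in string.punctuation for c in pw):
        classes += 1
    return classes

def contains_dictionary_word(pw, dictionary=SAMPLE_DICTIONARY, min_len=4):
    """Plain substring check over the letters only; it does not undo
    leet-style substitutions such as 0 for o, which a cracker would try."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return any(len(w) >= min_len and w in letters for w in dictionary)

def check_password(pw, history=SAMPLE_HISTORY, dictionary=SAMPLE_DICTIONARY):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < 9:
        problems.append("too short (minimum 9 characters)")
    if character_classes(pw) < 3:
        problems.append("needs at least 3 of 4 character classes")
    if contains_dictionary_word(pw, dictionary):
        problems.append("contains a dictionary word")
    if pw in history:
        problems.append("reuses a previous password")
    return problems

if __name__ == "__main__":
    for candidate in ("Summer2003!", "abc", "mynetwork123", "Tq7#mL9vX2"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The dictionary check is deliberately the weak part: it rejects an obvious embedded word but not a substituted one, which is exactly why the post still runs L0phtcrack over the stored hashes afterwards.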
Your network is pretty secure compared to the average. However, ...
Your root password is "sheila".
Your social security number is 182-90-6134.
You just broke up with your girlfriend.
And you really ought to get a disk-wipe program to remove all traces of those deleted pornos.
- For the complete works of Shakespeare: cat http://www.samsung.com/Products/MobilePhone/PCS/MobilePhone_PCS_SPH_N270.htm
Your NATs are bothering us but we still get through.........
I heard about this honey pot feature for network security. I installed them on each users computer, but they keep using the honey in their tea. Maybe it was not installed correctly?
Well, the simple solution would be to hire employees that like honey in their tea.
Ed Wedig
Graphic design services
docbrown.net
Make an attack tree. All it takes is pencil and paper.
For my home network, it's pretty simple. Just me and a few computers, and few assets to protect. One of the trees might be how people might steal my pr0n collection. No big deal.
Once you have your attack trees written out, then you secure and document how you secure against each and every one of the attacks. For my pr0n collection, it comes down to 1) locking the front door and windows to my house 2) setting the burglar alarm 3) running a firewall 4) keeping my software up to date 5) having an offsite backup, encrypted with a trusted method. My pr0n is reasonably safe from being stolen. Notice how my attack tree has some physical attacks in there, thus the listing of good door locks in the security actions?
The end.
If tits were wings it'd be flying around.
wait for a hacker to get caught in my etherNet and then squish him with an open boot.
Sometimes you get a big one who can break his ip chains and you have to go after him with something larger. For these types I usually use a sniffer to find where he's hiding and send in my cat 5 times until his time to live has expired.
I use Windows XP and content advisor. Nobody can touch me now.
Just this morning I saw an ad on the /. homepage for an IDS. I don't quite remember but i think it said something about the maker of snort
And now this news story on /. I kinda wish there was some kind of article moderation implemented here on... Wait! No! Waaiit! Ahh...****
I wish I could filter out the annoying Pickens articles...
as long as we are on the topic of this OS versus that OS in terms of security, how does old mac classic OS in server mode stack up, strictly from a security angle, not "performance" or whatever, just strictly from a security perspective? Anyone?
Here's what I would offer as a cornerstone for thinking about your systems' security: A secure component is one that keeps its word. That is, it provides guarantees -- assurances -- of its behavior, and it meets those guarantees. Because it provides these guarantees, other components can depend upon it (though they need not depend exclusively upon it). And once a system is built out of dependable components, staff can place their trust in it and not be betrayed.
Take an example: a firewall. A firewall is commonly thought of as a tool for blocking attacks or reducing exposure. I would suggest that it is, rather, a tool for providing assurance that certain traffic will not enter the network from a certain point. Systems behind the firewall should not be thought of as being made "more secure" (what muddy thinking!) on account of the firewall's presence. They should be thought of as receiving a guarantee from the firewall that certain traffic will not enter.
This allows for evaluation. Under the blocking-attacks model, we must rate a firewall as doing its job if it blocks attacks. Which attacks? "Uh -- some attacks, the ones from the other side of the firewall." But what about attacks from other places? "Uh -- the firewall can't help you there, it's only at the border." But then what good is it? "Uh -- it makes your security better. That's what everyone says." With a clear understanding of the guarantees the firewall provides, we can evaluate its success with a clearer mind: does it succeed or fail at meeting those guarantees?
(Microsoft's marketing folks recognize that people want dependability when they talk about "trusted computing". They're using it as a nasty trick, of course, but they have the right words. By "secure system" people don't just want a system that rejects today's attacks, but one that provides dependable assurances of its behavior. Too bad they are wasting the memetic capital of the phrase "trusted computing" on a despicable power grab.)
64.215.164.27 For chrissakes. do a lookup.
You think that I'm crazy, you should see this guy!
Ah, this would be the N(x) time that this exhastive topic has been put forth as "news" on Slashdot, where x is the number of times your mother yelped when I squirted my hot love juice into her tiny asshole.
> the stock market: diversify. Don't put all your eggs in one basket.
That is certainly true in the stock market, but I would be careful about applying it to network security. Adding a new stock to your portfolio does not place your other stocks at greater risk. Yet every new network service/machine you add _does_ increase the risk to the rest of your network. If an attacker manages to get a foothold into one of your machines, there are a myriad of ways that she can leverage that access to further compromise your network.
Adding a new service is like having to defend a new front in a war. You have to divide your administrative effort into securing all of your systems, while the bad guys need only break through one of the defenses. So I would generally recommend standardizing on (say) a locked-down qmail, rather than putting out a "diverse" network that includes qmail, postfix, sendmail, exim, etc. Choosing one of those (even if you have instances on many machines) allows you to put more effort into locking it down, learning about it, and watching for & patching vulnerabilities. Meanwhile, attackers must have an exploit for that exact server rather than for any one of the mail servers you are running. Remember that even if you somehow manage to patch every announced vulnerability within 12 hours, there is still some window of exposure there. And many bugs will still float around underground for months before you hear about them - take a look at the recent SAMBA exploit for just one example.
I'm certainly not saying that diversity is always bad. In some cases it makes sense. But don't treat it as a tenet of secure network design like "deny by default" or "defense in depth".
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner. Version 3.27 was released today.
Seriously, it's true. Security isn't something you setup and put into place and just let it fester or sit.
What you've done is started packing for the journey. Gathering your tools and getting it all setup to go with you as you move forward.
But as effective as some security measures are, they still need to be tended to. Watched over. Tweaked. That's the journey.
Along the way, you will find new tools. You might even be waylaid by someone with better tools than you. Surely, you haven't arrived.
And you never will. Your security, through watchfulness, effort, and action, will improve as you improve and move forward.
It is bad security to see security as something you plan, implement, and walk away from. That leaves you prone to holes and highly creative or bored individuals out there.
Security is something that is ongoing.
A home user using a simple firewall package who is diligent with watching the logs and keeping up on security bulletins for the software, the os, and the system in general will be much safer than a multi-layer security system that no one bothers to watch or that can't be easily understood by those watching.
Winged Power Photography
You need people like me so you can point your fucking fingers, and say "that's the bad guy."
I think a more accurate version would be...
A network is secure if it appears to an intruder to cost more to break into it than the value of the information being protected.
I'm not sure we yet have people randomly attacking SSL-protected credit card transactions hoping it just happens to be bill gates silver gold platinum centurion amex.
With so many insightful replies, I am almost embarrassed to post something meaningful. But I digress... Why are you auditing a security system you devised? If you can afford to, I think hiring an outside auditor would be more beneficial. As far as the rings-of-security, what about different firewalls at different levels. A Cisco PIX on the WAN, followed by Linux firewall, followed by Windows firewall. As long as they all have the latest patches applied, a newly discovered security vulnerability shouldn't affect all of them at the same time.
Please excuse my English. I am American.
You sir, are going to DIE!!!!
Upgrade today. Upgrade often. Upgrade now!!!
What if your IDS breaks or your firewall breaks and you need to run during that repair line without it? What if you never bothered securing the hosts because you HAD a firewall to catch everything so you didn't need to worry.
We have a firewall, IDS, packetshaper, and a few other network toys. And if they were all removed from the network, the servers are still patched, still only have the services needed available, still use tcp wrappers, still use host based firewalls, still have things like tripwire running.
The other things are just additional tools for even more management/logging/whatever.
That would be my advice - make sure your network is safe without all the extra tools.
Step 1: Secure Network
Step 2: ?
Step 3: Profit
I run a completely Windows environment. To protect it was easy with a Linux Firewall distribution that could run on a crappy PI 166 called IPcop: http://www.ipcop.org/cgi-bin/twiki/view/IPCop/WebHome
It was no problem for me (who had never touched linux before) to install and configure this. Comes with a pretty web interface so if you have even less linux skills than me, you can remotely manage/configure it from your Windows PC.
Disclaimer: I did end up doing a lot of reading through the excellent IPcop forums (just try to avoid getting involved in the ever present smoothwall vs. IPCop arguments) to get the updates installed and some neato add-ons. But that was way back in version 1.22. Now it should be even easier and more user er... admin friendly with the release of 1.30.
good luck.
I went to battle MC Escher but drew a blank
There's not a whole lot new and interesting in terms of security on the network side of things. Lay out your network properly, use a DMZ, firewall (preferably Linux's iptables with stateful firewalling and something like shorewall to make it easy to use) and use IDS etc. Actually, one kinda new and interesting thing you can do on the network side of things is to use User Mode Linux to set up a fake network (all running on one box) of tempting looking target machines simulating your production network and watch for people to poke at it. It serves as a good control subject to compare against your IDS results to reduce false positives. If anything is hitting your honeypot you know it's hostile.
But the real recent innovation in the host based security area is Mandatory Access Controls. ugo+rwx and unix uid's are all part of discretionary access controls. Users can make their .rhosts world writeable and can often use suid binaries or buffer overflows in daemons running as root to elevate their privs. But if you have a kernel enforced mandatory access control system these things cannot happen. I have been playing with SE Linux for a while now and I really like it. I just created a security domain/role for the freenet daemon to run in. If someone exploits it and gets a root shell they will be trapped in freenet's domain which is restricted to least privilege. Even if they get root they cannot hurt the system. Mandatory Access Controls take the fangs out of root. I have put up my freenet domain config file for your viewing pleasure here. Note that it is still a work in progress. SE Linux is very flexible and secures the entire machine from any root exploit I have seen used in recent years. It would have prevented my personal box from being rooted by that ssh bug that came out a couple years ago!
As they say, it is "Military grade security at Open Source prices!"
Have you looked at Intrusion Prevention Devices, such as that from V-Secure? With very little configuration work it will learn your network, identify bad guys, and block them. Sounds like magic, but I've seen one really work.
Write a script that filters out non-suspicious activity in the logs so that you're left with only the stuff you want to see.
Of course, creating that data filter is the tough part. You don't want to be too inclusive or too restrictive.
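The "filter out the routine, read what is left" approach from the post above is the usual way to make daily log review survivable, and the hard part is exactly the allowlist. The script below is an added example by the editor, not the poster's script; the auth-log lines, the trusted admin addresses and the benign patterns are constructed samples in sshd/cron syslog style. It also ties in the earlier suggestion of a hosts.allow-style list of permitted login sources: a successful key login is only treated as routine when it comes from one of those hosts, so a "success" from anywhere else still surfaces.

```python
"""Reduce a log stream to the lines that are not known-benign.
Editor's example, not code from the post. Log lines, trusted hosts and
patterns are constructed samples."""
import re
from collections import Counter

# Constructed sample lines in the style of a Linux auth log.
SAMPLE_LOG = """\
May 10 03:01:01 gw CRON[1201]: pam_unix(cron:session): session opened for user root by (uid=0)
May 10 03:01:01 gw CRON[1201]: pam_unix(cron:session): session closed for user root
May 10 03:04:17 gw sshd[1310]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
May 10 03:05:42 gw sshd[1322]: Failed password for root from 192.0.2.77 port 4402 ssh2
May 10 03:05:44 gw sshd[1322]: Failed password for root from 192.0.2.77 port 4402 ssh2
May 10 03:05:47 gw sshd[1322]: Failed password for root from 192.0.2.77 port 4402 ssh2
May 10 03:06:10 gw sshd[1330]: Accepted password for backup from 198.51.100.9 port 3344 ssh2
May 10 03:10:00 gw sshd[1340]: Accepted publickey for admin from 10.0.0.5 port 51030 ssh2
"""

# Constructed: the hosts allowed to log in remotely (same idea as hosts.allow).
TRUSTED_ADMIN_HOSTS = {"10.0.0.5", "10.0.0.6"}

# Events considered routine. A line matching any pattern is dropped, except
# that a key login is only routine when its source is a trusted host.
BENIGN_PATTERNS = [
    re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed)"),
    re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from (?P<ip>[\d.]+)"),
]

IP_RE = re.compile(r" from (?P<ip>[\d.]+) ")

def is_benign(line):
    """True if the line matches a benign pattern (and, for logins, a trusted source)."""
    for pat in BENIGN_PATTERNS:
        m = pat.search(line)
        if m is None:
            continue
        ip = m.groupdict().get("ip")
        if ip is not None and ip not in TRUSTED_ADMIN_HOSTS:
            return False
        return True
    return False

def filter_log(text):
    """Keep only non-empty lines that are not known-benign."""
    return [ln for ln in text.splitlines() if ln.strip() and not is_benign(ln)]

def failed_logins_by_source(lines):
    """Summarise remaining failed logins per source address."""
    counts = Counter()
    for ln in lines:
        if "Failed password" in ln:
            m = IP_RE.search(ln)
            if m:
                counts[m.group("ip")] += 1
    return dict(counts)

if __name__ == "__main__":
    kept = filter_log(SAMPLE_LOG)
    for ln in kept:
        print(ln)
    print("failed logins by source:", failed_logins_by_source(kept))
```

On the sample input the cron noise and the two admin key logins disappear, leaving the three failed root logins and one password login for "backup" from an address that is not on the trusted list. That last line is the reason the allowlist is written around the source address rather than around the word "Accepted": a filter that drops every successful login would hide exactly the event worth reading.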
It's perfectly fine to put all your eggs in one basket. Just watch that basket.
Whatever sort of arrangement you decide on, I hope you're taking the time to document it properly. Troubleshooting or modifying multi-layered, redundant configurations (security or otherwise) can get really confusing, even if you're the one who designed it in the first place.
Take time along the way to write down how everything is configured, why it's configured that way, and any unusual exceptions or special cases. Include "obvious" stuff, too.
After everything is in place, go back and make sure everything is still accurate, make any necessary updates, and write up an additional summary. And be sure and make notes of later configuration changes with all the same information.
It's not nearly as much fun as playing around with stuff, but it's really vital in any kind of real-world environment. If you don't do this, then someone will inevitably screw it all up the moment you turn your back, or later decide that it should be tossed out or replaced because it can't be reliably maintained. (And they may be right.)
Hi all,
I design a number of web pages but rarely have to deal with in-house networks and their security issues. However, recently my girlfriend got a job at a doctor's office where they have their own public website running off their own local network, I believe Windows NT based.
They don't have any person in charge of network security and I have a feeling it's ripe for being hacked. She was asked to redesign the website as it really sucks.
As I said, I have a feeling it is probably an easy site to hack, besides the fact that it is super slow to load as it is only running off a dsl connection. I want to tell her it's unsafe and suggest she move the site to a safe site but don't really have any knowledge of how unsafe it is or if someone could access any vital records that are probably on the same server.
Maybe someone could give me an idea what I should tell her so she can tell her boss?
Thanks in advance.
Estimate the cost of the risk (potential impact X probability of occurrence).
Compare this risk cost to the incremental cost of the security countermeasure or technique to see if it is really worth it.
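The attack-tree post earlier in the thread and the two-step risk costing just above fit together: the tree tells you which path an attacker is likely to take, and the impact-times-probability comparison tells you whether a given countermeasure on that path is worth paying for. The following is an added example written by the editor, not any poster's code; the tree mirrors the home file server scenario from the attack-tree post, and every cost, probability and dollar figure in it is a constructed illustration, not a measurement.

```python
"""Attack-tree evaluation plus the risk-cost comparison from the thread.
Editor's example; tree shape, costs and probabilities are constructed."""

class Node:
    """Attack-tree node. A leaf carries the attacker's cost (constructed, in hours
    of effort) and its chance of success; an AND node needs every child, an OR
    node needs any one of them."""
    def __init__(self, name, kind="leaf", children=(), cost=0.0, p=0.0):
        self.name = name
        self.kind = kind
        self.children = list(children)
        self.cost = cost
        self.p = p

def cheapest_attack(node):
    """Return (cost, probability, path) for the attacker's best option, ranking
    OR branches by expected cost per success (cost / p)."""
    if node.kind == "leaf":
        return node.cost, node.p, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "and":
        cost = sum(r[0] for r in results)
        p = 1.0
        for r in results:
            p *= r[1]
        path = [step for r in results for step in r[2]]
        return cost, p, path
    # OR node: an impossible branch (p == 0) is never the cheapest.
    return min(results, key=lambda r: r[0] / r[1] if r[1] > 0 else float("inf"))

def build_tree(offsite_backup_encrypted):
    """Constructed tree for 'steal the file collection' from a home server."""
    pick_lock = Node("pick front door lock", cost=2, p=0.5)
    alarm = Node("defeat burglar alarm", cost=4, p=0.3)
    physical = Node("walk out with the disk", "and", [pick_lock, alarm])
    exploit = Node("exploit unpatched service through firewall", cost=20, p=0.1)
    # The countermeasure under evaluation changes only this leaf's success chance.
    backup = Node("grab the offsite backup", cost=3,
                  p=0.01 if offsite_backup_encrypted else 0.6)
    return Node("steal the file collection", "or", [physical, exploit, backup])

def risk_cost(impact, probability):
    """The post's 'potential impact X probability of occurrence'."""
    return impact * probability

def worth_it(impact, p_before, p_after, countermeasure_cost):
    """Compare the drop in expected loss with the countermeasure's own cost.
    Assumption (constructed model): the success probability of the attacker's
    cheapest path stands in for the probability of occurrence."""
    saved = risk_cost(impact, p_before) - risk_cost(impact, p_after)
    return saved > countermeasure_cost, saved

def evaluate_backup_encryption(impact=2000.0, countermeasure_cost=50.0):
    """Run the comparison for 'encrypt the offsite backup'. All figures constructed."""
    _, p_before, path_before = cheapest_attack(build_tree(False))
    _, p_after, path_after = cheapest_attack(build_tree(True))
    decision, saved = worth_it(impact, p_before, p_after, countermeasure_cost)
    return {"path_before": path_before, "path_after": path_after,
            "saved": saved, "worth_it": decision}

if __name__ == "__main__":
    for key, value in evaluate_backup_encryption().items():
        print(f"{key}: {value}")
```

With the constructed numbers the unencrypted offsite backup is the cheapest path by a wide margin, so encrypting it pushes the attacker's best option back to the physical break-in and cuts the expected loss by more than the countermeasure costs. The general point, which the attack-tree post makes in prose, is that the ranking can change after every countermeasure, so the tree is re-evaluated each time rather than read once.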
Having firewall, servers on DMZ, IDS and all stuff in place won't suffice to achieve high level network security.
You've got to build strict policies regarding all aspects of your systems and network infrastructure and also write down some procedures and guidelines to enforce those policies.
Training also plays a major role and should target the user crowd - stating clearly what is and what is NOT allowed and why, the admin crew - guiding them through the principles of security-minded system and network administration, and of course the suits - showing them the stakes at risk using eye-candy presentations.
If you can't manage to gather people involvement at every level of the organization, your security plan is certainly doomed to failure.
OpenBSD, the latest, on a machine that is turned off and unplugged from everything. It seems secure so far...
Ok, this is what I do for a living and frankly I find WAY WAY WAY too many companies lock down ports, install patches configure a firewall well and then call their networks secure.
All of the technical fixes in the world are rubbish when the independent auditor requests a list of all users on the network, goes down to HR and discovers 20 or 30 active user IDs for people who don't work there any more. Worse, I'll find 5 or 10 more for people who have changed jobs but still have their old privileges. (The guy in Accounts Payable SHOULD NEVER be able to access the Accounts Receivable systems.)
Everyone in security knows a high percentage of exploits and a higher percentage of serious exploits are carried out by people who had valid access to the systems. Security for a network or a system begins in HR, and the processes for granting, modifying and revoking system authority are much more critical than what ports are open. So what if you keep the script kiddies out when your CIO's secretary writes herself a cheque for $1,000,000? If you're serious about securing your network, figure out what your users can do that they shouldn't and look to developing systems to prevent internal breaches.
When I do a network security audit, first I test the following: Segregation of duties and appropriateness of access, procedures for adding / changing and removing users, change management and a user access privilege testing. Is everything authorized? By who?
If those things pass mustard, then I start actually looking at server room access, patches, firewall configuration, network diagrams, open ports, system auditing and security levels. It's not as sexy as pitting your skills against the crackers (what a f**ked up notion of sexy I have) but it's where you need to start if you're serious.
People who do well in stocks and real estate don't diversify. They learn to manage risk and invest in a few non-risky (however not necessarily without risk) ventures. It's like in monopoly... you buy a few houses then sell them for a hotel, not necessarily buy nothing but houses.
:P
Learn to manage your risk.. in the case of security, make sure everything is patched and monitored.. not just set up 14 clustered firewalls behind an armed guard and a giant griffon and cross your fingers
-KevinSync
Let's not forget to ambiguously label your threat levels.
If you think you might be hacked, go to "High" or "Orange."
If you see (or hear about, through the office grapevine) heightened network traffic, change it to "Severe" or "Red."
Now you could run OpenBSD and stay at "Low" or "Green" most of the time.
Don't forget to freak out and duct tape the server racks when you reach "Red."
Also be sure to alarm your users with dire motds.
Aside from this no other actions are needed or necessary.
(This post was intended to be funny)
Firewalls are really not unlike locks on a door... with time someone'll get through. Intrusion Detection Systems don't do much good unless someone responds when an Intrusion is Detected -- not unlike a building alarm without an alarm company responding! I think this company, Counterpane, has an interesting approach. They have their own data centers doing 24x7 monitoring of their customers' networks, so if any IDS sees any suspicious activity, someone can respond immediately.
Policy... Get signed documents covering IT policy. It helps with mistakes... "I didn't know downloads could contain viruses." AND with deliberate intent, i.e. it's easier to prosecute.
Procedure... Equipment and software must be set up with the right mindset, i.e. "Do we really need this service? Do we need it RIGHT now? What is the least privilege required to get the task accomplished?" This will go a long way towards securing a network.
Education... Read the NSA docs, CERT too. Bugtraq is great, but wear asbestos. And educate other administrators and users. It helps.
Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
Typically only known by network security administrators and Greek classicists, Kerberos is a de facto security protocol at places like MIT and the University of Chicago. The network infrastructure you've described sounds like it could be reaching the point of needing a Kerberos server, which, of course, would consolidate many of your currently existing network security solutions, as well as create new types of headaches you didn't know existed...
Anyhow, as far as low budget goes, Kerberos does run on Linux.
Of course, installing a Kerberos network security solution does require that all of your computers run Kerberos-enabled operating systems (Win2K, Linux, Solaris, and the like...) and that you and your co-workers can actually complete a secure sneakernet handshake and file transfer between all of your end nodes... which, in and of itself, requires a slightly different understanding of network security and network planning...
Just my two cents....
Use layered security...
Layer 1 - External Firewall - nothing comes in except exactly what you need where you need it to go to. HTTP only allowed in to the webservers, VPN to the VPN systems, etc. Tie an IDS into this firewall layer. SNORT works great...
Layer 2 - DMZ - Anything in this zone is considered compromised by default. Nothing further in should absolutely trust systems in this domain. Put at least one IDS in this zone... and make sure to not only check traffic from the outside, but also traffic from the inside.
Layer 3 - Internal Firewall - Again... more security. Proxy servers, if you can, secured systems, more IDS systems, preferably a different one than the external one. Again, only let the data that you need to get through get through.
Layer 4 - Internal network - VLANs, IDS systems, and access lists. Make sure that traffic stays where it belongs, and make sure every system is backed up. Also, if you can afford it, Tripwire, or something along those lines...
CHECK YOUR LOGS. If you don't review your logs regularly, you're begging to get hacked. You have to keep up on what's going on and update your defenses accordingly. A corollary... LOG EVERYTHING YOU CAN. Disk space is cheap. Log everything... you may need it at some point... especially for after-attack forensics.
Make sure you are warned of possible intrusions somehow. My pager went off fairly often until I had my IDS systems tuned...but better an extra page and some minor panic than not knowing when a major hack happens...
What I used - Snort IDS, Cisco PIX firewalls, Linux box running IPFW, Cisco NetRanger IDS, Cisco Routers, 3Com & Cisco Switches, patched Windows boxes...(PATCH THOSE SYSTEMS OFTEN!)
-merlyn
To nail the point down better, I'd rephrase that as "multiple layers of defense".
It goes without saying to this audience, but probably needs to be said multiple times to the people that manage your budget, but having defense in layers (i.e., serial) is more effective than having defense mechanisms side by side (parallel).
Make potential intruders go through all the doors of your dungeon, not just one.
That's easy to say and hard to do. The problem is that many dungeons (workplaces, whatever they're called these days) have obscure, lesser known secret doors that can let in the monsters if only that one door is discovered and compromised. Creative social engineering tricks are particularly devastating this way.
Some internal walls for damage control can be helpful in the event of an incident.
"Provided by the management for your protection."
1. Unplug it.
See? Total security, in one E-Z step!!!
Also, restrict access to certain services by IP address if you can. I have IIS set up at home and only allow access to certain folders based on IP address.
In particular I recommend "Real World Linux Security" , second edition, by Bob Toxen, which contains a wealth of useful information.
Full disclosure: I know the author; I am doubtless biased. But I like the book and have found it quite handy.
Here's an excerpt from an Amazon reviewer:
Professional Wild-Eyed Visionary
When you think about it, every data security measure put in place can be bypassed, given enough resource, or enough luck.
Public/Private Key encryption can be broken, given enough CPU.
Passwords can be guessed.
Ask yourself, "can my security system be bypassed with a very lucky guess?"
It's likely a security system of obscurity
Whatever your security, the idea is to make it difficult enough to break so it's uneconomical to get the secrets it's protecting.
i.e. $$ Resources to break security > $$ secrets
I'm sure you've tried various different IDSs, firewalls, and whatnot, but have you considered another drastic change at the server level? OpenBSD as your server OS would probably bump your overall security quite a bit. And it's FREE.
This guy is way out there
I post this most every time I run across a discussion of network security and the "evil hacker" protections people try to implement.
Where is your IDS? At or near the firewall from your Internet connection I'm willing to bet.
Okay, now what about the malicious hacker wanna-be that lives within your trusted network? This could be a student in a campus lab, Jane Doe in cubicle 12B who lives a secret on-line life as Kamander KRak, or Dave Smith, the quiet guy in the corner office who thinks he's about to get fired. What about the cleaning crew who have full access to every square inch of the facility at night without any supervision? What about the CEO who just brought a new WiFi notebook in, connected it to the LAN, and offers an open WAP to anyone within 200 feet of the office?
We all spend a whole lot of time and money securing our Internet connections and services from external hackers. Yet most managers/admins almost completely ignore the internal threats. And ONE inside job will do a lot more damage than a dozen attacks from outside.
Those on your LAN already have password access to the network and services. They know what servers to hit, they know what data is stored where. They know where the wiring closet is, and what equipment you run (your memos frequently tell them you are upgrading Windows from NT4 to 2000). They can open a closet door, or slide over a ceiling panel, and easily connect a device to the monitoring port of their distribution switch.
A comprehensive security plan needs to at least acknowledge these threats, and find ways to secure these services and components from otherwise trusted sources. IDS on each major server, physical lockdown of all remote network devices, regular/random physical inspections of the wiring closets. Some facilities may require that the night cleaning crews be cleared with at least a basic background check.
In my experience, protecting against outside attack is really rather trivial compared to protecting against the potential internal threat.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Set up your intranet under the assumption that it is completely exposed to the internet. Lock down the clients tight and allow users only the access they need. Never give users elevated privileges on their local machines without sufficient justification.
Harden your internal servers with the same considerations and expose only necessary internal services. If possible, run each service on a separate system. For user accounts, use a security model that functions properly in a sizeable network environment. There are a number of choices including MS Active Directory, Novell Netware, or a combination of AFS, Kerberos, and PAM with LDAP. I cannot stress proper access control enough here. If a user doesn't need access to something, don't give it to them.
Central management is also very important. Keep your admin workstations and servers on the same network segment, and don't allow any administrative access from outside that segment. If you have to, VPN between these segments.
Now that the internal clients and servers are good, move on to the firewall/proxy setup. First, if the port/protocol is not necessary, block it. If the protocol cannot be proxied, strongly consider blocking it, and log it if you have to let it through. A well configured caching proxy improves security and network efficiency. Additionally, proxy logs can make a good legal hedge against liability for actions committed by your users. They also make an ideal chokepoint for web monitoring software, if necessary.
For external services, create a DMZ using an additional firewall(s). Inside the DMZ, you should use port forwarding and non-routable addresses. Don't configure DNS or allow any access into your internal network, except where absolutely necessary. Since these machines are the most vulnerable, treat them as untrusted. Use only secure protocols for connection to these systems. Generally, user accounts on these systems should be entirely different from your internal accounts.
Once you're comfortable with your configuration, you can look at deploying the IDSs. The key points are inside your DMZ and at your server and administration segments. Host-based IDSs that take advantage of the native logging facilities are also good. Remember though, the biggest issue with an IDS is processing the output. If you cannot pick out the signal through the noise, then it does you no good.
If you do that stuff, keep your patch levels up, and have decent physical security, then you are relatively safe.
YOU should.
The government produces these documents for a reason. If anyone knows how to secure a system, it's the government. Read them and apply them as required.
Also, you have much nice hardware. How about policy? Policy is more important. What happens when someone is hired/fired? Who is allowed to do what on the network? Do you have a business continuity plan? Is there a document that states how to recover from a disaster? Has it been tested? Have you ever had a Threat and Risk Assessment performed? If yes, when was it last updated?
You have some good technical means to provide security; how about the rest? The government has wonderful guides on how to do all this stuff, and although thick, they really are helpful.
LEAF/VLAN gateway: Configured an 802.11q VLAN gateway for 24 independent offices. Independent NAT routing via shorewall. $500 Intel 410 switch, $100 in hardware for leaf box.
LEAF/IPSEC: Multiple offices connected via VPN for file sharing, internal web hosting, DNS, etc.
LEAF/FIREWALL: Just my standard single office firewall. Easy to configure, cheap, all config is on CD, leaves me massive upgrade options without having to buy 'add-ons' garbage like sonicwall offers.
You get money to secure your network properly, and they actually listen when you say that something is a problem?
F***** A. Cool.
1. Education - Get educated about what information security is all about. You should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and know what criminals/attackers can do in your organization.
You can get a lot of this from several books and websites, such as Secrets and Lies by Bruce Schneier, the SANS Reading Room, if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus.
2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization).
Tools like those from IBM Tivoli or HP OpenView can help here. For security-specific vulnerability analyzers: open-source Nessus, eEye's Retina, ISS's Internet Scanner.
3. Policy - You need a plan and a document to give you and others guidance, and this is your infosec policy.
Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security for benchmarks, and SANS Reading Room - Auditing and Assessment, and Site Security Handbook - RFC 2196.
4. Implement -- Using your education, audits and policies you can now implement decent security.
Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.
5. Be vigilant - "Security is a process, not a product" - Bruce Schneier
Now the work begins. Up to now it was the fun stuff; now you get to dig in with boring but important tasks such as analyzing log files, maintaining an accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and, if you can afford it and it is warranted, external), educating users, and maintaining your security posture.
OK, now that some people have had their fun...
Your idea isn't as lame as some people think it is. I'll tell you how I did essentially just what you suggested at one site I built up. Multiple DMZs.
Here's how it plays. Take a standard 1U rackmount computer. Add 4-port Ethernet card in the PCI slot. Run cross-over cables from each port to each of a Web server, FTP server, mail server, and DNS server 4-port hub (for two BIND servers). Load with a recent distribution of Linux. Code up IPTABLES rules so that each of the three servers only see in-bound requests of the particular type, and can make sensible outbound requests. (In other words, use a mostly-closed policy.) Define a /27 or /28 for each port, and set up your routing tables appropriately.
That's a $500-delta solution to a thorny problem, but when you consider that a firewall appliance is $430 each, you are saving a bundle and protecting the servers from each other and from your internal network.
Got a large intranet? Consider breaking it into zones, with more of those hydra-headed pizza boxes to prevent inter-zone pollution should some moron let a virus loose. (My experience is that the execs should be in their own God's little acre -- the last major virus outbreak I had to fight was caused by a VP!)
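The hydra-headed pizza box described above, as an added shell example that is not the poster's own rules: a mostly-closed iptables FORWARD policy with one interface per DMZ leg, so each server sees only its own inbound service, may make only specific outbound requests, and cannot reach the other legs or the internal network. The interface names, the 192.0.2.x /28 subnets and the 10.0.0.0/8 internal range are constructed for the example; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original post): mostly-closed forwarding policy for a
# multi-homed Linux firewall with one interface per DMZ leg.
# Assumed (constructed) layout:
#   eth0  upstream / internal side (default route, internal net 10.0.0.0/8)
#   eth1  web DMZ   192.0.2.0/28      eth2  ftp DMZ  192.0.2.16/28
#   eth3  mail DMZ  192.0.2.32/28     eth4  dns DMZ  192.0.2.48/28
# Set IPT=echo to dry-run: the rules are printed instead of loaded.
IPT="${IPT:-iptables}"
INTERNAL="${INTERNAL:-10.0.0.0/8}"

# dmz_in IFACE SUBNET PROTO PORT: permit exactly one inbound service onto a DMZ leg.
dmz_in() {
    $IPT -A FORWARD -o "$1" -d "$2" -p "$3" --dport "$4" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# dmz_out IFACE SUBNET PROTO PORT: let a DMZ host open one kind of outbound request,
# and only towards the outside (eth0, never the internal range).
dmz_out() {
    $IPT -A FORWARD -i "$1" -s "$2" -o eth0 ! -d "$INTERNAL" -p "$3" --dport "$4" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_policy() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP              # mostly-closed: anything not listed below is dropped
    # Replies and helper-tracked flows. The FTP data channel is RELATED only if the
    # conntrack helper is loaded (modprobe nf_conntrack_ftp; ip_conntrack_ftp on old kernels).
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    dmz_in  eth1 192.0.2.0/28  tcp 80        # web: HTTP in
    dmz_in  eth1 192.0.2.0/28  tcp 443       # web: HTTPS in
    dmz_in  eth2 192.0.2.16/28 tcp 21        # ftp: control channel in
    dmz_in  eth3 192.0.2.32/28 tcp 25        # mail: SMTP in
    dmz_out eth3 192.0.2.32/28 tcp 25        # mail: deliver outbound mail
    dmz_in  eth4 192.0.2.48/28 udp 53        # dns: queries in
    dmz_in  eth4 192.0.2.48/28 tcp 53
    dmz_out eth4 192.0.2.48/28 udp 53        # dns: recursion out
    dmz_out eth4 192.0.2.48/28 tcp 53

    # Web, ftp and mail hosts resolve names only through the DNS leg, never the outside.
    for leg in "eth1 192.0.2.0/28" "eth2 192.0.2.16/28" "eth3 192.0.2.32/28"; do
        set -- $leg
        $IPT -A FORWARD -i "$1" -s "$2" -o eth4 -d 192.0.2.48/28 -p udp --dport 53 \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Everything else, including DMZ-to-DMZ traffic, is logged and then hits the DROP policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

case "${1:-}" in
    apply) apply_policy ;;
esac
```

Run as `sh fw.sh apply` on the box; `IPT=echo sh -c '. ./fw.sh; apply_policy'` shows the generated rules without touching the kernel.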
Acid Zebra has the right idea, although the admonishment "be careful" seems to be as effective with network users as it does with young unmarried women (and boys).
Come on. You should read some of the NSA docs, they're worth it.
As for security it should be all encompassing. Clients in your DMZ should not be able to get into your internal network. Services should be shut down at external and internal firewalls. VPNs and encryption (software and hardware) should be used at every available point when needed. The list goes on and on and on and on...
A tiny but often overlooked tip: Make sure none of your machines boot from floppy/cdrom by default!
In fact, if you're really paranoid, remove all the floppy and cdrom drives!
ahh, great advice .. just like a stock portfolio. .. good call :p
.. fix the .. go back to flipping burgers where you
if one box isn't all that secure, maybe this one will make up for it!
really, better one good basket than a dozen hole ridden ones. your basket have holes?
holes. you didn't write it, don't know enough to fix it?
belong.
Why not just install Win2k and IIS/5.0 on every machine using the default settings? That is what my company did.
I tend to view each machine as an independent entity, untrusting of anything else by default. All access should require authentication - including things like NFS mounts (set up SSH tunneling, or a CIPE tunnel, or something) that work machine-to-machine (private key auth works well here).
This, combined with a minimal number of open ports (HTTP, SMTP, SSH, IMAP (I know, I should set up IMAP over SSL soon)) and good upkeep of patches, means that possible holes are limited, no matter where the attack comes from. This also has the added bonus that I don't have to worry as much about link-level security (like 802.11b - even though I still encrypt that) because I know that all services are encrypted and authenticated.
If those things pass mustard, then I start actually looking at server room access...
Umm, I'll bet you really meant to say "pass muster", not mustard.
Sorry, but I'm just in a nitpicky mood this evening after fighting a problematic Cisco router all day long that turned out in the end to have bad memory in it, but never reported any memory errors.
* Disclaimer * - I work for a Security Testing Company.
1st step in security is to perform a risk assessment. The goal of Risk Assessment is to determine if the security controls for a system are fully commensurate with its risks. Without having an understanding of your risk you are unable to determine the proper security policies, procedures, guidelines, and standards to put in place to ensure adequate security controls are implemented. We want to avoid putting a $1000 fence around a $100 horse, but at the same time avoid undue risk.
Once that is completed, you need to create a security policy. This policy is what your company is officially trying to accomplish with its security initiatives. Until you know what your goals are, any money or time is not going to be well spent.
Once you believe you have your goals from the policy implemented, you may wish to have a Posture Assessment. Posture Assessment is the act of measuring the gap between your information security posture and your information security policy. This is a thorough review of your existing security policies where each stated goal is converted into a test module. Each test is run until a sufficient amount of data is collected to measure the existing posture (the security posture is what the company is actually doing).
Assuming the Policy and the Posture match, you may additionally wish to verify that all the bases are covered and request a verification Penetration Test on a specific set of systems with a stated goal for the test, or an out-and-out Ethical Hack attempt (same idea as a Penetration Test, but not as limited in scope). This will uncover holes not covered by the Security Policy.
You should also consider periodic testing. Some of this should be done internally, some is best to outsource.
A security test is only valid if it is:
* Quantifiable
-- Can be numerically measured
* Consistent and repeatable
-- Two testers would receive the same test results at the same time
* Valid beyond the "now" time frame
-- Lasts and remains valid longer than the wet ink on the report
* Based on the merit of the tester and analyst not on brands
-- It is based on smarts and not expensive tools
* Thorough
-- A complete test where nothing is left untested from the scope
* Compliant to individual and local laws and the human right to privacy
-- Puts the protection of personal privacy before corporate data
(time == money)
(hacker.time > company.time)
(hacker.time.value < company.time.value)
(hackers > company.employees)
(There's more of them, they have more time and less expenses than you... which basically means, you're fucked.)
--
Sorry for the pseudo-code, I've been pulling 14hr days for the last week or so... *twitch*
The SANS Reading Room has a wide variety of papers. It's not the be-all and end-all of network security, but it's a damn good start.
That was all true and pretty comprehensive (if poorly typeset).
wtf - funny?
I stopped paying my DSL bill last month, I will be secure any day now!
... and only two mentions of VLANs and not a single post about ACLs on routers. I'm coming after all your networks...
Start here. You clueless bastards.
Make for a good TV ad.
May we never see th
Don't just limit inbound access, also setup an application proxy as your outbound route, and have all traffic go through it. That way you can not only decide what goes out and what doesn't, but you can also see what users are doing, and perform auditing when it needs to be done.
Here is an easy way to do it with a 4 armed firewall (pix 515 or similar)
        |router|
           |
        |  fw  |-----| mail/dns dmz |
         |    |
         |    +-----| web dmz |
         |
        | proxy |
           |
        | corp net |
This thing looks like crap after stripping it down for the damn lameness filter, but hopefully you get the point. You basically have your border router hooked into a firewall, off of which hang three segments. You have your web server dmz in one (only allowing inbound port 80, and possibly 443 if you're doing ssl; outbound is only established connections), email/dns in another (very closely related, so it makes sense to put them together, but you can segregate them if you wish. This would be inbound port 53 and 25, outbound only established, and port 53.) Your last segment would be a connection to the outside interface of a proxy server, which has its inside interface going to your corporate network.
This provides you with a reasonably secure border with little cost. You'll want to stay away from ISA for the proxy, as it has a nifty "auto-configure firewall" option that allows things like MS Messenger to work transparently through it, which may go against your policies.
1. Install 1 client the way you want it. Remove any unwanted services (i.e. all insecure M$ services = everyone)
2. Install 3'rd party replacement services (i.e. VPN)
3. Clone that system.
4. Configure a firewall to let through ONLY THE SERVICES YOU USE!
5. IDS. (FILE INTEGRITY on servers, HOST BASED on clients and NETWORK @ External/DMZ/Internal)
6. Make sure a competent person (Not an M$ certified retard) updates and monitors the security of the network.
If you CANNOT follow these SIMPLE rules; consider disconnecting your network from internet to be secure. The solution can be cheap, u just have 2 look for the right stuff 2 put there.
1. Secure Passwords. Most security breaches are from people who either have access to your physical workstations or break in using insecure passwords. Minimum 08 character passwords with upper and lower case letters, and punctuation, and every 90 day password changes.
2. Intrusion Detection Systems. Hogwash is my personal favorite, but I am biased as I am a contributor to the Hogwash project. But when configured properly, it can be your best friend... But if you do one thing wrong, your whole network comes to a screeching halt, so have someone do it for you if you don't know how..
3. Bait and Switch or Honeypots. If you're a client who is bound by Federal encryption and data security measures, throw in a honeypot like Bait 'n Switch; it could be a big help as well with your security set up.
4. Limit Access to your IT Systems. Don't let the "UPS" man (or whoever you think is the UPS man) into your Server Room(s) alone. Social Engineering is still a big thing.
5. Close off Un-Needed Ports Your services (Like FTP, Telnet etc etc..) can be big security risks, So close them if you dont need them. And then monitor your IDS logs.
This is just my advice for beginning to secure a network, if you have any questions please let me know.
---
So, yet again, that horrible imperialist nation of America has provided a resource to make the world a better place at no cost to the rest of the world.
NSA, USA tax $, safer computers for the world.
NIH, USA tax $, SARS research, Cancer Research, AIDS & HIV research, etc.
EPA, USA tax $, Environmental protection, etc.
So I start to wonder...when is the rest of the world going to start paying for this stuff or even thank us for it.
(s)he'd be slashdotted and no one would get through to test his network.
Everyone knows its spelled 'Crisco'
luser.
and, er, loser.
I live in a 2nd-world country where I was informed that the local authorities will steal your business.
One problem with that: they can't.
To steal my business, they'd have to know the processes, and be able to do the work I do. They can't do it, though. Of course, if they want to learn, they have to get through my security procedures:
(1) They have to deal honestly with me. No shiftlessness, no "secret plans", no coming and asking for money or a loan [I loan *once*, then wait for repayment, except with widows], and then if I say no, saying "well, I know how I'll get the money anyhow..." As you say, diversify: limit your losses.
(2) They have to work hard, even when the payoff seems small. Sorry, I can't pay a lot: business expenses beyond paper and wages include taxes and regulations, but that means business expenses are big. BUT if they work hard, then as soon as I can justify paying them a reasonable or good wage, I will.
(3) They have to be self motivated: if they are capable of carrying a large section of the business, they are also going to be capable of expanding it.
Once they get past those three security procedures, THEY DON'T NEED TO STEAL MY BUSINESS! I make them partners. And by then? They've earned it, and they're capable, and they're interested in the welfare of business.
Meanwhile, on the computer we do have passwords.
Other things I do to help keep the place secure: keep the computers working as much as possible. [A computer with a happy worker is safer than a computer in a safe.] Don't let in people who have no business being there. Don't attract too much publicity in any case. Don't steal from others: you make them want to find a way to steal from you, just to get back. Maintain an attitude of justice and openness: it comes back to haunt you, and that's a good thing. Don't be trivial with other people's lives -- hiring, firing, and such: it is better to pay a lower wage that you can keep on paying, even during dry periods, than to pay a higher wage and then lay the workers off.
Those are *my* basic security measures. Maybe they'll work: we'll see.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
> I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network?
This is almost a meaningless question, posted as such. You also need to ask the following: What is the approximate value of what you're trying to guard? How long until it loses that value? For any given attack that costs less money and time than the answers for the first two questions, can your attackers obtain those resources? Given those considerations, of course the NSA is going to have different considerations than you are about what constitutes a secure network, and so will everyone else. Differences between them aren't necessarily indicative of an insecure network.
For example, if you ask people in here about DES encryption, most will say they don't consider the use of DES a secure practice. After all, messages encrypted with DES have been broken in a short amount of time by a large distributed project, and can be broken even faster using specialized hardware, which, last I heard, was extremely expensive to produce, but possible.
But if I am using it to encrypt my email, and the most valuable piece of information I'll send is an Amazon.com coupon that expires in a week? In such a case, the only attacker I am really going to be worried about is a casual observer. After all, the coupon is probably not worth the cost it would take to break DES (question 1). Even if it were a $1000 coupon, then the time it would take to break it would probably exceed the time before the coupon was used or expired (question 2). We can discount the attackers owning specialized hardware to decrypt DES quickly, and attacks that take that into account (question 3). Such a party might be reading my email, but if you're being monitored by them, I have bigger problems than an amazon.com coupon.
In such a case, I would argue that the usage of DES is not an insecure practice. Yes, DES won't protect me if the FBI REALLY wants that Amazon.com coupon...but if it has gotten to that point, who cares?
Don't forget that hardware and software solutions such as firewalls, filters, IDS' etc. are only a part of the solution. The humans working with the systems can render almost any security system useless, either on purpose or by accident.
Any security policy worth its name must address the "soft" security issues. That includes many topics, including how you classify data, how you work with access levels, how you ensure data integrity, how you screen or do background checks on employees (depending on their position). Users need security training; they aren't supposed to be security professionals, but they do need some basic understanding of the concept of computer security. No systems are 100% perfect, so every now and then something ugly will slip past, and then, scary as it is, users become your last line of defence.
Also, think about the security of employees; with the technical countermeasures in place it might be easier for a dedicated attacker to bribe, threaten or fool an employee. Nearly no one has any system in place to stop employees from burning data onto a CD or putting it on a simple USB storage device that fits nicely in the shirt pocket.
The list goes on and on, but I'll stop here. My point is that firewalls, IDS', security audits etc. are only one part of the equation. Anyone who hasn't addressed the "soft" issues and answers yes to the question "Are you secure?" might be in for a rude awakening..
Mattias
Has anybody tested this? http://www.astaro.com
Looks somehow interesting, has a nice web-based GUI: stateful firewall, IPsec VPN, remote access, anti-spam, anti-virus, proxies. Seems to be a dedicated Linux distro with some proprietary extensions.
In this example, we want to achieve secure webmail. The internal server is running an IMAP server. The VPS (Virtual Private Server) is running Apache and a web mail program that connects over IMAP (e.g. SquirrelMail).
You create a passwordless SSH port forwarding from the IMAP server towards the remote VPS (Virtual Private Server).
And then to create the SSH port forwarding for IMAP.
And then set the webmail to use port 10143. I'm using a high port number so that the SSH forwarding can run as a non-root user.
I now only need to figure out how to automatically reconnect if the SSH connection dies.
So the internal network has no open ports. And even if the VPS gets hacked, they can't connect to the internal network (all the connections start from inside).
Has anyone tried out anything like this?
Can anyone point out any possible security problems?
END TRANSMISSION
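The reverse forward described in the post above, with the reconnect loop the poster was still looking for, as an added example (this is not the poster's script). It assumes a placeholder VPS host `webmail-vps`, an unprivileged account `tunnel` on the VPS, a passwordless key at `/home/tunnel/.ssh/id_tunnel` on the internal host, and IMAP on port 143 of the internal server; all of those names are constructed.

```shell
#!/bin/sh
# Added example (not from the post): reverse SSH forward that publishes the
# internal IMAP server on a loopback port of the VPS, wrapped in a reconnect
# loop. VPS_HOST, VPS_USER and KEY are constructed placeholders.

IMAP_HOST=127.0.0.1      # IMAP server as seen from the internal host running ssh
IMAP_PORT=143
REMOTE_PORT=10143        # high port: the VPS side needs no root to bind it
VPS_HOST=webmail-vps     # placeholder
VPS_USER=tunnel          # placeholder, unprivileged account on the VPS
KEY=/home/tunnel/.ssh/id_tunnel   # placeholder, passwordless key on the internal host

# Build the ssh command line.
#  -N                      no remote shell, forwarding only
#  -R 127.0.0.1:10143:...  listen on the VPS loopback, send connections back here
#  ExitOnForwardFailure    exit (so the loop retries) instead of sitting without a forward
#  ServerAlive*            notice a dead link within about 90 s instead of hanging
tunnel_cmd() {
  printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:%s:%s %s@%s' \
    "$KEY" "$REMOTE_PORT" "$IMAP_HOST" "$IMAP_PORT" "$VPS_USER" "$VPS_HOST"
}

# Run a command and restart it each time it exits.
#   $1 = maximum number of starts (0 = forever), $2 = seconds between starts,
#   remaining arguments = the command. Prints the number of starts made.
run_with_reconnect() {
  max=$1; delay=$2; shift 2
  n=0
  while :; do
    n=$((n + 1))
    "$@" || :                       # ssh exiting is expected; never abort the loop
    if [ "$max" -gt 0 ] && [ "$n" -ge "$max" ]; then break; fi
    sleep "$delay"
  done
  echo "$n"
}

# Start the tunnel only when invoked as "./tunnel.sh start", so sourcing the
# file for its functions has no side effects. Word splitting of $(tunnel_cmd)
# is fine here because none of the values contain spaces.
if [ "${1:-}" = "start" ]; then
  # shellcheck disable=SC2046
  run_with_reconnect 0 10 $(tunnel_cmd)
fi
```

Two points for the "possible security problems" question. First, the key on the internal host authorizes a login on the VPS, so limit what it can do there in `authorized_keys` (OpenSSH option names): `restrict,port-forwarding,permitlisten="10143"` leaves the key able to open only this one listener and no shell. Second, "no open ports" holds for the firewall, but the tunnel itself hands anything running on the VPS a path to port 143 of the IMAP server, and IMAP logins cross the VPS in the clear inside the tunnel; a compromised VPS therefore still sees credentials, so the webmail front end should be served over TLS and the IMAP accounts treated as exposed if the VPS is.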
People still frequently use hubs, especially if they have a "server" half of the network that is separate from the "office" half.
For example, here at work, running ethereal from my desktop machine will only get me traffic to and from my machine, and broadcast chatter. However, running tcpdump on one of the servers I have root access to shows me the traffic to and from just about everything in the server room.
And this isn't just the setup here; it's quite common in small office environments to be set up like this. Now, with unencrypted logins, this would mean that we're one root exploit (though our current firewall situation would make controlling the root exploit a bit difficult; that's a different story) away from all of our servers being compromised. With encrypted traffic everywhere, the damage is contained.
Why isn't anyone mentioning S/Key?
I can't think of anything more safe than disposable passwords.
I talked to the fellow that ports packages over at SunFreeware, but it never got done. I'm beginning to wonder if there is some other disposable password package to which most everyone has switched and of which I'm not aware.
Anybody?
- OrbNobz
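For readers who have not met S/Key, here is the mechanism behind the "disposable passwords" the post above refers to, as an added example (not S/Key's own code, and not from the poster). S/Key hashes a secret seed N times and hands out the chain from the top down, so each password used lets the server check the next one but reveals nothing usable for a replay. This example keeps that structure but uses SHA-256 hex digests instead of S/Key's 64-bit folded MD4 and its six-word encoding; the seed, the counts and the state file path are constructed.

```shell
#!/bin/sh
# Added example: hash-chain one-time passwords in the style of S/Key.
# Seed, counts and STATE_FILE are constructed values, not from the thread.

# Hex SHA-256 of a string (works with either sha256sum or shasum).
h() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# chain SEED N  ->  h applied N times to SEED (N = 0 returns the seed itself).
chain() {
  v=$1; i=0
  while [ "$i" -lt "$2" ]; do v=$(h "$v"); i=$((i + 1)); done
  printf '%s' "$v"
}

# Server side keeps only the top of the chain and the sequence number, never
# the seed. State file format: "<n> <h^n(seed)>".
STATE_FILE=${STATE_FILE:-./skey_state}

enroll() {   # enroll SEED N : initialise the server with h^N(seed)
  printf '%s %s\n' "$2" "$(chain "$1" "$2")" > "$STATE_FILE"
}

# verify PRESENTED : the client sends h^(n-1)(seed); hashing it once must give
# the stored h^n(seed). On success the stored value is replaced by the one just
# used and n drops by one, so sending the same password again is rejected.
verify() {
  read -r n stored < "$STATE_FILE"
  [ "$n" -gt 0 ] || return 1                    # chain used up: re-enroll a new seed
  [ "$(h "$1")" = "$stored" ] || return 1
  printf '%s %s\n' "$((n - 1))" "$1" > "$STATE_FILE"
  return 0
}

# Client side: it knows the seed and is told the current n by the server's
# challenge, and answers with h^(n-1)(seed).
client_otp() { chain "$1" "$(( $2 - 1 ))"; }

# Demo when run as "./skey.sh demo": first use accepted, replay refused.
if [ "${1:-}" = "demo" ]; then
  enroll "constructed seed" 3
  otp=$(client_otp "constructed seed" 3)
  verify "$otp" && echo "first use accepted"
  verify "$otp" || echo "replay rejected"
fi
```

The property that makes this usable over a sniffed hub (see the comment on hubs earlier in the thread) is that an eavesdropper who captures h^(n-1)(seed) cannot compute h^(n-2)(seed) without inverting the hash. It does not protect against an attacker who sits in the middle of a live session or who phishes the next password and uses it first, and the seed must never travel over the network, which is why the server stores only the chain top.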
The administrator IS the network.
The purpose of IT security is to protect the 'I', not the 'T'. For those of you who have forgotten, the 'I' stands for 'Information'. Information is power, and power has worth. The cost of your security should not be greater than the replacement value of your Information.
The replacement value can be difficult to calculate, as you may have to include damage-control costs in there as well (read: public embarrassment).
My point is, you can have all the security in the world, given an unlimited budget - but there's no point if the information you're trying to protect is virtually worthless.
Having a dedicated firewall between every PC/server/router and armed guards with semi-automatic weapons, and three-factor authentication on a fully AES-encrypted LAN is probably very good security if you're guarding the login codes to Fort Knox. But not necessarily if you're just trying to protect your corporate LAN. There are more efficient ways to provide adequate protection.
[RANT] This goes even further than IT. Look at the Government of Canada gun registry. One billion dollars over-budget. Ok, so it's Canadian Pesos, but it's still a lot of money. And they have the nerve to say 'If it saves even one life, then it will be worth it'. That's bull. One billion dollars can save a lot more than one life, if used effectively. [/RANT]
Just like everyone else, my 2c worth.
spot the sysadmin!
3) Profit!!
*ducks*
That's a good one!
Shouldn't you point the link to: http://www.homestarrunner.com/trogdor.html???
HallmarkOrnaments.Com
Feasibility through simplicity:
I wrote a very simple script that I pushed to all the workstations that will call scp and push the files they want to the right workstation.
Never had one complaint.
The key is to keep users informed! -> Training...!
-- Leeeter than leet
Don't discount the NSA guidelines straight away; there are a lot of valuable, commonsense and straightforward procedural improvements within them. I have recently been using the NSA Router security guide. It's quite Cisco-specific, but it's the concepts that are important; they can be applied to other vendors as well.
Cheers,
James
Think outside the box -- your wastebasket and telephone can be crippling security holes.
And like FreeLinux said, do it regularly. It's like going to the dentist, you just have to keep doing it over and over.
An urban legend, according to Sun at least.
---- I've fallen, and I can't get up.
OK, assuming you don't need encryption, and don't have the CPU overhead to support it, FTP still is not necessarily the best choice. You speak of "transfers at line speed", but on a multiple access/collision detection network (such as Ethernet) there's no such thing. If the network's not busy, you can get pretty close, and it probably doesn't matter what protocol you use. But my own experience, and what I understand of how the protocols work, suggests that HTTP works better than FTP on a busy network.