Securing Your Network?
Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."
I heard about this honey pot feature for network security. I installed them on each user's computer, but they keep using the honey in their tea. Maybe it was not installed correctly?
Since you posted this on /. you obviously aren't interested in security through obscurity!
I don't think I am the only one spending evenings and weekends playing around with yet another IDS.
Think again!
The way I secure my systems is not to put them on a network, though it does make email a bitch...
I look on the stock market: diversify. Don't put all your eggs in one basket.
Thanks for the link, I didn't know what diversify meant.
Get all your shit working. Cut the lan/wan/internet lines, brick it in with no doors and spray the outside with teflon.
Hire a muscle head with an 8th level Edu to guard the brick box with a baseball bat.
Other than that you're just playing the odds like the rest of us.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Step 2) Arrange equipment in nice steel shipping container.
Step 3) Toss the entire thing into the bowels of either your local foundry's furnace or your closest actively erupting volcano
Step 4) Giggle because the poster never said the network had to work or anything....
I'm a little tea pot.
... don't put up any security, and don't put anything important (worth losing) on the box. Eventually, boredom will set into the hackers and they'll go onto something more challenging...
At least I hope they will....
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Not just diversify, but think in layers
I laughed my ass off when I read this, because I read it as "think in lawyers". Security through litigation? If only that didn't happen.
Ogres have layers, onions have layers.
Ogres are not like cake.
1) Fire developers
2) Fire users
: .. cut the lan/wan/internet lines ..
:
This is a very important part that is often overlooked, as demonstrated by the following example:
The University of North Carolina has finally found a network server that, although missing for four years, hasn't missed a packet in all that time. Try as they might, university administrators couldn't find the server. Working with Novell Inc. (stock: NOVL), IT workers tracked it down by meticulously following cable until they literally ran into a wall. The server had been mistakenly sealed behind drywall by maintenance workers.
3.243F6A8885A308D313
I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?
Probably professionals who weren't picked to be the "security guy" by a game of spin the bottle at the last office meeting.
Really, we will.
We won't break too much along the way.
We promise.
(It's humor, laugh.)
NetInfo connection failed for server 127.0.0.1/local
In my experience working on securing networks, I have found that the best approach is "Security through apathy". Sure I can get rooted easy, but boy do I have loads of free time now!
I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.
1) There should be no single point of failure on a secure network. Can't depend on a single firewall, VPN, or user password. Simple rule: three keys/passwords/persons to open system critical 'doors'.
2) Secure LANs are behind rings of security. Three rings is okay. More is better. Anything under 3 rings is SOHO stuff.
3) Use computer-generated passwords. Yes, it's hard to remember, but it's better than to depend on Joe to come up with something good. Force it on them. Remember it will be your arse if security is broken, not theirs.
4) Do regular white hat scans on your network. Try to break in.
5) I don't run anything remotely; if you must, then SHA1 and SSH2 are a must.
6) Use Linux/BSD
7) Do complete backups every night (with HDAs getting so cheap there is no reason not to)
8) Real important, arse-critical stuff is not connected on a networked machine; such machine has no fda's, cdrw, cd's, usb's etc.
...anyway? Windows 2003 firewall includes all the security you'll ever need, unless a Morgan Webb lover hits your site up.
"Securing" your networks hampers our efforts to roam freely through them, searching for any files/activities/writings that contravene the "Freedom from Thoughts" act, thus directly supporting terrorism.
Trying to get advice on how to secure your networks interferes with our self-described legitimate efforts to make sure you aren't doing/listening/reading/thinking/considering thinking about things we've decided you shouldn't.
Now just stand over there in the corner and wait. We'll be by to pick you up in a little while. And remember, running away supports terrorism.
Use WindowsME with file sharing enabled and no patches as your firewall. Hackers will explode with excitement before they can intrude...leaving nothing behind but steaming puddles of Dr Pepper.
You might think I'm joking but this actually works! Go ahead and try it, then post your IP address to this site. Your boss will thank you for the amazing audit!
(-1, Raw and Uncut is the only way to read)
Your network is pretty secure compared to the average. However, ...
Your root password is "sheila".
Your social security number is 182-90-6134.
You just broke up with your girlfriend.
And you really ought to get a disk-wipe program to remove all traces of those deleted pornos.
- For the complete works of Shakespeare: cat
I use Windows XP and content advisor. Nobody can touch me now.
Our network is Novell, our e-mail is groupwise, and we don't use Cisco products.
Aaah yes... "Security through obsolescence".
OpenBSD, the latest, on a machine that is turned off and unplugged from everything. It seems secure so far...
Shrek: Ogres are like onions.
Donkey: They both smell?
Shrek: NO! They have LAYERS. There's more to us underneath. So, ogres are like onions.
Donkey: Yeah, but nobody LIKES onions!
Took you long enough. We were talking about how insecure telnet was when I worked at CU back in '93. :)
- Necron69
Why not just install Win2k and IIS/5.0 on every machine using the default settings? That is what my company did.
I stopped paying my DSL bill last month, I will be secure any day now!
What about parfait? Everybody likes parfait.
(If you don't get it, you don't have a 3yr old Shrek junkie in your house)
Do not taunt Happy-Fun Ball
Oh, one other thing.
:)
I like to put the following message in my MOTD, and I don't just say it, I DO it!
-------
Welcome!
You should know that all critical logs are being printed in hardcopy
form at the System Administrator's desk and domicile. Unless you plan
on performing a physical B&E to accompany your virtual one, leave now.
You have also passed through a transparent tracking appliance that is
monitored 24/7 by a third party, and is determining your point of
origin at this time.
Don't let the port hit you on the way out!
-------
Oops, so much for keeping it simple...
- OrbNobz
$posts++; $karma--;