Securing Your Network?
Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."
> I don't think I am the only one spending evenings and weekends playing around with yet another IDS.
Unfortunately, I suspect that we are among the few that do. Especially when you look at this and this.
I would say that you are definitely on the right track and that your network is probably more secure than most. Certainly more so than those that will respond to you here. The fact is that if you are in doubt, you should have an audit performed by a security expert. This person will review your policies, procedures and configurations and make appropriate recommendations. Additionally they will perform penetration testing both from inside and out and make subsequent recommendations.
As I said above, I think you are on the right track and would guess that you have taken all of the necessary steps, and are hearing the complaints from your user community. But, the only thing that I would add is that you should never become complacent. Test your security regularly and use multiple tools to do it, and always the latest versions. Don't rely solely on a Nessus or nmap scan to validate your security. Also, when testing, remember that it isn't just a matter of whether you get in or not, you should also make sure that the attempt is properly caught in the logs, regardless of the attempt's success or failure.
To answer the question and second you, I *have* read the NSA docs along with a bunch of other stuff and you are 100% right. The knowledge and information to secure a network and secure it right is out there and it is just lazy not to know it if you are a person who is supposed to be doing this stuff. Start with "Secrets and Lies" to get you in the right frame of mind and then start reading the rest of the stuff. Then you can do it right.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
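The post above makes the point that a test is only half done until you confirm the attempt shows up in the logs. The following is an added example, not code from anyone in this thread: it parses a handful of constructed syslog/OpenSSH-style lines (the addresses are documentation ranges, the failure threshold of three is an assumption) and answers two questions: which sources crossed the threshold, and did my own probe get recorded at all.

```python
"""Log-review check: did the test attempts actually land in the logs?

Added example, not code from the original thread. The log lines below
are constructed in syslog/OpenSSH style for this example; the addresses
are documentation ranges and the failure threshold is an assumption.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: four password failures and one tcp_wrappers denial
# from a test scan, plus one legitimate key-based login.
SAMPLE_AUTH_LOG = """\
Feb 11 02:14:01 gw sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb 11 02:14:03 gw sshd[4123]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Feb 11 02:14:05 gw sshd[4125]: Failed password for root from 203.0.113.7 port 51238 ssh2
Feb 11 02:14:09 gw sshd[4127]: Accepted publickey for barkmullz from 192.0.2.10 port 40022 ssh2
Feb 11 02:15:44 gw sshd[4130]: refused connect from 203.0.113.9 (203.0.113.9)
Feb 11 02:16:00 gw sshd[4131]: Failed password for root from 203.0.113.7 port 51240 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>[\d.]+)")
REFUSED = re.compile(r"sshd\[\d+\]: refused connect from (?P<src>[\d.]+)")


def parse_auth_log(text):
    """Turn raw lines into (kind, source, user) tuples; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            events.append(("failed", m["src"], m["user"]))
            continue
        m = ACCEPTED.search(line)
        if m:
            events.append(("accepted", m["src"], m["user"]))
            continue
        m = REFUSED.search(line)
        if m:
            events.append(("refused", m["src"], None))
    return events


def summarize(events, fail_threshold=3):
    """Sources over the failure threshold, wrapper denials, and successful logins."""
    failures = Counter(src for kind, src, _ in events if kind == "failed")
    tried_users = defaultdict(set)
    for kind, src, user in events:
        if kind == "failed":
            tried_users[src].add(user)
    alerts = {
        src: {"failures": n, "users": sorted(tried_users[src])}
        for src, n in failures.items() if n >= fail_threshold
    }
    refused = sorted({src for kind, src, _ in events if kind == "refused"})
    accepted = [(user, src) for kind, src, user in events if kind == "accepted"]
    return {"alerts": alerts, "refused": refused, "accepted": accepted}


def probe_was_logged(events, probe_src):
    """The post's point: after a test, confirm your own attempt shows up at all."""
    return any(src == probe_src for _, src, _ in events)


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    print(summarize(evts))
    print("probe logged:", probe_was_logged(evts, "203.0.113.7"))
```

Run it against the real auth log on the host you just scanned (`parse_auth_log(open("/var/log/auth.log").read())`) and pass your scanner's source address to `probe_was_logged`; a `False` there means the log pipeline, not the firewall, is what needs fixing.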
> I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?
I honestly have read every NSA guide publicly available on nsa.gov; they are usually in-depth and are a good starting point (with the exception of the DNS guide). I don't blindly accept everything they say; however, it's my tax dollars working for me for once.
By using multiple products, you indeed have a better chance of detecting and defending against attacks... That is, of course, assuming that you have someone trained to set up, monitor, maintain, and tweak each system you put into place AND that the correspondence between the parties responsible for each system allows correlation of seemingly unrelated data that indicates an attack or intrusion that would not be detected otherwise...
The potentially enhanced visibility made available by using a heterogeneous security implementation comes only at the expense of additional training and staff, and more complicated maintenance, monitoring, and communication. Be aware of the trade-off.
Also, security tools are nothing absent policy/procedure implementation/refinement/education/awareness/enforcement/etc.
Invest the majority of your resources into learning how your users make use of the system and then develop and put security procedures into place that encourage secure computing instead of putting systems into place that make their jobs harder and encourage them to bypass your security measures.
Probably HTTP, SMTP, FTP, SSH that's all.
:)
Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Ya, so the users complain about it, but they'll get over it. The University I attend recently switched from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you.
"I either want less corruption, or more chance
to participate in it." -- Ashleigh Brilliant
What does running Cisco gear have to do with security? Your Cisco stuff is talking layers 1, 2, and 3, far below your applications. Unless you can't figure out how to set up an ACL to block packets, your Cisco routers and switches have very little to do with your security, assuming you have decent passwords on them. You can even turn off ports you aren't using to make sure someone can't plug in a rogue PC, or limit ports to only one MAC address.
Don't let any attachments in.
Have DMZs.
Pay attention to bugtraq and errata postings.
Nmap every once in a while.
Only have two ssh's open to get in and have the IPs defined in hosts.allow.
ALWAYS upgrade when security bugs are fixed.
Have snort on the main DMZ in a promiscuous switch port, get some nice-looking reports going.
Pay attention to bandwidth usage (cricket).
Add a dash of portsentry+tcpwrappers.
Don't act macho and send nasty letters to people who try to get in.
Maybe, don't return pings (tcp-reset) or portscans.
Bind 9 with zones.
Check all logs all the time (3 times a week).
KISS = keep it simple stupid.
Don't hire lazy admins.
Try out all new security related programs.
I SHOULD be sending most all logs to a central host.
Make sure MS admins don't totally let their guard down.
*pant*pant*. ummmmm, that's about it for now.
Oh and don't enable web crap on routers etc (more ports open).
ssh for everything.
shut down telnet.
https for everything.
Try to protect email, imap, pop (plaintext over the network).
Read the "security" section of all apps you install and try to KISS.
ummmmmmmm, that's about it for me.
everyone already knows this but I'm just throwing in my 2 cents :-)
... I'll give a serious answer.
I work for a moderate sized engineering consultation company (500+ employees all over the east coast). We have over a dozen offices from Florida to Maine. All are connected by a VPN using frame relay. At each access node, there is a Cisco router/switch controlling what traffic can come in and out. Behind that is a firewall, NAT, and DHCP server (each office runs on a separate private IP group). All external traffic (i.e. not on the VPN) must go to the main headquarters and pass through the proxy before making it out to the "real world." We also have several web, ftp, and email servers in the private IP realm that are NAT'd to the outside. All incoming packets from the outside world must go through the router, firewall, NAT, virus scanner, and mail content scanner (read: anti-spam detector) before making it to the target machine.
Software-wise, we are Novell users (mod me down if you want, but it is a hell of a lot better than M$). Every user has 1 concurrent log-in with very few exceptions (IT staff being 1 of them). Users cannot pass through the proxy or access any file servers without full LDAP authentication. This includes email, web browsing, ftp, etc. All logins are fully logged to time, machine and duration. Passworded screen savers automatically kick in after 10 minutes of idleness and users are auto-logged off after 30 minutes of idleness. Strong passwords are enforced (9+ characters, 3 of 4 of {CAPS, lower, 1234, !@#$}, no repeating of past passwords, no dictionary words). L0phtcrack is used randomly to check for weak passwords.
I consider our systems to be fairly secure, given that most of the system is redundant as well as obscure to all but a few people in IS. It's a combination of cyber-armor and security through obscurity.
Hope this helps.
Nothing fails quite like prayer.
Make an attack tree. All it takes is pencil and paper.
For my home network, it's pretty simple. Just me and a few computers, and few assets to protect. One of the trees might be how people might steal my pr0n collection. No big deal.
Once you have your attack trees written out, then you secure and document how you secure against each and every one of the attacks. For my pr0n collection, it comes down to 1) locking the front door and windows to my house 2) setting the burglar alarm 3) running a firewall 4) keeping my software up to date 5) having an offsite backup, encrypted with a trusted method. My pr0n is reasonably safe from being stolen. Notice how my attack tree has some physical attacks in there, thus the listing of good door locks in the security actions?
The end.
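The attack tree in the post above is done with pencil and paper; it is worth seeing the same thing as a small program so the "which attacks are still open" question can be re-asked every time a control changes. This is an added example and not the poster's own tree or code: the node names, the three attack branches and the mapping of the post's five controls onto leaves are my assumptions, chosen to mirror the pr0n-collection scenario.

```python
"""Attack tree with AND/OR nodes: which attack paths are still open?

Added example, not from the original thread. The tree structure, leaf
names and control-to-leaf mapping are assumptions modelled on the
post's home-network scenario.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    op: str = "LEAF"            # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)
    mitigated: bool = False     # leaves only: a control defeats this step


def achievable(node):
    """True if the attacker can still reach this node's goal."""
    if node.op == "LEAF":
        return not node.mitigated
    results = [achievable(c) for c in node.children]
    return all(results) if node.op == "AND" else any(results)


def open_paths(node):
    """Every combination of unmitigated leaves that still completes the goal."""
    if node.op == "LEAF":
        return [] if node.mitigated else [[node.name]]
    if node.op == "OR":
        return [p for c in node.children for p in open_paths(c)]
    # AND: the attacker needs one open path under every child (cartesian product)
    paths = [[]]
    for c in node.children:
        child_paths = open_paths(c)
        if not child_paths:
            return []
        paths = [p + q for p in paths for q in child_paths]
    return paths


def build_tree():
    """Root goal with three branches: physical theft, remote theft, backup theft."""
    return Node("steal the collection", "OR", [
        Node("physical theft", "AND", [
            Node("enter the house", "OR", [Node("force front door"),
                                           Node("climb through window")]),
            Node("leave with the disk unnoticed"),
        ]),
        Node("remote theft", "AND", [
            Node("reach a listening service from the net"),
            Node("exploit an unpatched service"),
        ]),
        Node("steal the backup", "AND", [
            Node("take the offsite tape"),
            Node("read the tape contents"),
        ]),
    ])


# The post's five actions, mapped to the leaves each one defeats (assumed mapping).
CONTROLS = {
    "lock doors and windows": ["force front door", "climb through window"],
    "burglar alarm": ["leave with the disk unnoticed"],
    "firewall": ["reach a listening service from the net"],
    "keep software up to date": ["exploit an unpatched service"],
    "encrypted offsite backup": ["read the tape contents"],
}


def apply_controls(node, controls):
    """Mark leaves covered by the given controls as mitigated; others are reset."""
    covered = {leaf for leaves in controls.values() for leaf in leaves}

    def walk(n):
        if n.op == "LEAF":
            n.mitigated = n.name in covered
        for c in n.children:
            walk(c)

    walk(node)
    return node


if __name__ == "__main__":
    tree = build_tree()
    print("before controls:", open_paths(tree))
    apply_controls(tree, CONTROLS)
    print("after controls: ", open_paths(tree), "achievable:", achievable(tree))
```

Dropping one control from `CONTROLS` and re-running `open_paths` shows exactly which leaf combination reopens, which is the "document how you secure against each and every one" step from the post made mechanical. Note that the tape branch is only closed by encryption; physically losing the tape is accepted as long as it cannot be read.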
If tits were wings it'd be flying around.
Seriously, it's true. Security isn't something you set up and put into place and just let it fester or sit.
What you've done is started packing for the journey. Gathering your tools and getting it all setup to go with you as you move forward.
But as effective as some security measures are, they still need to be tended to. Watched over. Tweaked. That's the journey.
Along the way, you will find new tools. You might even be waylaid by someone with better tools than you. Surely, you haven't arrived.
And you never will. Your security, through watchfulness, effort, and action, will improve as you improve and move forward.
It is bad security to see security as something you plan, implement, and walk away from. That leaves you prone to holes and highly creative or bored individuals out there.
Security is something that is ongoing.
A home user using a simple firewall package who is diligent with watching the logs and keeping up on security bulletins for the software, the os, and the system in general will be much safer than a multi-layer security system that no one bothers to watch or that can't be easily understood by those watching.
Winged Power Photography
You need people like me so you can point your fucking fingers, and say "that's the bad guy."
There's not a whole lot new and interesting in terms of security on the network side of things. Lay out your network properly, use a DMZ, firewall (preferably Linux's iptables with stateful firewalling and something like shorewall to make it easy to use) and use IDS etc. Actually, one kinda new and interesting thing you can do on the network side of things is to use User Mode Linux to set up a fake network (all running on one box) of tempting looking target machines simulating your production network and watch for people to poke at it. It serves as a good control subject to compare against your IDS results to reduce false positives. If anything is hitting your honeypot you know it's hostile.
But the real recent innovation in the host based security area is Mandatory Access Controls. ugo+rwx and unix uid's are all part of discretionary access controls. Users can make their .rhosts world writeable and can often use suid binaries or buffer overflows in daemons running as root to elevate their privs. But if you have a kernel enforced mandatory access control system these things cannot happen.
I have been playing with SE Linux for a while now and I really like it. I just created a security domain/role for the freenet daemon to run in. If someone exploits it and gets a root shell they will be trapped in freenet's domain which is restricted to least privilege. Even if they get root they cannot hurt the system. Mandatory Access Controls take the fangs out of root. I have put up my freenet domain config file for your viewing pleasure here. Note that it is still a work in progress. SE Linux is very flexible and secures the entire machine from any root exploit I have seen used in recent years. It would have prevented my personal box from being rooted by that ssh bug that came out a couple years ago!
As they say, it is "Military grade security at Open Source prices!"
True. However, there is another side to this picture: Total security costs should be related to the loss of revenue that is associated with your network being compromised. The level of security should be such that:
p(s) * V - C(s)
is maximized, or
d/ds ( p(s) * V - C(s) ) = 0
Where s is your level of security, C(s) is the total security costs, p(s) the chance that your network is compromised and V is the revenue loss (negative value).
Ok, this is what I do for a living and frankly I find WAY WAY WAY too many companies lock down ports, install patches configure a firewall well and then call their networks secure.
All of the technical fixes in the world are rubbish when the independent auditor requests a list of all users on the network, goes down to HR and discovers 20 or 30 active user IDs for people who don't work there any more. Worse, I'll find 5 or 10 more for people who have changed jobs but still have their old privileges. (The guy in Accounts Payable SHOULD NEVER be able to access the Accounts Receivable systems.)
Everyone in security knows a high percentage of exploits and a higher percentage of serious exploits are carried out by people who had valid access to the systems. Security for a network or a system begins in HR and the processes for granting, modifying and revoking system authority are much more critical than what ports are open. So what if you keep the script kiddies out when your CIO's secretary writes herself a cheque for $1,000,000? If you're serious about securing your network, figure out what your users can do that they shouldn't and look to developing systems to prevent internal breaches.
When I do a network security audit, first I test the following: Segregation of duties and appropriateness of access, procedures for adding / changing and removing users, change management and a user access privilege testing. Is everything authorized? By who?
If those things pass muster, then I start actually looking at server room access, patches, firewall configuration, network diagrams, open ports, system auditing and security levels. It's not as sexy as pitting your skills against the crackers (what a f**ked up notion of sexy I have) but it's where you need to start if you're serious.
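The auditor's first pass above (account list versus HR, leftover privileges after a job change, Accounts Payable versus Accounts Receivable) is easy to script once the data is exported. What follows is an added example, not the auditor's tooling or anything from the thread: the HR roster, directory accounts, role-to-group entitlements and the single AP/AR conflict rule are all constructed for illustration, and the group names are assumptions.

```python
"""Access review: orphaned accounts, leftover privileges, segregation of duties.

Added example, not from the original thread. The roster, account list,
role entitlements and conflict rule are all constructed for this example.
"""

# Constructed HR export. bwong moved from AP to AR last quarter.
HR_ROSTER = [
    {"user": "jdoe",    "status": "active",     "dept": "accounts_payable"},
    {"user": "asmith",  "status": "terminated", "dept": "engineering"},
    {"user": "bwong",   "status": "active",     "dept": "accounts_receivable"},
    {"user": "ceo_sec", "status": "active",     "dept": "executive"},
]

# Constructed directory export: what the systems actually allow today.
ACCOUNTS = [
    {"user": "jdoe",          "enabled": True,  "groups": {"ap_users", "staff"}},
    {"user": "asmith",        "enabled": True,  "groups": {"dev", "staff"}},
    {"user": "bwong",         "enabled": True,  "groups": {"ap_users", "ar_users", "staff"}},
    {"user": "ceo_sec",       "enabled": True,  "groups": {"staff", "finance_admin"}},
    {"user": "oldcontractor", "enabled": True,  "groups": {"staff"}},
    {"user": "retired01",     "enabled": False, "groups": {"staff"}},
]

BASELINE = {"staff"}                 # every active employee gets this
ROLE_ENTITLEMENTS = {                # what each current role is allowed (assumed)
    "accounts_payable":    {"ap_users"},
    "accounts_receivable": {"ar_users"},
    "engineering":         {"dev"},
    "executive":           set(),
}
# Entitlement combinations one person must never hold together.
SOD_RULES = [({"ap_users", "ar_users"}, "AP and AR")]


def orphaned_accounts(accounts, roster):
    """Enabled accounts with no active HR record behind them (left or never hired)."""
    active = {r["user"] for r in roster if r["status"] == "active"}
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] not in active)


def excess_privilege(accounts, roster, entitlements, baseline=BASELINE):
    """Groups an active employee holds beyond what the current role grants."""
    dept = {r["user"]: r["dept"] for r in roster if r["status"] == "active"}
    findings = {}
    for a in accounts:
        if not a["enabled"] or a["user"] not in dept:
            continue                       # orphans are reported separately
        allowed = baseline | entitlements[dept[a["user"]]]
        extra = a["groups"] - allowed
        if extra:
            findings[a["user"]] = extra
    return findings


def sod_violations(accounts, rules):
    """Enabled accounts holding a forbidden combination of entitlements."""
    return sorted(
        (a["user"], label)
        for a in accounts if a["enabled"]
        for combo, label in rules
        if combo <= a["groups"]
    )


def access_review(accounts=ACCOUNTS, roster=HR_ROSTER):
    """Authorisation is the question for every finding returned here: by whom?"""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "excess": excess_privilege(accounts, roster, ROLE_ENTITLEMENTS),
        "sod": sod_violations(accounts, SOD_RULES),
    }


if __name__ == "__main__":
    for section, result in access_review().items():
        print(section, result)
```

The review keys everything off the HR status, not off whether the account happens to be disabled: `asmith` is still enabled after termination and `bwong` kept the AP group after moving to AR, which is precisely the pair of findings the post says it sees on most engagements. Feed it real exports and each non-empty result is a ticket with an owner's name on it.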
That's OK if you live in magical budget candy land, but for the rest of us, this is not an option.
And besides, firewalls are NOT (read again: NOT) the end-all of security. Most exploits and viruses attack the ports that are open anyway: your IIS webserver, your Exchange box(es), the FTP server etc. etc.
My 2 cents:
- lock down servers and workstations
- strip all rights from users and then give them ONLY the rights they need - update, update, update & patch
- firewall the edge of the network
- create a DMZ for all those vulnerable boxes on the edge of your network
- divide the network in VLANs (provided you take care of a big enough network)
- buy antivirus software with server-distributed automatic updates
- run a IDS on the edge of your network (snort et al)
- use Ntop (or a similar sniffer) for network traffic profiling so you can spot any anomalies
- Backup the important stuff every day and move the tapes offsite (make sure your backup WORKS; do a yearly restore drill)
- audit on a regular basis, either yourself or (if you live in magic budget candy land) by external consultants.
- AND MOST IMPORTANTLY:
EDUCATE YOUR USERS!
(which, admittedly, seems to be the hardest thing on my list, as I haven't managed to do it in 10+ years of network management.)
-- No Sig is a Good Sig
Firewalls are really not unlike locks on a door... with time someone'll get through. Intrusion Detection Systems don't do much good unless someone responds when an Intrusion is Detected -- not unlike a building alarm without an alarm company responding! I think this company, Counterpane, has an interesting approach. They have their own data centers doing 24x7 monitoring of their customers' networks so if any IDS has any suspicious activity, someone can respond immediately.
Use layered security...
Layer 1 - External Firewall - nothing comes in except exactly what you need where you need it to go to. HTTP only allowed in to the webservers, VPN to the VPN systems, etc. Tie an IDS into this firewall layer. SNORT works great...
Layer 2 - DMZ - Anything in this zone is considered compromised by default. Nothing further in should absolutely trust systems in this domain. Put at least one IDS in this zone..and make sure to not only check traffic from the outside, but track from this inside.
Layer 3 - Internal Firewall - Again...more security. Proxy servers, if you can, secured systems, more IDS systems, preferably a different one than the external one. Again, only let what data that you need to get through to get through.
Layer 4 - Internal network - VLAN's, IDS systems, and access lists. Make sure that traffic stays where it belongs, and make sure every system is backed up. Also, if you can afford it, Tripwire, or something along those lines...
CHECK YOUR LOGS If you don't review your logs regularly, you're begging to get hacked. You have to keep up on what's going on and update your defenses accordingly. A corollary...LOG EVERYTHING YOU CAN Disk space is cheap. Log everything...you may need it at some point...especially for after-attack forensics.
Make sure you are warned of possible intrusions somehow. My pager went off fairly often until I had my IDS systems tuned...but better an extra page and some minor panic than not knowing when a major hack happens...
What I used - Snort IDS, Cisco PIX firewalls, Linux box running IPFW, Cisco NetRanger IDS, Cisco Routers, 3Com & Cisco Switches, patched Windows boxes...(PATCH THOSE SYSTEMS OFTEN!)
-merlyn
Or find one that already exists, is well supported and is widely used.
the growth in cynicism and rebellion has not been without cause
Aaah yes... "Security through obsolescence".
Using that logic, Unix is also insecure.
-- Jim
In particular I recommend "Real World Linux Security" , second edition, by Bob Toxen, which contains a wealth of useful information.
Full disclosure: I know the author; I am doubtless biased. But I like the book and have found it quite handy.
Here's an excerpt from an Amazon reviewer:
Professional Wild-Eyed Visionary
The formula above assumes a simple risk-neutral actor, since the dollars are simply multiplied by probability. This is generally not the case for large negative events, like your house burning down or a major security breach. If it were, few of us would buy insurance, since
p(l) * V > q
is rarely true, where p(l) is the probability of loss in the period, V is the value lost, and q is the value of premiums in the period.
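The two posts above are worth carrying through with numbers: the first says pick the spend s that maximises p(s) * V - C(s) (V negative), i.e. where d/ds of that expression is zero; the reply says a risk-neutral reading of that formula would never buy insurance. This is an added worked example, not code from either poster. The functional forms p(s) = p0 * exp(-k s) and C(s) = s, the log-utility model for risk aversion, and every number used are assumptions chosen so the optimum has a closed form that can be checked against a brute-force search.

```python
"""Spend-versus-risk optimisation from the two posts above, worked numerically.

Added example, not from the original thread. The shapes p(s) = p0*exp(-k*s)
and C(s) = s, the log-utility model, and every number below are assumptions;
the post itself fixes only the objective p(s)*V - C(s) with V negative.
"""
import math

P0 = 0.5       # chance of compromise with no security spend (assumed)
K = 0.05       # how fast that chance falls per unit spent (assumed)
V = -1000.0    # loss on compromise, negative as in the post (assumed units: k$)


def p(s, p0=P0, k=K):
    """Probability of compromise at spend s: falls exponentially with spend."""
    return p0 * math.exp(-k * s)


def cost(s):
    """C(s): the spend itself."""
    return s


def objective(s, v=V):
    """p(s)*V - C(s): expected loss plus spend, both negative; bigger is better."""
    return p(s) * v - cost(s)


def optimal_spend(p0=P0, k=K, v=V):
    """Solve d/ds (p(s)*V - C(s)) = 0, i.e. -k*p0*exp(-k*s)*V = 1, in closed form."""
    return math.log(-k * p0 * v) / k


def numeric_argmax(lo=0.0, hi=200.0, step=0.01):
    """Brute-force check of the closed form over a grid of spend levels."""
    best_s, best_val = lo, objective(lo)
    s = lo
    while s <= hi:
        val = objective(s)
        if val > best_val:
            best_s, best_val = s, val
        s += step
    return best_s


def marginal_terms(s, p0=P0, k=K, v=V):
    """(marginal reduction in expected loss, marginal cost) at spend s.

    d/ds [p(s)*V] = -k*p0*exp(-k*s)*V, positive because V < 0; dC/ds = 1.
    At the optimum the two are equal: one more dollar of spend saves one dollar.
    """
    return -k * p0 * math.exp(-k * s) * v, 1.0


def risk_neutral_insures(p_loss, loss, premium):
    """The reply's point: a risk-neutral actor only buys if p*L > q, rarely true."""
    return p_loss * loss > premium


def risk_averse_insures(wealth, p_loss, loss, premium):
    """With log utility the same actor does pay a premium above the expected loss."""
    uninsured = p_loss * math.log(wealth - loss) + (1 - p_loss) * math.log(wealth)
    insured = math.log(wealth - premium)
    return insured > uninsured


if __name__ == "__main__":
    s_star = optimal_spend()
    print(f"optimal spend {s_star:.2f}, objective {objective(s_star):.2f}, "
          f"grid search {numeric_argmax():.2f}")
    print("marginal benefit vs cost at optimum:", marginal_terms(s_star))
    # expected loss 2 < premium 3, yet the risk-averse actor still insures
    print(risk_neutral_insures(0.01, 200.0, 3.0), risk_averse_insures(300.0, 0.01, 200.0, 3.0))
```

With these numbers the optimum is about 64.4 (ln 25 / 0.05), where the residual chance of compromise is 2% and the objective is about -84, against -500 at zero spend and about -103 at a spend of 100; overspending loses money just as surely as underspending. The insurance functions show the reply's caveat: at p = 0.01, loss 200 and premium 3 the expected loss is 2, so the risk-neutral formula says "don't buy", while log utility over a wealth of 300 says "buy".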
That setup is most likely illegal under the new HIPPA regulations that just came into effect in the last couple of weeks. Shut it down. Ask a lawyer. If there are patient records and a website on that server, and the server is compromised, the owner of the server is liable to extremely severe federal penalties, including criminal. If the physician isn't aware of HIPPA (Health Insurance Patient Privacy Act), they need to get with it. Otherwise your GF should resign, because she could get in trouble too. IANAL, but I work in the medical field. Don't risk it. Shut that server down. If they want a website, find a hosting company and upload it there--it's cheap, and you won't have to share the patient-info server with an internet connection. Believe me, this is no joke.
Everything I've ever learned the hard way was based on a statistically invalid sample.
Beyond just trying to make each component secure, consider individually the consequences of each being compromised. You don't get much provably secure stuff out there on store shelves, so assume everything may be vulnerable. Plan accordingly, so any one failure doesn't blow you wide open. And backup off-line. As other people have joked on this thread, the only secure network is switched off. Well having a snapshot of yesterday's data on off-line tape (or whatever) is just that: yesterday's network switched off.
* Disclaimer * - I work for a Security Testing Company.
1st step in security is to perform a risk assessment. The goal of Risk Assessment is to determine if the security controls for a system are fully commensurate with its risks. Without having an understanding of your risk you are unable to determine the proper security policies, procedures, guidelines, and standards to put in place to ensure adequate security controls are implemented. We want to avoid putting a $1000 fence around a $100 horse, but at the same time avoid undue risk.
Once that is completed, you need to create a security policy. This policy is what your company is officially trying to accomplish with its security initiatives. Until you know what your goals are, any money or time is not going to be well spent.
Once you believe you have your goals from the policy implemented, you may wish to have a Posture Assessment. Posture Assessment is the act of measuring the gap between your information security posture and your information security policy. This is a thorough review of your existing security policies where each stated goal is converted into a test module. Each test is run until a sufficient amount of data is collected to measure the existing posture (the security posture is what the company is actually doing).
Assuming the Policy and the Posture match, you may additionally wish to verify that all the bases are covered and request a verification Penetration Test on a specific set of systems with a stated goal for the test, or an out and out Ethical Hack attempt (same idea as a Penetration test, but not as limited in scope). This will uncover holes not covered by the Security Policy.
You should also consider periodic testing. Some of this should be done internally, some is best to outsource.
A security test is only valid if it is:
* Quantifiable
-- Can be numerically measured
* Consistent and repeatable
-- Two testers would receive the same test results at the same time
* Valid beyond the "now" time frame
-- Lasts and remains valid longer than the wet ink on the report
* Based on the merit of the tester and analyst not on brands
-- It is based on smarts and not expensive tools
* Thorough
-- A complete test where nothing is left untested from the scope
* Compliant to individual and local laws and the human right to privacy
-- Puts the protection of personal privacy before corporate data
Don't just limit inbound access, also setup an application proxy as your outbound route, and have all traffic go through it. That way you can not only decide what goes out and what doesn't, but you can also see what users are doing, and perform auditing when it needs to be done.
Here is an easy way to do it with a 4 armed firewall (pix 515 or similar)
|router|
|
|
| fw |-----| mail/dns dmz|
| |____
_________ |
|web dmz| |
--------- |
|
| proxy |
|
|
| corp net|
This thing looks like crap after stripping it down for the damn lameness filter, but hopefully you get the point. You basically have your border router hooked into a firewall, off of which hang three segments. You have your web server dmz in one (only allowing inbound port 80 and possibly 443 if you're doing ssl, outbound is only established connections), email/dns in another (very closely related, so it makes sense to put them together, but you can segregate them if you wish). This would be inbound port 53 and 25, outbound only established, and port 53. Your last segment would be a connection to the outside interface of a proxy server, which has its inside interface going to your corporate network.
This provides you with a reasonably secure border with little cost. You'll want to stay away from ISA for the proxy, as it has a nifty "auto-configure firewall" option that allows things like MS Messenger to work transparently through it, which may go against your policies.