Securing Your Network?
Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."
Allow only very few services and open just those ports. Probably HTTP, SMTP, FTP, SSH, that's all.
Keep Web and FTP on separate DMZ LANs.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
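One way to check the "only those ports" rule from Kevin's post is to compare what a host actually listens on against an allowlist. The script below is an added example, not code from this thread; it parses constructed text in the style of `ss -lntu` output (the sample is made up, not captured from a real host) and assumes the standard port numbers for HTTP, SMTP, FTP and SSH.

```python
"""Audit listening sockets against a small allowlist of permitted services.

Added example: parses constructed `ss -lntu`-style output and reports any
listener that is not on the allowlist. Loopback-only binds are reported
separately because they are not exposed to the network but still deserve
a look in a review.
"""
import re

# Allowlist taken from the post: HTTP, SMTP, FTP, SSH.
# Assumption: the services run on their standard ports.
ALLOWED_PORTS = {"tcp": {22, 25, 80, 21}, "udp": set()}

# Constructed sample output (not from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
"""

# proto, state, recv-q, send-q, local address:port
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(text):
    """Return (proto, address, port) for every socket line; skip the header."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(3), int(m.group(4))
        listeners.append((proto, addr, port))
    return listeners


def unexpected_listeners(text, allowed=ALLOWED_PORTS):
    """Split non-allowlisted listeners into network-exposed and loopback-only."""
    exposed, loopback = [], []
    for proto, addr, port in parse_listeners(text):
        if port in allowed.get(proto, set()):
            continue
        if addr.startswith("127.") or addr == "[::1]":
            loopback.append((proto, addr, port))
        else:
            exposed.append((proto, addr, port))
    return exposed, loopback


if __name__ == "__main__":
    exposed, loopback = unexpected_listeners(SAMPLE_SS_OUTPUT)
    for item in exposed:
        print("EXPOSED, not on allowlist:", item)
    for item in loopback:
        print("loopback only, review:", item)
```

On the sample data the telnet listener (tcp/23) and SNMP (udp/161) are flagged as exposed, while MySQL bound to 127.0.0.1 is reported as loopback-only. Run against real output, the same logic gives a quick answer to "did something get opened that the policy never allowed?".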
I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?
That's like saying you know someone has solved a very hard math problem that you need solved, but that you don't have time to find out how they did it. Why don't you read the literature not only from the NSA, but from the other various institutions that dedicate tremendous resources into investigating the problems you are trying to solve. It makes a lot more sense to do your research there rather than asking laypersons for their haphazard advice.
Go calculate something
A network is secure if it costs more to an intruder to break in than the value of the information being protected.
Network security must exist within a context of what is being protected and who would want to break in. If you are protecting your personal information, the amount of security that is needed is substantially less than if you are a major bank. Sure, your design might have some holes in it. In fact, I guarantee that it does, but if it's too much hassle to exploit those holes, then nobody's going to bother.
This sig has been temporarily disconnected or is no longer in service
"I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?"
Anybody who considers security important.
The Kruger Dunning explains most post on
What do you consider to be a secure network?
A properly patched one, Linux or Windows.
The coolest voice ever.
Here's what I would offer as a cornerstone for thinking about your systems' security: A secure component is one that keeps its word. That is, it provides guarantees -- assurances -- of its behavior, and it meets those guarantees. Because it provides these guarantees, other components can depend upon it (though they need not depend exclusively upon it). And once a system is built out of dependable components, staff can place their trust in it and not be betrayed.
Take an example: a firewall. A firewall is commonly thought of as a tool for blocking attacks or reducing exposure. I would suggest that it is, rather, a tool for providing assurance that certain traffic will not enter the network from a certain point. Systems behind the firewall should not be thought of as being made "more secure" (what muddy thinking!) on account of the firewall's presence. They should be thought of as receiving a guarantee from the firewall that certain traffic will not enter.
This allows for evaluation. Under the blocking-attacks model, we must rate a firewall as doing its job if it blocks attacks. Which attacks? "Uh -- some attacks, the ones from the other side of the firewall." But what about attacks from other places? "Uh -- the firewall can't help you there, it's only at the border." But then what good is it? "Uh -- it makes your security better. That's what everyone says." With a clear understanding of the guarantees the firewall provides, we can evaluate its success with a clearer mind: does it succeed or fail at meeting those guarantees?
(Microsoft's marketing folks recognize that people want dependability when they talk about "trusted computing". They're using it as a nasty trick, of course, but they have the right words. By "secure system" people don't just want a system that rejects today's attacks, but one that provides dependable assurances of its behavior. Too bad they are wasting the memetic capital of the phrase "trusted computing" on a despicable power grab.)
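The post above argues that a firewall should be judged on whether it keeps a stated guarantee, not on a vague notion of "blocking attacks". The following added example (not from the thread) makes that concrete: a tiny first-match rule evaluator plus a list of guarantees, each expressed as probe packets that must be denied at this point in the network. The rule set, addresses and guarantees are all constructed for illustration.

```python
"""Evaluate a firewall rule set against the guarantees it is supposed to keep.

Added example. Rules are (action, src_net, dst_net, proto, dst_port); the
first matching rule wins and anything unmatched is denied. A guarantee is a
name plus probe packets (src, dst, proto, port) that must all be denied.
All values below are constructed, not taken from a real network.
"""
from ipaddress import ip_address, ip_network

# Constructed policy: DMZ is 10.0.1.0/24, internal LAN is 10.0.2.0/24.
RULES = [
    ("allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", 80),     # public web
    ("allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", 25),     # public mail
    ("allow", "10.0.0.0/8", "10.0.0.0/8", "any", None),   # internal traffic
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),      # default deny
]

# Guarantees this firewall is meant to provide, as probes that must be denied.
GUARANTEES = {
    "no external SSH into the DMZ": [
        ("203.0.113.5", "10.0.1.10", "tcp", 22),
    ],
    "no external SMB into the DMZ": [
        ("203.0.113.5", "10.0.1.10", "tcp", 139),
        ("203.0.113.5", "10.0.1.10", "tcp", 445),
    ],
    "no external access to the internal LAN": [
        ("203.0.113.5", "10.0.2.20", "tcp", 80),
        ("198.51.100.7", "10.0.2.20", "udp", 53),
    ],
}


def decide(rules, src, dst, proto, port):
    """Return 'allow' or 'deny' for one packet under first-match semantics."""
    for action, rsrc, rdst, rproto, rport in rules:
        if ip_address(src) not in ip_network(rsrc):
            continue
        if ip_address(dst) not in ip_network(rdst):
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rport is not None and rport != port:
            continue
        return action
    return "deny"  # implicit default deny when nothing matches


def check_guarantees(rules, guarantees):
    """Map each broken guarantee to the probes that were wrongly allowed."""
    failures = {}
    for name, probes in guarantees.items():
        leaked = [p for p in probes if decide(rules, *p) == "allow"]
        if leaked:
            failures[name] = leaked
    return failures


# A "temporary" troubleshooting rule someone put at the top of the list.
BROKEN_RULES = [("allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", None)] + RULES


if __name__ == "__main__":
    print("original policy failures:", check_guarantees(RULES, GUARANTEES))
    print("broken policy failures:", check_guarantees(BROKEN_RULES, GUARANTEES))
```

The original policy keeps all three guarantees; the broken one leaks SSH and SMB into the DMZ while still keeping the internal-LAN guarantee, which is exactly the kind of specific, checkable answer the post asks for. The check is only as strong as the probe list, and it says nothing about traffic that never crosses this firewall, which is the post's other point.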
No, he is not the only one ;-). But overall, security doesn't mean buying/installing more "stuff". Keep it simple! However, the idea to collaborate is good (see footer ;o) ).
Sysadmins need to work together and stop trying to play 'security by obscurity'. Share with others and learn how to improve your network.
---- join dshield.org Distributed Intrusion Detec
> the stock market: diversify. Don't put all your eggs in one basket.
That is certainly true in the stock market, but I would be careful about applying it to network security. Adding a new stock to your portfolio does not place your other stocks at greater risk. Yet every new network service/machine you add _does_ increase the risk to the rest of your network. If an attacker manages to get a foothold into one of your machines, there are a myriad of ways that she can leverage that access to further compromise your network.
Adding a new service is like having to defend a new front in a war. You have to divide your administrative effort into securing all of your systems, while the bad guys need only break through one of the defenses. So I would generally recommend standardizing on (say) a locked-down qmail, rather than putting out a "diverse" network that includes qmail, postfix, sendmail, exim, etc. Choosing one of those (even if you have instances on many machines) allows you to put more effort into locking it down, learning about it, and watching for & patching vulnerabilities. Meanwhile, attackers must have an exploit for that exact server rather than for any one of the mail servers you are running. Remember that even if you somehow manage to patch every announced vulnerability within 12 hours, there is still some window of exposure there. And many bugs will still float around underground for months before you hear about them - take a look at the recent SAMBA exploit for just one example.
I'm certainly not saying that diversity is always bad. In some cases it makes sense. But don't treat it as a tenet of secure network design like "deny by default" or "defense in depth".
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner. Version 3.27 was released today.
Write a script that filters out non-suspicious activity in the logs so that you're left with only the stuff you want to see.
Of course, creating that data filter is the tough part. You don't want to be too inclusive or too restrictive.
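Here is what such a filter can look like in practice, as an added example that is not code from the thread. It drops lines matching known-benign patterns (an allowlist, so anything unrecognised surfaces rather than disappears) and aggregates repeated failed logins by source. The log lines are constructed in syslog/sshd style; the patterns, the admin subnet and the business-hours window are assumptions for the example.

```python
"""Filter known-benign activity out of a log so the rest stands out.

Added example. The allowlist approach answers the "too inclusive" worry:
a pattern that accepts any admin-subnet login hides an off-hours one, so
the admin-login pattern here is also limited to an hour range.
"""
import re

# Constructed sample log (not from a real host).
SAMPLE_LOG = """\
May  3 02:15:01 gw CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
May  3 08:02:11 gw sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
May  3 08:02:40 gw sshd[2244]: Failed password for root from 203.0.113.9 port 40112 ssh2
May  3 08:02:41 gw sshd[2244]: Failed password for root from 203.0.113.9 port 40113 ssh2
May  3 08:02:42 gw sshd[2244]: Failed password for admin from 203.0.113.9 port 40114 ssh2
May  3 09:15:22 gw sshd[2301]: Accepted password for bob from 198.51.100.20 port 33001 ssh2
May  3 10:00:00 gw named[800]: zone example.com/IN: loaded serial 2003050301
May  3 23:47:03 gw sshd[2590]: Accepted publickey for alice from 10.0.0.5 port 51090 ssh2
"""

HOUR_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):")

# (pattern, allowed hour range or None). Assumed: 10.0.0.0/24 is the admin
# subnet and key-based admin logins are routine only between 07:00 and 19:00.
BENIGN = [
    (re.compile(r" CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.\w+\)$"), None),
    (re.compile(r" named\[\d+\]: zone \S+: loaded serial \d+$"), None),
    (re.compile(r" sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ port \d+ ssh2$"), (7, 19)),
]

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port \d+")


def is_benign(line, benign=BENIGN):
    """True if the line matches a benign pattern within its allowed hours."""
    for pattern, hours in benign:
        if not pattern.search(line):
            continue
        if hours is None:
            return True
        m = HOUR_RE.match(line)
        if m and hours[0] <= int(m.group(1)) < hours[1]:
            return True
    return False


def filter_noise(text, benign=BENIGN):
    """Return only the lines that no benign pattern accounts for."""
    return [line for line in text.splitlines() if not is_benign(line, benign)]


def failed_password_sources(lines, threshold=3):
    """Count failed password attempts per source; keep sources at or above threshold."""
    counts = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    kept = filter_noise(SAMPLE_LOG)
    for line in kept:
        print(line)
    print("repeated failures:", failed_password_sources(kept))
```

On the sample, the cron, named and daytime admin-login lines drop out; what remains is the burst of failed root/admin logins from one address, a password-based login for bob from outside, and alice's key login at 23:47, which the hour-limited pattern deliberately does not hide.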
Jesus. They had to get outside help to figure out how to follow the CAT5 from the switch to the server? Amazing.
Classic Macs are generally very secure because they have no built-in facilities for any kind of remote access, let alone remote administration. So it's not just a matter of getting a root password or convincing somebody to execute a shell listening on the right port, these things just don't exist.
However, while classic Mac OS can be stable with the right setup, it's pretty rare and difficult to achieve. A crashed Mac is as secure as a computer can get, but it's not very useful.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
To nail the point down better, I'd rephrase that as "multiple layers of defense".
It goes without saying to this audience, but probably needs to be said multiple times to the people that manage your budget: having defense in layers (i.e., serial) is more effective than having defense mechanisms side by side (parallel).
Make potential intruders go through all the doors of your dungeon, not just one.
That's easy to say and hard to do. The problem is that many dungeons (workplaces, whatever they're called these days) have obscure, lesser known secret doors that can let in the monsters if only that one door is discovered and compromised. Creative social engineering tricks are particularly devastating this way.
Some internal walls for damage control can be helpful in the event of an incident.
"Provided by the management for your protection."
JUST?!
That's like saying "oh, a firewall just keeps external network traffic from getting to services and hosts you don't want them to get to". Well duh.
If your only authentication scheme is passwords, then this is crucial, there is no "just" about it. For example, the only thing separating your hosts from being vulnerable to all local-only exploits is a malicious user authenticating through SSH with a stolen password from sniffed FTP traffic, even if your FTP service is patched and non-vulnerable to privilege escalation and buffer overflows resulting in shell access.
If you want to write off such a simple attack then <sarcasm>you might as well just leave telnet enabled, tie all your systems together with NIS on a public network, and make sure you have stickies with administrative account authentication information at all physical access points.
Oh ya, don't forget to implement some wireless APs too... and remember: WEP and MAC exclusions are for the paranoid. Information wants to be free</sarcasm>.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
Well, in addition to what the other respondent said, which is that keeping passwords from going in the clear is a pretty valuable item, I generally find that ssh/scp stuff is written to a higher standard.
It's security-realm software, and the authors know it, and take a lot of care with it. With XYZftpd, you have no idea, and don't get me started on the variety of slapdash FTP clients that are out there.
I post this most every time I run across a discussion of network security and the "evil hacker" protections people try to implement.
Where is your IDS? At or near the firewall from your Internet connection I'm willing to bet.
Okay, now what about the malicious hacker wanna-be that lives within your trusted network. This could be a student in a campus lab, Jane Doe in cubicle 12B who lives a secret on-line life as Kamander KRak, or Dave Smith the quiet guy in the corner office who thinks he's about to get fired. What about those cleaning crew who have full access to every square inch of the facility at night without any supervision. What about the CEO who just brought a new WiFi notebook in and connected it to the LAN and offers an open WAP to anyone within 200 feet of the office.
We all spend a whole lot of time and money securing our Internet connections and services from external hackers. Yet most managers/admins almost completely ignore the internal threats. And ONE inside job will do a lot more damage than a dozen attacks from outside.
Those on your LAN already have password access to the network and services. They know what servers to hit, they know what data is stored where. They know where the wiring closet is, and what equipment you run (your memos frequently tell them you are upgrading Windows from NT4 to 2000). They can open a closet door, or slide over a ceiling panel and easily connect a device to the monitoring port of their distribution switch.
A comprehensive security plan needs to at least acknowledge these threats, and find ways to secure these services and components from otherwise trusted sources. IDS on each major server, physical lockdown of all remote network devices, regular/random physical inspections of the wiring closets. Some facilities may require that the night cleaning crews be cleared with at least a basic background check.
In my experience, protecting against outside attack is really rather trivial compared to protecting against the potential internal threat.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
YOU should.
The government produces these documents for a reason. If anyone knows how to secure a system, it's the government. Read them and apply them as required.
Also, you have much nice hardware. How about policy? Policy is more important. What happens when someone is hired/fired? Who is allowed to do what on the network? Do you have a business continuity plan? Is there a document that states how to recover from a disaster? Has it been tested? Have you ever had a Threat and Risk assessment performed? If yes, when was it last updated?
You have some good technical means to provide security, how about the rest? The government has wonderful guides on how to do all this stuff, and although thick, they really are helpful.
1. Education - Get educated about what information security is all about, you should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and know what criminals/attackers can do in your organization.
You can get a lot of this from several books and websites, such as Secrets and Lies by Bruce Schneier, the SANS Reading Room, if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus.
2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization)
Tools like those from IBM Tivoli or HP Openview can help here. For security-specific vulnerability analysis: open-source Nessus, eEye's Retina, and ISS's Internet Scanner.
3. Policy - You need a plan and a document to give you and others guidance, and this is your infosec policy.
Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security for benchmarks, and SANS Reading Room - Auditing and Assessment, and Site Security Handbook - RFC 2196.
4. Implement -- Using your education, audits and policies you can now implement decent security.
Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.
5. Be vigilant - "Security is a process, not a product" - Bruce Schneier
Now the work begins, up to now it was the fun stuff, now you get to dig in with boring but important tasks such as analyzing log files, maintaining an accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and if you can afford it and it is warranted, external), educating users, and maintaining your security posture.
I guess another way to identify the wire would be to start unplugging wires until the connection broke. It's not nearly as nice, but it would probably be faster and easier than using a line sniffer. Of course, you may have users and managers looking for you by the time you're done. :)
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
I know this is Slashdot and all, but I stopped reading your post the second you said you have 'Sisco' routers.
It's a bit difficult to respect your level of experience when you can't spell the company's name that provides your infrastructure and the connectivity of all of your remote sites.
Ya, so the users complain about it, but they'll get over it.
What kind of users are you talking about? The non-paying kind methinks, because the paying kind do not complain when they don't get their way, they just go away and stop paying you - that is if they ever paid you in the first place.
This is the primary reason that Frontpage extensions still exist at all, despite the fact that no Unix sysadmin would touch it with a 10 foot pole if they had the choice. They can argue until they're blue in the face that it's insecure, it breaks standards, it makes webmasters look like morons, and it kicked your dog, but it all comes down to the fact that it's blazingly simple to use and it already comes with Office.
Sure, you converted 30,000+ users, but they don't exactly have a choice about which server they can use. Try doing that with paying customers at an ISP and you'll hear your boss using words like "attrition rate" and "loss of revenue", terms he damn sure doesn't want to utter, and you don't want to hear used in your direction. In commercial environments, offering more services - thus giving consumers more choice - is the way to do business.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert