Securing Your Network?
Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."
What about approaching the Linux Public Broadcasting Network about doing a (semi-)regular show about security? Perhaps they'd be open to content like that?
-vt
US$0.02++
I welcome suggestions as to why Windows or even Linux would be a safer choice in regards to security.
And OpenBSD with Evil Bit checking is even better. ;)
Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Yeah, so the users complain about it, but they'll get over it. The University [colorado.edu] I attend recently switched from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you :)
I agree, I also recently made the switch from ftp to sftp/ssh. I thought the users would have a fit; however, I found a great sftp client called 'FileZilla', which most of my users actually prefer to their old ftp client.
It's a wonderful client, and easy to use. I recommend it for anyone interested in the switch, and making it easy for users. try it here
And, of course, this software is free (beer/speech), so you should be the most popular guy with the CFO for recommending it!
Note: I am not affiliated with Filezilla, I just think it's a great tool.
-- p06 "On religious wars: They're essentially wars over whose imaginary friend is better"
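As an added illustration of the point made in the posts above (this is example code, not something from the thread or from any of the tools mentioned), the snippet below shows what a passive observer on the wire recovers from an FTP control channel versus an SSH/SFTP session. Both captured payloads are constructed for the example, not real traffic; the hostname, login and password are made up.

```python
"""Added example: what a passive sniffer reads from FTP versus SSH/SFTP.

FTP (RFC 959) sends USER and PASS as plain text on the control channel. SSH
only exposes the two version banners; everything after the key exchange is an
encrypted binary stream. The payloads below are constructed, not captured."""
import re

# Constructed FTP control channel after TCP reassembly (CRLF-terminated).
FTP_CAPTURE = (
    b"220 ftp.example.test FTP server ready\r\n"
    b"USER webdev\r\n"
    b"331 Password required for webdev\r\n"
    b"PASS s3cret-site-pw\r\n"
    b"230 User webdev logged in\r\n"
    b"CWD /var/www/site1\r\n"
    b"250 CWD command successful\r\n"
    b"QUIT\r\n"
    b"221 Goodbye\r\n"
)

# Constructed SSH transcript: two cleartext banners, then a stand-in for the
# encrypted stream (arbitrary non-printable bytes).
SSH_CAPTURE = (
    b"SSH-2.0-OpenSSH_9.6\r\n"
    b"SSH-2.0-OpenSSH_9.6\r\n"
    + bytes(range(256)) * 4
)

# FTP commands are case-insensitive, so match 'user'/'pass' as well.
_FTP_CMD = re.compile(rb"^(USER|PASS|ACCT)\s+(.*)$", re.IGNORECASE)


def extract_ftp_credentials(payload: bytes) -> list[dict]:
    """Pair each USER command with the PASS that follows it.

    A PASS with no preceding USER is still recorded, with user=None, because a
    sniffer that joined mid-session would see exactly that."""
    creds = []
    current_user = None
    for raw in payload.split(b"\r\n"):
        m = _FTP_CMD.match(raw.strip())
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2).decode("latin-1")
        if verb == b"USER":
            current_user = arg
        elif verb == b"PASS":
            creds.append({"user": current_user, "password": arg})
            current_user = None
    return creds


def readable_lines(payload: bytes) -> list[str]:
    """Return only the lines an observer could read as text (printable ASCII)."""
    out = []
    for raw in payload.split(b"\r\n"):
        if raw and all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out


if __name__ == "__main__":
    print("FTP credentials on the wire:", extract_ftp_credentials(FTP_CAPTURE))
    print("Readable SSH lines:", readable_lines(SSH_CAPTURE))
```

Running it against the FTP capture yields the login and password verbatim; against the SSH capture it yields nothing but the two version banners, which is the whole reason the switch to sftp costs an attacker more than a tcpdump session.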
Having a firewall, servers on a DMZ, an IDS and all that stuff in place won't suffice to achieve high-level network security.
You've got to build strict policies regarding all aspects of your systems and network infrastructure and also write down some procedures and guidelines to enforce those policies.
Training also plays a major role and should target the user crowd - stating clearly what is and what is NOT allowed and why; the admin crew - guiding them through the principles of security-minded system and network administration; and of course the suits - showing them the stakes at risk using eye-candy presentations.
If you can't manage to gather people's involvement at every level of the organization, your security plan is certainly doomed to failure.
Not entirely true. Often times the only thing a system needs to become a target is a high-speed 'Net connection. The compromised machine can then be used to scan other random subnets to find other machines to compromise to then use those to scan other random subnets...you get the idea.
I'm ashamed to say I learned this particular point of interest myself, and only when root started getting mail from other admins wanting to know why our server was portscanning them.
Live and learn, they say. I say wisdom is learning from someone else's mistake, such as mine. Hint: when Tripwire stops sending you messages, you may be compromised.
Palaces, barricades, threats, meet promises
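The hint about Tripwire going quiet is worth making concrete. The following is an added example, not code from the thread or from Tripwire itself: a minimal integrity monitor that baselines a directory tree with SHA-256, reports what changed on a later scan, and separately checks the failure mode described above, a monitor that has stopped reporting. The directory contents and timestamps are constructed inside the script.

```python
"""Added example: Tripwire-style integrity check plus a 'monitor went silent' test.

Everything here is illustrative; the file tree is constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: str) -> dict[str, str]:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    baseline = {}
    root_path = Path(root)
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        baseline[path.relative_to(root_path).as_posix()] = h.hexdigest()
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return added, removed and modified paths relative to the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def monitor_is_silent(last_report_ts: float, now: float,
                      expected_interval_s: float, grace: float = 2.0) -> bool:
    """True when more than `grace` reporting intervals have passed without a report.

    A compromised host often stops mailing its integrity reports rather than
    mailing bad ones, so the absence of a report is itself an alert condition."""
    return (now - last_report_ts) > grace * expected_interval_s


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls binary")
        (bin_dir / "ps").write_bytes(b"original ps binary")
        Path(tmp, "etc").mkdir()
        Path(tmp, "etc", "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(tmp)

        # Tampering: a trojaned ps, a dropped scanner, a deleted config file.
        (bin_dir / "ps").write_bytes(b"trojaned ps binary")
        (bin_dir / ".hidden").write_bytes(b"scanner")
        Path(tmp, "etc", "passwd").unlink()
        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    print(demo())
    # Daily reports expected; none for three days means something is wrong.
    print("silent:", monitor_is_silent(0.0, 3 * 86400, 86400))
```

In production the baseline would be stored and signed off-host, since a baseline the attacker can rewrite proves nothing; the silence check belongs on the receiving mail server or log host, not on the monitored machine.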
When you think about it, every data security measure put in place can be bypassed, given enough resource, or enough luck.
Public/Private Key encryption can be broken, given enough CPU.
Passwords can be guessed.
Ask yourself, "can my security system be bypassed with a very lucky guess?"
It's likely a security system of obscurity
Whatever your security, the idea is to make it difficult enough to break so it's uneconomical to get the secrets it's protecting.
ie. $$ Resources to break security > $$ secrets
Does HTTP support file continuation now?
I've seen several download managers on Win32 that support continuation and multithreaded downloading, so I guess that means it does. Don't quote me on that though.
OK, I've never, ever, complained about moderation before. But the people who modded the parent both insightful and informative are on crack.
Of course, but until those vulnerabilities have been documented, they might as well not exist.
With all due respect: bollocks. They may be known by any number of people before they are documented and patched (if they're ever patched). All that time, you're vulnerable.
You should never assume anything is 100% secure. For it to be so means it has a provably secure design and no flaws in the implementation. That's a desperately naive assumption.
I have a dinky little 166MHz Pentium laptop which is parked on my (wired) LAN 99% of the time. Depending on file content, file transmission over sftp or scp happens at about 55K bytes/sec. This is glacial (one-third the speed of a 1X CD-ROM drive). The problem is the time spent encrypting the data for transmission -- a 166 MHz Pentium just can't crank it out much faster.
FTP has no encryption step, so file transfers happen at line speed. Of course, FTP has almost no security measures at all, transmitting passwords in the clear. However, for moving files among machines on my switched LAN (as opposed to the Internet), I see this as less of an issue.
Ideally, I'd like sftp and scp to have the (obviously non-default) option of using secure authentication (encrypted passwords, etc.), but transfer the files themselves in the clear. I believe this would be useful in a wired LAN setting with anemic machines where the file contents are not considered sensitive (uploading MP3s and Vorbis files to your home jukebox, for instance). ssh does have the option of turning session encryption off, but it's a compile-time option none of the distros enable.
Of course, in a wireless "LAN" setting, all the bets are off, and encryption should be de rigueur.
Schwab
Editor, A1-AAA AmeriCaptions
Unfortunately some web development clients only understand FTP and can't use sftp. I've played with replacing FTP with WEBDAV, but the DAV clients and servers out there do not interoperate well, yet. Especially it seems XP.
My partial solution is to use a tool like pureftpd and use a different set of passwords and a different login file with pureftpd than what is in /etc/passwd. This means that some passwords ARE transmitted in the clear, and these passwords can be used to mangle a website, but the passwords cannot be used to gain shell access.
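An added example (not the poster's code, and not part of pure-ftpd) of the check a practitioner would want behind the arrangement just described: confirm that the FTP daemon's own user file really is isolated from /etc/passwd, so a sniffed FTP password cannot become a shell. Both files below are constructed excerpts; the FTP file follows a simplified version of the pureftpd.passwd layout (login:hash:uid:gid:gecos:home:...), and only the first six fields are used. The hash strings are placeholders.

```python
"""Added example: audit an FTP virtual-user file against /etc/passwd.

Policy: no FTP login may reuse a system login name, every FTP uid must map to
a system account, and that account must have a non-login shell."""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd excerpt.
SYSTEM_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftpuser:x:2001:2001:FTP virtual users:/srv/ftp:/usr/sbin/nologin
"""

# Constructed pureftpd.passwd excerpt (simplified; trailing fields left empty).
# site1 and site2 are FTP-only logins mapped onto the unprivileged 'ftpuser'
# account; 'alice' is a deliberate violation of the policy.
FTP_PASSWD = """\
site1:$6$salt$hash1:2001:2001::/srv/ftp/site1/./:::::::::::
site2:$6$salt$hash2:2001:2001::/srv/ftp/site2/./:::::::::::
alice:$6$salt$hash3:1000:1000::/home/alice/./:::::::::::
"""


def parse_passwd(text: str) -> dict[str, dict]:
    """Parse /etc/passwd lines into {login: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        users[f[0]] = {"uid": int(f[2]), "gid": int(f[3]),
                       "home": f[5], "shell": f[6] if len(f) > 6 else ""}
    return users


def parse_ftp_passwd(text: str) -> dict[str, dict]:
    """Parse the first six fields of a pureftpd.passwd-style file."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        users[f[0]] = {"uid": int(f[2]), "gid": int(f[3]), "home": f[5]}
    return users


def audit(system_text: str, ftp_text: str) -> list[str]:
    """Return one finding per policy violation; an empty list means isolated."""
    sysusers = parse_passwd(system_text)
    by_uid = {u["uid"]: name for name, u in sysusers.items()}
    findings = []
    for login, v in parse_ftp_passwd(ftp_text).items():
        if login in sysusers:
            findings.append(f"{login}: FTP login name is also a system account")
        owner = by_uid.get(v["uid"])
        if owner is None:
            findings.append(f"{login}: uid {v['uid']} has no system account")
        elif v["uid"] == 0:
            findings.append(f"{login}: maps to root")
        elif sysusers[owner]["shell"] not in NOLOGIN_SHELLS:
            findings.append(f"{login}: maps to uid {v['uid']} ({owner}), "
                            f"which has login shell {sysusers[owner]['shell']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SYSTEM_PASSWD, FTP_PASSWD):
        print("VIOLATION", finding)
```

With the constructed inputs the audit flags only the 'alice' entry, twice: the name collides with a shell account and the uid it maps to owns a /bin/bash shell. The two site logins pass, which is the property the poster relies on when accepting that those passwords still cross the wire in the clear.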
Easy on the sarcasm, brother. Yes, plaintext password exchanges are obviously more dangerous than encrypted ones. That said, sniffing plaintext passwords is a lot harder than it used to be.
Nobody uses coax anymore, and hubs are becoming increasingly rare. The only way to sniff most networks anymore (unless you're interested in broadcast traffic) is to have administrator access to the network equipment between the server and the client. Or be able to insert your own equipment. Both of which are considerably more difficult than firing up tcpdump on your workstation and collecting raw traffic.
The only way to sniff most networks is to have administrator access to the network equipment between the server and the client.
This means you are dependent on a third party to implement proper security. SSH means you'll have to worry less about the machines your traffic passes by.