Slashdot Mirror
Securing Your Network?
Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."
I heard about this honey pot feature for network security. I installed them on each users computer, but they keep using the honey in their tea. Maybe it was not installed correctly?
Since you posted this on /. you obviously aren't interested in security through obscurity!
I don't think I am the only one spending evenings and weekends playing around with yet another IDS.
Think again!
Allow only very few services and open just those ports. Probably HTTP, SMTP, FTP, SSH that's all.
Keep Web and FTP on separate DMZ LANS.
Kevin
"It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
The way I secure my systems, is not to put them on a network, though it does make email a bitch...
I look on the stock market: diversify. Don't put all your eggs in one basket.
Thanks for the link, I didn't know what diversify meant.
I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?
That's like saying you know someone has solved a very hard math problem that you need solved, but that you don't have time to find out how they did it. Why don't you read the literature not only from the NSA, but from the other various institutions that dedicate tremendous resources into investigating the problems you are trying to solve. It makes a lot more sense to do your research there rather than asking laypersons for their haphazard advice.
Our network is Novell, our e-mail is groupwise, and we don't use Cisco products. While not necessarily "low budget" in terms that the original poster implied, the net affect is that we don't have to contend with many of the viri that other companies running the typical MS products do. And yes, we most definitly still have to have a good firewall, and a good firewall config with the appropriate ports either shutdown or monitored, and we still run an e-mail scanner on in- and out-bound mail as well as McAfee on the desktops.
Go calculate something
get all your shit working. Cut the lan/wan/internet lines, brick it in with now doors and spray the outside with teflon.
Hire a muscle head with a 8th level Edu to guard the brick box with a baseball bat.
Other than that your just playing the odds like the rest of us.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Step 2) Arange equipment in nice steel shipping container.
Step 3) Toss the entire thing into the bowels of either your local foundry's furnace or your closest actively erupting volcano
Step 4) Giggle because the poster never said the network had to work or anything....
I'm a little tea pot.
... don't put up any security, and don't put anything important (worth losing) on the box. Eventually, boredom will set into the hackers and they'll go onto something more challenging...
At least I hope they will....
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
A network is secure if it costs more to an intruder to break in than the value of the information being protected.
Network security must exist within a context of what is being protected and who would want to break in. If you are protecting your personal information, the amount of security that is needed is substantially less than if you are a major bank. Sure, your design might have some holes in it. In fact, I guarantee that it does, but if it's too much hassle to exploit those holes, then nobody's going to bother.
This sig has been temporarily disconnected or is no longer in service
"I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?"
Anybody who considers security important.
The Kruger Dunning explains most post on
I don't think I am the only one spending evenings and weekends playing around with yet another IDS.
Unfortunately, I suspect that we are among the few that do. Especially when you look at this and this.
I would say that you are definitely on the right track and that your network is probably more secure than most. Certainly more so than those that will respond to you here. The fact is that if you are in doubt, you should have an audit performed by a security expert. This person will review you policies, procedures and configurations and make appropriate recommendations. Additionally they will perform penetration testing both from inside and out and make subsequet recommendations.
As I said above, I think you are on the right track and would guess that you have taken all of the necessary steps, and are hearing the complaints from your user community. But, the only thing that I would add is that you should never become complacent. Test your security regularly and use multiple tools to do it, and always the latest versions. Don't rely soley on a Nessus or nmap scan to validate your security. Also, when testing, remember that it isn't just a matter of whether you get in or not, you should also make sure that the attempt is properly caught in the logs, regardless of the attempts success or failure.
What about approaching the Linux Public Broadcasting Network about doing a [[semi-]regular] show about security? Perhaps they'd be open to content like that?
-vt
US$0.02++
1) Fire developers
2) Fire users
I welcome suggestions as to why Windows or even Linux would be a safer choice in regards to security.
And OpenBSD with Evil Bit checking is even better. ;)
What do you consider to be a secure network?
A properly patched one, Linux or Windows.
The coolest voice ever.
: .. cut the lan/wan/internet lines ..
:
This is a very important part that is often overlooked as demonstrated by the following example
The University of North Carolina has finally found a network server that, although missing for four years, hasn't missed a packet in all that time. Try as they might, university administrators couldn't find the server. Working with Novell Inc. (stock: NOVL), IT workers tracked it down by meticulously following cable until they literally ran into a wall. The server had been mistakenly sealed behind drywall by maintenance workers.
3.243F6A8885A308D313
I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?
Probably professionals who weren't picked to be the "security guy" by a game of spin the bottle at the last office meeting.
Really, we will.
We won't break too much along the way.
We promise.
(It's humor, laugh.)
NetInfo connection failed for server 127.0.0.1/local
By using multiple products, you indeed have a better chance of detecting and defending against attacks... That is, of course, assuming that you have someone trained to set up, monitor, maintain, and tweak each system you put into place AND that the correspondence between the parties responsible for each system allow correlation of seemingly unrelated data that indicates an attack or intrusion that would not be detected otherwise...
o rcement/etc.
The potentially enhanced visibility made available by using a heterogeneous security implementation comes only at the expense of additional training and staff, and more complicated maintenance, monitoring, and communication. Be aware of the trade-off.
Also, security tools are nothing absent policy/procedure implementation/refinement/education/awareness/enf
Invest the majority of your resources into learning how your users make use of the system and then develop and put security procedures into place that encourage secure computing instead of putting systems into place that make their jobs harder and encourage them to bypass your security measures.
In my experience working securing networks, I have found that the best approach is "Security through apathy". Sure I can get rooted easy, but boy do I have loads of free time now!
I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.
Probably HTTP, SMTP, FTP, SSH that's all.
:)
Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Ya, so the users complain about it, but they'll get over. The University I attend recently switch from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you
"I either want less corruption, or more chance
to participate in it." -- Ashleigh Brilliant
...anyway? Windows 2003 firewall includes all the security you'll ever need, unless a morgan webb lover hits your site up.
"Securing" your networks hampers our efforts to roam freely through them, searching for any files/activities/writings that contravene the "Freedom from Thoughts" act, thus directly supporting terrorism.
Trying to get advice on how to secure your networks interferes with our self-described legitimate efforts to make sure you aren't doing/listening/reading/thinking/considering thinking about things we've decided you shouldn't.
Now just stand over there in the corner and wait. We'll be by to pick you up in a little while. And remember, running away supports terrorism.
Use WindowsME with file sharing enabled and no patches as your firewall. Hackers will explode with excitement before they can intrude...leaving nothing behind but steaming puddles of Dr Pepper.
You might think I'm joking but this actually works! Go ahead and try it, then post your IP address to this site. Your boss will thank you for the amazing audit!
(-1, Raw and Uncut is the only way to read)
Dont let any attachments in.
Have DMZ's.
Pay attention to bugtraq and errata postings.
Nmap every once in a while.
Only have two ssh's open to get in and have the IPs defined in hosts.allow.
ALWAYS upgrade when security bugs are fixed.
Have snort on the main DMZ in a promiscuous switch port, get some nice looking reports going.
Pay attention to bandwidth useage ( cricket ).
Add a dash of portsentry+tcpwrappers.
Dont act macho and send nasty letters to people who try to get in.
Maybe, dont return pings ( tcp-reset ) or portscans.
Bind 9 with zones.
Check all logs all the time (3 times a week).
KISS = keep it simple stupid.
Dont hire lazy admins.
Try out all new security related programs.
I SHOULD be sending most all logs to a central host.
Make sure MS admins dont totally let their guard down.
*pant*pant*. ummmmm, thats about it for now.
Oh and dont enable web crap on routers etc (more ports open).
ssh for everything.
shut down telnet.
https for everything.
Try to protect email, imap, pop (plaintext over the network).
Read the "security section of all apps you install and try to KISS
ummmmmmmm, thats about it for me.
everyone already knows this but im just throwing in my 2 cents :-)
... I'll give a serious answer.
I work for a moderate sized engineers consultation company (500+ employees all over the east coast). We have over a dozen offices from Florida to Maine. All are connected by a VPN using frame relay. At each access node, there is a Sisco Router/switch controlling what traffic can come in and out. Behind that is a firewall, NAT, and DHCP server (each office runs on a seperate private IP group). All external traffic (i.e. not on the VPN) must go to the main headquarters and pass through the proxy before making out to the "real world." We also have several web, ftp, and email servers in the private IP realm that are NAT'd to the outside. All incoming packets from the outside worled must go through the Router, Firewall, NAT, Virus Scanner, Mail Content Scanner (read: anti-spam detector) before making it to the target machine.
Software-wise, we are Novell users (mod me down if you want, but it is a hell of a lot better than M$). Every user has 1 concurrent log-in with very few exceptions (IT staff being 1 of them). Users cannot pass through the proxy or access any file servers without full LDAP authentication. this includes email, web browsing, ftp, etc. All logins are fully logged to time, machine and duration. Passworded screen savers automatically kick in after 10 minutes of idleness and users are auto-logged off after 30 minutes of idleness. Strong passwords are enforced (9+ charaters, 3 of 4 ({CAPS, lower, 1234, !@#$}), no repeating of past passwords, no dictionary words). L0phtcrack is used randomly to check for weak passwords.
I consider our systems to be fairly secure, given that most of the system is redundant as well as obscure to all but a few people in IS. It's a combination of cyber-armor and security through obscurity.
Hope this helps.
Nothing fails quite like prayer.
Your network is pretty secure compared to the average. However, ...
Your root password is "sheila".
Your social security number is 182-90-6134.
You just broke up with your girlfriend.
And you really ought to get a disk-wipe program to remove all traces of those deleted pornos.
- For the complete works of Shakespeare: cat
Make an attack tree. All it takes is pencil and paper.
For my home network, it's pretty simple. Just me and a few computers, and few assets to protect. One of the trees might be how people might steal my pr0n collection. No big deal.
Once you have your attack trees written out, then you secure and document how you secure against each and every one of the attacks. For my pr0n collection, it comes down to 1) locking the front door and windows to my house 2) setting the burglar alarm 3) running a firewall 4) keeping my software up to date 5) having an offsite backup, encrypted with a trusted method. My pr0n is reasonably safe from being stolen. Notice how my attack tree has some physical attacks in there, thus the listing of good door locks in the security actions?
The end.
If tits were wings it'd be flying around.
Here's what I would offer as a cornerstone for thinking about your systems' security: A secure component is one that keeps its word. That is, it provides guarantees -- assurances -- of its behavior, and it meets those guarantees. Because it provides these guarantees, other components can depend upon it (though they need not depend exclusively upon it). And once a system is built out of dependable components, staff can place their trust in it and not be betrayed.
Take an example: a firewall. A firewall is commonly thought of as a tool for blocking attacks or reducing exposure. I would suggest that it is, rather, a tool for providing assurance that certain traffic will not enter the network from a certain point. Systems behind the firewall should not be thought of as being made "more secure" (what muddy thinking!) on account of the firewall's presence. They should be thought of as receiving a guarantee from the firewall that certain traffic will not enter.
This allows for evaluation. Under the blocking-attacks model, we must rate a firewall as doing its job if it blocks attacks. Which attacks? "Uh -- some attacks, the ones from the other side of the firewall." But what about attacks from other places? "Uh -- the firewall can't help you there, it's only at the border." But then what good is it? "Uh -- it makes your security better. That's what everyone says." With a clear understanding of the guarantees the firewall provides, we can evaluate its success with a clearer mind: does it succeed or fail at meeting those guarantees?
(Microsoft's marketing folks recognize that people want dependability when they talk about "trusted computing". They're using it as a nasty trick, of course, but they have the right words. By "secure system" people don't just want a system that rejects today's attacks, but one that provides dependable assurances of its behavior. Too bad they are wasting the memetic capital of the phrase "trusted computing" on a despicable power grab.)
> the stock market: diversify. Don't put all your eggs in one basket.
That is certainly true in the stock market, but I would be careful about applying it to network security. Adding a new stock to your portfolio does not place your other stocks at greater risk. Yet every new network service/machine you add _does_ increase the risk to the rest of your network. If an attacker manages to get a foothold into one of your machines, there are a myriad of ways that she can leverage that access to further compromise your network.
Adding a new service is like having to defend a new front in a war. You have to divide your administrative effort into securing all of your systems, while the bad guys need only break through one of the defenses. So I would generally recommend standardizing on (say) a locked-down qmail, rather than putting out a "diverse" network that includes qmail, postfix, sendmail, exim, etc. Choosing one of those (even if you have instances on many machines) allows you to put more effort into locking it down, learning about it, and watching for & patching vulnerabilities. Meanwhile, attackers must have an exploit for that exact server rather than for any one of the mail servers you are running. Remember that even if you somehow manage to patch every announced vulnerability within 12 hours, there is still some window of exposure there. And many bugs will still float around underground for months before you hear about them - take a look at the recent SAMBA exploit for just one example.
I'm certainly not saying that diversity is always bad. In some cases it makes sense. But don't treat it as a tenet of secure network design like "deny by default" or "defense in depth".
-Fyodor
Concerned about your network security? Try the free Nmap Security Scanner. Version 3.27 was released today.
Seriously, it's true. Security isn't something you setup and put into place and just let it fester or sit.
What you've done is started packing for the journey. Gathering your tools and getting it all setup to go with you as you move forward.
But as effective as some security measures are, they still need to be tended to. Watched over. Tweaked. That's the journey.
Along the way, you will find new tools. You might even be waylaid by someone with better tools than you. Surely, you haven't arrived.
And you never will. Your security, through watchfulness, effort, and action, will improve as you improve and move forward.
It is bad security to see security as something you plan, implement, and walk away from. That leaves you prone to holes and highly creative or bored individuals out there.
Security is something that is ongoing.
A home user using a simple firewall package who is diligent with watching the logs and keeping up on security bulletins for the software, the os, and the system in general will be much safer than a multi-layer security system that no one bothers to watch or that can't be easily understood by those watching.
Winged Power Photography
You need people like me so you can point your fucking fingers, and say "that's the bad guy."
There's not a whole lot new and interesting in terms of security on the network side of things. Lay out your network properly, use a DMZ, firewall (preferably Linux's iptables with stateful firewalling and something like shorewall to make it easy to use) and use IDS etc. Actually, one kinda new and interesting you can do on the network side of things is to use User Mode Linux to set up a fake network (all running on one box) of tempting looking target machines simulating your production network and watch for people to poke at it. It serves as a good control subject to compare against your IDS results to reduce false positives. If anything is hitting your honeypot you know it's hostile.
.rhosts world writeable and can often use suid binaries or buffer overflows in daemons running as root to elevate their privs. But if you have a kernel enforced mandatory access control system these things cannot happen. I have been playing with SE Linux for a while now and I really
But the real recent innovation in the host based security area is Mandatory Access Controls. ugo+rwx and unix uid's are all part of descretionary access controls. Users can make their
like it. I just created a security domain/role for the freenet daemon to run in. If someone exploits it and gets a root shell they will be trapped in freenets domain which is restricted to least priviledge. Even if they get root they cannot hurt the system. Mandatory Access Controls take the fangs out of root. I have put up my freenet domain config file for your viewing pleasure
here. Note that it is still a work in progress. SE Linux is very flexible and secures the entire machine from any root exploit I have seen used in recent years. It would have prevented my personal box from being rooted by that ssh bug that came out a couple years ago!
As they say, it is "Military grade security at Open Source prices!"
Write a script that filters out non-suspicious activity in the logs so that you're left with only the stuff you want to see.
Of course, creating that data filter is the tough part. You don't want to be too inclusive or too restrictive.
Having firewall, servers on DMZ, IDS and all stuff in place won't suffice to achieve high level network security.
You've got to build strict policies regarding all aspects of your systems and network infrastructure and also write down some procedures and guidelines to enforce that policies.
Training also plays a major role and should target the user crowd - stating clearly what is and and what is NOT allowed and why, the admin crew - guidind them through the principles of security-minded system and network administration, and of course the suits - showing them the stakes at risk using eye-candy presentations.
If you can't manage to gather people involvement at every level of the organization, your security plan is certaily deemed to failure.
yeah, I keep all my linux boxes behind a windows 98 box with internet connection sharing.
Ok, this is what I do for a living and frankly I find WAY WAY WAY too many companies lock down ports, install patches configure a firewall well and then call their networks secure.
All of the technical fixes in the world are rubbish when the independent auditor requests a list of all users on the network, goes down to HR and discovers 20 or 30 active user IDs for people who don't work there any more. Worse, I'll find 5 or 10 more for people who have changed jobs but still have their old privileges. (The guy in Accounts Payable SHOULD NEVER be able to access the Accounts Receivable systems.)
Everyone in security knows a high percentage exploits and a higher percentage of serious exploits are carried out by people who had valid access to the systems. Security for a network or a system begins in HR and the processes for granting, modifying and revoking system authority are much more critical that what ports are open. So what if you keep the script kiddies out when your CIO's secretary writes herself a cheque for $1,000,000? If you're serious about securing your network, figure out what your users can do that they shouldn't and look to developing systems to prevent internal breaches.
When I do a network security audit, first I test the following: Segregation of duties and appropriateness of access, procedures for adding / changing and removing users, change management and a user access privilege testing. Is everything authorized? By who?
If those things pass mustard, then I start actually looking at server room access, patches, firewall configuration, network diagrams, open ports, system auditing and security levels. It's not as sexy as pitting your skills against the crackers (what a f**ked up notion of sexy I have) but it's where you need to start if you're serious.
That's OK if you live in magical budget candy land, but for the rest of us, this is not an option.
And besides; firewalls are NOT (read again; NOT) the end-all of security. Most exploits and viri attack the ports that are open anyway, your IIS webserver; your Exchange box(es), the FTP server etc. etc.
My 2 cents:
- lock down servers and workstations
- strip all rights from users and then give them ONLY the rights they need - update, update, update & patch
- firewall the edge of the network
- create a DMZ for all those vulnerable boxes on the edge of your network
- divide the network in VLANs (provided you take care of a big enough network)
- buy antivirus software with server-distributed automatic updates
- run a IDS on the edge of your network (snort et al)
- use Ntop (or a similar sniffer) for network traffic profiling so you can spot any anomalies
- Backup the important stuff every day and move the tapes offsite (make sure your backup WORKS; do a yearly restore drill)
- audit on a regular basis, either yourself or (if you live in magic budget candy land) by external consultants.
- AND MOST IMPORTANTLY:
EDUCATE YOUR USERS!
(which, admittedly, seems to be the hardest thing on my list, as I haven't managed to do it in 10 years+ of network management.
-- No Sig is a Good Sig
Firewalls are really not unlike locks on a door... with time someone'll get through. Intrusion Detection Systems don't do much good unless someone responds when an Intrusion is Detected. -- not unlike a building alarm without an alarm company responding! I think this company counterpane has an interesting approach. They have their own data centers doing 24x7 monitoring of their customers networks so if any IDS has any suspicious activity, someone can respond immediatelly.
Use layered security...
Layer 1 - External Firewall - nothing comes in except exactly what you need where you need it to go to. HTTP only allowed in to the webservers, VPN to the VPN systems, etc. Tie an IDS into this firewall layer. SNORT works great...
Layer 2 - DMZ - Anything in this zone is considered compromised by default. Nothing further in should absolutely trust systems in this domain. Put at least one IDS in this zone..and make sure to not only check traffic from the outside, but track from this inside.
Layer 3 - Internal Firewall - Again...more security. Proxy servers, if you can, secured systems, more IDS systems, preferably a different one than the external one. Again, only let what data that you need to get through to get through.
Layer 4 - Internal network - VLAN's, IDS systems, and access lists. Make sure that traffic stays where it belongs, and make sure every system is backed up. Also, if you can afford it, Tripwire, or something along those lines...
CHECK YOUR LOGS If you don't review your logs regularly, you're begging to get hacked. You have to keep up on what's going on and update your defenses accordingly. A corollary...LOG EVERYTHING YOU CAN Disk space is cheap. Log everything...you may need it at some point...especially for after-attack forensics.
Make sure you are warned of possible intrusions somehow. My pager went off fairly often until I had my IDS systems tuned...but better an extra page and some minor panic than not knowing when a major hack happens...
What I used - Snort IDS, Cisco PIX firewalls, Linux box running IPFW, Cisco NetRanger IDS, Cisco Routers, 3Com & Cisco Switches, patched Windows boxes...(PATCH THOSE SYSTEMS OFTEN!)
-merlyn
To nail the point down better, I'd rephrase that as "multiple layers of defense".
It goes without saying to this audience, but probably needs to be said multiple times to the people that manage your budget, but having defense in layers (i.e., serial) is more effective than having defense mechanisms side by side (parallel).
Make potential intruders go through all the doors of your dungeon, not just one.
That's easy to say and hard to do. The problem is that many dungeons (workplaces, whatever they're called these days) have obscure, lesser known secret doors that can let in the monsters if only that one door is discovered and compromised. Creative social engineering tricks are particularly devastating this way.
Some internal walls for damage control can be helpful in the event of an incident.
"Provided by the management for your protection."
In particular I recommend "Real World Linux Security" , second edition, by Bob Toxen, which contains a wealth of useful information.
Full disclosure: I know the author; I am doubtless biased. But I like the book and have found it quite handy.
Here's an excerpt from an Amazon reviewer:
Professional Wild-Eyed Visionary
That setup is most likely illegal under the new HIPPA regulations that just came into effect in the last couple of weeks. Shut it down. Ask a lawyer. If there are patient records and a website on that server, and the server is compromised, the owner of the server is liable to extremely severe federal penalties, including criminal. If the physician isn't aware of HIPPA (Health Insurance Patient Privacy Act), they need to get with it. Otherwise your GF should resign, because she could get in trouble too. IANAL, but I work in the medical field. Don't risk it. Shut that server down. If they want a website, find a hosting company and upload it there--it's cheap, and you won't have to share the patient-info server with an internet connection. Believe me, this is no joke.
Everything I've ever learned the hard way was based on a statistically invalid sample.
I post this most every time I run across a discussion of network security and the "evil hacker" protections people try to impliment.
Where is your IDS? At or near the firewall from your Internet connection I'm willing to bet.
Okay, now what about the malicous hacker wanna-be that lives within your trusted network. This could be a student in a campus lab, Jane doe in cubicle 12B who lilives a secret on-line life as Kamander KRak, or Dave Smith the quiet guy in the corder office who thinks he's about to get fired. What about those cleaning crew who have full access to every square inch of the facility at night without any supervision. What about The CEO who just brought a new WiFi notebook in and connected it to the LAN and offeres an open WAP to anyone within 200 feet of the office.
We all spend a whole lot of time and money securing our Internet connections and services from external hackers. Yet most managers/admins almost completely ignore the internal threats. And ONE inside job will do a lot more damage than a dozen attacks from outside.
Those on your LAN already have password access to the network and services. They know what servers to hit, they know what data is stored where. They know where the wiring closet is, and what equipment you run (your memos frequently tell them you are upgrading Windows from NT4 to 2000). They can open a closet door, or slide over a ceiling panel and easily connect a device to the monitoring port of thier distribution switch.
A comprehensive security plan needs to at least acnowledge these threats, and find ways to secure these services and components from otherwise trusted sources. IDS on each major server, physical lockdown of all remote network devices, regular/random physical inspections of the wiring closets. Some facilities may require that the night cleaning crews be cleared with at least a basic background check.
In my experience, protecting against outside attack is really rather trivial compared to protecting against the potential internal threat.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
YOU should.
the government produces these documnets for a reason. if anyone knows who to secure a system, its the government. read them and apply them as required.
Also you have much nice hardware. How about policy? Policy is more important. What happens when somone is hired/fired? Who is allowed to do what on the network? Do you have a business continuity plan? Is their a document that states how to recover from a disaster? Has it been tested? Have you ever had a Threat and Risk assesment preformed? If yes when was it last updated.
You have some good technical means to provide security, how about the rest? The government has wonderfull guides on how to do all this stuff, and although thick - they really are helpfull.
1. Education - Get educated about what information security is all about, you should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and known what criminals/attackers can do in your organization.
You can get a lot of this from several books and websites, such as Secrets and Lies by Bruce Schneier, the SANS Reading Room, if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus.
2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization)
Tools like those from IBM Tivoli or HP Openview can help here. For security specific vulnerability analyzer, open-source Nessus and eEye's Retina, ISS's Internet Scanner
3. Policy - You need a plan and a document to give you and others guidenance, and this if your infosec policy.
Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security for benchmarks, and SANS Reading Room - Auditing and Assessment, and Site Security Handbook - RFC 2196.
4. Implement -- Using your education, audits and policies you can now implement decent security.
Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.
5. Be vigilant - "Security is a process, not a product" - Bruce Schneier
Now the work begins, up to now it was the fun stuff, now you get to dig in with boring but important tasks such as analyzing log files, maintaining a accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and if you can afford it and it is warranted, external), educating users, and maintaining your security posture.
* Disclaimer * - I work for a Security Testing Company.
1st step in security is to perform a risk assessment. The goal of Risk Assessment is to determine if the security controls for a system are fully commensurate with its risks. Without having an understanding of your risk you are unable to determine the proper security policies, procedures, guidelines, and standards to put in place to ensure adequate security controls are implemented. We want to avoid putting a $1000 fence around a $100 horse, but at the same time avoid undue risk.
Once that is completed, you need to create a security policy. This policy is what your company is officially trying to accomplish with it's security initiatives. Until you know what your goals are, any money or time is not going to be well spent.
Once you believe you have your goals from the policy implemented, you may wish to have a Posture Assessment. Posture Assessment is the act of measuring the gap between your information security posture and your information security policy. This is a thorough review of your existing security policies where each stated goal is converted into a test module. Each test is run until a sufficient amount of data is collected to measure the existing posture (The security Posture is what the company is actualy doing).
Assuming the Policy and the Posture match, you may additionaly with to verify that all the bases are covered and request a verification Penetration Test on a specific set of systems with a stated goal for the test, or an out and out Ethical Hack attempt (same idea as a Penetration test, but not as limited in scope). This will uncover holes in not covered by the Security Policy.
You should also consider periodic testing. Some of this should be done internally, some is best to outsource.
A security test is only valid if it is:
* Quantifiable
-- Can be numerically measured
* Consistent and repeatable
-- Two testers would receive the same test results at the same time
* Valid beyond the "now" time frame
-- Lasts and remains valid longer than the wet ink on the report
* Based on the merit of the tester and analyst not on brands
-- It is based on smarts and not expensive tools
* Thorough
-- A complete test where nothing is left untested from the scope
* Compliant to individual and local laws and the human right to privacy
-- Puts the protection of personal privacy before corporate data
Don't just limit inbound access, also setup an application proxy as your outbound route, and have all traffic go through it. That way you can not only decide what goes out and what doesn't, but you can also see what users are doing, and perform auditing when it needs to be done.
Here is an easy way to do it with a 4 armed firewall (pix 515 or similar)
|router|
|
|
| fw |-----| mail/dns dmz|
| |____
_________ |
|web dmz| |
--------- |
|
| proxy |
|
|
| corp net|
This thing looks like crap after stripping it down for the damn lameness filter, but hopefully you get the point. You basically have your border router hooked into a firewall, off of which hangs three segments. You have your web server dmz in one (only allowing inbound port 80 and possibly 443 if you're doing ssl, outbound is only established connections), email/dns in another (very closely related, so it makes sense to put them together, but you can segregate them if you wish. This would be inbound port 53 and 25, outbound only established, and port 53. Your last segment would be a connection to the outside interface of a proxy server, which has it's inside interface going to your corporate network.
This provides you with a reasonably secure border with little cost. You'll want to stay away from ISA for the proxy, as it has a nifty "auto-configure firewall" option that allows things like MS Messenger to work transparently through it, which may go against your policies.