Slashdot Mirror


Securing Your Network?

Barkmullz asks: "I just recently finished yet another security review on the network at my place of employment. I designed the different security features from scratch and I am using a variety of devices and software (firewalls, IDS, DMZs, and so on). I like to look at network security with the same attitude as I look on the stock market: diversify. Don't put all your eggs in one basket. As I was pondering the review results I wondered what a completely unbiased observer would think of my security. I remember thinking that someone should start a radio show similar to James Cramer's RealMoney and ask the listeners: Are you secure? I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff? What do you consider to be a secure network? What low-budget security features have you come up with? I don't think I am the only one spending evenings and weekends playing around with yet another IDS."

24 of 344 comments

  1. Honey Pot by Anonymous Coward · · Score: 5, Funny

    I heard about this honey pot feature for network security. I installed them on each user's computer, but they keep using the honey in their tea. Maybe it was not installed correctly?

  2. Not enough diversification by delphi125 · · Score: 5, Funny

    Since you posted this on /. you obviously aren't interested in security through obscurity!

  3. Keep it simple by Lucky+Kevin · · Score: 5, Insightful

    Allow only very few services and open just those ports. Probably HTTP, SMTP, FTP, SSH that's all.

    Keep Web and FTP on separate DMZ LANS.

    --
    Kevin
    "It's not the cough that carries you off, it's the coffin they carry you off in" O. Nash
    1. Re:Keep it simple by frodo+from+middle+ea · · Score: 5, Insightful
      Also remember
      Most security breaches occur from within. Maybe an over-curious geek looking for holes in the network, or a disgruntled employee.

      These are the ones that you should concentrate on first. It's a simple 80-20 ratio thing.

      There's no point building up the strongest bastion when you have traitors within.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  4. Pull the ether. by theNetImp · · Score: 5, Funny

    The way I secure my systems, is not to put them on a network, though it does make email a bitch...

  5. Thanks for letting me know by Anonymous Coward · · Score: 5, Funny

    I look on the stock market: diversify. Don't put all your eggs in one basket.

    Thanks for the link, I didn't know what diversify meant.

  6. Not sure your reasoning is sound by flynt · · Score: 5, Insightful

    I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?

    That's like saying you know someone has solved a very hard math problem that you need solved, but that you don't have time to find out how they did it. Why don't you read the literature not only from the NSA, but from the other various institutions that dedicate tremendous resources into investigating the problems you are trying to solve. It makes a lot more sense to do your research there rather than asking laypersons for their haphazard advice.

  7. Think layers by Blaine+Hilton · · Score: 5, Insightful
    Not just diversify, but think in layers. Try to achieve a layered security approach, with the most sensitive data in the center of the security "sphere".

    Go calculate something

    1. Re:Think layers by Frostalicious · · Score: 5, Funny

      Not just diversify, but think in layers

      I laughed my ass off when I read this, because I read it as "think in lawyers". Security through litigation? If only that didn't happen.

    2. Re:Think layers by laugau · · Score: 5, Funny

      Ogres have layers, onions have layers.

      Ogres are not like cake.

  8. Unfortunately by FreeLinux · · Score: 5, Informative

    I don't think I am the only one spending evenings and weekends playing around with yet another IDS.

    Unfortunately, I suspect that we are among the few that do. Especially when you look at this and this.

    I would say that you are definitely on the right track and that your network is probably more secure than most. Certainly more so than those that will respond to you here. The fact is that if you are in doubt, you should have an audit performed by a security expert. This person will review your policies, procedures and configurations and make appropriate recommendations. Additionally they will perform penetration testing both from inside and out and make subsequent recommendations.

    As I said above, I think you are on the right track and would guess that you have taken all of the necessary steps, and are hearing the complaints from your user community. But, the only thing that I would add is that you should never become complacent. Test your security regularly and use multiple tools to do it, and always the latest versions. Don't rely solely on a Nessus or nmap scan to validate your security. Also, when testing, remember that it isn't just a matter of whether you get in or not; you should also make sure that the attempt is properly caught in the logs, regardless of the attempt's success or failure.
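    The last point above, that a test attempt must show up in the logs whether or not it succeeded, is easy to check mechanically. The following is an added example, not code from the post or from any tool it names: it parses constructed OpenSSH-style auth log lines and confirms that a given test source address was recorded the expected number of times, counting accepted and failed attempts alike.

```python
import re
from dataclasses import dataclass

# Constructed sample auth log in the classic OpenSSH syslog format (not real data).
SAMPLE_LOG = """\
May 11 02:14:07 bastion sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51034 ssh2
May 11 02:14:09 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51034 ssh2
May 11 02:15:01 bastion CRON[4130]: (root) CMD (run-parts /etc/cron.hourly)
May 11 02:16:22 bastion sshd[4140]: Accepted publickey for kevin from 192.0.2.10 port 40112 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    outcome: str   # "Accepted" or "Failed"
    method: str    # "password", "publickey", ...
    user: str
    src: str


def parse_auth_events(text):
    """Extract sshd authentication events; unrelated lines (cron, etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(AuthEvent(**m.groupdict()))
    return events


def attempts_from(events, src):
    """All authentication attempts, successful or not, from one source address."""
    return [e for e in events if e.src == src]


def verify_test_was_logged(text, src, expected_attempts):
    """Return (ok, missing): did the log capture at least expected_attempts from src?

    A test that got in but left no trace is a worse result than one that was
    refused and logged, so success and failure are counted the same here.
    """
    seen = attempts_from(parse_auth_events(text), src)
    return len(seen) >= expected_attempts, max(0, expected_attempts - len(seen))


if __name__ == "__main__":
    ok, missing = verify_test_was_logged(SAMPLE_LOG, "203.0.113.7", 2)
    print("test attempts logged:", ok, "missing:", missing)
</test>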

  9. two steps by Anonymous Coward · · Score: 5, Funny

    1) Fire developers

    2) Fire users

  10. FTP? Was: Keep it simple by bwhaley · · Score: 5, Informative

    Probably HTTP, SMTP, FTP, SSH that's all.

    Someone was going to say it.... Why FTP? There is no need for it any more. There is a very long history of remote root exploits and other vulnerabilities. Just use sftp. Ya, so the users complain about it, but they'll get over it. The University I attend recently switched from Telnet/ftp to ssh. If we can convert 30,000+ users, so can you :)

    --
    "I either want less corruption, or more chance
    to participate in it." -- Ashleigh Brilliant
    1. Re:FTP? Was: Keep it simple by EvilAlien · · Score: 5, Insightful
      "SSH just ensures plaintext passwords aren't bouncing around your network."

      JUST?!

      That's like saying "oh, a firewall just keeps external network traffic from getting to services and hosts you don't want them to get to". Well duh.

      If your only authentication scheme is passwords, then this is crucial; there is no "just" about it. For example, the only thing separating your hosts from being vulnerable to all local-only exploits is a malicious user authenticating through SSH with a stolen password from sniffed FTP traffic, even if your FTP service is patched and non-vulnerable to privilege escalation and buffer overflows resulting in shell access.

      If you want to write off such a simple attack then <sarcasm>you might as well just leave telnet enabled, tie all your systems together with NIS on a public network, and make sure you have stickies with administrative account authentication information at all physical access points.

      Oh ya, don't forget to implement some wireless APs too... and remember: WEP and MAC exclusions are for the paranoid. Information wants to be free</sarcasm>.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  11. KISS by CommonSalt · · Score: 5, Informative
    Always know exactly what ports you have open.
    Don't let any attachments in.
    Have DMZs.
    Pay attention to bugtraq and errata postings.
    Nmap every once in a while.
    Only have two ssh's open to get in and have the IPs defined in hosts.allow.
    ALWAYS upgrade when security bugs are fixed.
    Have snort on the main DMZ in a promiscuous switch port, get some nice looking reports going.
    Pay attention to bandwidth usage ( cricket ).
    Add a dash of portsentry+tcpwrappers.
    Don't act macho and send nasty letters to people who try to get in.
    Maybe, don't return pings ( tcp-reset ) or portscans.
    Bind 9 with zones.
    Check all logs all the time (3 times a week).
    KISS = keep it simple stupid.
    Don't hire lazy admins.
    Try out all new security related programs.
    I SHOULD be sending most all logs to a central host.
    Make sure MS admins dont totally let their guard down.

    *pant*pant*. ummmmm, that's about it for now.

    Oh and don't enable web crap on routers etc (more ports open).
    ssh for everything.
    shut down telnet.
    https for everything.
    Try to protect email, imap, pop (plaintext over the network).
    Read the "security" section of all apps you install and try to KISS.
    ummmmmmmm, that's about it for me.

    Everyone already knows this but I'm just throwing in my 2 cents :-)

  12. well since noone else wants to ... by Abm0raz · · Score: 5, Informative

    ... I'll give a serious answer.

    I work for a moderate sized engineering consultancy (500+ employees all over the east coast). We have over a dozen offices from Florida to Maine. All are connected by a VPN using frame relay. At each access node, there is a Cisco Router/switch controlling what traffic can come in and out. Behind that is a firewall, NAT, and DHCP server (each office runs on a separate private IP group). All external traffic (i.e. not on the VPN) must go to the main headquarters and pass through the proxy before making it out to the "real world." We also have several web, ftp, and email servers in the private IP realm that are NAT'd to the outside. All incoming packets from the outside world must go through the Router, Firewall, NAT, Virus Scanner, Mail Content Scanner (read: anti-spam detector) before making it to the target machine.

    Software-wise, we are Novell users (mod me down if you want, but it is a hell of a lot better than M$). Every user has 1 concurrent log-in with very few exceptions (IT staff being 1 of them). Users cannot pass through the proxy or access any file servers without full LDAP authentication. This includes email, web browsing, ftp, etc. All logins are fully logged to time, machine and duration. Passworded screen savers automatically kick in after 10 minutes of idleness and users are auto-logged off after 30 minutes of idleness. Strong passwords are enforced (9+ characters, 3 of 4 ({CAPS, lower, 1234, !@#$}), no repeating of past passwords, no dictionary words). L0phtcrack is used randomly to check for weak passwords.

    I consider our systems to be fairly secure, given that most of the system is redundant as well as obscure to all but a few people in IS. It's a combination of cyber-armor and security through obscurity.

    Hope this helps.

    --
    Nothing fails quite like prayer.
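    The password rules the post lists (9+ characters, 3 of 4 character classes, no reuse of past passwords, no dictionary words) can be enforced at change time rather than found later by cracking. This is an added example, not the poster's or Novell's code; the word list and the PBKDF2 iteration count are assumptions, and the history check compares against salted hashes so old passwords never need to be kept in clear.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 9
MIN_CLASSES = 3
PBKDF2_ROUNDS = 100_000  # assumed work factor; raise for production use

# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY = {"password", "secret", "welcome", "summer", "novell", "network"}

# The "3 of 4" classes named in the post: CAPS, lower, 1234, !@#$.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def hash_password(password, salt=None):
    """Return (salt, digest) so the history list stores no plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_previous(password, history):
    """True if the candidate equals any (salt, digest) pair in the user's history."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, history=()):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} of 4 character classes, need {MIN_CLASSES}")
    lowered = password.lower()
    hits = sorted(w for w in DICTIONARY if len(w) >= 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if matches_previous(password, history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    old = [hash_password("Tr0ub4dor&3")]
    for pw in ("Tr0ub4dor&3", "Welcome1!", "abcdefgh", "xK9#pLm2qW"):
        print(repr(pw), check_password(pw, old) or "ok")
```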
  13. Your network needs work... by hoggoth · · Score: 5, Funny

    Your network is pretty secure compared to the average. However, ...

    Your root password is "sheila".
    Your social security number is 182-90-6134.
    You just broke up with your girlfriend.
    And you really ought to get a disk-wipe program to remove all traces of those deleted pornos.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  14. Diversity is not always an advantage by fv · · Score: 5, Insightful
    > I like to look at network security with the same attitude as I look on
    > the stock market: diversify. Don't put all your eggs in one basket.

    That is certainly true in the stock market, but I would be careful about applying it to network security. Adding a new stock to your portfolio does not place your other stocks at greater risk. Yet every new network service/machine you add _does_ increase the risk to the rest of your network. If an attacker manages to get a foothold into one of your machines, there are a myriad of ways that she can leverage that access to further compromise your network.

    Adding a new service is like having to defend a new front in a war. You have to divide your administrative effort into securing all of your systems, while the bad guys need only break through one of the defenses. So I would generally recommend standardizing on (say) a locked-down qmail, rather than putting out a "diverse" network that includes qmail, postfix, sendmail, exim, etc. Choosing one of those (even if you have instances on many machines) allows you to put more effort into locking it down, learning about it, and watching for & patching vulnerabilities. Meanwhile, attackers must have an exploit for that exact server rather than for any one of the mail servers you are running. Remember that even if you somehow manage to patch every announced vulnerability within 12 hours, there is still some window of exposure there. And many bugs will still float around underground for months before you hear about them - take a look at the recent SAMBA exploit for just one example.

    I'm certainly not saying that diversity is always bad. In some cases it makes sense. But don't treat it as a tenet of secure network design like "deny by default" or "defense in depth".

    -Fyodor
    Concerned about your network security? Try the free Nmap Security Scanner. Version 3.27 was released today.

  15. Good Golly, it's simple common sense... by jjwahl · · Score: 5, Informative
    1. Only allow those ports that are absolutely necessary - i.e. HTTP, FTP, SMTP,...
    2. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    3. Err on the side of being too restrictive.
    4. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    5. Absolutely keep up to date with your virus signatures and patches for your workstations and servers.
    6. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    7. Find a few quality security web sites (securityfocus.com, cert and others - check out DMOZ for a nice list of links...) and put them on your daily visit list. Make sure to go to several sites daily and use them to triangulate on what's relevant and important.
    8. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    9. Visit the IT Security Cookbook and enjoy!!!
    10. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    11. If you're running a web server on your network, check out the open web application security project. The OWASP Top 10 is a great tool to get you to think about how your web sites can be made more secure
    12. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    13. Know that you're not ever going to secure everything 100% , but if you make security one of your daily duties and take a proactive approach to security instead of a reactive approach, you'll do better than 99% of the networks out there. Just be diligent, use common sense and stay on top of patches/updates and you'll be fine.
    14. Review log files daily. Make it part of your religion. Log files. Review. Daily.
    --

    You need people like me so you can point your fucking fingers, and say "that's the bad guy."
  16. Re:Application choice as a security feature by poot_rootbeer · · Score: 5, Funny

    Our network is Novell, our e-mail is groupwise, and we don't use Cisco products.

    Aaah yes... "Security through obsolescence".

  17. From an independent Network Security Auditor by Inexile2002 · · Score: 5, Informative

    Ok, this is what I do for a living and frankly I find WAY WAY WAY too many companies lock down ports, install patches, configure a firewall well and then call their networks secure.

    All of the technical fixes in the world are rubbish when the independent auditor requests a list of all users on the network, goes down to HR and discovers 20 or 30 active user IDs for people who don't work there any more. Worse, I'll find 5 or 10 more for people who have changed jobs but still have their old privileges. (The guy in Accounts Payable SHOULD NEVER be able to access the Accounts Receivable systems.)

    Everyone in security knows a high percentage of exploits and a higher percentage of serious exploits are carried out by people who had valid access to the systems. Security for a network or a system begins in HR, and the processes for granting, modifying and revoking system authority are much more critical than what ports are open. So what if you keep the script kiddies out when your CIO's secretary writes herself a cheque for $1,000,000? If you're serious about securing your network, figure out what your users can do that they shouldn't and look to developing systems to prevent internal breaches.

    When I do a network security audit, first I test the following: segregation of duties and appropriateness of access, procedures for adding, changing and removing users, change management, and user access privilege testing. Is everything authorized? By whom?

    If those things pass muster, then I start actually looking at server room access, patches, firewall configuration, network diagrams, open ports, system auditing and security levels. It's not as sexy as pitting your skills against the crackers (what a f**ked up notion of sexy I have) but it's where you need to start if you're serious.
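    The auditor's first two checks, accounts for people who have left and people who changed jobs but kept their old rights (the Accounts Payable clerk who can still reach Accounts Receivable), reduce to reconciling the account list against the HR roster and a role-to-entitlement matrix. The following is an added example with constructed data, not the auditor's own tooling; the role names, group names and toxic-pair list are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: frozenset


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str   # "active" or "terminated" (from HR)
    role: str     # current job, not the job at hire


# Constructed entitlement matrix: which groups each role is allowed to hold.
ENTITLEMENTS = {
    "ap_clerk": {"staff", "accounts_payable"},
    "ar_clerk": {"staff", "accounts_receivable"},
    "it_admin": {"staff", "sysadmin"},
}

# Segregation of duties: one person must never hold both groups of a pair.
TOXIC_PAIRS = [("accounts_payable", "accounts_receivable")]

# Constructed sample data: mjones moved from AP to AR but kept AP access,
# bwhite left the company, rkim is not known to HR at all, tlee was disabled.
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, frozenset({"staff", "accounts_payable"})),
    Account("mjones", True, frozenset({"staff", "accounts_payable", "accounts_receivable"})),
    Account("bwhite", True, frozenset({"staff", "sysadmin"})),
    Account("tlee", False, frozenset({"staff"})),
    Account("rkim", True, frozenset({"staff"})),
]
SAMPLE_ROSTER = [
    Employee("jsmith", "active", "ap_clerk"),
    Employee("mjones", "active", "ar_clerk"),
    Employee("bwhite", "terminated", "it_admin"),
    Employee("tlee", "terminated", "ap_clerk"),
]


def audit(accounts, roster):
    """Return (user_id, kind, detail) findings for enabled accounts only."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled leaver's account is the desired end state
        emp = by_id.get(acct.user_id)
        if emp is None or emp.status != "active":
            findings.append((acct.user_id, "orphan", "enabled account with no active employee"))
            continue
        excess = acct.groups - ENTITLEMENTS.get(emp.role, set())
        if excess:
            findings.append((acct.user_id, "excess", f"groups beyond role {emp.role}: {sorted(excess)}"))
        for g1, g2 in TOXIC_PAIRS:
            if g1 in acct.groups and g2 in acct.groups:
                findings.append((acct.user_id, "sod", f"holds both {g1} and {g2}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit(SAMPLE_ACCOUNTS, SAMPLE_ROSTER):
        print(f"{user:8} {kind:7} {detail}")
```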

  18. Layers...lots of layers by MerlynDavis · · Score: 5, Informative
    I used to run network security for a prominent .com. In 2 years, we never got successfully penetrated. I stopped an awful lot of attacks, but I spent a lot of time, money and effort keeping the hackers out.

    Use layered security...

    Layer 1 - External Firewall - nothing comes in except exactly what you need where you need it to go to. HTTP only allowed in to the webservers, VPN to the VPN systems, etc. Tie an IDS into this firewall layer. SNORT works great...

    Layer 2 - DMZ - Anything in this zone is considered compromised by default. Nothing further in should absolutely trust systems in this domain. Put at least one IDS in this zone, and make sure to check not only traffic from the outside, but traffic from the inside as well.

    Layer 3 - Internal Firewall - Again...more security. Proxy servers, if you can, secured systems, more IDS systems, preferably a different one than the external one. Again, only let what data that you need to get through to get through.

    Layer 4 - Internal network - VLANs, IDS systems, and access lists. Make sure that traffic stays where it belongs, and make sure every system is backed up. Also, if you can afford it, Tripwire, or something along those lines...

    CHECK YOUR LOGS If you don't review your logs regularly, you're begging to get hacked. You have to keep up on what's going on and update your defenses accordingly. A corollary...LOG EVERYTHING YOU CAN Disk space is cheap. Log everything...you may need it at some point...especially for after-attack forensics.

    Make sure you are warned of possible intrusions somehow. My pager went off fairly often until I had my IDS systems tuned...but better an extra page and some minor panic than not knowing when a major hack happens...

    What I used - Snort IDS, Cisco PIX firewalls, Linux box running IPFW, Cisco NetRanger IDS, Cisco Routers, 3Com & Cisco Switches, patched Windows boxes...(PATCH THOSE SYSTEMS OFTEN!)

    --
    -merlyn
  19. Diversification? by 4of12 · · Score: 5, Insightful

    To nail the point down better, I'd rephrase that as "multiple layers of defense".

    It goes without saying to this audience, but probably needs to be said multiple times to the people that manage your budget, but having defense in layers (i.e., serial) is more effective than having defense mechanisms side by side (parallel).

    Make potential intruders go through all the doors of your dungeon, not just one.

    That's easy to say and hard to do. The problem is that many dungeons (workplaces, whatever they're called these days) have obscure, lesser known secret doors that can let in the monsters if only that one door is discovered and compromised. Creative social engineering tricks are particularly devastating this way.

    Some internal walls for damage control can be helpful in the event of an incident.

    --
    "Provided by the management for your protection."
  20. Five easy steps. by plcurechax · · Score: 5, Insightful

    1. Education - Get educated about what information security is all about. You should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and know what criminals/attackers can do in your organization.

    You can get a lot of this from several books and websites, such as Secrets and Lies by Bruce Schneier, the SANS Reading Room, if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus.

    2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization).

    Tools like those from IBM Tivoli or HP Openview can help here. For security-specific vulnerability analysis, there are open-source Nessus, eEye's Retina, and ISS's Internet Scanner.

    3. Policy - You need a plan and a document to give you and others guidance, and this is your infosec policy.

    Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security for benchmarks, and SANS Reading Room - Auditing and Assessment, and Site Security Handbook - RFC 2196.

    4. Implement -- Using your education, audits and policies you can now implement decent security.

    Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.

    5. Be vigilant - "Security is a process, not a product" - Bruce Schneier

    Now the work begins. Up to now it was the fun stuff; now you get to dig in with boring but important tasks such as analyzing log files, maintaining an accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and, if you can afford it and it is warranted, external), educating users, and maintaining your security posture.