Slashdot Mirror
Getting Started in Network Security?
pixelgeek asks: "Security has not only become an important topic but also a critical issue for admins and even the average user in their home. To someone new to the topic the wealth of material can be a bit daunting and, you can imagine, a little confusing. Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?"
We've touched on these issues before, but it was a while ago. Taking a network
security class, could help, but which classes are really worth the money and might there be enough information on the web to make such a choice, unnecessary?
Perhaps a BS in Applied Networking and System Administration could get you some of the answers you are looking for.
You FAIL IT, retard. Go back to fucking your men, maybe you can pass your AIDS along even more.
Set up your own Linux firewall with iptables and create your own rules.
You are being MICROattacked, from various angles, in a SOFT manner.
I found Zieglers book 'Linux Firewalls' useful http://www.amazon.com/exec/obidos/ASIN/0735710996/ qid=1053904217/sr=2-2/ref=sr_2_2/002-0456066-36248 65 ; also this is a great site http://www.linux-firewall-tools.com/linux/
Evil ZEN Scientist
SANS InfoSec Reading Room.
O'Reilly has a good security bibliography here. Be sure to read Practical Unix and Internet Security (which is now in its third edition). Beyond that, pick some books that seem the most interesting to you.
Written by Micheal D, Bauer, O'Reilly & Associates, ISBN 36920-00217
"Eve of Destruction", it's not just for old hippies anymore...
Allways remember - (re:CLI)
A PIX (Firewall) is not a Router and a Router is not a PIX
This little morsel of knowledge still eludes me continuously in my day to day work in this field.
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
I find that while using OpenBSD, you get to learn a lot about security. ;)
The OpenBSD developers are security experts (and that's an understatement), and thus everything in OpenBSD is done the way it should be done, from a security point-of-view.
When you install OpenBSD, it's secure out-of-the-box. Of course no services are enabled by default. While you enable the ones you need, take the time to read through the excellent manpages (which are far superior in quality than linux's manpages), faq,... and you'll learn a lot.
Just don't expect no-brainer pointy-clicky interfaces *shiver*
Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
"Know your Enemy" from the Honeynet Project
Experiment with the following programs:
Snort
Ethereal
IPTables
TcpDump/LibPcap
Follow articles/join mailing lists at:
CERT
Securityfocus
Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.
Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few Security based certifications as well YMMV.
A great primer on some of the fundamentals of the field, along with a few of the more common attacks (mind you, any technique you find in a printed book is liable to be slightly behind the cutting edge.)
Might want to check it out: MIT Network Security Team
"On the following pages you will find information about protecting your computer or network from malicious hackers, dealing with a suspected attack or system compromise, and MIT network security policies"
Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
http://www.insecure.org/tools.html
A CISSP book (and maybe a copy of ISO17799) should cover everything you should need to know.
The rest is just details, which you should endevour to become an expert in as/when needed.
Dom
(PS. A good CISSP book is >500 pages)
When you're dealing with risk analysis, it doesn't matter what protocol or application you're protecting. You only have to deal with your definition of risk. Typically, something like: If you're dealing with human threats, then you might use MOMM (Motive, Opportunity, Means, Method) to break it down.
You should also learn other ways of breaking down the anslysis, like the McCumber Cube, the laws that you can use to prosecute perpetrators, oand what you need to do so that you're not sued for monitoring your users (which might be a violation of various privacy acts).
Applications aren't nearly as useful, as well, they might help you on that whole 'detect/protect/correct' front, but they rarely lock down a system completely -- you need multiple layers of protection, from not only technology, but you need the policies so you can actually implement good security practices, and you need to train your employees so they aren't creating security problems. [quite a few books claim that the majority of security incidents come from inside a company, and users will give up authentication information with minimal prompting].
blah, blah, blah...you get the idea...
take a general overview, and work from there. .
Build it, and they will come^Hplain.
Well, this is lovely, but it's not exactly the way to "get a handle" on things. Seriously, if you expect this from everyone in Network Security, you're going be unable to get anyone new. I'll grant you don't want a security team full of people who don't what what they're doing, but you've got to pick up greenhorns sometime. How can one gain experence without having a chance to get it?
True firewalling is a good start, but consider knowing good OS practices too, liking patching up and hardening Solaris, using tools like HFNetChk and others to help harden Windows, up2date and hardening RedHat Linux. Sure that's not all operating systems, but it's a good start. Disable services you don't need, secure the ones you do want to run, and so on.
Understand firewalls, NAT, port forwarding; set up an internal LAN mess with doing scans with nmap, try and do some things with nc...
set up things like ssh and scp in place of telnet and ftp. Know about the different forms of encryption their strengths and weakness, when one might be appropriate over the other.
Learn about VirusScan. Maybe McAfee VirusScan and NetShield and centrally administrating it with e-Policy so that you can automatically update all your servers and clients in case of an emergency DAT rollout cause of the latest virus running amok.
Also mail scanning, spam filtering, maybe things like clearswifts mailsweeper product, content filtering, lexical scanning, and other stuff.
Learn to set up postfix and sendmail so that they aren't acting as open relays, etc.
You might also consider something like Websense for URI filtering. Often not only are you trying to keep the bad things from getting in but also your users from getting to harmful material as well; in essence protecting them from themselves.
And of course you can mess with IDS, like say snort.
Learn about IPSec VPN's I'm sure there is free stuff to get you started, also learn about the big players in VPN's like say checkpoint, nortel networks with contivity, netscreen and probably lots of others.
Security only starts with a firewall. It also demands good practices with server updates and patches, mail scanning, web content scanning, virusscan, choosing secure methods over the easy ones....
Some of these programs are free, some you can download demos of, others you may not be able to get your hands on until your in a position to use them, but at least knowing about the different methods of making a network more secure is at least a start.
I'll second that. If the kind of security you're interested in learning is at the bit level, then one of the best things you can do is get a really, really good understanding on IP and related protocols.
1. Use a dedicated firewall - I don't believe a fire wall on the machine you are trying to protect is sufficient, especially windows. Get either a router with a built in firewall, or use linux with iptable masquerade firewall. The latter option is more $$ and more trouble than the former, but I think it's untilmately more robust. You should also use a firewall on your PC, just in case.
2. Secure your browser and mail reader - these are the primary "back doors" into your computer. No firewall will protect you if you download and execute a virus attached to an email message. Sorry, no links here, but ask around, and becareful what you download.
3. Read up - Building Internet Firewalls is excellent for the novice. I have their simplest system at home - one dual homed PC that acts as NAT, firewall, and router. Not as secure, but good enough for me. Then just start reading more books as you have time. The O'Rilley series on Ethernet and the various TCP/IP protocols is good, and so are the relavent RFCs. But also consider more academic books like Comer.
Other ideas
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Real world experience is where its at. Know your packets first and your policies second - but keep in mind that both are equally important.
I've met plenty of tools that have "jumped into security". They try to talk a good game of the which type of firewall is better than what, and why PKI solves or doesn't solve everything. In reality they don't know squat and have even less of a clue on how to apply their solutions to the real world.
The best general network security people I've met are those who understand the systems they are protecting and have the power to tell management and developers 'no'. But apply it only when they absolutly have to. Business has to get done - but when the cost of doing that business unnecessarily puts your assets at risk, it is imperative to have the power to tell people no.
Books, classes, certs all have some value - but for me... if I'm not sitting there dealing with it, configuring it, and applying it to a homemade or real world situation... I'll never get as much out of it.
http://windows.scares.us
Fook, don't hit preview then the back button on your browser. :-(
Ok, time to summarise my longer post.
Background: I've worked in security professionally since late '99. I started with Unix and *cough* hacking back in '96.
1. Subscribe to security mailing lists: Best place to start with this is from www.securityfocus.com. These guys have lots of good lists to get onto - including Bugtraq.
2. Work (at home) with the systems you're likely to work with: This means building a home network, running up some unix servers, windows servers, a managed switch (try to find an old one).
3. Get some good books: For introduction to firewalls - "Building Internet Firewalls", for security design - "Security Engineering: A Guide to Building Dependable Distributed Systems", for crypto - "Applied Cryptography". There's heaps more, but those are some good starters. A good all-rounder is "Secrets and Lies" from Bruce Schneier.
4. Learn to hack: My motto for security work is - "You've got to know where the holes are in order to fix them". This means learning what those holes are, and what are common types of security vulnerabilities and threats are out there. The best way to do this (IMHO) is to start hacking your home systems. Grab Nessus (http://www.nessus.org) to begin with, and work from there.
5. Learn to program: You'll eventually get to a point where you want to develop your own tests, checks and scripts that available programs don't provide. If you are feeling game, try to write your own sniffer with libpcap (http://www.tcpdump.org) or your own scanner with libnet (http://www.packetfactory.net/projects/libnet/)
6. Teach yourself: I don't have much faith in security courses out there, primarily because I have had to work with people in "security" whose only experience/qualifications are a certain firewall certification (glances sidewards at Checkpoint). But if you need it to break into the market, go for it - just don't rely on it entirely. I don't have any real certifications, but I have practical experience with the top firewalls out there (most common security job is firewall admin), heaps of Unix's (solaris, digital, aix - and the various *BSD's and Linux), and can also do some programming. If you're going to work for a good company, they'll be more impressed with your skills than your certifications - though they help differentiate you.
Hope this helps.
Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
IMHO any information security professional needs to develop a professional paranoia, being thoughtful of potential risks and failures, and understand what might go wrong.
Reading Bruce Schneier's Secrets and Lies is a really good start in this area. It is a not very technical book, written at the level suitable for an IT manager. This is also useful to help explains risks, vulnerabilities, and failures to IT Management.
The ever so ugly covered Hacking Exposed, which explains the basics of what criminals (or attackers) do commonly to gain unauthorized access to (networked) computer systems. This is so you a) know how easy it is, and b) are familiar with an overview of the basic steps and techniques to gain illicit access.
For online resources, RISKS digest (not focused on malicious activities, but how systems fail - very insightful and low volume), and Bugtraq a full disclosure mailing list will show you recent exploits, and vuln notices, but it is fairly lacking in actual educational content, and there are several other mailing lists at SecurityFocus that could also be useful to developing professional paranoia.
Next you need the language and basics of information/computer security. For this textbooks like Computer Security by Dieter Gollmann, Information Security Management Handbook by Tipton and Krause, Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz, and Security in Computing by Pfleeger and Pfleeger.
For procedures look at CISSP study material, BS 7799 / ISO 17799, and security auditing and incident handling materials. Some knowledge of risk management can also be useful.
From these basics, of the right mindset, the common language of infosec, and procedures and policy you can get into the low-level details of firewalls, VPNs, IDS, and network design. For this you should have a good network/internetworking basics, a very detailed understanding of TCP/IP, and understand firewalls, VPNs, and IPsec.
Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin is a great place to start, and Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman is a great follow-up. An alternative book on firewalls and VPNs is Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems by Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, Ronald W. Ritchey (crowd from SANS).
For networking basics, a Cisco certification like CCNA could useful in providing knowledge about internetworking and Cisco router's IOS. For the gory details of TCP/IP either TCP/IP Illustrated: Volume 1: The Protocols by Richard Stevens or Internetworking With TCP/IP Volume 1: Principles Protocols, and Architecture, 4th edition by Douglas Comer.
For IDS - Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt and Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper are the best IMHO.
I am not sure what to recommend for VPNs, other than you need to know about IPsec.
Let me start out with some orthodoxy someone else stated:
Security is a process.
Not something you can bolt-on, buy, or issue a memo on. Beyond that the learning resources mentioned by other posters are all good if not overkill. http://www.insecure.org/tools.html was covered in another article earlier this month.
But let me add a bit of heresy:
You don't have to be an uber-geek to do security, merely figuring out how to be properly secure against skript kiddiez will cover most cases, and the rest are more likely from internal threats - negligence or malice. And there is no anti-social engineering CLI or GUI tool.
Currently, the most common practice it to fire, buy-off, or otherwise silence the "whistleblowers". This is the police state model. So flaws continue since reporting them gets you in trouble with everyone including your boss. The monoculture "corporate load" takes care of everything. (monoculture in the agricultural sense, and in the most narrow one where every stalk of corn is a clone of all the others so one blight can destroy the whole like happened in Ireland in the late 1840s).
There are enough tools to detect and contain break-ins and outbreaks, but a CDC epidemiologist is probably a better model than a KGB officer. Use surveillance and containment, but unless someone insists on being "Typhoid Mary", ignore the user's idiosyncrasies and just make sure things get done.
You don't need to do cryptanalysis for the process to work, buy you need to have some people skills and have a corporation that understands what and how much they are asking for. You also have to take care of details like security patches and deleting old accounts and doing normal auditing.
The most common problems are that they want to be both secure and transparent. This is a tradeoff. And barring that they want to use Brand X software to "solve all their problems". Brand X may be good or bad, but processes create layers and usually Brand X only handles one layer, or can't handle some cases gracefully (abandon security or transparency in that case).
One other difficulty is that the average corporation doesn't really know about network security. They assume because there have been no detected attacks or other problems that there is no problem. Or the "process" is split and is part of an ongoing turf war between the guards insuring you have a visitor's badge and the IT department that has to do this as part of the gazillion other things they do. This usually creates policies but not the process.
If you want to get started, start by securing your home Internet connection. This will benefit you and the Internet community in general. I have a page with some information on home broadband security.
When you move to security in a business environment, in my opinion you need to frame security as a tool for risk management. CERT provides good information on handling security professionally, including their book The CERT Guide to System and Network Security Practices and a large collection of Articles, reports and papers.
Information Security Magazine will give you a sense of where the infosec business is going. On the academic side there's the new IEEE Security and Privacy Magazine and the IEEE Computer Society Technical Committee on Security and Privacy. Also on the academic side there are the more established journals from compsec online.
Not only will it secure your box, one of their major goals is to "teach" you how as it does it. Here's a quote from their site:
Seems like a good source of info to me. Teach a man to fish and all that...
There is actually a 3-part Cryptography course (the 1st part of which is merely entitled, "Network Security") that I intend to take the 2nd two parts of pretty soon here.
Since timing will not allow me to take the entire sequence, I'm covering the material of the first course on my own.
To that end, a few resources:
[the following presumes a background in network engineering, the protocols, etc.; it also presumes some number theory but most of that is covered as needed]
1. For starters: Charles & Shari Pfleeger's Security in Computing, 2nd Edition -- this is a nice, intro text for high level (a) security, (b) encryption, (c) OS security, (d) DB security
2. Then move onto more specific texts, i.e. Silberschatz's Operating Systems Concepts, 6th Edition -- this provides a much more detailed look into OS security -- mechanisms/policies/implementations etc.
3. Then there are a couple wortwhile Cryptography only texts: (a) Schneier's Applied Cryptography, (b) Menezes' Handbook of Applied Cryptography
4. Then there is a good course website for the course I referred to, the 1st in the series of three that also has downloadable handouts as well as some coding projects that you could do independently, providing an enviro
5. Finally, I'd suggest a subscription to the Counterpane Crytpogram newsletter -- found at this link. Also, checking out this site periodically or perusing it somewhat in-depth will give you far more visibility into day-to-day threats.
Those who give up their power willingly deserve none.
1. Don't install Telnet, TFTP, RSH, RLOGIN or anyother clear text services. /var/log).
2. Disable remote root login.
3. Use IP Tables and TCP Wrappers.
4. On "gateways", bind services to local interfaces only.
5. Use a strong password.
6. Don't install unused services (Example: Do you really need a BIND or SMTP server on your laptop?).
7. One word... up2date (www.redhat.com).
8. One word... www.chkrootkit.org.
9. Monitor your log files (seriously all of them
10. Anything windows based is a security nightmare (and no that's not a troll).
And don't forget about all the great _free_ tools out there: nmap, ethereal, tripwire, logwatch.
Google search for any of the above pointers that are not slef explanitory.
Karma: The shiznight, mostly because I am the Drizzle.
The object wasn't to turn them into security wizzes in a day, but to give them a grounding in some of the more fundamental bits of the game so that they could go away and do sensible things with their new firewall, etc, etc.
I gave a suggested reading list for the keen ones. The list was as follows:
1) Mccarthy, Linda
"Network Security, Stories from the Trenches"
ISBN: 0138947597
For 'fear of god', and a general real-life example of the kind of wierd shit you're dealing with. (Mccarthy is also an excellent book to pass on to your boss when you're done with it. A *Very* usefull tool if you've been having trouble getting security budget - it will scare the bejesus out of him/her. This is not a particularly technical book, but it's very good for laying the groundwork, and getting your head around the security business. Teaches you to think outside the square too.
2) Stoll, Clifford
"Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"
ISBN: 0743411463
A real world, entertaining, walk-through the process of tracking a bad guy around the world. A nice easy to read book - technologically outdated now, but still interesting from the point of view of forensics and legals. This is not a technical book at all, but your boss still won't understand this one. NOTE: Don't make the mistake of being impressed by this book and running out to buy Cliff's other books. The first is a masterpiece, the rest are the ramblings of a tired and cynical man - not worth, frankly, the paper they're printed on. The Cuckoo's Egg is a nice book - buy it when your brain is just completely full of technical stuff, and you need a nice light (but still on-topic) story to give your brain a break.
3) Cheswick, William/Bellovin, Steven
"Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition"
ISBN: 020163466X
A bible for network and unix security. A detailed run-down on packets, ports, bells, whistles and how it all works. This book spends a lot of time analising specific network services, and their weaknesses. One chapter on a real-life tracking a bad guy, and some discussion of honeypots and lures. If you only buy one book, buy this one.
4) Garfinkel, Simson et-al
"Practical Unix & Internet Security, 3rd Edition" (The Safe Book)
ISBN: 0596003234
A practical, real-world, HOWTO on implementation of sensible security practices for unix administrators in particular. This is one you keep on your desk at work (well, chained to your desk with all your other O'Rielly books!) for day to day use.
5) Hunt, Craig
"TCP/IP Network Administration (3rd Edition)" (The Crab Book)
ISBN: 0596002971
A definitive bible on TCP/IP and how it works. All the guts from a techo (but not a programmer) point of view. This one doesn't spend much time on security per-se, but it is the book for TCP/IP.
The Sixth book in the pentology, for extra keen readers is The Cricket Book...
6) Liu, Cricket/Albitz, Paul
"DNS and BIND, Fourth Edition"
ISBN: 0596001584
Because, if you're working with the Internet, you're gonna be working with DNS, and if your DNS is broken (or you don't have the skills to tell that your DNS is broken) then you're screwed! You haven't arrived until you have a GOOD understanding of DNS, what it is, and how it works. After reading this one, go back and re-read Cheswick & Bellovin's discussion on securing DNS, and giving different answers to different people depending on who they are.
I find your ideas intriguing and I wish to subscribe to your newsletter.
The object wasn't to turn them into security wizzes in a day, but to give them a grounding in some of the more fundamental bits of the game so that they could go away and do sensible things with their new firewall, etc, etc.
I gave a suggested reading list for the keen ones. The list was as follows:
1) Mccarthy, Linda
"Network Security, Stories from the Trenches"
ISBN: 0138947597
For 'fear of god', and a general real-life example of the kind of wierd shit you're dealing with. (Mccarthy is also an excellent book to pass on to your boss when you're done with it. A *Very* usefull tool if you've been having trouble getting security budget - it will scare the bejesus out of him/her. This is not a particularly technical book, but it's very good for laying the groundwork, and getting your head around the security business. Teaches you to think outside the square too.
Perhaps the most important thing about the Mccarthy book is that it almost completely ignores technical subjects, and concentrates on the human and social engineering sides of security. Blocking ports and changing passwords every month is all well and good, but if someone can sweet talk your receptionist into handing over her password, then...
2) Stoll, Clifford
"Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"
ISBN: 0743411463
A real world, entertaining, walk-through the process of tracking a bad guy around the world. A nice easy to read book - technologically outdated now, but still interesting from the point of view of forensics and legals. This is not a technical book at all, but your boss still won't understand this one. NOTE: Don't make the mistake of being impressed by this book and running out to buy Cliff's other books. The first is a masterpiece, the rest are the ramblings of a tired and cynical man - not worth, frankly, the paper they're printed on. The Cuckoo's Egg is a nice book - buy it when your brain is just completely full of technical stuff, and you need a nice light (but still on-topic) story to give your brain a break.
3) Cheswick, William/Bellovin, Steven
"Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition"
ISBN: 020163466X
A bible for network and unix security. A detailed run-down on packets, ports, bells, whistles and how it all works. This book spends a lot of time analising specific network services, and their weaknesses. One chapter on a real-life tracking a bad guy, and some discussion of honeypots and lures. If you only buy one book, buy this one.
4) Garfinkel, Simson et-al
"Practical Unix & Internet Security, 3rd Edition" (The Safe Book)
ISBN: 0596003234
A practical, real-world, HOWTO on implementation of sensible security practices for unix administrators in particular. This is one you keep on your desk at work (well, chained to your desk with all your other O'Rielly books!) for day to day use.
5) Hunt, Craig
"TCP/IP Network Administration (3rd Edition)" (The Crab Book)
ISBN: 0596002971
A definitive bible on TCP/IP and how it works. All the guts from a techo (but not a programmer) point of view. This one doesn't spend much time on security per-se, but it is the book for TCP/IP.
The Sixth book in the pentology, for extra keen readers is The Cricket Book...
6) Liu, Cricket/Albitz, Paul
"DNS and BIND, Fourth Edition"
ISBN: 0596001584
Because, if
I find your ideas intriguing and I wish to subscribe to your newsletter.