Getting Started in Network Security?

pixelgeek asks: "Security has not only become an important topic but also a critical issue for admins and even the average user in their home. To someone new to the topic the wealth of material can be a bit daunting and, you can imagine, a little confusing. Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?" We've touched on these issues before, but it was a while ago. Taking a network security class, could help, but which classes are really worth the money and might there be enough information on the web to make such a choice, unnecessary?

Majors?

[krisp]

Perhaps a BS in Applied Networking and System Administration could get you some of the answers you are looking for.

Re:Majors?

[Jonsey]

I'm a student up at RIT, going into 2nd year, and this is my major. While Network Security is not yet a 6 class focus, it should be before long. Sure 4 years is too long to explode into the field, but if you meet pre-reqs, you can take the classes as night classes, or even on-line with no other offiliation to RIT.

I love the new degree though, it was just presented as a new major last year, technically an off-shoot if IT. It itself is... a bit weak of a major at RIT, trying to cover too many things with too many introductory classes, but cut out some web design and interactive media, and you've got a usable, enjoyable major.

Just my 0.0169284 Euro (as of 3:41 GMT) (thanks XE.com)

- Jones

iptables; get a book; read the web

[ezs]

I found Zieglers book 'Linux Firewalls' useful http://www.amazon.com/exec/obidos/ASIN/0735710996/ qid=1053904217/sr=2-2/ref=sr_2_2/002-0456066-36248 65 ; also this is a great site http://www.linux-firewall-tools.com/linux/

Start here...

[darthBear]

SANS InfoSec Reading Room.

O'Reilly Security Bibliography

[viega]

O'Reilly has a good security bibliography here. Be sure to read Practical Unix and Internet Security (which is now in its third edition). Beyond that, pick some books that seem the most interesting to you.

OpenBSD

I find that while using OpenBSD, you get to learn a lot about security.
The OpenBSD developers are security experts (and that's an understatement), and thus everything in OpenBSD is done the way it should be done, from a security point-of-view.
When you install OpenBSD, it's secure out-of-the-box. Of course no services are enabled by default. While you enable the ones you need, take the time to read through the excellent manpages (which are far superior in quality than linux's manpages), faq,... and you'll learn a lot.
Just don't expect no-brainer pointy-clicky interfaces *shiver* ;)

Re:Teach yourself iptables

[Jeremiah+Cornelius]

One word: WRONG!

Security is not an Engineering discipline. Knowing one security tool, or even many tools does little or nothing towards cultivating the approach, process, culture and awareness-in-context that are basic to a professional in the Information Security field.

One could do worse than browse the documents collection in the Reading Room at SANS.org,and the archive of Bruce Schneier's Crypto-gram newsletter.

If Information Security still appeals to you, and you can specialize in an area suited to your temperment -go ahead.

Materials to start with

[GC]

Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
"Know your Enemy" from the Honeynet Project

Experiment with the following programs:
Snort
Ethereal
IPTables
TcpDump/LibPcap

Follow articles/join mailing lists at:

CERT
Securityfocus

Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.

Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few Security based certifications as well YMMV.

MIT Network Secutity Team

[heli0]

Might want to check it out: MIT Network Security Team

"On the following pages you will find information about protecting your computer or network from malicious hackers, dealing with a suspected attack or system compromise, and MIT network security policies"

Learn the concepts first, applications second.

[oneiros27]

Applications change with time, but the basic concepts stay the same.

When you're dealing with risk analysis, it doesn't matter what protocol or application you're protecting. You only have to deal with your definition of risk. Typically, something like:

Risk = ( (Threat x Vulnerability) x Impact ) / Countermeasures

If you're dealing with human threats, then you might use MOMM (Motive, Opportunity, Means, Method) to break it down.

You should also learn other ways of breaking down the anslysis, like the McCumber Cube, the laws that you can use to prosecute perpetrators, oand what you need to do so that you're not sued for monitoring your users (which might be a violation of various privacy acts).

Applications aren't nearly as useful, as well, they might help you on that whole 'detect/protect/correct' front, but they rarely lock down a system completely -- you need multiple layers of protection, from not only technology, but you need the policies so you can actually implement good security practices, and you need to train your employees so they aren't creating security problems. [quite a few books claim that the majority of security incidents come from inside a company, and users will give up authentication information with minimal prompting].

blah, blah, blah...you get the idea...
take a general overview, and work from there. .

Things you should do

[evenprime]

The most important thing you can do, IMHO, is to join bugtraq or similar lists so you have a rough idea what is happening.

Other ideas

• set up a network of very cheap boxes with old software you know to be vulnerable, and try using exploits against them.
• Try hardening and patching those boxes so the exploits don't work anymore. (You'll frequently be patching/protecting obsolete boxes in the real world, so this is actually realistic.)
• Try adding tripwire and snort to stop/detect attacks. Configure snort with database logging, with syslog/swatch, etc. Clients will want it done in a variety of ways, so it is good to be able to do it in different ways.
• Familiarize yourself with as many of the tools in Fyodor's list as possible. Using them will be the bread an butter of your work. That includes scanners like nessus.
• Read an ultra paranoid book that will give you an overall view of the field (e.g. John M. Caroll's "Computer Security, Third Edition").
• Practice security. As you install and register software, watch what is happening to the box.
• Pick an area of security that you want to specialize in...there are too many bugs and holes each week to know all of them...just the PHP code injection stuff will keep you swamped.
• Don't be afraid to ask more advanced people security questions, but do your homework first, and make sure that they know you have. They will take your more seriously if you say "I've already read the FAQ and the man page, but I'm not clear on...." than if you say, "Dude, how do I do...". This can make your learning experience far less painful

Personal thoughts

[harikiri]

Fook, don't hit preview then the back button on your browser. :-(

Ok, time to summarise my longer post.

Background: I've worked in security professionally since late '99. I started with Unix and *cough* hacking back in '96.

1. Subscribe to security mailing lists: Best place to start with this is from www.securityfocus.com. These guys have lots of good lists to get onto - including Bugtraq.

2. Work (at home) with the systems you're likely to work with: This means building a home network, running up some unix servers, windows servers, a managed switch (try to find an old one).

3. Get some good books: For introduction to firewalls - "Building Internet Firewalls", for security design - "Security Engineering: A Guide to Building Dependable Distributed Systems", for crypto - "Applied Cryptography". There's heaps more, but those are some good starters. A good all-rounder is "Secrets and Lies" from Bruce Schneier.

4. Learn to hack: My motto for security work is - "You've got to know where the holes are in order to fix them". This means learning what those holes are, and what are common types of security vulnerabilities and threats are out there. The best way to do this (IMHO) is to start hacking your home systems. Grab Nessus (http://www.nessus.org) to begin with, and work from there.

5. Learn to program: You'll eventually get to a point where you want to develop your own tests, checks and scripts that available programs don't provide. If you are feeling game, try to write your own sniffer with libpcap (http://www.tcpdump.org) or your own scanner with libnet (http://www.packetfactory.net/projects/libnet/)

6. Teach yourself: I don't have much faith in security courses out there, primarily because I have had to work with people in "security" whose only experience/qualifications are a certain firewall certification (glances sidewards at Checkpoint). But if you need it to break into the market, go for it - just don't rely on it entirely. I don't have any real certifications, but I have practical experience with the top firewalls out there (most common security job is firewall admin), heaps of Unix's (solaris, digital, aix - and the various *BSD's and Linux), and can also do some programming. If you're going to work for a good company, they'll be more impressed with your skills than your certifications - though they help differentiate you.

Hope this helps.

Mindset, Language, and Procedure

[plcurechax]

IMHO any information security professional needs to develop a professional paranoia, being thoughtful of potential risks and failures, and understand what might go wrong.

Reading Bruce Schneier's Secrets and Lies is a really good start in this area. It is a not very technical book, written at the level suitable for an IT manager. This is also useful to help explains risks, vulnerabilities, and failures to IT Management.

The ever so ugly covered Hacking Exposed, which explains the basics of what criminals (or attackers) do commonly to gain unauthorized access to (networked) computer systems. This is so you a) know how easy it is, and b) are familiar with an overview of the basic steps and techniques to gain illicit access.

For online resources, RISKS digest (not focused on malicious activities, but how systems fail - very insightful and low volume), and Bugtraq a full disclosure mailing list will show you recent exploits, and vuln notices, but it is fairly lacking in actual educational content, and there are several other mailing lists at SecurityFocus that could also be useful to developing professional paranoia.

Next you need the language and basics of information/computer security. For this textbooks like Computer Security by Dieter Gollmann, Information Security Management Handbook by Tipton and Krause, Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz, and Security in Computing by Pfleeger and Pfleeger.

For procedures look at CISSP study material, BS 7799 / ISO 17799, and security auditing and incident handling materials. Some knowledge of risk management can also be useful.

From these basics, of the right mindset, the common language of infosec, and procedures and policy you can get into the low-level details of firewalls, VPNs, IDS, and network design. For this you should have a good network/internetworking basics, a very detailed understanding of TCP/IP, and understand firewalls, VPNs, and IPsec.

Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin is a great place to start, and Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman is a great follow-up. An alternative book on firewalls and VPNs is Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems by Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, Ronald W. Ritchey (crowd from SANS).

For networking basics, a Cisco certification like CCNA could useful in providing knowledge about internetworking and Cisco router's IOS. For the gory details of TCP/IP either TCP/IP Illustrated: Volume 1: The Protocols by Richard Stevens or Internetworking With TCP/IP Volume 1: Principles Protocols, and Architecture, 4th edition by Douglas Comer.

For IDS - Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt and Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper are the best IMHO.

I am not sure what to recommend for VPNs, other than you need to know about IPsec.

For starters...

[Znonymous+Coward]

1. Don't install Telnet, TFTP, RSH, RLOGIN or anyother clear text services.
2. Disable remote root login.
3. Use IP Tables and TCP Wrappers.
4. On "gateways", bind services to local interfaces only.
5. Use a strong password.
6. Don't install unused services (Example: Do you really need a BIND or SMTP server on your laptop?).
7. One word... up2date (www.redhat.com).
8. One word... www.chkrootkit.org.
9. Monitor your log files (seriously all of them /var/log).
10. Anything windows based is a security nightmare (and no that's not a troll).

And don't forget about all the great _free_ tools out there: nmap, ethereal, tripwire, logwatch.

Google search for any of the above pointers that are not slef explanitory.

A reading list for 'intro to security' class...

[B747SP]

I used to run two and three day 'intro to security' classes for folks who were already competent system admins, but needed a solid grounding in TCP/IP and network security. The classes tended to spend a day or so on TCP theory - network layers, packets, ports, payloads - routing (everyone knew what an IP address and a subnet mask looked like, but they rarely knew what they did) - and then combined those with a bit of basic filtering, and covered proxies and blah-di-blah.

The object wasn't to turn them into security wizzes in a day, but to give them a grounding in some of the more fundamental bits of the game so that they could go away and do sensible things with their new firewall, etc, etc.

I gave a suggested reading list for the keen ones. The list was as follows:

1) Mccarthy, Linda
"Network Security, Stories from the Trenches"
ISBN: 0138947597

For 'fear of god', and a general real-life example of the kind of wierd shit you're dealing with. (Mccarthy is also an excellent book to pass on to your boss when you're done with it. A *Very* usefull tool if you've been having trouble getting security budget - it will scare the bejesus out of him/her. This is not a particularly technical book, but it's very good for laying the groundwork, and getting your head around the security business. Teaches you to think outside the square too.

Perhaps the most important thing about the Mccarthy book is that it almost completely ignores technical subjects, and concentrates on the human and social engineering sides of security. Blocking ports and changing passwords every month is all well and good, but if someone can sweet talk your receptionist into handing over her password, then...

2) Stoll, Clifford
"Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"
ISBN: 0743411463

A real world, entertaining, walk-through the process of tracking a bad guy around the world. A nice easy to read book - technologically outdated now, but still interesting from the point of view of forensics and legals. This is not a technical book at all, but your boss still won't understand this one. NOTE: Don't make the mistake of being impressed by this book and running out to buy Cliff's other books. The first is a masterpiece, the rest are the ramblings of a tired and cynical man - not worth, frankly, the paper they're printed on. The Cuckoo's Egg is a nice book - buy it when your brain is just completely full of technical stuff, and you need a nice light (but still on-topic) story to give your brain a break.

3) Cheswick, William/Bellovin, Steven
"Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition"
ISBN: 020163466X

A bible for network and unix security. A detailed run-down on packets, ports, bells, whistles and how it all works. This book spends a lot of time analising specific network services, and their weaknesses. One chapter on a real-life tracking a bad guy, and some discussion of honeypots and lures. If you only buy one book, buy this one.

4) Garfinkel, Simson et-al
"Practical Unix & Internet Security, 3rd Edition" (The Safe Book)
ISBN: 0596003234

A practical, real-world, HOWTO on implementation of sensible security practices for unix administrators in particular. This is one you keep on your desk at work (well, chained to your desk with all your other O'Rielly books!) for day to day use.

5) Hunt, Craig
"TCP/IP Network Administration (3rd Edition)" (The Crab Book)
ISBN: 0596002971

A definitive bible on TCP/IP and how it works. All the guts from a techo (but not a programmer) point of view. This one doesn't spend much time on security per-se, but it is the book for TCP/IP.

The Sixth book in the pentology, for extra keen readers is The Cricket Book...

6) Liu, Cricket/Albitz, Paul
"DNS and BIND, Fourth Edition"
ISBN: 0596001584

Because, if