Slashdot Mirror


Getting Started in Network Security?

pixelgeek asks: "Security has not only become an important topic but also a critical issue for admins and even the average user in their home. To someone new to the topic the wealth of material can be a bit daunting and, you can imagine, a little confusing. Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?" We've touched on these issues before, but it was a while ago. Taking a network security class could help, but which classes are really worth the money, and might there be enough information on the web to make such a choice unnecessary?

22 of 193 comments

  1. It's not an easy job by rxed · · Score: 5, Insightful

    In security you have to have a well-rounded education and experience simply because the job demands it. A good start would probably be 5 years in network administration with large user group environments, fluent programming skills (java, c, c++, perl), some experience in web server farm administration etc. I don't know any security or computer forensic who worked for our company who is under 35 yo.

    1. Re:It's not an easy job by MoreBeer · · Score: 5, Insightful

      Agreed. We try to 'greenhorn' in good network admins/engineers. Start them off in basic fw administration, show them the ropes of the IDS (Snort!), and teach them why it's important to ride their former coworkers like zorro to ensure their stuff is up to date patchwise.

      The basic fact of the matter is, Network Security _requires_ a seasoned network admin/engineer/programmer who has the potential to analyze systems on all levels of the OSI model (when analyzing a production payroll server - is it plugged into a hub all the way up to transmitting passwords in cleartext or non-aged accounts?). I'd say it's damn near impossible for a hair stylist to come into a company as a Network Security Administrator, but a hungry NT admin or Network Engineer has great potential.


  3. Understand networking by Anonymous Coward · · Score: 1, Insightful

    You should understand Stevens' TCP/IP Illustrated Volume I, then Volume II. If you don't understand the protocols, you don't understand network security. Just learning how to deploy a firewall and IDS is of little use without understanding network architecture. Your first tool should be tcpdump.

    Oh, and read the security mailing lists religiously.

  4. Nasty Catch-22 by acceleriter · · Score: 5, Insightful
    The corporate/law enforcement security community is fairly tight-knit, and suspicious of newcomers. Attempting to "break in" (no pun intended) to that community will be met with suspicion.

    And, interestingly, getting a job in network security requires a knowledge of network security, but having knowledge of network security without previous employment in the field can make you suspect.

    Worst of all is to admit knowledge of security in a corporate environment by pointing out flaws--then you're an easy mark for those "in charge" of security, whom you've made look bad. Like a bad "in Soviet Russia" joke, security problem report you.

    Fortunately, I haven't learned any of this by experience, only by observation.

    --

    CEE5210S The signal SIGHUP was received.

  5. Re:Oh, what the fuck by Kadin2048 · · Score: 5, Insightful
    The Coward does have one good point--just keeping your system up to date can do wonders for network security. And turning on the built-in security options in your home network (especially wireless) will make a big difference. It won't keep out a determined individual, but it will make your average script kiddie move on to the next joe on your street.


    Everything depends on what your security concerns are. The expertise needed to secure a small home LAN against high-schoolers with too much free time is a lot different than the experience needed to secure a gigantic corporate WAN against determined crackers, and the training you need to do one is nothing like what you need to do the other.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  6. Computer Security by friscolr · · Score: 5, Insightful
    Secrets and Lies, by Bruce Schneier, will give you a good overview of computer security (other books exist for this general overview too, but I happen to have just finished this one). From there you can delve into more in depth overviews or specific topics.

    More in depth overviews:
    any CISSP/GISC/Security+ certification book (plus, after reading it go get certified!).

    Topic Specific:
    Firewalls (contrary to what others may tell you, there is more to security than firewalls). Some good books: the O'Reilly Firewall book, Building Linux and OpenBSD Firewalls (a bit dated but still on topic).
    Do a search for all O'Reilly books with 'security' in the title/description, flip through it, decide if it suits your need (e.g. Web Security, Computer Security Basics, OpenSSL security, etc).

    Learning the topic *really* *well* is very important - e.g. really understand TCP/IP (something beyond "i plug in the cable, run dhclient, and i get internet!") and look at it with an eye for security. Same goes for web server, general sysadmin tasks, programming, etc.

    Remember: security is a process. and a moving target. and impossible to fix 100% but try anyways.

    Experience is essential too. Get yourself an experimental network and try attacks, network sniffing, securing, MiTM'ing, getting around firewalls, DoS'ing, snort'ing, arpspoofing, etc. Once you've run some attacks then you'll have a working idea of what is going on and will hopefully be able to see when a line of thought would lead you in the same direction in setting up your network. Plus it helps to know you could set up a quick demo to show how easy it is to sniff someone's password, even on a switched network.

    Become a keen observer of people. The users are your number one enemy in terms of security. They'll give their password away to anyone, try to thwart your attempts to secure the network, print out and take confidential docs to the cafe, etc. Not on purpose, but b/c their priority is getting work done. Understand them so as to best work with them.

    And there's a whole lot more, but most importantly remember that security requires a very robust approach. Not just a firewall, not just encrypting everything, not just checking all code, but a well thought out approach that is followed, revised, updated, explained to all employees, etc etc

  7. i don't get it by minusthink · · Score: 2, Insightful

    mod me down as a troll, off-topic or whatever, but I don't understand the ask slashdots when people ask 'how do I begin learning [something]?'

    google for the topic, find a book, or a how-to, or whatever and start reading. inevitably you will come across an idea, or jargon, that you don't understand. so google for that. continue until you finish the book.
    then find another book/how-to.

    all you need to know is avoid books like 'advanced topic X'.

    i dunno. maybe i'm just a supergenius. but most likely not.

    learn, baby, learn.

    --
    "when life gets complicated, I like to take a nap in a tree and wait for dinner" - Hobbes.
  8. Re:Not just networking by chill · · Score: 2, Insightful

    The problem with most projects is that they are completed and rolled out before security is addressed. It is not realistic to think security can only happen when "designed in".

    Real world situations include "securing" existing LANs/WANs; Internet e-commerce sites; etc.

    Learning the basics of TCP/IP *IS* a good idea. And *understanding what a firewall is/is not, and what its limitations are* is CRITICAL.

    Two days ago I had the head of a medium-sized financial services firm call me and say "my tech here says we don't need virus protection on our desktops because the firewall takes care of that". Oh, and the firewall was simply a VERY basic (and never configured) packet filter on their DSL router.

    --
    Learning HOW to think is more important than learning WHAT to think.
  9. Learning does take time by bigberk · · Score: 2, Insightful

    When I started playing around with Linux five years ago, I had no understanding of 'real world' network security. Today I consider myself quite knowledgeable on the subject; I oversee network configuration and security for several LANs (including my own business); I've written academic papers on the subject and I am currently involved with university research in networking.

    Learning any complicated system is an iterative process. First get started, then keep the ball rolling. I started by setting up an internet connected linux server in my basement, which immediately got hacked. Then I read up to understand how it happened; I started reading USENET groups like comp.os.linux.security and I rapidly gained a pretty good idea of what was going on.

    The benefit of playing around with linux is that you immediately have access to all the major tools and technologies that power the internet - and can tinker around with them. Get slackware, and play around with iptables (firewall), ssh, apache configuration, mail, and all the other fun stuff like unix permissions!

  10. Re:Teach yourself iptables by delta407 · · Score: 5, Insightful

    Set up your own Linux firewall with iptables and create your own rules.<sigh>

    Network security is slightly more complicated than simply using iptables. Packet filtering is important, but recognizing possible vulnerabilities in exposed services is also important. (For instance, did you know that -- by default -- most SSHDs allow any authenticated users to establish TCP connections to arbitrary remote machines? This can easily let users, regardless of how much you trust them, punch holes through your firewall.)

    Furthermore, another large part of network security is network design. I've seen networks that have two or three DMZs, each guarded by independent machines with different configurations: authentication systems, CPU architecture, and operating system (i.e. one OpenBSD, one Solaris, one <ack> Windows).

    Continuing, most good network security folks can work on either side of the line between attacker and defender. Network security can only be built when you have learned to think like an attacker. (If I expose this port, what can that reveal about my configuration? What happens if this particular protection fails? What could happen if there was a root exploit on server 834?)

    Sadly, there are many "security experts" that agree with you.
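
The SSH forwarding point above, as an added example that is not code from the thread: a small audit of an sshd_config's global forwarding policy, using OpenSSH's documented defaults (AllowTcpForwarding yes, PermitOpen any, GatewayPorts no, PermitTunnel no). The two sample configs are constructed.

```python
"""Audit the global forwarding policy of an sshd_config. Added example, not thread code.
Defaults are OpenSSH's documented ones; sshd keeps the first value it sees for a keyword,
and lines inside a Match block are conditional, so the global audit stops at Match."""

DEFAULTS = {
    "allowtcpforwarding": "yes",  # any authenticated user may request -L/-R/-D tunnels
    "permitopen": "any",          # ...to any destination host:port
    "gatewayports": "no",         # remote forwards listen on loopback only
    "permittunnel": "no",         # no layer-2/3 tun devices over ssh
}

STOCK_CONFIG = """\
# constructed sample: a stock sshd_config that says nothing about forwarding
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed sample: forwarding off globally, re-enabled for one group only
Port 22
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
Match Group netops
    AllowTcpForwarding yes
    PermitOpen bastion.internal:22
"""


def effective_settings(config_text):
    """Effective global value of each forwarding keyword (first occurrence wins)."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # everything after this is conditional, not global policy
        if key in settings and key not in seen and len(parts) == 2:
            settings[key] = parts[1].strip().lower()
            seen.add(key)
    return settings


def audit_forwarding(config_text):
    """Findings a reviewer would raise: each one is a way through the host's firewall."""
    s = effective_settings(config_text)
    findings = []
    if s["allowtcpforwarding"] != "no":
        dest = "any host:port" if s["permitopen"] == "any" else s["permitopen"]
        findings.append("AllowTcpForwarding %s: authenticated users can tunnel TCP to %s"
                        % (s["allowtcpforwarding"], dest))
    if s["gatewayports"] != "no":
        findings.append("GatewayPorts %s: remote forwards bind on all interfaces, exposing "
                        "tunnels to the network" % s["gatewayports"])
    if s["permittunnel"] != "no":
        findings.append("PermitTunnel %s: users can bring up tun interfaces across the host"
                        % s["permittunnel"])
    return findings
```

Run `audit_forwarding(open("/etc/ssh/sshd_config").read())` on a real host; an empty list means the global policy denies all three tunnel types, and anything re-enabled under a Match block still has to be reviewed by hand.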

  11. Re:Teach yourself iptables by SpaceLifeForm · · Score: 4, Insightful

    I would never suggest only *one* tool.
    But that is beside the point. Learning iptables is much more *fundamental* than user-land tools. When you understand what is going on at the packet level, then, and only then, does it make sense to deploy higher-level tools. If you don't have your firewall properly configured, you are going to be looking at all kinds of crap with other tools, which may lead to confusion and mis-configuration problems, actually opening up your network to security exploits.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
  12. The answer is SIMPLE.. DON'T go INTO it by mrnick · · Score: 3, Insightful

    The market is flooded with qualified people who can't find a job. Why would someone choose to enter a career that is so dismal?

    Nick Powers

    --

    Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
  13. Re:Need solid networking background first by Phroggy · · Score: 4, Insightful

    "Can you teach me how to hack?"
    "Do you know what IP subnetting is?"
    "Uhh, no. I don't care about that, I just want to break into people's computers!"
    "Go away."

    I hear this all the time, and it probably applies to the other side of the fence as well. Learn how stuff works and the theory behind it. If you don't know the difference between TCP and UDP, don't try to learn how to do system administration and network security - learn how networking works first. Learn the protocols. If you don't know how to check your POP3 e-mail and retrieve a web page with nothing more than a telnet client, learn how to do that and more. Then you can decide whether security is even where you want to go, or if another path presents itself.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
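
The telnet-level POP3 exercise Phroggy describes, as an added example that is not from the thread: the client sends exactly the lines you would type by hand into `telnet host 110`, and a constructed toy responder stands in for the mail server so the exchange runs offline. The mailbox and credentials are constructed sample data.

```python
"""A raw POP3 session, the commands you would type into `telnet host 110`.
Added example, not from the thread. Toy responder, mailbox and credentials are constructed
so this runs offline over a socketpair; note the password crosses the wire in cleartext."""
import socket
import threading

MAILBOX = [b"From: alice@example.invalid\r\nSubject: hi\r\n\r\nhello bob\r\n"]  # constructed
CREDENTIALS = (b"bob", b"hunter2")  # constructed

def toy_pop3_server(sock):
    """Just enough of RFC 1939 to answer USER, PASS, STAT, RETR and QUIT."""
    sock.sendall(b"+OK toy POP3 ready\r\n")
    user = authed = None
    for raw in sock.makefile("rb"):
        verb, _, arg = raw.rstrip(b"\r\n").partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            user, reply = arg, b"+OK"
        elif verb == b"PASS":
            authed = (user, arg) == CREDENTIALS
            reply = b"+OK logged in" if authed else b"-ERR auth failed"
        elif verb == b"QUIT":
            sock.sendall(b"+OK bye\r\n")
            break
        elif not authed:
            reply = b"-ERR not authenticated"
        elif verb == b"STAT":
            reply = b"+OK %d %d" % (len(MAILBOX), sum(map(len, MAILBOX)))
        elif verb == b"RETR" and arg.isdigit() and 1 <= int(arg) <= len(MAILBOX):
            msg = MAILBOX[int(arg) - 1]  # multi-line reply, terminated by a lone "."
            reply = b"+OK %d octets\r\n" % len(msg) + msg + b"."
        else:
            reply = b"-ERR"
        sock.sendall(reply + b"\r\n")
    sock.close()

def pop3_session(sock, user, password, transcript):
    """Client side; returns the mailbox contents and logs both directions in transcript."""
    reader = sock.makefile("rb")
    def exchange(cmd=None):  # send one command (none for the greeting), read one reply line
        if cmd is not None:
            transcript.append(b"C: " + cmd)
            sock.sendall(cmd + b"\r\n")
        line = reader.readline()
        transcript.append(b"S: " + line.rstrip(b"\r\n"))
        return line
    exchange()  # server greeting
    exchange(b"USER " + user)
    if not exchange(b"PASS " + password).startswith(b"+OK"):
        raise PermissionError("POP3 login failed")
    messages = []
    for n in range(1, int(exchange(b"STAT").split()[1]) + 1):
        if exchange(b"RETR %d" % n).startswith(b"+OK"):
            body = b""
            while (line := exchange()) not in (b".\r\n", b""):
                body += line[1:] if line.startswith(b"..") else line  # undo dot-stuffing
            messages.append(body)
    exchange(b"QUIT")
    return messages

def fetch_mail_offline():
    client, server = socket.socketpair()
    threading.Thread(target=toy_pop3_server, args=(server,), daemon=True).start()
    transcript = []
    messages = pop3_session(client, *CREDENTIALS, transcript)
    client.close()
    return messages, transcript
```

The transcript that `fetch_mail_offline()` returns is what a sniffer on the same segment would see, USER and PASS included; the same exchange against a real server needs only a TCP socket to port 110 in place of the socketpair.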
  14. Security is a myth by JonathanX · · Score: 3, Insightful

    Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?

    First you must understand that security doesn't really exist. It's all about mitigating risks and setting priorities. You just can't close every hole. The basic steps are simple:

    1) Define what needs to be protected
    2) Identify the potential threats
    3) Prioritize (focus on most likely threats)
    4) Put obstacles in place to slow down the attack
    5) Monitor and react
    6) ???
    7) Profit

    If the obstacles you put in place in step 4 slow the attacker down enough for you to react in step 5, step 6 becomes irrelevant. Step 4 and 5 is where the technical part comes into play and you can have all the flashy tools you want...but if you aren't any good at 1 and 2, you will fail. To answer the second part of your question, there are many tools out there. It's a "horses for courses" situation. What works in one situation might not even be considered in another. A good working knowledge of the relevant platform is more important than third party tools. Often, the right tool for the job is already there.

  15. Re:OpenBSD by godal · · Score: 2, Insightful

    SMP is not supported, although there is some work on it. One of the reasons for this is a whole new set of security problems arising in such an environment. All the bsds exchange code, in fact nearly ALL modern OS' use the bsd networking code, that is including Windows, MacOS and linux. nearly all "unix" implementations use OpenBSD's ssh implementation, and most of their security patches to other apps like Apache, and named are applied to their respective source trees. Isn't this the point with "Open Source"?

  16. Re:Good Idea! by Anonymous Coward · · Score: 1, Insightful

    You forgot to turn on the humor tag, that wasn't funny at all.

  17. Re:How I did it. by dogfart · · Score: 3, Insightful
    I will second this. What you learn on your own time is very good. What you can learn on-the-job is even better. Corporate folks are very suspicious of individuals claiming to know about network security without the work experience to back it up (are you a hacker? or just another BS artist?)

    No matter where you work in IT, there is a security aspect that needs attention. Coding practices, change management are concerns in programming. System administrators need to harden and continually patch systems. People in training and documentation need to include security practices for end users.

    Security is one of those things that gets too little respect, yet is recognized as a need. Being pro-active in your job, thinking through how security fits in, and trying to help your overworked security admin will give you precious experience, and also give you the reputation as someone to groom for further security work.

    The best security people I know started somewhere else and "volunteered" themselves to be the security point person in their area.

    What you first do might not be all that exciting. You may be resetting user passwords, setting up new accounts, or dealing with trivial "non events" that turn out to have nothing to do with security (surprising how many network configuration mistakes look like hostile port scans). Just keep at it, do a good job, enhance your skills on the side. Eventually a good opportunity will open up and you will be the first in line.

    Most important, learn how the business operates, what are its priorities, what MUST work right, and what are the types of arguments that persuade upper management. Security in commercial businesses is a give-and-take of cost, risk, and exposure. Learn to be flexible and not rigidly dogmatic about security practices. Your role isn't to make your company's security perfect, it is to educate non-technical managers about the real risks they might be taking, and the various options to limit (NOT eliminate) those risks.

    --

    "dope will get you through times of no money better than money will get you through times of no dope"

  18. experience by Tom · · Score: 2, Insightful

    I am a security officer with an ISP and telecom company, here's how I got there: Real-life work experience.

    Unless you are already a proficient hacker and have published a couple of advisories, don't try to get started in network security. Start as a sysadmin. Get some experience on how the system works.
    When you can run a system (and believe me, if you want to tell admins what to do or not to do, you must be on their level or they'll laugh you out the door), start to concentrate on the security aspects. Dig deeper into the host-based firewall, install an IDS or tripwire, that stuff.

    Move up, step by step. There are already way too many people with a solid half-true partial knowledge of the field in the security business. Lay a solid foundation. If you don't know how to operate a server or a network, you have no business securing it.

    --
    Assorted stuff I do sometimes: Lemuria.org
  19. There is enough info on the web by rottz · · Score: 2, Insightful
    Taking a network security class, could help, but which classes are really worth the money and might there be enough information on the web to make such a choice, unnecessary?
    I believe there is enough information on the web, that is why I started the project Information Security Bible for beginners coming into the field that want to read the necessary documentation to get the basic grasp on all the wide variety of subjects under information security, and for the pros to keep on the latest info. All the documentation is online and free, not everyone has the money to pay for those expensive books and fancy classes but a lot of people have the thirst to learn about it and want to have more in-depth knowledge of certain subject matters in the infosec area.

    I'm also a moderator over at security-forums and we get a lot of newbies trying to learn everything overnight! They don't want to take the time and effort to read, read, and read some more, they don't realize that it has taken most of us 10+ years to know everything we know, and still have to learn new things everyday.

    I do also believe you should have a test lab environment to test and hone your skills. Most security professionals have test labs to test new exploits or try new security prevention techniques, because infosec is always a cutting-edge area which you have to make an everyday effort to keep up with or you'll fall behind quickly.

    Read before you do, so when you do, you know what you are doing.
    --
    Founder of Securityflaw Creator of
  20. Simple Get a mentor by wrax · · Score: 2, Insightful

    This cannot be overstated.

    If you are new to the company and the field, find someone who has been doing this job for a while and pick their brain whenever you can. Then go out to the net and find what information you can. I have found that a mentor can really give you a step up in the game. Talk to people online who have been hacked, find out what they did wrong, read security vulnerability reports, subscribe to CERT and BugTraq and any other security list you can find, then realize that you still don't know enough.

    This game is so complex, realize that you can't reasonably expect yourself to learn everything in a week and be an expert. It has been mentioned that the only real teacher is experience, this is so true that it should be mentioned in every book you buy on this subject.

    A better way to start is to get a job as a sysadmin for some company and go to town with a test box. Install OpenBSD, about 10 flavors of linux and (I can't believe I'm suggesting this! *dons flame suit*) Windows. For better or worse Windows is here to stay and most companies are using it so you better learn it or you'll be limiting your employment opportunities. (But study Linux more *peeks out of helmet*).

  21. Re:Teach yourself iptables by Jeremiah+Cornelius · · Score: 3, Insightful

    And Snort is better for this. You capture and analyze traffic as it actually exists on the wire - Layer 2 and up.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."