Slashdot Mirror


Getting Started in Network Security?

pixelgeek asks: "Security has not only become an important topic but also a critical issue for admins and even the average user in their home. To someone new to the topic the wealth of material can be a bit daunting and, you can imagine, a little confusing. Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?" We've touched on these issues before, but it was a while ago. Taking a network security class, could help, but which classes are really worth the money and might there be enough information on the web to make such a choice, unnecessary?


  1. Its not an easy job by rxed · · Score: 5, Insightful

    In security you have to have a well rounded education and experience simply because the job demands it. A good start would be probably 5 years in network administration with large user group environments, fluent programming skills (java, c, c++, perl), some experience in web server farm administration etc. I don't know any security or computer forensic who worked for our company who is under 35 yo.

    1. Re:Its not an easy job by MoreBeer · · Score: 5, Insightful

      Agreed. We try to 'greenhorn' in good network admins/engineers. Start them off in basic fw administration, show them the ropes of the IDS (Snort!), and teach them why it's important to ride their former coworkers like zorro to ensure their stuff is up to date patchwise.

      The basic fact of the matter is, Network Security _requires_ a seasoned network admin/engineer/programmer who has the potential to analyze systems on all levels of the OSI model (when analyzing a production payroll server - is it plugged into a hub all the way up to transmitting passwords in cleartext or non-aged accounts?). I'd say it's damn near impossible for a hair stylist to come into a company as a Network Security Administrator, but a hungry NT admin or Network Engineer has great potential.

  2. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  3. Nasty Catch-22 by acceleriter · · Score: 5, Insightful

    The corporate/law enforcement security community is fairly tight-knit, and suspicious of newcomers. Attempting to "break in" (no pun intended) to that community will be met with suspicion.

    And, interestingly, getting a job in network security requires a knowledge of network security, but having knowledge of network security without previous employment in the field can make you suspect.

    Worst of all is to admit knowledge of security in a corporate environment by pointing out flaws--then you're an easy mark for those "in charge" of security, whom you've made look bad. Like a bad "in Soviet Russia" joke, security problem report you.

    Fortunately, I haven't learned any of this by experience, only by observation.

    --

    CEE5210S The signal SIGHUP was received.

  4. Re:Oh, what the fuck by Kadin2048 · · Score: 5, Insightful

    The Coward does have one good point--just keeping your system up to date can do wonders for network security. And turning on the built-in security options in your home network (especially wireless) will make a big difference. It won't keep out a determined individual, but it will make your average script kiddie move on to the next joe on your street.


    Everything depends on what your security concerns are. The expertise needed to secure a small home LAN against high-schoolers with too much free time is a lot different than the experience needed to secure a gigantic corporate WAN against determined crackers, and the training you need to do one is nothing like what you need to do the other.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."

  5. Computer Security by friscolr · · Score: 5, Insightful

    Secrets and Lies, by Bruce Schneier, will give you a good overview of computer security (other books exist for this general overview too, but I happen to have just finished this one). From there you can delve into more in depth overviews or specific topics.

    More in depth overviews:
    any CISSP/GISC/Security+ certification book (plus, after reading it go get certified!).

    Topic Specific:
    Firewalls (contrary to what others may tell you, there is more to security than firewalls). Some good books: the O'Reilly Firewall book, Building Linux and OpenBSD Firewalls (a bit dated but still on topic).
    Do a search for all O'Reilly books with 'security' in the title/description, flip through it, decide if it suits your need (e.g. Web Security, Computer Security Basics, OpenSSL security, etc).

    Learning the topic *really*well* is very important - e.g. really understand TCP/IP (something beyond "i plug in the cable, run dhclient, and i get internet!") and look at it with an eye for security. Same goes for web server, general sysadmin tasks, programming, etc.

    Remember: security is a process. and a moving target. and impossible to fix 100% but try anyways.

    Experience is essential too. Get yourself an experimental network and try attacks, network sniffing, securing, MiTM'ing, getting around firewalls, DoS'ing, snort'ing, arpspoofing, etc. Once you've run some attacks then you'll have a working idea of what is going on and will hopefully be able to see when a line of thought would lead you in the same direction in setting up your network. Plus it helps to know you could set up a quick demo to show how easy it is to sniff someone's password, even on a switched network.

    Become a keen observer of people. The users are your number one enemy in terms of security. They'll give their password away to anyone, try to thwart your attempts to secure the network, print out and take confidential docs to the cafe, etc. Not on purpose, but b/c their priority is getting work done. Understand them so as to best work with them.

    And there's a whole lot more, but most importantly remember that security requires a very robust approach. Not just a firewall, not just encrypting everything, not just checking all code, but a well thought out approach that is followed, revised, updated, explained to all employees, etc etc

  6. Re:Teach yourself iptables by delta407 · · Score: 5, Insightful

    Set up your own Linux firewall with iptables and create your own rules.<sigh>

    Network security is slightly more complicated than simply using iptables. Packet filtering is important, but recognizing possible vulnerabilities in exposed services is also important. (For instance, did you know that -- by default -- most SSHDs allow any authenticated users to establish TCP connections to arbitrary remote machines? This can easily let users, regardless of how much you trust them, punch holes through your firewall.)

    Furthermore, another large part of network security is network design. I've seen networks that have two or three DMZs, each guarded by independent machines with different configurations: authentication systems, CPU architecture, and operating system (i.e. one OpenBSD, one Solaris, one <ack> Windows).

    Continuing, most good network security folks can work on either side of the line between attacker and defender. Network security can only be built when you have learned to think like an attacker. (If I expose this port, what can that reveal about my configuration? What happens if this particular protection fails? What could happen if there was a root exploit on server 834?)

    Sadly, there are many "security experts" that agree with you.
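The SSHD default mentioned in the comment above (TCP forwarding allowed for any authenticated user) is the kind of exposed-service setting that a packet filter alone never shows you. The script below is an added example, not code from this thread or from OpenSSH: it reads an sshd_config, applies the documented OpenSSH behaviour that AllowTcpForwarding defaults to "yes" when absent and that only the first occurrence of a directive counts, and reports whether the global policy still permits forwarding. Both sample configs are constructed for illustration.

```python
"""Check whether an sshd_config leaves TCP forwarding enabled.

Added example, not code from the thread. It models two facts documented in
sshd_config(5): AllowTcpForwarding defaults to 'yes' when the directive is
absent, and sshd uses only the first occurrence of a directive. The sample
configs at the bottom are constructed.
"""
from __future__ import annotations

# Documented OpenSSH defaults for the directives this audit reports on.
DEFAULTS = {
    "allowtcpforwarding": "yes",  # users may open forwarded TCP connections
    "gatewayports": "no",         # remote hosts may not reach forwarded ports
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global value of each directive (keyword lower-cased).

    Later duplicates of a directive are ignored, as sshd does. Everything after
    the first 'Match' line is conditional and skipped, because those values
    do not describe the global policy.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def effective_value(config_text: str, directive: str) -> str:
    """The value sshd would use: the configured one, or the documented default."""
    cfg = parse_sshd_config(config_text)
    return cfg.get(directive.lower(), DEFAULTS[directive.lower()]).lower()


def tcp_forwarding_allowed(config_text: str) -> bool:
    # 'yes' and 'all' allow forwarding in both directions, 'local' and 'remote'
    # allow one direction each; only 'no' turns it off completely.
    return effective_value(config_text, "AllowTcpForwarding") != "no"


def audit(config_text: str) -> list[str]:
    """Findings a reviewer would raise about the global (non-Match) policy."""
    findings = []
    if tcp_forwarding_allowed(config_text):
        findings.append(
            "AllowTcpForwarding is effectively '%s': any authenticated user can "
            "relay TCP connections through this host"
            % effective_value(config_text, "AllowTcpForwarding")
        )
    if effective_value(config_text, "GatewayPorts") != "no":
        findings.append("GatewayPorts lets remote hosts connect to forwarded ports")
    return findings


# Constructed sample: a stock-looking config that never mentions forwarding,
# so the 'yes' default silently applies.
DEFAULT_CONFIG = """\
Port 22
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample: forwarding off globally, re-enabled only for one group.
HARDENED_CONFIG = """\
Port 22
AllowTcpForwarding no
GatewayPorts no
Match Group admins
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(text) or ["no findings"])
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the point of the `Match` handling is that a per-group exception does not hide the fact that the global line is what every other user gets.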

  7. Re:Teach yourself iptables by SpaceLifeForm · · Score: 4, Insightful

    I would never suggest only *one* tool.
    But that is besides the point. Learning iptables is much more *fundamental* than user-land tools. When you understand what is going on at the packet level, then, and only then, does it make sense to deploy higher-level tools. If you don't have your firewall properly configured, you are going to be looking at all kinds of crap with other tools, which may lead to confusion and mis-configuration problems, actually opening up your network to security exploits.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.

  8. The answer is SIMPLE.. DON'T go INTO it by mrnick · · Score: 3, Insightful

    The market is flooded with qualified people who can't find a job. Why would someone choose to enter a career that is so dismal?

    Nick Powers

    --

    Encryption: I may not agree with what you say, but I will defend your right to encrypt it...

  9. Re:Need solid networking background first by Phroggy · · Score: 4, Insightful

    "Can you teach me how to hack?"
    "Do you know what IP subnetting is?"
    "Uhh, no. I don't care about that, I just want to break into people's computers!"
    "Go away."

    I hear this all the time, and it probably applies to the other side of the fence as well. Learn how stuff works and the theory behind it. If you don't know the difference between TCP and UDP, don't try to learn how to do system administration and network security - learn how networking works first. Learn the protocols. If you don't know how to check your POP3 e-mail and retrieve a web page with nothing more than a telnet client, learn how to do that and more. Then you can decide whether security is even where you want to go, or if another path presents itself.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
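The "retrieve a web page with nothing more than a telnet client" test above is really a test of whether you know what bytes cross the wire. The script below is an added example, not part of the thread: the client half sends exactly the request line and headers a person would type into a telnet session and parses the reply; the server half is a constructed stand-in that answers one request, so the exchange runs offline over a socketpair instead of a real port 80. POP3 works the same way (a line of text each direction), only with different verbs.

```python
"""Both sides of a raw HTTP/1.1 exchange, the way you would do it by hand.

Added example, not from the thread. The 'server' is a constructed stand-in
so the script runs offline; against a real host you would connect a TCP
socket (or telnet) to port 80 and send the same bytes.
"""
import socket
import threading

CRLF = b"\r\n"


def build_get_request(host: str, path: str = "/") -> bytes:
    """The request line and headers a person types into telnet, byte for byte."""
    return (
        b"GET " + path.encode() + b" HTTP/1.1" + CRLF
        + b"Host: " + host.encode() + CRLF
        + b"Connection: close" + CRLF
        + CRLF  # the empty line that ends the headers
    )


def parse_response(raw: bytes):
    """Split a response into (status code, headers dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    _version, status, _reason = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return int(status), headers, body


def toy_server(conn: socket.socket) -> None:
    """Constructed server: reads one request, answers with a fixed page."""
    request = b""
    while CRLF + CRLF not in request:  # read until the header block ends
        chunk = conn.recv(4096)
        if not chunk:
            break
        request += chunk
    request_line = request.split(CRLF, 1)[0].decode(errors="replace")
    method, path, _version = request_line.split(" ")
    if method == "GET" and path == "/":
        status, body = b"200 OK", b"<html><body>hello</body></html>"
    else:
        status, body = b"404 Not Found", b"not found"
    conn.sendall(
        b"HTTP/1.1 " + status + CRLF
        + b"Content-Type: text/html" + CRLF
        + b"Content-Length: " + str(len(body)).encode() + CRLF
        + b"Connection: close" + CRLF
        + CRLF
        + body
    )
    conn.close()  # 'Connection: close' means EOF marks the end of the body


def fetch(path: str = "/", host: str = "example.test"):
    """Run one request/response round trip and return the parsed reply."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=toy_server, args=(server,))
    worker.start()
    client.sendall(build_get_request(host, path))
    raw = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        raw += chunk
    client.close()
    worker.join()
    return parse_response(raw)


if __name__ == "__main__":
    print(build_get_request("example.test").decode())
    print(fetch("/"))
```

Print the request bytes first and compare them with what you would type; once the two match, a telnet session to a real server holds no surprises.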

  10. Security is a myth by JonathanX · · Score: 3, Insightful

    Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?

    First you must understand that security doesn't really exist. It's all about mitigating risks and setting priorities. You just can't close every hole. The basic steps are simple:

    1) Define what needs to be protected
    2) Identify the potential threats
    3) Prioritize (focus on most likely threats)
    4) Put obstacles in place to slow down the attack
    5) Monitor and react
    6) ???
    7) Profit

    If the obstacles you put in place in step 4 slow the attacker down enough for you to react in step 5, step 6 becomes irrelevant. Steps 4 and 5 are where the technical part comes into play and you can have all the flashy tools you want...but if you aren't any good at 1 and 2, you will fail. To answer the second part of your question, there are many tools out there. It's a "horses for courses" situation. What works in one situation might not even be considered in another. A good working knowledge of the relevant platform is more important than third party tools. Often, the right tool for the job is already there.

  11. Re:How I did it. by dogfart · · Score: 3, Insightful

    I will second this. What you learn on your own time is very good. What you can learn on-the-job is even better. Corporate folks are very suspicious of individuals claiming to know about network security without the work experience to back it up (are you a hacker? or just another BS artist?)

    No matter where you work in IT, there is a security aspect that needs attention. Coding practices, change management are concerns in programming. System administrators need to harden and continually patch systems. People in training and documentation need to include security practices for end users.

    Security is one of those things that gets too little respect, yet is recognized as a need. Being pro-active in your job, thinking through how security fits in, and trying to help your overworked security admin will give you precious experience, and also give you the reputation as someone to groom for further security work.

    The best security people I know started somewhere else and "volunteered" themselves to be the security point person in their area.

    What you first do might not be all that exciting. You may be resetting user passwords, setting up new accounts, or dealing with trivial "non events" that turn out to have nothing to do with security (surprising how many network configuration mistakes look like hostile port scans). Just keep at it, do a good job, enhance your skills on the side. Eventually a good opportunity will open up and you will be the first in line.

    Most important, learn how the business operates, what are its priorities, what MUST work right, and what are the types of arguments that persuade upper management. Security in commercial businesses is a give-and-take of cost, risk, and exposure. Learn to be flexible and not rigidly dogmatic about security practices. Your role isn't to make your company's security perfect, it is to educate non-technical managers about the real risks they might be taking, and the various options to limit (NOT eliminate) those risks.

    --

    "dope will get you through times of no money better than money will get you through times of no dope"

  12. Re:Teach yourself iptables by Jeremiah+Cornelius · · Score: 3, Insightful

    And Snort is better for this. You capture and analyze traffic as it actually exists on the wire - Layer 2 and up.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
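Both the iptables thread above (understand the packet level first) and this reply (Snort shows you the traffic from Layer 2 up) come down to being able to read a frame header by header. The script below is an added example, not Snort's code and not from the thread: it decodes a constructed Ethernet II / IPv4 / TCP frame in order, then runs two Snort-style rules over it (a content match for a POP3 password sent in cleartext, the kind of thing an earlier comment mentions finding on a payroll server, and a flags match for a telnet connection attempt). The rules, MAC addresses and frames are all constructed; checksums are left at zero because the parser does not verify them.

```python
"""Decode a raw Ethernet frame from Layer 2 up and run Snort-style rules on it.

Added example, not part of the thread and not Snort's own code. Only
Ethernet II / IPv4 / TCP is handled; frames are built by build_frame() so
the script runs with no capture interface.
"""
import socket
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: list
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_frame(data: bytes) -> Packet:
    """Walk the headers in order: Ethernet (L2), then IPv4 (L3), then TCP (L4)."""
    if len(data) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", data[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ip = data[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4                     # header length incl. options
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != IPPROTO_TCP:
        raise ValueError("unsupported IP protocol %d" % ip[9])
    if len(ip) < total_len:
        raise ValueError("truncated IP packet")
    tcp = ip[ihl:total_len]                      # drops any Ethernet padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4             # TCP header length incl. options
    flags = [name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit]
    return Packet(_mac_str(src_mac), _mac_str(dst_mac),
                  socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                  src_port, dst_port, flags, tcp[data_off:])


@dataclass
class Rule:
    """Constructed rule in the spirit of Snort's port, content and flags options."""
    msg: str
    dst_port: int
    content: bytes = b""   # substring that must appear in the TCP payload
    flags: tuple = ()      # TCP flags that must all be set

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst_port == self.dst_port
                and self.content in pkt.payload
                and all(f in pkt.flags for f in self.flags))


RULES = [
    Rule("POP3 password sent in cleartext", 110, content=b"PASS "),
    Rule("telnet connection attempt", 23, flags=("SYN",)),
]


def alerts_for(data: bytes) -> list:
    """Rule messages that fire for one raw frame."""
    pkt = parse_frame(data)
    return [r.msg for r in RULES if r.matches(pkt)]


def build_frame(src_ip, dst_ip, src_port, dst_port, payload=b"", flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (flags default to PSH|ACK, checksums zero)."""
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1, (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth_hdr = (bytes.fromhex("0200000000aa")      # constructed destination MAC
               + bytes.fromhex("0200000000bb")    # constructed source MAC
               + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "10.0.0.10", 40000, 110, b"PASS hunter2\r\n")
    print(parse_frame(frame))
    print(alerts_for(frame))
```

Feeding real frames in is a matter of replacing build_frame() with the bytes from a capture file; the decoder is the part that teaches you where each field lives, which is exactly what makes an iptables rule or a Snort signature make sense.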