Slashdot Mirror


Getting Started in Network Security?

pixelgeek asks: "Security has not only become an important topic but also a critical issue for admins and even the average user in their home. To someone new to the topic, the wealth of material can be a bit daunting and, as you can imagine, a little confusing. Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security, and what are the most important and useful applications (CLI primarily) that a person should examine and learn?" We've touched on these issues before, but it was a while ago. Taking a network security class could help, but which classes are really worth the money, and might there be enough information on the web to make such a choice unnecessary?

18 of 193 comments

  1. Know the protocols by AstroJetson · · Score: 4, Interesting

    Learn everything you can about IP, TCP and UDP. Read the RFCs. Then learn about application level protocols like ssh, telnet, HTTP, FTP and the various mail protocols. Almost all vulnerabilities are caused by a system mishandling a certain type of message.

    --
    Admit nothing, deny everything and make counter-accusations.
  2. tricky question by stinky+wizzleteats · · Score: 4, Interesting

    Security is unlike any technical discipline because it is not a technical discipline. When you try to make a web server work, your "enemy" is simply entropy. You learn what you need to know about how the technology works, and you are good to go.

    In security, your enemy is another human being. This changes everything. What do you have to know? More than the best cracker you will go up against. The question is not, therefore, what do you have to know, but what don't you have to know. The only effective teacher of security is experience. If you try to play fresh out of college/certification mercenary in the security game, you will get your ass burned.

    1. Re:tricky question by nalfeshnee · · Score: 2, Interesting

      A great point, and one also made by Bruce Schneier (author of *Practical Cryptography* of course). His point that 'security isn't a technical problem, it's a people problem' is one to consider before one charges off down the road to becoming a networking god.

      All the networking experience in the world is not going to be of much use if the security *policy* in your company/org. is not well thought-out and implemented, and THAT is another ball game entirely.

      Hence the importance of experience: knowing how people work in an environment that is supposed to be secure is just as important as -- no, scratch that, *more* important than -- securing it in the first place.

      Passwords + Post-It notes, for example!

      Cheers,

      Nalfy.

      --

      -- Despair is an operating system that ANY human being can run, sort of a psychological JAVA --

  3. How I did it. by rdunnell · · Score: 5, Interesting

    Got a job at a decently large financial firm in their IT shop. Worked my way into supporting the security organization. While I was doing that, I learned as much as I could about good design principles and how to explain them to others. Eventually an opening came about in our network security group, and there I am. We're not a Fortune 100 company, but that's only because of the way we're structured; that's the size and scope of company I work for.

    One of the most important things to remember is that security isn't all hackers and break-ins and tiger teams and forensics. The day-to-day life of a security analyst (at least at a big firm) is fraught with arguments from operations, from development, from management. A very significant part of your job will be to propose The Right Thing To Do, which will almost always cost more and be more complex than the average Mickey Mouse band-aid solution that people tend to come up with. Security absolutely has to be designed into things from the start, not bolted on at the end. Execs and developers don't like to hear this a lot of the time, because it might cost more. Operations hates to hear it because it means they have another box to administer (a firewall instead of just a router) or some procedures that require them to have accountability.

    Definitely develop your people skills. You'll spend a LOT of time trying to convince people that you're worthy of what you're saying, but once you do they'll start coming to you before they do stuff and it gets a LOT easier. The important thing is to convince people that you're not just here to be an asshole and cost people money. That's the image the average security organization projects, but it's really not the case.

    Like others have said, learn as much as you can about as many technologies as you can, rely on other experts in the company for depth of knowledge, and you'll be fine. You don't have to be the ultimate CCIE router nerd to perform decent network security. You need to know how and where to research things, how to communicate those results to the people that need to know them, and how to stick to your guns when needed. You won't always win. Management is funny like that. But if you're creative in finding solutions and very firm and confident when you do have to deliver the bad news, you're well on your way to being a decent security analyst.

  4. I found Linux Security to be an excellent book by BoomerSooner · · Score: 2, Interesting

    This book covers more than I could have hoped for. Since reading this book and following its suggestions, I've made my systems significantly more secure. You've still got to keep up with your software patches, but if you've done a good job hardening your system, you get more time to implement the patches before the shit hits the fan.

    Or at least that's how it's worked for me!

  5. Cisco's offering several classes by Anonymous Coward · · Score: 2, Interesting

    at their Networkers conferences in Orlando and L.A., including one entitled 'How to Think Like a Security Administrator When It's Not Your Full-Time Job'.

    More details here.

  6. Re:Need solid networking background first by CausticWindow · · Score: 4, Interesting

    Amen, brother. If you're starting out in your parents' basement, tcpdump is your friend. Rudimentary C skills are also important.

    --
    How small a thought it takes to fill a whole life
  7. A couple other notes. by rdunnell · · Score: 2, Interesting

    1) Sometimes you can get a job in security operations (log monitoring, user account management, etc.). They typically pay about what an IT helpdesk does: read, peanuts with a daily bonus of annoying calls. But you can get your foot in the door that way.

    2) A lot of the security industry is based on trust, even though the people that are in it aren't supposed to say that (it's not PC or something). Getting to know the people in security groups and showing them that you're trustworthy is the best approach. I would take someone who's reliable and trustworthy and can learn new stuff any day over someone who's an absolute iptables/snort wizard but has a chip on his shoulder about "enterprise" software and can't keep his mouth shut about sensitive matters. Security is definitely not the field for someone who enjoys frequent casual gossip about their job.

  8. Not just networking by Gurp · · Score: 3, Interesting

    I'm seeing a lot of comments here that say "Set up your own firewall" or "Learn TCP".

    Repeat after me:
    Security != firewall
    Security != networking

    I see this misunderstanding all over the place, but you can't secure a system through the network only. And you certainly won't make it in the "security industry" if that's what you think.

    It's a cliché, but security is a process. It starts at the design of <whatever> and never really finishes. A security expert will know enough about each step of the plan that he/she can guide the team to the implementation of a secure-enough solution to their part of the problem; whether that solution is software or a business process doesn't matter.

    I say "secure enough" on purpose because a truly secure solution is not possible. And this is really another key part of the security expert's arsenal: knowing when the cost of more security outweighs the cost of the risk/exposure you're covering up.

  9. Re:Teach yourself iptables by Jeremiah+Cornelius · · Score: 2, Interesting

    Agreed. If you can't grok what IPTables does, and how it does it... you don't know much about IP security.

    I still contend that you cannot find a job worth jack armed with knowledge of IPTables. Nor will you know enough to generalize about network security issues.

    It may be a good tool in your kit. It better not be your main one; heaven help you if it's your only one!

    If you were to suggest, for NETWORK security, only one single open-source or free software tool, why wouldn't it be Snort? Or even Nessus?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  10. One of two ways, depending... by Shoten · · Score: 2, Interesting

    First off, computer security is much like many other forms of security, at the concept level. The particulars of implementation are very different, but the underlying motives of the players and the interactions aren't. The infamous 419 scam was originally done in person, then by phone, and then by fax before it was possible to do it via email, for example, and lesser variants of it (the pigeon scam, for example) have existed in the offline world.

    If you're looking to grasp home user or end user security, the first thing I'd do is buy The Gift of Fear by Gavin de Becker. Right off, that will give you a good understanding of intuitive threat modeling for everyday life. Unfortunately, I can't find a book out there that does home-user security for the average joe, nor can I find a class...but I am writing a book myself.

    If you're interested in security from a more admin-oriented perspective, I would go to SecurityFocus and check out some of their mailing lists. At first, the material may be over your head, but you'll find that that only pulls you up a bit. Also, get yourself a linux box and learn linux (if you don't already know it). Set up a honeynet and see what's going to happen to an unpatched, exposed box. Or just set up snort with ACID as the front-end console to observe the attacks that are taking place. Once you understand the threat, it becomes a lot easier to decide what to study to defend against it.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  11. Most important.... by Anonymous Coward · · Score: 3, Interesting

    The most important thing you can do, IMHO, is to join bugtraq or similar lists so you have a rough idea what is happening.

    Other ideas:
    • Set up a network of very cheap boxes with old software you know to be vulnerable, and try using exploits against them.
    • Try hardening and patching those boxes so the exploits don't work anymore. (You'll frequently be patching/protecting obsolete boxes in the real world, so this is actually realistic.)
    • Try adding tripwire and snort to stop/detect attacks. Configure snort with database logging, with syslog/swatch, etc. Clients will want it done in a variety of ways, so it is good to be able to do it in different ways.
    • Familiarize yourself with as many of the tools in Fyodor's list as possible. Using them will be the bread and butter of your work. That includes scanners like nessus.
    • Read an ultra-paranoid book that will give you an overall view of the field (e.g. John M. Carroll's "Computer Security, Third Edition").
    • Practice security. As you install and register software, watch what is happening to the box.
    • Pick an area of security that you want to specialize in... there are too many bugs and holes each week to know all of them... just the PHP code injection stuff will keep you swamped.
    • Don't be afraid to ask more advanced people security questions, but do your homework first, and make sure that they know you have. They will take you more seriously if you say "I've already read the FAQ and the man page, but I'm not clear on..." than if you say "Dude, how do I do...". This can make your learning experience far less painful.

  12. Other side of the coin... by jrl · · Score: 2, Interesting

    The best way I know to measure something is to test it, and the best methodology I know of to test network security is the Open Source Security Testing Methodology Manual (OSSTMM).

    You can download the latest version from http://www.osstmm.org. The latest is 2.0, although the 2.5 version has been slated to come out VERY soon, so check back in the next week or so for the update.

    The OSSTMM is the most widely used peer-reviewed "Open Source" security testing methodology in existence. It is contributed to by security testing professionals all over the globe. It is definitely worth checking out.

    Although the OSSTMM does an excellent job of defining the "What" to do in a security test, ISECOM has also created two courses to teach the "How" and the "Why" in more detail. You can find out more about the OPST (the in-the-trenches tester/technical course), which teaches how to get the information for an OSSTMM-based security test, and the OPSA (manager/analyst), which teaches how to analyze the information and manage the testing team, at ISECOM's main site: http://www.isecom.org.

    *disclaimer*: I work for a company that is partners with ISECOM.

  13. in defense of how do's by chimpslice · · Score: 2, Interesting

    I agree that googling has to be the first step, one that some "how do I . . ." posters clearly haven't taken. The answer is always the same as well: you will have to read a lot, start at the beginning, and work hard; that's how it's done. That said, only a person can show you how knowledge is applied, and I appreciate the responses and advice people give. Some of y'all are true badasses in your particular branch of IT and your time is worth serious money, so I'm thankful that you take a minute to give your opinion and maybe a little direction. It's what makes open source work and it's why you keep reading Slashdot.

    Aww shucks, I feel all warm n' fuzzy inside

  14. Re:Its not an easy job by Anonymous Coward · · Score: 1, Interesting

    Fact is that you're fine picking up and putting greenhorns in a networking role, but companies will not normally pick those types of people for a network security role.

  15. Re:Need solid networking background first by poison_reverse · · Score: 3, Interesting

    Your best bet is to pick up a few books and then build a cheap test lab where you practice setting up different scenarios as well as trying to run various exploits to break into the machines. I.e., set up a Windows server and a Linux web server with Apache and sendmail, and see if you can break into them. Some books I recommend are TCP/IP Illustrated Vol. 1, Hacking Exposed (all of them), Building Internet Firewalls (2nd edition), and a great non-technical background book is one by the godfather of crypto, Bruce Schneier, called "Secrets and Lies". Hope that helps. Happy networking!

    --
    _+_+__+_+_+_+_+_+_+++
    when i moo u moo - just like that
  16. More Materials to start with by Soko · · Score: 2, Interesting

    All very good for the beginner, for sure.

    Don't forget tripwire, nmap and Nessus. I find Nessus particularly interesting, especially if you have more than a modicum of network experience under your belt.

    I think security is the one area of the IT industry that's growing. Thanks, Microsoft!

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  17. General Info by stikk · · Score: 5, Interesting

    - Start with a good understanding of the technology, with sysadmin experience.
    - Read TCP/IP Illustrated Volume I.
    - Read Applied Cryptography.
    - Read Hacking Exposed 4 (shameless plug) or other similar books directly related to hacking activities that have a good network security section.
    - Install an old OS version and hack it; understand the flaw and how to fix it.
    - Understand and be comfortable with coding.
    - Understand the purpose of, and how to use, these well-known tools: http://www.insecure.org/tools.html
    - Pass the CCNP and CISSP tests; I would expect this of any good consultant.
    - Ask questions, but read http://www.linuxsilo.net/docs/smart-questions-en.html first.
    - www.cymru.com
    - phenoelit.de
    - qorbit.net

    Mailing lists:
    - bugtraq
    - nanog
    - isp-security
    - checkpoint
    - CERT
    - first.org
    - honeypot

    General topics to understand first-hand, and experience:
    - Firewall
      http://www.qorbit.net/documents/maximizing-firewall-availability.htm
    - IDS
    - Dynamic Routing
      Internet Routing Architectures - Bassam Halabi
    - IPSEC
    - SSL
      Create your own CA; understand the downfalls of our current system.
    - Token-based authentication
      RSA and Authenex have free demo packages.
    - DNS
    - packetstormsecurity tools
      Try and CONTRIBUTE to non-corporate activities, specifically the open-source community.
    - VPN
    - GLB, HIPAA, FIPS security policy
    - Wireless (not just 802.11a/b/g) Security Methodology
    - General Cryptography Overview
      Know the pros and cons of using AES instead of 3DES, for example.

    Most of all, try and understand things from scratch; read old exploits and advisories and understand the exact source of problems. I've attended and taught several security courses; none of the 7-day security braindumps will make you an expert consultant. You need to think outside the box, and be paranoid on your own. Be one of the few individuals who check the MD5 sums of apps, use PGP for all sensitive emails, don't send enable passwords via AIM or Nextel two-way, and push their snmpv1 (v3!) traffic over IPSEC tunnels just because it runs through a piece of fiber in 1 Wilshire (shudder!!). An important subject which very few articles cover is your personal habits: be organized, document, and share security responsibility and paranoia with other admins in your organization; this is by far the largest hurdle and the largest downfall of many.

    (please excuse any misspellings, grammar, limited details, and bad formatting)