Slashdot Mirror
Getting Started in Network Security?
pixelgeek asks: "Security has not only become an important topic but also a critical issue for admins and even the average user in their home. To someone new to the topic the wealth of material can be a bit daunting and, you can imagine, a little confusing. Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?"
We've touched on these issues before, but it was a while ago. Taking a network
security class, could help, but which classes are really worth the money and might there be enough information on the web to make such a choice, unnecessary?
Perhaps a BS in Applied Networking and System Administration could get you some of the answers you are looking for.
In security you have to have a well rounded education and experience simply because the job demands it. A good start would be probably 5 years in network administration with large user group enviroments, fluent programming skills (java, c, c++, perl), some experience in web server farm administration etc. I don't know any security or computer fornesic who worked for our company who is under 35 yo.
I found Zieglers book 'Linux Firewalls' useful http://www.amazon.com/exec/obidos/ASIN/0735710996/ qid=1053904217/sr=2-2/ref=sr_2_2/002-0456066-36248 65 ; also this is a great site http://www.linux-firewall-tools.com/linux/
Evil ZEN Scientist
SANS InfoSec Reading Room.
Learn everything you can about IP, TCP and UDP. Read the RFCs. Then learn about application level protocols like ssh, telnet, HTTP, FTP and the various mail protocols. Almost all vulnerabilities are caused by a system mishandling a certain type of message.
Admit nothing, deny everything and make counter-accusations.
O'Reilly has a good security bibliography here. Be sure to read Practical Unix and Internet Security (which is now in its third edition). Beyond that, pick some books that seem the most interesting to you.
Comment removed based on user account deletion
I find that while using OpenBSD, you get to learn a lot about security. ;)
The OpenBSD developers are security experts (and that's an understatement), and thus everything in OpenBSD is done the way it should be done, from a security point-of-view.
When you install OpenBSD, it's secure out-of-the-box. Of course no services are enabled by default. While you enable the ones you need, take the time to read through the excellent manpages (which are far superior in quality than linux's manpages), faq,... and you'll learn a lot.
Just don't expect no-brainer pointy-clicky interfaces *shiver*
And, interestingly, getting a job in network security requires a knowledge of network security, but having knowledge of network security without previous employment in the field can make you suspect.
Worst of all is to admit knowledge of security in a corporate environment by pointing out flaws--then you're an easy mark for those "in charge" of security, whom you've made look bad. Like a bad "in Soviet Russia" joke, security problem report you.
Fortunately, I haven't learned any of this by experience, only by obeservation.
CEE5210S The signal SIGHUP was received.
Security is unlike any technical discipline because it is not a technical discipline. When you try to make a web server work, your "enemy" is simply entropy. You learn what you need to know about how the technology works, and you are good to go.
In security, your enemy is another human being. This changes everything. What do you have to know? More than the best cracker you will go up against. The question is not, therefore, what do you have to know, but what don't you have to know. The only effective teacher of security is experience. If you try to play fresh out of college/certification mercenary in the security game, you will get your ass burned.
Security is not an Engineering discipline. Knowing one security tool, or even many tools does little or nothing towards cultivating the approach, process, culture and awareness-in-context that are basic to a professional in the Information Security field.
One could do worse than browse the documents collection in the Reading Room at SANS.org,and the archive of Bruce Schneier's Crypto-gram newsletter.
If Information Security still appeals to you, and you can specialize in an area suited to your temperment -go ahead.
"Flyin' in just a sweet place,
Never been known to fail..."
Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
"Know your Enemy" from the Honeynet Project
Experiment with the following programs:
Snort
Ethereal
IPTables
TcpDump/LibPcap
Follow articles/join mailing lists at:
CERT
Securityfocus
Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.
Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few Security based certifications as well YMMV.
One of the most important things to remember is that security isn't all hackers and breakins and tiger teams and forensics. The day to day life of a security analyst (at least at a big firm) is fraught with arguments from operations, from development, from management. A very significant part of your job will be to propose The Right Thing To Do, which will almost always cost more and be more complex than the average Mickey Mouse bandaid solution that people tend to come up with. Security absolutely has to be designed into things from the start, not bolted on at the end. Execs and developers don't like to hear this a lot of the time, because it might cost more. Operations hates to hear it because it means they have another box to administer (a firewall instead of just a router) or some procedudes that require them to have accountability.
Definitely develop your people skills. You'll spend a LOT of time trying to convince people that you're worthy of what you're saying, but once you do they'll start coming to you before they do stuff and it gets a LOT easier. The important thing is to convince people that you're not just here to be an asshole and cost people money. That's the image the average security organization projects, but it's really not the case.
Like others have said, learn as much as you can about as many technologies as you can, rely on other experts in the company for depth of knowledge, and you'll be fine. You don't have to be the ultimate CCIE router nerd to perform decent network security. You need to know how and where to research things, how to communicate those results to the people that need to know them, and how to stick to your guns when needed. You won't always win. Management is funny like that. But if you're creative in finding solutions and very firm and confident when you do have to deliver the bad news, you're well on your way to being a decent security analyst.
Everything depends on what your security concerns are. The expertise needed to secure a small home LAN against high-schoolers with too much free time is a lot different then the experience needed to secure a gigantic corporate WAN against determined crackers, and the training you need to do one is nothing like what you need to do the other.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Denise Richards on the PIX Firewall, she explains why the PIX is not a router.
Might want to check it out: MIT Network Security Team
"On the following pages you will find information about protecting your computer or network from malicious hackers, dealing with a suspected attack or system compromise, and MIT network security policies"
Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
More in depth overviews:
any CISSP/GISC/Security+ certification book (plus, after reading it go get certified!).
Topic Specific:
Firewalls (contrary to what others may tell you, there is more to security than firewalls). Some good books: the O'Reilly Firewall book, Building Linux and OpenBSD Firewalls (a bit dated but still on topic).
Do a search for all O'Reilly books with 'security' in the title/description, flip through it, decide if it suits your need (e.g. Web Security, Computer Security Basics, OpenSSL security, etc).
Learning the topic *really*well* is very important - e.g. really understand TCP/IP (something beyond "i plug in the cable, run dhclient, and i get internet!") andlook at it with an eye for security. Same goes for web server, general sysadmin tasks, programming, etc.
Remember: security is a process. and a moving target. and impossible to fix %100 but try anyways.
Experience is essential too. Get yourself an experimental network and try attacks, network sniffing, securing, MiTM'ing, getting around firewalls, DoS'ing, snort'ing, arpspoofing, etc. Once you've run some attacks then you'll have a working idea of what is going on and will hopefully be able to see when a line of thought would lead you in the same direction in setting up your network. Plus it helps to know you could set up a quick demo to show how easy it is to sniff someone's password, even on a switched network.
Become a keen observer of people. The users are your number one enemy in terms of security. They'll give their password away to anyone, try to thwart your attempts to secure the network, print out and take confidential docs to the cafe, etc. Not on purpose, but b/c their priority is getting work done. Understand them so as to best work with them.
And there's a whole lot more, but most importantly remember that security requires a very robust approach. Not just a firewall, not just encrypting everything, not just checking all code, but a well thought out approach that is followed, revised, updated, explained to all employees, etc etc
-f
www.blackant.net
Amen brother. If you're starting out in your parents basement, tcpdump is your friend. Rudamentary C skills are also important.
How small a thought it takes to fill a whole life
When you're dealing with risk analysis, it doesn't matter what protocol or application you're protecting. You only have to deal with your definition of risk. Typically, something like: If you're dealing with human threats, then you might use MOMM (Motive, Opportunity, Means, Method) to break it down.
You should also learn other ways of breaking down the anslysis, like the McCumber Cube, the laws that you can use to prosecute perpetrators, oand what you need to do so that you're not sued for monitoring your users (which might be a violation of various privacy acts).
Applications aren't nearly as useful, as well, they might help you on that whole 'detect/protect/correct' front, but they rarely lock down a system completely -- you need multiple layers of protection, from not only technology, but you need the policies so you can actually implement good security practices, and you need to train your employees so they aren't creating security problems. [quite a few books claim that the majority of security incidents come from inside a company, and users will give up authentication information with minimal prompting].
blah, blah, blah...you get the idea...
take a general overview, and work from there. .
Build it, and they will come^Hplain.
Other ideas
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Fook, don't hit preview then the back button on your browser. :-(
Ok, time to summarise my longer post.
Background: I've worked in security professionally since late '99. I started with Unix and *cough* hacking back in '96.
1. Subscribe to security mailing lists: Best place to start with this is from www.securityfocus.com. These guys have lots of good lists to get onto - including Bugtraq.
2. Work (at home) with the systems you're likely to work with: This means building a home network, running up some unix servers, windows servers, a managed switch (try to find an old one).
3. Get some good books: For introduction to firewalls - "Building Internet Firewalls", for security design - "Security Engineering: A Guide to Building Dependable Distributed Systems", for crypto - "Applied Cryptography". There's heaps more, but those are some good starters. A good all-rounder is "Secrets and Lies" from Bruce Schneier.
4. Learn to hack: My motto for security work is - "You've got to know where the holes are in order to fix them". This means learning what those holes are, and what are common types of security vulnerabilities and threats are out there. The best way to do this (IMHO) is to start hacking your home systems. Grab Nessus (http://www.nessus.org) to begin with, and work from there.
5. Learn to program: You'll eventually get to a point where you want to develop your own tests, checks and scripts that available programs don't provide. If you are feeling game, try to write your own sniffer with libpcap (http://www.tcpdump.org) or your own scanner with libnet (http://www.packetfactory.net/projects/libnet/)
6. Teach yourself: I don't have much faith in security courses out there, primarily because I have had to work with people in "security" whose only experience/qualifications are a certain firewall certification (glances sidewards at Checkpoint). But if you need it to break into the market, go for it - just don't rely on it entirely. I don't have any real certifications, but I have practical experience with the top firewalls out there (most common security job is firewall admin), heaps of Unix's (solaris, digital, aix - and the various *BSD's and Linux), and can also do some programming. If you're going to work for a good company, they'll be more impressed with your skills than your certifications - though they help differentiate you.
Hope this helps.
Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
Set up your own Linux firewall with iptables and create your own rules.<sigh>
Network security is slightly more complicated than simply using iptables. Packet filtering is important, but recognizing possibile vulnerabilities in exposed services is also important. (For instance, did you know that -- by default -- most SSHDs allow any authenticated users to establish TCP connections to arbitrary remote machines? This can easily let users, regardless of how much you trust them, punch holes through your firewall.)
Furthermore, another large part of network security is network design. I've seen networks that have two or three DMZs, each guarded by independent machines with different configuartions: authentication systems, CPU architecture, and operating system (i.e. one OpenBSD, one Solaris, one <ack> Windows).
Continuing, most good network security folks can work on either side of the line between attacker and defender. Network security can only be built when you have learned to think like an attacker. (If I expose this port, what can that reveal about my configuration? What happens if this particular protection fails? What could happen if there was a root exploit on server 834?)
Sadly, there are many "security experts" that agree with you.
I would never suggest only *one* tool.
But that is besides the point. Learning iptables is much more *fundamental* than user-land tools. When you understand what is going on at the packet level, then, and only then, does it make sense to deploy higher-level tools. If you don't have your firewall properly configured, you are going to be looking at all kinds of crap with other tools, which may lead to confusion and mis-configuration problems, actually opening up your network to security exploits.
You are being MICROattacked, from various angles, in a SOFT manner.
"Can you teach me how to hack?"
"Do you know what IP subnetting is?"
"Uhh, no. I don't care about that, I just want to break into people's computers!"
"Go away."
I hear this all the time, and it probably applies to the other side of the fence as well. Learn how stuff works and the theory behind it. If you don't know the difference between TCP and UDP, don't try to learn how to do system administration and network security - learn how networking works first. Learn the protocols. If you don't know how to check your POP3 e-mail and retrieve a web page with nothing more than a telnet client, learn how to do that and more. Then you can decide whether security is even where you want to go, or if another path presents itself.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
IMHO any information security professional needs to develop a professional paranoia, being thoughtful of potential risks and failures, and understand what might go wrong.
Reading Bruce Schneier's Secrets and Lies is a really good start in this area. It is a not very technical book, written at the level suitable for an IT manager. This is also useful to help explains risks, vulnerabilities, and failures to IT Management.
The ever so ugly covered Hacking Exposed, which explains the basics of what criminals (or attackers) do commonly to gain unauthorized access to (networked) computer systems. This is so you a) know how easy it is, and b) are familiar with an overview of the basic steps and techniques to gain illicit access.
For online resources, RISKS digest (not focused on malicious activities, but how systems fail - very insightful and low volume), and Bugtraq a full disclosure mailing list will show you recent exploits, and vuln notices, but it is fairly lacking in actual educational content, and there are several other mailing lists at SecurityFocus that could also be useful to developing professional paranoia.
Next you need the language and basics of information/computer security. For this textbooks like Computer Security by Dieter Gollmann, Information Security Management Handbook by Tipton and Krause, Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, Alan Schwartz, and Security in Computing by Pfleeger and Pfleeger.
For procedures look at CISSP study material, BS 7799 / ISO 17799, and security auditing and incident handling materials. Some knowledge of risk management can also be useful.
From these basics, of the right mindset, the common language of infosec, and procedures and policy you can get into the low-level details of firewalls, VPNs, IDS, and network design. For this you should have a good network/internetworking basics, a very detailed understanding of TCP/IP, and understand firewalls, VPNs, and IPsec.
Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin is a great place to start, and Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman is a great follow-up. An alternative book on firewalls and VPNs is Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems by Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, Ronald W. Ritchey (crowd from SANS).
For networking basics, a Cisco certification like CCNA could useful in providing knowledge about internetworking and Cisco router's IOS. For the gory details of TCP/IP either TCP/IP Illustrated: Volume 1: The Protocols by Richard Stevens or Internetworking With TCP/IP Volume 1: Principles Protocols, and Architecture, 4th edition by Douglas Comer.
For IDS - Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt and Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper are the best IMHO.
I am not sure what to recommend for VPNs, other than you need to know about IPsec.
1. Don't install Telnet, TFTP, RSH, RLOGIN or anyother clear text services. /var/log).
2. Disable remote root login.
3. Use IP Tables and TCP Wrappers.
4. On "gateways", bind services to local interfaces only.
5. Use a strong password.
6. Don't install unused services (Example: Do you really need a BIND or SMTP server on your laptop?).
7. One word... up2date (www.redhat.com).
8. One word... www.chkrootkit.org.
9. Monitor your log files (seriously all of them
10. Anything windows based is a security nightmare (and no that's not a troll).
And don't forget about all the great _free_ tools out there: nmap, ethereal, tripwire, logwatch.
Google search for any of the above pointers that are not slef explanitory.
Karma: The shiznight, mostly because I am the Drizzle.
-Start with a good understanding of the technology with sys-admin's experience.h tml first.t
l l-availability.htm
-Read TCP/IP Illustrated Volume I
-Read Applied Cryptography
-Read Hacking Exposed 4 (shameless plug) or other similar books directly related to hacking activities and have a good networking security section
-Install an old OS version and hack it, understand the flaw and how to fix it.
-Understand and be comfortable with coding.
-Understand the purpose and how to use these well know tools http://www.insecure.org/tools.html
-Pass the CCNP and CISSP tests, I would expect this of any good consultant.
-Ask questions, but read http://www.linuxsilo.net/docs/smart-questions-en.
-www.cymru.com
-phenoelit.de
-qorbit.ne
-Mailinglists
-bugtraq
-nanog
-isp-security
-checkpoint
-CERT
-first.org
-honeypot
General Topics to understand first hand, and experience.
-Firewall
http://www.qorbit.net/documents/maximizing-firewa
-IDS
-Dynamic Routing
Internet Routing Architectures - Bassam Halabi
-IPSEC
-SSL
Create your own CA, understand the downfalls of our current system
-Token based authentication
RSA and Authenex have free demo packages
-DNS
-packetstormsecurity tools
Try and CONTRIBUTE to non-corporate activities; specifically the opensource community
-VPN
-GLB, HIPPA, FIPS security policy
-Wireless (not just 802.11a/b/g) Security Methodology
-General Cryptography Overview
Know the pro's con's of using AES instead of 3DES for exmple.
Most of all, try and understand things from scratch, read old exploits and advisories and understand the exact source of problems. I've attended and taught several security courses; none of the 7 day security braindumps will make you an expert consultant, you need to think outside the box, and be paranoid on your own. Be one of the few individuals which check the MD5 sums of apps, uses PGP for all sensitive emails, dosen't send enable passwords via AIM or nextel two way, and pushes their snmpv1(v3!) traffic over IPSEC tunnels just because it runs through a piece of fiber in 1 whilsire (shudder!!). An important subject which very few articles cover is your personal habits, be organized, document, and share security responsibility and paranoia with other admins in your organization; this is by far the largest hurdle and largest downfalls of many.
(please excuse any mispellings, gramar, limited details, and bad formatting)
The object wasn't to turn them into security wizzes in a day, but to give them a grounding in some of the more fundamental bits of the game so that they could go away and do sensible things with their new firewall, etc, etc.
I gave a suggested reading list for the keen ones. The list was as follows:
1) Mccarthy, Linda
"Network Security, Stories from the Trenches"
ISBN: 0138947597
For 'fear of god', and a general real-life example of the kind of wierd shit you're dealing with. (Mccarthy is also an excellent book to pass on to your boss when you're done with it. A *Very* usefull tool if you've been having trouble getting security budget - it will scare the bejesus out of him/her. This is not a particularly technical book, but it's very good for laying the groundwork, and getting your head around the security business. Teaches you to think outside the square too.
Perhaps the most important thing about the Mccarthy book is that it almost completely ignores technical subjects, and concentrates on the human and social engineering sides of security. Blocking ports and changing passwords every month is all well and good, but if someone can sweet talk your receptionist into handing over her password, then...
2) Stoll, Clifford
"Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"
ISBN: 0743411463
A real world, entertaining, walk-through the process of tracking a bad guy around the world. A nice easy to read book - technologically outdated now, but still interesting from the point of view of forensics and legals. This is not a technical book at all, but your boss still won't understand this one. NOTE: Don't make the mistake of being impressed by this book and running out to buy Cliff's other books. The first is a masterpiece, the rest are the ramblings of a tired and cynical man - not worth, frankly, the paper they're printed on. The Cuckoo's Egg is a nice book - buy it when your brain is just completely full of technical stuff, and you need a nice light (but still on-topic) story to give your brain a break.
3) Cheswick, William/Bellovin, Steven
"Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition"
ISBN: 020163466X
A bible for network and unix security. A detailed run-down on packets, ports, bells, whistles and how it all works. This book spends a lot of time analising specific network services, and their weaknesses. One chapter on a real-life tracking a bad guy, and some discussion of honeypots and lures. If you only buy one book, buy this one.
4) Garfinkel, Simson et-al
"Practical Unix & Internet Security, 3rd Edition" (The Safe Book)
ISBN: 0596003234
A practical, real-world, HOWTO on implementation of sensible security practices for unix administrators in particular. This is one you keep on your desk at work (well, chained to your desk with all your other O'Rielly books!) for day to day use.
5) Hunt, Craig
"TCP/IP Network Administration (3rd Edition)" (The Crab Book)
ISBN: 0596002971
A definitive bible on TCP/IP and how it works. All the guts from a techo (but not a programmer) point of view. This one doesn't spend much time on security per-se, but it is the book for TCP/IP.
The Sixth book in the pentology, for extra keen readers is The Cricket Book...
6) Liu, Cricket/Albitz, Paul
"DNS and BIND, Fourth Edition"
ISBN: 0596001584
Because, if
I find your ideas intriguing and I wish to subscribe to your newsletter.