Slashdot Mirror


Getting Started in Network Security?

pixelgeek asks: "Security has not only become an important topic but also a critical issue for admins and even the average user in their home. To someone new to the topic the wealth of material can be a bit daunting and, as you can imagine, a little confusing. Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security, and what are the most important and useful applications (CLI primarily) that a person should examine and learn?" We've touched on these issues before, but it was a while ago. Taking a network security class could help, but which classes are really worth the money, and might there be enough information on the web to make such a choice unnecessary?

17 of 193 comments

  1. Majors? by krisp · · Score: 5, Informative

    Perhaps a BS in Applied Networking and System Administration could get you some of the answers you are looking for.

    1. Re:Majors? by orcaaa · · Score: 5, Funny

      Steps to foolproof security:
      1) Get a PhD in Number Theory/Theoretical CS from Harvard/MIT.
      2) Write the newest encryption technology which is NP-hard to decrypt and takes O(1) time for encryption. - PROVE it.
      3) Make all network applications use this technology (don't worry, this will be possible once you get the Fields Medal for proving the Riemann Hypothesis and people know/trust you and your work).
      4) Now lay back and enjoy.

      --
      -- Reality is just an extended dream.
  2. It's not an easy job by rxed · · Score: 5, Insightful

    In security you have to have a well rounded education and experience simply because the job demands it. A good start would be probably 5 years in network administration with large user group environments, fluent programming skills (java, c, c++, perl), some experience in web server farm administration etc. I don't know any security or computer forensics specialist who worked for our company who is under 35 yo.

    1. Re:It's not an easy job by MoreBeer · · Score: 5, Insightful

      Agreed. We try to 'greenhorn' in good network admins/engineers. Start them off in basic fw administration, show them the ropes of the IDS (Snort!), and teach them why it's important to ride their former coworkers like Zorro to ensure their stuff is up to date patchwise.

      The basic fact of the matter is, Network Security _requires_ a seasoned network admin/engineer/programmer who has the potential to analyze systems on all levels of the OSI model (when analyzing a production payroll server - is it plugged into a hub all the way up to transmitting passwords in cleartext or non-aged accounts?). I'd say it's damn near impossible for a hair stylist to come into a company as a Network Security Administrator, but a hungry NT admin or Network Engineer has great potential.

  3. iptables; get a book; read the web by ezs · · Score: 5, Informative

    I found Ziegler's book 'Linux Firewalls' useful http://www.amazon.com/exec/obidos/ASIN/0735710996/qid=1053904217/sr=2-2/ref=sr_2_2/002-0456066-3624865 ; also this is a great site http://www.linux-firewall-tools.com/linux/

    --
    Evil ZEN Scientist
  4. Start here... by darthBear · · Score: 5, Informative
  5. O'Reilly Security Bibliography by viega · · Score: 5, Informative

    O'Reilly has a good security bibliography here. Be sure to read Practical Unix and Internet Security (which is now in its third edition). Beyond that, pick some books that seem the most interesting to you.

  6. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  7. Nasty Catch-22 by acceleriter · · Score: 5, Insightful
    The corporate/law enforcement security community is fairly tight-knit, and suspicious of newcomers. Attempting to "break in" (no pun intended) to that community will be met with suspicion.

    And, interestingly, getting a job in network security requires a knowledge of network security, but having knowledge of network security without previous employment in the field can make you suspect.

    Worst of all is to admit knowledge of security in a corporate environment by pointing out flaws--then you're an easy mark for those "in charge" of security, whom you've made look bad. Like a bad "in Soviet Russia" joke, security problem report you.

    Fortunately, I haven't learned any of this by experience, only by observation.

    --

    CEE5210S The signal SIGHUP was received.

  8. Materials to start with by GC · · Score: 5, Informative

    Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
    "Know your Enemy" from the Honeynet Project

    Experiment with the following programs:
    Snort
    Ethereal
    IPTables
    TcpDump/LibPcap

    Follow articles/join mailing lists at:

    CERT
    Securityfocus

    Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.

    Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few Security based certifications as well YMMV.

  9. How I did it. by rdunnell · · Score: 5, Interesting
    Got a job at a decently large financial firm in their IT shop. Worked my way into supporting the security organization. While I was doing that, I learned as much as I could about good design principles and how to explain them to others. Eventually an opening came about in our network security group and there I am. We're not a Fortune 100 company, but that's only because of the way we're structured; that's the size and scope of company I work for.

    One of the most important things to remember is that security isn't all hackers and breakins and tiger teams and forensics. The day to day life of a security analyst (at least at a big firm) is fraught with arguments from operations, from development, from management. A very significant part of your job will be to propose The Right Thing To Do, which will almost always cost more and be more complex than the average Mickey Mouse band-aid solution that people tend to come up with. Security absolutely has to be designed into things from the start, not bolted on at the end. Execs and developers don't like to hear this a lot of the time, because it might cost more. Operations hates to hear it because it means they have another box to administer (a firewall instead of just a router) or some procedures that require them to have accountability.

    Definitely develop your people skills. You'll spend a LOT of time trying to convince people that you're worthy of what you're saying, but once you do they'll start coming to you before they do stuff and it gets a LOT easier. The important thing is to convince people that you're not just here to be an asshole and cost people money. That's the image the average security organization projects, but it's really not the case.

    Like others have said, learn as much as you can about as many technologies as you can, rely on other experts in the company for depth of knowledge, and you'll be fine. You don't have to be the ultimate CCIE router nerd to perform decent network security. You need to know how and where to research things, how to communicate those results to the people that need to know them, and how to stick to your guns when needed. You won't always win. Management is funny like that. But if you're creative in finding solutions and very firm and confident when you do have to deliver the bad news, you're well on your way to being a decent security analyst.

  10. Re:Oh, what the fuck by Kadin2048 · · Score: 5, Insightful
    The Coward does have one good point--just keeping your system up to date can do wonders for network security. And turning on the built-in security options in your home network (especially wireless) will make a big difference. It won't keep out a determined individual, but it will make your average script kiddie move on to the next joe on your street.

    Everything depends on what your security concerns are. The expertise needed to secure a small home LAN against high-schoolers with too much free time is a lot different than the experience needed to secure a gigantic corporate WAN against determined crackers, and the training you need to do one is nothing like what you need to do the other.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  11. MIT Network Security Team by heli0 · · Score: 5, Informative

    Might want to check it out: MIT Network Security Team

    "On the following pages you will find information about protecting your computer or network from malicious hackers, dealing with a suspected attack or system compromise, and MIT network security policies"

    --
    Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
  12. Computer Security by friscolr · · Score: 5, Insightful
    Secrets and Lies, by Bruce Schneier, will give you a good overview of computer security (other books exist for this general overview too, but I happen to have just finished this one). From there you can delve into more in depth overviews or specific topics.

    More in depth overviews:
    any CISSP/GISC/Security+ certification book (plus, after reading it go get certified!).

    Topic Specific:
    Firewalls (contrary to what others may tell you, there is more to security than firewalls). Some good books: the O'Reilly Firewall book, Building Linux and OpenBSD Firewalls (a bit dated but still on topic).
    Do a search for all O'Reilly books with 'security' in the title/description, flip through it, decide if it suits your need (e.g. Web Security, Computer Security Basics, OpenSSL security, etc).

    Learning the topic *really* well is very important - e.g. really understand TCP/IP (something beyond "I plug in the cable, run dhclient, and I get internet!") and look at it with an eye for security. Same goes for web servers, general sysadmin tasks, programming, etc.

    Remember: security is a process, and a moving target, and impossible to fix 100%, but try anyway.

    Experience is essential too. Get yourself an experimental network and try attacks, network sniffing, securing, MiTM'ing, getting around firewalls, DoS'ing, snort'ing, arpspoofing, etc. Once you've run some attacks then you'll have a working idea of what is going on and will hopefully be able to see when a line of thought would lead you in the same direction in setting up your network. Plus it helps to know you could set up a quick demo to show how easy it is to sniff someone's password, even on a switched network.

    Become a keen observer of people. The users are your number one enemy in terms of security. They'll give their password away to anyone, try to thwart your attempts to secure the network, print out and take confidential docs to the cafe, etc. Not on purpose, but b/c their priority is getting work done. Understand them so as to best work with them.

    And there's a whole lot more, but most importantly remember that security requires a very robust approach. Not just a firewall, not just encrypting everything, not just checking all code, but a well thought out approach that is followed, revised, updated, explained to all employees, etc etc
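The comment above recommends running ARP spoofing on an experimental network to see how a password can be sniffed even on a switched LAN. The defender's side of that lab is worth writing down too. The following is an added example, not code from any poster: a small ARP monitor that keeps the IP-to-MAC bindings it trusts (admin-supplied entries for the gateway, first-seen entries for everything else) and raises an alert whenever an ARP reply contradicts one. The ARP replies fed to it are constructed records, not captured traffic, and the `ArpReply`/`ArpMonitor` names are my own.

```python
"""Detect ARP replies that rebind a known IP to a different MAC address.

Added example for this thread, not code from any poster. The monitor keeps
the IP->MAC bindings it trusts and alerts when an ARP reply contradicts one.
The ARP replies below are constructed records, not captured traffic.
"""
from collections import namedtuple

# Fields of an ARP reply we care about (sender = the host making the claim).
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac target_ip")


class ArpMonitor:
    def __init__(self, static_bindings=None):
        # Admin-supplied bindings (gateway, servers) that no ARP reply may change.
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.learned = {}        # first MAC seen for IPs without a static entry
        self.alerts = []

    def observe(self, reply):
        """Record one ARP reply; return an alert dict if it conflicts with a binding."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        expected = self.static.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac            # first claim for this IP: learn it
            return None
        if mac == expected:
            return None
        alert = {
            "ts": reply.ts,
            "ip": ip,
            "expected": expected,
            "seen": mac,
            "source": "static" if ip in self.static else "learned",
            "asked_by": reply.target_ip,
        }
        self.alerts.append(alert)
        return alert


def run_monitor(trace, static_bindings=None):
    """Feed a sequence of ArpReply records through a fresh monitor; return its alerts."""
    mon = ArpMonitor(static_bindings)
    for reply in trace:
        mon.observe(reply)
    return mon.alerts


# Constructed trace: the gateway (.1) answers a host, then a second MAC starts
# claiming the gateway's IP, which is exactly what an ARP-poisoning lab produces.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
TRACE = [
    ArpReply(1.0, GATEWAY_IP, GATEWAY_MAC, "192.168.1.50"),
    ArpReply(2.0, "192.168.1.50", "00:11:22:33:44:50", GATEWAY_IP),
    ArpReply(3.0, GATEWAY_IP, "DE:AD:BE:EF:00:01", "192.168.1.50"),
    ArpReply(4.0, GATEWAY_IP, "DE:AD:BE:EF:00:01", "192.168.1.50"),
    ArpReply(5.0, GATEWAY_IP, GATEWAY_MAC, "192.168.1.50"),
]

if __name__ == "__main__":
    for a in run_monitor(TRACE, {GATEWAY_IP: GATEWAY_MAC}):
        print("t=%.0f %s claimed by %s (expected %s, %s binding)"
              % (a["ts"], a["ip"], a["seen"], a["expected"], a["source"]))
```

The static entry for the gateway is the reliable signal; learned entries never age out in this toy, so on a real network with DHCP churn they would need expiry (as arpwatch does) or the monitor will keep alerting on legitimate reassignments.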

  13. Things you should do by evenprime · · Score: 5, Informative
    The most important thing you can do, IMHO, is to join bugtraq or similar lists so you have a rough idea what is happening.

    Other ideas
    • set up a network of very cheap boxes with old software you know to be vulnerable, and try using exploits against them.
    • Try hardening and patching those boxes so the exploits don't work anymore. (You'll frequently be patching/protecting obsolete boxes in the real world, so this is actually realistic.)
    • Try adding tripwire and snort to stop/detect attacks. Configure snort with database logging, with syslog/swatch, etc. Clients will want it done in a variety of ways, so it is good to be able to do it in different ways.
    • Familiarize yourself with as many of the tools in Fyodor's list as possible. Using them will be the bread and butter of your work. That includes scanners like nessus.
    • Read an ultra paranoid book that will give you an overall view of the field (e.g. John M. Carroll's "Computer Security, Third Edition").
    • Practice security. As you install and register software, watch what is happening to the box.
    • Pick an area of security that you want to specialize in...there are too many bugs and holes each week to know all of them...just the PHP code injection stuff will keep you swamped.
    • Don't be afraid to ask more advanced people security questions, but do your homework first, and make sure that they know you have. They will take you more seriously if you say "I've already read the FAQ and the man page, but I'm not clear on...." than if you say, "Dude, how do I do...". This can make your learning experience far less painful.
    --
    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  14. Re:Teach yourself iptables by delta407 · · Score: 5, Insightful

    Set up your own Linux firewall with iptables and create your own rules. <sigh>

    Network security is slightly more complicated than simply using iptables. Packet filtering is important, but recognizing possible vulnerabilities in exposed services is also important. (For instance, did you know that -- by default -- most SSHDs allow any authenticated users to establish TCP connections to arbitrary remote machines? This can easily let users, regardless of how much you trust them, punch holes through your firewall.)

    Furthermore, another large part of network security is network design. I've seen networks that have two or three DMZs, each guarded by independent machines with different configurations: authentication systems, CPU architecture, and operating system (i.e. one OpenBSD, one Solaris, one <ack> Windows).

    Continuing, most good network security folks can work on either side of the line between attacker and defender. Network security can only be built when you have learned to think like an attacker. (If I expose this port, what can that reveal about my configuration? What happens if this particular protection fails? What could happen if there was a root exploit on server 834?)

    Sadly, there are many "security experts" that agree with you.
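The SSH point in the comment above (authenticated users relaying TCP connections through the host by default) is something you can check for rather than remember. The following is an added example, not code from any poster: a small auditor for OpenSSH's `sshd_config` that reports what the directives `AllowTcpForwarding`, `PermitOpen` and `GatewayPorts` permit, using their documented defaults (`yes`, `any`, `no`) when a file does not mention them. The two config texts at the bottom are constructed for the example; the function names are mine.

```python
"""Audit an OpenSSH sshd_config for TCP-forwarding settings.

Added example for this thread, not code from any poster. It reads
AllowTcpForwarding, PermitOpen and GatewayPorts, applies their documented
defaults when absent, and reports what an authenticated user could relay
through the host. The config texts at the bottom are constructed.
"""
import re

# Documented OpenSSH defaults: forwarding is on unless turned off.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "gatewayports": "no",
}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks) with lower-cased keys and values.

    sshd keeps the FIRST value it sees for a keyword, so a hardening line
    appended at the bottom of a file does not override an earlier one.
    Directives under 'Match' apply only to matching users/hosts, so they
    are collected per block instead of being merged into the global settings.
    """
    global_opts = {}
    match_blocks = []            # [(criteria, {keyword: value}), ...]
    current = None               # dict of the Match block being read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value_raw = parts[1].strip() if len(parts) > 1 else ""
        value = value_raw.lower()
        if key == "match":
            current = {}
            match_blocks.append((value_raw, current))
        elif current is not None:
            current.setdefault(key, value)
        else:
            global_opts.setdefault(key, value)
    for key, default in DEFAULTS.items():
        global_opts.setdefault(key, default)
    return global_opts, match_blocks


def audit_forwarding(text):
    """Return a list of findings describing the forwarding the config permits."""
    opts, blocks = parse_sshd_config(text)
    findings = []
    fwd = opts["allowtcpforwarding"]           # yes | no | local | remote
    if fwd in ("yes", "local"):
        if opts["permitopen"] == "any":
            findings.append("local forwarding: any authenticated user can reach "
                            "arbitrary host:port destinations via this host")
        else:
            findings.append("local forwarding: restricted by PermitOpen " + opts["permitopen"])
    if fwd in ("yes", "remote"):
        findings.append("remote forwarding: users can open listeners on this host "
                        "(GatewayPorts=%s)" % opts["gatewayports"])
    for criteria, block in blocks:
        if "allowtcpforwarding" in block:
            findings.append("Match %s: AllowTcpForwarding %s"
                            % (criteria, block["allowtcpforwarding"]))
    return findings


# Constructed config 1: forwarding never mentioned, so the default 'yes' applies.
UNTOUCHED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed config 2: forwarding off globally, re-enabled (restricted) for one account.
# The second AllowTcpForwarding line is a trap: sshd ignores it because the first wins.
HARDENED_CONFIG = """
AllowTcpForwarding no
AllowTcpForwarding yes      # ignored: first value wins
Match User backup
    AllowTcpForwarding local
    PermitOpen 10.0.0.5:22
"""

if __name__ == "__main__":
    for name, cfg in (("untouched", UNTOUCHED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for finding in audit_forwarding(cfg) or ["no TCP forwarding permitted globally"]:
            print("  -", finding)
```

The auditor deliberately does not merge `Match` blocks into the global view: a `Match` that re-enables forwarding for one account is a finding in its own right, and `PermitOpen` only constrains local (`-L`) forwarding, so a host that allows remote forwarding still needs `GatewayPorts no` to keep user-created listeners on loopback.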

  15. General Info by stikk · · Score: 5, Interesting

    -Start with a good understanding of the technology with sys-admin's experience.
    -Read TCP/IP Illustrated Volume I
    -Read Applied Cryptography
    -Read Hacking Exposed 4 (shameless plug) or other similar books directly related to hacking activities that have a good network security section
    -Install an old OS version and hack it, understand the flaw and how to fix it.
    -Understand and be comfortable with coding.
    -Understand the purpose of and how to use these well known tools http://www.insecure.org/tools.html
    -Pass the CCNP and CISSP tests, I would expect this of any good consultant.
    -Ask questions, but read http://www.linuxsilo.net/docs/smart-questions-en.html first.
    -www.cymru.com
    -phenoelit.de
    -qorbit.net

    -Mailinglists
    -bugtraq
    -nanog
    -isp-security
    -checkpoint
    -CERT
    -first.org
    -honeypot

    General Topics to understand first hand, and experience.
    -Firewall
    http://www.qorbit.net/documents/maximizing-firewall-availability.htm
    -IDS
    -Dynamic Routing
    Internet Routing Architectures - Bassam Halabi
    -IPSEC
    -SSL
    Create your own CA, understand the downfalls of our current system
    -Token based authentication
    RSA and Authenex have free demo packages
    -DNS
    -packetstormsecurity tools
    Try and CONTRIBUTE to non-corporate activities; specifically the opensource community
    -VPN
    -GLB, HIPAA, FIPS security policy
    -Wireless (not just 802.11a/b/g) Security Methodology
    -General Cryptography Overview
    Know the pros and cons of using AES instead of 3DES, for example.

    Most of all, try and understand things from scratch, read old exploits and advisories and understand the exact source of problems. I've attended and taught several security courses; none of the 7 day security braindumps will make you an expert consultant, you need to think outside the box, and be paranoid on your own. Be one of the few individuals who check the MD5 sums of apps, use PGP for all sensitive emails, don't send enable passwords via AIM or Nextel two-way, and push their SNMPv1 (v3!) traffic over IPSEC tunnels just because it runs through a piece of fiber in 1 Wilshire (shudder!!). An important subject which very few articles cover is your personal habits: be organized, document, and share security responsibility and paranoia with other admins in your organization; this is by far the largest hurdle and largest downfall of many.

    (please excuse any misspellings, grammar, limited details, and bad formatting)
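"Check the MD5 sums of apps" in the comment above is a habit that is easy to script and easy to get subtly wrong. The following is an added example, not code from any poster: a verifier for the `<hexdigest>  <filename>` manifests that `md5sum` and `sha256sum` print, written against any `hashlib` algorithm so the same code handles the SHA-256 manifests most projects publish today. The files and the manifest are constructed in a temporary directory so it runs offline; `file_digest`, `parse_manifest`, `verify_manifest` and `demo` are my names.

```python
"""Verify files against a checksum manifest before trusting them.

Added example for this thread, not code from any poster. It reads the
'<hexdigest>  <filename>' lines that md5sum/sha256sum print and checks
each file with the chosen hashlib algorithm. The files and manifest are
constructed in a temporary directory so the example runs offline.
"""
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Hash a file in chunks so large downloads need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Map filename -> expected hex digest from md5sum/sha256sum-style lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")        # two spaces separate the columns
        entries[name.lstrip("*")] = digest.lower()     # a leading '*' marks binary mode
    return entries


def verify_manifest(directory, manifest_text, algorithm="sha256"):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algorithm)
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def demo(algorithm="sha256"):
    """Build three constructed files/entries, verify them, and return the result map."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed archive contents\n"
        published = b"contents the vendor hashed\n"
        with open(os.path.join(d, "app.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.bin"), "wb") as f:
            # Modified after the manifest was published: the digest will not match.
            f.write(published + b"bytes appended later\n")
        manifest = "\n".join([
            "# constructed manifest, algorithm %s" % algorithm,
            "%s  app.tar.gz" % hashlib.new(algorithm, good).hexdigest(),
            "%s  tampered.bin" % hashlib.new(algorithm, published).hexdigest(),
            "%s  missing.txt" % hashlib.new(algorithm, b"never downloaded").hexdigest(),
        ])
        return verify_manifest(d, manifest, algorithm)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-14s %s" % (name, status))
```

Two caveats a practitioner would add to the comment's advice: MD5 collisions have been practical for years, so prefer a SHA-256 manifest when one is offered; and a checksum only proves the download matches the manifest, so the manifest has to come from somewhere the download did not (a separate channel, or a PGP-signed file verified with the key habit the same comment recommends), otherwise whoever replaced the archive can replace the checksum too.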