Slashdot Mirror


Secure Your Network NSA-style

farker haiku writes "The NSA has unclassified a pdf on how to secure your network in sixty minutes. All in all, it's an interesting and informative read if you are in the security biz. The article covers a variety of topics such as Buffer Overflows, Intrusion Detection Systems and using Tripwire ASR to ensure the integrity of your network server."

3 of 42 comments

  1. Re:Security Through Sudo by Anonymous Coward · Score: 1, Interesting

    sudo sh

    ownt!

  2. Re:Security Through Sudo by dougmc · Score: 2, Interesting
    ownt!
    ... only if your sudo rules allow invoking sh from sudo. This isn't so unreasonable if this user is permitted full root access anyways, but if the user is intended to only run a few things as root, then they should NOT have this access.

    Really, disabling the root account entirely and instead letting users (well, administrators) use sudo doesn't really increase security that much. If you have root access to the box, you have root access to the box, be it via su, login or sudo. If you have the root password of the box because 1) it's your box, or 2) you're supposed to have it, the box is not `ownt'. It's yours, and legitimately so. (`pwned' and similar words suggest that it was taken somehow.)

    What forcing people to use sudo does accomplish is 1) helping to remind them not to login as root and do things as root that don't have to be done as root, and 2) to log things better. (And I'm talking about the usefulness of logging what you do when you're not trying to hide it here. A cracker will just erase the logs if he can.)
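
The distinction dougmc draws above (a sudo rule that hands out a root shell versus one limited to "a few things as root") is easy to check mechanically. The following is an added example, not code from the thread: a deliberately simplified sudoers auditor that reads plain `user HOST=(RUNAS) [TAGS:] cmd, cmd` lines from a constructed sample file and reports which users can reach a root shell, either because the rule is `ALL`, because a shell is listed directly, or because an allowed program is widely known to spawn a shell on request (vim's `:!sh`, less's `!sh`) and the rule lacks sudo's `NOEXEC` tag. The list of shell-escape programs and the sample rules are assumptions made for the example; alias resolution, `Defaults`, and `#include` handling are out of scope.

```python
"""Audit sudoers rules for paths to a root shell.

Added example for this thread, not the NSA document's or sudo's own code.
Simplified parser: handles 'user HOST=(RUNAS) [TAGS:] cmd, cmd' lines only;
Cmnd_Alias/User_Alias, Defaults and #include are not resolved.
"""
import os
import re

# Shells, plus programs widely known to spawn a shell on request
# (vim ':!sh', less '!sh', find '-exec', script interpreters).
# Assumed lists for the example, not a complete catalogue.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
SHELL_ESCAPES = {"vi", "vim", "less", "more", "man", "find",
                 "awk", "perl", "python", "python3"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"   # user/%group and host
    r"(?:\((?P<runas>[^)]*)\)\s*)?"            # optional (runas[:group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"               # NOPASSWD:, NOEXEC:, ...
    r"(?P<cmds>.+)$"                           # comma-separated commands
)


def parse_sudoers(text):
    """Return a list of (user, runas, tags, [commands]) for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").strip() or "root"  # sudo default
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append((m.group("user"), runas, tags, cmds))
    return rules


def root_shell_paths(rules):
    """Map each user to the reasons a rule gives them a root shell.

    An empty list means every allowed command is one this check does not
    recognise as a shell or a shell escape (or it never runs as root).
    """
    findings = {}
    for user, runas, tags, cmds in rules:
        reasons = findings.setdefault(user, [])
        if runas not in ("root", "ALL") and not runas.startswith("ALL:"):
            continue                            # can never run as root
        for cmd in cmds:
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reasons.append("ALL: any command, so 'sudo sh' works")
            elif prog in SHELLS:
                reasons.append(f"{cmd}: a shell is allowed directly")
            elif prog in SHELL_ESCAPES and "NOEXEC" not in tags:
                reasons.append(f"{cmd}: can spawn a shell; add NOEXEC: or drop it")
    return findings


def users_with_root_shell(text):
    """Sorted user names whose rules give them a root shell."""
    return sorted(u for u, r in root_shell_paths(parse_sudoers(text)).items() if r)


# Constructed sample, not a real sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
alice   ALL=(ALL:ALL) ALL                              # full root: 'sudo sh' works
bob     ALL=(root) NOPASSWD: /usr/sbin/service nginx restart, /usr/bin/systemctl restart nginx
carol   ALL=(root) /usr/bin/vim /etc/hosts             # restricted, but vim has :!sh
dave    ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts     # same command, NOEXEC tag set
erin    ALL=(www-data) ALL                             # anything, but never as root
"""

if __name__ == "__main__":
    for user, reasons in root_shell_paths(parse_sudoers(SAMPLE_SUDOERS)).items():
        status = "ROOT SHELL" if reasons else "restricted"
        print(f"{user:8s} {status}")
        for r in reasons:
            print(f"         - {r}")
```

Run against the sample, only alice (blanket `ALL`) and carol (vim without `NOEXEC`) are reported; bob's service-restart rule and erin's non-root rule are exactly the "only a few things as root" case the comment describes. Real sudoers files use aliases and `#include` directories, so treat this as a first pass and confirm with `sudo -l -U user` on the host.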

  3. NSA-style? by dougmc · Score: 2, Interesting
    This is securing your network NSA-style?

    Somehow I doubt it.

    In general, this is a pretty reasonable approach to securing your network. It's much more secure than it was when you started, but it's not locked down so tight that you can't get any work done on it.

    Like the rest of the world, the computers at the NSA are probably locked down to varying degrees depending on their function and the type of data they contain.

    This general sort of lockdown (as described in this document) might be appropriate for systems that don't contain confidential information and don't perform mission critical services, but I would imagine that `NSA-style' would really apply to the systems that contain confidential, top secret, etc. information, and the degree that these systems would be locked down would be much much more than is described in this document. And is probably still classified, though much of it could probably be figured out by anybody skilled in the area of computer security.

    For starters, the `top secret' computers at the NSA probably don't have any network access at all, or if they do have some, it's to a small, secure network of similarly secured systems (and NOT to the Internet) and physical security is taken to the extremes (think movies like Mission Impossible.) Code probably isn't run on these systems that hasn't been gone over, line by line, by the NSA itself. This sort of scrutiny requires lots of time and money, so any software being run is probably relatively old. The hardware itself is probably checked similarly, so it's likely to not be state of the art itself, except for the security components used to protect it.

    THAT would be `NSA-style'. And the only way you're likely to read the books on how that works is to 1) get the appropriate clearances from the government (Classified? Top Secret? I don't know), 2) get a job with the NSA, and 3) *need to know* what's in that book.