Secure Your Network NSA-style
farker haiku writes "The NSA has unclassified a pdf on how to secure your network in sixty minutes. All in all, it's an interesting and informative read if you are in the security biz. The article covers a variety of topics such as Buffer Overflows, Intrusion Detection Systems and using Tripwire ASR to ensure the integrity of your network server."
The NSA has unclassified a pdf on how to secure your network in sixty minutes.
This was classified? All the information in this document has been freely available on the Web for quite some time now...
I'm still gonna print this up and put it on my shelf...the NSA logo on the front looks pretty impressive. ^_^
____
~ |rip/\/\aster /\/\onkey
What about the "Under 60 seconds method for securing your computer" ?
;)
Step 1. Unplug it.
Ta-daaaa! Secure at last.
"What do you think?" "I think 'What, do you think?!'"
I don't think they finished the job.
A better link is here. Lots of good stuff from these guys. Worth a look.
+++ UGUCAUCGUAUUUCU
The LAN Manager hash algorithm splits a password of up to 14 characters into two blocks of 7 characters, the second block null-padded to size. The LM hash values for single- and dual-character second blocks are well known, so an eight- or nine-character password on Windows using the LM hash is effectively a seven-character password.
This assumes you have some systems which can ONLY use the LM hash. Systems with later capabilities can be forced NEVER to use LM hashing by simply using a 15-character password or longer, which won't fit in an LM hash even if it is enabled (which it shouldn't be these days, *unless* you have legacy systems that require it).
Microsoft cheerleader, blue flag waving, you got a problem with that?
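To make the comment's point concrete, here is an added worked example (not from the thread or the NSA document) that computes the LM hash exactly as described: uppercase, null-pad to 14 bytes, hash each 7-byte half independently, and refuse passwords over 14 characters. It uses Go's standard `crypto/des`; the function names and the assumption of ASCII passwords are mine.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that LM hashing encrypts under each key half.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads a 7-byte half over 8 DES key bytes; the low (parity) bit of each byte is ignored by DES.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0] & 0xFE,
		(k[0]&0x01)<<7 | (k[1]&0xFC)>>1,
		(k[1]&0x03)<<6 | (k[2]&0xF8)>>2,
		(k[2]&0x07)<<5 | (k[3]&0xF0)>>3,
		(k[3]&0x0F)<<4 | (k[4]&0xE0)>>4,
		(k[4]&0x1F)<<3 | (k[5]&0xC0)>>5,
		(k[5]&0x3F)<<2 | (k[6]&0x80)>>6,
		(k[6] & 0x7F) << 1,
	}
}

// lmHalf encrypts the magic constant under one 7-byte half of the password.
func lmHalf(half []byte) []byte {
	block, _ := des.NewCipher(desKeyFrom7(half)) // key is always 8 bytes, so no error
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the 32-hex-digit LM hash of an ASCII password (assumption: ASCII only).
// Passwords over 14 characters cannot be represented; Windows stores the empty-password hash for them.
func LMHash(pw string) (string, error) {
	if len(pw) > 14 {
		return "", errors.New("password exceeds 14 characters: no LM hash")
	}
	padded := make([]byte, 14) // null-padded to 14, as the comment describes
	copy(padded, strings.ToUpper(pw))
	h := append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
	return strings.ToUpper(hex.EncodeToString(h)), nil
}

func main() {
	for _, pw := range []string{"", "Passw0rd", "QWERTYUd", "D", "LongerThan14chars"} {
		h, err := LMHash(pw)
		fmt.Printf("%-20q %s %v\n", pw, h, err)
	}
}
```

Running it shows that "Passw0rd" and "QWERTYUd" share their second 16 hex digits, and that those digits equal the first half of the hash of "D" alone: the second block of an 8-character password is just a one-character hash, which is why the comment calls such a password effectively seven characters long.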
Both Unix and Windows use slightly different one-way hashes for encrypting and storing passwords. These character length recommendations are based on those hash algorithms, and happen to be the number of bytes actually stored. IIRC (and I'm not at all sure that I do) these hash algorithms using one-way mathematics recurse down when they hit their stored character limit, using both the next character and the hash of the first character as input for the second time through the algorithm. Thus a longer password will be more secure: less likely to collide with an entirely different password.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Really, disabling the root account entirely and instead letting users (well, administrators) use sudo doesn't really increase security that much. If you have root access to the box, you have root access to the box, be it via su, login or sudo. If you have the root password of the box because 1) it's your box, or 2) you're supposed to have it, the box is not `ownt'. It's yours, and legitimately so. (`pwned' and similar words suggest that it was taken somehow.)
What forcing people to use sudo does accomplish is 1) helping to remind them not to login as root and do things as root that don't have to be done as root, and 2) to log things better. (And I'm talking about the usefulness of logging what you do when you're not trying to hide it here. A cracker will just erase the logs if he can.)
Somehow I doubt it.
In general, this is a pretty reasonable approach to securing your network. It's much more secure than it was when you started, but it's not locked down so tight that you can't get any work done on it.
Like the rest of the world, the computers at the NSA are probably locked down to varying degrees depending on their function and the type of data they contain.
This general sort of lockdown (as described in this document) might be appropriate for systems that don't contain confidential information and don't perform mission critical services, but I would imagine that `NSA-style' would really apply to the systems that contain confidential, top secret, etc. information, and the degree that these systems would be locked down would be much much more than is described in this document. And is probably still classified, though much of it could probably be figured out by anybody skilled in the area of computer security.
For starters, the `top secret' computers at the NSA probably don't have any network access at all, or if they do have some, it's to a small, secure network of similarly secured systems (and NOT to the Internet) and physical security is taken to the extremes (think movies like Mission Impossible.) Code probably isn't run on these systems that hasn't been gone over, line by line, by the NSA itself. This sort of scrutiny requires lots of time and money, so any software being run is probably relatively old. The hardware itself is probably checked similarly, so it's likely to not be state of the art itself, except for the security components used to protect it.
THAT would be `NSA-style'. And the only way you're likely to read the books on how that works is to 1) get the appropriate clearances from the government (Classified? Top Secret? I don't know), 2) get a job with the NSA, and 3) *need to know* what's in that book.
Sure, there are certainly some differences, with certain types of threats becoming more common and other sorts of threats becoming less common, but I'm not really aware of any fundamentally new threats appearing during that period, at least not anything that the `old' defenses (as described by this paper) aren't effective against.
Probably the biggest change would be the general switch to massive DDoS attacks using an army of compromised machines, rather than an attack from a few machines. The concept certainly existed before 2002, but it's really become a problem since then. And ultimately, the `NSA-style' response is likely to be the same -- the important systems aren't on the Internet, so they're not vulnerable. (And if their internal network did have such a problem, they'd have much bigger problems than just a DoS attack.)
Ultimately, it's not a bad document, but you can find similar things without going to the NSA, and they've been available for a lot longer than three years.