Multi-Layer Security Platforms

An anonymous reader writes "ITO has published a comprehensive article on the new meaning of unified security management: 'In the not too distant past, the information security needs for most organizations were fairly straightforward. From a technology perspective, core defenses included a handful of perimeter-based firewalls to policing traffic originating from the Internet, along with software at desktops, and perhaps email gateways, to counter the emerging threat from viruses.'"

Security

[Bios_Hakr]

I kinda work in "the industry" and here's my $0.02:

First, a good setup would involve a completely standard desktop solution. From hardware to software, everything needs to be, pretty much, identical. That install would come with a VMWare player image of the user's standard install with full admin rights to the user. The VMWare image would be for special dev tools or just for those times when a user "has to have admin". This should remain hidden/disabled for 99% of the users. Only unlock it when someone shows they need to have admin for some reason.

Next, you need to have good user controls. The user should not be able to save files on their local drive. Every desktop should have a shortcut to the SAN/NAS. Every doc they create should be placed there. The SAN/NAS would be backed up daily.

The desktop should include a firewall. Only 80 and 443 should be open for outgoing. Incoming should have RDP or VNC open for admins to get in. There should be an icon on the desktop with the computer's name and IP address so that the user does not spend an hour reading the label off the back of the PC.

On the e-mail side. Attachments should not be allowed. Internally, there should be a "dump" directory on the SAN/NAS. Idealy, groups would have their own dump area within that group's directory. The dump directory would be deleted every night prior to backups.

HTML e-mail would be allowed, but images would be stripped.

The network center's setup should be as bulletproof as possible. Every server should run a firewall and only allow what is needed. And then, lock them to the IP address ranges they need to connect to.

Webmail would be blocked at the proxy server. We provide you an e-mail for official use. If you want to get your webmail, forward that to your work addy where we at least get a chance to strip attachments, bugged images, and phishing attempts.

Last but not least, have a good contengency plan. We all know about trojans, phishing, bad attachments and the like. But what's the next internet wildfire? For everything you can think of, there are probably 10 things you can't. Have good backups and at least try to keep a virus on the user's desktop from raping your SAN/NAS. Have a plan for fire and earthquakes/floods. Have a few spare desktops with the standard install already done for when a user borks their setup. Have help files on the desktop for things like setting up outlook and mapping SAN/NAS drives.

Remember that it's all a matter of usability vs. security. I could make the most secure airline in the world. But no one would ever want to fly completely naked and cuffed to their seats.

Re:Sorry; I wasn't that impressed...

[Bios_Hakr]

I'd love to let me users run whatever they wanted. But then we'd need to tripple the hell-desk staff. Here's what I'd like:

Secretaries should be running bootable knoppix with an automagic mapping to the SAN/NAS. No worry about them downloading crap. Of course, they'd still call 15 times a day wanting to know how to send an Outlook appointment that some people can decline while others cannot. And they'd still accidentaly overwrite or delete the C*Os' proposals.

Devs should be able to run whatever they like. But a lot of them are dangerous. Devs *think* they are admins. Some of them are good and really know the workings of their chosen platform. But they tend to shut down virus protection "so they can compile faster" or install random tools "because they prefer program X over program Y." Just leave the mofo alone and call the hell-desk before you install. Is that so hard?

Engineers are the worst. They really drive our dependance on MS Office. They are the ones doing crazy-mad macros in Word and making PowerPoint jump like it's a fucking Pixar movie. If I had my way, our engineers would never be allowed to use a PC on the network. They'd have to describe what they want to an intern and then let him write it for them...