End-to-End Network Security

← Back to Stories (view on slashdot.org)

Posted by samzenpus on Wednesday November 14, 2007 @08:36AM from the protect-ya-network dept.

Ben Rothke writes "One of the mistakes many organizations make when it comes to information security is thinking that the firewall will do it all. Management often replies incredulously to a hacking incident with the thought "but don't we have a firewall". Organizations need to realize a single appliance alone won't protect their enterprise, irrespective of what the makers of such appliances suggest and promise. A true strategy of security defense in depth is required to ensure a comprehensive level of security is implemented. Defense in depth uses multiple computer security technologies to keep organizations risks in check. One example of defense in depth is having an anti-virus and anti-spyware solution both at the user's desktop, and also at the gateway." Read on for the rest of Ben's review. End-to-End Network Security: Defense-in-Depth author Omar Santos pages 480 publisher Cisco Press rating 9 reviewer Ben Rothke ISBN 1587053322 summary Excellent and comprehensive look at how to secure a Cisco infrastructure End-to-End Network Security: Defense-in-Depth provides an in-depth look at the various issues around defense in depth. Rather than taking a very narrow approach to security, the book focuses on the comprehensive elements of designing a secure information security infrastructure that can really work to ensure an organization is protected against the many different types of threats it will face on a daily basis.

The books 12 chapters provide a broad look at the various ways in which to secure a network. Aside from a minor mistake in chapter 1 where the author confuses encryptions standards and encryption algorithms (but then again, many people make the same mistake), the book provides a clear and to the point approach to the topic at hand. After reading the book, one will have a large amount of the information needed to secure their Cisco-based network.

While it is not in the title, the book is completely centered on Cisco hardware, software, and Cisco IOS. It is a Cisco Press title written by a Cisco employee, as you would expect, it has a heavy Cisco slant. For those that do not work in a Cisco environment, the information in the book will likely be far too Cisco centric for their needs. A review of the index shows that the book provides a near A-Z overview of information security. One of the only missing letters is 'J', but then again, that would require writing about Juniper.

Chapter 1 starts off with a detailed overview of the fundamentals of network security technologies. Chapter 2 details the various security frameworks and methodologies around securing network devices. The six-step methodology that the author writes of is comprised of preparation, identification, classification, traceback, reaction and postmortem.

The author mistakenly writes that manual analysis of complex firewall policies is almost impossible because it is very time-consuming. The truth is that the time-consuming aspect does not make it impossible. It can be done, but the author is correct that the use of automated tools makes such analysis much quicker and easier.

Chapters 5 and 6 provide an excellent overview of reacting to information security incidents. The chapters cover all of the necessary details, from laws, log finals, postmortem and more.

Chapter 9 provides and extensive overview of the various elements of IPT security. It includes various ways to protect the many parts of a Cisco IPT infrastructure. In this chapter and the others, the author does a very good job of detailing the various configurations steps necessary to secure a Cisco device, both at the graphical level and also at the ISO command line level.

Chapter 12 concludes the book with 3 case studies of using defense in depth a small, medium and large enterprise networks. Different size networks have different requirements and constraints and are not secured in the same manner.

Overall, End-to-End Network Security: Defense-in-Depth is an excellent and comprehensive book on how to secure a Cisco infrastructure. It details the many threats such an environment will face, and lists countermeasures to mitigate each of those threats. Anyone involved in securing Cisco-based networks will find this book to be quite helpful in their effort to secure their network.

Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase End-to-End Network Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

99 comments

Let me be one of the first to say by Nursie · 2007-11-14 09:16 · Score: 4, Insightful

"Duh!"

C'mon, an incoming firewall is a good start, but it's just that. You still need AV, Anti-malware is good. Spam filtering, individual machine firewalls, server security, access limits for users, restrictions on what can be attached to the network, a secure area with limited access for those whose laptops travel a lot...

This is, is it not, pretty elementary stuff?
1. Re:Let me be one of the first to say by JK_the_Slacker · 2007-11-14 09:17 · Score: 0, Redundant
  
  So basically what you're saying is... run Linux? Got it.
  
  --
  I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
2. Re:Let me be one of the first to say by Cajun+Hell · 2007-11-14 09:53 · Score: 1
  
  You still need AV
  If and only if your policy is "run whatever people give you."
  
  --
  "Believe me!" -- Donald Trump
3. Re:Let me be one of the first to say by Bender0x7D1 · 2007-11-14 10:07 · Score: 3, Interesting
  
  This is, is it not, pretty elementary stuff?
  
  It really depends on who you are...
  
  I suppose someone who has a Ph.D. in physics would say that quantum mechanics is pretty elementary stuff. The problem here is that you are assuming everyone who is in charge of a network has the knowledge, background and experience to understand security. Most don't. Many who think they do - don't. There is so much to keep track of that it's a full-time job just to keep up with the attackers. If you have a lot of other work to do, you probably aren't keeping current in every area you need to. That's why there are security experts who get paid a lot of money to help secure systems and networks.
  
  --
  Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
4. Re:Let me be one of the first to say by Jansingal · 2007-11-14 10:25 · Score: 1
  
  No way man.... use a Mac!!!!
5. Re:Let me be one of the first to say by JK_the_Slacker · 2007-11-14 11:50 · Score: 0
  
  Figures... I make the first post in the comments about using Linux, and I get tagged "redundant". How very silly of me to make a point that everybody else is GOING to make at some point in the future.
  
  --
  I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
6. Re:Let me be one of the first to say by pclminion · 2007-11-14 14:42 · Score: 1
  
  I suppose someone who has a Ph.D. in physics would say that quantum mechanics is pretty elementary stuff.
  
  Depends. The mathematic behind quantum mechanics is not exactly "elementary" but the basic ideas are. Wave functions, uncertainty, and quantum collapse, although weird, are easily grasped by most people. Just don't ask them to do the math on it. Same with computer security -- even if you don't know every gory detail, you should at least know what the basic components of a secure system is. Seriously, it isn't that hard to understand.
  
  With all the world's computers connected together these days, it is a matter of personal responsibility to know at least SOME basic ideas behind computer security.
7. Re:Let me be one of the first to say by Anonymous Coward · 2007-11-14 18:23 · Score: 0
  
  if you need an antivirus, that means your os(es) are vulnerable by default. lol. Intrusion prevention and detection at the gateway makes sence to me when it comes down the line of protecting network services. but if you depend on antivirus/anti spyware protection, that means your're already vulnerable. use Linux.
8. Re:Let me be one of the first to say by dfgchgfxrjtdhgh.jjhv · 2007-11-14 19:52 · Score: 1
  
  and if you're responsible for running a network, you should already know these basics, or you dont deserve to have the job.
  
  looks like the book is aimed at trainees or students, any network admin should know this & those that dont are unlikely to read a book.
  
  --
  Web Design
9. Re:Let me be one of the first to say by dfgchgfxrjtdhgh.jjhv · 2007-11-14 19:57 · Score: 1
  
  with the errors in it, its even a poor choice for students & trainees.
  
  it seems to be slightly above the level of what users need to know, not many people run a corporate-style network at home & this kind of thing should be done for them at work.
  
  --
  Web Design
10. Re:Let me be one of the first to say by jotok · 2007-11-14 21:50 · Score: 1
  
  Network security starts with defining the requirements for the network and then determining user policies, and then eventually determining what hardware and software you need. Good policy will make a secure environment regardless of what operating systems you use.
  
  You gave some good examples of this principle. If you provide the users with network shares or a collaboration solution, then they don't need to use thumb drives. If you sandbox Outlook and IE, you don't have to worry about the malware du jour. And so on and so forth.
11. Re:Let me be one of the first to say by fuzzix · 2007-11-14 22:45 · Score: 1
  
  If and only if your policy is "run whatever people give you."
  
  Because we all know how stringently the average office worker sticks to IT policy...
12. Re:Let me be one of the first to say by hesiod · 2007-11-15 02:28 · Score: 1
  
  Hate to break it to you, but not every company can afford to hire a full team of network engineers. Sometimes, small companies have to choose their IT employees (assuming they can even hire more than one) carefully, based on their immediate needs. They can't afford to pay someone to do everyday stuff as well as someone with a CCNA, so they hire the first person and ask him to do his best with what he has.
13. Re:Let me be one of the first to say by hesiod · 2007-11-15 02:32 · Score: 1
  
  > Good policy will make a secure environment regardless of what operating systems you use.
  
  Sure, assuming you don't have any employees... Employees break policy routinely and don't give a crap if plugging in a USB drive is "against policy." They'll do it because they feel entitled to do whatever then damn well please. So if you don't lock down your systems to enforce an existing policy, you might as well throw all your PCs, with all their confidential information, out into the street.
14. Re:Let me be one of the first to say by Bender0x7D1 · 2007-11-15 02:45 · Score: 1
  
  If you don't know every gory detail then how can you make intelligent decisions on where to spend your budget? Sure, you can learn the basics of quantum mechanics, but that doesn't make you qualified to determine how money should be spent for experiments. The same holds true here. You might have an idea that you should have firewalls, IDSes, updated systems, anti-everything, physical security, an employee training program, etc. However, you can't have it all - it would be too expensive in terms of time and money. So, how do you decide? If you don't know the gory details, you can't. OK - you can; but you'll probably spend your money on the wrong things.
  
  --
  Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
15. Re:Let me be one of the first to say by jotok · 2007-11-15 03:55 · Score: 1
  
  I thought enacting policy was implied in that statement: e.g., shut off the USB ports to all your user's workstations.
16. Re:Let me be one of the first to say by Jansingal · 2007-11-15 06:34 · Score: 1
  
  >>and if you're responsible for running a network, you should already know these basics, or you dont deserve to have the job.
  
  In a perfect world... yes.
  
  The real world... mgmt cares little about securtiy and pays little to those who are responsible for it.
  
  the outcome = malware invested networks run by those behind the curve.
17. Re:Let me be one of the first to say by hesiod · 2007-11-15 09:04 · Score: 1
  
  Ah, you were unclear. "Policy" is a very different thing than "Windows Group Policy Objects."
18. Re:Let me be one of the first to say by jotok · 2007-11-15 11:02 · Score: 1
  
  Yah, I tend to use them conceptually as the same thing.
  Where I work, "Stuff we don't want the users to do" and "Stuff we don't allow the users to do" are one and the same.
  I also work with an "allow by exception" network with is basically a security guy's wet dream :P
19. Re:Let me be one of the first to say by pclminion · 2007-11-15 16:40 · Score: 1
  
  If you don't know every gory detail then how can you make intelligent decisions on where to spend your budget?
  
  Trusted, informed opinions. We can't know every gory detail on every subject in the world and yet we seem to all do okay, by relying on experts.
So by Anonymous Coward · 2007-11-14 09:16 · Score: 0

How much did Cisco pay for this placement?
1. Re:So by Jansingal · 2007-11-14 11:09 · Score: 1
  
  u think csco pays 4 placement on /. ????
  
  NEVER!!!!
Re:What a bunch of NAZIs we are.... by BlueParrot · 2007-11-14 09:22 · Score: 1

We want freedom for the users to make their systems obey them, and allow them to study and modify it to suit their needs. That is rather different from lettin unauthorized peopel take their controll away. It's all about the user's freedom.
Why not just dump Windows? by webmaster404 · 2007-11-14 09:27 · Score: 2, Insightful

Why not just dump Windows and go for either emulating XP on a Virtual Machine or run OS-X, Linux or BSD? Seriously, if your worried about your employees downloading a "screensaver" for Windows and infecting the network, just run Linux and I bet you over 80% of the time thats what it is. As for "retraining" you would spend more money retraining and getting better hardware (and worse software) to get Vista, and Office 2007 while Ubuntu can be themed like XP/Vista/Amiga/OS-X or any other previous operating system. Open Office has a much lower learning curve then giving them Office 2007. So just switching to Linux takes out just about 100% of malware/virus problems which bring in back-doors and other ways of accessing, not to mention the code is open so you can be 100% sure that you won't get a "stealth update" or delayed patches or even currently unkown flaws in the kernel. As for a firewall, just running your connections through a router would help a bit, set up Firestarter or another iptables front-end for Linux, set secure root passwords and the only way that it can be cracked is if the IT department decided to crack it because they would be the ones that set it up. So moral to the book is, switch to Linux or just about any OS other then Windows, set up a firewall and secure passwords and you will be fine.

--
There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
1. Re:Why not just dump Windows? by El+Lobo · 2007-11-14 09:34 · Score: 1
  
  Here we go again... Why should I? In my department we use Windows and we have no need to replace it. if you have a good It team who secures the OS, there should be minimal risks. A well configured XP or 2003 can be as secure as any other OS.
  OTOH a bad secured Linuzzz, can be as insecure and any other...
  So why just begin from the beginning with a new OS, new applications, emulatiosn, etc if the well configured real thing does the job?
  
  --
  It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
2. Re:Why not just dump Windows? by Anonymous Coward · 2007-11-14 09:41 · Score: 0
  
  So moral to the book is, switch to Linux or just about any OS other then Windows, set up a firewall and secure passwords and you will be fine.
  
  Not having read the book, that may be its point. Decidedly untrue however. Firewalls and passwords might keep the main door locked, but the problem with users is that they often allow them entry through the back door, a window, etc (no puns intended). They use their browser with increased privileges or check their email with a superuser account and poof, their machine is infected, files removed, etc.
  
  And the "we're all IT nazis" may be a bit true: it's a different world from the one even in the early 90s. Bad people have access to the internet. It's like being able to knock on anyone's door in the world. Sometimes they answer. Sometimes you try the lock and it's open. Sometimes it's a poor lock. Regardless, there's so much personally abusable information at each of these doors that we really do need to get in each other's way to keep them securely locked. We're not letting the terrorists win...we're just changing the way we drive now that there are other idiots on the road.
3. Re:Why not just dump Windows? by MikeFM · 2007-11-14 09:46 · Score: 2, Informative
  
  What's really bad is that a clever hacker can bypass much of your companies security just by getting someone running Windows to let themselves be infected with a program that gives the hacker terminal access to their computer and the ability to catch usernames, passwords, etc. Suddenly they have all the right authorization and access to your protected systems from inside the LAN. Worse, they can often infect other Windows systems giving the hacker access to the protected systems with many different user creditials. Would you want a hacker accessing ANYTHING that any Windows user on your network has access to? For most companies that gives access to everything because most data is accessed by a least on Windows user.
  
  If you have Windows on your network then it's not difficult to penetrate your network. I've done this experiment many times with many different companies I've worked for. I can always gain secure access.
  
  --
  At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
4. Re:Why not just dump Windows? by Vanessa+MacDougal · 2007-11-14 09:56 · Score: 2, Insightful
  
  There is nothing magical about other operating systems. Denial-of-service (DOS) attacks and the reading of unencrypted data, for instance, know no OS. You need end-to-end security regardless of your platform.
5. Re:Why not just dump Windows? by hal9000(jr) · 2007-11-14 10:03 · Score: 1
  
  Why not just dump Windows and go for either emulating XP on a Virtual Machine or run OS-X, Linux or BSD? Seriously, if your worried about your employees downloading a "screensaver" for Windows and infecting the network, just run Linux and I bet you over 80% of the time thats what it is.
  
  Because that is not how the world works. Companies have a huge investment in Windows and all the apps that run on it. A rip and replace is simply not a viable option.
  
  You know, there are ways that companies can lock down Windows using the GPO, proberly configuring applications, and a bunch of other things without even having to buy more products. But that training is expensive and once you get some peopple properly trained, it's expensive to keep them.
  
  And let's not forget the social aspect either. Employees, rightly or wrongly I am not debating the point, have come to expect the right to download stuff onto their computers, surf the Internet at will, and do other things that are dangerous. IT helps perpetuate this by keeping the myth alive that Winodws can't be locked down and protected from end-users.
  
  Exploits, remote or local, are another issue that can't be ignored and that is something Microsoft is dealng with.
6. Re:Why not just dump Windows? by JrOldPhart · 2007-11-14 10:04 · Score: 1
  
  Yea, back to CP/M.
  
  --
  Nothing is foolproof, fools are too ingenious. - Murphy
7. Re:Why not just dump Windows? by webmaster404 · 2007-11-14 10:08 · Score: 0, Offtopic
  
  Well for one there are sky high system requirements for Vista at least and unless you are buying computers online, you will be stuck with Vista which needs around 1-2 Gigs of RAM for sub-XP level performance and 4 gigs for decent performance, while a more recent Ubuntu then Vista (7.10 which came out a month ago in October 2007) runs happily on my 1.8 GHZ processor with 512 MB of slow RAM while Vista is unbelievably slow on my friend's Intel Dual Core (1.6 GHZ) with 512 MB of RAM thats about 3-4 years newer then my Dell which cost me $25 at a garage sale. Not to mention how slow running
  
  1. A third party antivirus
  2. A third party firewall
  3. A third party anti-spyware
  4. Adobe reader that preloads itself on Windows startup
  Secondly, the license is barbaric,
  
  Here are some examples from the Windows XP professional where you can pick up a PDF from http://www.microsoft.com/about/legal/useterms/default.aspx
  
  Internet Gaming/Update Features. If you choose to utilize the Internet gaming or update features within the Product, it is necessary to use certain computer system, hardware, and software information to implement the features. By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for Internet gaming and/or updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.
  
  So in other words, MS or any one of it's partners can spy on you as long as its for "internet games" and "Windows update" but they can't use it to identify you but anyone who is a "MS partner" can do it. How nice.
  
  Security Updates. Content providers are using the digital rights management technology ("Microsoft DRM") contained in this Product to protect the integrity of their content ("Secure Content") so that their intellectual property, including copyright, in such content is not misappropriated. Owners of such Secure Content ("Secure Content Owners") may, from time to time, request Microsoft to provide security related updates to the Microsoft DRM components of the Product ("Security Updates") that may affect your ability to copy, display and/or play Secure Content through Microsoft software or third party applications that utilize Microsoft DRM. You therefore agree that, if you elect to download a license from the Internet which enables your use of Secure Content, Microsoft may, in conjunction with such license, also download onto your computer such Security Updates that a Secure Content Owner has requested that Microsoft distribute. Microsoft will not retrieve any personally identifiable information, or any other information, from your computer by downloading such Security Updates.
  
  So whoever owns a DRM scheme, can force MS to download a "security update" that can make it so all your DRMed media can't play. How nice of them, you bought the content but now can't watch it.
  
  Consent to Use of Data. You agree that Microsoft and its affiliates may collect and use technical information gathered in any manner as part of the product support services provided to you, if any, related to the Product. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.
  
  So any information about you thats deemed "technical" can be sent to other "Microsoft Partners"
  
  So in other words, MS owns your computer. Linux doesn't have *any* of those problems, yes XP is broken and yes Linux does solve all of those problems.
  
  --
  There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
8. Re:Why not just dump Windows? by webmaster404 · 2007-11-14 10:28 · Score: 2, Insightful
  
  Yes I know that they can lock down Windows, I worked for a company for a short time that locked down Windows. The fact though was, between an over-aggressive content-blocking server that blocked non-inappropriate or time wasting sites, the fact that Firefox could never update itself because I didn't have Read, write and execute privileges to update Firefox (which by the way was already installed by the IT department) most IT departments I have found know very very little about computers, they either know how to use Windows and other MS software or a little about hardware, very few know anything about computers and many have irrational fears (like checking your E-Mail from a web based E-Mail account will suddenly infect the entire network, didn't give a reason or anything even when I asked) and so I don't think that "locking down Windows" will solve anything about it, it will just give them more ways to mess everything up.
  
  As for the applications, very few businesses that I have seen, have any "must-need" software on most of their computers, sure there are a few that would need to have a VM running to run a few or have Windows dual-booting but for the average worker, Linux is sufficient. And I am not proposing a total abrupt change, but when the next licensing fee has to be sent in, or when it is time for an upgrade, Linux works 85% of the time for a solution and the other times, just dual-booting Windows or keeping a VM with it installed works.
  
  As for the social aspect, Linux would allow them to download what they choose and surf the internet without IT locking down computers to being unusable. There is very very very little Linux malware, and those that do exist are either not in the wild, or as long as you use a halfway recent distro (like Fedora Core 1) you will be safe from them if you keep up on your patches. Also, most Windows Malware/Adware/Spyware/Viruses are caused by a program that looks legit but isn't, Linux reduces this threat by the package management system, when you type in sudo apt-get install firefox, you can be assured that someone has looked that over and that it matches checksums to make 100% sure its Firefox and not some malware. If you don't trust that, you can compile it completly from source, there is little way unless you are randomly installing binary files, then you won't get any malware on a Linux machine. Also, if there is a problem, a sysadmin can simply SSH into the system and fix the problem.
  
  Free, Easy to use, (it can be customized to behave like XP/OS-X/Vista) Secure, and Functional, theres no reason not to use Linux
  
  --
  There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
9. Re:Why not just dump Windows? by El+Lobo · 2007-11-14 11:23 · Score: 1
  
  That was extremly OT. I am saying that we are extremely happy with Windows. Again, please, why should we migrate?
  
  --
  It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
10. Re:Why not just dump Windows? by dave562 · 2007-11-14 12:28 · Score: 1
  
  Free, Easy to use, (it can be customized to behave like XP/OS-X/Vista) Secure, and Functional, theres no reason not to use Linux
  Can it be customized to do what this does? http://www.altec-inc.com/
  How about a Linux accounting package for the SMB market that does the equivalent of what this does? http://www.sagesoftware.com/pfw/
  While you're at it, got any waste management software for Linux? Waste Management went with AS/400. http://www.eweek.com/article2/0,1895,1773666,00.asp
11. Re:Why not just dump Windows? by turbidostato · 2007-11-14 12:46 · Score: 1
  
  "Why should I?"
  
  Maybe you shouldn't. The previous poster just argumented that costs for the migration might be less than others would want you to believe. After all, he showed an scenario where there was the chance of migrating from XP to Vista *or* Ubuntu; from Office whatever to last version *or* Open Office. But, then, "why should you" migrate to Vista or Office last version to begin with? Now, if you state your reasons clear you might find that there're better migration targets than Vista or Office.
  
  "In my department we use Windows and we have no need to replace it"
  
  And that's part of the point. Your deparment surely doesn't use "Windows". You may use "Windows XP" or "Windows 2003" but certainly not "just Windows". Of course Microsoft marketing mill with be delighted at the idea of you really thinking that you use "Windows" because then, on your mind, there can't be migration costs or problems going from "XP" to "Vista" since there's no real migration at all. But once you realize you are not using Windows but "Windows XP" there's the chance you see going from "Windows XP" to "Windows Vista" as a real migration path and, as such, opened to be discarded in favour of a (mightbe) more positive migration path like, may be, from "Windows XP" to "Ubuntu Linux" (or any other else).
  
  "if you have a good It team who secures the OS, there should be minimal risks"
  
  No doubt. But I think that, as news reveals, not everybody seems to have "good It teams" and even then, maybe TCO for Microsoft-based environments *might* be higher than alternatives. Of course you won't see that unless you take the time and effort to study your facts.
  
  "A well configured XP or 2003 can be as secure as any other OS."
  
  Maybe. But this is only part of the equation. Is it as secure as any other OS? And as cheaper? And as flexible? And as reliable? Maybe *your* local answer is "yes", maybe is "no", maybe "yes for some subsystems but not for others".
  
  "So why just begin from the beginning with a new OS, new applications, emulatiosn, etc if the well configured real thing does the job?"
  
  Just remember your own words next time you are about to move from NT to 2xxx to Vista to whatever.
12. Re:Why not just dump Windows? by jc42 · 2007-11-14 12:53 · Score: 2, Insightful
  
  C'mon; asking businesses to dump Windows would be a lot like asking America to dump Christianity, or asking Egypt to dump Islam. All three might be very good ideas, but suggesting any of them in the appropriate crowds will just get you fired/crucified/beheaded/whatever.
  
  When faced with religious beliefs like these, the best you can do is try to make the best of them, while trying to minimize their damage to people and property.
  
  [A couple decades ago I'd have included asking the USSR to dump Communism, but that happened. But I suspect that IBM/Microsoft, Christianity and Islam are much more deeply entrenched than Communism ever was. Anyway, my metaphor generator is redlined as it is. ;-]
  
  --
  Those who do study history are doomed to stand helplessly by while everyone else repeats it.
13. Re:Why not just dump Windows? by Aehgts · 2007-11-14 13:32 · Score: 1
  
  While I agree that linux seems to solve a lot of these problems I still believe that a part of the reason for this is that the average linux user is simply a more informed internet user.
  'nix is great at protecting against passive attacks, but can still suffer from pebcak.
  In my experience, those who run linux tend either to not know what an OS is (parents, grandparents etc) or are curious nerd/geek types who either know what they are doing, or are willing to break a test system finding out. This education is the best security. It is simply common sense to me, and I assumed it was widely accepted common sense. I was wrong.
  I had no problems running a single install of XP on my home computer for ~5 years with no viruses and no non-hardware related crashes. I switched to Linux because I like Linux, not because I hate Windows. Meanwhile, my (windows using) next-door neighbor has a broadband connection that crawls and IE's menu bars take up literally half the screen with add ons. They honestly thought that was normal. The only reason I was in there looking at the computer is that he was having hardware issues.
  Given a linux box, I have no doubt that these types of users will quite happily type in their password for gksu if they clicked a link and it prompted them for it. This social, educational aspect to security knows no borders of OS. There just doesn't seem to be much linux aware malware in the tubes.
  Get more users running linux and more malware will be written for it. There are always those who will fall victim to socially engineered attacks.
  To solve this you would have to withhold root access and/or limit sudo access. This is not hugely different to the available Windows domain security policy lockdowns. You would still be left with a system that won't install arbitrary progams either way.
  
  Food for thought anyway...
  
  --
  "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
14. Re:Why not just dump Windows? by Fred_A · 2007-11-14 18:26 · Score: 2, Funny
  
  While you're at it, got any waste management software for Linux? Sure, both Gnome and KDE have this little trashcan icon nowadays.
  It's all gotten very fancy.
  
  --
  
  May contain traces of nut.
  Made from the freshest electrons.
15. Re:Why not just dump Windows? by Anonymous Coward · 2007-11-15 01:53 · Score: 0
  
  Yeah, thats it. Every IT staff on the planet knows linux well enough to support it and lock it down. Ahh thats it, ever linux distro out of the box is 100% secure. The answer is always just so simple as 'switch to linux' Linux zealots just as MS zealots need to get a clue. The answer isn't 'just switch'. Do what is right for your business and business needs. Having worked in the automotive IT field and currently the airline IT industry, there are soooooo many proprietary apps that won't run if the planets are not in correct alignment, that it is impossible to 'just switch'. Are mainframes still around? Microcomputers? AS400's? You betcha. Why? Because people can't 'just switch'. Besides does open office have the 64 bit math bug that Office 2007 does? Do you want a billion $ deal to fail, because OO doesn't have a flaw that Office 2007 does? There is a reason MS is the market leader. They are the standard. You may or may not like the standard, but it is THE standard. I'm all for making the standard better, but unlike the zealots, I don't care who's name is on that standard. I don't care if I have to pay for it. Put CD in the drive and it works. MS does this for me, it may not for you. It may not be what you are looking for.
16. Re:Why not just dump Windows? by Jansingal · 2007-11-15 06:41 · Score: 1
  
  Common suggestion: Dump windows and we are secure
  Similar argument: Stop hating people and no one will get killed.
  
  We call people who make such crazy arguments weird.
17. Re:Why not just dump Windows? by dave562 · 2007-11-15 08:11 · Score: 1
  
  The way you joke about application needs for Linux is very similar to the way a lot of people joke about switching to Linux in the first place. Sure, it's all great and fine to champion Linux as the cure for the problem of Microsoft dominance in the computerized world. Yet for a lot of real companies, the only "solution" to breaking their dependence on Microsoft on the desktop or the server is to "run your Windows apps in a VM on Linux." Ya, great solution there. Add another layer of complexity to the problem.
18. Re:Why not just dump Windows? by Burz · 2007-11-15 10:31 · Score: 1
  
  But that is not to say that an environment where Windows is integral can actually achieve end-to-end security. Windows is the weakest link, and the difference isn't magic but a matter of design.
  
  System design is why even an "obscure" platform like MacOS could go from having dozens of malwares to about one post BSD transition.
19. Re:Why not just dump Windows? by Burz · 2007-11-15 11:29 · Score: 1
  
  A couple decades ago I'd have included asking the USSR to dump Communism, but that happened. But I suspect that IBM/Microsoft, Christianity and Islam are much more deeply entrenched than Communism ever was. And I suspect the reason for that is because Soviet communism, however much brainwashing was associated with it, did not condition people to supernaturalism. It made false claims because they were falsifiable. Time passed, people saw the results, and stopped believing in the system.
  
  With the supernatualist conditioning to faith for its own sake, credulity becomes much more insidious. Falsifiable claims are more of an embarrassing accident, and esp. when they turn out false the authorities will explicitly make 'faith' itself a burning priority in order to bury the issues.
  
  Religious faith is the explicit training of people to keep refocusing their attention (often on cue) onto something that is necessarily intangible.
20. Re:Why not just dump Windows? by Jansingal · 2007-11-18 15:12 · Score: 1
  
  what the heck are you trying to imply :!
from the protect-ya-network dept. by eikonoklastes · 2007-11-14 09:31 · Score: 2, Funny

I thought this would have come from the preaching-to-the-choir dept.
1. Re:from the protect-ya-network dept. by Anonymous Coward · 2007-11-14 09:37 · Score: 0
  
  Or maybe not. See above.
2. Re:from the protect-ya-network dept. by Jansingal · 2007-11-14 11:54 · Score: 1
  
  yeah... but that choir lost their voice :)
My security dream by blhack · 2007-11-14 09:34 · Score: 1

Does anyone know of a system that works like this?

There is one master drive image that sits on a server somewhere on the Lan.... ..every night, when there is nobody using the workstation, it gets "re-imaged"

My Documents or $home or whatever is mapped onto a server. Similar to a netboot I guess...

keep like 3 copies of the image around and MD5sum them before they go out to make sure that the master hasn't been corrupted or infected or some BS.

Added bonus is any software changes would just get done at the master image...then get moved out to the clients that night....

kindof a netboot + SAN i think...

does anybody do this?

--
NewslilySocial News. No lolcats allowed.
1. Re:My security dream by morgan_greywolf · 2007-11-14 09:44 · Score: 1
  
  Why not just use a diskless workstation, with the master image sitting on the SAN, locked down and mounted readonly?
  
  --
  My blog
2. Re:My security dream by cbelt3 · 2007-11-14 09:46 · Score: 1
  
  Well, back in the 1960's and 70's we called it a mainframe computer. Lots of corporations use "Citrix" which empirically provides a virtual machine for a common, locked to the teeth desktop user. Or some sort of terminal server.
3. Re:My security dream by silas_moeckel · 2007-11-14 09:51 · Score: 1
  
  I used something similar in school systems every time the machine booted it reverted to a fixed image, they could send that image from the network onto the PC's to upgrade them. Worked pretty well once you turned off USB/CDrom booting, locked the bios and locked the systems in place the kids couldn't defeat it easily. Teachers could just hit the reset button to boot to a clean OS.
  
  --
  No sir I dont like it.
4. Re:My security dream by doas777 · 2007-11-14 09:55 · Score: 1
  
  it'll work as long as you have site licenses for everything and no one uses a special app.
  
  the real problem are your artistic and tech staff. not everyone needs Adobe Creative Suite, SQL server, and visual studio. these licenses are pricey and the software is to "heavy" requirement wise to deploy to all PCs.
5. Re:My security dream by everphilski · 2007-11-14 10:01 · Score: 1
  
  Back where I used to work they had a diskless computer cluster similar to this. A master node held the disk image, and when each computer booted up it would request the disk image from the master node and put it on a RAM disk. No hard drive, floppy or CD-ROM drive on the cluster. Once they booted up they got their image with their tasks, started running the tasks, etc.
  
  If any node was having problems, all they had to do was flip a switch. If it came back up, great, if not pull it offline and see what failed.
6. Re:My security dream by dnormant · 2007-11-14 10:03 · Score: 1
  
  In a mainframe environment ALL of the resources, except the terminal IO and user were in the mainframe. Here he is describing a multi user environment where only the disk and boot image are shared. Big difference.
7. Re:My security dream by neurovish · 2007-11-14 10:09 · Score: 1
  
  kindof a netboot + SAN i think... kindof?
  The computer labs where I went to college were setup this way. It's really the only sane desktop policy for 30,000 users who would love nothing more than to mess up every single computer they touched that they didn't own. Every reboot and you're back to a normal windows image.
8. Re:My security dream by Sproggit · 2007-11-14 10:27 · Score: 1
  
  http://www.preworx.com/
9. Re:My security dream by CotterPin · 2007-11-15 04:30 · Score: 1
  
  Where I work, we're deploying http://www.ardence.com/, which essentially does what you want. You create locked-down master images tweaked the way you want them, and the clients essentially use your Ardence server as a hard disk. The difference between this and a solution such as Citrix is that other than disk I/O, the OS uses local hardware instead of server-side computing. It works very well, and each time the machine boots it gets a pristine fresh install of the OS; all changes the user made are discarded. Not only that, but switching desktop OSes is as simple as a reboot. Changing a master image is very easy, too, and you can keep multiple images in case a change you made blows things up. One example they show in their demo is to boot Windows on the worker-bee desktops during business hours; reboot after hours to Linux to participate in a compute grid, then boot back to Windows before the start of the workday. The only caveat is that it requires a reliable network, obviously, but if a connection is lost, the machine stays up until reconnect (as opposed to kernel panic or such.) That, and you have to use roaming profiles or $home to keep personalized settings. It's a very flexible and cool solution you should check out.
  
  --
  Haiku's are easy
  The best can touch you deeply.
  Hippopotamus.
10. Re:My security dream by Jansingal · 2007-11-15 06:45 · Score: 1
  
  diskless workstations are awesome. the network computer concpept of some years back did the similar.
  
  great concept, really great.
  
  but never took off. beats me why not.
It's all useless by fremean · 2007-11-14 09:35 · Score: 3, Insightful

You can spend billions of dollars securing your network end to end, but so long as you still employ staff (or let them have communication with the outside world) nothing you buy can protect you from ID-10-T security breaches
Choice quote from CSI by mcrbids · 2007-11-14 09:36 · Score: 4, Funny

As they were chasing the bad guy (girl?) through the 2nd Life game, the CSI lab was hacked. Choice quote:

"We're under attack! Get that firewall UP NOW!"

I mean, yes, it's CSI and nobody expects perfection, but that's representative of the way people often see things...

--
I have no problem with your religion until you decide it's reason to deprive others of the truth.
1. Re:Choice quote from CSI by ch-chuck · 2007-11-14 09:53 · Score: 0, Troll
  
  In a *real* Enterprise management system, the Supervisor would not only bring the Firewall up but arm the router with photon packets to launch countermeasures and take out the attacker if he doesn't stand down after the communications office issues a warning on all inband channels. Once the threat has been neutralized, a landing party of software agents can be scp'd over to investigate the situation.
  
  --
  try { do() || do_not(); } catch (JediException err) { yoda(err); }
2. Re:Choice quote from CSI by dnormant · 2007-11-14 10:09 · Score: 2, Insightful
  
  My wife looked at me like I was nuts when I started to roll on the floor over that one...
  
  GET THE FIREWALL UP...
I've heard of it. by khasim · 2007-11-14 09:38 · Score: 1

Back when I was consulting, one of the other consultants ran into a situation like that.

The problem was that SOMETHING would go wrong with one or more of the machines and they would not get the image. Which really sucked when the user came in in the morning. Those machines had to be manually imaged.
Defense in depth by starfishsystems · 2007-11-14 09:43 · Score: 4, Insightful

Defense in depth is an important security principle, among several others which have apparently not received any treatment in the book reviewed here.
Considering that the book is cxclusively concerned with configuring proprietary network gear, that's perhaps understandable. But when the same book presumes, by its title, to offer a general treatment of end-to-end security will have badly misled its readers. This is not end-to-end security, but instead the much smaller subset which concerns how to manage network traffic.
If we genuinely want to talk about end-to-end security, we'll have to look closely at the endpoints. We have to look at them in terms of their own architectural security, as well as how they function as communicating agents. And where communication is concerned, all the stuff in the middle, generally speaking, is not trustworthy.
That's a more principled approach to what "defense in depth" means in the context of these endpoints. Sure there might be a few firewalls or encrypted tunnels along the way, but the endpoints have no means of assuring that this infrastructure is in fact secure. Should those layers fail to operate as expected, the security of the communication falls to other layers. Ultimately, the responsibility falls to the endpoints themselves.
Dealing with security in several fragmented pieces is not so great. That's because security is an emergent property of the entire system, not something which can be directly composed from elements of the system. A text which provides a treatment of security princples comprehensively would be most welcome. Let's save the "end-to-end" terminology for when we're really looking at end-to-end architectures.

--
Parity: What to do when the weekend comes.
1. Re:Defense in depth by Jansingal · 2007-11-14 10:30 · Score: 1
  
  i think it was made pretty clear that this is a by cisco, for cisco, there aint nothing in the world but cisco book.
2. Re:Defense in depth by monopole · 2007-11-14 10:39 · Score: 1
  
  We use defense in depth. Two firewalls! One after another, each providing ROT13 encryption for our VPN. Bring it on hackers!!!
3. Re:Defense in depth by trolltalk.com · 2007-11-14 10:39 · Score: 1
  
  "i think it was made pretty clear that this is a by cisco, for cisco, there aint nothing in the world but cisco book."
  Yep. Those Crisco people are sure greasy!
  Better to cut the fat and switch to leanux.
  
  --
  Kevin Smith on Prince
4. Re:Defense in depth by Jansingal · 2007-11-14 14:11 · Score: 1
  
  Waht does anne coulter have to do with it?
Or, just get a Mac/Linux? by Blahbooboo3 · 2007-11-14 09:49 · Score: 0, Troll

Mac for the desktop and Linux for the server room.

I remember reading on slashdot several years ago about a network security idea to scrap all this firewall gateway etc stuff and just implement a secure desktop (i.e. with almost no open ports other than 80 and 443).

In many ways, it makes sense to me.
1. Re:Or, just get a Mac/Linux? by nine-times · 2007-11-14 10:04 · Score: 2, Interesting
  
  I remember reading on slashdot several years ago about a network security idea to scrap all this firewall gateway etc stuff and just implement a secure desktop
  That's all well and good so long as you can really trust each individual machine. Also, you'll probably want to wait after the move to IPv6, or else you'll probably want to have some kind of gateway w/NAT. Even if you had all that, I wouldn't mind having a firewall anyway, just as an added layer of security.
2. Re:Or, just get a Mac/Linux? by Jansingal · 2007-11-14 11:07 · Score: 1
  
  big initiative.... but it was quashed by msft :)
Godwin says... by kensan · 2007-11-14 09:50 · Score: 2, Funny

nothing for you to see, move along.
1. Re:Godwin says... by doas777 · 2007-11-14 11:05 · Score: 1
  
  I don't think godwins law applies in this case. it's primarily for adversarial situations.
  
  if someone said:
  "you're a nazi" => bad; the law applies
  
  "I'm/We're nazi(s)" !=> bad ; law is N/A.
2. Re:Godwin says... by Jansingal · 2007-11-18 15:16 · Score: 1
  
  this has as much to do with godwin as.... well nothing
Anti-spy-malware = bad by Anonymous Coward · 2007-11-14 10:10 · Score: 0

Anti-malware or anti-spyware is bad. It relies upon the enemy already making a foothold in your machine and then kicking them out.

If you can see them that is.

What about a OS that is so secure and self checking that malware doesn't even have a chance to exist?

How about a OS that checks itself from a ultra secure location and reverts a boot drive back to the original state before the malware gained entry? All seemlessly done in the background?

The offending code sent to the OS maker?

How long would the anti-spy/malware industry exist if a major OS maker did that?
Firewalls are your LAST line of defence... by rHBa · 2007-11-14 10:30 · Score: 1

...for web servers or any DMZ server anyway.

I know many security guys (mostly on FreeBSD servers) who don't even bother with a firewall. You shouldn't have insecure services running in the first place.

Of course it's a whole other world when it comes to protecting a LAN where you can't effectively control the services running locally.
1. Re:Firewalls are your LAST line of defence... by Martin+Blank · 2007-11-14 10:48 · Score: 3, Informative
  
  You don't always know if you have insecure services, though. You can limit the rights of the accounts under which services run, but there may still be ways of using vulnerabilities to get around that. This is one of the reasons that application-level firewalls are becoming so popular, as allowing only RFC-compliant (at least essentially so) traffic can prevent numerous exploits. Having dropped such a firewall into the middle of a network before, I've seen what suddenly gets blocked.
  
  --
  You can never go home again... but I guess you can shop there.
2. Re:Firewalls are your LAST line of defence... by guruevi · 2007-11-15 01:43 · Score: 1
  
  Of course those "application firewalls" also run software that can be (if not more easily) exploited or run the same operating systems as your server boxes (BSD or Linux). I run a full Linux/BSD/Mac shop and every computer has it's own public IP (1 to 1 NAT). The firewall is basically a Cisco router that does filtering on ports/IP. I don't really trust the firewall because it's not owned by me rather, IT Services (I'm part of a larger institution) has full control from a few computers over all the firewalls and they have a huge list with passwords. Their practices, keeping password lists laying around in the office, calling over the (wireless, unencrypted) phone to get them, running Windows on the desktop is not really what I would call secure so I trust my firewalls less than I trust my users and their computers.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
Human Factors by handy_vandal · 2007-11-14 10:33 · Score: 3, Interesting

Also consider the human factors angle.

I used to do tech support at a major US university. I'd show up at the user's desk, flip the keyboard upside down ... there's the password, taped to the underside of the keyboard. Hell, sometimes it was taped to the monitor. Not every time, of course -- a minority of users, really -- but often enough to make it a Bad Habit.

-kgj

--
-kgj
1. Re:Human Factors by firstnevyn · 2007-11-14 11:45 · Score: 2, Insightful
  
  If Mallory is sitting at the console you've already lost.
  
  A critical question is what are you attacking against? if it's Joe Random Cracker out on the interweb then the password being taped to the keyboard is BETTER than having a weak password that's memorised (and easilly bruteforced).
  
  If the threat is unauthorised access internally then it's a problem that it's taped to the keyboard written on a card in your wallet would still be better imho than a weak password.
  
  In short it's bad.. but when the threat isn't in the building (which is secure) it's not SO bad.
  
  --
  Good, fast and cheap pick two.
Re:What a bunch of NAZIs we are.... by tjstork · 2007-11-14 10:45 · Score: 2

We want freedom for the users to make their systems obey them, and allow them to study and modify it to suit their needs.

That's all very noble sounding but its not at all the truth.

No we don't. We want to impress our corporate masters with all of these shiny reports showing how much we know about everyone is on the system, trying to candy up our asses in the name of safety. We're no different from the people pushing camcorders in grocery stores. Security is a protection racket industry... "buy from us, before some hacker/muslim/bigfoot, gets you..." And really, it seems to me that the climate of fear that we are imposing on IT far and away outweighs the perceived benefit, just as it does, whenever security becomes an industry by itself.

I guarantee that there is not a single developer on this board that has not written a security / tracking system for some product, somewhere, and not marveled at the possibilities of all that information they collect.

--
This is my sig.
Networks, military bases, banks, whatever ... by ScrewMaster · 2007-11-14 11:03 · Score: 4, Insightful

if you're depending entirely upon a perimeter defense you will get pwned.

--
The higher the technology, the sharper that two-edged sword.
Antivirus on the desktop? by rastoboy29 · 2007-11-14 12:57 · Score: 1

Am I the only one who's never found a single antivirus app to be worth a damn?

--
expandfairuse.org
1. Re:Antivirus on the desktop? by Jansingal · 2007-11-14 14:17 · Score: 1
  
  >>>Am I the only one who's never found a single antivirus app to be worth a damn? that is the stupidest thing i ever heard. if you run windows, you need av apps, plain and simple. av apps might not catch everthing, but they are worth a damn, no question about it. you MUST redo your comment. it makes no sense.
2. Re:Antivirus on the desktop? by rastoboy29 · 2007-11-14 18:40 · Score: 1
  
  No, I will not, and I despise Windows as much as the next slashdotter. With a simple firewall and a router, don't run IE, not running a server, and admittedly a little technical knowledge, I have been virus/malware free, well, forever. I don't ever "click here" randomly and stuff, you know? You only need AV software if you're technically incompetent. I realize those people are out there, but I'm just saying it's not necessary if you understand a few things about how computers work.
  
  --
  expandfairuse.org
3. Re:Antivirus on the desktop? by Jansingal · 2007-11-15 03:49 · Score: 1
  
  >>>You only need AV software if you're technically incompetent.
  
  And that is conservatively 90% of the end-user base in the world. so for you and the few thousand people who do security right, fine.
  
  for the other few hundred million people, they DO NEED AV SOFTWARE.
4. Re:Antivirus on the desktop? by Jansingal · 2007-11-15 03:53 · Score: 1
  
  >>>You only need AV software if you're technically incompetent.
  
  And that is 90% of the end user base in the world.
  
  yes, for you and your friends, your premise is correct.
  
  for the other few hundred million end users, AV IS A MUST!!! That is undisputable!!!
5. Re:Antivirus on the desktop? by Jansingal · 2007-11-15 04:17 · Score: 1
  
  After reading your comment 5 times, and sending it to 5 people, all of us agree that no matter how correct you are, this is a Windows and IE world.
  
  Suggesting Not running windows, not using IE, is plain impossible.
  
  And what you did describe is HIGHLY TECHNICAL!!!
  
  Most people cant find control panel, let alone configure it.
6. Re:Antivirus on the desktop? by Anonymous Coward · 2007-11-15 05:43 · Score: 0
  
  Just switch to Mac. It's no excuse to let security holes within a network just because you have end-users (and using Windows).
It's about integrating security into design! by netnull · 2007-11-14 16:17 · Score: 1

I'm constantly befuddled about the time and energy wasted on the concept of end-to-end security. The plain basic truth is this: Productivity does not require security! What this means is we end up in a cycle of building networks and applications without considering the potential risks and security requirements. Security, whether it's a firewall to an end-to-end implementation with so-called defense in depth, is a bolt-on patch to something can could have been designed securely to begin with. There's never enough time and money to do something right, but tons of it to do it over. Start with zero, and define your applications, from routing protocols all the way up to e-mail and databases, and put security controls in place relative to those applications. If you support mobile hosts, figure out how they can be securely mobile, or treat them as external hosts at all times. Once you design security into your processes and hosts, deny the rest of the traffic. It just seems that users think they have some God given right to do as they choose on the Net as they do at home. This is just not the case.
1. Re:It's about integrating security into design! by Jansingal · 2007-11-18 15:10 · Score: 1
  
  >>>he plain basic truth is this: Productivity does not require security!
  
  I have no idea what that means, please explain.
2. Re:It's about integrating security into design! by netnull · 2007-11-23 05:19 · Score: 1
  
  What I mean by "productivity does not require security" is that most organizations are guilty of deploying networking technologies without consideration of the security risks involved. Anyone can setup a productive Apache server, but properly locking it down, setting permissions and associated firewall and routing policies, etc., is something that should be considered, but is often devolved down to a set of so-called best practices, if followed at all. You can stand up a wireless AP, but setting one up securely is something beyond most people (I can walk around my neighborhood and remain connected with the number of open APs available). When you look at convergence technologies, such as VoIP, everyone sees the benefits, but no one factors the risk mitigating costs, such as ensuring that your routed infrastructure's reliability matches that expected of your phone system.
  
  We are so often blinded by the fact that something works, that we fail to examine if it is secure until it is too late.
Well, yes... by jd · 2007-11-14 18:50 · Score: 2, Interesting

...but Cisco IOS supports more than firewalls - which seems to be the only focus of the book. IPSec in certificate-based router-to-router mode should be a fundamental consideration in business-to-business connections over the public Internet. Duplicating the endpoint would be essentially impossible.
Active NIDS is usually discouraged when placed in serial with the network, as it usually can't block the network when in parallel. But if the NIDS server can log onto the managed switch or router, it can disable the connection on an intrusion being detected. If it's sniffing the packets on the regular network only (ie: not providing any service to the network), it can't be seen or disabled.
If servers on the network aren't intended for outside use, make them IPv6-only and either make the router an IPv4/IPv6 gateway or use IPv6 tunnels to the extranets of interest. You can't crack what you can't connect to, putting those servers out of reach.
PAM supports OPIE and S/KEY, so you can always make passwords MUCH harder to obtain or crack. Kerberos V is also good for that.
Banning open protocols and .rhosts, requiring SSH or SSL/TLS-based protocols would likely do wonders for security as well. Even if passwords are technically encrypted, you can learn a huge amount from the rest of a session if it's not encrypted. Ergo, mandate encryption.
Next, as far as possible, servers should use mandatory access controls (to limit the use of any bugs for escalation) and software that has been as audited as possible (to minimize the risks of such bugs existing in the first place). The greater the risk of holes, the less the value of protecting all the other avenues that could be used for attack.
Finally, password files and other authentication data should be protected by means of strong encryption or strong cryptographic hashes according to requirements. That way, if a service ends up proving exploitable or some other hole is discovered, an attacker can't use such data to access the system with greater rights.
Sure, this is (a) imperfect, (b) clock-cycle expensive and (c) costly if done right, but it WILL be better than any firewall on its own, no matter how good the firewall.

--
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I grant you the ... by Anonymous Coward · 2007-11-15 01:07 · Score: 0

Mmmmmmonster Kill!
Yes, yes it can. by Nursie · 2007-11-15 01:10 · Score: 1

That's why you have restrictions on what users can do with their machines, especially non technical users.

Oh, sorry Mr Marketing guy, you can't install new software, you don't need it.

No, you're not authenticated for full office network access mr homeworker, not until your machine's been fully scanned. Until then you can access your mail account and the web from this sandbox area.

Uh, no, mr software developer, you can't have root access to the main source repository...

There are many things you can do to protect yourself from the ID-10-T problem.
Um...one big problem with this book by pulse2600 · 2007-11-15 02:34 · Score: 1

The use of one vendor for all security products is not a good idea. To truly have defense in depth, there needs to be variety in your security products across your system or infrastructure. If all your security products have a common base (Cisco IOS, in this case), then one security vulnerability in the IOS software can render most or all of your defense useless. As an example, I might have a network built on Cisco Catalyst switches, with a Cisco VPN concentrator, Cisco Secure IDS, and a PIX firewall. I might have another that has a Checkpoint Firewall, with a Sonicwall VPN device, Snort IDS running on Linux, and Cisco routers with 3Com Switches. All of a sudden, an exploit comes out for IOS that allows full enable/administrator access via a specially crafted packet. Which network is more secure?

From the review, I can not tell if the author suggests this at all. If he does not, then he is missing one very important part of security...don't put all your eggs in one basket!