What you need to do is make it virtually impossible to compromise your system and the data.
Keep in mind that most problems do not arise from outside the network, but from within. So your basic concern should be: Can I prevent things happening?
Not entirely, but you can secure your organisation if you make the right choices.
First, and MOST important: Use an OS that is immune BY DESIGN to ANY virus, worm or other malware, to be installed on any server in your network that is 'directly' exposed to the Internet. These servers should be configured to block spam by mail, contain software to protect other systems in the network against these threats, and be configured so that non-privileged users do not have access to files, programs, resources and whatever there is in the system that they are not authorized for, AND disallow others to gain access to the system at all if they are not authorized to enter it.
The system should also, by design, be able to audit all access when required, block intruders and signal them, and do a lot of accounting for security reasons.
And, of course, the system should be as free as possible from code errors that would allow malware to function at all.
All this should be BUILT-IN, not ADD-ON - it should be part of the OS itself.
That rules out at least the following OS's as MAIN SERVER:
* Windows (any version) for well-known reasons
* Unix (any flavour and any version) because security is not built-in, but an add-on
* Linux (any distribution and version) for the same reason
Second: do not run software on any server that is not needed for it to function. Disable all access possibilities that are not required on the system.
Use only software that has been proven to be safe.
Third: Use a router at your boundary that blocks all incoming traffic on ports that are not required, and routes all ports that you explicitly need to the secure servers. Unnecessary to mention that this system should itself be considered a server as above (access server).
Fourth, all other systems should NEVER be accessible from the Internet itself. Mail should be retrieved from an internal server as described above. All machines MUST have a scanner installed, even if the main server contains one, to detect any malicious software on these systems.
Unsafe protocols should be avoided within the network whenever possible. Use those that are secure by design.
Such systems don't come cheap, but security never is. Any whitepaper will tell you.
If you have any doubt on these matters, take a look at WWW.CERT.ORG and compare OpenVMS's records against any other. Look around on the Internet to find more proof of this OS's security and other advantages (where can you find a system where, in a period of over 7 years, all hardware has been moved, upgraded and replaced, the OS has been updated, without interrupting user applications - only when these applications needed an overhaul?)
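
The third and fourth points above, written as an audit over a boundary rule set. This is an added example, not part of the original post; the rule model, host names and port numbers are constructed for illustration and do not follow any particular router's syntax.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "forward" or "drop"
    port: Optional[int]           # None means "any port"
    target: Optional[str] = None  # internal host for "forward" rules

def audit_boundary(rules, required_ports, hardened_servers):
    """Return a list of findings; an empty list means the rules match the policy."""
    findings = []
    # Default deny: everything not matched earlier must be dropped by the last rule.
    if not rules or rules[-1] != Rule("drop", None):
        findings.append("no default-deny rule at the end of the rule set")
    forwarded = set()
    for r in rules:
        if r.action != "forward":
            continue
        if r.port is None:
            findings.append(f"forward of all ports to {r.target}")
            continue
        forwarded.add(r.port)
        # Only ports that are explicitly needed may be open at the boundary.
        if r.port not in required_ports:
            findings.append(f"port {r.port} is open but not required")
        # Inbound traffic may only reach the designated exposed servers.
        if r.target not in hardened_servers:
            findings.append(f"port {r.port} forwards to {r.target}, not a hardened server")
    for port in sorted(required_ports - forwarded):
        findings.append(f"required port {port} is not forwarded")
    return findings

# Constructed sample policy and rule sets (hypothetical hosts and ports).
HARDENED = {"mail-gw", "web-gw"}
REQUIRED = {25, 443}
GOOD_RULES = [Rule("forward", 25, "mail-gw"), Rule("forward", 443, "web-gw"),
              Rule("drop", None)]
BAD_RULES = [Rule("forward", 25, "mail-gw"), Rule("forward", 3389, "desktop-17")]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit_boundary(rules, REQUIRED, HARDENED))
```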