"Brough, Tom" wrote:
The FUD factor has thus so far limited the "services" we offer online. Since the "solution in a (black) box" type strategies have caused even more FUD and attempts to talk with "network security gurus" have left us with our heads spinning we are continuing with our DIY policy.
Wrong guru? At the end of the day you have to do it yourself or employ gurus full-time, although I think an annual external audit for IT security focuses the minds of others. Problem is management always want an audit to say everything is fine (I guess the analogy is with financial audits), whereas you want them to point out the rough edges, nothing so glaring as to reveal you're incompetent ;), but security is a slope of diminishing returns, and you want short cuts, and hints on how to get further up that slope as painlessly as possible. More like a dental check: you want to be told "no fillings" but you also want to be told if your brushing technique is flawed, or if you are grinding your teeth in your sleep, and maybe how to make your teeth whiter to enhance your attractiveness.
The first tentative step towards resolving this problem: We have been asked to set up a trial "network infrastructure" in order to test security issues. I am looking for a list of tests, hacking techniques, tools and potential solutions and strategies, in fact just about anything that can be used to improve network security, or alternatively a highly recommended URL which deals with the network security issues listed.
Port scanner (nmap is the business, and free); needs a little nous to drive it properly, but for starters it'll show you what is listening (from inside and outside) for connections, and if remote systems can be identified. Netstat is your friend.

Vulnerability scanner. Nessus is free but focused mainly on identifying exploitable weaknesses. There are also some good audit tools - nominally I am a reseller as one of my distributors sells one of these - which do a sort of glorified Windows Update, telling you what patches you are missing (even if there aren't known exploits in Nessus), and what common security options you should have set, or what common errors you have made. For *nix, SATAN and COPS did these kinds of things for free; I still use COPS for its ability to audit basic file permission issues on some production *nix servers, mainly because it reveals when my colleagues or the vendor (mostly HP) screw up, or break change control procedures. Of course if you have the dosh, ISS and friends are nice.

Next come tools to let you know you've been cracked, and/or stop it. So fingerprinting tools (Tripwire - the licence is a bit odd, I seem to remember), intrusion detection tools (often you can gather a lot from just logging activity that shouldn't happen, the "why is our webserver port scanning our database server?" question; does someone actually look at the firewall logs and ponder odd traffic?). The same distributor also plugs an NT server lock tool, where actions that would change key files, or read key files, are prevented and reported; they make the usual marketing claims about having stopped all sorts of IIS failings this way (for once I believe them). Much the same can be achieved with chroot'ing apps in *nix, without quite as much hassle when updating things.
There are some specific web site weakness tools, look for configuration weaknesses, but often it is hard to generalise these kind of tests, especially if you've customised something, or URLs are being rewritten to hide how servers work to the outside.
There will be at least one Linux box on the network that could be used for monitoring etc.
;-)
Any advice?
You can go overboard with the commercial products to help things, where a little understanding helps. Prevention is better than cure, but you must have enough monitoring so you know a cure is needed; sometimes a tight firewall config will show enough to reveal an active intruder. Best thing security-wise is good build and firewall procedures: the builds always switch off unneeded services, and follow the vendors' guidelines for setting up OSes and services. Firewall out, and log, everything that isn't absolutely required; for a DMZ this could include "all outgoing connections denied" (except maybe DNS and SMTP traffic from relevant servers - so even if you, say, left the IIS formmail problem, the server never sends the mail and you can clean it up in-house without embarrassment). Scan from the outside to see what it looks like, but use scanning on the inside to identify and lock down rogue services. Defence in depth has to be the motto: so many of the network applications are written in non-type-safe languages, load up loads of modules, or rely on dodgy underlying libraries, that you can guarantee they will have future exploits. Sure, patching them as weaknesses are revealed is a good move, but it is by "battening down the hatches" in advance that you prevent a minor weakness in a server application becoming an "owned" site. I prefer proxies to packet filters ;-)

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
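As an added illustration of the two points in the reply above (a DMZ "deny all outgoing except DNS and SMTP from the relevant servers" rule, and actually reading the firewall log to spot the "why is our webserver port scanning our database server?" case), here is a small log review script. It is example code, not anything from the original thread; the iptables-style log format, the addresses, the interface names (eth1 for the DMZ, eth0 for the Internet) and the allow list are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines for a hypothetical DMZ on eth1; eth0 is
# assumed to face the Internet. Not taken from the original post.
FIREWALL_LOG = """\
DROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=44123 DPT=25
DROP IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.6 PROTO=UDP SPT=50000 DPT=53
DROP IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=198.51.100.8 PROTO=TCP SPT=50123 DPT=25
DROP IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=44200 DPT=6667
DROP IN=eth1 OUT=eth1 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=45001 DPT=22
DROP IN=eth1 OUT=eth1 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=45002 DPT=23
DROP IN=eth1 OUT=eth1 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=45003 DPT=1433
DROP IN=eth1 OUT=eth1 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=45004 DPT=3306
DROP IN=eth1 OUT=eth1 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=45005 DPT=5432
"""
# Only outbound traffic the DMZ may originate: DNS from the resolver, SMTP from the relay.
ALLOWED_EGRESS = {("192.0.2.11", "UDP", 53), ("192.0.2.12", "TCP", 25)}
EXTERNAL_IF = "eth0"
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    # KEY=value pairs -> dict; None for lines that carry no SRC/DST
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["DPT"] = int(fields.get("DPT", 0))
    return fields

def egress_violations(log):
    # Outbound DMZ connections the policy does not cover, e.g. the web server
    # trying to send mail itself (the formmail case) or speaking IRC.
    bad = []
    for line in log.splitlines():
        f = parse_line(line)
        if f and f.get("OUT") == EXTERNAL_IF:
            if (f["SRC"], f["PROTO"], f["DPT"]) not in ALLOWED_EGRESS:
                bad.append((f["SRC"], f["DST"], f["PROTO"], f["DPT"]))
    return bad

def scan_suspects(log, min_ports=5):
    # Host pairs where the source touched at least min_ports distinct ports.
    ports = defaultdict(set)
    for line in log.splitlines():
        f = parse_line(line)
        if f:
            ports[(f["SRC"], f["DST"])].add(f["DPT"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}
```

Running `egress_violations(FIREWALL_LOG)` on the sample flags the web server's own SMTP and IRC attempts, and `scan_suspects(FIREWALL_LOG)` flags the web server walking five service ports on the database host.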