- Posts: 8
- Thank you received: 0
security project.. help!!!!
20 years 1 month ago #3322
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: security project.. help!!!!
Well you should start by determining what you are trying to protect, the crown jewels of the company --
Crown Jewels
This could be a database of customer information, or a server that contains source code etc. Once you have isolated this, you must plan a policy that secures the crown jewels from the outside AND from the inside. This will involve most likely firewalling off the server and installing intrusion detection systems (both host based and network based) on the system and its corresponding network. You will also harden this system.
You will ensure that all access to this system is authenticated (in other words passwords etc). All transactions to this system must have integrity (in other words you might want encryption etc).. if need be, transactions should be private (like to medical records etc), and there should be non-repudiation of events.. meaning that any event that occurs must be noted in such a way that it is possible to hold someone responsible for that action. For example if a database is changed, the corresponding user-ID who changes it and date and time should be logged so that there is no way that anyone can say they didn't do something.
Then you will deal with generic threats
1. Viruses and worms -- These will constitute the single largest persistant threat to your network. While a hacker attack might be more damaging, it may or may not ever come, whereas you can gaurantee that virii will be a problem. You should write an effective policy for the following :
1.a. Acceptable email use policy
Are employees allowed to check non-company related email accounts (hotmail etc) on company time ? These email accounts are beyond your control, by allowing someone to use them and possibly get an infection through there, you are trusting these entities.
Will company mail be allowed to recieve attachments ? Your mailserver will be configured to scan all attachments for viruses and quarantine infections. Furthermore attachments with extensions like .exe .zip .pif .scr .bat will be quarantined as a precautionary measure.
All email will end with a company signature that says something to the effect of 'This is confidential correspondence, if you are not the intended recipient of this email you must notify the sender immediately and delete this email' or something similar to avoid untoward information leaks. You can get a canned version of how legal teams write this stuff by searching the net.
1.b. Individual anti-virus policy
There should be anti-virus packages installed on all systems, along with an automatic feature to update them. Since this could result in tremendous WAN bandwidth usage, consider hosting an internal update server that will download the update from the net and clients will update from it as a point of contact. In a large organisation you can have multiple update servers for various subnets / departments.
Individuals should be given a list of policies and procedure to follow when dealing with unknown files and attachments. Proper guidelines should be in place for a person to respond to an incident if they feel they are infected. This policy will call for isolation of the machine from the rest of the network to prevent further infection.
Border Security
Knock yourself out with this one, draw a network diagram and pick places to install firewalls and intrusion detection systems. Weigh the pros and cons of placing an IDS before the firewall -- it will see all attacks going to the firewall, but generate much bigger logs. If you place it just behind the firewall, you will only see attacks that get through (in other words attacks you have to deal with). DMZ any public services you have such as a webserver, DNS and external mailserver. You can have a mailserver on the internal LAN that talks to the DMZ mailserver to collect mail. All other communication between LAN and DMZ *must be prevented*. Perhaps only a few 'trusted' IPs in the infosystems department should be allowed administrative access to DMZ systems. Maybe via SSH or an SSL encrypted web interface.
You can also consider installing Labrea tarpits over the unused address space so as to slow down any worm that gets through to the network or any attacker that is scanning the network. You can also consider deploying a honeynet ( www.honeynet.org ), not just for information purposes, but as a system to confuse attackers, attract attacks, and act as an early warning system. If an attacker believes he has found your database server when he attacks a fully logged honeypot, you have won the game.
Physical Security
This should be fairly simple. Lockdown and isolation of server rooms and IT management workstations. Physical audits of company workspace to make sure people arent writing down passwords on post-its. Checking at entry points for CD's etc. Ensuring there are no switches lying about that people can just plug their laptops into etc.
Wireless security
Analyse whether it is truely a requirement. If it is, then isolate it on a separate network from any critical data. Wireless is insecure -- follow all the guidelines and go with reliable peer-reviewed security protocols rather than some proprietary hidden protocol. Physically scan the area for rogue wireless access points.
Network infrastructure
Patch your routers and switches, isolate traffic and departments on VLANs if possible. Make one monitoring station check for anyone arp poisoning the LAN and attempting to sniff the switched network.
Once all these have been handled, you will need to write up policies for the following :
1. Password policy - [minimum password length, password aging, lockout policies]
2. Incident response - Who is to responsible for responding to incidents ? If possible, appoint a security response team with specific duties.
3. Have a security committee comprising of members from different departments that will oversee security control in their departments. They will come together to discuss what is acceptable and what is not (for example they could help draw up a list of sites that is acceptable for employees to visit).
4. Instant messenger policies and the like. These are a great source of information leaks as well as possible infection vectors for virii. Lock them down. If you need messaging within the company, set up a dedicated messaging server.
That should be more than enough to get you started.
You can be kind and credit firewall.cx in your report --- not to mention spread the word !
Crown Jewels
This could be a database of customer information, or a server that contains source code etc. Once you have isolated this, you must plan a policy that secures the crown jewels from the outside AND from the inside. This will involve most likely firewalling off the server and installing intrusion detection systems (both host based and network based) on the system and its corresponding network. You will also harden this system.
You will ensure that all access to this system is authenticated (in other words passwords etc). All transactions to this system must have integrity (in other words you might want encryption etc).. if need be, transactions should be private (like to medical records etc), and there should be non-repudiation of events.. meaning that any event that occurs must be noted in such a way that it is possible to hold someone responsible for that action. For example if a database is changed, the corresponding user-ID who changes it and date and time should be logged so that there is no way that anyone can say they didn't do something.
Then you will deal with generic threats
1. Viruses and worms -- These will constitute the single largest persistant threat to your network. While a hacker attack might be more damaging, it may or may not ever come, whereas you can gaurantee that virii will be a problem. You should write an effective policy for the following :
1.a. Acceptable email use policy
Are employees allowed to check non-company related email accounts (hotmail etc) on company time ? These email accounts are beyond your control, by allowing someone to use them and possibly get an infection through there, you are trusting these entities.
Will company mail be allowed to recieve attachments ? Your mailserver will be configured to scan all attachments for viruses and quarantine infections. Furthermore attachments with extensions like .exe .zip .pif .scr .bat will be quarantined as a precautionary measure.
All email will end with a company signature that says something to the effect of 'This is confidential correspondence, if you are not the intended recipient of this email you must notify the sender immediately and delete this email' or something similar to avoid untoward information leaks. You can get a canned version of how legal teams write this stuff by searching the net.
1.b. Individual anti-virus policy
There should be anti-virus packages installed on all systems, along with an automatic feature to update them. Since this could result in tremendous WAN bandwidth usage, consider hosting an internal update server that will download the update from the net and clients will update from it as a point of contact. In a large organisation you can have multiple update servers for various subnets / departments.
Individuals should be given a list of policies and procedure to follow when dealing with unknown files and attachments. Proper guidelines should be in place for a person to respond to an incident if they feel they are infected. This policy will call for isolation of the machine from the rest of the network to prevent further infection.
Border Security
Knock yourself out with this one, draw a network diagram and pick places to install firewalls and intrusion detection systems. Weigh the pros and cons of placing an IDS before the firewall -- it will see all attacks going to the firewall, but generate much bigger logs. If you place it just behind the firewall, you will only see attacks that get through (in other words attacks you have to deal with). DMZ any public services you have such as a webserver, DNS and external mailserver. You can have a mailserver on the internal LAN that talks to the DMZ mailserver to collect mail. All other communication between LAN and DMZ *must be prevented*. Perhaps only a few 'trusted' IPs in the infosystems department should be allowed administrative access to DMZ systems. Maybe via SSH or an SSL encrypted web interface.
You can also consider installing Labrea tarpits over the unused address space so as to slow down any worm that gets through to the network or any attacker that is scanning the network. You can also consider deploying a honeynet ( www.honeynet.org ), not just for information purposes, but as a system to confuse attackers, attract attacks, and act as an early warning system. If an attacker believes he has found your database server when he attacks a fully logged honeypot, you have won the game.
Physical Security
This should be fairly simple. Lockdown and isolation of server rooms and IT management workstations. Physical audits of company workspace to make sure people arent writing down passwords on post-its. Checking at entry points for CD's etc. Ensuring there are no switches lying about that people can just plug their laptops into etc.
Wireless security
Analyse whether it is truely a requirement. If it is, then isolate it on a separate network from any critical data. Wireless is insecure -- follow all the guidelines and go with reliable peer-reviewed security protocols rather than some proprietary hidden protocol. Physically scan the area for rogue wireless access points.
Network infrastructure
Patch your routers and switches, isolate traffic and departments on VLANs if possible. Make one monitoring station check for anyone arp poisoning the LAN and attempting to sniff the switched network.
Once all these have been handled, you will need to write up policies for the following :
1. Password policy - [minimum password length, password aging, lockout policies]
2. Incident response - Who is to responsible for responding to incidents ? If possible, appoint a security response team with specific duties.
3. Have a security committee comprising of members from different departments that will oversee security control in their departments. They will come together to discuss what is acceptable and what is not (for example they could help draw up a list of sites that is acceptable for employees to visit).
4. Instant messenger policies and the like. These are a great source of information leaks as well as possible infection vectors for virii. Lock them down. If you need messaging within the company, set up a dedicated messaging server.
That should be more than enough to get you started.
You can be kind and credit firewall.cx in your report --- not to mention spread the word !
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.156 seconds