
Detect OS using IP address?

18 years 5 months ago #11677 by nske
Yes, each OS sets a certain default TTL value in all the outgoing packets originating from its TCP/IP stack (unless configured otherwise). This varies among some OSes or OS versions, but not always. TTL is an 8-bit number (0-255), but in practice only a few standard reasonable values are used as defaults (32, 64, 128 and 255), so in most cases TTL won't provide very specific information about the originating platform.
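The inference described in the post above, sketched as an added example that is not part of the original thread: it rounds an observed TTL up to the nearest of the four defaults the post names, then uses that coarse class defensively to check captured traffic against an asset inventory. The function names, inventory layout, 30-hop limit and sample addresses are all assumptions constructed for illustration.

```python
# Default initial TTLs named in the post (32, 64, 128, 255).
DEFAULT_TTLS = (32, 64, 128, 255)

def infer_initial_ttl(observed):
    """Round an observed TTL up to the nearest common default.

    Assumes the packet crossed fewer hops than the gap to the next
    default; a host with a non-default TTL will be misclassified.
    """
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be in 1..255, got %r" % (observed,))
    return next(d for d in DEFAULT_TTLS if observed <= d)

def audit(inventory, observations, max_hops=30):
    """Compare observed TTL classes with the class the inventory expects.

    inventory: {ip: expected initial TTL}; observations: [(ip, observed TTL)].
    Returns (ip, finding, inferred initial TTL, hop estimate) tuples.
    """
    findings = []
    for ip, ttl in observations:
        initial = infer_initial_ttl(ttl)
        hops = initial - ttl
        expected = inventory.get(ip)
        if expected is None:
            findings.append((ip, "unknown-host", initial, hops))
        elif initial != expected:
            # Different stack answering for this address (NAT, proxy,
            # replaced machine), or its TTL was reconfigured.
            findings.append((ip, "ttl-class-mismatch", initial, hops))
        elif hops > max_hops:
            # Right class, but the path length is implausible: likely
            # a non-default TTL that happens to fall in this bucket.
            findings.append((ip, "non-default-or-distant", initial, hops))
    return findings

# Constructed sample data (RFC 5737 documentation addresses).
INVENTORY = {"192.0.2.10": 64, "192.0.2.20": 128, "192.0.2.30": 64}
OBSERVATIONS = [
    ("192.0.2.10", 57),   # class 64, 7 hops: consistent
    ("192.0.2.20", 52),   # expected 128, looks like 64
    ("192.0.2.30", 64),   # class 64, 0 hops: consistent
    ("192.0.2.40", 250),  # not in inventory
    ("192.0.2.20", 70),   # class 128 but 58 hops away
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, OBSERVATIONS):
        print(finding)
```

Every observed value from 65 to 128 lands in the same class, which is why TTL alone only narrows a host to a broad family of stacks.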
18 years 5 months ago #11682 by DaLight
This link provides default TTL values for different OSes.
18 years 5 months ago #11716 by apit
Thanks DaLight... it helps me a lot.
Since everybody can scan our IP, is there a method to make it secure?
18 years 5 months ago #11719 by nske
In any case the primary focus should be to secure the systems instead of trying to evade the numerous OS fingerprinting techniques. By securing the systems I mean following common practices like
- minimizing the installed software
- minimizing the running services
- minimizing the filesystem and any other access permissions
- keeping everything up-to-date
- defining access lists whenever possible for sensitive services that do not need to be accessible from everyone or everywhere
- setting a good password policy, i.e. use passwords of more than 12 characters that change frequently
- keeping detailed logs for every possible activity
- using encryption wherever possible
- implementing an Intrusion Detection System or Intrusion Prevention System (like snort) that will notify you or take some action in case of unusual activity.

Depending on the number and kind of services your systems provide and the importance of data stored or exchanged, you may decide how many resources you want to spend on maximizing their safety. In general, if you follow the first 7 rules, each individual system should be decently secure against random script-kiddies. If you want to mention what services you intend to run and on which platforms, we may be able to suggest specific tips.

Unfortunately, attacks that take place from the inside of your network, i.e. by infecting Windows workstations, are just as dangerous and frequent today. So, especially if you have many workstations in your internal network, you must also emphasize their protection from less direct threats like viruses, worms and phishing email messages, that may allow someone on the outside to gain access to the internal network, bypassing any security measures that may be in place to protect from the outside. I've been studying a book these days, called "Extrusion Detection: Monitoring for Internal Intrusions", that made me reevaluate these kinds of threats!
18 years 5 months ago #11730 by DaLight
You hit the nail on the head, nske! Protecting a system from external intrusion is relatively easy if you know what you're doing. The serious problem for network admins nowadays is securing your network from the enemy within. It can be done, but it requires more work.
17 years 2 months ago #19773 by wannafly172
LANSPY. The greatest when it comes to inside network scanning.

"Buddha says, "Know your forms of linux: Mandrake, SUSE, Linspire, Xandros, Lycoris, MEPIS, Fedora Core, and Ubuntu""

It is my job to corrupt young people with the contagious, infectious idea of individual freedom