hackimacation / ip v2.1
Snort - a free IDS
Look for more of a security "architectural" focus here in the
coming months. I'll be moving away from the "how to hack"
message here. I believe we all agree that is what we want to find in
the tech control world.
Security Engineering: Integrated, not added on.
Architecture Integration
There are few mistakes bigger than neglecting security in
your network (re)design. Here are some ideas. Add a VLAN on a
non-routable network; this is where you put a management
network. Place your IDS and firewall management interfaces, out-of-band
management router and switch ports, and SYSLOG servers here.
Ensure you have the appropriate ACLs on your routers to restrict access to
only management workstations. Point
all logging devices, including routers, to your SYSLOG server.
Alert Management
So now you have all these
devices and lots of alerts. Now what? Now, look into a
Security Incident Management platform. These will take logs and
real-time alerts and normalize them. For instance, your IDS shows an
easy-to-read port scan. Your firewall logs show some ACLs being hit
and some unauthorized service requests. Your DNS server logs some
zone transfer requests and fulfilled one of them! Suddenly, your host
IDS (like Tripwire or Dragon Squire) reports system file changes on your
SQL server. Wouldn't it be nice to be able to correlate these alerts
all at the same time? What if you could write an alert script that
would say, "If you see this alert on the IDS, AND the firewall
reports the same source IP address attempting a connection on that
port, AND file1 OR file2 changes on server x, PAGE
me." There is a growing amount of software that does
this. Check out ArcSight and netForensics
for more.
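As an added illustration of the "IDS AND firewall AND file change, then PAGE me" rule above (example code written for this page, not a product's rule language), here is a small correlator run over constructed log lines from a network IDS, a firewall and a host IDS; the log formats, the IP-to-hostname map and the watched file list are all assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (formats invented for this example).
NIDS_LOG = ["2003-02-01 10:01:05 NIDS scan src=203.0.113.7 dst=10.0.5.20 ports=1433,139,80"]
FW_LOG = ["2003-02-01 10:01:40 FW deny tcp 203.0.113.7:4412 -> 10.0.5.20:1433",
          "2003-02-01 10:01:41 FW deny tcp 198.51.100.9:2211 -> 10.0.5.20:25"]
HIDS_LOG = ["2003-02-01 10:03:12 HIDS host=sql01 changed=C:\\WINNT\\system32\\cmd.exe"]

ASSETS = {"10.0.5.20": "sql01"}  # assumed IP -> hostname map ("server x")
WATCHED = {"C:\\WINNT\\system32\\cmd.exe", "C:\\WINNT\\system32\\net.exe"}  # file1 OR file2
WINDOW = timedelta(minutes=10)   # how long after the scan the other events may arrive

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def within(later, earlier):
    return timedelta(0) <= later - earlier <= WINDOW

# Each parser normalizes one source's line into a dict with a common timestamp key.
def parse_nids(line):
    m = re.match(r"(\S+ \S+) NIDS scan src=(\S+) dst=(\S+) ports=(\S+)", line)
    return {"t": ts(m[1]), "src": m[2], "dst": m[3], "ports": set(map(int, m[4].split(",")))}

def parse_fw(line):
    m = re.match(r"(\S+ \S+) FW deny \w+ (\S+):\d+ -> (\S+):(\d+)", line)
    return {"t": ts(m[1]), "src": m[2], "dst": m[3], "dport": int(m[4])}

def parse_hids(line):
    m = re.match(r"(\S+ \S+) HIDS host=(\S+) changed=(\S+)", line)
    return {"t": ts(m[1]), "host": m[2], "file": m[3]}

def correlate(nids_lines, fw_lines, hids_lines):
    """One page per scan whose source then hit the firewall on a scanned port of the
    same target AND a watched file changed on that target host inside WINDOW."""
    fw = [parse_fw(l) for l in fw_lines]
    hids = [parse_hids(l) for l in hids_lines]
    pages = []
    for scan in (parse_nids(l) for l in nids_lines):
        host = ASSETS.get(scan["dst"])
        hits = [f for f in fw if f["src"] == scan["src"] and f["dst"] == scan["dst"]
                and f["dport"] in scan["ports"] and within(f["t"], scan["t"])]
        changes = [h for h in hids if h["host"] == host and h["file"] in WATCHED
                   and within(h["t"], scan["t"])]
        if hits and changes:  # all three conditions of the rule are met
            pages.append(f"PAGE: {scan['src']} scanned {host}, hit port {hits[0]['dport']}, "
                         f"then {changes[0]['file']} changed")
    return pages

if __name__ == "__main__":
    for p in correlate(NIDS_LOG, FW_LOG, HIDS_LOG):
        print(p)
```

Drop the firewall line for 203.0.113.7 or the host IDS line and no page is generated, which is the point of correlating rather than alerting on each source alone.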
Evaluate Everything FIRST!
Anytime you add a device to a network, always ask, "What does
this expose and how can it be made secure without impacting
users?" Each time you add a service on a device, there is
potential to exploit it. The old adage "If you do not need
it, do not enable it" is always the first step. Determine your
AAA (Authentication, Authorization, and Accounting) schema. Check
the vendor's documentation to ensure the latest patches are
applied. Check with Security
Focus and others to find what vulnerabilities are publicized.
With the results of those investigations, update/tune your IDS signatures,
firewalls and other security devices. Here is a quick example bullet
list for standing up an internal Exchange server:
- Update the OS with all the latest patches
- Update Exchange with all the latest patches
- Turn off all non-essential services (like IIS or DHCP)
- Add log exporting or an appropriate host IDS agent
- Update router/firewall ACLs to only allow needed IP addresses and sockets
- Update/tune network IDSs to accommodate this particular system
- Use Nessus or other vulnerability scanning software to assess the new box
- Import the Nessus report to your security devices if supported (ArcSight, netForensics and Dragon IDS support this)
- Add the box to your periodic vulnerability scan schedule
This list is certainly not
all-inclusive. It will get you started though. Check with your
unit/company's policy to ensure it allows for this and if there are any
other things you need to do. You do have a policy, right?
Wireless (802.11): It can be made secure.
There has been much debate over the insecurity of wireless
LANs and Bridging solutions. This is an affordable AND secure
solution if done properly. There are a few simple steps to take that
can secure your implementation of a wireless device.
First, only buy devices with 128-bit encryption...and
ENABLE IT! Use good password practice when making your key.
Next, on your access points, enable secure access. What this does is
suppress the broadcast of your service set identifier (SSID). This
part is critical to rendering pseudo-sniffers like Netstumbler
ineffective. Third, use RADIUS or 802.1X authentication.
Essentially, if a device's MAC (or, in the case of 802.1X, a user) doesn't
authenticate, that MAC's traffic is not accepted on the network.
Lastly, use a VPN
technology with 3DES encryption. Users can use software
clients and bridges can use VPN hardware
clients to accomplish this.
For more info, see this
white paper (PDF) which describes a wireless DMZ concept.
Forensic
Focus - computer forensics and data recovery news and discussion:
Join our lively computer forensics community today and stay current
with other forensic computing professionals through our forum, email
discussion list and monthly newsletter.
www.nessus.org
has a great vulnerability tool. Full assessment
reporting with fix actions. Leaves a huge footprint on IDSs.
Windows
version is available
here.
The
Metasploit Framework is the best point-click-exploit to shell
available. It takes Nessus to the next level. This is basic training
for security/pen test labs.
Security
News Portal - a one stop shop for all the latest in computer
security. Start here!
www.antionline.com will tell you the latest
happenings in the underground, along with providing tools to secure (and unsecure) most
networks.
www.securityfocus.com is another mainstream
site. There are lots of tools and information here. Not a beginner site, but
essential for any system administrator.
rain forrest puppy is a
talented programmer who finds several security issues with MS-IIS. Also has perl
scripts to test the new vulnerabilities.
www.infowar.com is a mainstream information warfare
/ information security source page. Has all levels of info from desktop security to
international infrastructure threats.
netscan.org also touches the underground as well as
mainstream. Hope you do not see your organization listed here :-0
www.l0pht.com has lots of NT security tools too.
Packet Storm More mainstream IP/Sec
consulting. Recent change in site's url and look, but has the same
resources.
eEye Digital Security Makers
of Retina IIS hacking tool. Has some tools, but is a good site for keeping up with
news and advisories.
www.phrack.com mixes hacking and phreaking, with news,
codes, etc.