Hackers Turn to Security Software

Excerpt from Firewall Policies and VPN Configurations (2006), part 7 (pages 47 - 50)

An article in the Washington Post in late 2005 highlighted a new and growing trend among hackers: the new focus on security software used by millions of end users. In the “old days,” hackers focused on attacking operating systems and exploiting known vulnerabilities. Although that still occurs, the new threat front is in the very software you rely on to secure your computer from the bad guys.

As hackers look for and exploit these vulnerabilities, they expose users to a whole new realm of risk. Operating systems such as Windows and Linux are now regularly updated and patched, but security software has typically updated only its virus signature files, not the program code itself. Now security software makers are finding their own products under attack and are having to respond the way operating system vendors once did.

For more information and to read the whole article, head to this URL:

www.washingtonpost.com/wp-dyn/content/article/2005/11/21/AR2005112101424.html

Network Security Checklist

This section is a lengthy one and is intended to give you a thorough review of the things you should review, assess, and think about when you prepare your infrastructure security project plan. Even though we’ve created a detailed list, there’s always a chance your plan will need additional elements. There’s also a strong likelihood that these checklists contain things you don’t have and don’t need. That’s okay. The point is to help you think through every detail you possibly can about your network infrastructure, so that you are thorough and don’t leave any stone unturned. At the end of this process, you may decide not to address some aspects of infrastructure security, or you might choose to work on some of these items in a Phase 2 or Phase 3 project plan. This should give you a great start in thinking all of this through.

We’ve divided the infrastructure project into four main areas, though you may choose to parse it out differently. We’ll look at devices and media and ways to secure network devices (excluding servers and user computers) and the network media. Media here means storage: network-attached storage (NAS) devices, backup media, and other storage devices. The “Topologies” section covers how you segment the network for security, including creating DMZs and implementing firewalls, and how you secure network traffic. Intrusion detection and prevention systems are pretty popular these days (for good reason), so we’ll look at best practices for implementing IDS/IPS that you can use in your project plan. Finally, we’ll look at system hardening, including hardening infrastructure servers (DNS, DHCP, and so on), application and database servers, and other computers on the network. Keep in mind that this is not a “how to” as much as it is a list of things to consider and include in your project plan. There are volumes filled with information on these topics; it would be far outside the scope of this book to explain how you do these things. Our intent is to provide a framework and a solid starting point for your infrastructure security project-planning process. If you’re not sure what some of these things are, or you’re uncertain how to address these issues, you’ll need to do further research on those topics.

Devices and Media

Network devices typically include routers, switches, firewalls, and other communication devices. We cover these items extensively at the end of this section (we placed it there because it’s a long, wide-ranging list). The short story is that routers, switches, and other communication devices should be:

1. Physically secured Place devices in a locked cabinet, locked room, and locked building, where possible. Where that’s not possible, devices should be closely monitored or access should be controlled or limited.

2. Physically inspected Remove extra cables, disable external ports, and disconnect unused connections.

3. Hardened Remove unused software, disable unused ports, stop or uninstall unused protocols and services, disable unused functionality, remove unused user accounts, change default settings, use strong passwords, and remove or limit all but one administrative account.

4. Monitored Audit, log, and monitor all access to devices, both physical and logical; monitor all successful logons; monitor all failed logons; review log files frequently; and store configuration data in a safe, secure location.

5. Encrypted Encrypt sensitive data files; encrypt and secure all removable media; create a secure system for handling removable media, including backup files; create a log file to track media handling; secure removable media in locked, access-controlled location; and store archives in a secure, off-site location.
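Items 2 through 4 of the list above can be checked mechanically against a saved configuration, which is worth doing before and after every change. The following Python script is an added example, not part of the book: it audits two constructed IOS-style configurations (one with violations planted in it, one after working through the checklist) for extra administrative accounts, weak or reversibly stored passwords, default SNMP community strings, unneeded services, cleartext management access, enabled-but-unused ports, and missing remote logging. The configuration text, account names, and the list of “unneeded” services are assumptions for illustration; which services are actually unneeded on a real device depends on its role.

```python
import re

# Constructed sample (not a real device): an IOS-style configuration with
# several checklist violations planted in it.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username admin privilege 15 password 0 admin
username backup-admin privilege 15 secret 5 $1$k9x2$7RqLp1
username svc-monitor privilege 1 secret 5 $1$h3m1$Qw8Tz4
username jsmith privilege 15 password 7 05080F1C2243
snmp-server community public RO
ip http server
service finger
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 description unused
 no shutdown
line vty 0 4
 transport input telnet ssh
 login local
logging host 10.0.0.50
"""

# The same device after working through the checklist (also constructed).
HARDENED_CONFIG = """\
hostname edge-rtr-1
username netadmin privilege 15 secret 5 $1$k9x2$7RqLp1
username svc-monitor privilege 1 secret 5 $1$h3m1$Qw8Tz4
snmp-server community Zq7vR2pLm9 RO
no ip http server
no service finger
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 description unused
 shutdown
line vty 0 4
 transport input ssh
 login local
logging host 10.0.0.50
"""

WEAK_PASSWORDS = {"admin", "cisco", "password", "123456", "changeme"}
# Assumed list for this example; tailor it to the device's role.
UNNEEDED_SERVICES = ("ip http server", "service finger", "ip bootp server", "cdp run")


def parse_interfaces(text):
    """Return {interface name: [indented sub-commands]} for each interface block."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_config(text):
    """Return a list of (finding code, detail) tuples; an empty list means clean."""
    findings = []
    # 3. Hardened: remove or limit all but one administrative account.
    admins = re.findall(r"^username (\S+) privilege 15\b", text, re.M)
    if len(admins) > 1:
        findings.append(("multiple-admins", ", ".join(admins)))
    # 3. Hardened: strong passwords, never stored in plaintext (type 0) or in
    #    the trivially reversible type 7 encoding.
    for user, kind, enc, value in re.findall(
            r"^username (\S+) privilege \d+ (password|secret) (\d+) (\S+)", text, re.M):
        if kind == "password" and enc == "0":
            findings.append(("plaintext-password", user))
        elif kind == "password" and enc == "7":
            findings.append(("reversible-password", user))
        if enc == "0" and value.lower() in WEAK_PASSWORDS:
            findings.append(("weak-password", user))
    # 3. Hardened: change default settings.
    for community in re.findall(r"^snmp-server community (\S+)", text, re.M):
        if community.lower() in ("public", "private"):
            findings.append(("default-snmp-community", community))
    # 3. Hardened: stop or uninstall unused protocols and services.
    for svc in UNNEEDED_SERVICES:
        if re.search(r"^" + re.escape(svc) + r"\s*$", text, re.M):
            findings.append(("unneeded-service", svc))
    if re.search(r"^ transport input .*\btelnet\b", text, re.M):
        findings.append(("cleartext-mgmt", "telnet"))
    # 2./3. Physically inspected and hardened: ports marked unused are shut down.
    for name, lines in parse_interfaces(text).items():
        marked_unused = any(l.startswith("description") and "unused" in l.lower() for l in lines)
        if marked_unused and "shutdown" not in lines:
            findings.append(("unused-port-enabled", name))
    # 4. Monitored: logs must leave the device for a central collector.
    if not re.search(r"^logging host \S+", text, re.M):
        findings.append(("no-remote-logging", ""))
    return findings


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(f"{code:24} {detail}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the planted configuration the script reports nine findings; against the hardened one it reports none. The point of keeping the checks as data (weak-password set, unneeded-service list, default community names) is that the same script can be re-run on every configuration backup, which also exercises item 4’s requirement to store configuration data somewhere safe where it can be reviewed.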

Topologies

Network infrastructure security:

1. Create secure boundaries using firewalls, DMZs, and proxy servers.

2. Create secure remote access.

3. Create secure wireless access.

4. Implement a segmented network.

5. Implement network traffic security protocols for sensitive network traffic.

6. Deploy network security technologies.

1. Use Encrypting File System (EFS) or similar file encryption.

2. Require and use strong user authentication, passwords and account policies.

3. Employ the concept of “least privilege” when assigning user rights.

Security infrastructure components include routers, proxy servers, firewalls, and DMZs. Firewalls are pretty straightforward and can be implemented as hardware or software solutions. Let’s take a side street and take a quick look at DMZs.

Demilitarized zones, or DMZs, are isolated network segments that typically sit between the Internet and your network, whether in front of or behind your firewall (or between two firewalls). There are many different ways to set up a DMZ; again, it’s outside the scope of this book to discuss the design, implementation, and configuration of a DMZ. However, a few highlights of DMZ design might help as you look at implementing or tightening a DMZ for your network.
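One way to make those highlights concrete is to write the intended policy down as an ordered, default-deny rule base and test flows against it before touching a firewall. The Python below is an added example, not from the book: it models a web server in a DMZ between an outer and an inner firewall, evaluates sample flows with first-match semantics, and lints the rule base for the two design mistakes a DMZ exists to prevent (the Internet allowed straight into the internal network, and the DMZ allowed to reach the internal network on arbitrary ports). The zone prefixes, addresses, ports, and rule comments are constructed for illustration; this evaluates a policy, it does not program any real firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (not a real network): each zone is one prefix.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),   # catch-all, checked last
}


def zone_of(addr):
    """Map an address to its zone, most specific prefix first."""
    ip = ipaddress.ip_address(addr)
    for name in ("dmz", "internal", "internet"):
        if ip in ZONES[name]:
            return name


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty set means any destination port
    action: str         # "allow" or "deny"
    comment: str


ANY = frozenset()

# Outer (Internet <-> DMZ) and inner (DMZ <-> internal) firewall rules written
# as one ordered list. First match wins; a flow that matches nothing is denied.
POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "allow", "published web front end"),
    Rule("dmz", "internal", "tcp", frozenset({5432}), "allow", "web tier to its database only"),
    Rule("dmz", "internal", "any", ANY, "deny", "a compromised DMZ host must not pivot inward"),
    Rule("internal", "dmz", "tcp", frozenset({22}), "allow", "administration from inside"),
    Rule("internal", "internet", "tcp", frozenset({80, 443}), "allow", "outbound web"),
]


def evaluate(src, dst, proto, dport, policy=POLICY):
    """Return (action, comment of the matching rule) for a single flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dports and dport not in rule.dports:
            continue
        return rule.action, rule.comment
    return "deny", "implicit default deny"


def lint_policy(policy=POLICY):
    """Flag allow rules that defeat the DMZ design: Internet straight into the
    internal network, or DMZ into the internal network on any port."""
    problems = []
    for rule in policy:
        if rule.action != "allow":
            continue
        if rule.src_zone == "internet" and rule.dst_zone == "internal":
            problems.append(("internet-to-internal", rule.comment))
        if rule.src_zone == "dmz" and rule.dst_zone == "internal" and not rule.dports:
            problems.append(("dmz-to-internal-any-port", rule.comment))
    return problems


if __name__ == "__main__":
    flows = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),  # Internet -> DMZ web server
        ("203.0.113.7", "192.0.2.10", "tcp", 22),   # Internet -> SSH on DMZ host
        ("203.0.113.7", "10.1.2.3", "tcp", 443),    # Internet -> internal host
        ("192.0.2.10", "10.1.2.50", "tcp", 5432),   # DMZ web -> internal database
        ("192.0.2.10", "10.1.2.50", "tcp", 445),    # DMZ web -> internal file share
        ("10.1.2.3", "192.0.2.10", "tcp", 22),      # admin workstation -> DMZ host
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
    print("policy lint:", lint_policy())
```

The explicit deny from the DMZ to the internal zone is redundant with the implicit default deny, but it is there on purpose: when someone later appends a broad allow rule below it, the deny still wins, and the lint check catches the case where the broad allow is inserted above it. Running the same kind of evaluation against a real rule base export is a cheap way to verify that a DMZ behaves as designed.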

Designing DMZs

DMZ design, like security design, is always a work in progress. As in security planning and analysis, DMZ design carries great flexibility and potential for change, which is what keeps the protection we put in place effective. The ongoing work is required so that the system’s security is always as high as we can make it within
