Integrating Network Security
into your Site
Rich Pinder
Los Angeles Cancer Surveillance Program
rpinder@usc.edu
• Big Picture thoughts on Security
• Components of organization wide security
• Rich’s ‘Top 10’
• “Security - it’s TOO complicated !!!”
• Doing nothing no longer acceptable.
• It’s HUGE. But why not take it piecemeal? Something BETTER than nothing!
• Little money? Few hours of the techies? Couple days time?? Hire a techie???
• Start small – go to the informational websites (look for .org and .gov sites) and search for ‘getting started’.
• Decide which steps you can handle
• Consultants sources
– Attend local user groups - *nix
– Los Angeles costs ~ 100/hr
Components
• User authentication and environment
• Filtering – Port & Process control
• Firewalls
• Encryption
• User authentication and environment
– Password protect ALL machines!
– One point login to multiple systems can be dangerous (breach on weak machines obtains same password used on hardened machines). Long. Complex. Changing (???).
– Use password policy programs
– Biometrics – promises both higher security
• User authentication and environment (cont)
– Environment
User Training & Awareness
Part of your annual confidentiality briefings
Ramifications of bad practices
User Accountability
• Filtering – Port & Process control
– Control the ‘doors’ to your computers
– Should be done for all systems. Should be done for ALL major systems!
– Software to do this exists for your system (IPSec on WinNT/2k – IP Chains/IPTables on Linux)
– Rules: Incoming – Outgoing – Forward…
• Filtering – Port & Process control (cont)
– Limit what’s running on your computer – KILL Unnecessary Services! (watch default installs)
– Port Scans – reports tell which ‘doors’ open
– Threat assessment – goes one better – tells you what’s open, and what to DO about it.
– Even some ‘Automated Mitigation’ software to
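
One way to see which ‘doors’ are open on a Linux host and compare them with what the site actually needs, as an added example that is not part of the original slides. The allowlist, the constructed sample listener table and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not on an approved list.
# SAMPLE_LISTENERS is constructed data in the layout `ss -tln` prints on Linux;
# on a live host, pipe the real command output into audit_listeners instead.

ALLOWED_PORTS="22 443"      # assumption: this site only needs SSH and HTTPS
CLEARTEXT_PORTS="21 23"     # FTP and Telnet, which the Top 10 says to replace

SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      511    [::]:443           [::]:*
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:111        0.0.0.0:*'

# Reads `ss -tln` style lines on stdin; prints "port scope kind" per finding.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" -v clear="$CLEARTEXT_PORTS" '
        BEGIN {
            n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(clear, c, " ");   for (i = 1; i <= n; i++) plain[c[i]] = 1
        }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)      # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)  # text before the last colon
            if (port in ok) next
            # Loopback-only listeners are not reachable from the network.
            scope = (host == "127.0.0.1" || host == "[::1]") ? "local" : "exposed"
            kind  = (port in plain) ? "cleartext" : "unapproved"
            print port, scope, kind
        }' | sort -n
}

# Counts the findings that are reachable from the network.
count_exposed() {
    audit_listeners | awk '$2 == "exposed"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners
```

Each finding is a service to shut down or a port to block in the host's filtering rules; anything that must stay open belongs on the allowlist and in the “Security Procedures” manual.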
• Firewalls
– There are really no flames involved!
– Firewall is Centralized Filtering – typically hardware and software solution. (Same software as we discussed for Filtering)
– Two NIC’s – pass through design
– Not a panacea! As soon as they’re in place, requests to bypass them come in! Modifications can induce error.
• Encryption
– Why send info in ‘plain text’ when you can send it Encrypted?
PGP – public key type encryption we’ve heard about for a long time (GPG better alternative?)
‘public’ key algorithm necessary to share with others without knowing the key.
• Virtual Private Network (VPN) & Tunneling
– Defines a secure interconnected conduit between geographically separated systems
– Based on encryption
– Includes Filtering concepts
Allows multiple (and future) applications to operate securely – similar in concept to using your ‘server’ at work
Top 10
• Make a security commitment – to do something when you get home! Start a “Security Procedures” manual – document what you do.
• Do User Training & Authentication Hardening – access control
• Don’t use Telnet & Ftp. Get SSL enabled apps to substitute. (SSH, SCP)
• Use (and keep CURRENT) virus control software (Symantec or McAfee)
• Encrypt ALL confidential data that you send from your organization.
Top 10
• Run vulnerability scanners (i.e. Nessus). Compare reports to the SANS/FBI top 20 vulnerabilities list and be SURE to mitigate the biggies
• Port filtering – Cheap: Install / configure IPSec for Windows servers & IPChains or IPTables for Linux servers. Expensive: Do ‘Cheap’ AND install dedicated Firewall machine. Router: Have your network folks be sure the routers and switches are configured properly
• Wireless? Secure the access point! (they come initially wide open). If not implemented yet, look at 802.11b spec – with WEP2 security.
Security Resources
• SANS – GREAT site
http://www.sans.org/
System Administration, Networking and Security - since 1989
SANS incident site: http://www.incidents.org/
Good starting place: http://www.sans.org/newlook/publications/roadmap.htm
Top 20 security issues: http://www.sans.org/top20.htm
• Technical Tutorials
http://www.systemexperts.com/tutorial.html
Hodgepodge tutorial... great for showing what OTHERS are looking to do to get into your site.
• Good source of info: (not just for linux)
• Government / University information sources
National Security Agency
http://www.nsa.gov/isso/infosec
Windows 2000 security guidelines, including actual .inf files that can be applied to deal with config / domain / admin stuff
CERT
www.cert.org
Carnegie Mellon Software Engineering Institute
See the ‘tech tips’ section – sign up for mailing list
National Infrastructure Protection Center
http://www.nipc.gov/
• Filtering – port and process control
http://www.nessus.org/ Nessus port scanner and threat assessment tool
http://www.tinysoftware.com relatively inexpensive - $39 for new version. Zonealarm has free version still… but ‘best’ versions around same price. Deerfield, Norton (Symantec), Black Ice, Zonealarm, Tiny Personal firewall… all available
http://www.citadel.com Hercules – a threat mitigation tool
• Locating user groups
Linux user groups: www.ssc.com/glue
Unix user groups: http://dark.wustl.ecu/~newton/othr_uug.html
http://www.netip.com Keith Palmgren page. Check out Articles & Security links pages
• Virtual Private networks