Suggestions on Comprehensive Security

I just want to throw something at you guys to get some opinions and input. Where I'm working as net admin presently, I'm really wanting to purchase some new toys to harden our security, because I think as it is presently, we're lacking a bit. Problem is, my suggestions keep getting met with "I think that's overkill" from the powers that be. Now, personally, I don't think the words "leading financial advising firm in the region" and "overkill" should ever show up in the same sentence when talking security, but that's just me evidently. Nonetheless, I want to find something that's good enough to get the job done well but cheap enough to not get shot down by the boss.

As said, the company is a leading financial advising firm in this region, multi-million dollar corporation. Several satellite offices between here in Arkansas and Texas. I'm the only IT staff they have.

Every ounce of vital information we have on our clients and company is kept on our network at the corporate headquarters, where I am. The network is roughly 20+ computers running on typically 8 or 9 servers, including a file server, terminal servers, mail server, web server, AV server, and three backup servers.

Two active domain controllers, one as a backup to the other.

Our terminal servers are accessed by all employees, often from the outside (company laptops from hotels, employees' homes, etc.).

We give software to clients that allows them to access their data on our servers from wherever they are.

Mostly wired LAN, plus a US Robotics access point for a few wireless laptops.

So, given all that, here's our current security level:
1) Servers run a T1, workstations on DSL, both lines protected by SOHO3 SonicWALL hardware firewalls.
2) No DMZs.
3) Cayman router (discontinued by manufacturer)
4) CA eTrust antivirus on all desktop/server machines, McAfee on laptops
5) Hard to crack network administrative password. User-level privaledges limited.
6) All desktops are Windows 2000 Pro, servers are Windows 2000 Advanced Server. Laptops are Windows XP Home. No SP2 update yet.
7) Laptops have no additional security beyond McAfee antivirus.
8) Wireless AP has 128-bit encryption enabled. SSID broadcast disabled.
9) Servers are upstairs (in a major traffic area unfortunately) and are password locked at all times.

Personally, I think we should add:
1) An intrusion detection system, or at least --
2) Log monitoring software.

Keep in mind though, I gotta keep it low-price to escape having it dubbed "overkill". Heck, I wanted some under-$300 security cameras thrown up in the sever room and transmitted to my office, but I couldn't get that either. :(

So, please, by all means cut loose and play with the info here, throw any ideas at me you have. If this were your network, what would you do? What products do you suggest? What should I look at beyond a good IDS?

Definitely what you indicated, an IDS and/or log monitering software. An IDS is almost a must for any network looking to fully secure itself and it's data. Log monitering software is great for those looking to make sure that those viewing the logs/the logs itself are secure and are thorough.

Some people like to moniter the logs themselves (myself included) but you should experiment with both. There are obvious pros and cons to both, but see what you like and what works best for you, cost efficient, etc.

So given my cost/necessity situation, what packages would you recommend?

IDS? Snort its free! - easy to implement. if you know nothing about linux/snort you can buy the best seller (that one with pig on the cover).

Logs you need to take a look:

Windows
Routers
Firewall
wireless connectin has any?
no htttp proxy?
Ras log

I have some ideas but im checking them to avoid posting crap here :P

I don't mind "crap" ideas, we can always discuss and refine them further if need be. Such is brainstorming!

So snort is a full IDS? I was under the impression it was a form of advanced scanner or something, but I have yet to play with it (it's next on my list of things to get acquainted with).

Stupid question time: Ras log, that's a new term on me. Care to elaborate?

No http proxy.

All the other logs I keep an eye on. In fact, that's why I suggested a tutorial on how to monitor router logs and compare to firewall logs -- thats's something I know little on and would very much like some enlightenment.

Snort is a HIDS/NIDS. Maybe you are thinking about "Nessus", that is a vulner.. scan,..

Ras- Remote access service. Do you have remote users? how they access network? (remote means here "outside your corporate network", like mobile computers).

BTW, upgrade those xp home to xp pro. Windows Home? man i wouldnt like those connecting to my corporate network...

if you don have a proxy, what is controlling access to internet ? (like web surfing) a firewall/

re: RAS log

I presume he was speaking about remote access services.
An example is a RADIUS service like MS IAS.
Can be used to authenticate remote dial in or VPN clients.

Might not apply to your config is you don't provide that.

Yes, firewall is controlling access to the Internet. SonicWALL SOHO3 hardware firewall.

Regarding remote users, as I mentioned initially, we have two terminal servers. Employees can access them from anywhere by using either Terminal Services Client or XP's Remote Desktop Client. Nothing more beyond that, no dialing in or telnet (thankfully). A couple of us use Real VNC, but it's not often used.

What's the security difference between XP Home and Pro? Unfortunately I can't get an upgrade, as Home was chosen, once again, for cost reasons, so I'm stuck with it.

Just so its down in another place than the PM conversation we just had, make sure your offsite backups are in a secure place. It wont help you much if they are stolen or lost.

Yeah, to bring you guys up to speed on that conversation:

*Multiple backups, including tapes, DVDs, hardware appliances, and outsourced backups.
*On-site and offsite backups with disaster recovery plan.

Of the various methods we use, among them are backups sent home with me, the president, and the ops manager. Jarrod brought up the point that this could be a big risk were any of our houses to be burglarized, so I'm going to discuss that soon with them.

found this: http://www.sawmill.net
you may also consider a syslog daemon : http://www.kiwisyslog.com/products.htm#sysloggen to concentrate all logs in one point
I have no exp on those--- i use to scan my logs by my own - (some vb+scripts+php+cobol stuff). if you like programming, you can try :P

Angelic:

Please feel free to show this to your boss.

I believe that as a financial institution your company falls under Sarbanes-Oxley -

Some of the security questions are answered here

Of particular note is the following:-

Quote:

---

Q: What do you see as the most direct tie between Sarbanes-Oxley and an organization's security program?
A: There are several links between Sarbanes-Oxley requirements and a company's security program. They include: ensuring appropriate awareness of company security policies and commitment by management; designing and implementing appropriate security controls; and documenting and auditing security policies, and making sure they are understood by management and end users.

---

Also, from here comes:-

Quote:

---

Yet in the law there is a provision mandating that CEOs and CFOs attest to their companies' having proper "internal controls." It's hard to sign off on the validity of data if the systems maintaining it aren't secure. "It's the IT systems that keep the books," Saidman said. "If systems aren't secure, then internal controls are not going to be too good."

---

Ever considered a risk assessment? Has your boss? Would your boss think that a risk assessment would be a prudent thing to do? It's mandated under Sarbanes-Oxley.

If he doesn't can you please give the name of your company and any other company names or subsidiaries your company may operate under so that I might avoid ever doing business with them in the future.... Thank you.... ;)

[Edit]

Angelic and Caca:

I have a tutorial here on the implementation of a cost effective system.

[/Edit]

"I don’t think that worrying about an employee getting burglarized is that big of a risk."

That's the official word.

See what I'm dealing with guys?! He suggested password protecting the tapes we bring home, so I guess I'll have to look into that...

Quote:

---

Angelic and Caca

---

Man, next time you write wrong my nick AGAIN i will hunt you down ! :ubergun:

Sarbanes Oxley is one federal regulated body that may be mandated under your current employer. Usually SOX is only required of those companies that have public stockholders. If this is not the case then I would recommend reviewing the GLB Act. If your company holds any personal information (which most financial institutions do) about thier clients, then this document may help solidify your position, GLB Act Section 501-504 specifically.

All the suggestions here are right on and would meet your requirements based on the GLB Act. I just finished up an external audit and having these pieces in place went a long way to making the auditors happy.

Good Luck

Quote:

---

Originally posted here by AngelicKnight
"I don’t think that worrying about an employee getting burglarized is that big of a risk."

That's the official word.

See what I'm dealing with guys?! He suggested password protecting the tapes we bring home, so I guess I'll have to look into that...

---

I know how you feel. Getting money out of my company is like getting blood out of a rock. They are willing to buy stuff once something has happened though. I live is southern california and when the fires got going last year (to within 4-5 miles of the office) the CFO was finally coaxed into buying some more stuff for us.

What about the DVD's? They can be played in any $20 DVD player. What if one of your houses burns down? (Then you are without the backups) I know the "what if" situation may not be the best way to approach your boss, butm maybe breaking into his house is. j/k

The DVDs don't go home fortunately. They just stay in the President's office.

So I had never heard of Sarbanes Oxley before. This'll make a good research project!

One suggestion for your tape problem may be keeping them in a safety deposit box in a bank.

what we do where i work is we have the main tape backup system, but then we also have a backup off site tape system who's tapes get sent to a safety deposit box in a bank (since most bank safes are fireproof ;)) with our "everyday" tapes, every 3 weeks (about the life of our tape sets) we move them to an off-site storage that is still close enough for us to walk over, but it will protect the tapes if the IT/computer science building burns and crumbles.

as far as your infrastructure goes, attached is a picture of how ours is and maybe it will help you (it is pretty cheap to impliment) we use smoothwall firewall (free) on an older box that has been "bumped down" from normal use - it is still a p4 1.4 GHz with dual gigabit cards.

i didn't put the routers in there, but for the most part, the router lives where the letters on the line are (ex: DMZ and Rest of Network) and before the first firewall (for the internet connection) we are on a shared OC-3 and have all windows computers (except the firewalls and the servers). Our servers are a mix of win2k AS, win2k3 ES, HP-UX and TRU-64. (many of our servers are internal so they didnt' show up on my little diagram)

I hope this helps, if you need any more details let me know.

I'd make suggestions, but from your description you are really just starting from scratch, and as usual there is as much different advice flowing around here as there are people dispensing it. All I can say is good luck. My experience working for a financial services company was that the industry itself is incredibly backwards in technology adoption. It might take a break-in to illustrate your point. You might also consider getting some consultants in on it as if you have some people whose sole job it is to analyse for security, you will have a better chance of making headway with management. For some reason they seem to be of the opinion that they hired you, so obviously you are just making up ways to spend money. :/