Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Suggestions on Comprehensive Security

  1. #1

    Question Suggestions on Comprehensive Security

    I just want to throw something at you guys to get some opinions and input. Where I'm working as net admin presently, I'm really wanting to purchase some new toys to harden our security, because I think as it is presently, we're lacking a bit. Problem is, my suggestions keep getting met with "I think that's overkill" from the powers that be. Now, personally, I don't think the words "leading financial advising firm in the region" and "overkill" should ever show up in the same sentence when talking security, but that's just me evidently. Nonetheless, I want to find something that's good enough to get the job done well but cheap enough to not get shot down by the boss.

    As said, the company is a leading financial advising firm in this region, multi-million dollar corporation. Several satellite offices between here in Arkansas and Texas. I'm the only IT staff they have.

    Every ounce of vital information we have on our clients and company is kept on our network at the corporate headquarters, where I am. The network is roughly 20+ computers running on typically 8 or 9 servers, including a file server, terminal servers, mail server, web server, AV server, and three backup servers.

    Two active domain controllers, one as a backup to the other.

    Our terminal servers are accessed by all employees, often from the outside (company laptops from hotels, employees' homes, etc.).

    We give software to clients that allows them to access their data on our servers from wherever they are.

    Mostly wired LAN, plus a US Robotics access point for a few wireless laptops.

    So, given all that, here's our current security level:
    1) Servers run a T1, workstations on DSL, both lines protected by SOHO3 SonicWALL hardware firewalls.
    2) No DMZs.
    3) Cayman router (discontinued by manufacturer)
    4) CA eTrust antivirus on all desktop/server machines, McAfee on laptops
    5) Hard to crack network administrative password. User-level privaledges limited.
    6) All desktops are Windows 2000 Pro, servers are Windows 2000 Advanced Server. Laptops are Windows XP Home. No SP2 update yet.
    7) Laptops have no additional security beyond McAfee antivirus.
    8) Wireless AP has 128-bit encryption enabled. SSID broadcast disabled.
    9) Servers are upstairs (in a major traffic area unfortunately) and are password locked at all times.

    Personally, I think we should add:
    1) An intrusion detection system, or at least --
    2) Log monitoring software.

    Keep in mind though, I gotta keep it low-price to escape having it dubbed "overkill". Heck, I wanted some under-$300 security cameras thrown up in the sever room and transmitted to my office, but I couldn't get that either.

    So, please, by all means cut loose and play with the info here, throw any ideas at me you have. If this were your network, what would you do? What products do you suggest? What should I look at beyond a good IDS?

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Definitely what you indicated, an IDS and/or log monitering software. An IDS is almost a must for any network looking to fully secure itself and it's data. Log monitering software is great for those looking to make sure that those viewing the logs/the logs itself are secure and are thorough.

    Some people like to moniter the logs themselves (myself included) but you should experiment with both. There are obvious pros and cons to both, but see what you like and what works best for you, cost efficient, etc.
    Space For Rent.. =]

  3. #3
    So given my cost/necessity situation, what packages would you recommend?

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    IDS? Snort its free! - easy to implement. if you know nothing about linux/snort you can buy the best seller (that one with pig on the cover).

    Logs you need to take a look:

    Windows
    Routers
    Firewall
    wireless connectin has any?
    no htttp proxy?
    Ras log

    I have some ideas but im checking them to avoid posting crap here :P
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #5
    I don't mind "crap" ideas, we can always discuss and refine them further if need be. Such is brainstorming!

    So snort is a full IDS? I was under the impression it was a form of advanced scanner or something, but I have yet to play with it (it's next on my list of things to get acquainted with).

    Stupid question time: Ras log, that's a new term on me. Care to elaborate?

    No http proxy.

    All the other logs I keep an eye on. In fact, that's why I suggested a tutorial on how to monitor router logs and compare to firewall logs -- thats's something I know little on and would very much like some enlightenment.

  6. #6
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Snort is a HIDS/NIDS. Maybe you are thinking about "Nessus", that is a vulner.. scan,..

    Ras- Remote access service. Do you have remote users? how they access network? (remote means here "outside your corporate network", like mobile computers).

    BTW, upgrade those xp home to xp pro. Windows Home? man i wouldnt like those connecting to my corporate network...

    if you don have a proxy, what is controlling access to internet ? (like web surfing) a firewall/
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    re: RAS log

    I presume he was speaking about remote access services.
    An example is a RADIUS service like MS IAS.
    Can be used to authenticate remote dial in or VPN clients.

    Might not apply to your config is you don't provide that.

  8. #8
    Yes, firewall is controlling access to the Internet. SonicWALL SOHO3 hardware firewall.

    Regarding remote users, as I mentioned initially, we have two terminal servers. Employees can access them from anywhere by using either Terminal Services Client or XP's Remote Desktop Client. Nothing more beyond that, no dialing in or telnet (thankfully). A couple of us use Real VNC, but it's not often used.

    What's the security difference between XP Home and Pro? Unfortunately I can't get an upgrade, as Home was chosen, once again, for cost reasons, so I'm stuck with it.

  9. #9
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Just so its down in another place than the PM conversation we just had, make sure your offsite backups are in a secure place. It wont help you much if they are stolen or lost.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  10. #10
    Yeah, to bring you guys up to speed on that conversation:

    *Multiple backups, including tapes, DVDs, hardware appliances, and outsourced backups.
    *On-site and offsite backups with disaster recovery plan.

    Of the various methods we use, among them are backups sent home with me, the president, and the ops manager. Jarrod brought up the point that this could be a big risk were any of our houses to be burglarized, so I'm going to discuss that soon with them.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •