WatchGuard Technologies, Inc.

Foundations: What a Network Security Administrator Should Do

by Steve Fallin and Scott Pinzon

When we were kids, we saw this same scenario in countless TV cartoons: someone [a Foreign Legion sergeant, the sheriff, a Royal Canadian Mountie] addresses a line of men [dogs, cowboys, bees], saying, "This mission will be deadly dangerous, and we need a volunteer. If you want to serve your country, take one step forward!" Then everyone except one clueless guy takes a giant step backwards, leaving our poor hero as the unintentional "volunteer."

Does that describe how you became your company's network administrator or LAN manager? If so, you're probably the most qualified person on the premises -- but you may not feel you know what's involved in securing that network against attackers. This article attempts to list in one place the major elements of network security, with guidelines on what a good security manager does about each aspect. Obviously, it is simplistic; entire books have been written about each of the points below. But our goal is to help you get your arms around the task. Welcome to Security Orientation.

What You Must Do and What You Must Be

Perhaps the most important concept underlying real-world security is the Principle of Least Access, or POLA. Here it is in a nutshell: shut everybody out of everything on your network unless they have a damn good reason to be granted access to it.

Almost every blob of software you install on your network installs with permissive default settings. Vendors set their software that way so you won't call them, accusing their application of arriving broken. But if you start with a permissive environment and try to gradually tighten access, you'll never know for certain that you've closed all the security holes. Know why? Because people who have too much access never complain about it.

POLA requires the courage to break things. Sure, it's easier to permit everybody access to everything, because that generates a gratifying silence from your coworkers. But good security is noisy. In security, nine out of ten times silence equals danger. Silence equals cover-up. Shut things down and tighten access until you provoke cries of outrage from workers. Learn to thrive on these cries, because they are your security sensors. If you incrementally ease permissions and open ports just to the point where the howls cease, your settings are probably about right.

If you're going to captain this ship, embrace this adage: real boats rock. The complaints cause nowhere near as much trouble as a break-in. Your goal is to be the rocker, not the rockee.

The Elements of Layered Security

Okay, take a deep breath. If you're new to this realm, you may be distressed at the scope of all this. But set your upper lip on "stiff," because this is do-able. Here are the essential layers of your network security.

  1. Policy. The biggest wild card in computer security is the end user. A corporate computer use policy paves the way for training and restraining the user. Drafting good corporate policy is the obvious starting point, yet companies almost never start here. Sooner or later, though, they end up here. For example, if an insider at your company hacks the company Web site and defaces it, you will have problems prosecuting if you don't have a policy forbidding such activity. Comfy with employees running their own personal e-commerce sites on the company Web server? No? Policy is the first place to hold them in check. Write one.

  2. Router. The first company resource that Internet traffic hits is your router. The vendor or the manufacturer who provided your router(s) should have suggestions on what configuration settings "securify" your router. Look 'em up. Do them. Hint: don't leave any user name, account name, or password set to its default.

  3. Log analysis. Lots of stuff on your network generates logs: routers, firewalls, network servers, Web servers, file servers, etc. Learn what each of the fields in a log entry is, and what it means. Scan these logs daily until you can recognize what normal traffic looks like on your network. From then on, question whatever is abnormal. Admittedly, this can take a chunk out of your day. If you can't do it religiously and consistently, remember that any log inspection is better than no log inspection. Shoot for a minimum of thirty minutes, but do the best you can.

  4. Firebox. Refer to POLA, above. The default stance of your Firebox should block off huge ranges of ports -- nearly everything. Permit only traffic that is essential to the company mission. Sometimes you may have to open ports temporarily (say, if the CEO needs to have a Web-enabled video conference with remote offices.) Shut these ports afterwards. A good way to maintain this is to set a standing date when you periodically examine your Firebox configuration and permissions, asking the question, Do I still need to let this service in? When in doubt, shut it down.

  5. Servers. Secure your servers at both an operating system level, and an applications level. At the OS level, restrict user privileges as tightly as you can. Applications such as WatchGuard ServerLock defeat insider attacks by making it impossible for anyone but those authorized to change protected directories or registry entries; consider installing it. On your Domain Name Server, disable the ability for others to perform zone transfers.

    At the applications level, passwords are your primary tool for protecting that internally developed shared software. Establish and enforce a password policy that requires strong passwords: many characters, using numbers, letters, and punctuation; case-sensitive; no default passwords; no words straight from the dictionary. Make a point of protecting the repository where the passwords are stored. On random weekends, take a physical tour of your office in search of written passwords. Look for sticky notes around monitors and under keyboards. Give violators a Severe Talking To.

  6. Anti-virus. The main point about anti-virus software, besides "get some," is that you can't just set it and forget it. Update your A-V software as often as the vendor does. Most modern A-V software has the ability to check the vendor's Web site for updates at a regular interval. Set it to check every few days, and do a manual update when you hear of a big threat coming.

  7. Intruder Detection Systems. If you're lucky enough to have IDS on your network, remember this: an alert from your IDS is the sound of glass breaking. It can only alert you once an attack has begun. If you don't vigilantly monitor IDS logs, you may as well throw the software away. If you keep on top of it, you may be able to change "closing the barn door after the cows have escaped" to "closing the barn door with the rustler trapped inside." Follow the watchword Hogwarts professor Mad-Eye Moody thunders to his students: "CONSTANT VIGILANCE!"
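The "learn what normal looks like, then question whatever is abnormal" habit from the log analysis step can be partly scripted. The sketch below is an example added here, not code from the original article or from WatchGuard: it builds a baseline from earlier days' firewall log lines and reports flows in today's log that the baseline has never seen. The log format, the sample lines, and the choice of what counts as "the same traffic" are all assumptions made for illustration.

```python
import re
from collections import Counter
# Constructed log format (not any vendor's real one):
#   <timestamp> <ALLOW|DENY> <proto> <src_ip> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d{1,5})$")

def parse(lines):
    """Split lines into parsed events and lines that did not match the format."""
    events, rejects = [], []
    for line in (l.strip() for l in lines):
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line:
            rejects.append(line)  # malformed entries deserve a look, not a silent drop
    return events, rejects

def flow_key(ev):
    # Assumption: "same traffic" = same action, protocol, source host and service port.
    return (ev["action"], ev["proto"], ev["src"], int(ev["dport"]))

def build_baseline(lines):
    return {flow_key(e) for e in parse(lines)[0]}

def review(today_lines, baseline):
    """Return (Counter of flows absent from the baseline, unparsed lines)."""
    events, rejects = parse(today_lines)
    return Counter(flow_key(e) for e in events if flow_key(e) not in baseline), rejects

# Constructed sample data: two earlier days of "normal" traffic.
BASELINE_LOG = """\
2024-05-01T09:12:03 ALLOW tcp 10.0.1.15 -> 203.0.113.10:443
2024-05-01T09:12:40 ALLOW udp 10.0.1.15 -> 10.0.0.2:53
2024-05-02T08:59:11 ALLOW tcp 10.0.1.22 -> 203.0.113.10:443
""".splitlines()

# Constructed sample data: today's log, including one truncated entry.
TODAY_LOG = """\
2024-05-03T09:02:17 ALLOW tcp 10.0.1.15 -> 198.51.100.7:443
2024-05-03T02:14:51 DENY tcp 10.0.1.22 -> 198.51.100.99:23
2024-05-03T02:14:52 DENY tcp 10.0.1.22 -> 198.51.100.100:23
2024-05-03T02:20:09 ALLOW tcp 10.0.1.22 -> 198.51.100.7:22
2024-05-03T02:21 truncated entr
""".splitlines()

if __name__ == "__main__":
    unseen, rejects = review(TODAY_LOG, build_baseline(BASELINE_LOG))
    print("not in baseline:", unseen.most_common())
    print("unparsed, inspect by hand:", rejects)
```

A script like this only shortens the list of lines to read. Deciding whether a workstation reaching out on ports 22 and 23 at two in the morning is expected still takes someone who knows the network.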

Naturally, there is much more to explain. But the steps above trace your responsibility from before Internet traffic hits your network, to after. This is the base level; these are the processes. Use this as a foundation -- then build your knowledge from here. You can do it.

And thanks for volunteering.