Security Policy Tips
Novell Cool Solutions: Tip
Posted: 8 Nov 2002
Current version: BorderManager 3.7
We've been watching with great interest the growing problem of web security breaches and potential breaches, since it falls directly into your laps, as security professionals. A recent survey found that hacker attacks increased by 32% during the first half of this year. Eighty-five percent of companies have reported security breaches, and estimate having lost about $120 million last year due to attacks.
According to IDC, billions are currently being spent on network security, but Web sites and applications continue to be penetrated by hackers and crackers, meaning corporations are still vulnerable. "Web presence for businesses today is essential, but just as it is essential, it is also the center of security problems," said Charles Kolodgy, research manager for IDC's Internet Security Software service. "Securing Web sites and the corresponding applications and databases is a difficult problem as Web sites exist to be accessible and firewall ports need to be left open for communication."
Protecting your company against hackers requires constant vigilance and a rock-solid security policy that takes advantage of Novell BorderManager. We thought it would be a great idea to have you share interesting tidbits from your security policies, and we can build a library of good examples to help others construct policies that will work for them.
Here's what we've got so far:
- Gregg Berkholtz
- Ricky Gibson
- Mario Quinones
- Martin Bragg
- Jason Schweitzer
- Raymond Meijll
- Joseph Grana
- Siddharth Jagtiani
- Glen VanDenBiggelaar
- Deb Steele
- Tim White
- Hen Savelkoul
- Joe Gilmore
- Eric Gonzalez
- Dan Wurster
- Arie van Cuylenborg
- Kevin McTeague
- Mokete Sekiba
- Justin Arendt
- George Papp
- Leo Blok
- Franz Süss
- George Miller
- Russell Cohen
- Manoj Ghorpade
- Nicolas Neveur
- Pieter van Stokkom NEW
- Bryan Morgan NEW
- Todd Seagraves NEW
Many obvious ideas come to mind, such as:
- Getting upper management to support (and budget for) any policies before embarking on an effort to develop one.
- Assessing the current state of your systems, and your users.
- Educating the weakest link in your security chain (your end users).
One thing to keep in mind as you develop any kind of security policy is the wealth of free but very good resources available online, such as the SANS Reading Room (http://www.sans.org/rr/catindex.php?cat_id=50) and the SANS Security Policy Project pages (http://www.sans.org/resources/policies/).
The wealth of information on these two sites, and the hundreds of sites and other resources that they refer to, should be more than sufficient to assist anyone in setting up an effective information security policy.
- Have passwords that change daily and would be given to people when they arrive at work.
- Also have login time restrictions that the system can only be on during business hours.
I try to read information from the Internet every day about new security problems and I regularly download software to test it.
The most useful information is always coming from Hacker websites, especially those that have information about multiple platforms and products.
For example, I have found in the last three months information about Novell products. The advantage with those kind of sites is that they show you the procedure to break a system so you can reproduce it to check if you are vulnerable or not. That is one of the problems with Novell or other companies' patches and security pages -- they only give you a brief introduction about the problem but they don't give details.
Invest in contracting with a professional security company to perform network penetration and vulnerability testing in order to provide feedback and it will generate a "TO DO" list for you in the end. Then hire a different company, if possible, to do the same, just to make sure.
Remove the A: Drive
The most obvious problem with security today is that many companies look for a strong internet block (firewall) and do not put up internal network blocks such as gateway servers and virtual networks (VLAN) to protect valuable data.
These are a few basic rules which administrators tend to forget or loosen up on:
- Physical security is #1: locks etc.
- Concentrate on internal threats first, create your policies AND act accordingly.
- Hack your own systems regularly, or hopefully "try" to hack them.
- In eDirectory, use container and organizational roles for 99% of your rights assignments.
- Finally, only use software with a proven track record regarding security. As we all know, this can become difficult if you "have" to use software from certain vendors.
Not in our policy manual but to me a good policy would be --- If you prove yourself to be an idiot then we take your e-mail away.
For each employee, create a SSL Certificate that is signed by the company SSL Certificate, which in turn is signed by a global Certifying authority.
Every time an employee logs on, verify the credentials using its Certificate. This way the company will not have to buy a certificate for each employee.
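The three-tier hierarchy in the tip above (global CA signs the company CA, the company CA signs each employee) built and checked in Go with only the standard library. This is an added example, not code from the page, its contributors or Novell; the CA names and the employee name alice@example.com are constructed. The login service trusts the global CA as its only root, supplies the company CA as an intermediate, requires the employee certificate to be valid for client authentication, and then insists that the chain actually passes through the company CA, since the same global CA also signs other organisations' CAs.

```go
package main

// Added example: in-memory PKI (global CA -> company CA -> employee) and the
// verification a login service would perform. All names are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pki holds one complete hierarchy.
type pki struct {
	global, company, employee *x509.Certificate
}

// issue signs tmpl with parent/parentKey, or self-signs when parent is nil,
// and returns the parsed certificate together with its new private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain issues a fresh hierarchy. Only the CAs carry CertSign, and the
// company CA has path length 0 so it can sign employees but not sub-CAs.
func buildChain() (*pki, error) {
	now := time.Now()
	globalTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Global Certifying Authority (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	global, globalKey, err := issue(globalTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	companyTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Corp CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	company, companyKey, err := issue(companyTmpl, global, globalKey)
	if err != nil {
		return nil, err
	}
	employeeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "alice@example.com (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	employee, _, err := issue(employeeTmpl, company, companyKey)
	if err != nil {
		return nil, err
	}
	return &pki{global: global, company: company, employee: employee}, nil
}

// verifyEmployee is the login-time check: root of trust is the global CA,
// the company CA is an intermediate, and the leaf must be a client cert
// issued directly under our company CA (the global CA signs other firms too).
func verifyEmployee(leaf, company, global *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(global)
	intermediates := x509.NewCertPool()
	intermediates.AddCert(company)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if len(chain) >= 2 && chain[1].Equal(company) {
			return nil
		}
	}
	return errors.New("certificate chains to the global CA but not through the company CA")
}

func main() {
	ours, err := buildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("own employee:", verifyEmployee(ours.employee, ours.company, ours.global))
	other, _ := buildChain() // a look-alike hierarchy under a different global CA
	fmt.Println("foreign employee:", verifyEmployee(other.employee, other.company, ours.global))
}
```

Run as-is and the first line reports `<nil>` (accepted) while the second reports an unknown-authority error, because the look-alike hierarchy hangs off a different root. The explicit `chain[1].Equal(company)` check is the part most implementations forget: with a commercial root in the trust store, any certificate that root's customers issue would otherwise pass.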
I would build a simple encryption application for the Palm to automatically change the password you type in to the Palm for a uniquely generated one that the server will only accept (same idea as the old key cards). Or ONLY accept passwords through the Palm hooked up to the server through the hot sync cable.
We've put our Information Security Training on the Internet via NetG. It's a customized course that we required every employee to take and pass an assessment with at least 80% correct responses. This gives us a way to get the information out and track who's taken it and passed the assessment.
Since my college seems to run an 'out of the box' style setup, it would probably be wise if they were to enable intrusion detection, and make sure on each boot of a Windows client, it deletes the pwl files stored on the C: drive.
I recommend system OS hardening before BorderManager is installed. Before BorderManager is installed you can make sure that most services are bound to the internal IP address by setting this to be the first one to bind in the netinfo.cfg.
Other tips: Disable NCP and SLP on the public interface and all other unnecessary functions such as LDAP, FTP, Remote manager etc. Then start with your firewall config. When using BorderManager proxy only, then disable routing in inetcfg-tcpip. Another hole closed.
Refrain from deploying Windows servers!
When it comes to viruses, users are told not to open e-mails from people they do not know or e-mail that has a strange subject line. Every user has anti-virus software that is password protected from being turned off. The software is set to scan at weekly intervals with auto protect enabled. If a user still happens to be infected the machine should be disconnected from the network and IS should be called at once.
Never open e-mail with an attachment without verifying the source with the sender. Takes a bit longer but can save you hours and days of downtime from virus. Remember there is always a new virus that your virus checker software has not yet found.
Here's a way to create awareness in the people at the office. Let them see how easy it is for you to take over a PC with ZENworks Remote Control, and then tell them that other people can do the same with their PC's. This lets them see for themselves a live hacker working and this makes them shiver.
My IS department has upgraded a firewall and with the help of NOVELL and Verisign (using a corrupt certificate) now denied access to those of us using our Palm i705s to WebAccess... Not an elegant solution but it keeps the bad guys out too, I suspect.
In the past century, our organisation has had a security problem around user's passwords, Internet passwords, e-mail passwords etc. Ten years ago we implemented a Novell infrastructure and products. Once our systems were integrated, we needed a more password-integrated management product that would give authorized users access to our systems by logging in once. We had many instances of unauthorised corporate business, users and public hacking our network. The first phase was to implement a firewall (BorderManager) and install SINGLE SIGN ON for password management.
Too often we see administrators not practicing what they preach with password restrictions. I know people that have had the same admin password and same account password for 4 years because only "they" possess the power to click the "password never expires" box on the account. Change your passwords, admins.
Controlling internet access in secondary schools has always been a headache. With IP Networks we find that the students have been bypassing the NetWare login and logging on to the net and sharing their passwords with others.
By creating the browser caching files in the student's home directory and restricting to one connection, we ensure the students log in to the network and we are able to monitor their access to the web.
No login, no access.
Install Mandrake Linux server and use the firewall, hostsentry, portsentry and logsentry. They give you a report of the system attacks and, more important, they block their ip addresses.
Out of the big range of security this is just one important idea regarding BorderManager VPN:
We allow VPN clients ONLY with ActivCards. Some telecommuters asked me why they cannot surf the internet while connected to our VPN? I told them that I never will open this feature because of security reasons.
In the BM setup in the VPN client-to-site section, always "Encrypt all networks" unless you have full control over ALL (I really mean EACH!) remote computers and their configuration, including personal firewalls, etc. Otherwise telecommuter PCs (especially those on fast DSL lines or cable modems) might easily be hacked and the hacker gets nice highly-encrypted access to the internal network.
We require passwords that expire every 180 days.
I am also in the process of blocking all instant messenger applications from our network.
We use Guinevere on GroupWise to help block viruses and the new version will help with spam.
Conventional wisdom would have us believe that enforcing "strong" passwords and changing passwords frequently leads to a more secure environment. I believe, however, that these practices lead to a less secure IT environment, because it forces Users to write their passwords down in order to "remember" them.
I believe that a combination of (a) minimum password length, (b) unique passwords and (c) enforcing a new password every 30/31 days is far more effective where a Username/Password combination is your only form of authentication.
By allowing "dictionary" passwords which must, however, be changed every month and which cannot be repeated, Users are better able to remember their password, instead of relying on a post-it note for memory.
Another advantage is that all these settings are supported by NetWare/eDirectory by default, so no additional investment in 3rd-party products is required.
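The three controls in the tip above (minimum length, no reuse of recent passwords, forced change every month) as a small policy checker in Go. This is an added example, not code from the page, its contributor or eDirectory; the policy values, account and timestamps are constructed. Salted SHA-256 is used only so the example runs with the standard library; a deployment would store passwords with a slow, purpose-built hash (bcrypt, scrypt or Argon2).

```go
package main

// Added example: password-policy enforcement (length, history, max age).

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
	"unicode/utf8"
)

// policy captures the three controls the tip proposes.
type policy struct {
	MinLength    int
	HistoryDepth int           // how many previous passwords may not be reused
	MaxAge       time.Duration // forced change interval
}

type record struct {
	salt, hash []byte
	set        time.Time
}

type account struct {
	history []record // newest first
}

var (
	ErrTooShort = errors.New("password shorter than policy minimum")
	ErrReused   = errors.New("password was used recently")
)

// hashPassword: salted SHA-256 keeps the example dependency-free only;
// real systems use bcrypt/scrypt/Argon2.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

func (r record) matches(pw string) bool {
	return subtle.ConstantTimeCompare(r.hash, hashPassword(r.salt, pw)) == 1
}

// ChangePassword enforces length and history, then records the new password.
func (p policy) ChangePassword(a *account, pw string, now time.Time) error {
	if utf8.RuneCountInString(pw) < p.MinLength {
		return ErrTooShort
	}
	for i, r := range a.history {
		if i >= p.HistoryDepth { // only the most recent HistoryDepth entries count
			break
		}
		if r.matches(pw) {
			return ErrReused
		}
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.history = append([]record{{salt: salt, hash: hashPassword(salt, pw), set: now}}, a.history...)
	return nil
}

// Expired reports whether the current password is older than MaxAge
// (an account with no password at all is treated as expired).
func (p policy) Expired(a *account, now time.Time) bool {
	if len(a.history) == 0 {
		return true
	}
	return now.Sub(a.history[0].set) > p.MaxAge
}

func main() {
	p := policy{MinLength: 8, HistoryDepth: 12, MaxAge: 31 * 24 * time.Hour}
	a := &account{}
	now := time.Now()
	for _, pw := range []string{"short", "correcthorse", "correcthorse", "batterystaple"} {
		fmt.Printf("%-14s -> %v\n", pw, p.ChangePassword(a, pw, now))
	}
	fmt.Println("expired after 40 days:", p.Expired(a, now.Add(40*24*time.Hour)))
}
```

Note that the history comparison hashes the candidate with each stored salt, so old passwords are never kept in clear, and that a dictionary word passes this checker exactly as the tip intends; the protection comes from the monthly rotation and the no-reuse rule, not from complexity.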
The TechRepublic website has a number of useful security-related resources, including this sample Information Security Policy, which can be downloaded at: http://www.techrepublic.com/download_item.jhtml?id=dr00520010108bal01.htm&src=bc
Even if you don't accept the entire policy in toto, it provides a useful starting point for developing your own policies.
These are the areas we cover in our Business Continuity Management policies and plans. Perhaps this list will help others think of areas they should include in their Security Policies.
a. Business Continuity management process
- Risk Understanding (in terms of likelihood & priority of each critical business process)
- Impact of interruptions
- Purchase of suitable insurance
- Formulating and documenting a business continuity strategy
- Regular testing and updating plan and process
- Management of b.c.p is incorporated in the org.'s process and structure
b. Business continuity and impact analysis
- Identify events that cause interruptions to business process, followed by risk assessment to determine impact of those interruptions (damage scale and recovery period)
c. Implementing Continuity Plan
- Identification & agreement of all responsibilities and procedures
- Recovery procedure
- Documentation of agreed procedures and process
- Staff education in agreed emergency procedure and process
- Testing and updating of plan
d. Continuity planning framework
- Conditions for activating the plan describing the process to be followed
- Emergency procedure
- Fallback procedure
- Resumption procedure
- Maintenance schedule
- Awareness and education
- Individual responsibilities
e. Testing, Maintaining and re-assessing business continuity plan
- Table top testing
- Technical recovery testing
- Testing recovery at an alternative location
- Testing of supplier facilities and services
- Complete rehearsals
Simple Tip: Use an IDS machine (Snort) on the three or more sides of your network (inside, DMZ, Outside) to sniff the packets which don't meet your policies. That will help to enforce your business policies, and, DON'T BE AFRAID TO APPLY THOSE POLICIES.
We're blocking a number of extensions that attachments in e-mails can have, including exe, scr, vbs, etc.
Apart from that: our users now are no longer able to download certain files from the internet (like files ending with exe)... Sure saves us a couple of nightmares... :)
The best policy I have come across when using BorderManager is to allow no access to anything at first then slowly allow access to the desired protocols, services, websites etc. This cuts down on admin, prevents unauthorised browsing and reduces exposure from the outside world.
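The two previous tips, refusing exe/scr/vbs downloads and "allow nothing first, then open only the desired protocols, services and sites", expressed as one default-deny policy evaluator in Go. This is an added example, not code from the page or from BorderManager; the rule set, groups, hosts and request paths are constructed, and the blocked-extension list is illustrative. Blocked downloads are refused before any allow rule is consulted, host rules match a domain and its subdomains but not look-alike names, and anything no rule explicitly allows is denied.

```go
package main

// Added example: default-deny proxy policy with an explicit allow list and a
// blocked-download-extension check. All rules and requests are constructed.

import (
	"fmt"
	"path"
	"strings"
)

type request struct {
	User   string
	Groups []string
	Proto  string // "http", "https", "ftp", ...
	Host   string
	Port   int
	Path   string // request path, may carry a query string
}

// rule is one explicit allow. An empty field (or zero port) means "any".
type rule struct {
	Group      string
	Proto      string
	HostSuffix string // "example.com" matches example.com and *.example.com
	Port       int
}

// blockedExt: extensions refused regardless of allow rules (illustrative).
var blockedExt = map[string]bool{"exe": true, "scr": true, "vbs": true}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// hostMatches treats the suffix as a domain boundary, so "ftp.example.com"
// matches "www.ftp.example.com" but not "notftp.example.com".
func hostMatches(host, suffix string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	suffix = strings.ToLower(suffix)
	return suffix == "" || host == suffix || strings.HasSuffix(host, "."+suffix)
}

func (r rule) matches(q request) bool {
	if r.Group != "" && !contains(q.Groups, r.Group) {
		return false
	}
	if r.Proto != "" && !strings.EqualFold(r.Proto, q.Proto) {
		return false
	}
	if r.Port != 0 && r.Port != q.Port {
		return false
	}
	return hostMatches(q.Host, r.HostSuffix)
}

// blockedDownload drops the query/fragment, trailing dots and case before
// reading the final extension, so "Report.pdf.EXE?x=1" is still caught.
func blockedDownload(p string) bool {
	if i := strings.IndexAny(p, "?#"); i >= 0 {
		p = p[:i]
	}
	name := strings.TrimRight(path.Base(p), ".")
	ext := strings.ToLower(strings.TrimPrefix(path.Ext(name), "."))
	return blockedExt[ext]
}

// evaluate: blocked downloads first, then the first matching allow rule,
// otherwise the default is deny.
func evaluate(rules []rule, q request) (bool, string) {
	if blockedDownload(q.Path) {
		return false, "blocked download extension"
	}
	for i, r := range rules {
		if r.matches(q) {
			return true, fmt.Sprintf("allow rule %d", i+1)
		}
	}
	return false, "default deny"
}

func main() {
	rules := []rule{
		{Group: "staff", Proto: "http", Port: 80},
		{Group: "staff", Proto: "https", Port: 443},
		{Group: "it", Proto: "ftp", HostSuffix: "ftp.example.com", Port: 21},
	}
	reqs := []request{
		{User: "alice", Groups: []string{"staff"}, Proto: "http", Host: "www.example.org", Port: 80, Path: "/index.html"},
		{User: "alice", Groups: []string{"staff"}, Proto: "http", Host: "www.example.org", Port: 80, Path: "/dl/Setup.EXE?id=7"},
		{User: "bob", Groups: []string{"it", "staff"}, Proto: "ftp", Host: "notftp.example.com", Port: 21, Path: "/"},
	}
	for _, q := range reqs {
		ok, why := evaluate(rules, q)
		fmt.Printf("%s %s://%s:%d%s -> %v (%s)\n", q.User, q.Proto, q.Host, q.Port, q.Path, ok, why)
	}
}
```

Adding access is then a matter of appending one rule at a time, which keeps the configuration reviewable, and the reason string gives the admin something to log when a user asks why a request was refused.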
Users need to be held accountable for their actions. Management is too political now, they need to realize that if you don't force people to learn they won't. IS gets criticized for "locking" everything down. We have to; if we don't they WILL break it.
Why should a corporation be held accountable when an employee files a harassment suit because they were offended by a website they went to themselves?
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com