New Section! Security Challenges!

Hi all!

After a long while, I was finally able to start swimming and avoid being drowned by things to do at work! The new job is awesome, but the first couple of weeks were insane (lots to do and learn, etc)! But I confess I’m just loving it!

Well, we all face massive challenges on a daily basis (no secret there). New projects requiring security input, fire fighting security issues, keeping yourself abreast with new technology, security conferences and much more. But most of us find pleasure in doing that, and that’s exactly what I’m proposing here: to solve challenges we deal with at work, while sharing experiences with our fellow security colleagues!

Here’s how it works: on a regular basis, I’ll come up with a challenging scenario where security controls should be implemented. The scenarios will vary (network security, application security, security policies, PCI DSS compliance, encryption and many more). The idea is that you guys interact with the diagram by adding comments with your suggestion (you can even add attachments!), always keeping in mind the restrictions imposed (budget is one of them).

The challenge will aid “security rookies” to learn about information security, and “security ninjas” to demonstrate and share their knowledge!

To inaugurate this session, a very basic diagram with a scenario I’m sure we won’t find out there anymore (ha ha). Do your best! Feel free to mention products, brands and whatever else.

Ah! To further stimulate you, the person proposing the best solution will have a diagram representing their suggestion published, and their names will become part of MyInfosecJob’s hall of fame! With the sheer number of recruiters visiting our site, it’s always good to leave your mark for them to see!

As usual, feedback, suggestions and criticism are always welcome!

So, get your neurons started and tell everyone how you would secure the network below! Be creative!

Adriano.

Update – 24/03/2011

I have to say that I’m impressed with the answers so far. Although you guys were given a budget of 20k (which is quite enough!), most of the answers were able to harden the environment to a very decent security state for close to nothing!

For those of you willing to present a Visio diagram with your solution, please send me an e-mail at adrianodiasleite at myinfosecjob.com and I’ll send the template!

I’m planning to choose the best answer on the 30th of March, so make sure to send your suggestions!


Comments (17)

  1. Dan says:

    Depending on the appetite for risk and budget, I would host the website outside of the network and have a separate private link for employees to securely access the assets they need to know. Obviously, acquire and implement a gen 4 firewall and basic gen 1 ACLs on the router; I would have the IPS behind the router before traffic hits the firewall. Segment the internal network into trust zones to protect sensitive information. Internet gateway for browsing outbound, and subsequent QoE/QoS so that general traffic does not contend/compete with priority traffic.

    Two Cents

    aussecurity.wordpress.com

  2. Garett Montgomery says:

    From the simplicity of the diagram, I’m going to assume that the company is rather small – and that they are very lucky to have such a generous budget available for security. And at a small company, I think that if they even had someone dedicated to IT, they would be lucky. I can’t see this company having the luxury of a dedicated security specialist. So while I would agree with the previous posters that there is a lot that can be done, configuration-wise, that does not require purchasing hardware/software devices, I think the budget might be better spent getting their IT person some security training. SANS GSNA is a good general purpose course with guidelines on how to secure routers, firewalls, web and database servers, and how to perform audits on them. The newly security-trained IT person could then securely configure the existing devices.
    An additional step that could be taken that wouldn’t require additional capital expenditures would be to virtualize the servers, and host them on a single device. The other server could then be configured as an IPS/firewall/UTM or other device – and there are lots of great tools available for free. So I believe that training one (or more) people would be the best way to spend that budget. Set-and-forget tools are very handy, but I think it’s wise having someone who understands what is going on and how to make changes, if necessary. Because it’s great if you can spend a lot on a whiz-bang device, but if you have to get support every time you need to make a change, that cost is going to add up very quickly.

  3. Bent says:

    I would not do IDS and IPS. Good IPS solutions cost far more than the budget, and running after an IDS to check alarms will ruin the budget.

    What I would do…

    1) Get rid of the hub – does anyone have a hub nowadays???
    Switch instead. NAC control. 1st perimeter

    2) Update the router to have ACLs…. 2nd perimeter

    3) Get a FW – there are a number ready to install on standard PCs – get a PC with at least 3 interfaces – and make a DMZ. 3rd perimeter

    4) In the DMZ place a proxy and a reverse proxy.
    I do not fear web attacks through a proxy (some professional ones can be used to prevent all attacks, but they ruin the budget). Again – a standard PC can be the proxy – and a second one the reverse proxy.
    4th perimeter

    5) Put the web proxy in the DMZ. Make sure any attack on the DMZ (proxy, web, etc.) only affects the DMZ.

    6) The users who browse the internet need access only through the proxy. ACLs, and do not allow critical websites.
    5th perimeter

    The internal access to the internet is more critical than most understand…..

  4. Bent says:

    I would not do IDS and IPS. Good IPS solutions cost far more than the budget, and running after an IDS to check alarms will ruin the budget.

    What I would do…

    1) Get rid of the hub – does anyone have a hub nowadays???
    Switch instead. NAC control.

    2) Update the router to have ACLs…. 1st perimeter

    3) Get a FW – there are a number ready to install on standard PCs – get a PC with at least 3 interfaces – and make a DMZ. 2nd perimeter

    4) In the DMZ place a proxy and a reverse proxy.
    I do not fear web attacks through a proxy (some professional ones can be used to prevent all attacks, but they ruin the budget). Again – a standard PC can be the proxy – and a second one the reverse proxy.

    5) Put the web proxy in the DMZ. Make sure any attack on the DMZ (proxy, web, etc.) only affects the DMZ.

    6) The users who browse the internet need access only through the proxy. ACLs, and do not allow critical websites.

  5. kelvin says:

    1. Perimeter security
    Procure and implement a hardware firewall with IPS or IDS and application security.
    Implement ACLs on both ports of the router.
    Create a DMZ on the firewall for the web server.
    Procure another PC server as proxy and VPN server (using Linux) and put it into the DMZ.
    Create another separate zone for the file server; only enable access from the internal network zone.
    Create proper firewall rules between zones.

    2. Platform security
    Upgrade the server operating system from Win2000 to Win2008.
    Implement an antivirus and patch management system for client workstations.
    Harden the web server and enable IPS protection on the firewall.
    Harden endpoint workstations and install antivirus clients.

    3. Access control
    Implement a domain directory on the file server and enable access based on business requirements.
    Implement data classification for sensitive data held on the file server.
    Implement access controls on network devices and servers.

    4. IT security operation
    Design a security policy and security operation procedures for daily IT operation covering incident management, log review, capacity and change management.

    5. Information security awareness
    Train the end users and IT.

  6. Teja says:

    A small modification to point 2 of my solution. The ‘And NAT?’ doesn’t mean that I am doubtful about implementing NAT at all. I could implement it on my Firewall and/or the Router. (1:1 NAT at router and 1:Many NAT at the Firewall)

    The NAT certainly shields my n/w by keeping only one IP exposed to the internet.

    In fact, as an alternative, there can be one Router + Firewall + NAT + VPN device at the perimeter with the same function as the one shown in the diagram.

    I am just considering the complexity of each approach. Please do comment on this – if you have an opinion on one approach better than the other.

  7. Teja says:

    I’m a rookie IT Security auditor and would love to hear comments/criticisms about my approach.

    From a risk standpoint I could immediately list down the following scenarios:
    1. Outsiders gain access to the internal network – through the same route as the employee accessing the file server.
    Internal environment compromised and confidential files exposed.
    Also important company files can be rendered unavailable.
    2. Web server compromised and used to take over the internal environment.
    3. DDoS attacks on the web server.
    4. Internal user accidentally installs malware that calls home.
    5. Lower risk: malicious internal users can sniff NTLM auth credentials – since it is a Windows environment – and compromise the whole internal environment in certain cases.

    Solution (in the order of importance):

    1. Implement ACLs at the router. This prevents unwanted and malicious traffic. (Free)

    2. Implement a properly configured stateful firewall (and NAT?) behind the router. The firewall, having 3 interfaces, will create a DMZ and an internal network.
    The firewall being stateful would allow the right traffic through and enable the internal users to go out to the internet. It would also prevent malware calling home and limit access to internal users.

    3. VPN server on the DMZ.

    I am not quite sure at this point if I need to put the VPN on the DMZ or add a 4th N/W interface and place VPN server at the firewall – essentially the VPN on its own DMZ.
    I looked at a forum discussion that had equally compelling arguments for both. Any comments on which is more relevant in this case?

    I went with the current option keeping in mind – the price of a network card and the additional complexity if VPN server is on its own DMZ.

    4. Back up (disaster recovery) the file server only if the availability of the files is as important as the confidentiality.

    5. Create a mechanism to push tested-patches regularly to all the machines on the network.

    6. Host based antivirus/firewall software.

    7. Make the internal network switch based – to reduce attack vectors internally.

    It is important that enough time and money are spent on configuring every component in the network properly – otherwise ‘all bets are off’.
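    Added example (not code from the post or from any commenter): a small Python model of the three-interface stateful firewall that Bent (comment 3) and Teja (above) describe, with an Internet, a DMZ and an internal zone. The addresses, the proxy port (3128) and the VPN port (udp/1194) are constructed assumptions. It shows why the stateful part matters: the web server’s replies to a customer are accepted because the customer opened the flow, yet the same web server cannot open a connection to the file server (Teja’s risk 2), and a workstation cannot reach the Internet except through the proxy (risk 4, and Bent’s point 6).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (an assumption for this example, not from the post):
# the firewall has one interface per zone; anything outside these nets is INTERNET.
ZONES = {
    "INTERNAL": ip_network("192.168.10.0/24"),   # workstations and file server
    "DMZ": ip_network("192.168.20.0/24"),        # web server, proxy, VPN server
}
FILE_SERVER = ip_address("192.168.10.5")
WEB_SERVER = ip_address("192.168.20.10")
PROXY = ip_address("192.168.20.20")       # hypothetical forward proxy on tcp/3128
VPN_SERVER = ip_address("192.168.20.30")  # hypothetical VPN endpoint on udp/1194


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    new: bool = True  # True: first packet of a connection (TCP SYN / first UDP datagram)


def allow_new(pkt: Packet, src_zone: str, dst_zone: str) -> bool:
    """Zone policy for NEW connections only; anything not listed is denied."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if (src_zone, dst_zone) == ("INTERNET", "DMZ"):
        # Only the published services are reachable from outside.
        return (dst == WEB_SERVER and pkt.proto == "tcp" and pkt.dport in (80, 443)) or \
               (dst == VPN_SERVER and pkt.proto == "udp" and pkt.dport == 1194)
    if (src_zone, dst_zone) == ("INTERNAL", "DMZ"):
        # Users reach the web only through the proxy (Bent's point 6).
        return dst == PROXY and pkt.proto == "tcp" and pkt.dport == 3128
    if (src_zone, dst_zone) == ("DMZ", "INTERNET"):
        # Only the proxy may open outbound connections; the web server may not.
        return src == PROXY and pkt.proto == "tcp" and pkt.dport in (80, 443)
    # DMZ -> INTERNAL, INTERNET -> INTERNAL and direct INTERNAL -> INTERNET: denied.
    return False


class StatefulFirewall:
    def __init__(self) -> None:
        # Connection table keyed by (client, server, proto, server_port).
        self.conntrack: set = set()

    def filter(self, pkt: Packet) -> str:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if src_zone == dst_zone:
            return "ACCEPT"  # same-zone traffic never crosses the firewall
        forward = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        reply = (pkt.dst, pkt.src, pkt.proto, pkt.sport)
        if not pkt.new:
            # Reply or mid-connection packet: only if the flow was opened in the
            # permitted direction earlier; unsolicited packets are dropped.
            return "ACCEPT" if forward in self.conntrack or reply in self.conntrack else "DROP"
        if allow_new(pkt, src_zone, dst_zone):
            self.conntrack.add(forward)
            return "ACCEPT"
        return "DROP"


def run_scenarios() -> dict:
    """Constructed traffic matching the risks listed in the comment."""
    fw = StatefulFirewall()
    customer, workstation, ext_site = "198.51.100.7", "192.168.10.50", "203.0.113.9"
    return {
        "customer_to_web": fw.filter(Packet(customer, str(WEB_SERVER), 51000, 443)),
        "web_reply_to_customer": fw.filter(Packet(str(WEB_SERVER), customer, 443, 51000, new=False)),
        "customer_to_fileserver": fw.filter(Packet(customer, str(FILE_SERVER), 51001, 445)),
        "compromised_web_to_fileserver": fw.filter(Packet(str(WEB_SERVER), str(FILE_SERVER), 40000, 445)),
        "workstation_direct_to_internet": fw.filter(Packet(workstation, ext_site, 52000, 443)),
        "workstation_to_proxy": fw.filter(Packet(workstation, str(PROXY), 52001, 3128)),
        "proxy_fetch": fw.filter(Packet(str(PROXY), ext_site, 53000, 443)),
        "unsolicited_ack_to_workstation": fw.filter(Packet(customer, workstation, 443, 52000, new=False)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32s} {verdict}")
```

    The same idea carries over to a real three-interface firewall: write the zone policy as a table of permitted NEW connections and let connection tracking handle the replies, rather than opening reverse rules by hand.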

  8. JeanMarcel says:

    Let’s try to approach the problem from the risk side. Once the risks (threats and vulnerabilities) are identified, let’s try to find technical solutions.

    In a short time, I tried to list the possible issues with this configuration:
    a) Web server: defacement, infection, undesired hosted programs, DDoS…
    b) File server: stolen data, unwanted modification of data, infection…
    f) Workstation: infection, untrusted applications installed, configuration error…
    i) Router: DDoS, unmanaged configuration manipulation…

    What can I do for free:
    - Update and patch the OS (web, file servers, workstations, router)
    - Install protection software (antimalware, host firewall)
    - Change all default passwords
    - Remove unnecessary software or OS features (reduce the attack surface)
    - Improve the access rights, encrypt sensitive information (be careful with the key management)

    What configuration changes will protect me against the most important threats:
    - Configure the border router with basic ACLs (block own and private IP addresses, block unneeded ports and protocols…)
    - Add a firewall (with VPN features), creating a DMZ for the web server, and configure the FW rules.

    With the rest of the money, I train the users to report strange system behaviour and how to behave with the system and information.

    With a deeper risk analysis, we could improve the configuration further.
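    Added example (not from the post or any commenter) of the border-router ACL that JeanMarcel, Bent and Teja all mention: ingress filtering that drops packets arriving from the Internet with private, bogon or the company’s own source addresses, drops services with no business exposure, and egress filtering so only the company’s own addresses leave. The public prefix 203.0.113.0/29 and the port list are constructed assumptions; the Cisco IOS-style rendering at the end is illustrative and assumes the egress check runs after NAT.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed values (assumptions for this example, not from the post).
OWN_PUBLIC = ip_network("203.0.113.0/29")  # the company's public prefix (TEST-NET-3)

# Source addresses that can never legitimately arrive from the Internet.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Services with no business reason to be reachable from outside (assumed list).
UNNEEDED_INBOUND = {"tcp": {23, 135, 137, 138, 139, 445, 1433, 3389},
                    "udp": {137, 138, 161}}

Packet = namedtuple("Packet", "src dst proto dport")


def ingress_check(pkt: Packet) -> tuple:
    """ACL applied inbound on the Internet-facing interface. Returns (action, reason)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if any(src in net for net in BOGONS):
        return "deny", "private/bogon source address"
    if src in OWN_PUBLIC:
        return "deny", "our own address arriving from outside (spoofed)"
    if dst not in OWN_PUBLIC:
        return "deny", "not addressed to us"
    if pkt.dport in UNNEEDED_INBOUND.get(pkt.proto, set()):
        return "deny", f"unneeded service {pkt.proto}/{pkt.dport}"
    return "permit", "traffic to our public prefix"


def egress_check(pkt: Packet) -> tuple:
    """ACL applied outbound (after NAT): only our own addresses may leave,
    and nothing may be sent to private/bogon space."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in OWN_PUBLIC:
        return "deny", "source is not ours (spoofed or leaked private address)"
    if any(dst in net for net in BOGONS):
        return "deny", "private/bogon destination must not leave"
    return "permit", "traffic from our public prefix"


def ios_style_acl() -> list:
    """Render the ingress policy as Cisco IOS-style extended ACL lines.
    Illustrative text only; IOS ACLs end with an implicit deny, which covers
    the 'not addressed to us' case."""
    lines = []
    for net in BOGONS:
        lines.append(f"access-list 101 deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list 101 deny ip {OWN_PUBLIC.network_address} {OWN_PUBLIC.hostmask} any")
    for proto, ports in UNNEEDED_INBOUND.items():
        for port in sorted(ports):
            lines.append(f"access-list 101 deny {proto} any any eq {port}")
    lines.append(f"access-list 101 permit ip any {OWN_PUBLIC.network_address} {OWN_PUBLIC.hostmask}")
    return lines


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        ("in", Packet("10.1.2.3", "203.0.113.2", "tcp", 80)),        # spoofed private source
        ("in", Packet("203.0.113.2", "203.0.113.2", "tcp", 80)),     # our own address from outside
        ("in", Packet("198.51.100.7", "203.0.113.2", "tcp", 445)),   # SMB from the Internet
        ("in", Packet("198.51.100.7", "203.0.113.2", "tcp", 443)),   # legitimate HTTPS
        ("out", Packet("192.168.10.50", "198.51.100.7", "tcp", 443)),  # un-NATed private address
        ("out", Packet("203.0.113.2", "198.51.100.7", "tcp", 443)),    # normal outbound
    ]
    for direction, pkt in samples:
        action, why = ingress_check(pkt) if direction == "in" else egress_check(pkt)
        print(f"{direction:3s} {pkt.src:>14s} -> {pkt.dst:>14s} {pkt.proto}/{pkt.dport}: {action} ({why})")
    print("\n".join(ios_style_acl()))
```

    Keeping the filters in this order (spoofed sources first, then unneeded services, then a permit to the company’s own prefix) means the router does the cheap, coarse work and the firewall behind it only sees traffic that could possibly be legitimate.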

  9. Razdan Khan says:

    I will be solution/product specific for this scenario since I have a budget.

    1. Procure a Palo Alto firewall with App-ID, IPS, FW, AV and SSL VPN enabled
    2. Procure PhoneFactor auth for 2-factor
    3. Integrate AD with PA and PhoneFactor and configure SSL VPN for users to access the network externally
    4. Create an anonymous auth in PA to publish the company webpage as an HTTPS-enabled page (with the assumption that the page is currently HTTP)
    5. If the file server is to be enabled over the internet, publish it via SSL VPN with token auth
    6. Configure App-ID to ensure only required apps can access towards the internal and external network

  10. Nwoke Okechukwu says:

    In addition:

    The major security appliance would be a firewall capable of IDS/IPS. A good example would be a Cisco ASA or an outright purchase of an IPS (HP TippingPoint IPS with a Digital Vaccine toolkit). This will handle protection for web servers as well as internal servers; it will also handle VPN access for staff outside the office.

    Further to that, DRM (Digital Rights Management) software could be deployed for protecting vital company information from unauthorized printing, copying, editing etc.

  11. Kunal says:

    Hi,

    Interesting…!

    There is lots that can be done. However, assuming the budget to be less than 20K, I would do the following:

    -1- Remove the Hub, if it isn’t required
    -2- Add a perimeter firewall cum VPN concentrator (at point “J”) and create a DMZ for the Webserver, and a different IP-Segment for the internal users (“F”)
    -3- In case the file-server needs to be segregated from the internal users, then a third IP-Segment could be created on the firewall to host it.
    -4- Users working from home, should at least use a VPN tunnel to connect to the environment, and use 2FA

  12. Nwoke Okechukwu says:

    I would suggest you put a firewall in front of the router with access control policies and signatures, which would help filter traffic through the ports and allow only privileged users with approved MAC addresses to access the file server.

    An open source IDS, depending on the budget, could be implemented to monitor the traffic between the internal users and the web server, to prevent unwanted traffic and malicious data.

  13. Excellent feedback so far, keep it coming guys!

  14. Muhammad Qureshi says:

    Hi

    From the diagram it appears that the router needs to be configured to restrict access to the file server: restricted ports and services based on business requirements. Authentication mechanisms should be implemented for users coming from the internet. It could be 2-factor authentication depending on the budget.

    Move the web server in front for users.

    Further secure the file server access with encryption controls.

    Try removing the hub if not required…

    That’s all I can think about at the moment…

    take care

  15. Fernando says:

    Hi, without knowing more details, I would say the simplest would be to convert the router into Firewall+VPN+NAT+IPS. Lots of options:
    - Consider a “security license” that would enable these features.
    - If people are comfortable with Linux (given the internal RH server), consider replacing the router with a Linux/BSD server/appliance with one of the many, many security packages, from simple iptables to pfSense or m0n0wall.
    - Consider another appliance such as Vyatta.

    FW+NAT to provide internet access with internal addresses and enforce access control
    VPN to allow access to external users
    IPS to monitor things

    Fancier things would be to have internal log server to review logs.

    Total HW budget – from 0 to 1000 USD depending on sizing
    Total SW budget – varies depending on router and image

    Use the rest of the budget for staff training and operational costs.

    Hope this helps.

    Fernando

  16. Ajay Porus says:

    This scenario is interesting. Even after looking at the budget constraints, I would just like to add one device to the network and rework the network diagram. First of all, we will put an open source UTM like OSSIM or Untangle, which can be configured on a normal box, and behind that we can have our router; there is no requirement for a hub in the network. Now change the position of the web server from the internal network to the DMZ, where proper hardening is required. The firewall should be configured in deny-all mode; only particular IPs, services and ports should be configured for the in and out network.

    We will configure the file server in a different VLAN altogether. All employees and users will be in a different VLAN. ACLs will be configured as per required access, or on the basis of roles and responsibilities, with MAC binding of all systems. The file server can only be accessed by the people who require it, nobody else.

    Now we configure OpenVPN with 128-bit AES for employees on external networks, so they can access the particular network and systems, and all external employees will also have access rights management. All the logs will be collected at the file server. Customers can access the website from the web server, which is hardened properly.

  17. kelvin says:

    It is interesting. But what’s the business requirements for security?
