Author Topic: Network Securities?  (Read 953 times)

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9910
Network Securities?
« Reply #15 on: November 30, 2004, 04:07:43 PM »
Quote
Originally posted by indy007
It was here before I got here. Also, my annual IT security budget is $0.00. I work with what I've got, which unfortunately is uh... not much.


Yeah I feel for ya. Why is it management never sees the need until the network is falling down around their ears?

We run a test lab with a Netscreen 5GT in our office, and my counterpart in another office does the same with the Sonicwalls (we distribute both products among other things in NZ).

We have two demonstrations:
 1) we have several "honeypots": email, ftp, http servers. These attract daily interest from hackers. All sorts of attacks come in. All we have to do is show them the logs and that's enough to scare most people into realizing their security is inadequate. Sometimes you see weird attacks like this:
2004-11-30 16:51:06 emer optatck_6_IMAP_err has been detected from 202.73.198.140/50819 to 192.168.1.2/143 through policy 4 1 times.

 2) we then demonstrate some basic web browsing with a McAfee-protected PC through the firewalls with Deep Inspection/IDP turned off for that PC. McAfee usually pops up some spyware/malware. We then repeat the sites we visit with Deep Inspection/IDP turned on, and of course McAfee stays silent, and the firewall logs show stuff like this:
2004-11-30 17:09:47 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from 192.168.10.2/14473 to 65.54.213.62/80 through policy 15 1 times.
2004-11-30 17:08:04 error DB:MS-SQL:SQLXML-ISAPI-OF has been detected from 192.168.10.2/14408 to 207.97.253.208/80 through policy 15 1 times.
2004-11-30 16:35:19 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/14194 to 65.59.207.13/80 through policy 15 1 times.
2004-11-30 16:10:46 warn HTTP:REQERR:REQ-MALFORMED-URL has been detected from 192.168.10.2/13731 to 66.28.224.242/80 through policy 15 1 times.
2004-11-30 15:54:09 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/13619 to 207.246.136.196/80 through policy 15 1 times.  

Now your Cisco PIX is letting that garbage straight through.

After that most people realize their Cisco, Linux, Checkpoint, or brand X firewall is not enough :) . Just talking about it doesn't seem to achieve much, whereas showing someone the benefits on a live system does. One recent customer replaced an old Watchguard with a Sonicwall 4060; in the first 2 days they had over 4000 attacks detected that previously had been going straight through that Watchguard.

Offline StarOfAfrica2

  • Platinum Member
  • ******
  • Posts: 5162
      • http://www.vf-17.org
Network Securities?
« Reply #16 on: December 01, 2004, 03:15:22 AM »
Quote
Originally posted by Vulcan
Errr that stuff is all crap. sysadmins = people who think they know about networks but don't.  That stuff deals with 5 year old security issues, it's not going to help you in today's environment.


Nice bedside manner.  This is why they don't let the network guys out of the back room.  Much of the stuff on the sites I pointed out IS dated, and I said as much.  It's still relevant, and useful, with the proper attention to current threats.  I wouldn't use it on a real network, but for a small one or home one it's good stuff.

Obviously, intelligence and education don't indicate good manners or even good reading comprehension.  At least not in your case.

Offline Heater

  • Silver Member
  • ****
  • Posts: 1381
Network Securities?
« Reply #17 on: December 01, 2004, 03:33:19 AM »
Quote
Originally posted by Vulcan
Yeah I feel for ya. Why is it management never sees the need until the network is falling down around their ears?

We run a test lab with a Netscreen 5GT in our office, and my counterpart in another office does the same with the Sonicwalls (we distribute both products among other things in NZ).

We have two demonstrations:
 1) we have several "honeypots": email, ftp, http servers. These attract daily interest from hackers. All sorts of attacks come in. All we have to do is show them the logs and that's enough to scare most people into realizing their security is inadequate. Sometimes you see weird attacks like this:
2004-11-30 16:51:06 emer optatck_6_IMAP_err has been detected from 202.73.198.140/50819 to 192.168.1.2/143 through policy 4 1 times.

 2) we then demonstrate some basic web browsing with a McAfee-protected PC through the firewalls with Deep Inspection/IDP turned off for that PC. McAfee usually pops up some spyware/malware. We then repeat the sites we visit with Deep Inspection/IDP turned on, and of course McAfee stays silent, and the firewall logs show stuff like this:
2004-11-30 17:09:47 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from 192.168.10.2/14473 to 65.54.213.62/80 through policy 15 1 times.
2004-11-30 17:08:04 error DB:MS-SQL:SQLXML-ISAPI-OF has been detected from 192.168.10.2/14408 to 207.97.253.208/80 through policy 15 1 times.
2004-11-30 16:35:19 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/14194 to 65.59.207.13/80 through policy 15 1 times.
2004-11-30 16:10:46 warn HTTP:REQERR:REQ-MALFORMED-URL has been detected from 192.168.10.2/13731 to 66.28.224.242/80 through policy 15 1 times.
2004-11-30 15:54:09 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/13619 to 207.246.136.196/80 through policy 15 1 times.  

Now your Cisco PIX is letting that garbage straight through.

After that most people realize their Cisco, Linux, Checkpoint, or brand X firewall is not enough :) . Just talking about it doesn't seem to achieve much, whereas showing someone the benefits on a live system does. One recent customer replaced an old Watchguard with a Sonicwall 4060; in the first 2 days they had over 4000 attacks detected that previously had been going straight through that Watchguard.


Well....if these are your logs, a few things you do not point out: your source address is a private IP and would have to be NATed to get to the internet, i.e. the traffic is coming from the internal network.

Try again!
« Last Edit: December 01, 2004, 03:36:47 AM by Heater »
HiTech is a DWEEB-PUTZ!
I have multiple personalities and none of them like you !!!


Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9910
Network Securities?
« Reply #18 on: December 01, 2004, 03:53:45 AM »
Quote
Originally posted by Heater
Well....if these are your logs, a few things you do not point out: your source address is a private IP and would have to be NATed to get to the internet, i.e. the traffic is coming from the internal network.

Try again!


Actually, Heater, the session is initiated by the internal IP. You see, there's a basic fundamental requirement that the users browse to the webpage; the webpage doesn't browse to the user. Hence the source IP for the session is the NAT'd internal address.

If it were a remote internet user browsing to my web server, then the source IP would be their internet IP.

Back to skool for you pleeb!
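The two Netscreen demos earlier in the thread (honeypot hits from the internet, and Deep Inspection hits on outbound browsing) and the NAT argument just above are really one question: for each log line, who opened the session? The following is an added example, not code from the thread or from Juniper/Netscreen. It parses lines of the exact shape the thread shows (the regex is an assumption about that shape; the real appliance emits other message types this does not handle), uses the RFC 1918 test to decide whether the internal host or the internet side initiated, and tallies signatures per direction. The severity ordering is assumed to follow syslog conventions, since the thread only shows `emer`, `error`, `warn` and `info`. The sample log lines are the ones posted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Shape of the log lines quoted in the thread (assumed regular for this demo).
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<severity>\w+) (?P<signature>\S+) has been detected from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"through policy (?P<policy>\d+) (?P<count>\d+) times\.?$"
)

# Assumed syslog-style ordering, least to most severe.
SEVERITY_ORDER = ["debug", "info", "notice", "warn", "error", "crit", "alert", "emer"]

# Log lines as posted in the thread (six events, two directions).
SAMPLE_LOG = [
    "2004-11-30 16:51:06 emer optatck_6_IMAP_err has been detected from 202.73.198.140/50819 to 192.168.1.2/143 through policy 4 1 times.",
    "2004-11-30 17:09:47 info HTTP:TUNNEL:CHAT-MSN-IM has been detected from 192.168.10.2/14473 to 65.54.213.62/80 through policy 15 1 times.",
    "2004-11-30 17:08:04 error DB:MS-SQL:SQLXML-ISAPI-OF has been detected from 192.168.10.2/14408 to 207.97.253.208/80 through policy 15 1 times.",
    "2004-11-30 16:35:19 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/14194 to 65.59.207.13/80 through policy 15 1 times.",
    "2004-11-30 16:10:46 warn HTTP:REQERR:REQ-MALFORMED-URL has been detected from 192.168.10.2/13731 to 66.28.224.242/80 through policy 15 1 times.",
    "2004-11-30 15:54:09 info HTTP:SQL:INJECTION:GENERIC has been detected from 192.168.10.2/13619 to 207.246.136.196/80 through policy 15 1 times.  ",
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "policy", "count"):
        rec[key] = int(rec[key])
    return rec


def direction(rec):
    """Classify who initiated the session from the source/destination addresses.

    The firewall logs the session's initiator as 'from'; with a NAT'd client the
    initiator is the private address, so a private source does not mean the
    attack originated inside, only that an inside host opened the connection.
    """
    src_private = ipaddress.ip_address(rec["src"]).is_private
    dst_private = ipaddress.ip_address(rec["dst"]).is_private
    if src_private and not dst_private:
        return "outbound"   # internal client browsed out; content was malicious
    if dst_private and not src_private:
        return "inbound"    # internet host connected to an internal (honeypot) server
    return "other"          # both private or both public: not classifiable here


def summarize(lines):
    """Tally hit counts per signature, split by session direction."""
    summary = {"outbound": Counter(), "inbound": Counter(), "other": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary[direction(rec)][rec["signature"]] += rec["count"]
    return summary


def at_least(lines, level):
    """Return parsed records whose severity is at or above `level` (for triage)."""
    threshold = SEVERITY_ORDER.index(level)
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["severity"] in SEVERITY_ORDER \
                and SEVERITY_ORDER.index(rec["severity"]) >= threshold:
            out.append(rec)
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for d in ("inbound", "outbound", "other"):
        for sig, n in s[d].most_common():
            print(f"{d:9s} {n:3d}  {sig}")
    print("error or worse:", [(r["severity"], r["signature"]) for r in at_least(SAMPLE_LOG, "error")])
```

Run on the thread's six lines, the honeypot IMAP event is the only inbound one and the five browsing events are outbound, which is exactly the distinction the NAT exchange above turns on. The `at_least` filter is the first pass an analyst would apply to the same feed before reading every `info` line.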

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9910
Network Securities?
« Reply #19 on: December 01, 2004, 03:57:19 AM »
Quote
Originally posted by StarOfAfrica2
Nice bedside manner.  This is why they don't let the network guys out of the back room.  Much of the stuff on the sites I pointed out IS dated, and I said as much.  It's still relevant, and useful, with the proper attention to current threats.  I wouldn't use it on a real network, but for a small one or home one it's good stuff.

Obviously, intelligence and education don't indicate good manners or even good reading comprehension.  At least not in your case.


LOL bedside manner? You're not one of my customers so I can say what I like. Pay me and I'll be polite.

If it's not good enough for a "real" network then why the hell would you recommend it for a home network? There's no reason for a home network to be any less protected than a "real" network, especially given people store lots of personal confidential information on their PCs at home, and may even use their home network to access their corporate network (i.e. VPN in).

I just don't like people linking to a bunch of crap that they tell others is good security. The worst offenders are sys admins, especially Linux or Microsoft monkeys who don't have a clue about the capabilities of anything beyond their OS.

Offline bikekil

  • Gold Member
  • *****
  • Posts: 2038
Re: Network Securities?
« Reply #20 on: December 01, 2004, 07:03:24 AM »
Quote
Originally posted by BlckMgk
Hey folks,

Was wondering if any of you were in the field of network securities or database management.

If not, do you know folks that you could recommend.

The gist of what I need done is to secure our office network, and possibly set up a VPN for a few users as well as a secure connection between databases.

Any advice would be appreciated.

Thanks,
BM


Would be glad to help, but I'm in Poland ;)

Offline StarOfAfrica2

  • Platinum Member
  • ******
  • Posts: 5162
      • http://www.vf-17.org
Network Securities?
« Reply #21 on: December 01, 2004, 01:42:48 PM »
Quote
Originally posted by Vulcan
LOL bedside manner? You're not one of my customers so I can say what I like. Pay me and I'll be polite.

If it's not good enough for a "real" network then why the hell would you recommend it for a home network? There's no reason for a home network to be any less protected than a "real" network, especially given people store lots of personal confidential information on their PCs at home, and may even use their home network to access their corporate network (i.e. VPN in).

I just don't like people linking to a bunch of crap that they tell others is good security. The worst offenders are sys admins, especially Linux or Microsoft monkeys who don't have a clue about the capabilities of anything beyond their OS.


When I say "real" network, I'm talking more than a handful of computers in a large network.  I'd use the setup any day for up to 5, maybe as much as 7 computers on a network, depending on the bandwidth of the connection.  Not only is it secure, it's free.  All you are out is the cost of an older PC to stand as the "visible-to-the-internet" box holding your IP.

I said the links were useful.  I even said IPMasq was good for a small network.  I never said the links were "good security", or made a recommendation that the info be followed, and again, I even mentioned that some of the information was dated.  It was recommended for reading, and getting ideas, not to be taken as state-of-the-art gospel for IT security issues.  Obviously your reading comprehension skills ARE in need of help.  Of course, you don't need to read, do you?  Keep scratching, monkey, maybe you'll get lucky eventually and find a clue.

It's awfully funny, you have such a thing against sysadmins.  Every one I know gets to tell the network guys what to do, not the other way around.  Sour grapes maybe?

Offline indy007

  • Gold Member
  • *****
  • Posts: 3294
Network Securities?
« Reply #22 on: December 01, 2004, 03:03:12 PM »
Quote
Originally posted by StarOfAfrica2
It's awfully funny, you have such a thing against sysadmins.  Every one I know gets to tell the network guys what to do, not the other way around.  Sour grapes maybe?


Prolonged exposure to book-learned MCSEs has warped the perspectives of many of us. I don't have problems with good system admins. I know a few of them, and learned a lot of useful stuff. However, those are few & far between. 90% of the system admins I've met had lots of certifications, but no practical experience. I wouldn't trust them to run a vacuum cleaner, let alone a production database box. They're the same people that quit their day-jobs, took a 2 week course, and flooded the market during the dot-com boom. On the flipside of that, I had to lecture some co-workers on how xDSL worked a few years ago... all of them were CCNAs at the minimum (except me, with no certs).. their eyes glazed over, and a 15 minute briefing turned into 2 hours of "It's irrelevant. You're thinking too much. It's not part of the issue." & "You know we're talking about DSL... right?".

Lack of common sense is universal, and analytical ability is very difficult to train. Now I'm a decently paid desktop tech/system admin/network admin/helpdesk support person, and don't have to play dueling egos with any technical person. At least the users are still cowed into submission quickly enough with the appropriate jargon...

Offline Maniac

  • Gold Member
  • *****
  • Posts: 3817
Network Securities?
« Reply #23 on: December 01, 2004, 03:10:24 PM »
What can I say on this topic? I'm an admin.

The Admins actually have a life. You "Uber" Nerds really are swinging your dicks in this thread, ain't you.

Well, i guess being laughed at all your life, you deserve some place to show off.

And by the way, set up your security system. It all comes down to the end user anyway. No matter what crap hardware you buy.
« Last Edit: December 01, 2004, 03:12:54 PM by Maniac »
Warbirds handle : nr-1 //// -nr-1- //// Maniac

Offline AKIron

  • Plutonium Member
  • *******
  • Posts: 13239
Network Securities?
« Reply #24 on: December 01, 2004, 03:24:01 PM »
Quote
Originally posted by Vulcan
If its not good enough for a "real" network then why the hell would you recommend it for a home network? Theres no reason for a home network to be any less protected than a "real" network, especially given people store lots of personal confidential information on their PC's at home, and may even use their home network to access their corporate network (ie VPN in).
 


While I agree that both should be protected, a cheap Netgear firewall is quite sufficient for most home networks. They aren't easy to hack if you at least change the password, and there is much less motivation for someone to spend the effort to break into my home computer than a corporate network. Even if all some bozo is going to do is break in and upload shared filez, he'll find a company's measly T1 far more useful than my relatively slow cable uplink speed. I've been continuously up on broadband for at least 6 years now and have never been hacked, or at least have seen no evidence of it.
Here we put salt on Margaritas, not sidewalks.

Offline StarOfAfrica2

  • Platinum Member
  • ******
  • Posts: 5162
      • http://www.vf-17.org
Network Securities?
« Reply #25 on: December 01, 2004, 05:16:20 PM »
Quote
Originally posted by indy007
Prolonged exposure to book-learned MCSEs has warped the perspectives of many of us. I don't have problems with good system admins. I know a few of them, and learned a lot of useful stuff. However, those are few & far between. 90% of the system admins I've met had lots of certifications, but no practical experience. I wouldn't trust them to run a vacuum cleaner, let alone a production database box. They're the same people that quit their day-jobs, took a 2 week course, and flooded the market during the dot-com boom. On the flipside of that, I had to lecture some co-workers on how xDSL worked a few years ago... all of them were CCNAs at the minimum (except me, with no certs).. their eyes glazed over, and a 15 minute briefing turned into 2 hours of "It's irrelevant. You're thinking too much. It's not part of the issue." & "You know we're talking about DSL... right?".

Lack of common sense is universal, and analytical ability is very difficult to train. Now I'm a decently paid desktop tech/system admin/network admin/helpdesk support person, and don't have to play dueling egos with any technical person. At least the users are still cowed into submission quickly enough with the appropriate jargon...


You have a point.  It's too easy these days to take a class on how to be a sysadmin and pass a test at the local vocational training college and say you are "certified."  In their defense, in many areas it's really hard to get hired on without either experience or certification.  Guess which is easier to get?  And there for a while in the mid-90s companies really pushed certs.  Microsoft didn't help matters by posting all over the internet that just having an MCSE cert. was enough to land you a 60k per year and up job.  I can remember reading (from the Microsoft website) that a person with an MCP cert. should be making 25k-30k STARTING pay.  Granted 25k ain't much.  I have an MCP and I sure don't brag about it.  That's like saying I listened to Sally Struthers and learned how to fix cars from home.  It ain't getting me a job at the Ford dealership garage.  But seriously, a lot of us were suckered into paying for those certs. because we were told companies wanted that.

I quit working on my MCSE after the first 3 tests.  I decided I really wanted to learn UNIX systems but I couldn't afford to go back to college again.  I'd been on the fence about Linux for some time, but it was really catching on in the late 90s.  Even IBM jumped on the bandwagon.  I threw my hat in the ring and went full forward.   A company in St. Louis started training people to pass the Linux sysadmin cert. program, and also was doing switchovers for companies running Windows NT that wanted to change to Linux, and offering 24 hour tech support.  They promised people who passed the cert. tests out of their classes jobs starting at 40k per year with full benefits.  They had offices in 8 cities, and claimed lots of revenue.  They scammed us.  Turned out they only had one client, had tons of hardware they got fronted to them, had lots of us in the classes providing them with some income, but they had the prospect looming of hiring all of us from the classes if we passed.  Long story short, they folded operations and left us high and dry without our money and without jobs, AND without the certification.  I went ahead and taught myself what I hadn't learned and paid for my own certification, certain that Linux was coming into its own and I wanted to be there, not just to take advantage but to understand it.  Its success varies from city to city, but where I'm at now it's pretty hard to find a job.  Even Windows guys here, while in more demand, have a hard time.  Too many of them.  I changed careers and I'm happy enough.  I get to dabble now instead of working in it every day.

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9910
Network Securities?
« Reply #26 on: December 01, 2004, 08:08:24 PM »
Quote
Originally posted by Maniac
What can I say on this topic? I'm an admin.

The Admins actually have a life.


Uh huh :rolleyes:

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9910
Network Securities?
« Reply #27 on: December 01, 2004, 08:16:08 PM »
Quote
Originally posted by AKIron
While I agree that both should be protected, a cheap Netgear firewall is quite sufficient for most home networks. They aren't easy to hack if you at least change the password, and there is much less motivation for someone to spend the effort to break into my home computer than a corporate network. Even if all some bozo is going to do is break in and upload shared filez, he'll find a company's measly T1 far more useful than my relatively slow cable uplink speed. I've been continuously up on broadband for at least 6 years now and have never been hacked, or at least have seen no evidence of it.


Though I'm inclined to agree with some of what you say, there's a real shift in attack patterns and exploits going on.

Firstly, most attacks used to be of a disabling/damaging kind. This has now shifted to an exploitive/information gathering pattern.

Secondly, most attacks/hacks used to be done by hand. This has now shifted towards attack/exploit automation.

Last, most spyware/trojans came from clearly identifiable "dodgy" webpages or software. This has now shifted to hackers exploiting compromised "good guy" web servers without taking them down.

As an example, say you visit a website like the AH BBS. One day someone hacks the BBS, gets in, but instead of the usual kiddie crap uploads a trojan into the HTML. You come here, browse the site totally trusting HTC. Next thing you know you have a trojan. That person then installs keylogger software, and gets routine dumps emailed to them that allows them to search for username/password combinations. Is there anything you log into from home that you don't want others to see? They also sell your IP as part of zombied PC deals for spammers (1 million zombied PCs for $10k is what I've heard you can get for 24 hours).

It's getting so bad that many organisations like banks who provide online services are moving down the path of two-tier authentication systems and looking at making online banking customers subsidise these tokens. We've just had one start doing it in NZ.

Offline bikekil

  • Gold Member
  • *****
  • Posts: 2038
Network Securities?
« Reply #28 on: December 02, 2004, 03:06:11 AM »
Quote
Originally posted by AKIron
While I agree that both should be protected, a cheap Netgear firewall is quite sufficient for most home networks. They aren't easy to hack if you at least change the password, and there is much less motivation for someone to spend the effort to break into my home computer than a corporate network. Even if all some bozo is going to do is break in and upload shared filez, he'll find a company's measly T1 far more useful than my relatively slow cable uplink speed. I've been continuously up on broadband for at least 6 years now and have never been hacked, or at least have seen no evidence of it.


That's the whole truth. There is NO network that can't be compromised... the question is always "when" not "if". I'm working for the biggest ISP in Poland and as an IT manager (before that a sysadmin for many years) I know who we are hiring and how much we pay them - the security folks... every single one of them discovered and published many holes in various OSes, but the other thing (browse for lcamtuf, bulba or cliph) is how many of their findings they are keeping for themselves? And believe me, the answer is - not that little. Now think about the number of the guys who have so great knowledge. Think about the number of the holes in the OSes and software, then about how long it takes to prepare a security fix for the hole that is published.
That leads to the conclusion - every system/network can be compromised :)

When you look at it that way, you have to remember that the majority of the hackers are script kiddies who have no real knowledge. They can be stopped without using any sophisticated methods; also they are looking for non-secured systems to hack. A "cheap" firewall is more than enough to stop them.

Then it all depends on your needs; for example, it is not needed to implement a whole DMZ on a home network, but it can be a good idea for a company that really wants to protect something while exposing something. There could be many more examples, you could build advanced IDS/IPS systems and so on... :)

As for the specific systems you could use, you always have to make sure what you need, then how much you can spend on it. If you answer those questions you will only have to check what you can get for the money you can spend and select the best option.

If you don't have the money to invest, in most cases you will have to invest your time (or someone's time) to build a solution that suits you.... or to recover from losing some of your data ;)

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9910
Network Securities?
« Reply #29 on: December 02, 2004, 04:31:22 AM »
Quote
Originally posted by bikekil
That's the whole truth. There is NO network that can't be compromised... the question is always "when" not "if".

When you look at it that way, you have to remember that the majority of the hackers are script kiddies who have no real knowledge. They can be stopped without using any sophisticated methods; also they are looking for non-secured systems to hack. A "cheap" firewall is more than enough to stop them.


I disagree, the majority of hackers are no longer script kiddies. The script kiddie stuff is only the stuff that's actually detected the majority of the time. The hackers have switched from bragging mode to let's make some $$$ mode - and that's the stuff that slips by undetected.  A cheap firewall is almost a complete waste of time. You might as well put no firewall in and hope for the best with your AV software.

I rarely see the type of attacks a cheap firewall protects against coming in. In fact, I could put two PCs side by side, connect one to the internet with a cheap firewall and average AV software, and connect the other directly to the internet with good AV software like McAfee's 8i but no firewall. I guarantee the one with the cheap firewall would be compromised way before the one with McAfee 8i would.

Most network security is also focussed on assuming that a network can be compromised AND detecting it. Part of the Netscreen DI package is alerts on potential trojans trying to get out from infected machines.

Let me ask you this bikekil, what type of firewalls does your ISP use? Do you offer clean traffic options to your subscribers?