thegeezer <thegeezer <at> thegeezer.net> writes:
> > I'm researching where we run all sorts of applications very securely, > > for one person at a time. It's eventually (hopefully) going to be > > a full LMS Learning Management system, something comprehensive, maybe even > > www-apps/moodle and or SWAD. Eventually a full ecommerce system, just > > for one company, not as a service to others. > > sounds interesting. going for full interactive video distance learning > too would be a great direction to take, especially if the teacher > controls who has audio (to speak). > > the only thing i would add is to keep each system seperated as much as > possible. don't put everything on one server. bad things happen to good > people so try to make sure one thing doesn't affect another. depending > on the age of the people you are helping they probably will try to use > latest scriptkiddie toys against you first, so think about the ingress > and egress of the network and of the individual nodes when you think > about security. We're planning on lots of unwanted noise from a range of talented problem hackers. Eventually a massive VM system approach will be deploy, but first I want to test security the old fashion way.... > > But for now, just running various forms of secure, minimized DNS. Some > > machine controls (SCADA) will use the DNS as part of the SSL services. > > > > scada huh. i wouldn't put it on a public facing internet connection. > even on a network connected to things i care about. i'm sure you have > good reasons, i would probably urge you to reconsider them [3] Let me share a little background with you on SCADA. Most networks that have SCADA on them, are really poorly secured. It's just layers upon layers of MS crap. I do not design those sorts of machine networks. I have been given the opprotunity of 'fix' many such networks. Most I just walk away from. I employ techniques I would characterize as "network partitioning" and "asymmetric traffic routing" and loads of passive monitoring and profiling. Many scada networks have all sorts of improperly configured devices, bounced packets, and no sort of 'state machine' design on what is and is not need, how often and why. They have evolved, mostly by technicians and poorly trained IT folks that just 'got it to work' without optimization or system design constraints being enforced. Far too many folks and machines are present on those critical networks. IT folks view a 20 million dollar gas turbine, just like an expensive printer. Hacking them is trivial. Most SCADA networks have MS servers on the same segments for the'convenience' of all sorts of non-essential personel. To boot they put video surveillance networks in place, so the hackers can actually "see" the physical layout of the plants. Stupid does not begin to characterize the mistakes common to scada operations. You have the very wrong impression of my scada network designs. Most companies I talk to, do not like my 'draconian' designs, and I'm never going to be responsible for MS inspired, stupid networks. That said the big vendors do make billions of (scada) dollars and I search pretty hard form companies that will listen and I like enough to work for. Networks with many machines and without humans are easy to secure, you just have to think out of the box a bit.... (sorry trade secrets here). Just keep anybody with an MBA out of the process. > >> if you are looking for dynamic dns updates you want to make sure you > >> have auth by secured ip (encrypted traffic) and you want to guard your > >> keys to allow DDNS. > >> > >> DNSSec is to prevent MITM attacks such as DNS cache poisoning, and you > >> can see some starter material at ISC BIND website [1] > > DNS sec will be down the road. I have time to build, test, research > > and adjust the strategy as this goes along. It's not fixing a desparate > > situation; more along the lines of building up various secure dns > > platforms along an increasing features set. > > if your scada devices are using the public internet to get to your dns > servers i would seriously urge you to rethink things, even if you are > using dnssec. Ok, so even though folks consider these 'devices' as scada, I do not. I mostly work on industrial control systems, when I choose to do scada work. What you are referring to, something like using a cell phone to open your front door, turn on the hot tub, or manipulate your audio gear, is not really what I consider scada, but others do. If those things get hacked, you flood a basement, illegally enter a house etc etc. Bad things but not really catistrophic to the neighborhood. For me, scada means big industry, water supply, chemical plants, manufacturing etc etc. So if you hack them, costs rise astronomically, very quickly. Loss of life is a distinct possibility. These types of things should not depend on MS anything, or using the open internet for anything. Few listen now a days, because of the allure of sexy visual candy for folks that do not need access to the data/controls/equipment. Large telecom companies are the worst offenders, that why the gov. is not considering them to mandate security standards, under the guise that it is for their customers...... Stuxnet was a weakup call. Few listen. Far, far worse is bound to happen, sooner or later. > >> In terms of "hack my dns server" there are many things that can hamper > >> it - something at the bleeding edge like gentoo is ace for this kind of > >> thing (*cough* centos is prehistoric *cough*) and if you were to load up > >> metasploit with ISC specific filters you can try to see what is > >> vulnerable. you can filter by CVE on your favourite website [2] > > Yep: > > http://cyberarms.wordpress.com/2014/04/20/detecting-openssl-heartbleed-with-nmap-exploiting-with-metasploit/ > > > > I got that, hense the advise is being sought out, first. > > > and bear in mind the security in depth. your perimeter will be bypassed > - what happens next is down to you. > you are looking at having possible external user generated web content I'm looking for consolidated information. I have a very very good track record for (2) things. Keeping machines very secure and pissing off managers by designing system with a need to know and very very limited access. I usually save folks signficantly by using the word "No" to all sorts of stupid ideas. One customer paid me out a fraction of the savings they realized, for a very long time. What managers need are reports from databases on systems, production and security scans, not real time access...... However, go to a trade show on scada and it's a feeding freenzy for hackers....... Vendors are putting controls on cell phones and have security equivalent to WEP. Thanks for your input. My goals here are building a series of dns servers from very simple and very secure, and on up, slowly learning and creating a portal for other to experinece what I figure out. My techniques on machines are pretty much unpublished and unique. In a big industrial environment, I teach folks to build something unique, and not follow the vendor main-line approach. Few listen, hence all the noise lately about the chineese hacking industries in the US...... The sad thing is most industries think the US governement is watching their network, will swoop in just in time to save them, and not make the managers look like idiots, when press reports are leaked. They do not understand that government agenices have a singular focus to increase their funding, and not to protect anyone. You nor I can get through to them, until after the pooper has been hacked. idiots....abound, sorry for the digression. peace, James
