Thanks excellent advice - much to think about.

On Thu, 28 Feb 2013 14:09:39 +0000 "Tom Ritter" <t...@ritter.vg> wrote:

>On 28 February 2013 07:39, <anonymous2...@nym.hush.com> wrote:
>> Hi,
>> We are a human rights NGO that is looking to invest in the best
>> possible level of network security (protection from high-level
>> cyber-security threats, changing circumvention/proxy to protect IP
>> address etc, encryption on endpoints and server, IDS/Physical and
>> Software Firewall/File Integrity Monitoring, Mobile Device
>> Management, Honeypots) we can get for our internal network. I was
>> wondering if people would critique the following network, add
>> comments, suggestions and alternative methods/pieces of software.
>> (Perhaps if it goes well we could make a short paper out of it, for
>> others to use.)
>>
>> -Windows 2012 Server
>> -VMWare virtual machines running Win 8 for remote access
>
>Windows doesn't scare me, full remote access scares me. (I'm amazed
>at how many people are saying "X is insecure" with no explanations how
>or why an alternative is more secure.) Obviously you'll need something
>for remote workers, but see the next section...
>
>> -Industry standard hardening and lock down of all OS systems.
>
>Industry 'Standard' hardening isn't particularly good because
>'Standard' is 'Standard' and 'Standard' is also hacked over and over
>again. Upgrading your RDP authentication level is a good idea and
>'Standard' - but what you want most of all is separation of privilege.
>I don't mean "Bob the sysadmin is the only person who can administer
>the mailserver" I mean "Bob the sysadmin is the only person who can
>administer the mailserver, and he can only do it from a separate
>computer that's on a separate airgapped network and he doesn't use USB
>keys".
>
>Airgapping brings thoughts of crazy military-levels of paranoia - but
>it's not all that difficult and it's getting more and more important.
>Get a couple cheapish laptops, a separate consumer-level broadband
>connection, and run red cables plus blue to a few people's desks.
>
>Think about it in terms of compartmentalisation, both airgapped and
>non-airgapped-but-separate-Domains/VLANs/Authorisation contexts. Draw
>out your network, and then fill an entire section with Red - that's
>what the attacker controls. How does he move to another section? What
>data does he get? Brainstorm this part heavily, consider putting it
>up on a permanent whiteboard and referring to it every time someone
>comes in and needs access to X group's fileserver, or what-have-you.
>
>> -Constantly changing proxies
>
>I have no idea what you intend to accomplish with this. Performing
>*more* logging of your employees, or not disabling WPAD sounds like
>the opposite of what you'd want. (And a note on the WPAD item:
>disable IPv6 too.)
>
>> -Sophos Enterprise Protection, Encryption and Patch management
>> -Sophos mobile management
>
>Uh, I guess. I guess I shouldn't disparage something I've never
>reviewed and haven't worked with... But my opinion of "Enterprise
>Protection" products isn't too high until I've seen an independent
>security firm see how secure the product is and how much attack
>surface it adds.
>
>> -Encrypted voice calls for mobile and a more secure alternative to
>> Skype via Silent Circle.
>
>So I guess that's RedPhone?
>
>> -TrueCrypt on all drives - set to close without use after a
>> specific time
>
>BitLocker is a fine alternative, and probably easier to manage/query
>via Group Policy.
>
>> -False and poison pill files
>> -Honeypots
>
>Ooookay. This isn't a bad idea, but it's pretty damn complicated to
>set up - you're moving more and more towards something that requires a
>24/7 SOC (Security Operations Center) and further away from
>"Architecting a secure network."
>
>> -Snort IDS
>> -Tripwire
>
>And someone full time (or 2 people, really probably a team of folks
>operating 24/7) to monitor these? Cause this stuff doesn't help you
>if no one's looking at it.
>
>> -Easily controlled kill commands
>
>... Huh?
>
>> -No wifi
>
>Good luck with that. I guess no one's going to have any productive
>meetings or use any MacBook Airs, tablets, or phones for work
>purposes. (Unlikely.) Having everyone use the cell towers isn't a
>great idea either. This sounds like you haven't done a requirements
>gathering phase with your users.
>
>-tom
>--
>Too many emails? Unsubscribe, change to digest, or change password
>by emailing moderator at compa...@stanford.edu or changing your
>settings at
>https://mailman.stanford.edu/mailman/listinfo/liberationtech
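Tom's "fill an entire section with Red" exercise can be run mechanically instead of only on a whiteboard. The script below is an added example, not code from the thread or from any list member: it models a constructed network of segments, the data each holds and the flows the firewall/VLAN policy permits, then reports every segment an attacker who owns one segment can pivot to and what data that exposes. All segment names, flows and data labels are made-up assumptions; the model also shows that the airgapped admin network stays unreachable only because no permitted flow leads into it.

```python
"""Reachability model for the 'paint a segment Red' compartmentalisation exercise.

Added example (not from the mailing-list thread). Segments, permitted flows and
data labels below are constructed assumptions for illustration only.
"""
from collections import deque

# Constructed: segment -> data held in that segment
DATA = {
    "remote_access_vms": {"vpn_session_tokens"},
    "user_vlan": {"user_workstations"},
    "fileserver": {"casework_documents"},
    "mailserver": {"mailboxes"},
    "admin_airgap": {"domain_admin_credentials"},
}

# Constructed: permitted flows (source -> destinations). Only flows the policy
# allows matter; an attacker in a segment can reach whatever it may talk to.
# Note the admin network reaches the mailserver, but nothing reaches it back.
FLOWS = {
    "remote_access_vms": {"user_vlan", "fileserver", "mailserver"},
    "user_vlan": {"fileserver", "mailserver"},
    "fileserver": set(),
    "mailserver": set(),
    "admin_airgap": {"mailserver"},
}


def reachable(start, flows=FLOWS):
    """Breadth-first walk over permitted flows from a compromised segment."""
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in flows.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_data(start, flows=FLOWS, data=DATA):
    """Union of the data held by every segment the attacker can pivot to."""
    return set().union(*(data.get(s, set()) for s in reachable(start, flows)))


if __name__ == "__main__":
    for red in ("remote_access_vms", "user_vlan", "mailserver"):
        print(f"Red = {red}: reaches {sorted(reachable(red))}, "
              f"exposes {sorted(exposed_data(red))}")
```

Re-running it each time someone asks for a new flow (the "needs access to X group's fileserver" moment) shows exactly which extra data the change puts within reach of an already-Red segment.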