Agreed, this kind of advice is what I was hoping to get on LibTech!

On Thu, 28 Feb 2013 14:16:56 +0000 canto...@hushmail.com wrote:
>Thanks excellent advice - much to think about.
>
>On Thu, 28 Feb 2013 14:09:39 +0000 "Tom Ritter" <t...@ritter.vg> wrote:
>>On 28 February 2013 07:39, <anonymous2...@nym.hush.com> wrote:
>>> Hi,
>>> We are a human rights NGO that is looking to invest in the best
>>> possible level of network security (protection from high-level
>>> cyber-security threats, changing circumvention/proxy to protect IP
>>> address etc, encryption on endpoints and server, IDS/Physical and
>>> Software Firewall/File Integrity Monitoring, Mobile Device
>>> Management, Honeypots) we can get for our internal network. I was
>>> wondering if people would critique the following network, add
>>> comments, suggestions and alternative methods/pieces of software.
>>> (Perhaps if it goes well we could make a short paper out of it, for
>>> others to use.)
>>>
>>> -Windows 2012 Server
>>> -VMWare virtual machines running Win 8 for remote access
>>
>>Windows doesn't scare me, full remote access scares me. (I'm amazed
>>at how many people are saying "X is insecure" with no explanations
>>how or why an alternative is more secure.) Obviously you'll need
>>something for remote workers, but see the next section...
>>
>>> -Industry standard hardening and lock down of all OS systems.
>>
>>Industry 'Standard' hardening isn't particularly good because
>>'Standard' is 'Standard' and 'Standard' is also hacked over and over
>>again. Upgrading your RDP authentication level is a good idea and
>>'Standard' - but what you want most of all is separation of
>>privilege. I don't mean "Bob the sysadmin is the only person who can
>>administer the mailserver" I mean "Bob the sysadmin is the only person
>>who can administer the mailserver, and he can only do it from a
>>separate computer that's on a separate airgapped network and he
>>doesn't use USB keys".
>>
>>Airgapping brings thoughts of crazy military-levels of paranoia - but
>>it's not all that difficult and it's getting more and more important.
>>Get a couple cheapish laptops, a separate consumer-level broadband
>>connection, and run red cables plus blue to a few people's desks.
>>
>>Think about it in terms of compartmentalisation, both airgapped and
>>non-airgapped-but-separate-Domains/VLANs/Authorisation contexts. Draw
>>out your network, and then fill an entire section with Red - that's
>>what the attacker controls. How does he move to another section? What
>>data does he get? Brainstorm this part heavily, consider putting it
>>up on a permanent whiteboard and referring to it every time someone
>>comes in and needs access to X group's fileserver, or what-have-you.
>>
>>> -Constantly changing proxies
>>
>>I have no idea what you intend to accomplish with this. Performing
>>*more* logging of your employees, or not disabling WPAD sounds like
>>the opposite of what you'd want. (And a note on the WPAD item:
>>disable IPv6 too.)
>>
>>> -Sophos Enterprise Protection, Encryption and Patch management
>>> -Sophos mobile management
>>
>>Uh, I guess. I guess I shouldn't disparage something I've never
>>reviewed and haven't worked with... But my opinion of "Enterprise
>>Protection" products isn't too high until I've seen an independent
>>security firm see how secure the product is and how much attack
>>surface it adds.
>>
>>> -Encrypted voice calls for mobile and a more secure alternative to
>>> Skype via Silent Circle.
>>
>>So I guess that's RedPhone?
>>
>>> -TrueCrypt on all drives - set to close without use after a
>>> specific time
>>
>>Bitlocker is a fine alternative, and probably easier to manage/query
>>via Group Policy.
>>
>>> -False and poison pill files
>>> -Honeypots
>>
>>Ooookay. This isn't a bad idea, but it's pretty damn complicated to
>>set up - you're moving more and more towards something that requires
>>a 24/7 SOC (Security Operations Center) and further away from
>>"Architecting a secure network."
>>
>>> -Snort IDS
>>> -Tripwire
>>
>>And someone full time (or 2 people, really probably a team of folks
>>operating 24/7) to monitor these? Cause this stuff doesn't help you
>>if no one's looking at it.
>>
>>> -Easily controlled kill commands
>>
>>... Huh?
>>
>>> -No wifi
>>
>>Good luck with that. I guess no one's going to have any productive
>>meetings or use any MacBook Airs, tablets, or phones for work
>>purposes. (Unlikely.) Having everyone use the cell towers isn't a
>>great idea either. This sounds like you haven't done a requirements
>>gathering phase with your users.
>>
>>-tom
>>--
>>Too many emails? Unsubscribe, change to digest, or change password
>>by emailing moderator at compa...@stanford.edu or changing your
>>settings at
>>https://mailman.stanford.edu/mailman/listinfo/liberationtech
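Tom's whiteboard exercise ("fill an entire section with Red", then ask how the attacker moves to another section and what data he gets) can be turned into a small repeatable check. The script below is an added example written for this page; it is not code from the thread, from Tom Ritter, or from any product mentioned above. The two network drawings, the segment names, the "how" labels on each edge and the asset names are all constructed for illustration: a flat design where the admin box sits on the staff VLAN, and the segmented design Tom describes, where the admin laptop is airgapped so no edge leads into it. The model deliberately simplifies: holding a segment means holding everything stored there.

```python
"""Blast-radius check for the 'fill a section with Red' whiteboard exercise.

Constructed example: segments are the boxes on the whiteboard, each edge is a
way an attacker who holds one box could step into the next, and assets are
what each box stores.  All names and edges below are invented for this demo.
"""
from collections import deque

# (attacker holds, can reach, how).  Flat design: admin workstation lives on
# the same VLAN as staff machines and shares the management plane.
FLAT_NETWORK = [
    ("staff_workstations", "file_server", "SMB share, any domain user"),
    ("staff_workstations", "mail_server", "webmail/IMAP, any domain user"),
    ("staff_workstations", "admin_workstation", "same VLAN, RDP reachable"),
    ("admin_workstation", "domain_controller", "domain admin session"),
    ("admin_workstation", "mail_server", "admin console"),
    ("admin_workstation", "file_server", "admin console"),
    ("domain_controller", "file_server", "domain admin"),
    ("domain_controller", "mail_server", "domain admin"),
    ("domain_controller", "staff_workstations", "GPO / domain admin"),
]

# Segmented design (Tom's separation of privilege): the admin laptop is
# airgapped, so nothing has an edge INTO it; staff machines keep only the
# user-level paths they actually need.
SEGMENTED_NETWORK = [
    ("staff_workstations", "file_server", "SMB share, any domain user"),
    ("staff_workstations", "mail_server", "webmail/IMAP, any domain user"),
    ("admin_workstation", "domain_controller", "admin session (airgapped laptop)"),
    ("admin_workstation", "mail_server", "admin console (airgapped laptop)"),
    ("admin_workstation", "file_server", "admin console (airgapped laptop)"),
    ("domain_controller", "file_server", "domain admin"),
    ("domain_controller", "mail_server", "domain admin"),
    ("domain_controller", "staff_workstations", "GPO / domain admin"),
]

# Simplification: holding a segment means holding everything stored on it.
ASSETS = {
    "staff_workstations": ["staff documents"],
    "file_server": ["case files"],
    "mail_server": ["all mailboxes"],
    "domain_controller": ["every domain credential"],
    "admin_workstation": ["admin credentials"],
}


def reachable(edges, start):
    """Breadth-first walk from the Red section.  Returns a dict mapping every
    reachable segment to (previous_segment, how); the start maps to None."""
    adjacency = {}
    for src, dst, how in edges:
        adjacency.setdefault(src, []).append((dst, how))
    came_from = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for dst, how in adjacency.get(current, []):
            if dst not in came_from:
                came_from[dst] = (current, how)
                queue.append(dst)
    return came_from


def path_to(came_from, target):
    """'How does he move to another section?'  Hop-by-hop route as a list of
    (from, to, how) tuples, or [] when the target is not reachable."""
    if target not in came_from:
        return []
    hops = []
    current = target
    while came_from[current] is not None:
        previous, how = came_from[current]
        hops.append((previous, current, how))
        current = previous
    hops.reverse()
    return hops


def blast_radius(edges, assets, compromised):
    """'What data does he get?'  Sorted reachable segments and exposed assets."""
    came_from = reachable(edges, compromised)
    exposed = sorted({a for seg in came_from for a in assets.get(seg, [])})
    return sorted(came_from), exposed


def isolation_gaps(edges, assets, compromised, crown_jewels):
    """Crown-jewel assets that fall from `compromised`, each with its route.
    An empty dict means the drawing holds up for that starting point."""
    came_from = reachable(edges, compromised)
    gaps = {}
    for seg, held in assets.items():
        for asset in held:
            if asset in crown_jewels and seg in came_from:
                gaps[asset] = path_to(came_from, seg)
    return gaps


if __name__ == "__main__":
    jewels = {"every domain credential", "admin credentials"}
    for name, net in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        segs, data = blast_radius(net, ASSETS, "staff_workstations")
        print(f"{name}: phished staff box reaches {segs}; exposed {data}")
        for asset, route in isolation_gaps(net, ASSETS, "staff_workstations", jewels).items():
            print(f"  {asset} falls via " + " -> ".join(f"{a}->{b} ({how})" for a, b, how in route))
```

Run it once per "Red" starting point (a phished staff machine, a stolen laptop, a compromised mail server) and keep the drawings under version control next to the whiteboard; when someone asks for access to X group's fileserver, adding that one edge and re-running the check shows immediately whether the airgap still holds. In the flat design a single user compromise walks through the admin box to the domain controller; in the segmented design the same start reaches only the user-level shares.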