Transcript Its not just a firewall

Information Security
It’s more than just a firewall.
Presented by:
Eric Gruss
Assistant Vice President
Information Technology Manager
Information Security Officer
Reliance Bank
[email protected]
Information Security
Top Down or Bottom Up?
• It doesn’t matter, they meet in the middle. Start
somewhere, and look at everything.
• Remember that it is an Information SYSTEM, you must
look at the complete overall system but also understand
each component as an island in order to achieve the
goal.
• Every facet of an Information System must be examined
in order to understand risk.
Risk Analysis• What sensitive information is housed by
the organization? Is it regulated?
• Where is this information stored? Can or
should it be consolidated?
• Who needs access, when do they need it,
from where will they access it?
• How long can we live without it?
• How much will it hurt if it is leaked?
Risk Analysis• It is only after the risk is understood, that
we can begin to devise a plan to mitigate
it.
• For most of us, there is also a financial
component, you must understand your
exposure to risk, the likely hood that it will
be exploited, and your comfort level with
that. Based on available resources, not all
risks can be completely mitigated.
Firewall• Deny all, permit on exception in BOTH
directions.
• Use names and groups whenever
possible.
• Test it yourself from home- REGULARLY!
Free Software FirewallZone Alarm Free
If you are looking for a free (for individual and not-for-profit use) all-in-one security suite
that includes a Firewall tool, Zone Alarm is hard to beat. Zone Alarm includes a new
DefenseNet feature that leverages the real-time threat data from millions of
community users that aids to detect and block threats.
Firestarter (free)
Firestarter, on the other hand, is a very good Linux firewall tool that is perfect for new
users. Even though this firewall tool is powerful enough for desktops, servers, and
gateways, it is still easy enough for any level of user to leverage. This tool also allows
Internet connection sharing and can set up DHCP for a local network. And for the
advanced user, Firestarter offers advanced kernel tuning for firewall rules.
Free Software FirewallPCTools Firewall Plus (free)
During the installation of Firewall Plus there is a very crucial step that allows the user to
choose between simple or advanced. By choosing the Advanced option the user will
have far more control over how they can use and interact with the Firewall. Another
nice feature of PCTools Firewall Plus it that it will detect when the machine has been
attached to a new network. Once the new network has been detected the user can
then set the trust level for each network they join.
Gufw (free)
This particular firewall tool is an Ubuntu Linux-only tool that rivals Firestarter for ease of
use. Gufw is merely an easy-to-use frontend for UFW (Uncomplicated Fire Wall) and
allows you to block preconfigured, common services. You will not find nearly the
control that you have in Firewall Builder or even the amount of features you will find in
Firestarter. But for those who need a bare-bones, simple firewall on an Ubuntu
machine, Gufw is perfect.
Content Filters• Minimum- maintain an access list of sites
to block either at the firewall or via DNS.
• OpenDNS.org
• Employ a high quality web content filter
such as Websense.
• Employ a high quality SPAM filter such as
Websense or Messaging Architects or
• at least use a well known RBL like
Spamhaus or Spamcop.
Virtual Local Area Networks• Vlans can be a great tool to segregate and
control access at layer 2/3
• Create access list to control traffice flow
between Vlans
Servers• Harden all servers, disable or uninstall
services not required.
• Software Firewall and AntiVirus
• Control local access.
• Control Physical access.
• Monitor System accounts.
User Access Rights• Make every effort to enforce policies through
technology.
• Restrict login access hours.
• Restrict Admin or special user login based on
workstation address.
• Practice the principals of least privilege. All
access is denied unless explicitly permitted.
• Consider adding an auditing product like Blue
Lance or NTP Software File Auditor.
Desktop• Lock boot device to hard disk only, and
password protect bios.
• Disable USB and CD/DVD Recorders if possible.
• Control local access rights.
• MUST have software firewall and anti virus
protection installed and properly configured.
• Use static IP Addresses wherever possible (or
lock IP address by mac address).
• Keep up to date on patches.
• Disable unneeded services.
• No data should be stored locally.
File Level Precautions• Consider using encryption, but understand
the risks.
• File access should be controlled to the
finest granularity that can reasonably be
attained.
Restrict use of Removable
Media• Often this can be accomplished through
the bios.
• On windows machines it can be done
through the registry.
• Third party apps (such as Trigeo) can
control this on a much more granular level.
Control Wireless• Turn off WiFi if not required.
• Consider placing wireless access points
outside the firewall and using isolated Vlan
and VPN.
Control Remote Access• Remote access rights should be well
documented and auditable.
• Use SSL at a minimum, prefer VPN.
• Utilize two factor authentication. (pre
shared key, smart card, fingerprint, and
password)
Backup• Deletion can be nearly as bad as theft.
Maintain good backup practices and test
restore regularly. Move data off site,
either by transporting the tapes or portable
disks, or through backup to offsite
locations.
Establish and Document Policies• Most everyone has an internet and email use policy that employees
sign, but what about an information use policy? Policy should state
that data be stored only on secure network storage provided by and
maintained by your information technology department.
• It may seem obvious that your employees are not to copy important
company information and take it home or email it outside the internal
network without permission. However, unless you put such policies
in writing and have workers sign for receipt, you may be hard
pressed to penalize them for violating that policy. Unwritten rules are
much more difficult to enforce.
• Your policies should be specific and give examples of what’s
prohibited. Workers may not understand, unless you spell it out, that
emailing a company document as an attachment to someone
outside the network (or even to their own home account) is just as
much a violation of policy as copying that document to a USB drive
and physically taking it out the door.
• Wording of the policy, however, should make it clear that the
prohibition is not limited solely to the examples you give.
Secure your PDA!
• Poison pill ability?
• Set auto lock timeout.
• Establish what data can be stored.
Disabling USB storage on a
Windows platform:
•
•
•
•
•
•
•
From Explorers folder options ensure that hidden files and folders
are displayed, file extensions are not hidden and simple file
sharing is disabled.
Open up the properties for %systemroot%\Inf\Usbtror.inf
(%systemroot% would normally be ‘C:\Windows’).
Select the security tab and make sure that all options for all users
are set to deny. This must include administrators and SYSTEM.
Repeat the above for %systemroot%\Inf\Usbstor.pnf
If USB storage devices have been used on this machine
previously then open up the registry editor otherwise ignore steps
6 and 7.
Browse to the registry location
‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
UsbStor’.
Open up the registry key ‘Start’ and change the data value to ‘4′.
Close the registry editor.
If you are running Microsoft Windows XP on your desktop system,
consider turning off the following services.
•
•
•
•
•
•
IIS – Microsoft’s Internet Information Services provide the capabilities of a Webserver for your
computer.
NetMeeting Remote Desktop Sharing — NetMeeting is primarily a VoIP and videoconferencing
client for Microsoft Windows, but this service in particular is necessary to remote desktop access.
Remote Desktop Help Session Manager – This service is used by the Remote Assistance feature
that you can use to allow others remote access to the system to help you troubleshoot problems.
Remote Registry – The capabilities provided by the Remote Registry service are frightening to
consider from a security perspective. They allow remote users (in theory, only under controlled
circumstances) to edit the Windows Registry.
Routing and Remote Access – This service bundles a number of capabilities together, capabilities
that most system administrators would probably agree should be provided separately. It is rare
that any of them should be necessary for a typical desktop system such as Microsoft Windows
XP, however, so they can all conveniently be turned off as a single service. Routing and Remote
Access provides the ability to use the system as a router and NAT device, as a dialup access
gateway, and a VPN server.
Simple File Sharing – When a computer is not a part of a Microsoft Windows Domain, it is
assumed by the default settings that any and all filesystem shares are meant to be universally
accessible. In the real world, however, we should only want to provide shares to very specific,
authorized users. As such, Simple File Sharing, which only provides blanket access to shares
without exceptions, is not what we want to use for sharing filesystem resources. It is active by
default on both MS Windows XP Professional and MS Windows XP Home editions. Unfortunately,
this cannot be disabled on MS Windows XP Home. On MS Windows XP Professional, however,
you can disable it by opening My Computer -> Tools -> Folder Options, clicking the View tab, and
unchecking the Use simple file sharing (Recommended) checkbox in the Advanced settings:
pane.
•
•
•
•
•
•
If running Microsoft Windows XP, consider turning off
the following services.
SSDP Discovery Service – This service is used to discover UPnP devices on your
network, and is required for the Universal Plug and Play Device Host service (see
below) to operate.
Telnet – The Telnet service is a very old mechanism for providing remote access to a
computer, most commonly known from its use in the bad ol’ days of security for
remote command shell access on Unix servers. These days, using Telnet to remotely
manage a Unix system may be grounds for firing, where an encrypted protocol such
as SSH should be used instead.
Universal Plug and Play Device Host – Once you have your “Plug and Play” devices
installed on your system, it is often the case that you will not need this service again.
Windows Messenger Service – Listed in the Services window under the name
Messenger, the Windows Messenger Service provides “net send” and “Alerter”
functionality. It is unrelated to the Windows Messenger instant messaging client, and
is not necessary to use the Windows Messenger IM network.
On your system, these services may not all be turned on, or even installed. Whether
a given service is installed and running may depend on whether you installed the
system yourself, whether you are using XP Home or XP Professional, and from which
vendor you got your computer if MS Windows XP was installed by a vendor.
With the exception of Simple File Sharing, all of the above listed services can be
disabled from the same place. Simply click on the Start button, then navigate to
Settings -> Control Panel, open Administrative Tools, and from there open the
Services window. To disable any service in the list, double-click on its entry in that
window and change the Startup type: setting. In general, you should change services
you are turning off for security purposes to a “Disabled” state. When in doubt about
whether a given service is necessary for other services, check the Dependencies tab
in the service’s settings dialog.