How to Set Effective Security Policies at Your Organization
David Strom, VAR Business Technology Editor
June 20, 2002
My background
Author of “Home Networking Survival Guide” book from Osborne/McGraw Hill
Founding Editor-in-Chief, Network Computing
Tested numerous networking and security products
Things to know before you can set effective policies
Problems with existing network and applications infrastructure
Issues with products and protocols
Ways around the various tools that you are trying to use to lock things down
Who is in charge, anyway?
Do you have a chief security officer?
Does s/he have any real authority?
Does s/he have control over corporate directories, network infrastructure decisions, and internal applications development?
Look at your exposure from within
Network admins who have rights to everything
Applications that have access to other applications
Users who temporarily gain access outside of their normal departments
So let’s look at the following:
VPN policies and choices
Email policies and issues
eCommerce issues
Firewalls don’t protect you all the time
Role of integrators with VPNs
Help with their rollout and configuration
Help with remote support and troubleshooting
Recommend equipment and configuration
Include as part of overall telecommuting application
VPN Issue #1: Ease of use
VPNs still vexing
Matched pair problem
Hardware or software choices not always obvious
VPN Issue #2: Cable providers don’t like home networks
Getting static IPs can be a problem
Changing MAC addresses is an issue
Administering and supporting a home network is sometimes beyond their abilities or interest
… Yet all cable modems come with Ethernet!
VPN Issue #3: Providers hate VPNs
Well, maybe they are more ignorant of VPNs than hostile to them
Some don’t include VPNs in their TOS
Some do everything they can to discourage their use (frequent IP changes, for example)
VPN Issue #4: Remote support
Coordinating a VPN rollout for telecommuters can swamp a small tech support department
Variations in Windows OS, and non-Windows PCs, can be difficult!
What if users require more than one tunnel?
State of VPNs
Software now comes included in residential gateways like Sonic and Netgear
Still too hard for the average consumer, and the average business computer user
But wider support is inevitable
Costs too much and requires some careful justification
VPN.net: A new way of establishing VPNs
Email policies
How accurate is your employee directory?
Do outsiders have access to your email system? And for how long?
Do terminated employees still have access?
How often do employees copy all by mistake?
Making email secure
Use Notes or Groupwise
Don’t run Outlook, Outlook Express
Use PGP or SMIME products
eCommerce issues
Make sure you protect your enterprise network from intrusion
Limit user access, isolate servers, lock down scripts, harden servers
See www.nwfusion.com/netresources/0202hack1.html
Web/database issues
Understand security weaknesses and access controls of local database users
Understand web/database interaction from security perspective
Understand proxy server attacks (à la Adrian Lamo)
Block them CGI scripts!
Who is root and what can they really do?
Common mistakes with payment processing
Provide too few or too many order confirmation pages
Confusing methods and misplaced buttons on order page
Make it hard for customers to buy things
Don’t make your customers read error screens
ConEd bill payment issue
Claim they needed 100,000 customers to break even
https://m020-w5.coned.com/csol/main.asp
Note: lack of security, anyone with a valid account number can see your bill! Try acct no. 434117168910006
Preventing credit card fraud
Don't accept orders unless full address and phone number present
Be wary of different "bill to" and "ship to" addresses
Be careful with orders from free email services
Be wary of orders that are larger than typical amount
Pay extra attention to international orders
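The five fraud-screening bullets above, turned into an order-screening routine as an added example (not code from the original deck). The order format, the free-mail domain list, the home country and the "more than double the typical amount" threshold are assumptions chosen for illustration; the sample orders are constructed, not real customers.

```python
from dataclasses import dataclass

# Assumed: domains treated as free webmail services for the "free email" rule.
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}
HOME_COUNTRY = "US"  # assumed: the merchant's own country for the "international" rule


@dataclass
class Order:
    amount: float
    email: str
    phone: str
    bill_to: dict  # keys: street, city, country
    ship_to: dict


def screen_order(order, typical_amount):
    """Return (decision, reasons): 'reject', 'review' or 'accept'.

    Missing contact data is a hard reject (first bullet); the remaining
    bullets each add a reason that sends the order to manual review.
    """
    reasons = []
    for label, addr in (("bill-to", order.bill_to), ("ship-to", order.ship_to)):
        if not all(addr.get(k) for k in ("street", "city", "country")):
            reasons.append(f"incomplete {label} address")
    if not order.phone.strip():
        reasons.append("missing phone number")
    if reasons:
        return "reject", reasons
    if order.bill_to != order.ship_to:
        reasons.append("bill-to and ship-to addresses differ")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        reasons.append(f"free e-mail service ({domain})")
    if order.amount > 2 * typical_amount:  # assumed threshold: over double the typical order
        reasons.append(f"amount {order.amount:.2f} exceeds 2x typical {typical_amount:.2f}")
    if order.ship_to["country"].upper() != HOME_COUNTRY:
        reasons.append(f"international shipment to {order.ship_to['country']}")
    return ("review" if reasons else "accept"), reasons


# Constructed sample addresses and orders for demonstration.
ADDR_US = {"street": "1 Main St", "city": "Springfield", "country": "US"}
ADDR_DE = {"street": "Hauptstr. 2", "city": "Berlin", "country": "DE"}
SAMPLE_ORDERS = {
    "clean": Order(45.00, "buyer@corp.example", "555-0100", ADDR_US, ADDR_US),
    "risky": Order(900.00, "someone@hotmail.com", "555-0199", ADDR_US, ADDR_DE),
    "no_phone": Order(20.00, "x@corp.example", "", ADDR_US, ADDR_US),
}

if __name__ == "__main__":
    for name, order in SAMPLE_ORDERS.items():
        print(name, screen_order(order, typical_amount=40.0))
```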
Ways around firewalls
Uroam.com
GoToMyPC.com
Neoteris, other appliances
Remote control software (PC Anywhere, Ccopy, etc.)
Wireless LANs!
Remote control loopholes
Do you even know if they are running?
Do port scans for common ports that are used:
• PC Anywhere: 5631-2
• Control IT: 799
• Carbon Copy: 1680
• VNC: 5900
Wireless LAN loopholes
Do you even know if they are running?
NetStumbler.com: good resource
Read this article too.
Wireless VPN/firewall appliances
BlueSocket
ReefEdge
Vernier Networks
Mobility from Netmotion Wireless
Conclusions and questions
David Strom
Technology Editor
VAR Business magazine
(516) 562-7151