
How to Set Effective Security Policies at Your Organization

David Strom, VAR Business Technology Editor, June 20, 2002

My background

• Author of “Home Networking Survival Guide” book from Osborne/McGraw Hill
• Founding Editor-in-Chief, Network Computing
• Tested numerous networking and security products

Things to know before you can set effective policies

• Problems with existing network and applications infrastructure
• Issues with products and protocols
• Ways around the various tools that you are trying to use to lock things down

Who is in charge, anyway?

• Do you have a chief security officer?
• Does s/he have any real authority?
• Does s/he have control over corporate directories, network infrastructure decisions, and internal applications development?

Look at your exposure from within

• Network admins who have rights to everything
• Applications that have access to other applications
• Users who temporarily gain access outside of their normal departments

So let’s look at the following:

• VPN policies and choices
• Email policies and issues
• eCommerce issues
• Firewalls don’t protect you all the time

Role of integrators with VPNs

• Help with their rollout and configuration
• Help with remote support and troubleshooting
• Recommend equipment and configuration
• Include as part of overall telecommuting application

VPN Issue #1: Ease of use

• VPNs still vexing
• Matched pair problem
• Hardware or software choices not always obvious

VPN Issue #2: Cable providers don’t like home networks

• Getting static IPs can be a problem
• Changing MAC addresses is an issue
• Administering and supporting a home network is sometimes beyond their abilities or interest
• … Yet all cable modems come with Ethernet!

VPN Issue #3: Providers hate VPNs

• Well, maybe they are more ignorant of VPNs than hostile to them
• Some don’t include VPNs in their TOS
• Some do everything they can to discourage their use (frequent IP changes, for example)

VPN Issue #4: Remote support

• Coordinating a VPN rollout for telecommuters can swamp a small tech support department
• Variations in Windows OS, and non-Windows PCs, can be difficult!
• What if users require more than one tunnel?

State of VPNs

• Software now comes included in residential gateways like Sonic and Netgear
• Still too hard for the average consumer, and the average business computer user
• But wider support is inevitable
• Costs too much and requires some careful justification
• VPN.net: A new way of establishing VPNs

Email policies

• How accurate is your employee directory?
• Do outsiders have access to your email system? And for how long?
• Do terminated employees still have access?
• How often do employees “copy all” by mistake?

Making email secure

• Use Notes or GroupWise
• Don’t run Outlook or Outlook Express
• Use PGP or S/MIME products

eCommerce issues

• Make sure you protect your enterprise network from intrusion
• Limit user access, isolate servers, lock down scripts, harden servers
• See www.nwfusion.com/netresources/0202hack1.html

Web/database issues

• Understand security weaknesses and access controls of local database users
• Understand web/database interaction from a security perspective
• Understand proxy server attacks (à la Adrian Lamo)
• Block them CGI scripts!
• Who is root and what can they really do?

Common mistakes with payment processing

• Provide too few or too many order confirmation pages
• Confusing methods and misplaced buttons on order page
• Make it hard for customers to buy things
• Don’t make your customers read error screens

ConEd bill payment issue

• Claim they needed 100,000 customers to break even
• https://m020-w5.coned.com/csol/main.asp
• Note: lack of security, anyone with valid account number can see your bill! Try acct no. 434117168910006

Preventing credit card fraud

• Don't accept orders unless full address and phone number present
• Be wary of different "bill to" and "ship to" addresses
• Be careful with orders from free email services
• Be wary of orders that are larger than typical amount
• Pay extra attention to international orders
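The five rules above as an order-review function, added here as an example and not taken from the deck. The order fields, the free-webmail domain list, the "2x typical amount" threshold and the rule that two or more flags send an order to manual review are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of free email providers (assumption; extend to taste).
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}


@dataclass
class Order:
    amount: float
    email: str
    phone: Optional[str]        # None when the customer left it blank
    bill_to: Optional[str]      # full postal address, None when missing
    ship_to: Optional[str]
    country: str                # ISO country code of the ship-to address


def review_order(order: Order, typical_amount: float, home_country: str = "US") -> Dict:
    """Apply the slide's rules. Returns a verdict plus the reasons behind it."""
    reasons: List[str] = []

    # Rule 1 is a hard stop: no full address and phone, no order.
    if not order.bill_to or not order.ship_to or not order.phone:
        return {"verdict": "reject", "reasons": ["missing address or phone"]}

    # Rules 2-5 are "be wary" signals; each one adds a flag.
    if order.bill_to.strip().lower() != order.ship_to.strip().lower():
        reasons.append("bill-to and ship-to differ")

    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        reasons.append("free email service")

    if order.amount > 2 * typical_amount:   # threshold is an assumption
        reasons.append("amount well above typical")

    if order.country.upper() != home_country.upper():
        reasons.append("international order")

    # Assumption: a single flag is logged but accepted; two or more go to a human.
    verdict = "review" if len(reasons) >= 2 else "accept"
    return {"verdict": verdict, "reasons": reasons}
```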

Ways around firewalls

• Uroam.com
• GoToMyPC.com
• Neoteris, other appliances
• Remote control software (PC Anywhere, Ccopy, etc.)
• Wireless LANs!

Remote control loopholes

• Do you even know if they are running?
• Do port scans for common ports that are used:
  • PC Anywhere: 5631-2
  • Control IT: 799
  • Carbon Copy: 1680
  • VNC: 5900
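A small inventory script for the port list above, added here as an example and not from the deck: it tries a TCP connect to each listed port on hosts you administer and reports which remote-control product the port belongs to. The product names come from the slide; the loopback listener and its "simulated" labels are constructed so the script can demonstrate itself offline.

```python
import socket
import threading
from typing import Dict, Iterable

# Port table from the slide; 5631 and 5632 are the pcAnywhere pair.
REMOTE_CONTROL_PORTS: Dict[int, str] = {
    5631: "pcAnywhere", 5632: "pcAnywhere",
    799: "Control IT", 1680: "Carbon Copy", 5900: "VNC",
}


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True when a TCP connect to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def audit_host(host: str, table: Dict[int, str] = REMOTE_CONTROL_PORTS,
               timeout: float = 0.5) -> Dict[int, str]:
    """Return {port: product} for every listed port that answers on this host."""
    return {p: name for p, name in table.items() if tcp_port_open(host, p, timeout)}


def audit_hosts(hosts: Iterable[str], timeout: float = 0.5) -> Dict[str, Dict[int, str]]:
    """Run audit_host over an inventory; hosts with nothing listening are omitted."""
    return {h: hits for h in hosts if (hits := audit_host(h, timeout=timeout))}


def demo_with_local_listener() -> Dict[int, str]:
    """Offline self-check: open a loopback listener on an ephemeral port, label it
    as a simulated VNC service, and confirm the audit reports only that port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))            # port 0 = let the OS pick a free one
    server.listen(1)
    port = server.getsockname()[1]

    def accept_one() -> None:
        conn, _ = server.accept()
        conn.close()

    threading.Thread(target=accept_one, daemon=True).start()
    try:
        # One live (simulated) port plus port 1, which nothing on loopback serves.
        table = {port: "VNC (simulated)", 1: "Control IT (simulated)"}
        return audit_host("127.0.0.1", table, timeout=1.0)
    finally:
        server.close()
```

Against real hosts, call audit_hosts() with the machines from your asset list and treat every hit that is not an approved remote-support tool as a finding to follow up.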

Wireless LAN loopholes

• Do you even know if they are running?
• NetStumbler.com: good resource
• Read this article too.

Wireless VPN/firewall appliances

• BlueSocket
• ReefEdge
• Vernier Networks
• Mobility from NetMotion Wireless

Conclusions and questions

David Strom
Technology Editor, VAR Business magazine


(516) 562-7151

