We all know that security is inversely proportional to convenience. And,
we know from experience that security is secondary to users' ability to
get to the information and services they need. Users' apathy and
ignorance are the reason why we spend more of our time responding to
security problems than ensuring that our infrastructures are as secure
as possible.
Making a network secure requires technical finesse and user cooperation.
Overcoming technical obstacles is nothing in comparison to defeating
the roadblocks erected by inconvenienced users. If security ever gets
in the way of them doing what they want, we're sure to hear about it.
How can you improve security without upsetting the masses? Think about the
boiling frog parable. As the story goes, if you try to put a frog in a
pan of boiling water, it will jump right out. But, put a frog in a pan
of cool water and gradually raise the temperature, and the frog will
happily swim around--his temperature adjusting up--until he's boiled
alive. This is what we want to do with our users: gradually raise the
level of security in such a way that they don't notice the change. I
want to suggest two ways to accomplish this.
Gateway Filtering
Gateway filtering is the job of border routers, which sit between networks of
different levels of trust. Most networks allow far too many services
through their border gateways, and every permitted service represents a
potential risk. You should allow only the services required for
business. While turning back the clock and doing away with all of the
extraneous services isn't an option, you can tighten up your gateways
to limit network traffic to those services being used.
Using a commercial or free packet sniffer, gather statistics on what
services, ports and protocols are being used between your network and
the Internet. These statistics provide you with a list of all services
in use (including those that are necessary for business). The list
doubles as a basic roadmap for tightening up border gateways by
gradually turning off unnecessary services.
In addition, ensure that outgoing connections for well-known services,
such as e-mail, are permitted only from e-mail systems, rather than
from any internal host. The result will be a more secure network with
fewer incoming attack paths. You'll also prevent Trojan horses from
making outgoing connections.
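The two steps above, turning sniffer statistics into a service roadmap and spotting outbound e-mail from hosts other than the mail systems, as an added example that is not from the column. The flow records, the 10.0.0.0/8 internal range and the mail-server address are constructed sample values.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumption: our address space
MAIL_SERVERS = {ip_address("10.0.1.25")}     # assumption: the sanctioned e-mail systems

# Constructed sample of per-flow records (src, dst, proto, dst_port), the kind of
# summary a packet sniffer on the border gateway would produce.
SAMPLE_FLOWS = [
    ("10.0.2.14", "203.0.113.10", "tcp", 80),
    ("10.0.2.14", "203.0.113.10", "tcp", 443),
    ("10.0.1.25", "198.51.100.5", "tcp", 25),    # mail gateway sending mail
    ("10.0.7.99", "198.51.100.9", "tcp", 25),    # a workstation sending mail directly
    ("10.0.3.3", "192.0.2.53", "udp", 53),
    ("10.0.4.8", "203.0.113.77", "tcp", 23),     # Telnet to the Internet
    ("203.0.113.50", "10.0.1.25", "tcp", 25),    # inbound mail to the gateway
]

def service_usage(flows):
    """Count flows per (direction, proto, port): the list of what is really in use."""
    usage = Counter()
    for src, _dst, proto, port in flows:
        direction = "out" if ip_address(src) in INTERNAL else "in"
        usage[(direction, proto, port)] += 1
    return usage

def roadmap(usage, required):
    """Split observed services into those on the business-required list (keep)
    and everything else (candidates to turn off gradually at the gateway)."""
    keep = sorted(k for k in usage if (k[1], k[2]) in required)
    drop = sorted(k for k in usage if (k[1], k[2]) not in required)
    return keep, drop

def unsanctioned_smtp(flows, mail_servers=MAIL_SERVERS):
    """Outbound SMTP from internal hosts that are not the designated mail systems."""
    hits = []
    for src, dst, proto, port in flows:
        s = ip_address(src)
        if s in INTERNAL and proto == "tcp" and port == 25 and s not in mail_servers:
            hits.append((src, dst))
    return hits

if __name__ == "__main__":
    required = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}  # assumption
    keep, drop = roadmap(service_usage(SAMPLE_FLOWS), required)
    print("keep:", keep)
    print("turn off:", drop)
    print("outbound SMTP not from mail systems:", unsanctioned_smtp(SAMPLE_FLOWS))
```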
Server Hardening
Next, turn your attention to your Internet-facing servers. The more complex a
system, the harder it is to secure. The more network services running
on a server, the greater the risk of a security breach.
Many servers come with too many services turned on by default. IIS is a good
example. Or, perhaps we have inherited someone else's server, complete
with its previous settings. If it's a Web server, all that needs to be
running is HTTP--and perhaps SSL. If it's an e-mail gateway, then only
SMTP is required. Yet, we run DNS, Telnet and Microsoft SMB on many of
our servers. Why? They're unnecessary, not to mention potential avenues
of attack. The fewer services running, the fewer vectors for an
attacker to exploit.
Run a commercial or free port scanner against your servers, which will
report the services available on each box. Disable all but those
required. Additionally, configure border routers to talk only to
servers using that limited list of ports, protocols and services. These
adjustments will dramatically cut down on your network's vulnerability.
Are these suggestions idealistic? Of course. Unless an organization is
building its IT infrastructure from scratch, it's probably too far
along to immediately implement changes for better security. But it's
not impossible.
Remember the goal: Slowly make security changes so users don't notice
them. Like an audio engineer adjusting a sound system to get maximum
volume with no feedback, we want to get maximum security while
minimizing user complaints. Achieving 100 percent security--or 100
percent user satisfaction--isn't realistic. But small, incremental
changes will make a difference.
Columnist FRED AVOLIO (favolio@infosecuritymag.com) is president and founder of Avolio Consulting, a Maryland-based computer and network security consulting firm.