How to Set Effective Security Policies at Your Organization
David Strom
VAR Business Technology Editor
June 20, 2002
My background
Author of “Home Networking Survival Guide” book from Osborne/McGraw Hill
Founding Editor-in-Chief, Network Computing
Tested numerous networking and security products
Things to know before you can set effective policies
Problems with existing network and applications infrastructure
Issues with products and protocols
Ways around the various tools that you are trying to use to lock things down
Who is in charge, anyway?
Do you have a chief security officer?
Does s/he have any real authority?
Does s/he have control over corporate directories, network infrastructure decisions, and internal applications development?
Look at your exposure from within
Network admins who have rights to everything
Applications that have access to other applications
Users who temporarily gain access outside of their normal departments
So let’s look at the following:
VPN policies and choices
Email policies and issues
eCommerce issues
Firewalls don’t protect you all the time
Role of integrators with VPNs
Help with their rollout and configuration
Help with remote support and troubleshooting
Recommend equipment and configuration
Include as part of overall telecommuting application
VPN Issue #1: Ease of use
VPNs still vexing
Matched pair problem
Hardware or software choices not always obvious
VPN Issue #2: Cable providers don’t like home networks
Getting static IPs can be a problem
Changing MAC addresses is an issue
Administering and supporting a home network is sometimes beyond their abilities or interest
… Yet all cable modems come with Ethernet!
VPN Issue #3: Providers hate VPNs
Well, maybe it is more that they are ignorant of VPNs than that they hate them
Some don’t include VPNs in their TOS
Some do everything they can to discourage their use (frequent IP changes, for example)
VPN Issue #4: Remote support
Coordinating a VPN roll out for telecommuters can swamp a small tech support department
Variations in Windows OS versions, and non-Windows PCs, can be difficult!
What if users require more than one tunnel?
State of VPNs
Software now comes included in residential gateways like Sonic and Netgear
Still too hard for the average consumer, and the average business computer user
But wider support is inevitable
Costs too much and requires some careful justification
VPN.net: A new way of establishing VPNs
Email policies
How accurate is your employee directory?
Do outsiders have access to your email system? And for how long?
Do terminated employees have access still?
How often do employees copy all by mistake?
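The three directory questions above (stale employee entries, outsiders with open-ended access, terminated employees still able to log in) can be answered by reconciling the mail system's account list against the HR roster. The following is an added example, not material from the original slides: both the roster and the mail account list are constructed in-line, and the field names (login, status, type, enabled, access_ends) are assumptions about what such exports would contain.

```python
"""Reconcile a mail directory against the HR roster (added example, constructed data)."""
from datetime import date

# Constructed HR roster: who HR says is currently employed or has left.
HR_ROSTER = [
    {"login": "asmith", "status": "active"},
    {"login": "bjones", "status": "terminated"},
    {"login": "cwu", "status": "active"},
]

# Constructed mail-system export. "external" accounts are outsiders
# (vendors, auditors) and are assumed to carry an access_ends date.
MAIL_ACCOUNTS = [
    {"login": "asmith", "type": "employee", "enabled": True},
    {"login": "bjones", "type": "employee", "enabled": True},
    {"login": "cwu", "type": "employee", "enabled": True},
    {"login": "vendor1", "type": "external", "enabled": True, "access_ends": date(2002, 5, 31)},
    {"login": "auditor", "type": "external", "enabled": True, "access_ends": date(2002, 12, 31)},
    {"login": "ghost", "type": "employee", "enabled": True},
    {"login": "contractor2", "type": "external", "enabled": True},
    {"login": "oldtemp", "type": "employee", "enabled": False},
]


def audit_mail_accounts(roster, accounts, today):
    """Return (login, reason) pairs for every enabled mailbox that the HR
    roster does not justify: terminated staff, outsiders whose access has
    expired or never had an expiry, and mailboxes HR has never heard of."""
    active = {r["login"] for r in roster if r["status"] == "active"}
    terminated = {r["login"] for r in roster if r["status"] == "terminated"}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled mailboxes are not an exposure
        login = acct["login"]
        if acct["type"] == "external":
            end = acct.get("access_ends")
            if end is None:
                findings.append((login, "external account with no expiry date"))
            elif end < today:
                findings.append((login, "external access expired but still enabled"))
        elif login in terminated:
            findings.append((login, "terminated employee still enabled"))
        elif login not in active:
            findings.append((login, "mailbox not in HR directory"))
    return findings


if __name__ == "__main__":
    for login, reason in audit_mail_accounts(HR_ROSTER, MAIL_ACCOUNTS, date(2002, 6, 20)):
        print(f"{login:12s} {reason}")
```

Run on a schedule and diff the output between runs; the interesting finding is usually the mailbox HR has no record of, because it is the one nobody is responsible for switching off.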
Making email secure
Use Notes or Groupwise
Don’t run Outlook, Outlook Express
Use PGP or SMIME products
eCommerce issues
Make sure you protect your enterprise network from intrusion
Limit user access, isolate servers, lock down scripts, harden servers
See www.nwfusion.com/netresources/0202hack1.html
Web/database issues
Understand security weaknesses and access controls of local database users
Understand web/database interaction from security perspective
Understand proxy server attacks (à la Adrian Lamo)
Block them CGI scripts!
Who is root and what can they really do?
Common mistakes with payment processing
Provide too few or too many order confirmation pages
Confusing methods and misplaced buttons on order page
Make it hard for customers to buy things
Don’t make your customers read error screens
ConEd bill payment issue
Claim they needed 100,000 customers to break even
https://m020-w5.coned.com/csol/main.asp
Note: lack of security, anyone with valid account number can see your bill! Try acct no. 434117168910006
Preventing credit card fraud
Don't accept orders unless full address and phone number present
Be wary of different "bill to" and "ship to" addresses
Be careful with orders from free email services
Be wary of orders that are larger than typical amount
Pay extra attention to international orders
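The five checks above are a rule set, and the useful way to apply them is as a scoring pass over each incoming order so that the missing-contact-details rule rejects outright while the softer signals (address mismatch, free email, unusual size, international) route the order to manual review. The code below is an added example, not from the original slides; the order fields, the list of free mail domains, the "twice the typical amount" threshold and the home-country value are all assumptions chosen for illustration.

```python
"""Score web orders against the fraud heuristics on the slide (added example)."""

# Constructed list of free email providers; extend for your own traffic.
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "juno.com", "mail.com"}

# Assumption: an order is "larger than typical" past this multiple of the
# store's typical order value.
LARGE_ORDER_FACTOR = 2.0


def order_flags(order, typical_amount, home_country="US"):
    """Return the list of heuristic flags an order trips. An empty list means
    none of the slide's warning signs are present."""
    flags = []
    if not order.get("address") or not order.get("phone"):
        flags.append("missing address or phone")
    if order.get("bill_to") != order.get("ship_to"):
        flags.append("bill-to and ship-to differ")
    domain = order.get("email", "").rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        flags.append("free email service")
    if order.get("amount", 0) > LARGE_ORDER_FACTOR * typical_amount:
        flags.append("larger than typical amount")
    if order.get("country", home_country) != home_country:
        flags.append("international order")
    return flags


def decide(order, typical_amount, home_country="US"):
    """Map flags to an action: reject without full contact details (the slide's
    hard rule), review when any other sign is present, accept otherwise."""
    flags = order_flags(order, typical_amount, home_country)
    if "missing address or phone" in flags:
        return "reject", flags
    if flags:
        return "review", flags
    return "accept", flags


# Constructed sample orders.
CLEAN_ORDER = {
    "address": "1 Main St", "phone": "516-555-0100", "bill_to": "1 Main St",
    "ship_to": "1 Main St", "email": "buyer@example.com", "amount": 80.0, "country": "US",
}
RISKY_ORDER = {
    "address": "1 Main St", "phone": "516-555-0100", "bill_to": "1 Main St",
    "ship_to": "99 Other Ave", "email": "buyer@hotmail.com", "amount": 900.0, "country": "CA",
}
NO_PHONE_ORDER = {
    "address": "1 Main St", "phone": "", "bill_to": "1 Main St",
    "ship_to": "1 Main St", "email": "buyer@example.com", "amount": 50.0, "country": "US",
}

if __name__ == "__main__":
    for o in (CLEAN_ORDER, RISKY_ORDER, NO_PHONE_ORDER):
        print(decide(o, typical_amount=100.0))
```

Keep the thresholds in configuration rather than code: the right "typical amount" differs per product line, and a fixed number quietly becomes wrong as prices change.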
Ways around firewalls
Uroam.com
GoToMyPC.com
Neoteris, other appliances
Remote control software (PC Anywhere, Ccopy, etc.)
Wireless LANs!
Remote control loopholes
Do you even know if they are running?
Do port scans for common ports that are used:
• PC Anywhere: 5631-2
• Control IT: 799
• Carbon Copy: 1680
• VNC: 5900
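Two ways to find out whether those remote-control products are running on your own network: look for the slide's port numbers in the firewall or router logs you already keep, and probe the hosts you own for listeners on them. The block below is an added example, not part of the original deck. The port-to-product table is the slide's; the log line format is constructed for the example and would need adjusting to your firewall's output, and `probe_host` is a plain TCP connect check that assumes you are pointing it at machines you administer.

```python
"""Spot remote-control listeners from firewall logs and by probing own hosts (added example)."""
import re
import socket

# Port table from the slide.
REMOTE_CONTROL_PORTS = {
    5631: "PC Anywhere",
    5632: "PC Anywhere",
    799: "Control IT",
    1680: "Carbon Copy",
    5900: "VNC",
}

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2002-06-20 09:12:01 allow src=10.1.4.22 dst=10.1.9.5 proto=tcp dport=5631
2002-06-20 09:12:03 allow src=10.1.4.22 dst=10.1.9.5 proto=tcp dport=80
2002-06-20 09:14:10 allow src=192.0.2.17 dst=10.1.9.8 proto=tcp dport=5900
2002-06-20 09:15:42 deny src=192.0.2.40 dst=10.1.9.8 proto=tcp dport=1680
2002-06-20 09:16:00 allow src=10.1.4.30 dst=10.1.9.12 proto=udp dport=799
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def find_remote_control_traffic(log_text):
    """Return one dict per allowed connection whose destination port is in the
    slide's table. Denied lines are skipped: the firewall already stopped those."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        port = int(m.group("dport"))
        if m.group("action") != "allow" or port not in REMOTE_CONTROL_PORTS:
            continue
        hits.append({
            "time": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "port": port,
            "product": REMOTE_CONTROL_PORTS[port],
        })
    return hits


def probe_host(host, ports=REMOTE_CONTROL_PORTS, timeout=0.5):
    """TCP-connect check of each port on a host you administer; returns
    {port: True/False}. A refused or timed-out connect counts as not listening."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            result[port] = s.connect_ex((host, port)) == 0
    return result


if __name__ == "__main__":
    for hit in find_remote_control_traffic(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} -> {hit['dst']}:{hit['port']} ({hit['product']})")
```

The log pass is the cheaper of the two and catches sessions that cross the firewall; the probe catches listeners that have not yet been used, which is the case the slide's question ("do you even know if they are running?") is really about.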
Wireless LAN loopholes
Do you even know if they are running?
NetStumbler.com: good resource
Read this article too.
Wireless VPN/firewall appliances
BlueSocket
ReefEdge
Vernier Networks
Mobility from Netmotion Wireless
Conclusions and questions
David Strom
Technology Editor
VAR Business magazine
(516) 562-7151