Network access control Learning Guide
SearchSecurity.com and SearchWindowsSecurity.com

From PDAs to insecure wireless modems, users have myriad options for connecting to -- and infecting -- the network. Created in partnership with our sister site SearchWindowsSecurity.com, this guide offers tips and expert advice on network access control. Learn how unauthorized users gain network access, how to block and secure untrusted endpoints, and get Windows-specific and universal access control policies and procedures.

TABLE OF CONTENTS

Securing remote access points .......... 4
  Book chapter: Remote access as an attack vector
  PDF: IPsec and SSL VPNs: Solving remote access problems
  Product review: 2006 Remote access Products of the Year
  Technical tip: A five-point strategy for secure remote access
  Technical tip: Remote user security checklist
  Technical tip: Five steps to controlling network access
  Technical tip: Secure data transmission methods
  Technical tip: How to stop a rogue user from circumventing network security
  Technical tip: Guarding against malware infection from remote users
  Technical tip: Remote network access from privately-owned machines
  Technical tip: Ten tips for safe computing on a public LAN

Endpoint security tactics .......... 21
  PDF: Five best strategies for endpoint security
  PDF: Layered access control: Six top defenses that work
  Product review: Hot Pick: Fireball KeyPoint
  Product review: End of the line
  Product review: Hark! Who goes there?
  Technical tip: Effective endpoint security without a significant investment
  Technical tip: Painful patching: How to lock down networked devices
  Technical tip: The key to locking out mobile threats
  Technical tip: Tips for securing iPods in the enterprise

Network architecture controls .......... 35
  Glossary definition: DMZ (SearchSecurity.com)
  Glossary definition: VLAN (SearchSecurity.com)
  Book chapter: Secure LAN switching (SearchSecurity.com)
  Expert advice: How to protect a LAN from unauthorized access (SearchSecurity.com)
  Expert advice: Designing DMZs with various levels of access (SearchSecurity.com)
  Technical tip: Using 802.1X to control physical access to LANs (SearchSecurity.com)
  Technical tip: Life at the edge: Securing the network perimeter, Part 2 (SearchSecurity.com)
  Technical tip: VLAN security (SearchSecurity.com)
  Technical tip: Popular VLAN attacks and how to avoid them (SearchSecurity.com)

SearchSecurity.com Copyright TechTarget 2006

Firewalls .......... 46
  Product review: 2006 Network Firewall Products of the Year
  Technical tip: How to choose a firewall
  Technical tip: Choosing the right firewall topology
  Technical tip: Placing systems in a firewall topology
  Technical tip: Auditing firewall activity
  Technical tip: Activating an XP firewall on a LAN
  Technical tip: Traffic flow considerations for the Cisco PIX Firewall
  Technical tip: Firewall security tips
  Technical tip: Firewall redundancy: Deployment scenarios and benefits

VPNs .......... 61
  Glossary definition: SSL
  Glossary definition: IPsec
  Book chapter: Crypto basics: VPNs
  Product review: SSL VPN: AEP SureWare A-Gate AG-600
  Product review: Corrent VPN 'connects' with Check Point software
  Quiz: SSL vs. IPsec VPNs
  Technical tip: Letting telecommuters in -- Your VPN alternatives
  Technical tip: The inherent capabilities of IPsec selectors and their use in remote access VPNs
  Technical tip: VPN fast facts: True or false?
  Technical tip: Client-side security considerations for SSL VPNs

Windows-specific network access control procedures .......... 76
  Book chapter: Access control entries
  Book chapter: Six steps for deploying Network Access Quarantine Control
  Checklist: Hardening Windows School: Advanced checklist on network access quarantining
  Checklist: Harden access control settings
  Expert advice: Security risks associated with granting permissions in Windows XP
  Expert advice: How to deny access when connecting to a share on a Windows 2003 Server
  Expert advice: How to detect when non-domain laptops are plugged in to Windows Server 2003
  Expert advice: How to set up dual administrative controls for tighter security in Windows 2000
  Expert advice: How to remove specific permissions from an account operator in Windows 2000
  Expert advice: How to check which permissions are assigned to a user or group in Windows 2000
  Expert advice: How to set NTFS permissions on Windows 2000 Terminal Services
  Expert advice: Limiting user and admin access
  Opinion: Network admins need Microsoft-Cisco unity
  Step-by-Step guide: Network Access Quarantine Control
  Technical tip: Lock down user access and privileges
  Technical tip: Permissions basics for Windows 2000
  Technical tip: NTFS default permissions for Windows 2000
  Technical tip: How to implement permissions in Windows 2000/NT

Network access control policies .......... 124
  Expert advice: Distinguishing a remote access policy from a portable computing protection policy
  Technical tip: Policies for reducing mobile risk
  Technical tip: Laptop security policy: Key to avoiding infection
  Technical tip: Work with users to secure new technologies in the enterprise
  Technical tip: The benefits of writing a policy before a new system deployment
  Technical tip: Managing network policy
  Technical tip: Top 10 network security tips

Securing remote access points

Book chapter: Remote access as an attack vector
16 Jun 2005 | Larstan Publishing

In this excerpt of Chapter 7 from "The Black Book on Corporate Security," authors Howard Schmidt and Tony Alagna analyze how "unmanaged" remote access can serve as an attack vector.

Insider Notes: Corporate resources can now be accessed from anywhere, with most places far from trustworthy. The danger here is extreme, because mobile computing environments plug into random places and in unmanaged systems. Vendors are aware of this security threat and they're increasingly recommending the deployment of different types of security and scanning technologies.

There are many different types of remote access solutions for mobile employees. Some are emerging in the marketplace. There is SSL VPN, which is a Web-based VPN device. Also, some bigger companies like Citrix have secure gateways. Classic IPsec VPNs can also be used for mobile computing. There are also different types of Webmail as well as Outlook Web Access, as well as different types of portals and intranets and extranets.

The quality that all remote access has in common, regardless of the method used, is that it is an endpoint machine and is as vulnerable as any other system on the Internet. In some cases, they are managed machines -- a corporate issued asset that is managed by the corporate IT that has all of the corporate security provisioned security programs. However, the threat of malicious code is even greater in this unmanaged machine space. Anybody can load whatever they want on it (the risk of a keystroke-logger is huge). Besides the general threat of malicious code, these machines have no physical access restrictions. A person can walk up five minutes before it was used and five minutes after it was used and capture everything that was done on that machine between those two time points.

Corporate resources can now be accessed from anywhere, with most places far from trustworthy. The danger here is extreme, because mobile computing environments plug into random places and in unmanaged systems. Vendors are aware of this security threat, and they're increasingly recommending the deployment of different types of security and scanning technologies. The problem is that most security technologies are not readily deployable. Antivirus is a very large application, so it is not practical to have anyone who is logging-in remotely to download this software and then scan the hard drive for half an hour before they can access email. Antivirus-type technologies in the "unmanaged space" must be behavioral, small, fast and transactional.

Sometimes the people using IPsec VPNs feel safe because this technology prevents split-tunneling (the ability for two or more applications to be communicating simultaneously while the VPN connection is going). Preventing split-tunneling only creates an illusion of safety; it cannot stop attacks. All situational defenses can do is minimize the types of attacks. So, if users can see the Internet, then so can the malicious code. A reverse-connecting Trojan functions in the same way in this environment as it does in a corporate environment, by initiating its connection sequence inside out. Even without Internet access, malicious code can be scripted to steal or perform actions whenever it comes back online, regardless of whether it has network connectivity at the moment. Malicious code is basically winning in every environment regardless of the situational defenses. The vulnerability in this mobile communication model is obvious.

Product review: 2006 Remote access Products of the Year
02.01.2006 | SearchSecurity.com

With the proliferation of laptops, PDAs and other mobile devices requiring access to the corporate network, a VPN purchase is no longer an impulse -- it's an imperative. The offerings have mushroomed, particularly SSL VPN products, forcing IPsec-dependent market leaders to broaden their scope. Included in this wave are Cisco Systems' VPN 3000 Series Concentrators. Recognizing that SSL VPN providers were gaining market share, Cisco made sure its 3000 series offered both IPsec- and SSL-based connectivity on a single platform -- a smart move judging by the number of readers who raved about its endpoint security and ease of use. This allows almost any device within the corporate network to establish an end-to-end secure connection using public networks. For this reason, the Concentrators were awarded the gold medal in remote access.

VPN 3000 Series Concentrators
Cisco Systems, www.cisco.com

"Concentrators have proven to be the most compatible and secure, and provide the best ease-of-use out of all the remote access devices I have encountered," wrote one enthusiastic user. Others who helped make the series' six models collectively tops were especially pleased with the Concentrators' security, including their firewall capabilities through stateless packet filtering and granular access control.

A big plus, according to users, is the VPN series' versatility. Cisco VPN 3005 and 3015 are designed for small- to mid-sized enterprises, promising between 100 and 200 simultaneous IPsec sessions, or 50 and 75 WebVPN sessions. The 3020 and higher are geared more toward larger companies, supporting up to 10,000 IPsec, or 500 clientless sessions running concurrently in the 3080 model. Scalability is a strong driver. "An excellent tool," said one user.

The majority also gave their thumbs-up approval to the wide range of features. Some respondents were glad to discover that the VPN 3000 Concentrators work well with other applications. In addition, customers like how easily the Concentrators can be managed through their simple Web-based interface to configure mobile devices and monitor all remote-access users. "[We] rarely have problems with these devices. Just keeps working," one user wrote. Another summed it up this way: "[Concentrators are] just plain easy."

VPN Gateway
Nortel Networks, www.nortel.com

"Stable, reliable, robust." VPN Gateway users particularly like its performance and give it consistent "excellent" ratings for security, performance and overall quality.

VPN-1
Check Point Software Technologies, www.checkpoint.com

This is the other half of the medal-winning Check Point package (with FireWall-1). It wins high praise for security. One user calls it "the most compatible, secure remote access device."

Technical tip: A five-point strategy for secure remote access
25 July 2005 | George Wrenn | SearchSecurity.com

Managing secure remote access is a tough job. Because remote systems may directly connect to the Internet rather than through the corporate firewall, they pose an increased risk to your network environment, and a general VPN network policy isn't enough to keep these systems -- and the network they connect to -- safe. Here are five best practices for providing secure remote access.

1. Software controls policy
Create a policy that defines the exact security software controls that must exist on systems with remote access. For example, you may need to spell out that antivirus, antispyware and desktop firewalls must be installed and configured in a specific manner with the latest signatures, along with which vendors are acceptable for virus and spyware protection. The policy should also spell out what ports and services may be exposed on the system. Often a zero-tolerance policy is best for endpoint security. No AV, antispyware and desktop firewall? No remote access allowed. End users should meet a set of guidelines before connecting to the network. The best practice is to distribute the policy along with the connection setup or similar instructions for end users.

2. Endpoint security management
Choose a vendor that offers comprehensive endpoint security management and policy enforcement as part of their VPN or remote access solution. That includes pushing policies and updates through the VPN to users and then scanning for continued compliance before a machine is allowed on to a network. Your chosen remote access solution should be able to refuse connections for endpoint systems that do not meet the policy compliance checks. Ideally, the solution should tell end users which items are out of compliance so they can remediate the situation prior to attempting to reconnect. This cuts down on help desk calls. It is best to mandate that all remote users use the enterprise sponsored VPN client. That's the only way you are going to get true policy compliance and assurance of endpoint security posture.

3. Enforce corporate policy compliance
Inform end users that corporate security policy extends to their remote desktop when connected to the enterprise network. For example, no file sharing and other disallowed use while connected to the corporate network.

4. Reporting features
Reporting on end user compliance is critical. Most of the solutions mentioned above offer reporting capabilities to keep admins updated on the status of the connecting endpoints. In some cases administrative intervention may be warranted -- especially when other access methods to the network may exist. Depending on the number of users you have to manage, it may be wise to set up alarms that email admins when a machine that is significantly out of compliance tries to connect.

5. Periodically review policy and reports
Every couple of months, review policies and reports to identify trends and patterns in access violations. This is important to ensure that the policy and technical controls are addressing your remote access security needs. If you find trends in access violations, add or modify policies accordingly.

About the Author: George Wrenn, CISSP, ISSEP, is a technical editor for our sister publication Information Security magazine and a security director at a financial services firm. He's also a graduate fellow at the Massachusetts Institute of Technology.

Technical tip: Remote user security checklist
22 Nov 2005 | Kevin Beaver | SearchWindowsSecurity.com

At some point in time, odds are you've had remote users connecting to your network. Telecommuting has several proven productivity and environmental benefits, but it doesn't come without its drawbacks -- mostly in the form of information security risks. What happens if your remote users' computers have viruses or they transmit sensitive emails and instant messages over an unsecured wireless link? How about when systems that aren't properly protected can connect directly to your network -- thus offering a direct inbound link to anyone wanting to get inside and poke around maliciously? Arguably, there are reasons your organization's assets must be protected. Unauthorized information access can take place, information leakage can occur, and there's always a possibility that malware can seep in through your otherwise hardened network border. Remember, many bad things can happen.

Before you create any new policies or lock down your remote systems, it's very beneficial to determine which remote access vulnerabilities currently exist in your environment. I suggest you use a vulnerability assessment tool such as Tenable Network Security's NeWT, GFI Software Ltd.'s LANguard Network Security Scanner or Qualys Inc.'s QualysGuard. Doing that not only finds missing patches, but it also digs in deeper to find misconfigurations, unnecessary shares, null session connections and other exploitable vulnerabilities you would not otherwise be able to dig up easily. Use one (or more) of these tools on your internally supported images for laptops and desktops and, if it makes sense, test remote systems owned by your users as well. If the latter is not an option for political or resource limitation reasons, you could easily document instructions for your remote users to do it themselves. Consider having them install and run the Microsoft Baseline Security Analyzer (MBSA) on their systems and sharing the reports with you.

Once you've determined where your weaknesses exist and have addressed the issues, use the following checklist of common and not-so-common security safeguards to be sure you've got your remote systems locked down:

1. Have a written policy and documented procedures in place for managing patches. Enable real-time Automatic Updates or roll out patches using an existing patch management system.

2. Require malware protection (antivirus and antispyware) on every system and ensure that updates are being applied in real-time if possible to prevent unnecessary infections.

3. Ensure that personal firewall software is installed (Windows Firewall in XP SP2+, BlackICE and so on) and at least provides inbound protection -- outbound application protection is nice, especially if you can configure it so your users aren't hindered by the constant outbound connection requests.

4. Implement a VPN (the free Windows-based PPTP is a decent option) or make sure you're running a secure alternative connection such as Windows Remote Desktop or Citrix.

5. Disable null session connections to prevent the unauthorized gleaning of user names, security policy information and more from remote systems. You could even automate this via login scripts and/or Group Policy in Windows.

6. Enable strong file and share permissions on remote hard drives and other storage devices -- especially on Windows 2000 and NT systems that allow everyone full access by default.

7. Disable Bluetooth if it's not needed. Otherwise, it's too risky by default so lock it down.

8. Your users will likely download and install IM, P2P and other applications that you can't support or otherwise make you nervous. They're going to do it anyway, so be prepared to prevent it in the first place via accounts with minimal privileges (think Windows Vista new feature) and periodic scans of systems looking for such software. Or, standardize on a small number of applications you can manage comfortably; the latter option might be the easiest.

For systems configured to use 802.11-based wireless (or ones that may be used as such in the future), don't forget the following safeguards:

1. Enable WEP at a minimum since it's a lot better than nothing, but ideally have users enable WPA2-PSK with strong (20+ random characters) pass-phrases.

2. Enable MAC address controls, which help keep non-techies from snooping or accessing your network (techies know how to spoof their MAC addresses to get around this).

3. If possible, require a specific vendor/model of AP and wireless NIC to ensure they're hardened consistently according to your standards and so you can stay abreast of any major security alerts and necessary firmware or software updates.

4. Require your users to use directional antennae instead of the omni-directional ones that come stock on practically all APs.

5. Remember that users may connect to your network via public hotspots, so make sure you and they understand the security implications and have the proper safeguards in place. Enable secure messaging if a VPN or other hotspot protection is not available via POP3s, SMTPs, Webmail via HTTPS and other built-in controls.

Remember to include remote users, computers and applications in your security incident response plan and disaster recovery plans. Those are common oversights that can rattle your nerves if they catch you off guard. These relatively simple and mostly free remote access safeguards, combined with a reasonable information security awareness program, will go a long way toward securing your offsite computers and protecting those things you cannot afford to lose.

About the Author: Kevin Beaver is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Beaver has written five books, including Hacking for Dummies (Wiley), Hacking Wireless Networks for Dummies and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).

Technical tip: Five steps to controlling network access
16 Nov 2004 | Wes Noonan | SearchWindowsSecurity.com

Wes Noonan, author of Hardening Network Infrastructures, reviews steps you can take from both a Windows and network perspective to protect your data regardless of what is occurring at the network perimeter.

Hardening Windows servers will go a long way toward protecting the integrity of the data on those servers, but you must also harden the network infrastructure itself. Start by taking the following five steps.

1. Implement network-based access control (NBAC)
Connecting systems to the network used to be a hassle: You had to build the network drivers, assign addresses and physically connect systems to get them to talk. Although this made it difficult for unauthorized systems to easily connect to the network, it created excessive administrative overhead. Then technologies like star-wired networks and Dynamic Host Configuration Protocol (DHCP) made it exceedingly simple to connect systems to the network. At first I rejoiced! But now I realize anyone can connect to the network. It permits network access for both users and viruses. In fact, approximately 90% of the customers I visit have live network jacks that I can easily plug into to gain network access even if they have some written policy that states unauthorized connections are not permitted. NBAC seeks to provide an enforcement mechanism to support those written policies. With NBAC, you want to define what is an authorized user and ensure connected systems are running the appropriate patches and software versions. If they aren't, they are placed in quarantine until the system is patched or updated.

2. Implement access control lists (ACLs)
If someone can get inside your network, they can gain access to your Windows systems. You need to implement strict ACLs on your network equipment and grant access only to those users that require it. For instance, do users in Houston ever need access to systems in New York? If not, chances are the traffic passing between those systems isn't essential to the business. One common security mistake is to treat the network and applications as separate entities that never interact. You may have separate people maintaining them, separate security policies, separate procedures and so on.

3. Restrict remote connections
Implementing a VPN can be a risky endeavor. Instead of allowing VPN access to your entire network, implement network ACLs that restrict remote users only to the servers and resources they need. For example, using a VPN to connect Citrix or Terminal Server farms ensures that the only traffic allowed through the VPN is the Citrix traffic to the Citrix servers. If a remote client's system is infected, it will not infect your network.

4. Restrict and secure wireless connections
If implemented behind your firewall, wireless LAN connections create a particularly large, gaping hole in your network perimeter. As a result, your wireless LAN connections should be treated like any other remote connection: Terminate them outside your firewall and require a VPN connection to gain access to internal and protected resources.

5. Implement IPsec
Implementing IPsec on your network is a great way to protect data in transit from being compromised. When used in conjunction with the other hardening methods, IPsec can serve as an effective method for protecting your internal traffic from prying eyes. But it's no panacea. For example, if a machine is infected with Slammer, IPsec will only ensure the Slammer traffic is encrypted before it is transmitted.

Due to network de-perimeterization, you can no longer rely exclusively on the network perimeter to protect systems and data. In other words, removing the perimeter entirely is not the solution, nor is hardening the perimeter alone. You must also harden your Windows systems and network infrastructures to protect data in the event that the network perimeter fails or is circumvented.

About the Author: Wesley J. Noonan has been working in the computer industry for over 12 years, specializing in Windows-based networks and network infrastructure security design and implementation. He is a senior network consultant for Collective Technologies, LLC (www.colltech.com). Wes recently authored the book Hardening Network Infrastructures for Osborne/McGraw-Hill and previously authored a chapter on network security and design for The CISSP Training Guide by QUE Publishing.

Technical tip: Secure data transmission methods
17 Jan 2006 | Chris Apgar | SearchSecurity.com

A significant issue facing security professionals, especially in healthcare organizations, is the secure transmission of confidential and proprietary information, and protected health information (PHI). The HIPAA Security Rule, however, references secure transmission and the use of encryption. Although the Rule does not require the use of encryption, it's included as an "addressable" implementation specification. As a result, a healthcare organization covered under HIPAA has three choices: implement the specification as it appears in the Rule, implement an alternative that is equivalent to the specification or document why the specification is not applicable and therefore is not implemented. Given the availability and affordability of encryption technology today, it is difficult for a healthcare organization to justify not using some form of it when transmitting PHI.

When many organizations think of secure transmission, the conversation generally turns to encryption and encrypted email. The main purpose of this tip is to explore secure data transmission options that are available to help meet regulatory and legal requirements. While this tip touches on email security, you can find more in-depth information in Email Security School. Now we'll review the options in more detail.

Web site encryption
Organizations that use the Web to collect and transmit sensitive data to customers or other organizations need to secure their Web site. The general standard is the use of secure socket layers (SSL), which encrypts data transmitted via a Web site. Upon opening an Internet browser, an open or closed lock appears in the lower right hand corner of the Web site. If the lock is closed, it means the data transmitted over the Web site is secure. This allows the transmission and collection of private data over a Web site, without worrying about a hacker accessing it. There is no such thing as security without risks, but the use of SSL and secure Web sites when transmitting data significantly reduces the risk of it being inappropriately intercepted. Secure Web sites can be established by using internal Web analysts/programmers or working with a vendor who has expertise in creating an appealing and secure Web presence.

Email encryption
A number of vendors offer products that encrypt email messages, including email attachments. Many of these products are Web-based, are easy to use and provide the ability to send private data securely. They work by sending a link to the recipient, who then clicks on it and logs on to a secure email server, generally by SSL, which the organization either owns or outsources to an appropriate vendor. The recipient is then able to read the email and any attachments securely, and send a secure response including attachments if needed.

There is also non-Web-based technology that allows transportation of secure messages from one person or organization to another, the most common of which is public key infrastructure (PKI). PKI requires an exchange of keys used to unlock the encrypted file. For example, Bob wants to send a secure email to Sue, so he gives her a copy of his public key to open his encrypted message. Bob retains the private key he used to encrypt the message or file, which he can also use to authenticate himself as the sender, especially with a digital signature. A digital signature is a small electronic file that is unique to each sender and specifically authenticates his or her identity. In many states, a digital signature can be used and is enforceable to the same extent as an original signature on a contract or other legal document. The recipient can respond using the same encryption method.

There haven't been any large PKI deployments as of yet, mainly due to it being cumbersome, and the difficulty of administering and managing keys. PKI has been successful with small deployments and is frequently used for sending large files between organizations such as health plans and healthcare clearinghouses. However, it is not used for transmission between individuals. One method of secure data transmission often used in conjunction with PKI to encrypt and authenticate large data files, such as claims transactions and electronic remittance advices through clearinghouses, is secure file transfer protocol (FTP). The technology is readily available and recommended for organizations transmitting large amounts of data. A number of vendors offer a variety of reasonably priced encryption hardware and software, as well as outsourcing options.

Remote user communication
Remote users present an additional security risk, because they are often communicating between their home and an organization. This means they not only need to be aware of secure data transmission requirements, but also other information security risks associated with remote access to confidential information. To secure communication with remote users, install a virtual private network (VPN), which encrypts all the data sent between its users. This technology is readily available on the market, even for smaller organizations, and it is advisable that organizations with remote users install it. If a VPN is not established and a modem is not in use (which is generally not an efficient method of accessing a company network), all data transmitted over the Internet is subject to interception and inappropriate use. It is wise to view such transmissions as any message sent over the Internet, meaning it's subject to interception and, unless properly protected, misuse.

Laptops and PDAs
These portable devices can be easily lost or stolen. Therefore, it is wise for organizations using these devices to transport confidential information to encrypt the data stored on those devices. This protects the organization against inappropriate data disclosure if the portable device is lost or stolen. Encryption programs are available for portable devices and the cost of such software is reasonable and affordable.

Wireless networks
Wireless threats are on the rise and unsecured wireless networks are significant points of vulnerability and open up organizations to easy hacker access. Laptops connected to wireless networks are becoming more common, especially in hospital emergency rooms where medical and health insurance information is collected. These laptops communicate with the organization's wireless server and update applications, such as an electronic health record. Therefore, encrypt all data transmitted between wireless devices to prevent inappropriate disclosure of confidential information. Also, it's becoming increasingly important to prevent access by anyone not authorized to access the network.

Application encryption
Some organizations transmit data between applications, health records, etc. This data is generally sensitive and needs the extra layer of protection that encryption provides, if the data travels outside an organization. When transmitting sensitive data between applications, it is sound and good security practice to evaluate the encryption capabilities of the application(s) and implement an encryption solution beforehand. An organization can obtain this technology from the vendor that manufactures the application or a custom-programmed product that accommodates application functionality while protecting the data as it travels from one point to another.

About the Author: Chris Apgar, CISSP, is president of Apgar & Associates, LLC and former HIPAA Compliance officer for Providence Health Plans in Oregon and SW Washington. Apgar now operates an independent consulting firm specializing in security, privacy, HIPAA, transaction and code sets, information systems project development, global and detailed business process review, and lobbyist activity. He is a member of the HIPAA Compliance Insider Advisory Board and the Security Compliance Insider Advisory Board.

Technical tip: How to stop a rogue user from circumventing network security

The following question and answer thread is excerpted from ITKnowledge Exchange.

A user identified as Mouse 3333 posed this question: We have a rogue user who knows more than she should. She can grant herself and others the authority to access secure files. We have come across a couple and have changed those passwords. How can we monitor her activity to review what she has done? We believe she is using several different user IDs. Other than hiring a consultant.

In order to stop this power user from circumventing your network's security, you will need to bring in a security consultant, because it is clear that this user knows more than you do about network security. At this point, there are some technical steps you can take as well.

1. Trace back from the desktop to the actual switch port her workstation is connected to. If you don't have a current wiring diagram or a coding system, you can use a cheap toner to trace back to the switch. Then trace back your own desktop to the switch as well. I am assuming they are plugged into the same switch; if not, you'll want to plug a laptop in from inside the wiring closet.

2. Once you have the port number on the switch, log on to it, enable SPAN and set the port you are plugged into as the Monitor Port. Then set the port that the suspect's system is plugged into as the Monitored Port.

3. Download Ethereal (you can also use Sniffer or Etherpeek if you have it) and install it on the desktop. Set a filter in your protocol analyzer to filter to all other systems on her MAC or IP, with the system or systems where the accessed files are stored.
the URAC Privacy Advisory Committee. Is there anything else we can do to stop her? A user identified as Layer 9 advised: There are some products that allow you to restrict users internally. How to stop a rogue user from circumventing network security 15 Nov 2005 | ITKnowledge Exchange | SearchSecurity. He is a nationally recognized data security. doing the following will likely reveal what she is doing: 1. SearchSecurity. Privacy & Security Forum and the Forum's Transaction & Code Set Workgroup. privacy. and chairs the Oregon and SW Washington Healthcare. Assuming your Layer 2 network is a Cisco or other SPAN-compliant vendor. regulatory and HIPAA expert. These packet captures will show you what she is doing to get in or at least point you in the right direction. Mr. Examine what the packet captures about the activity between the suspect and the logon servers – particularly. but you really have to know what you are doing to use them.

A user identified as Bobkberg advised: Here are some other steps you can take to mitigate this risk:

• If you are in a Windows environment, list out all of the members of the administrators group and check their login history. If you are in a Unix/Linux environment, check all user and group IDs for root equivalence or root group membership. If you are using Network Information Service, check all user IDs there also.

• Turn on security auditing for logins and for system/file/folder access for likely machines -- then check regularly. Once you know what resources have been accessed -- whether they are files in a file system or user changes in Active Directory -- you should be able to trace those who have accessed them.

• Here is the bottom line -- get management support at an appropriate level before you proceed with your capture and detection measures. There may be options available to you that would not require approval from anyone (depending on your role and your company's policies), but if you don't receive management's support, make sure your procedural and policy ducks are in a row and carefully adhere to those guidelines. If you learn more about the initial situation, I strongly encourage you to email them about the matter clearly and keep their response. It will be your "Pearl Harbor" file.

If what I suggest sounds foreign, you should consider hiring a security consultant.

A user identified as This213 advised: I agree with Layer9. While you have received some sound advice, I find it interesting that there has been no mention of the authentication mechanism in use or what OSes and other resources are involved. If you suspect that one end user acquired "super user" access, then perhaps your priority should be to rebuild your access control structure, because one "known" violation suggests that there could be others. I also think she may have gotten her hands on someone's password. If you're not logging accesses to resources, then you should consider hiring a consultant.

A user identified as ChinaBJ advised: I suggest you use a combination of IT rules and technical methods to prevent this from happening again. Seek help from top management personnel to establish and implement IT rules. As far as technical methods are concerned, first, you can install a remote control client on the suspect's computer from the server and log her actions. Second, regularly check for login time/date as well as where it occurred. Third, you should implement IPsec to encrypt the communications that take place on your server. It is also necessary to stop Windows 2000 server's support for previous Windows authentication. If you have Windows 98 sharing, stop it; it's time to upgrade the network.

A user identified as Solutions1 advised: First, evaluate your priorities.
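Several of the answers above come down to the same exercise: pull the logon history, see which accounts were used from the suspect's workstation, and check administrator-group members for logons at odd hours or from unexpected machines. The script below is an added example, not code from the thread, showing that review over a constructed CSV export in the style of Windows Security log event 4624 (successful logon). The accounts, hostnames, administrators-group membership and business-hours window are all hypothetical.

```python
"""Logon-history review for a suspected rogue user.

Added example, not part of the original thread. SAMPLE_LOG is a
constructed CSV export in the style of Windows Security event 4624
(successful logon); accounts, hostnames and timestamps are hypothetical.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
time,event_id,account,workstation,logon_type
2005-11-14 08:55:10,4624,jsmith,WS-117,2
2005-11-14 09:02:44,4624,jsmith,WS-117,3
2005-11-14 12:30:01,4624,bjones,WS-117,3
2005-11-14 23:41:09,4624,svc_backup,WS-117,3
2005-11-15 01:15:33,4624,dadmin,WS-117,10
2005-11-15 08:10:00,4624,dadmin,ADMIN-PC,2
2005-11-15 09:00:12,4624,bjones,WS-204,2
"""

# Hypothetical membership of the Administrators group
ADMIN_GROUP = {"dadmin", "svc_backup"}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time counts as normal


def parse_events(text):
    """Parse the CSV export; keep only successful logons (event 4624)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["event_id"] != "4624":
            continue
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events


def accounts_seen_on(events, workstation):
    """All accounts that have logged on from one workstation (sorted)."""
    return sorted({e["account"] for e in events if e["workstation"] == workstation})


def off_hours_logons(events):
    """Logons whose hour falls outside BUSINESS_HOURS."""
    return [e for e in events if e["time"].hour not in BUSINESS_HOURS]


def admin_logon_history(events, admins):
    """Administrator account -> set of workstations it logged on from."""
    history = defaultdict(set)
    for e in events:
        if e["account"] in admins:
            history[e["account"]].add(e["workstation"])
    return dict(history)


def suspicious_admin_use(events, admins, suspect_ws):
    """Admin accounts used from the suspect's workstation outside business hours."""
    return sorted({e["account"] for e in off_hours_logons(events)
                   if e["account"] in admins and e["workstation"] == suspect_ws})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("accounts seen on WS-117:", accounts_seen_on(evts, "WS-117"))
    print("admin logon history:", admin_logon_history(evts, ADMIN_GROUP))
    print("off-hours admin use from WS-117:",
          suspicious_admin_use(evts, ADMIN_GROUP, "WS-117"))
```

In the constructed sample, two administrator accounts appear on the suspect's workstation in the middle of the night, which is exactly the kind of lead the packet captures and auditing suggested above would then be used to confirm.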

If you're in a Windows environment, the tools are most likely already in place. If you're in a Unix/Linux environment, there are tools for this. Also, I suggest you have your network penetration tested, both externally and internally. You never know how strong something is until you try to break it. Third, make sure you document everything. Send emails to your superiors and detail the situation as best as you can. Create a situation file. Place the emails that discuss the situation into the file as well. Collect hard copies of all the logs about the affected systems, and place them in the file. Then, document your actions to remedy the situation and put that in the file. Also, make sure that anyone (management, auditors, etc.) can access the file. Inform them of the file and its location, and explain how they can view a *copy* of its contents. Note that I said a *copy* of the file, so they can read about the entire situation themselves -- as Bobkberg said, it's your "Pearl Harbor" file. Finally, always follow the maxim: CYA.

A user identified as SidZilla advised: Don't overlook the non-technical solutions. Take the offending employee to HR and ask her what she is doing, how she is doing it and, most importantly, why she is doing it. If she doesn't answer all three and agree to stop, fire her on the spot. Plenty of companies out there do this. I would make sure HR is on board with the fact that circumventing security is a fire-able offense.

Guarding against malware infection from remote users
2 Sept 2004 | Ed Skoudis, CISSP | SearchSecurity.com

So, you think you've got your malware defenses up to snuff, right? Antivirus tools on the mail gateway? Check. AV deployment on all company-owned desktops and laptops? Check. Firewalls blocking all services except those with a defined business need? Check. Thorough malware defenses against infected telecommuters using the VPN from their laptops, home desktops and even handheld devices? Um … well. …

Sadly, many organizations today haven't adequately addressed the potential for malicious code infection via telecommuters. In today's new-worm-every-day world, a home user gets infected by some pathogen on the Internet and then sets up a VPN connection to the corporate network. Once connected, the infected home system acts like a Typhoid Mary on the internal network, spreading the malicious code and bypassing your perimeter defenses, including Internet firewalls.

How can you stop this plague in your environment? The solution requires both policy and technology. Make sure to define policies that require home users to keep up-to-date AV tools installed on their systems, regardless of whether the machine is owned by the user or the company. Also, require that the AV tool be configured to automatically download new signatures each day, and define specific penalties for disabling the AV tool and its update capabilities.

Also, specify in your policy that the corporation reserves the right to search the computers of any VPN users across the network, regardless of whether the system is owned by the employee or the corporation. Employ a warning banner that launches during the VPN login and requires users to click "OK", acknowledging that their personal systems could be searched remotely when an incident occurs. Without this policy and warning banner, you have no business searching an employee-owned machine. Enlisting permission from the system owner -- the employee, again -- allows your incident-response team to legally conduct the analysis required to address the problem. Alternatively, you can create a policy that limits VPN access to only corporate-owned computers. Of course, your company will then need to purchase machines for all telecommuters, so make sure the budget can adequately afford you going that route.

Fortunately, many VPN gateways now offer the capacity to interrogate the client to ensure the host system is running an active AV tool with up-to-date signatures and a personal firewall. Activate these capabilities if your infrastructure supports them. Also, make sure your VPN gateway passes all traffic through a firewall that performs comprehensive filtering -- only allowing access to absolutely required services and only to those servers that each remote user needs. Finally, consider deploying network-monitoring tools, including network-based intrusion-detection and intrusion-prevention systems, on the network segments associated with the VPN and filtering devices; this will enable you to detect and thwart attacks early.

About the Author: Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).

Remote network access from privately-owned machines
25 Aug 2004 | Mark Mellis | SearchSecurity.com

IT managers are under increased pressure to provide broad remote-access capabilities. User communities range from casual "day extenders," who only need access to their email and the corporate Web portal from their family PC, to full-time telecommuters who use core applications and IP telephony. Because they depend upon remote access for all their work, companies usually don't have too much trouble justifying high-end solutions for the full-time telecommuter by providing them with a company-owned computer, firewall and 24x7 help desk access. But how can we effectively (and affordably) support the low-end needs of other users?

The upside of allowing users access from their own computers and network connections is attractive. Often, remote users don't even want a company laptop -- too much to lug around. Besides, the family system is likely faster (designed for the kids to blast alien spacecraft with). Of course, it's the downside that we need to consider. Users wanting access to the corporate playground first must prove they won't infect the other kiddies.

Risks are proportionate to access provided
Users who have full network access to internal enterprise LANs can inflict much more damage than those who can only use webmail. So, the first step in your strategy entails providing tiered access, appropriate to the needs of each user. Many companies can get by with two or three tiers, with webmail at the low end, file and Web application access in the middle, and full VPN connectivity at the top.

Training
End user security education is essential for successful remote-access programs. It should play a prominent part in your ongoing security education program; if not, this could provide the motivation to start. The curriculum should include information on the hazards of active content, including viruses, worms and spyware. Also include information on password hygiene and what to do in the event that they suspect an incident might be in progress. Don't forget to include requirements for access to company information, including webmail. Make the point that this instruction will help them protect their own data as well as that of the company. You can use online programs on the company intranet. Make sure that you track completion and require periodic refresher training. Try awarding a gift certificate to someone selected from those who took the course, to give users a positive incentive for completing their mandatory training.

Authentication
You have to know who someone is before you allow them access to any service, internal as well as external. Typically, we use user names and passwords to provide authentication, which are vulnerable to interception and compromise. Educating users about password hygiene and protecting passwords in transit with encryption used to be adequate, but with today's spyware and keystroke sniffers, two-factor authentication with hardware tokens is practically mandatory for all remote users, even those with low-end privileges.

If you choose to stay with usernames and passwords, make sure that you don't set yourself up for a denial-of-service attack. Do you use your internal domain authentication source for remote access and automatically lock out accounts after a certain number of failed login attempts? If manual intervention by an administrator is required to restore an automatically locked-out account, your systems are vulnerable. It's a simple matter for a disgruntled employee sitting at a cyber cafe to go down the company directory typing three bad passwords for every username on the list and lock out the whole company. It's much better to use separate authentication sources for external services, or to only lock out accounts for a short period of time. Even lockouts as short as five minutes will throttle an online dictionary attack to a handful of guesses per lockout period.

Authorization
Appropriate access to internal resources is key. The best SSL VPN and gateway products have rich access-control models, but they won't do you any good if you don't know which users should have access to which data and where the data is stored. So, you need to identify your information assets and how they are classified. If you have an existing data inventory and authorization model, it will pay off. If you haven't classified your data, start there.
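The lockout trade-off in the Authentication section is easy to see in code. The model below is an added example, not from the article: a login front end with a configurable lockout policy, an attacker who walks the user directory submitting bad passwords, and an online dictionary attacker against one account. It contrasts a lockout that needs an administrator to clear it with one that expires on its own after five minutes. Users, passwords and timestamps are hypothetical.

```python
"""Account lockout: manual-reset versus timed lockout.

Added example, not code from the article. Models the login front end of a
remote-access service. Times are plain seconds so the scenario runs offline;
all users, passwords and timings are hypothetical.
"""
from typing import Optional


class LockoutPolicy:
    def __init__(self, threshold: int = 3, duration: Optional[float] = None):
        self.threshold = threshold   # consecutive failures before the account locks
        self.duration = duration     # seconds; None = locked until an admin resets it
        self.failures = {}           # user -> consecutive failed attempts
        self.locked_at = {}          # user -> time (seconds) the lock was applied

    def is_locked(self, user: str, now: float) -> bool:
        locked = self.locked_at.get(user)
        if locked is None:
            return False
        if self.duration is not None and now - locked >= self.duration:
            # Timed lockout has expired: clear it without any admin action
            del self.locked_at[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password: str, now: float, creds: dict) -> str:
        """Return 'ok', 'bad_password' or 'locked' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"
        if creds.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_at[user] = now
            return "locked"
        return "bad_password"


def lockout_attack(policy: LockoutPolicy, creds: dict, now: float) -> int:
    """Attacker walks the directory submitting `threshold` bad passwords per
    user at time `now`. Returns how many accounts are locked afterwards."""
    for user in creds:
        for _ in range(policy.threshold):
            policy.attempt(user, "not-the-password", now, creds)
    return sum(policy.is_locked(u, now) for u in creds)


def legitimate_logins(policy: LockoutPolicy, creds: dict, now: float) -> dict:
    """Every real user tries the correct password at time `now`."""
    return {u: policy.attempt(u, p, now, creds) for u, p in creds.items()}


def guesses_accepted(policy: LockoutPolicy, user: str, creds: dict,
                     guesses: int, seconds_between: float) -> int:
    """Online dictionary attack against one account: how many of `guesses`
    attempts are actually checked against the password (not rejected as locked)."""
    evaluated = 0
    for i in range(guesses):
        t = i * seconds_between
        if not policy.is_locked(user, t):
            evaluated += 1
        policy.attempt(user, f"guess{i}", t, creds)
    return evaluated


if __name__ == "__main__":
    creds = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}  # hypothetical directory
    permanent = LockoutPolicy(threshold=3, duration=None)
    timed = LockoutPolicy(threshold=3, duration=300)
    print("locked by attack (manual reset):", lockout_attack(permanent, creds, 0))
    print("an hour later:", legitimate_logins(permanent, creds, 3600))
    print("locked by attack (5-minute lockout):", lockout_attack(timed, creds, 0))
    print("five minutes later:", legitimate_logins(timed, creds, 301))
    print("dictionary guesses checked in 10 minutes, 5-minute lockout:",
          guesses_accepted(LockoutPolicy(3, 300), "alice", creds, 600, 1.0))
```

With the manual-reset policy the whole directory stays locked until an administrator intervenes; with the timed policy everyone is back in after five minutes, while a dictionary attacker at one guess per second gets only a few guesses checked per lockout window.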

Active content control
Viruses are the scourge of the decade, and like all effective security programs, virus control should be layered, starting at the edge of the network. Of course every computer should have antivirus software installed and maintained. Here's another place where you can provide an incentive for good security practices: consider providing antivirus software to your end users for free or at a discount. You may not want to use the corporate edition that you deploy internally, since that would increase your support burden, but you can still provide the consumer editions to your day extenders. Of course you will want to ensure that users renew their subscriptions each year, so consider including the renewals in your program. Don't forget to protect the systems used by the full-time telecommuters as well.

Personal firewalls
Personal firewalls are very common in full VPN environments, and can be useful even for day extenders using webmail, because they can help block spyware back channels. You may elect to subsidize their use in a manner similar to that discussed for antivirus software.

Information leaks
Every time a browser loads a clear text Web page, a copy of the page is made in the browser's cache. Likewise, pathnames and other parameters can be captured by the browser's history feature. And end users often download email messages and attachments, as well as files to which they might have access. Obviously this can be a serious problem. Browsers do not normally cache data downloaded over SSL connections, but that is browser-dependent behaviour rather than a guarantee, so sensitive pages should also be served with a Cache-Control: no-store header rather than relying on it. Further, some SSL VPN remote access products have special features to clean up after sloppy software and forgetful users. If the risk of information leakage is important for your company, you will want to investigate these features.

If you can't control, monitor
You won't necessarily have the resources to implement technical controls to compensate for every threat. However, you shouldn't give up. If you can't control, often you can monitor instead. Monitoring techniques can include network- and host-based intrusion detection, system auditing and log analysis -- powerful techniques for stopping problems in their tracks.

All is not lost. Your company can allow employees to use their home computers. It won't be free, and it likely won't encompass all the services that some users will want, but it can be done safely for many services. That's the bottom line.

About the Author: Mark Mellis, ISACA/CISM, is a consultant with SystemExperts Corporation, specializing in network security.

Ten tips for safe computing on a public LAN
22 Sept 2003 | Ed Yakabovicz | SearchSecurity.com

There may be times when your remote users need to connect to a public LAN. Here is a checklist of ten basic tips for ensuring the security of their systems, as recommended by SearchSecurity.com expert Ed Yakabovicz. These are also handy tips to distribute to end users for keeping home PCs secure.

1. Use a personal firewall (software; some are free) and keep track of who is trying to access your machine. Never, never shut it off – for any reason.
2. Use a hardware firewall if you can. These can run $40 to $100, but they save much time and hassle.
3. Use antivirus software to protect your system from any virus or malicious code. Update the antivirus signature file daily.
4. Conduct a full scan for viruses weekly.
5. Keep the system's OS patches up to date.
6. Run some type of third-party cleaner that will check for malicious code and hidden files that could be Trojans.
7. Do not share drives. Using the personal firewall, allow no one to connect through Windows to your machine.
8. Ensure the user ID guest is disabled, and do not use administrator unless necessary.
9. Ensure passwords are hard to guess.
10. Run defrag once a week.

Endpoint security tactics

Hot Pick: Fireball KeyPoint
13 Oct 2004 | Tom Bowers, CISSP | SearchSecurity.com

Fireball KeyPoint
RedCannon, www.redcannon.com

RedCannon's Fireball KeyPoint is an endpoint security solution conveniently packaged in a portable USB token. Technically, it's a basic, secure mobile computer that uses host machines as conduits for I/O devices, connectivity to the Internet and corporate networks, storage and email. Enterprises can configure Fireball KeyPoint to securely run common applications (such as Web browsers and email) and avoid untrusted applications on host machines. RedCannon's Fireball KeyPoint provides token-based endpoint security, secure Web browsing and spyware protection.

When the Fireball KeyPoint is plugged into a USB port, it connects to the RedCannon Web site or your enterprise's management server for policy and software updates. Updates are loaded before it scans the host PC and grants secure access to network-based applications. An area of concern is RedCannon's suggested distribution of policy updates via shared drives -- an open invitation to disaster, since worms like Blaster and My-Doom could use the open shares to propagate on the LAN. In light of this review, RedCannon has changed its recommended architecture.

Fireball KeyPoint assesses and authenticates the host machine's compliance with enterprise security policies, granting full access to compliant machines, limited access to moderately risky machines, or no access to machines that represent a high security risk. For example, hosts with a low-level adware threat could still be granted email access. However, if a more dangerous keystroke logger is detected, Fireball KeyPoint won't permit a connection and will advise the user to try another host. The token also alerts users to the presence of spyware or malware on the host PC, but doesn't remove it. Fortunately, we discovered during testing that using a Web session secured with SSL or SSH will close this hole. (Bear in mind that an encrypted session protects the traffic on the wire, not keystrokes or screen contents captured on the host itself, so a detected keystroke logger should still mean walking away from that machine.)

The connection to the corporate network is secured with an IPsec VPN tunnel, although in reality this isn't a requirement. Email messages are stored and encrypted in a token-based vault. RedCannon's proprietary email is adequate; it has the same basic features and capabilities as free or inexpensive email apps like Calypso, Eudora and Thunderbird. The only difference with RedCannon's secure email is that almost everything runs from the token, and what little runs from the host PC is hashed/encrypted, erasing all traces of the session.

Although RedCannon claims Fireball KeyPoint leaves no residual data on the host computer, our testing found traces of visited Web pages in the Documents and Settings temp directory after the token was removed. This is disappointing, since the whole point of this device is to securely browse the Web and access email via an untrusted computer. RedCannon says the bug will be fixed in the next release.

Fireball KeyPoint comes in two sizes -- 256 MB and 512 MB -- but don't let the numbers fool you. Its auto-recovery app takes up approximately 50 MB. The Encrypted Vault secure storage provides drag-and-drop capability through Windows Explorer. And, just as the scanner limits or blocks access to the corporate network, it will also lock down the vault if the host machine presents an unacceptable risk.

The tedious process of integrating Fireball KeyPoint's Fireball Manager into Active Directory -- the only supported directory service -- must be completed before license, key and policy distribution. Each token must be plugged into a USB port on either the system hosting the management server or one with a network share, to receive licenses, policies and configurations. A thin Quick Start Guide and poor documentation complicated the Fireball Manager's installation and configuration. The guide was lacking in nearly every subject, and completely missing was a diagram showing the entire architecture, which would have prevented serious roadblocks during setup and testing. Wizard-based installation for the Fireball Manager and authentication to a secure Web site/sharepoint for policies/licenses would be on our wish list for the next version.

Despite a number of first-release shortcomings, the Fireball KeyPoint is an endpoint security product with potential. Whether you're using an Internet cafe or a home computer, the device lessens the most common remote access security concerns. We expect future versions only to improve upon this strong foundation.

About the Author: Tom Bowers has worked with computers since the early 80s. He is currently the Manager of Information Security Operations for Wyeth Pharmaceuticals, where he leads a team conducting pen testing globally. He also owns Net4NZIX, a small consulting firm specializing in pen testing and computer forensics. Tom holds the CISSP, PMP and Certified Ethical Hacker certifications. He can be reached at tbowers@net4nzix.com.

Product Review: End of the line
1 June 2004 | Curtis Dalton, CISSP | SearchSecurity.com

Endpoint devices -- laptops, SOHO desktops, public terminals, etc. -- are your biggest security headache. Traveling employees log in without updated AV signatures or the latest OS patches. Home workers may have no AV or firewall protection. And who knows what unauthorized software and spyware are on connecting PCs?

Users jacked into your LAN may not be much better off. Policy notwithstanding, internal employees and contractors disable AV scanners, fiddle with registry settings and run Kazaa and Quake on your network. IT security staffers are often skeleton crews that can't keep up with basic patching, much less play cop with noncompliant employees and machines. Even the most up-to-date patching will lag behind the spread of worms and viruses. The secure master build installed on each computer before it's released is often rendered obsolete by the latest vulnerability and exploit. According to Gartner, 90% of cyber-attacks through 2005 will involve known vulnerabilities for which a patch or remedy already exists.

No wonder the number of endpoint security solutions is growing. These products ensure that each device complies with policy before it's allowed on your network. Solutions can work for remote and/or LAN-based clients.

Endpoint police
How do you determine whether a particular host should or shouldn't be allowed to access the network? A solution should cover these compliance criteria:

• Authorized OS version and hardware platform.
• Functioning AV software with latest signatures.
• Firewall and VPN client with approved policy.
• Required OS patches and registry settings.
• Required company software.
• Absence of IM, P2P, spyware or other rogue programs.

Most endpoint solutions attempt to cover these criteria, but in different ways. Most check compliance through direct login to the endpoint client and/or remote scanning, checking for active processes, OS revision, registry settings, patches, etc. Typically, solutions use either a resident agent or thin client, and most require manual remediation.

Direct Login
What if you could validate virtually all client systems, including public kiosks and SOHO computers? This is the big advantage to the direct login approach. A gateway device will intercept the endpoint's authentication request and use native cached account credentials to validate compliance. The downside: because of the credential caching, this type of endpoint security gateway is an important -- and additional -- user information store that must be stringently protected. Also, the gateway must be inline with your authentication servers, which could introduce additional points of failure, and must be compatible with your authentication protocol (LDAP, NT Domain, Active Directory, etc.).
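The posture checks Skoudis recommends enabling on VPN gateways (an active AV tool with fresh signatures and a personal firewall) and the compliance criteria listed above reduce to the same decision logic, with graded outcomes of full, limited or no access as the product reviews describe. The following is an added example, not code from the article or from any vendor's product: a small policy evaluator over a hypothetical posture report of the kind an agent or thin client could collect from the host. The policy values, patch identifiers, process names and sample reports are all assumptions.

```python
"""Endpoint posture check: full, limited or no access.

Added example; not the article's code and not any vendor's product. A
posture report is a dict of facts an agent or thin client could collect
from the host. POLICY, the patch IDs, process names and SAMPLE_REPORTS
are hypothetical.
"""
from datetime import date

POLICY = {
    "allowed_os": {("Windows XP", "SP2"), ("Windows 2000", "SP4")},
    "required_patches": {"KB835732", "KB824146"},
    "max_signature_age_days": 1,          # signatures must be downloaded daily
    "required_software": {"corp-vpn-client"},
    "prohibited_processes": {"kazaa.exe", "quake3.exe", "aim.exe"},
}


def check_posture(report, policy, today):
    """Return ('full' | 'limited' | 'deny', findings).

    Each finding is (severity, message). Any 'deny' finding denies the host;
    only 'limited' findings put it in the restricted/remediation tier.
    """
    findings = []
    if (report["os"], report["service_pack"]) not in policy["allowed_os"]:
        findings.append(("deny", "unauthorized OS version or service pack"))
    if not report["av_running"]:
        findings.append(("deny", "antivirus not running"))
    else:
        age = (today - report["av_signature_date"]).days
        if age > policy["max_signature_age_days"]:
            findings.append(("limited", f"AV signatures are {age} days old"))
    if not report["firewall_on"]:
        findings.append(("deny", "personal firewall disabled"))
    if report["split_tunneling"]:
        findings.append(("deny", "VPN split tunneling enabled"))
    missing = policy["required_patches"] - set(report["patches"])
    if missing:
        findings.append(("limited", "missing patches: " + ", ".join(sorted(missing))))
    rogue = policy["prohibited_processes"] & {p.lower() for p in report["processes"]}
    if rogue:
        findings.append(("limited", "prohibited programs running: " + ", ".join(sorted(rogue))))
    absent = policy["required_software"] - set(report["software"])
    if absent:
        findings.append(("limited", "required software absent: " + ", ".join(sorted(absent))))
    if any(sev == "deny" for sev, _ in findings):
        return "deny", findings
    return ("limited" if findings else "full"), findings


TODAY = date(2004, 6, 1)   # hypothetical evaluation date

SAMPLE_REPORTS = {   # constructed posture reports, one per tier
    "compliant": {"os": "Windows XP", "service_pack": "SP2", "av_running": True,
                  "av_signature_date": date(2004, 6, 1), "firewall_on": True,
                  "split_tunneling": False, "patches": ["KB835732", "KB824146"],
                  "processes": ["explorer.exe", "OUTLOOK.EXE"],
                  "software": ["corp-vpn-client"]},
    "stale": {"os": "Windows XP", "service_pack": "SP2", "av_running": True,
              "av_signature_date": date(2004, 5, 25), "firewall_on": True,
              "split_tunneling": False, "patches": ["KB835732"],
              "processes": ["explorer.exe", "Kazaa.exe"],
              "software": ["corp-vpn-client"]},
    "infected": {"os": "Windows 98", "service_pack": "", "av_running": False,
                 "av_signature_date": date(2004, 1, 1), "firewall_on": False,
                 "split_tunneling": True, "patches": [],
                 "processes": ["explorer.exe"], "software": []},
}


def evaluate_all(reports=SAMPLE_REPORTS, policy=POLICY, today=TODAY):
    """Decision per report name, as a gateway would log it."""
    return {name: check_posture(r, policy, today)[0] for name, r in reports.items()}


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        decision, findings = check_posture(report, POLICY, TODAY)
        print(f"{name}: {decision}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The severity split is the point: a host with week-old signatures and a missing patch lands in the limited tier, where it can be sent to a remediation URL, while a host with no running AV, no firewall or split tunneling enabled is refused outright, mirroring the full/limited/none grading described for the products reviewed here.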

One example of this type of gateway is StillSecure's SafeAccess, an agentless solution. It's installed on a dedicated server that sits between the VPN gateway and firewall. The SafeAccess server is a Layer 2 bridge based on Red Hat Linux with Apache for Web-based management. Since it operates at Layer 2, it requires no IP addresses for devices in your DMZ. If a remote device is connecting to the corporate LAN for the first time, the user is directed to a Web logon page, allowing the SafeAccess server to log in to the computer (through Windows support only) and perform the checks. The login sequence is achieved via the Windows RPC service from within the VPN tunnel (all IPSec VPN vendors are supported) between the remote host and the corporate VPN gateway. If a remote host isn't a member of the corporate domain, SafeAccess assigns a unique identifier so it can recognize it in subsequent connection attempts. SafeAccess checks for missing patches and software updates, up-to-date AV signatures, VPN with split tunneling disabled, third-party cookies and hacker tools. Noncompliant devices are quarantined using ACLs defined on the SafeAccess server. Clients can be routed to a customizable URL for remediation.

Remote Scanning/Agent Queries
Many solutions use vulnerability scanning technology to check the remote client or query client-side agents (or a combination of both) to determine if required security programs (firewall, AV, VPN and personal firewall) are running. These products eliminate the need to cache user names and passwords on the gateway device. However, client-side software of some kind is required -- a preinstalled agent, ActiveX thin client or browser plug-in.

ENDFORCE's ENDFORCE Enterprise uses a resident agent to check host OS, patches and applicable app or file signatures, applications (such as AV, VPNs and personal firewalls), policy settings and required or prohibited programs. If a remote device fails the checks, ENDFORCE provides instructions or automated remediation steps. ENDFORCE works in conjunction with most AV solutions.

Check Point Software Technologies' Zone Labs Integrity Clientless Security integrates with popular SSL VPNs. Its ActiveX thin client uses a combination of signatures and heuristics to detect, quarantine and block systems containing spyware, keystroke loggers, Trojans, worms, viruses, etc.

Citadel Security Software's ConnectGuard uses a host-based agent to draw policies and remediation instructions from Citadel's Hercules patch and configuration server. The agent monitors all outbound traffic and blocks any connections that violate the corporate security policy. The first version of this product is fairly elementary; it offers no quarantining and only works in conjunction with Hercules.

InfoExpress' CyberGatekeeper suite offers appliance-based solutions using a resident agent executable or ActiveX thin client. CyberGatekeeper LAN protects the internal LAN and integrates closely with Cisco switches to quarantine noncompliant hosts. The resident agent executable (Windows and Linux supported) checks running processes, registry settings and patches. Noncompliant hosts are automatically assigned to a segregated VLAN, or blocked entirely via VLAN manipulation. CyberGatekeeper Remote functions much like the LAN product but uses an ActiveX thin client, which is loaded onto the host via the browser. Noncompliant devices can be monitored and automatically remediated through user-generated scripts.

Sygate's Secure Enterprise (SSE) employs a resident agent to enforce policy and verify that Sygate's firewall, IDS and AV (all popular solutions are supported) are current and operational. SSE verifies OS version, patches, registry settings and file requirements. It can be used to monitor specific apps and removable devices, such as USB flash memory sticks. Built-in location awareness capabilities ensure that the appropriate security policy is applied. For example, the policy for accessing company headquarters may be different than logging in to a branch office. Policy enforcement is accomplished via client-side access controls applied to the firewall policy. Sygate plans to release Sygate On-Demand, which can use ActiveX or Java thin clients instead of agents, and Magellan, a clientless direct login solution.

Symantec's Client Security checks compliance for LAN-based and remote clients, but has no integrated VPN support. Its resident agent detects unauthorized activity, attempts to disinfect afflicted devices and prevents access to system or network resources via real-time AV protection, personal firewall and IDS -- all controlled via the management console. Noncompliant endpoints can be blocked or granted limited access until updates and configuration changes are made. This solution is best deployed with Symantec VPN Sentry, which assures up-to-date Client Security is running.

Iomart Group's NetIntelligence relies on a host-based agent, which checks for IM, P2P, malware and pornographic files via digital fingerprinting and provides Web content blocking and copyright theft detection. NetIntelligence provides integrated Kaspersky Labs AV protection, checks OS revision and patches, and enforces OS security compliance. Policies are defined by user and group and are pushed down from a central console on a scheduled or ad hoc basis. Remediation can be implemented through a central console, which can apply changes individually or by group.

Whole Security's ConfidenceOnline solution is completely transparent and requires no signatures. It uses an ActiveX thin client or Netscape plug-in to check for eavesdropping software and verifies that required processes and applications are running and conform to policy.

Config-urable heuristics are also used to identify and disconnect remote clients that display infection symptoms.Network device compliance 6 Apr 2004 | Ben Rothke. is the founder of Principal Security Group. group and role. Examine a corporate campus and count the consultants. Endpoint security solutions should also allow you to quickly tweak policy across client base. or does it have an unused. vulnerable version of H.323.0. end-node security is crucial since so many devices (PDAs. CISSP. CISSP | SearchSecurity. chewy on the inside" method. On the other hand. 2001). you should be concerned with their hardening processes and understand what services are active.com Copyright TechTarget 2006 26 . which has a few known vulnerabilities. Be sure to check under the hood before you buy. which is susceptible to buffer overflows and DoS attacks? From a management standpoint.37. viruses and worms are still the curse of today's IT environments. He has authored numerous magazine articles and co-authored Security Architecture: Design. Weighing the choices It's tempting to steer clear of solutions that require client-side software and all the administrative pain that it entails.com Traditional network security has long been about protecting the network perimeter via the "crunchy on the outside. But that method does nothing to stop viruses and worms from originating inside the network.software and verifies that required processes and applications are running and conform to policy. Since domain administrator credentials are stored somewhere in these boxes. Even for the organization that has an antivirus appliance at their gateway. CISM (cd@psgsite. A network card and DHCP is all SearchSecurity. ensuring they don't introduce viruses and worms to the network? Today. many corporate networks are more open than all-night convenience stores. user ID. Deployment & Operations (Osborne McGraw-Hill.com). insider abuse and much more. such as in response to new threats. 
an information security consulting firm. look for solutions that offer global policy controls and granular ACLs based on location. How can their access be controlled. With that openness comes lost productivity. service providers and temporary workers accessing the network. industrial espionage. are stored domain passwords encrypted or hashed. clientless solutions require that you either trust the proprietary behavioral traffic analysis or entrust third-party security devices with automated domain administrator login access on your networks. Hark! Who goes there? -.) are now bypassing that first-level gateway of protection. For example. etc. About the Author: Curtis Dalton. laptops. Even with layers of firewalls and IDSes. and what hash or cryptography is used? Is your endpoint security solution utilizing Apache 2.

CTA will be the interface between the desktop and NAC. Others vendor offerings include Infoexpress's CyberGatekeeper and Sygate's Adaptive Protection. If an agent isn't loaded. by Symantec Corp. Two announcements. which includes VPN Compliancy Check. NAC's goal is simple: Ensure hosts can't harm the network. and will be freely available to end-users. Effective end-node security is all about verifying the security compliance of any device that connects to the network. The beauty of such an architecture is that there is compulsory enforcement. default access policies are enforced according to the level of security desired. While the company hasn't announced anything directly. Any developer that wants to integrate NAC into their solution licenses the NAC SDK. announced the release of Symantec Client Security 2. This is atrocious given the risks that arise from a lack of effective end-node security. If not. Until it is isolated. It is Cisco's hope that NAC will ultimately be ubiquitous at the desktop in the form of the Cisco Trust Agent (CTA) software. Symantec Corp. there is little that can be done to stop its lingering effect on the rest of the network. the device is placed in a quarantined area where the required patches are downloaded. End-node security fills the credo of trust but verify. much like the Adobe Acrobat reader. Hosts that aren't compliant are denied network access.that is needed to access many networks. the security risks with this SearchSecurity. StillSecure Safe Access. Seeing the importance of end-node security. were made early this week. many vendors are getting into the game.com Copyright TechTarget 2006 27 . and StillSecure announced its agentless end-node security solution. Microsoft is working on a trust model of analysis and the quarantining of end points. Noncompliant devices can be isolated and denied network access until they are appropriately patched. 
It's the equivalent of showing one's credentials before admission and having a level of enforcement after admittance. The function of any desktop agent is to collect security state information from the desktop device and to report that information to the connected network where access control decisions are made and enforced. This host isolation is the greatest benefit of NAC. Cisco defined NAC's architecture and the specifications for NAC technology to be integrated into third-party products. NAC isn't a product per se but Cisco's collaborative effort to ensure network devices can't enter a network until they are compliant with the level of enforcement required. cell phones and wireless PDAs easily connecting to the corporate network. access is granted. An example of NAC credentials would be the most recent antivirus definitions and operating system patches. but they don't have the level of infrastructure to leverage as Cisco's Network Admission Control (NAC).so too with a single infected host. If the host is compliant. With laptops. and StillSecure. Typhoid Mary showed what one infected person can do to facilitate the spread of disease -.0.

In the pre-Internet days of the mainframe. Despite the fact that more and more is being spent on information systems security.com Vendors are touting new products to manage endpoint security. Some of them include: • • • • • Internet access Business Partner access External partnership access Internal employee access And more Know your endpoint The banking industry has a federal requirement known as Know Your Customer (KYC). The purpose of KYC requirements is to catch those laundering money or attempting tax evasion. but organizations can save money by effectively managing three technologies they already employ – firewall. About the Author: Ben Rothke. CISSP. systems are becoming increasingly complex. Where is your endpoint? The function of perimeter or endpoint security is to ensure that the infrastructure is protected against external threats. things were either inside or outside of the data center. antivirus and patch management. The endpoint security market grows as more attention is given to the challenges of securing a dynamic digital perimeter. Even the physical perimeter is not simple to define. Before you can secure your endpoint. Organizations willing to pay a hefty price can choose from a variety of products that ensure that endpoint devices comply with policy before connecting to the network. However. is a New-York based security consultant with ThruPoint. He can be reached at brothke@thrupoint. It will be a while before the various end-node security initiatives are complete and fully deployed. Most organizations already employ three effective endpoint security controls: firewall. Banks are required to determine SearchSecurity.com Copyright TechTarget 2006 28 . endpoint security was simple. which is part of the USA Patriot Act of 2001. McGraw-Hill recently published his book Computer Security: 20 Things Every Employee Should Know. and complex systems are much harder to protect. But as a start. Inc. antivirus and patch management. 
it shows that the best information security defense is a strong offense. effective endpoint security doesn't have to require a significant investment in new software or hardware. The potential endpoints are many.level of network ease of use can be utterly dreadful. you need to define it. Effective endpoint security without a significant investment 2 May 2005 | Ben Rothke.net. CISSP | SearchSecurity.

and are able to detect and respond to anomalous activities. In addition. Effective endpoint security requires an understanding of the infrastructure and a significant commitment to get the job done. Technical controls Firewall A firewall is often the first line of network defense. where one can leisurely decide whether or not to patch. Firewalls are often pristine when initially configured. patch management was something a system administrator did when he had time. A firewall can't be effective unless it's deployed in the context of working policies that govern its use and administration.the source of customer deposits. SearchSecurity. allow far too much traffic and too many protocols through. but after time. organizations are only as good as their virus definition files. Trojan horses. now it is an elemental part of information security. worms. Patch management is a strategic process where it must be decided: • • • • • which patches to install the benefits and implications of implementing the recommended changes the business benefit of installing a patch the regulatory requirements the operational requirements The year 2005 is no longer your mother's patch environment. organizations can ensure that malware does not infect the infrastructure. Those who have management support and are willing to put in the time to get to know their endpoint have a real chance to create a highly effective information security infrastructure. classify them according to pre-determined profiles and monitor their banking activity to detect deviations. organizations must make certain that gateway devices and workstations have updated antivirus signatures on each device. But when it comes to antivirus software. To ensure maximum protection. Antivirus Viruses. much can be achieved. Patch management Until recently. Those in information security can take a similar approach to securing the network perimeter.com Copyright TechTarget 2006 29 . By deploying antivirus technology at the endpoint. 
If you know your endpoint. Microsoft's Patch Tuesday can easily turn into a Black Wednesday if not handled correctly. management often puts too much confidence in firewalls. How do you obviate such a predicament? Make sure you have an effective and current set of firewall policies. spyware and more are a huge risk to information security. ensuring that only allowed traffic traverses the network.
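The firewall drift described under Technical controls (a rule base that starts clean and ends up passing far too much) can be caught by auditing the rule set itself rather than waiting for an incident. The script below is an added example and is not part of Rothke's tip or any vendor's product. It assumes a one-line rule syntax ("permit|deny <proto> <src|any> <dst|any> [port]"), an assumed trusted range of 10.0.0.0/8, and a constructed sample rule set; it flags wide-open permits, NetBIOS/SMB and cleartext administration reachable from untrusted sources, and rules shadowed by an earlier rule (including a final deny-all that can never be reached).

```python
"""Audit an ordered firewall rule set for policy drift.

Added example, not from the tip. The one-line rule syntax, the trusted
network default and the sample rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
NETBIOS_SMB_PORTS = {137, 138, 139, 445}   # drive mapping / file sharing
CLEARTEXT_ADMIN_PORTS = {21, 23}           # FTP, Telnet

Finding = Tuple[str, int, str]             # (severity, 1-based rule number, message)


@dataclass
class Rule:
    action: str                            # "permit" or "deny"
    proto: str                             # tcp, udp, icmp or ip (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]                    # destination port, None = any
    text: str

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is already matched by self."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and (self.port is None or self.port == other.port)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    parts = line.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    port = None if len(parts) == 4 or parts[4] == "any" else int(parts[4])
    return Rule(parts[0], parts[1], _net(parts[2]), _net(parts[3]), port, line)


def audit(lines: Iterable[str], trusted: Iterable[str] = ("10.0.0.0/8",)) -> List[Finding]:
    """Evaluate rules top to bottom, as a firewall would, and report problems."""
    rules = [parse_rule(line) for line in lines]
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings: List[Finding] = []
    for n, rule in enumerate(rules, start=1):
        # A rule fully covered by an earlier one is never evaluated. A shadowed
        # final "deny ip any any" means the policy is effectively wide open.
        for m, earlier in enumerate(rules[: n - 1], start=1):
            if earlier.covers(rule):
                findings.append(("info", n, f"shadowed by rule {m}, never evaluated"))
                break
        if rule.action != "permit":
            continue
        untrusted_src = not any(rule.src.subnet_of(t) for t in trusted_nets)
        if rule.src == ANY and rule.dst == ANY and rule.port is None:
            findings.append(("high", n, "permits all traffic from anywhere to anywhere"))
        elif untrusted_src and rule.port in NETBIOS_SMB_PORTS:
            findings.append(("high", n, f"exposes NetBIOS/SMB port {rule.port} to untrusted sources"))
        elif untrusted_src and rule.port in CLEARTEXT_ADMIN_PORTS:
            findings.append(("medium", n, f"cleartext admin protocol on port {rule.port} from untrusted sources"))
        elif untrusted_src and rule.port is None and rule.proto != "icmp":
            findings.append(("medium", n, "no destination port restriction from untrusted sources"))
    return findings


# Constructed sample rule base showing typical drift.
RULES = [
    "permit tcp any 10.1.0.0/16 443",
    "permit tcp any 10.1.0.0/16 80",
    "permit tcp 203.0.113.0/24 10.1.5.0/24 23",   # partner Telnet, never retired
    "permit tcp any 10.1.5.10/32 139",            # NetBIOS session from anywhere
    "permit ip any any",                          # "temporary" troubleshooting rule
    "permit tcp any 10.1.5.10/32 443",            # dead: shadowed by the rule above
    "deny ip any any",                            # dead for the same reason
]

if __name__ == "__main__":
    for severity, number, message in audit(RULES):
        print(f"{severity:6} rule {number}: {RULES[number - 1]!r}: {message}")
```

Run it against the constructed set and the two shadowed rules at the bottom are the interesting output: the deny-all that everyone assumes closes the policy is unreachable because of the forgotten permit above it.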

Times are changing and information security must change with them. Endpoint security comes down to knowing what your perimeter is, knowing what your risks are and defending against them. When managed effectively, your firewall, antivirus and patch management products will help you do that.

About the Author: Ben Rothke, CISSP, is a New-York based security consultant with ThruPoint Inc. and the author of Computer Security: 20 Things Every Employee Should Know. He can be reached at brothke@thrupoint.net.

Painful patching: How to lock down networked devices
26 Apr 2005 | Brien M. Posey | SearchWindowsSecurity.com

What you will learn from this tip: Options for patching endpoints in heterogeneous environments.

Given the fact that almost all networks are connected to the Internet nowadays, your one hope of staying secure is to constantly patch all machines on the network with the latest vulnerability fixes. This may not be a big deal in environments consisting only of Windows 2003 servers and Windows XP workstations, for which you can simply use Microsoft's Software Update Services (SUS), System Management Server (SMS) or any number of third-party tools for patch updates. However, if your computers are running non-Microsoft operating systems or non-PC devices, or if your VPN allows connections by computers not controlled by your company, keeping everything up-to-date on your network becomes much more complex -- although not impossible. Comprehensive patch management for heterogeneous environments is considerably more difficult and more expensive than homogenous environments, but there are ways to manage patches in such environments. In the sections below, I discuss some of your options in difficult patch management situations.

Patching networked devices
Many people don't realize it, but networked non-PC devices, such as personal digital assistants (PDAs), can pose a significant threat to your network's security. Of all the PDAs you see people using in your company, how many of those PDAs does your company own and maintain? People often bring PDAs into the workplace running an out-of-the-box configuration and attach them to the network. Although PDA-based exploits aren't as common as PC-based exploits, there are, nevertheless, documented cases where Trojans were found running on PDAs. Unless you control PDA usage in your company, you could be exposing your network and the data it contains to exploits. The best way I know to counter such threats is to establish a policy mandating that only PDAs issued by the company are allowed to be connected to the corporate network or to computers belonging to the company. Once you control all of the PDAs used throughout the company, you can focus on patch management.

An easy way to patch your mobile devices is to make sure they are running Windows CE 4.2 or higher or Windows Mobile 2003 or higher. You can then use the SMS 2003 Device Management Feature Pack to manage mobile devices exactly as you would computers on your network. SMS can discover mobile devices and automatically deploy patches to them.

Patching heterogeneous operating systems
Keeping heterogeneous operating systems patched is more difficult than keeping a purely Windows environment patched. Doing so requires third-party software. There are lots of patch-management solutions out there, but the best choice for your organization will depend greatly on the operating systems being used and on your budget. For organizations running only Windows and Linux operating systems, I like GFI Software Limited's LANguard Network Security Scanner because it's reasonably priced, it does a good job, and it's easy to use. If you require a more comprehensive patch-management solution, check out Citadel Security Software Inc.'s Hercules. I have never actually used this product, so I can't tell you how good it is, but it exemplifies a tool that can patch Windows, Solaris, HP-UX, AIX, Linux and Mac OSX.

Patching remote computers not controlled by your company
Unpatched computers passing through corporate VPNs have proved particularly troublesome for some time now. There is a solution built into Windows Server 2003, but it can be extremely difficult to use. The solution is called Network Access Quarantine Control, which places a machine in a quarantined environment when it connects to your network. At that point, you run a query to make sure the operating system has all of the latest patches and the remote system is running an approved antivirus program with up-to-date virus definitions. If everything checks out, the PC is allowed to connect to the network. If the machine does not meet all of the requirements set forth by the corporate security policy, the patches are either applied on the spot or the connection is severed (your choice). As I mentioned, though, the big problem with quarantine mode is that you practically need a doctorate in computer science to configure it -- it is script intensive. However, rumor has it that Microsoft will greatly simplify quarantine mode in Windows Server 2003 R2, to be released later this year. The company also plans to change the name to Network Access Protection (NAP).

About the Author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
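Both the NAC model in Rothke's "Network device compliance" article (agent reports state, the network decides allow or quarantine, no agent means a default policy) and the quarantine-mode check Posey describes above (patches and approved, current antivirus, then admit or sever) reduce to the same decision procedure. The Python below is an added example of that procedure, written here for illustration; it is not Cisco's, Microsoft's or any vendor's code, and the report fields, policy values, VLAN numbers, patch names and sample posture reports are all invented.

```python
"""Posture evaluation and admission decision, NAC / quarantine-mode style.

Added example, not vendor code. Report fields, policy values, VLAN numbers,
patch identifiers and sample reports are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional

PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999    # assumed: reaches only patch and AV update servers


@dataclass(frozen=True)
class Policy:
    required_patches: FrozenSet[str]
    approved_av: FrozenSet[str]
    max_definition_age_days: int
    require_firewall: bool = True


@dataclass(frozen=True)
class Posture:
    """What the agent (or the logon script in quarantine mode) reports."""
    host: str
    agent_present: bool = True
    os_patches: FrozenSet[str] = frozenset()
    av_product: str = ""
    av_definitions: Optional[date] = None
    firewall_enabled: bool = False


@dataclass
class Decision:
    verdict: str                    # "allow", "quarantine" or "deny"
    vlan: Optional[int]             # None means no network access at all
    remediation: List[str] = field(default_factory=list)


def _fail(verdict: str, todo: List[str]) -> Decision:
    if verdict == "quarantine":
        return Decision("quarantine", QUARANTINE_VLAN, todo)
    return Decision("deny", None, todo)


def evaluate(posture: Posture, policy: Policy, today: date,
             agentless_default: str = "deny",
             on_noncompliant: str = "quarantine") -> Decision:
    """Compare a posture report with policy and return the admission decision."""
    if not posture.agent_present:
        # No agent means no evidence: a default policy applies, not a check.
        return _fail(agentless_default, ["install the posture agent"])

    todo: List[str] = []
    for patch in sorted(policy.required_patches - posture.os_patches):
        todo.append(f"install patch {patch}")
    if posture.av_product not in policy.approved_av:
        todo.append("install an approved antivirus product")
    elif posture.av_definitions is None:
        todo.append("update antivirus definitions (none reported)")
    else:
        age = (today - posture.av_definitions).days
        if age > policy.max_definition_age_days:
            todo.append(f"update antivirus definitions ({age} days old)")
    if policy.require_firewall and not posture.firewall_enabled:
        todo.append("enable the personal firewall")

    if not todo:
        return Decision("allow", PRODUCTION_VLAN)
    # Noncompliant: park it where it can only fetch what it is missing,
    # or sever the connection if the site policy says so.
    return _fail(on_noncompliant, todo)


# Constructed policy and sample reports.
POLICY = Policy(required_patches=frozenset({"patch-2004-04", "patch-2004-05"}),
                approved_av=frozenset({"ExampleAV"}),
                max_definition_age_days=7)
TODAY = date(2005, 4, 26)
COMPLIANT = Posture("laptop-01", os_patches=frozenset({"patch-2004-04", "patch-2004-05"}),
                    av_product="ExampleAV", av_definitions=date(2005, 4, 25),
                    firewall_enabled=True)
STALE = Posture("laptop-02", os_patches=frozenset({"patch-2004-04"}),
                av_product="ExampleAV", av_definitions=date(2005, 4, 1),
                firewall_enabled=True)
NO_AGENT = Posture("visitor-pc", agent_present=False)

if __name__ == "__main__":
    for report in (COMPLIANT, STALE, NO_AGENT):
        d = evaluate(report, POLICY, TODAY)
        print(report.host, d.verdict, d.vlan, d.remediation)
```

The remediation list is the part worth keeping in a real deployment: a quarantine VLAN is only useful if the host parked in it is told exactly what to fetch, and if the patch and definition servers are the only things reachable from that VLAN.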

The key to locking out mobile threats
4 Apr 2005 | Brien M. Posey | SearchWindowsSecurity.com

Mobile devices today are so commonplace that few people pay much mind to them, but mobile devices can pose threats to your network that must not be ignored. The fact that many people do not think of mobile devices as security concerns is a major issue. Here I'll explain how they can harm your network and what you can do to prevent exploits.

New storage features call for greater precautions
Mobile devices can threaten your network by allowing hackers to haul away sensitive data or letting malicious freeloaders into your space. Let me explain. PDAs have a much greater storage capacity now than they previously had, in a sense acting as portable hard drives. Since many mobile devices attach to PCs through a Universal Serial Bus (USB) or Firewire port, an unhappy user or unknown intruder who connects a PDA to an office PC could potentially copy sensitive files from the network to the PDA and walk right out the door with them. He could also use a PDA to bring in virus-infected files, whether it be intentional or accidental, or to copy and install a small application on an office workstation.

These days, viruses and Trojans are specifically designed to attack mobile devices. This becomes a problem when a device is used to connect to a corporate network over a VPN, Wi-Fi or dial-up link. If a mobile device is infected with a keystroke logger, access credentials to the network can be stolen and transmitted to a server on the Internet, compromising a user's authentication credentials for potential hack attempts.

Locking down mobile devices
To protect your Windows network from mobile threats, create a corporate policy that bans the use of privately-owned mobile devices. If anyone in the company has a legitimate need for a mobile device, it will be the company's responsibility to provide that device. This will cost the company some money up front, but I believe the benefits outweigh the cost. The first benefit is that you know exactly who is authorized to use mobile devices, and you can take steps to prevent anyone else from attaching a mobile device to the network. For instance, try a product like GFI Software Ltd.'s Portable Storage Control to prevent users from attaching mobile devices or any other portable storage device to their PCs. Company ownership of mobile devices also enables you to dictate what must be running on the devices, insuring the devices are used properly. Insist that the mobile device is running all of the latest patches and the latest antivirus definitions (yes, there are antivirus programs for mobile devices). Check for unauthorized mobile applications, such as hacker tools, and anything else that might compromise security.

Following those steps should greatly increase mobile device security in your organization, but I also recommend occasionally performing random device audits. People tend to have a personal attachment to their mobile devices and might be reluctant to allow the IT department to inspect them. Remember though that the device is company property, and you have the right to inspect it anytime you feel like it.

Mobile devices pose one additional risk. If a user has passwords cached within the device, whoever finds it can instantly access your network using that information, which is what could happen if the device were lost or stolen. Insist that mobile device users have power-on passwords (if supported), and prevent them from caching passwords for connecting to your network. Some users have been known to create text files of passwords, ATM PINs and other highly sensitive information. Make it clear to your users that such files are a very bad idea.

As you can see, mobile devices can easily threaten the integrity and security of your network unless they are properly secured.

About the Author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

Tips for securing iPods in the enterprise
28 Dec 2005 | Joel Dubin | SearchSecurity.com

Any external storage device connected to a desktop can be a security risk. This includes USB keys, flash drives, zip drives – you name it. If it can be attached to a USB port, it can hold and move data. iPods fit neatly into this category and in most cases should be prohibited in the enterprise. iPods can hold up to 30 GB of photos, music, MP3s, videos and movies, as well as any other ordinary data or file type. While they can take -- or steal -- data from the network, the Internet or anything else, they can also introduce spyware and malware into the network. As they become more sophisticated, more software becomes available for them.

Generally speaking, iPods have no business purpose and shouldn't be allowed to be connected to your employees' desktops. But, despite the security risks, there are some exceptions. A project manager may want to use iPods to distribute diagrams too large to send as email attachments to team members. So, too, a company may want to consider using podcasts for disseminating information to its employees.

An innovative business use for iPods was recently developed at a hospital in Geneva. A professor developed software that allows doctors to store and view medical images on their iPods. Using Apple iChat, several doctors in far flung departments on the same case can look at the images remotely from their iPods and compare notes simultaneously. The system has saved the hospital the cost of more expensive equipment for medical imaging and storage.

How do you balance the potential security risk with the potential convenience of iPods and podcasts? Here are some suggestions.

• Restrict the use of iPods to specific projects. Only employees working on the project with a specific need should be granted access. Their use should be approved in writing by the information security department for each employee requiring them. Exemptions should only be made on a per-project basis and not entitle the employee to unlimited use of their iPod or to connect to the network after the project is complete. This should be written into your information security policy.
• USB ports should be shut off for those users who do not need to connect to the network. This can be done at the BIOS level, or on Windows machines through the Device Manager, the Group Policy editor or through registry key settings locked down on the enterprise build of the desktop distributed to your employees. Of these, only a domain Group Policy setting is re-applied automatically; a Device Manager or registry change made on an individual machine can be undone by anyone with local administrator rights.
• Dedicated file servers should host podcasts or other data to be shared by iPods. Access should be logged and monitored for unauthorized or malicious use.
• iPods must be scanned by antivirus and antispyware software before connecting to the network. iPods should also be hardened with unneeded services turned off.
• Only software pre-approved and reviewed by information security should be allowed for use on iPods. Most sane information security policies prohibit employees from downloading software willy-nilly directly off the Web. Apple iTunes is an example of another repository for iPod enthusiasts. iTunes must be downloaded to the desktop that will be connecting to the iPod. By itself, iTunes is a harmless music store, but is it necessary in the office? Apple this year also released a patch for a flaw in iTunes that allowed a hacker to remotely gain control of a user's desktop. For this reason alone, iTunes wouldn't be allowed on most corporate desktops.

About the Author: Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of The Little Black Book of Computer Security available on Amazon.

DMZs, LANs and VLANs

Glossary Definition: DMZ
SearchSecurity.com

In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. (The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN "police action" in the early 1950s.) A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.

In a typical DMZ configuration for a small company, a separate computer (or host in network terms) receives requests from users within the private network for access to Web sites or other companies accessible on the public network. The DMZ host then initiates sessions for these requests on the public network. However, the DMZ host is not able to initiate a session back into the private network. It can only forward packets that have already been requested. Users of the public network outside the company can access only the DMZ host. The DMZ may typically also have the company's Web pages so these could be served to the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the Web pages might be corrupted but no other company information would be exposed. Cisco, the leading maker of routers, is one company that sells products designed for setting up a DMZ.

Glossary definition: VLAN
SearchSecurity.com

A virtual (or logical) LAN is a local area network with a definition that maps workstations on some other basis than geographic location (for example, by department, type of user, or primary application). The virtual LAN controller can change or add workstations and manage load-balancing and bandwidth allocation more easily than with a physical picture of the LAN. Network management software keeps track of relating the virtual picture of the local area network with the actual physical picture. VLANs are considered likely to be used with campus environment networks. Among companies likely to provide products with VLAN support are Cisco, Bay Networks, and 3Com. The VLAN standard that was ultimately ratified is IEEE 802.1Q (frame tagging); the proposed standard referenced in older definitions, IEEE 802.10, was a LAN security header that some vendors reused for VLAN tagging before 802.1Q existed.

Book chapter: Secure LAN switching
Saadat Malik | Cisco Press | SearchSecurity.com

This excerpt is from Chapter 5, Secure LAN Switching, of "Network Security Principles & Practices," written by Saadat Malik and published by Cisco Press.

Security on the LAN is important because some security threats can be initiated on Layer 2 rather than at Layer 3 and above. An example of one such attack is one in which a compromised server on a DMZ LAN is used to connect to another server on the same segment despite access control lists on the firewall connected on the DMZ. Because the connection occurs at Layer 2, this type of access attempt cannot be blocked without suitable measures to restrict traffic on this layer. In order to provide comprehensive security on a network, it is important to take the concept of security to the last step and ensure that the Layer 2 devices such as the switches that manage the LANs are also operating in a secure manner.

It is important to have a good understanding of what VLANs are. VLANs are a logical grouping of devices that might or might not be physically located close to each other. As such, VLANs lend themselves to providing segregation between logical workgroups. This is a first step toward segregating portions of the network needing more security from portions needing lesser security. Although devices on a particular VLAN cannot access devices on another VLAN unless specific mechanisms for doing so (such as trunking or a device routing between the VLANs) are set up, VLAN protocols are not constructed with security as the primary motivator behind them. The protocols that are used to establish VLANs can be compromised rather easily from a security perspective and allow loopholes into the network. Generally, VLANs should not be used as the sole mechanism for providing security to a particular group of devices on a VLAN; other mechanisms such as those discussed next should be used to secure them.

This chapter focuses on the Cisco Catalyst 5000/5500 series switches; similar concepts can be implemented in other types of switches (such as the 1900, 2900, 3000 and 4000 series switches) as well. We will discuss private VLANs in the context of the 6000 series switches.

General switch and layer 2 security
Some of the basic rules to keep in mind when setting up a secure Layer 2 switching environment are as follows:

• VLANs should be set up in ways that clearly separate the network's various logical components from each other.
• If some ports are not being used, it is prudent to turn them off as well as place them in a special VLAN used to collect unused ports. This VLAN should have no Layer 3 access.
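The rules in this excerpt (segregate VLANs, shut unused ports and park them in a dead VLAN with no Layer 3 interface, disable trunk negotiation where no trunk is wanted, and keep trunk native VLAN IDs off access ports) are all visible in a switch's configuration, so they can be audited rather than trusted. The script below is an added example and is not from the book; it assumes IOS "switchport ..." syntax (the Catalyst 5000/5500 the chapter discusses run CatOS, whose commands differ), an assumed parking VLAN number of 999, and a constructed sample configuration that contains one violation of each rule.

```python
"""Audit an IOS-style switch configuration against the chapter's Layer 2 rules.

Added example, not from the book. IOS syntax, the parking VLAN number and the
sample configuration are assumptions made here for illustration.
"""
from typing import Dict, List, Optional, Tuple

PARKING_VLAN = 999                   # assumed: VLAN reserved for unused ports
Finding = Tuple[str, str, str]       # (severity, interface, message)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its stripped configuration lines."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None                       # '!' closes a stanza in IOS
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def _setting(lines: List[str], prefix: str, default: Optional[str] = None) -> Optional[str]:
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default


def audit_switch(config: str, parking_vlan: int = PARKING_VLAN) -> List[Finding]:
    stanzas = parse_interfaces(config)
    findings: List[Finding] = []
    access_vlans: Dict[int, List[str]] = {}     # VLAN -> non-trunk ports using it
    trunks: List[Tuple[str, int, Optional[str]]] = []

    for name, lines in stanzas.items():
        if name.lower().startswith("vlan"):
            continue                             # SVIs are checked after the loop
        mode = _setting(lines, "switchport mode ")           # None = IOS default (dynamic)
        vlan = int(_setting(lines, "switchport access vlan ", "1"))
        shut = "shutdown" in lines
        nonegotiate = "switchport nonegotiate" in lines

        if mode != "trunk":
            access_vlans.setdefault(vlan, []).append(name)
        if shut:
            if vlan != parking_vlan:
                findings.append(("high", name, f"shut down but still in VLAN {vlan}; park it in VLAN {parking_vlan}"))
            continue                             # a shut port negotiates nothing
        if vlan == parking_vlan:
            findings.append(("high", name, "active port sits in the parking VLAN"))
        if mode in (None, "dynamic auto", "dynamic desirable"):
            # DTP will happily form a trunk with a host that speaks it.
            findings.append(("high", name, "DTP can negotiate a trunk; set switchport mode access and switchport nonegotiate"))
        elif not nonegotiate:
            findings.append(("low", name, f"{mode} port still exchanges DTP frames; add switchport nonegotiate"))
        if mode == "trunk":
            native = int(_setting(lines, "switchport trunk native vlan ", "1"))
            trunks.append((name, native, _setting(lines, "switchport trunk allowed vlan ")))

    for name, native, allowed in trunks:
        if native in access_vlans:
            users = ", ".join(access_vlans[native])
            findings.append(("high", name, f"native VLAN {native} is also the access VLAN of {users}; "
                                           "untagged frames on the trunk land there, use a dedicated unused VLAN"))
        if allowed is None:
            findings.append(("medium", name, "trunk carries every VLAN; prune it with switchport trunk allowed vlan"))

    if f"vlan{parking_vlan}" in (n.lower() for n in stanzas):
        findings.append(("high", f"Vlan{parking_vlan}", "parking VLAN has a Layer 3 interface; it should have none"))
    return findings


# Constructed sample: one port is clean, the rest each break one rule.
SAMPLE_CONFIG = """
interface FastEthernet0/1
 description user workstation, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 description user workstation, DTP left at its default
 switchport access vlan 10
!
interface FastEthernet0/3
 description unused, shut but not parked
 shutdown
!
interface FastEthernet0/4
 description unused, parked
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/1
 description uplink, native VLAN shared with user ports
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface Vlan999
 ip address 10.99.99.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for severity, iface, message in audit_switch(SAMPLE_CONFIG):
        print(f"{severity:6} {iface}: {message}")
```

The native VLAN check is the one most often missed in practice: a trunk whose native VLAN is also a user VLAN lets an attacker on that VLAN reach any VLAN the trunk carries by double-tagging frames, which is exactly the VLAN hop the chapter warns about.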

The discussion in this chapter revolves around the use of Catalyst 5xxx and 6xxx switches. The same principles can be applied to setting up security on other types of switches.

• Because VLANs are not a security feature, it is important to make sure that trunking does not become a security risk in the switching environment. An attacker can use trunking to hop from one VLAN to another. The attacker can do this by pretending to be another switch with ISL or 802.1q signaling along with Dynamic Trunking Protocol (DTP). This allows the attacker's machine to become a part of all the VLANs on the switch being attacked. Ports that do not require trunking should have trunking disabled. It is generally a good idea to turn DTP off on all ports not being used for trunking.
• Trunk native VLAN IDs should not belong to a VLAN that is in use anywhere else on the switched network. It's also a good idea to use dedicated VLAN IDs for all trunks rather than using VLAN IDs that are also being used for nontrunking ports. Sharing them can erroneously allow packets from the trunk port to reach other ports located in the same VLAN.
• Generally, devices at different security levels should be isolated on separate Layer 2 devices. For example, two separate switches should be used for the secure and insecure sides of the firewall. Unless it is critical, having the same switch chassis on both the inside and outside of a firewall is not recommended.
• Layer 3 connectivity such as Telnets and HTTP connections to a Layer 2 switch should be restricted and very limited.

Generally, it is difficult to protect against attacks launched from hosts sitting on a LAN. These hosts are often considered trusted entities. As such, if one of these hosts is used to launch an attack, it becomes difficult to stop it. Therefore, it is important to make sure that access to the LAN is secured and is provided only to trusted people. Some of the features we will discuss in the upcoming sections show you ways to further secure the switching environment.

How to protect a LAN from unauthorized access
What steps should I take to use filters to protect a LAN from unauthorized access?
QUESTION POSED ON: 04 November 2005
QUESTION ANSWERED BY: Joel Dubin, CISSP

The first, and easiest, way to protect a LAN is to put it in a separate subnet behind its own gateway router or firewall. This segregates the LAN from other networks and makes it easier to tune any gateways into it through hubs, switches or routers.

I have more than 1. Security must be addressed as a layered approach. Similarly. Then SearchSecurity.com Copyright TechTarget 2006 38 . But it will do so securely since it's only accepting the traffic from the accepted gateway and not the Internet directly. databases or any other data that is critical to your company in this zone. etc) put them in another network off the DMZ. And. About the Author: Joel Dubin. is to simply shut off port 139 on the gateway router. Now. This prevents a malicious user from trying to map a drive to the LAN. partners and application servers with different levels of access. I always recommend firewalls at both sides of the DMZ and IDS systems external -. Each workstation can also be configured to only accept traffic from specific IP addresses. files. of course. QUESTION POSED ON: 08 January 2004 QUESTION ANSWERED BY: Ed Yakabovicz. If the LAN accesses the Internet through the gateway.com Typically the DMZ is designed as the first stop into any company that is connected to the Internet. tune your firewalls. He specializes in Web and application security and is the author of The Little Black Book of Computer Security available on Amazon. The IP filtering feature can be set to only accept traffic from those IP addresses. If FTP or Telnet isn't needed. This prevents some bad guy from trying to directly map a drive to the workstations inside the LAN by using the NetBIOS name of the computer over a TCP/IP connection from outside the LAN. Every LAN has a range of internal IP addresses assigned by whoever set up the LAN. both at the gateway and on the individual hosts. Do not place any email. 443 to the DMZ. This separates other internal systems from the external and provides a layered approach. Designing DMZs with various levels of access I need some information on designing DMZs for my local users. CISSP. filter them out. create a network subnet with only those devices.one in the DMZ. But might that block Internet access? 
Not necessarily.The next simplest step. Place servers that you connect for authentication. I appreciate any guidance. SearchSecurity. customers. whose IP is in the network's range of accepted IP addresses. anyone needing to access say email or other data (shares. So a router only letting in say port 80.100 workstations on my LAN. at least for a Windows network. one in the Database zone and others more or less in all zones. The first step is to filter all traffic before it enters the DMZ. then the LAN will still be able to connect to the Internet. turn off NetBIOS over TCP/IP on the workstations within the LAN. to only accept needed TCP protocols. too. Now when these devices connect back through the DMZ to say a database zone. is an independent computer security consultant based in Chicago. and I want to define different levels of access for local users.

Using 802.1X to control physical access to LANs
29 Dec 2005 | Michael Cobb | SearchSecurity.com

Network security would be so much easier if you could control which physical computers were allowed to join your network. It would mean a hacker would have to gain physical access to a particular computer before they could even start to attack your network. One technology used to control admission of computers into a network is 802.1X, a port-based access control. It is mainly used on wireless networks but is increasing in popularity as an access control method on wired networks too.

The simplest form of this control is MAC address filtering: any machine whose network adapter MAC address does not match an entry in the account database is not permitted access to the network. Unfortunately, MAC addresses, like IP addresses, can be spoofed. This creates the possibility of a man-in-the-middle attack, albeit a sophisticated one. To prevent this type of attack, 802.1X should be combined with an Extensible Authentication Protocol (EAP) method that authenticates the client to the network and the network to the client, so that a rogue switch or access point cannot impersonate the network.

802.1X is one way of preventing entry to your network, but once it authenticates the connection it assumes all traffic over the connection is legitimate; the decision is per port, not per packet. So, to really solve the problem of rogue machines, each computer needs to protect itself from the other computers on the network. 802.1X should also be used in conjunction with IPSec, which provides end-to-end authentication and encryption between hosts on a network.

Looking ahead to the release of Microsoft Windows Vista/Longhorn, it's understood that they will include Network Access Protection (NAP), which isolates and denies network access to non-compliant devices. This feature will allow you to protect your network from unhealthy computers by enforcing compliance with network health policies. This is similar to Cisco's Network Admission Control (NAC). While NAP and NAC play a different role from 802.1X in controlling network connections, they will certainly go a long way to ensuring trusted computers on the network stay that way.

About the Author: Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.
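The exchange described above, as an added example that is not part of the original tip: a minimal model of an 802.1X authenticator port and the EAPOL/EAP frames it gates on. The frame layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP); the MAC addresses and frames are constructed inline, and the EAP server's verdict is passed in as an assumed hook rather than a real RADIUS exchange. The run shows the point the tip makes: before EAP-Success nothing but EAPOL passes, after it everything on the port passes, including frames from a second device behind the same port.

```python
"""Added example (not from the article): an 802.1X authenticator port model.
Layouts follow IEEE 802.1X (EAPOL) and RFC 3748 (EAP); frames are constructed."""
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # EAPOL destination MAC

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
EAP_TYPE_IDENTITY = 1


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) type-data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src_mac, eapol_type, payload=b""):
    """Ethernet II frame to the PAE group address carrying an EAPOL PDU (version 2)."""
    eapol = struct.pack("!BBH", 2, eapol_type, len(payload)) + payload
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def data_frame(src_mac, dst_mac=bytes(6)):
    """Any non-EAPOL frame (here a stub IPv4 packet); the payload is irrelevant."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + bytes(19)


def parse_frame(frame):
    """Return (src_mac, ethertype, eapol_type, eap_code); EAPOL fields are None otherwise."""
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return src, ethertype, None, None
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    eap_code = body[0] if eapol_type == EAPOL_EAP_PACKET and body else None
    return src, ethertype, eapol_type, eap_code


class AuthenticatorPort:
    """A switch port: only EAPOL passes until the EAP server returns Success."""

    def __init__(self):
        self.authorized = False

    def ingress(self, frame, eap_server_verdict=None):
        """Return 'forward', 'drop' or 'eap' for a frame arriving on this port.
        eap_server_verdict stands in for the RADIUS/EAP server's answer (assumed hook)."""
        src, ethertype, eapol_type, eap_code = parse_frame(frame)
        if ethertype != ETHERTYPE_EAPOL:
            # Port-based control: once authorized, every frame on the port is
            # forwarded whatever its source MAC. That is the gap IPsec closes.
            return "forward" if self.authorized else "drop"
        if eapol_type == EAPOL_LOGOFF:
            self.authorized = False
        elif eapol_type == EAPOL_EAP_PACKET and eap_code == EAP_RESPONSE:
            # The EAP method rounds are collapsed into a single server verdict here.
            if eap_server_verdict == EAP_SUCCESS:
                self.authorized = True
            elif eap_server_verdict == EAP_FAILURE:
                self.authorized = False
        return "eap"


def run_exchange():
    """Play the canonical exchange and return the port's decision for each frame."""
    supplicant = bytes.fromhex("001122334455")     # constructed MACs
    authenticator = bytes.fromhex("aabbccddeeff")
    hub_neighbour = bytes.fromhex("66778899aabb")  # second device behind the same port
    port = AuthenticatorPort()
    decisions = [port.ingress(data_frame(supplicant))]                 # before auth: drop
    decisions.append(port.ingress(eapol_frame(supplicant, EAPOL_START)))
    # Authenticator -> supplicant: EAP-Request/Identity (egress, parsed for completeness)
    request = eapol_frame(authenticator, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    assert parse_frame(request)[3] == EAP_REQUEST
    response = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")
    decisions.append(port.ingress(eapol_frame(supplicant, EAPOL_EAP_PACKET, response),
                                  eap_server_verdict=EAP_SUCCESS))
    decisions.append(port.ingress(data_frame(supplicant)))             # now forwarded
    decisions.append(port.ingress(data_frame(hub_neighbour)))          # also forwarded
    decisions.append(port.ingress(eapol_frame(supplicant, EAPOL_LOGOFF)))
    decisions.append(port.ingress(data_frame(supplicant)))             # back to drop
    return decisions


if __name__ == "__main__":
    print(run_exchange())
```

The fifth decision is the one to notice: the neighbour never authenticated, yet its frames are forwarded because the port, not the host, is what 802.1X authorized. MAC filtering on top of this only raises the bar to spoofing the supplicant's address, which is why the tip pairs 802.1X with mutual EAP authentication and host-to-host IPsec.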

Life at the edge: Securing the network perimeter, Part 2
5 Jun 2005 | Michael Cobb | SearchSecurity.com

Divide and conquer -- DMZs

A network DMZ separates and isolates a trusted network from an untrusted network by creating screened subnets, or "perimeter networks," along with additional network defenses such as an IDS, strong authentication and encryption. By putting public services in the DMZ, you put them on a different subnet to your internal network. Your Web servers, FTP servers, mail servers and external DNS servers should be placed in this DMZ. Your internal network is where your back-end systems, such as database servers, should be located.

DMZs work because network traffic cannot travel between two network subnets without being routed. Each access point into the DMZ blocks and filters network traffic to only allow activity to or from certain network addresses, over certain ports, to pass through. Any machine placed in the DMZ is still at risk, but if an intruder compromises the DMZ, he does not automatically have access to the internal network. Great care should be taken so that interactions with the DMZ do not expose the internal network.

When ports are opened through a perimeter guarded by a single firewall, the perimeter security is unavoidably weakened. By dividing the system into segments and creating DMZs where only intermediate levels of trust exist, the system has a much greater resistance to successive compromise, thereby protecting the key resources even if other components fail. The barriers between each segment are controlled and screened by firewalls and routers. For the ultimate in DMZ security, place each service on its own DMZ segment, configuring firewall policies to meet the needs of each server.

Network layouts

There are two DMZ network layouts we'll look at. The first, called a triple-homed perimeter network, is suitable for low-budget Web sites that do not connect to a critical internal network. The second is a back-to-back perimeter network, which is required for e-commerce and other mission-critical Web sites.

Triple-homed perimeter network

This topology uses a single firewall to separate the Internet, the perimeter network and the corporate intranet. It is also known as a single-screened subnet because the DMZ is bounded by only a single firewall with three network cards: one connected to the Internet, one to the DMZ and one to the corporate intranet (see figure 1 below). The disadvantage of this network layout is that there is a single point of failure: if an intruder compromises the firewall in this topology, he has access to both the servers in the DMZ and the corporate intranet.

Figure 1: Triple-homed perimeter network.

Note that this topology specifies the use of a secured router between the Internet and the DMZ. Ports on this router should be locked down. Examples of ports that you would typically need open to ensure correct Web server functionality would be port 80 for HTTP and port 443 for HTTPS.

Back-to-back perimeter network

The back-to-back perimeter network topology shown in figure 2 is widely regarded as one of the most secure. The perimeter network is separated from the Internet on one side and from the internal network on the other side by using two firewalls. Each firewall has two network adapters. The external firewall has one network adapter connected to the Internet and the other connected to the perimeter network, while the internal firewall has one network adapter connected to the perimeter network and the other connected to the internal network (see figure 2 below). If an intruder from the Internet compromises the perimeter network, he does not automatically gain access to resources in the internal network. This provides an added layer of protection, as there is another barrier between the intruder and the rest of the network.

Figure 2: A dual screened subnet or back-to-back perimeter network using two firewalls.

Note that there is another secured router separating the network segments that compose the perimeter network. Although locking down this router is not as important as locking down the router connected to the Internet, ensuring that non-essential ports are closed can give additional security.

The outside firewall protects against external attacks and manages all Internet access to the DMZ. The inside firewall manages DMZ access to the internal network. This firewall should have different rules than the firewall facing the Internet: it should only pass inbound traffic from a server in the DMZ that needs to communicate with one of the internal systems, and block everything else. For example, if a Web server communicates with a database via SQL, open TCP ports in the firewall to pass the SQL queries and responses, allowing only inbound application-specific service calls to reach specified systems and preventing unsolicited inbound port 80 Web traffic into the internal network. Security is further enhanced when different makes of firewalls are used on each side of the DMZ: a hacker is less likely to be able to use the same exploit to defeat both systems.

A virtual LAN (VLAN) is a network segment that is logically defined and controlled by a switch that can assign its ports to two or more VLAN segments rather than have all its ports belong to the same physical segment. Although this reduces the cost of purchasing multiple switches, the separation is only a configuration setting: it can be removed, and the security the switch provides can be easily bypassed. When segmenting a network for security purposes, always choose physical segmentation.

VLAN security
29 Mar 2004 | Tom Lancaster | SearchSecurity.com

This week, I wanted to address VLAN security, which, like Ethernet, is a mystery to most people. That may sound like a strange statement, since I'm sure everyone reading this has been using Ethernet for years, but seriously, how many network engineers do you know who could explain Manchester bit encoding or how Fast Link Pulses work? Not very many, and why should they? After all, Ethernet is one of those protocols that "just works." Network administrators don't understand it for the very simple reason that they never have to troubleshoot it.

VLANs are pretty much the same way. Sure, the configuration of a few more advanced topics like VTP and VLAN pruning can give you a mental workout, and of course, nobody likes Spanning-Tree Protocol, but really, when was the last time you really needed to know how your switches implemented VLANs? For the most part, you define a VLAN, assign ports to it, define trunk ports and configure which VLANs can cross them, and it just works, simple as that. But it's precisely this simplicity that can lull you into leaving open a raft of security vulnerabilities.

So as I was checking a few quick facts for this tip, I ran across an @Stake white paper so concise and illuminating, despite being 2 years old, that I decided to just link you to it and offer a quick summary. (http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml) The reason I like this article is because it explains at a high level several ways your network can be attacked at Layer 2 and, in some cases, ways you can fight them or minimize their effect. Many of these aren't nearly as intuitively obvious as the higher-level attacks we witness daily. So here are a few key points to remember when configuring your network:

• VLAN 1 (on Catalyst switches) is the default for both ports and the "Native" VLAN on 802.1Q trunks, which is precisely why you should NEVER use it.
• Don't allow dynamic protocols to talk to untrusted devices. Many administrators don't realize there are a lot of these operating around Layer 2, such as VTP, DTP, CDP, PAgP, UDLD and of course STP.
• If at all possible, authenticate all hosts and/or limit their connectivity. Port Security, 802.1x and Dynamic VLANs are three methods mentioned in this article you can use.

About the Author: Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.

Popular VLAN attacks and how to avoid them
23 May 2005 | Chris Partsenidis | SearchSecurity.com

Configuring three or more switches to support a VLAN and partition a network is a fairly simple and straightforward process; however, ensuring a VLAN can withstand an attack is a different story! It is so simple that many administrators think it's impossible to attack VLANs, which is, of course, absurd. In order to secure a VLAN, you need to know what to protect it from. Here are a few of the most popular attacks against VLANs.

VLAN hopping attacks

The basic VLAN hopping attack is based on the Dynamic Trunking Protocol and, in some cases, the trunking encapsulation protocol (802.1q or ISL). The Dynamic Trunking Protocol is used for negotiating trunking on a link between two switches or devices and the type of trunking encapsulation to be used. Trunk negotiation can be enabled on a switch interface by entering the following command at the interface level (the keyword after dynamic selects whether the port merely answers or actively solicits trunking):

Switch(config-if)#switchport mode dynamic {auto | desirable}

While this feature might ease the process of configuring switches, it hides a serious weakness for your VLAN. A station can easily spoof itself as a switch using 802.1q encapsulation and DTP, thereby creating a trunk link and becoming a member of all VLANs. To avoid possible VLAN hopping attacks, do not use dynamic modes at the interface level and configure the link explicitly as a trunk or access type. Thankfully, this vulnerability has been fixed in Cisco's newer IOSes.

Address Resolution Protocol attacks

The Address Resolution Protocol (ARP) attack is popular in the underground world. With ARP attacks, the intruder obtains IP addresses and other statistics about the network he plans to attack, and then uses that information to issue the attack. The intruder floods the network switches with ARP broadcasts, telling the network switches that all, or a range, of IP addresses belong to him, thereby forcing all data packets and conversations to pass through him while he sniffs the data. Available tools can bypass the switch security feature that creates a virtual communication channel between two nodes and prohibits the rest from "listening" to their conversation.

You can avoid this problem by using the port security feature available on most high-end Catalyst switches such as the 4000, 4500, 5000 and 6500 series. Once port security is enabled on a port, you are able to specify the number of MAC addresses or the specific MAC address allowed to connect through the port. The command required to enable this feature is, on CatOS (with the module/port in place of 3/1):

Switch> (enable) set port security 3/1 enable

and on IOS, at the interface level:

Switch(config-if)#switchport port-security

Static ARP should be used for critical routers or hosts such as servers. Lastly, intrusion-detection systems can track and report multiple ARP broadcasts resulting from such attacks.

VLAN Trunking Protocol attack

The VLAN Trunking Protocol (VTP) is a proprietary Cisco protocol designed to make life easy by automatically propagating VLAN information throughout network switches. Its setup involves a VTP server, effectively a switch, in charge of propagating all VLAN information. All switches, minus the VTP server switch, are configured as client switches that are responsible for listening for announcements regarding any VLAN changes made from the VTP server.

The VTP attack involves a station sending VTP messages through the network, advertising that there are no VLANs on the network. Thus, all client VTP switches erase their valid VLAN information databases. This may also occur if a switch is plugged into the network that is configured as a VTP server and contains a VTP configuration revision higher than the existing VTP server. In this case, all switches overwrite their valid information with that obtained from the "new" VTP server.

Thankfully, there are ways to protect a VLAN from this situation. Either disable VTP altogether (not advised for a large network with more than five switches) or use MD5 authentication for all VTP messages, to ensure no VTP message is processed by the client switches if the password contained in the message is not correct. The commands used to set the VTP domain and password are:

Switch#vlan database
Switch(vlan)#vtp domain <domain-name>
Switch(vlan)#vtp password <password>
Switch(vlan)#apply
Switch(vlan)#exit

Note that the password only keeps out advertisements from switches that do not know it; a switch that does know the password and carries a higher configuration revision (for example, one brought back from a lab) will still overwrite the database, so reset its revision (changing its VTP domain name does this) before reconnecting it.

If you wish to read up more on VLAN technologies and their associated protocols, you can refer to www.Firewall.cx, where the topic is extensively covered.

About the Author: Chris Partsenidis is the founder and senior editor of www.Firewall.cx, a Web site dedicated to network security and protocol analysis. Chris has a bachelor's degree in Electrical Technology and holds the following IT certifications: Cisco CCNA, Microsoft MCP, Linux LCP, Novell CNA (3.4.5), D-Link Engineer, CompTIA A+ & Network+. You can contact Chris via www.Firewall.cx.

Firewalls
2006 Network Firewall Products of the Year
SearchSecurity.com

NetScreen-5GT and -5XT
Juniper Networks, www.juniper.net

Juniper Networks clearly knew what it was doing when it acquired NetScreen in 2004. Its NetScreen-5GT and -5XT firewall appliances earned consistent "excellent" and "good" responses across the board, earning the gold medal in the network firewall category for two years running. Its integrated security applications, routing protocols and policy-based management features have earned it the top spot among surveyed readers. This family of network security solutions is ideal for locking down enterprises' remote offices, retail outlets and broadband telecommuter environments.

The NetScreen-5GT's and -5XT's stateful packet inspection, signature-based deep inspection threat detection and DDoS protection capabilities stop network- and application-layer attacks. Specifically, the 5GT has embedded network-based AV that scans for viruses in email, Web and file-transfer protocols. Its embedded Trend Micro antivirus engine scans IMAP, SMTP, FTP, POP3 and HTTP mail protocols, and checks against an encyclopedia of more than 80,000 signatures. (It is important to note that the NetScreen-5XT does not support this embedded antivirus gateway scanning.) Their Web filtering options (available from third-party vendor Websense) prevent users from leaking sensitive corporate information, whether deliberately or through spyware/phishing attacks.

The 5GT's and 5XT's embedded IPsec VPN provides Web-based and XAUTH authentication, with third-party support for RADIUS, LDAP and RSA SecurID. The firewalls offer up to 25 concurrent VPN tunnels, an unlimited number of trusted IP addresses and up to 4,000 concurrent sessions. Both the 5GT and 5XT support key routing features -- including BGP, OSPF and ECMP -- and integrate into the network with ease. Dial-backup and dual Ethernet ports support business-critical systems and provide redundancy.

Restricted security zones protect corporate activity and offer a clear separation between authorized and unauthorized business use. The zones also offer delineation between home and office users, allowing employees to access the corporate network through a secure VPN connection (work zone) and maintain their access to the Internet (home zone) through normal connectivity. In addition, the 5GT Wireless appliance also offers support for a wide set of wireless authentication and privacy protocols for 802.11b/g networks.

"We originally selected Juniper because we knew the performance was greater than our previous solution. We had no idea we'd be seeing so many other benefits," says Matthew Gruett, Internet systems specialist for TDS Telecom.

Cisco PIX 500 Series Security Appliances
Cisco Systems, www.cisco.com

It is no surprise that this granddaddy of firewalls continues to draw great user support, getting especially strong ratings for security. Firewall and PIX are synonymous, says one user. "It's what I trust between me and the Internet."

FireWall-1
Check Point Software Technologies, www.checkpoint.com

How to choose a firewall
17 Oct 2005 | Mike Chapple | SearchSecurity.com

There are dozens of firewalls on the market today. Choosing one for your organization can be a daunting task, especially in an industry filled with buzzwords and proprietary trademarks. Let's take a look at the basics of firewall technology and five questions you should ask when choosing a firewall for your organization.

1. Why are you implementing a firewall? Sure, this sounds like a simple question. You're probably thinking to yourself, "Because we need one!" But it's important that you take the time to define the technical objectives that you have for implementing a firewall. These objectives will drive the selection process. You don't want to choose an expensive, feature-rich firewall that's complicated to administer when your technical requirements could be met by a simpler product.

2. How will the firewall fit into your network topology? Will this firewall sit at the perimeter of your corporate network and be directly connected to the Internet, or will it serve to segment a sensitive LAN from the remainder of the organization? How much traffic will it process? How many interfaces will it need to segment your traffic? Performance requirements such as these contribute a significant amount to the total cost of new firewall implementations, making it easy to under- or over-purchase.

3. What type of traffic inspection do you need to perform? This is where the buzzwords start to come into play. Every vendor out there has a different trademark for their traffic-inspection technology, but there are essentially three different options (listed in order of increasing complexity and cost):
• Packet-filtering firewalls use simple rules to eva luate each packet they encounter on its own merits. They maintain no history from packet to packet, and they perform basic packet header inspection. The simplicity of this inspection makes them speed demons. There's a good chance you already own equipment capable of performing packet filtering: your routers!
• Stateful-inspection firewalls go a step further. They track the three-way TCP handshake to ensure that packets claiming to belong to an established session (i.e., the SYN flag is not set) correspond to previous activity seen by the firewall.
• Application-proxy firewalls contain the highest level of intelligence. In addition to stateful inspection, they broker the connection between client and server. The client connects to the firewall, which analyzes the request (including application-layer inspection of packet contents). Requests to open the initial connection are subject to the stateful-inspection firewall rulebase. If the firewall rules indicate that the communication should be allowed, the firewall then establishes a connection with the server and continues to act as an intermediary in the communication. When combined with Network Address Translation, both hosts may not even be aware that the other exists; they both believe they are communicating directly with the firewall.

4. Is your organization better suited for an appliance or a software solution? Appliances are typically much easier to install. You normally just plug in the appropriate Ethernet cables, perform basic network configuration and you're ready to configure your firewall rules. What's the tradeoff? You guessed it! Appliances are more expensive. Software firewalls, on the other hand, can be tricky to install and require tweaking. They're the most inexpensive option, but they are also the least flexible and the most exposed: they lack the security that's often built into the hardened operating systems of firewall appliances.

5. What operating system is best suited for your requirements? Even appliances run an OS and, chances are, you'll need to work with it at some point in your firewall administration career. If you're a Linux jockey, you probably don't want to choose a Windows-based firewall. On the other hand, if you don't know /dev/null from /var/log, you probably want to steer clear of Unix-based solutions.

While I can't recommend a specific firewall to you without knowing your needs, the process of answering these questions can help you solidify your thoughts and put you in the right direction. With these answers in hand, you should be able to intelligently evaluate the cost/benefit tradeoff for the various products available on the market today.

About the Author: Mike Chapple, CISSP, is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
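The difference between the first two options above is easiest to see on the same traffic. The following is an added example, not code from the tip: a stateless packet filter using the classic "established" rule (inbound allowed if ACK is set, which is all a router ACL can see) and a stateful engine that tracks the three-way handshake, run over a constructed packet list. The addresses, ports and the single published service are assumptions for the demo.

```python
"""Added example (not from the tip): stateless packet filter vs. stateful
inspection on the same constructed TCP packets."""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
INSIDE_PREFIX = "10.0.0."          # protected network, constructed for the demo
INBOUND_SERVICES = {80}            # the only port published to the outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def is_syn(self):
        return bool(self.flags & SYN) and not self.flags & ACK

    def is_synack(self):
        return bool(self.flags & SYN) and bool(self.flags & ACK)


def inbound(pkt):
    return not pkt.src.startswith(INSIDE_PREFIX)


def packet_filter(pkt):
    """Stateless: every packet judged on its own header. ACK set is taken to mean
    'reply', so an unsolicited packet with ACK set walks straight through."""
    if not inbound(pkt):
        return "allow"
    if pkt.dport in INBOUND_SERVICES or pkt.flags & ACK:
        return "allow"
    return "deny"


class StatefulFirewall:
    """Tracks TCP connections by 4-tuple (protocol fixed to TCP for brevity)."""

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) as seen from the initiator -> state

    def check(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.is_syn():
            # Only a bare SYN consults the rulebase; everything else must match state.
            if inbound(pkt) and pkt.dport not in INBOUND_SERVICES:
                return "deny"
            self.table[fwd] = "SYN_SENT"
            return "allow"
        if pkt.is_synack():
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECV"
                return "allow"
            return "deny"
        # ACK or data segment: must complete or belong to a tracked connection.
        if self.table.get(fwd) == "SYN_RECV":
            self.table[fwd] = "ESTABLISHED"
            return "allow"
        if "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev)):
            return "allow"
        return "deny"          # no handshake seen: the ACK-probe case


# Constructed traffic: a legitimate HTTPS session from inside, then an outside
# host sending ACK-only packets (as an ACK scan or a forged 'reply' would).
DEMO_PACKETS = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, SYN),
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, SYN | ACK),
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, ACK),
    Packet("198.51.100.7", 31337, "10.0.0.5", 445, ACK),        # unsolicited, ACK set
    Packet("198.51.100.7", 31337, "10.0.0.1", 80, SYN),         # published service
    Packet("198.51.100.7", 31337, "10.0.0.5", 445, SYN),        # unpublished service
]


def compare(packets=DEMO_PACKETS):
    """Return [(packet-filter verdict, stateful verdict), ...] for the traffic."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.check(p)) for p in packets]


if __name__ == "__main__":
    for p, (pf, sf) in zip(DEMO_PACKETS, compare()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} flags={p.flags:#04x} filter={pf} stateful={sf}")
```

The fourth packet is the one that separates the two: the packet filter lets it in because ACK is set, the stateful engine drops it because no SYN from 10.0.0.5 to that host and port was ever seen. A real engine also ages entries out, tracks sequence-number windows and handles UDP and ICMP pseudo-state; none of that changes the principle shown here.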

but is probably not sufficient if you host a Web site or email server. Option 2: Screened subnet The second option.com Copyright TechTarget 2006 49 . offers additional advantages over the bastion host approach. Once someone manages to penetrate that boundary. one of the most common questions is "Where should I place firewalls for maximum effectiveness?" In this tip.) The key factor to keep in mind is that it offers only a single boundary.Choosing the right firewall topology 17 Oct 2005 | Mike Chapple | SearchSecurity.g. Option 1: Bastion host The first and most basic option is the use of a bastion host. they've gained unrestricted (at least from a perimeter protection perspective) access to the protected network. please note that this tip deals with firewall placement only. we'll take a look at the three basic options and analyze the scenarios best suited for each case. This architecture uses a single firewall with three network cards (commonly referred to as a triple homed firewall). Anyone building a perimeter protection strategy should plan to implement a defense-in-depth approach that utilizes multiple security devices including firewalls. Figure 1: Bastion host The bastion host toplogy is well suited for relatively simple networks (e.com When developing a perimeter protection strategy for an organization. An example of this topology is shown in figure 2 below. the firewall is placed between the Internet and the protected network. It filters all traffic entering or leaving the network. Before we get started. In this scenario (shown in figure 1 below). those that don't offer any public Internet services. SearchSecurity. This may be acceptable if you're merely using the firewall to protect a corporate network that is used mainly for surfing the Internet. border routers with packet filtering and intrusion-detection systems. the use of a screened subnet.

Figure 2: Screened subnet

The screened subnet provides a solution that allows organizations to offer services securely to Internet users. Any servers that host public services are placed in the Demilitarized Zone (DMZ), which is separated from both the Internet and the trusted network by the firewall. Therefore, if a malicious user does manage to compromise the firewall, he or she does not have access to the Intranet (providing that the firewall is properly configured).

Option 3: Dual firewalls

The most secure (and most expensive) option is to implement a screened subnet using two firewalls. In this case, the DMZ is placed between the two firewalls, as shown in figure 3 below.

Figure 3: Dual firewalls

The use of two firewalls still allows the organization to offer services to Internet users through the use of a DMZ, but provides an added layer of protection. It's very common for security architects to implement this scheme using firewall technology from two different vendors. This provides an added level of security in the event a malicious individual discovers a software-specific exploitable vulnerability.

Higher-end firewalls allow for some variations on these themes as well. While basic firewall models often have a three-interface limit, higher-end firewalls allow a large number of physical and virtual interfaces. For example, the Sidewinder G2 firewall from Secure Computing allows up to 20 physical interfaces. Additional virtual interfaces may be added through the use of VLAN tagging on the physical interfaces.

What does this mean to you? With a greater number of interfaces, you can implement many different security zones on your network. For example, you might have the following interface configuration:

• Zone 1: Internet
• Zone 2: Restricted workstations
• Zone 3: General workstations
• Zone 4: Public DMZ
• Zone 5: Internal DMZ
• Zone 6: Core servers

This type of architecture allows you to take any of the three topologies described above and add a tremendous degree of flexibility.

That's a brief primer on firewall architectures. We covered the differences between bastion hosts, screened subnets and combining multiple firewalls for maximum security. Now that you're familiar with the basic concepts, you should be able to help select an appropriate architecture for use in various situations.

About the Author: Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

Placing systems in a firewall topology 17 Oct 2005 | Mike Chapple | SearchSecurity.com

In the previous tip we explored the basics of choosing a firewall topology. Once you have decided which topology best suits your IT infrastructure, you need to decide where to place individual systems within the chosen topology. As we discuss this topic, we'll use the concept of security zones to further define our requirements. For our purposes, consider a security zone to be all of the systems connected to a single interface of a firewall – either directly or through network devices other than firewalls.

Bastion host

First, let's look at the simplest case: the bastion host. In this scenario, all traffic entering or leaving the network passes through the firewall and it has only two interfaces: a public interface directly connected to the Internet and a private interface connected to the intranet. This leaves us with two security zones, making it fairly easy to place systems. We simply put all systems that we would like protected in the private zone!

In the case of a bastion host topology, we're assuming that you are not planning to offer any public services to the Internet. In this case, the public zone is directly connected to the Internet and contains no hosts controlled by the organization. The private zone contains systems that Internet users have no business accessing, such as user workstations, internal file servers and other nonpublic applications.

If you do need to offer public services (such as DNS, SMTP or HTTP), you should seriously consider the use of an alternate topology. If that is not possible, you have a difficult decision to face: should you place your public servers in the public or private zone? If you place them in the public zone, they don't gain any protection from the firewall and are more vulnerable to attack. On the other hand, placing them in the private zone raises the possibility that other, more sensitive systems, may be compromised if the public server falls victim to an attack. You need to carefully weigh the risks and benefits when making this decision.

Figure 1: Bastion host

Screened subnet

The screened subnet scenario, the most commonly deployed firewall topology, is also somewhat straightforward. We add an additional zone -- the screened subnet (or DMZ) -- that contains all hosts offering public services. This zone contains your public Web server, SMTP server, DNS servers and other similar systems. Your IMAP/POP server may or may not reside in this zone, depending upon your security policy. The DMZ contains all systems that are intended to provide services to the Internet.

Figure 2: Screened subnet

Multi-homed firewall

The final scenario, a multi-homed firewall with more than three interfaces, poses the most interesting challenge. In this case, you have more than three zones, so you have the luxury of further subdividing systems. You'll need to make these subdivisions based upon the specific security objectives of your organization. One division you might want to make is to place workstations into different zones to provide isolation for sensitive systems. For example, you might place all systems belonging to accounting into one zone, executive workstations in another zone and other workstations in yet a third zone. You also may wish to subdivide systems offering services to the Internet. For example, systems that provide services to the general public (such as a company Web site) may be placed in a different zone than systems that offer services only to authenticated users (such as a Web mail server).

Figure 3: Multi-homed firewall

In the end, the choices are yours to make. Now that you've read this tip, you should have plenty of ideas running through your mind. Sit down and commit them to paper, discuss the options with your colleagues and develop a system placement strategy suitable for your organization.

About the Author: Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

Auditing firewall activity 17 Oct 2005 | Mike Chapple | SearchSecurity.com

In the first three parts of this series, we explored choosing a firewall platform, choosing an appropriate topology, and placing systems within that topology. Once you've made it through the challenging phases of firewall selection and architecture design, you're finished setting up a DMZ, right? Your rulebase should remain stable and you'll never have a need to make configuration changes. We can only dream! In the real world of firewall management, we're faced with balancing a continuous stream of change requests and vendor patches against the operational management of our firewalls.

Configurations change quickly and often, making it difficult to keep on top of routine maintenance tasks. In this tip, we explore some ways to leverage the logging capabilities of your firewall to help keep things in order. Let's take a look at four practical areas where some basic log analysis can provide valuable firewall management data:

1. Monitor rule activity
System administrators tend to be quick on the trigger to ask for new rules, but not quite so eager to let you know when a rule is no longer necessary. Over the years, I've had a chance to analyze the rulebases of many production firewalls, and I estimate that at least 20% of the average firewall's rulebase is unnecessary. I've seen systems where this ratio is as high as 60%. Legacy rules have a way of piling up and adding unnecessary complexity. Monitoring rule activity can provide some valuable insight to assist you with managing the rulebase. If a rule that was once heavily used suddenly goes quiet, you should investigate whether the rule is still needed. If it's no longer necessary, trim it from your rulebase.

2. Rule violations
Looking at traffic denied by your firewall may lead to interesting findings. The most common cause of this activity is a misconfigured system or a user who isn't aware of traffic restrictions, but analysis of rule violations may also uncover attempts at passing malicious traffic through the device. This is especially true for traffic that originates from inside your network.

3. Denied probes
If you've ever analyzed the log of a firewall that's connected to the Internet, you know that it's futile to investigate probes directed at your network from the Internet. They're far too frequent and often represent dead ends. However, you may not have considered analyzing logs for probes originating from inside the trusted network. These are extremely interesting, as they most likely represent either a compromised internal system seeking to scan Internet hosts or an internal user running a scanning tool – both scenarios that merit attention.

4. Traffic flows
Also monitor logs for abnormal traffic patterns. If servers that normally receive a low volume of traffic are suddenly responsible for a significant portion of traffic passing through the firewall (either in total connections or bytes passed), then you have a situation worthy of further investigation. While "flash crowds" are to be expected in some situations (such as a Web server during a period of unusual interest), they are also often signs of misconfigured systems or attacks in progress.

Your firewall audit logs are a veritable goldmine of network security intelligence. Use them to your advantage!

About the Author: Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
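The four checks the tip lists can be run mechanically over a firewall's audit log. The script below is an added example and not the author's code: it reads a constructed, simplified log format (one connection per line: date, action, matched rule, source, destination, port, bytes), which is an assumption of this example rather than any vendor's real format, and applies each of the four checks to it. The trusted network range, rule ids and log lines are all constructed for the example.

```python
"""Four checks over firewall audit logs: rule activity, rule violations,
internal probes and traffic flows (added example; not the tip's own code)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed trusted network; a real deployment would list its own ranges.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample log. Fields: date action rule src dst port bytes.
# DENY lines are matched by the cleanup rule "deny-all".
SAMPLE_LOG = """\
2006-01-10 ALLOW r10 10.1.1.5 203.0.113.10 80 5200
2006-01-10 ALLOW r10 10.1.1.6 203.0.113.11 80 4100
2006-01-10 ALLOW r20 198.51.100.7 10.2.0.10 25 900
2006-01-10 ALLOW r20 198.51.100.8 10.2.0.10 25 1100
2006-01-10 ALLOW r30 198.51.100.9 10.2.0.20 443 880000
2006-01-10 ALLOW r30 198.51.100.12 10.2.0.20 443 910000
2006-01-10 DENY deny-all 10.1.1.77 203.0.113.20 22 0
2006-01-10 DENY deny-all 10.1.1.77 203.0.113.21 22 0
2006-01-10 DENY deny-all 10.1.1.77 203.0.113.22 22 0
2006-01-10 DENY deny-all 10.1.1.77 203.0.113.23 22 0
2006-01-10 DENY deny-all 10.1.1.9 10.2.0.10 445 0
2006-01-10 DENY deny-all 192.0.2.5 10.2.0.20 3389 0
"""
# Constructed rulebase: r40 is configured but never matches anything.
CONFIGURED_RULES = ["r10", "r20", "r30", "r40"]


def parse_log(text):
    """Turn the constructed log text into a list of records."""
    records = []
    for line in text.splitlines():
        date, action, rule, src, dst, port, nbytes = line.split()
        records.append({"date": date, "action": action, "rule": rule,
                        "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst),
                        "port": int(port), "bytes": int(nbytes)})
    return records


def rule_hits(records):
    """1. Rule activity: how often each permit rule matched."""
    return Counter(r["rule"] for r in records if r["action"] == "ALLOW")


def unused_rules(records, configured):
    """Rules in the rulebase that never matched: candidates for trimming."""
    hits = rule_hits(records)
    return [rule for rule in configured if hits[rule] == 0]


def internal_violations(records):
    """2. Rule violations whose source is inside the trusted network."""
    return [r for r in records
            if r["action"] == "DENY" and r["src"] in INTERNAL]


def internal_probes(records, min_targets=3):
    """3. Denied probes from inside: one internal source denied against
    many distinct (destination, port) pairs looks like a scan."""
    targets = defaultdict(set)
    for r in internal_violations(records):
        targets[r["src"]].add((r["dst"], r["port"]))
    return {str(src): len(t) for src, t in targets.items()
            if len(t) >= min_targets}


def traffic_share(records, max_share=0.5):
    """4. Traffic flows: servers carrying more than max_share of all bytes."""
    per_server = Counter()
    for r in records:
        if r["action"] == "ALLOW":
            per_server[str(r["dst"])] += r["bytes"]
    total = sum(per_server.values())
    return {srv: round(b / total, 3) for srv, b in per_server.items()
            if total and b / total > max_share}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unused rules:", unused_rules(recs, CONFIGURED_RULES))
    print("internal violations:", len(internal_violations(recs)))
    print("internal probes:", internal_probes(recs))
    print("servers above 50% of bytes:", traffic_share(recs))
```

On the constructed log the script reports r40 as unused, five denied connections from inside, the host 10.1.1.77 as a probable scanner (four distinct denied targets) and 10.2.0.20 as carrying almost all bytes; in practice the thresholds would be tuned against a baseline period rather than fixed constants.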

Activating an XP firewall on a LAN 10 Oct 2005 | ITKnowledge Exchange | SearchSecurity.com

The following question and answer thread was excerpted from ITKnowledge Exchange.

A user identified as stanslad posted the following question: "We would like to activate an XP firewall in our corporate LAN. However, I've been advised not to do so because activating such a firewall causes complications for LAN-based users. What should we do?"

A user identified as hedgehog advised: "I would enable it first on a small test bed of controlled clients and see how it goes. Keep in mind that, as with most personal firewalls, the WinXP firewall will have some connectivity problems, especially with client-server apps or with those that need to 'ping' the machines to work. You will need to determine which ports/services are in use and open them in the firewalls."

A user identified as gstornelli advised: "On small, well-protected networks, I have used group policy to disable the firewall while the workstation is on the network, and enable the firewall while the workstation is off the network. That way you don't have to deal with apps that are only run while in the office, while protecting the notebook users when they're on the road. We have used this configuration for 6 months now and haven't experienced any adverse reactions."

A user identified as csmric advised: "When I initially deployed SP2 throughout our organization, I enabled an XP firewall and created 'holes' in it as necessary for applications and services. However, as we proceeded, I found more and more LAN-related problems. The Terminal Server users, Tiny, the various antispyware and antivirus solutions we employ became too much to keep up with as I opened more and more holes. Since we use a hardware (PIX) firewall and an ISA Server, I decided to disable the XP firewall on all computers. I would also recommend configuring the laptops so they use the XP firewall. This protects the laptops when the user is not on your LAN."

A user identified as poppaman2 advised: "While I agree that a desktop firewall is a good idea, I disagree that the XPSP2 firewall should be deployed. It is an ingress-only firewall and leaves outgoing data untouched. I suggest, depending upon how much security is needed, something a bit more robust, such as Sygate, Black Ice or Zone Alarm. If you allow laptops into your corporate LAN, a personal firewall should be mandatory on those machines. While having a personal firewall on a desktop is not as critical, they also contribute to your overall security."

A user identified as amigus advised: "I disagree with the notion that an ingress-only firewall is not useful or adequate. In my opinion, there are only two reasons you would want to use egress filtering: 1. You have spyware problems. 2. You want to limit the communications of user-installed applications. With respect to spyware, the user probably has too much privilege. With respect to limiting application network exposure, it's rather difficult because (most of the time) if they can install applications, they can also pass through the firewall using the same privilege they used to install it. Egress filtering usually comes with a significant maintenance burden. Primarily, I believe egress filtering is more trouble than it's worth and for what it's worth, it seems Microsoft agrees. While egress filtering is very useful (and often recommended) on network firewalls it's not that useful on workstations. If you really want egress filtering, implement it on your network firewall. And, again, if you really want to limit the scope of workstation communication, use IPSec. If you're serious about security, spend your time making your network work with unprivileged user accounts, rather than wasting your helpdesk resources configuring cranky firewalls."

Traffic flow considerations for the Cisco PIX Firewall 17 Mar 2005 | Tom Lancaster | SearchSecurity.com

In most small environments, firewalls are deployed in simple, common schemes, such as a firewall with three "legs": one for the Internet, one for the intranet and one for a DMZ. Another common scheme is two firewalls in series, where you have the intranet, a firewall, the DMZ, another firewall and finally the Internet. But as time goes by, things seem to become more complex. Some designs can get fairly contorted, putting firewalls in awkward positions that can compromise your security if you're not careful. For example, another administrator wants to place a server in a zone where it really doesn't belong, and expects you to secure it anyway. Or maybe you want traffic to go in and out of a zone through the same interface. In any event, you need to pay attention to how traffic flows through your firewall.

And this is particularly true of the Cisco PIX Firewall. While it's one of the most highly regarded firewalls, it does have some quirks that may not be obvious to the casual observer. This is because of the way the Adaptive Security Algorithm works. For starters, the ASA sets the default permissions. By default traffic is allowed to pass from an interface with a "higher" security level to a "lower" security level (such as from the Inside (100) to Outside (0) interfaces) but not from lower to higher. However, you may be tempted to override those with access control lists. With that said, you should make sure that the security levels on the interfaces reflect the realities of the traffic that flows through your network.
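The security-level rule just described, together with the multi-zone interface layout from the earlier topology article, can be checked on paper before a design goes on the box. The model below is an added example and not code from either article or from Cisco: it assigns a security level to each zone (a constructed six-zone layout in the spirit of the Zone 1 to Zone 6 list), applies the default higher-to-lower rule, lets an explicit ACL entry override that default, and then reports which permitted flows rely on an override and which of the one-directional features this article lists (SMTP inspection lower to higher, NetBIOS inspection and filtering higher to lower) will not apply to a given flow. The zone names, levels, services and sample flows are assumptions of the example; the feature directions are only the article's own examples and, as it warns, vary by PIX OS version.

```python
"""Security-level flow model for a multi-interface firewall (added example;
not the articles' code and not a Cisco tool)."""
from dataclasses import dataclass, field

# Constructed zone layout. Level 100 is most trusted, 0 is the Internet,
# following the PIX convention the article quotes (Inside 100, Outside 0).
ZONES = {
    "internet": 0,
    "public_dmz": 30,
    "internal_dmz": 50,
    "general_ws": 70,
    "restricted_ws": 80,
    "core_servers": 100,
}

# Direction in which each feature works, as the article describes them:
# "down" = from a higher security level to a lower one, "up" = the reverse.
# These are the article's examples only; check the current PIX OS documentation.
FEATURE_DIRECTION = {
    "smtp_inspection": "up",
    "netbios_inspection": "down",
    "url_filtering": "down",
}

# Which feature a service would normally be expected to benefit from (assumed).
SERVICE_FEATURES = {
    "smtp": ["smtp_inspection"],
    "netbios": ["netbios_inspection"],
    "http": ["url_filtering"],
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str


@dataclass
class Firewall:
    levels: dict
    # Explicit permits that override the default: (src_zone, dst_zone, service).
    acl: set = field(default_factory=set)

    def direction(self, flow):
        s, d = self.levels[flow.src_zone], self.levels[flow.dst_zone]
        if s == d:
            return "same"
        return "down" if s > d else "up"

    def permitted_by_default(self, flow):
        """ASA default: only higher-to-lower traffic passes without an ACL."""
        return self.direction(flow) == "down"

    def permitted(self, flow):
        key = (flow.src_zone, flow.dst_zone, flow.service)
        return self.permitted_by_default(flow) or key in self.acl

    def relies_on_override(self, flow):
        return self.permitted(flow) and not self.permitted_by_default(flow)

    def inspection_gaps(self, flow):
        """Features this flow would want whose working direction does not
        match the flow's direction, so they will not be applied to it."""
        d = self.direction(flow)
        return [f for f in SERVICE_FEATURES.get(flow.service, [])
                if FEATURE_DIRECTION[f] != d]


def verdict(fw, flow):
    """One-line review result for a flow."""
    if not fw.permitted(flow):
        return "denied"
    base = "acl-override" if fw.relies_on_override(flow) else "default-allow"
    gaps = fw.inspection_gaps(flow)
    return base + (", no " + ",".join(gaps) if gaps else "")


def review(fw, flows):
    return [(flow, verdict(fw, flow)) for flow in flows]


if __name__ == "__main__":
    # Constructed design: inbound SMTP to the public DMZ is explicitly permitted.
    fw = Firewall(ZONES, {("internet", "public_dmz", "smtp")})
    for flow, v in review(fw, [
        Flow("core_servers", "internet", "http"),
        Flow("internet", "public_dmz", "smtp"),
        Flow("restricted_ws", "public_dmz", "smtp"),  # a mail server placed "above" its clients
        Flow("internet", "core_servers", "smtp"),
    ]):
        print(f"{flow.src_zone:>14} -> {flow.dst_zone:<14} {flow.service:<8} {v}")
```

The third flow is the case the article warns about: mail from the restricted workstation zone to a relay in the public DMZ is permitted by default because it runs downhill, but SMTP inspection (lower to higher only) never sees it, so the protection is no better than a router ACL for that path.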

So, you can configure the PIX in this manner, and it will block traffic like you configure, but what you need to realize is that you may not be getting the benefit of all the PIX's stateful features, again because of the way the ASA works. Specifically, features like the inspection engines and HTTP(S) and FTP filtering only work in one direction. For example, SMTP inspection is only from lower to higher interfaces, while NetBIOS inspection only applies from higher to lower interfaces. Filtering is only from higher to lower. Thus, you may be paying for and expecting the robust protection of a top-shelf firewall, but designing yourself into a level of protection not much better than ACLs on a regular router. So as a general rule of thumb, don't put any security device into an unconventional situation without some due diligence.

One last caveat: The details of the behavior of these features may change as new versions of the PIX OS are released, so don't rely on my examples above to guide your design. Instead, check it yourself on CCO.

About the Author: Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.

Firewall security tips 28 Oct 2004 | Shelley Bard | SearchSecurity.com

When: When vulnerabilities are identified that apply to your system and whenever patches and upgrades are applied. Examine your guidance policies at least annually.

Why: When your organization's networks are connected to the Internet without adequate security measures, you are vulnerable to attack.

Strategy: In the limited space available here, I cannot possibly address how to secure a firewall. Instead, I'll note the considerations that go into doing so and point you to some useful resources. CNSS Instruction No. 4009, National Information Assurance (IA) Glossary, revised May 2003, defines a firewall as a "system designed to defend against unauthorized access to or from a private network." I prefer CERT's definition: "A combination of hardware and software used to implement a security policy governing the network traffic between two or more networks, some of which may be under your administrative control (e.g., your organization's networks) and some of which may be out of your control (e.g., the Internet)."

A DMZ (Demilitarized Zone) is a combination of firewalls -- a perimeter network segment logically between internal and external networks. Also called a "screened subnet," its purpose is to enforce the internal network's IA policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding internal networks from outside attacks. In some circles the DMZ is considered a part of the firewall, while other circles consider the DMZ the land of the sacrificial hosts. One way to think of a DMZ is as a group of hosts that are guided by a unique security policy. This policy balances some of the strictest controls against public access and availability requirements.

When putting in a firewall, CERT recommends a four-part approach: prepare, configure, test and deploy. To prepare, design the firewall system and have a written firewall security policy for each one that identifies who is allowed to log in to it, configure and update it. It should also outline the logging and management practices. The next step is critical: configure. Here you will acquire the firewall hardware and software; acquire the documentation, training and support; install the firewall hardware and software; configure IP routing, packet filtering, and logging and alert mechanisms.

DISA's Network Infrastructure Security Checklist, Version 5 release 2.2, is a combination of minimum security requirements and best practices designed to ensure a system is locked down as much as possible while still being useful. The Checklist requires, for example, that firewalls placed in the network infrastructure are only those having a Common Criteria (CC) Protection Profile evaluation of EAL4 or greater. Check out the CC Protection Profile evaluation product ratings. The Network Infrastructure Security Checklist discusses, among other things, which features of Cisco's IOS and Juniper's JUNOS systems should be present or absent for a more secure network setup.

Next, test the firewall and deploy the system into operation. Considerations to fold into your planning and configuration include proxies, stateful inspection or dynamic packet filtering, network address translation, virtual private networks, IPv6 or other non-IPv4 protocols, network and host intrusion detection and prevention technologies, routing and route management, switching and virtual local area networks, and encryption technologies.

More information

Helpful checklists can be found at the NIST Web page. A nifty feature of this page is a sign-up for email notifications when a checklist or implementation guide has been updated. And William R. Cheswick & Steven M. Bellovin's "Firewalls and Internet Security" will help you appreciate how far we've come and yet how little we've accomplished in firewall technology and practices in 10 years.

About the Author: Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Firewall redundancy: Deployment scenarios and benefits 20 Apr 2004 | Mike Chapple | SearchSecurity.com

Many network administrators have considered implementing dual firewalls. It is an expensive option, and the administrator who proposes the idea is likely to encounter a response like "$5,000 for a firewall? Don't we have one of those already?" There are, however, several good reasons to deploy multiple firewalls in your organization. Let's take a look at a few scenarios.

Fault tolerance and load balancing

Many organizations choose to implement dual firewalls in a parallel fashion, as shown in the figure below. When the router is properly configured, this provides the added benefits of fault tolerance and load balancing. Both firewalls should be configured to "fail-safe," that is, in the event of a failure, they should automatically block all traffic. When configured in this fashion, the firewalls provide fault tolerance; when one fails, the other is able to carry the network traffic and keep the failure transparent to users.

The second benefit to this strategy, load balancing, is a performance benefit. The router may be configured to divide traffic between the two firewalls, either on a priority basis or on a fair-share basis. Spreading the traffic out among multiple firewalls in this fashion helps prevent the bottleneck problems that plague many networks.

Enhanced perimeter protection

It's also possible to deploy the two firewalls in a series circuit, as shown in the illustration below. When configured in this fashion, all traffic passing into or out of the network must pass through both firewalls. This setup is sometimes deployed in high-security environments to protect against firewall-specific vulnerabilities. In this case, the two firewalls are from different vendors and may even run on different operating systems.

Protected subnets

The final scenario we'll discuss is shown in the figure below. In this case, secondary firewall(s) are used to protect subnets of the internal network that have greater security requirements than the network as a whole. This type of scenario may be used, for example, to provide an accounting department added protection for sensitive financial data they wish to protect from other internal users.

Overall, the deployment of multiple firewalls offers a variety of benefits, ranging from greater performance to enhanced security. If your security environment warrants this type of scenario and your wallet is big enough, it's definitely an option worth considering.

About the Author: Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of About.com Guide to Databases.

VPNs

Glossary definition: SSL SearchSecurity.com

Secure Sockets Layer

The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use. TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.

Glossary definition: IPsec SearchSecurity.com

IPsec

IPsec (Internet Protocol Security) is a framework for a set of protocols for security at the network or packet processing layer of network communication. Earlier security approaches have inserted security at the application layer of the communications model. IPsec is said to be especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and technologies) and has included support for it in its network routers.

IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol. Officially spelled IPsec by the IETF, the term often appears as IPSec and IPSEC.

Book chapter: Crypto basics: VPNs Chey Cobb | John Wiley & Sons | SearchSecurity.com

In this excerpt of Chapter 3 from "Cryptography for Dummies," author Chey Cobb explains how virtual private networks (VPNs) use encryption to secure data in transit.

When businesses communicate over the Internet, there is no protection promised or implied. It's like cities, towns and villages connected by roads. You transport whatever is on those roads at your own risk. Everything is done out in the open and can be seen, captured, destroyed or copied by anyone who cares to try. Businesses began to see the need for a safer alternative as they did business with remote partners and employees in remote locations. Thus, the Virtual Private Network (VPN) was invented.

It's like building a tunnel with special access controls between those cities, towns and villages. The tunnels aren't available to everyone. Before you can enter the tunnel, you must prove your identity, your packages must be of certain types and the delivery address must be verifiable. On the other hand, if someone manages to gain unauthorized access by fooling the access guards or by digging another tunnel that intersects with your tunnel, a VPN also has the ability to disguise the packages through encryption. That way, the intruder won't know which packages to steal because he can't tell one from another.

VPNs use encryption to protect the traffic between any two points. (I'm not using the word tunnel here because I don't want to confuse you!) The encryption is invisible to the user — other than passwords, passphrases, or a special card to plug into the computer, the user doesn't have to press a button that says "encrypt" or "decrypt."

VPNs have been around for enough years now to consider them a standard security mechanism. In general, VPNs are considered fairly reliable as far as security mechanisms go. Sure, there are hacks, but you really don't hear about too many of them. Either they are not happening often, or companies are just not telling. The way vendors create their VPN hardware and software is not necessarily interoperable, though. If you are communicating with someone who doesn't have the same sort of setup, it may take a few days or weeks of juggling cables and commands to get it working correctly.

VPNs are capable of encrypting two different ways: transport and tunneling. The transport encryption sets up a secure, encrypted link across the Internet wires, and it encrypts the data (payload) you are sending to the other end. This is the equivalent of the delivery truck carrying a package via the underground passageway, and to the people up above, they are invisible. All the data in transit is protected from sight.
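The difference between the two modes the chapter names, transport and tunneling, comes down to what a passive observer on the wire can still read. The script below is an added example, not code from the book: it builds a constructed packet, produces the on-the-wire form for each mode and shows the observer's view of each. The cipher is a toy keystream derived with HMAC-SHA256 so the example runs offline with the standard library only; a real VPN uses IPsec ESP with a proper cipher and key exchange, and the gateway addresses, key and payload are all constructed values.

```python
"""Transport mode vs. tunnel mode: what stays visible on the wire
(added example; not the book's code; toy cipher, not for real traffic)."""
import hashlib
import hmac
import json


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream. Toy only: it has no
    integrity protection and reuses a keystream per key, unlike real ESP."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes it


def transport_mode(packet: dict, key: bytes) -> dict:
    """Transport mode: the original IP header (source, destination, protocol)
    is sent in the clear; only the payload is encrypted."""
    return {"src": packet["src"], "dst": packet["dst"], "proto": packet["proto"],
            "esp": toy_encrypt(key, packet["payload"].encode())}


def tunnel_mode(packet: dict, key: bytes, gw_a: str, gw_b: str) -> dict:
    """Tunnel mode: the whole original packet, headers included, is encrypted
    and wrapped in a new outer header that names only the two VPN gateways."""
    inner = json.dumps(packet).encode()
    return {"src": gw_a, "dst": gw_b, "proto": "esp",
            "esp": toy_encrypt(key, inner)}


def observer_view(wire: dict) -> dict:
    """Everything a passive observer can read: the clear-text fields only."""
    return {k: v for k, v in wire.items() if k != "esp"}


def tunnel_unwrap(wire: dict, key: bytes) -> dict:
    """What the receiving gateway recovers from a tunnel-mode packet."""
    return json.loads(toy_decrypt(key, wire["esp"]).decode())


# Constructed sample: two hosts on private networks behind two VPN gateways.
PACKET = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp",
          "payload": "GET /payroll HTTP/1.0"}
KEY = b"example-shared-key"  # constructed; real keys come from IKE
GATEWAY_A, GATEWAY_B = "198.51.100.1", "203.0.113.1"  # constructed

if __name__ == "__main__":
    print("transport mode, observer sees:",
          observer_view(transport_mode(PACKET, KEY)))
    print("tunnel mode,    observer sees:",
          observer_view(tunnel_mode(PACKET, KEY, GATEWAY_A, GATEWAY_B)))
```

In transport mode the observer still learns which two internal hosts are talking and over which protocol; in tunnel mode only the two gateway addresses and the fact that ESP is in use remain visible, which is the "address and contents in code" the chapter describes.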

The only drawback to transport encryption is the fact that the headers on the data are sent in the clear. In effect, that's like disguising the package and then putting a label on it that says what's inside. If that isn't secure enough for you, the other form of VPN encryption, tunneling, not only sets up a secure, encrypted link between two points, but it also encrypts the headers of the data packets. Not only do you have a disguised package, but the address and the contents listed on the package's label are in code so they're not easily recognizable. That's better.

Just to give you an introduction, here are the tunneling protocols:

• GRE = Generic Routing Encapsulation
• IPsec = Secure Internet Protocol
• L2F = Layer 2 Forwarding
• PPTP = Point To Point Tunneling Protocol
• L2TP = Layer 2 Tunneling Protocol (PPTP + L2F)

If you set up a VPN for your customers, business partners and employees, they can gain some comfort in the fact that their data isn't traveling in the clear. As I mention earlier, the VPN standards aren't necessarily standard, so you'll have to see what protocols the vendor is using. The vendor will have tons of transfer protocols to choose from, but the tunneling protocols are fairly limited.

VPNs are relatively easy to set up now, and you can usually find experienced staff to install and manage them. Many vendors are including VPN capabilities in their routers so the system is practically plug and play. Just remember to change the default settings such as the administrator password. As I mention earlier, sometimes it takes a little effort to get two different VPNs talking to one another, but that doesn't last forever.

One point to remember, though: Many road warriors have automated the process of logging in to their VPN and have a shortcut on the desktop. Maybe not the smartest thing to do considering that intruders may occasionally gain access. In this instance, a stolen laptop can easily be used to log on to a VPN, and you'll never know it unless the employee alerts you. If a laptop is not properly protected with proper access controls -- turn it on and it's yours. On top of that, VPNs are great at protecting the data in transport, but they do not encrypt the data on your drives -- that data is still in the clear. In addition to access controls for laptops, you may also want to consider disk encryption to protect the data stored on the laptop. Just something to keep in mind.

SSL VPN: AEP SureWare A-Gate AG-600 23 Aug 2005 | George Wrenn | SearchSecurity.com

AEP SureWare A-Gate AG-600
AEP Systems, www.aepnetworks.com
Price: $8,995/400 users

AEP Systems SureWare A-Gate AG-600 provides SSL VPN remote access for connecting external users to internal systems. The appliance provides clientless access to HTTP and Windows Terminal Server apps and full access to client-server apps from Windows XP/2000 clients. AG-600 provides two modes of VPN access: A-Gate Anywhere can proxy application traffic via a Java applet, and the A-Gate Central is a thin-client SSL VPN that enables access to TCP/UDP applications. Users launch the client by clicking the link on the user A-Gate portal page, which is customizable to reflect user's branding.

It has four Ethernet interfaces, features high availability and session-level failover and handles 400 simultaneous connections. Enterprises will appreciate its capacity to cluster up to 16 boxes for supporting thousands of users.

AEP packs strong security in the AG-600, which runs a hardened version of Linux. Booting the box over a serial connection initially blocks access to system resources. This is a radical departure from security hardware that, for instance, allows anyone to configure network and device settings and remote root logins to the network without so much as a password. You'll need to set a password and options for Web-based administration, DNS server, syslog and SNMP to unlock configuration.

Configuration is a comprehensive process using GUI setup tabs, although the interface conspicuously lacks a help menu. We methodically assigned IP addresses to Ethernet interfaces and configured the LAN/WAN interfaces, incoming access to port 443 (SSL) and external gateway to route traffic to the Internet. Setting up digital certificates for authenticating users is a breeze. Clicking on the site security tab allows you to create a certificate signing request (CSR). We pasted our CSR into a VeriSign form to access a trial certificate.

AG-600 supports two Windows authentication options: LDAP for AD domains, and the Windows Server Message Block file sharing protocol (SMB) for old-school domain services. A-Gate also integrates with Sun LDAP and Novell NDS servers. Its RADIUS support hooks into other authentication methods, including CASQUE, Crypt-Card and SecurID. Our configuration using the internal database and Windows SMB domain authentication worked flawlessly.

We configured the remote access policy, adding the Anywhere Web servers, Windows Terminal Services and SSH to the remote access configuration. Establishing WAN access to these services was an easy configuration of A-Gate's host MYSQL database, server names and IP addresses.

We launched a browser with our new SSL-site identity, authenticated and proceeded to solve the obfuscated text riddle, or 'completely automated public Turing test to tell computers and humans apart' (CAPTCHA) utility, designed for enhancing authentication and preventing automated attacks. CAPTCHA is an image with slightly skewed characters and numbers. You decipher and type a displayed code and enter a user name and password, and again in the portal page. Having to authenticate twice was bothersome; but, once connected, an automated mechanism would be easier.

While AG-600's granular policy and portal elements could use some tweaking, this hardcore appliance provides enviable security defaults and convenient access to sensitive applications.

About the Author: George Wrenn, CISSP (gwrenn@infosecuritymag.com), is a technical editor for Information Security and a security director at a financial services firm. He's also a fellow at the Massachusetts Institute of Technology.

Corrent VPN 'connects' with Check Point software
7 Jul 2005 | Mike Chapple | SearchSecurity.com

Corrent's SR110 SSL VPN Web Security Gateway with Check Point Connectra 2.0
Corrent, www.corrent.com
Price: Starts at $11,700 for hardware and software license

Corrent's SR110 SSL VPN Web Security Gateway, an appliance running Check Point Software Technologies' Connectra 2.0 SSL VPN software, offers easy administration, an intuitive client experience and strong security. However, the SR110 is priced in the upper tier of VPN appliances.

The Connectra software provides point-and-click administration through a well-designed Web interface. The Web-based process for adding applications is straightforward. For example, to add a Web application, we simply specified the name and location of the application and the desired protection level (a combination of allowable authentication techniques and caching status). User authentication may be managed through the internal Connectra user database, but enterprises will prefer to integrate with LDAP, RADIUS and SecurID systems for authentication and authorization. We used Connectra's LDAP interface to perform authentication against Active Directory.

Policy configuration was a challenge. While we easily defined a HTTP global access policy for authenticated users, the GUI made it tough to configure more granular access control rules. It's confusing to decipher how menu branches relate to others in the tree. A more intuitive grid or matrix for defining devices, URL strings as services and authorized users/groups would be simpler.

Clients are presented with the Connectra portal, which provides a consolidated view of authorized apps. The SSL Network Extender ActiveX control, a Connectra Web plug-in, allows the use of any network-based Windows application. It tunnels endpoint traffic over SSL. We used the SR110 to access a Windows Server 2003 file server, an Exchange 2000 Web Outlook server, an IMAP server (using the Connectra integrated client) and several Web-enabled apps.

SSL Network Extender functionality is limited to IE on Windows 2000/XP, but Web portal access is available through IE, Mozilla, Netscape and Safari. We were disappointed with Connectra's lack of Firefox client browser support.

Connectra leverages Check Point's experience in perimeter security by integrating the SmartDefense network and application security controls. Network security controls include protection against DoS attacks (such as Teardrop and LAND), TCP/IP protocol-based attacks and network probes; application controls include inspection of HTTP and FTP traffic. The controls stopped several of our URL-based attacks, as well as a SQL injection attack against a Web-based form.

The SR110 has six Ethernet ports, two of which support Gigabit Ethernet. The wizard-based installation was smooth, taking about an hour from opening the box to establishing client connections. The installation guide provides detailed instructions for a variety of network configurations, including template firewall rules necessary for installing the appliance in a DMZ.

The SR110's steep price may discourage some enterprises. The $3,700 cost of Corrent's appliance combined with the $8,000 cost of a 50-user Connectra license from Check Point (which increases to $30,000 for 250 users) makes the price tag soar far above some established competitive products. For example, a Cisco VPN 3005 concentrator (which supports 50 SSL VPN sessions) lists at $2,995, and $35,000 will purchase a Cisco VPN 3060, which supports 500 clientless Web sessions.

Price notwithstanding, an appliance that incorporates ease of use for admins and users and strong security offered by Connectra merits consideration for secure access to enterprise applications.

About the Author: Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of About.com Guide to Databases.

Quiz: SSL vs. IPsec VPNs
SearchSecurity.com

Test your knowledge of IPsec and SSL VPNs with this quiz to help you determine which technology best suits your organization's needs.

1.) Which type of VPN encryption sets up a secure, encrypted link between two points, but does not encrypt the headers of the data packets?
a. Transport encryption
b. Tunneling encryption

2.) Which of the following is a basic requirement of an SSL VPN?
a. Proxy access and protocol conversion
b. Remote-access orientation
c. Extranet support
d. Highly granular access controls
e. All of the above

3.) Which of the following describes an IPsec VPN?
a. Requires host-based clients and hardware at a central location. Users have full office functionality, but there's very little granularity in access control.
b. Does not require a client download, and application and client administration is eliminated. Remote connections made via a Web browser or a downloadable Java or ActiveX agent. Role-based access can be assigned for each user.

4.) Which layer of the network does an IPsec VPN operate on?
a. Layer 3
b. Layer 4
c. Layers 4 through 7
d. None of the above

5.) Which of the following operational modes is the simplest and most usable, as well as the most supported by SSL VPNs?
a. Application translation
b. Port forwarding
c. Proxy
d. Network extension

6.) In which scenario is an IPsec VPN generally considered a better solution than an SSL VPN for remote access?
a. Telecommuters coming from fixed sites, using managed corporate devices and terminating in a secure, private network on either side.
b. Telecommuters without fixed access who want to come in from a variety of sites.

7.) True or False: SSL VPNs are inherently less secure than IPsec VPNs.
a. True
b. False

8.) Encapsulating Security Payload (ESP) allows for...
a. Authentication of the sender of data
b. Encryption of the data
c. Both authentication of the sender and encryption of the data
d. None of the above

9.) Which of the following features of SSL VPNs help avoid the risk of leaving sensitive information on public PCs used to access a corporate network?
a. Secure logout

b. Credential scrubbing
c. Auto forms completion disabling
d. All of the above

10.) What is the transmission of data through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network?
a. Tunneling
b. Virtual private network
c. Output feedback
d. Promiscuous mode

Answer Key:
1. a. Transport encryption
2. e. All of the above
3. a. Requires host-based clients and hardware at a central location. Users have full office functionality, but there's very little granularity in access control.
4. a. Layer 3
5. c. Proxy
6. a. Telecommuters coming from fixed sites, using managed corporate devices and terminating in a secure, private network on either side.
7. b. False
8. c. Both authentication of the sender and encryption of the data
9. d. All of the above
10. a. Tunneling

Letting telecommuters in -- Your VPN alternatives
1 Oct 2005 | Rebecca Rohan | SearchSecurity.com

There are other options to give telecommuters access to your network and its applications than a traditional VPN. According to this article from Informit, if you weigh your access and security requirements against the cost and complexity needed, you might find other options to a traditional VPN.

What are the best ways to let telecommuters into your network? The answer that helps administrators sleep most securely is a fixed Virtual Private Network (VPN). The most secure VPN is the traditional arrangement with the telecommuter coming from a fixed site, ideally using a managed, corporate device and terminating in a secure, private network on either side. A VPN uses end-to-end encryption to carve out a private tunnel over the public network. Quite a bit of effort can go into setting up this arrangement: you need to see that hardware, software and settings

are set up perfectly and maintained on both ends, but the security can be worth the trouble.

Let's throw out some protocols -- there are three or four at this end of the pool. Only one from this group is secure enough to take seriously: IPSec. It encrypts at the packet level. PPTP has weak encryption keys, weak password hashing and unauthenticated control traffic. L2TP traffic can be read by network sniffers. However, when combined with IPSec for encryption, L2TP becomes unreadable and offers IPSec authenticated access for multiple protocols. Just be sure the device you buy supports the combined IPSec and L2TP standard. IPSec is the standard to buy, especially in conjunction with L2TP.

Authentication, of course, is a time-honored institution at many shops with ID badges and telecommuters who sport authentication token fobs. They get a new password number each 30 seconds and type it, along with their login. (That's just one way to authenticate.)

SSL
Maybe you have mobile employees without fixed access who want to come in from a variety of sites. Salespeople are the typical example, as they may need to connect to your network from a hotel room or a customer site. In recent years, Secure Sockets Layer (SSL) VPN appliances, such as those sold by Aventail and Juniper, have sprung onto the planet and ask nothing of the visitor except an SSL-enabled browser -- no software installation, no matching hardware. Remote users can come into the VPN from anyplace that has an SSL browser or kiosk, whenever they need to get in, despite user changes to software, firmware and hardware. "Hey, man, look at this." "Is this thing on?" Talk about letting in the rabble -- literally.

And therein lies the first of the security concerns with SSL VPNs. Things may actually be easier for them, depending on how much trust they request from your network. The administrator manages access rights and authentication rites in advance, setting up different rules based on who the user is, how secure a "neighborhood" he's calling from and so on. If he phones into the office from an airport kiosk, the user may not see those medical records he would get if he were calling from an approved device at home -- at least not if the administrator set things up correctly. You don't want the good doctor looking at your record from the airport, because he can forget to log out.

Another concern with SSL VPNs is the recent discovery that local desktop search engines cache and index SSL VPN sessions, even though the VPNs have tools to wipe their own caches. Some SSL VPN vendor tools are available to combat this new threat.

Microsoft Terminal Services
Microsoft Terminal Services lets users work on applications in thin client fashion from a remote location. Terminal Services is part of Windows' NT Server 4.0 Terminal Services Edition, Windows 2000 and .NET Server.

When initially released, "Term Server," like its parent Citrix WinFrame from Citrix Systems Inc., became an enticing way for many shops to let employees access applications remotely, and it remains so to this day. With the addition of Citrix' Secure ICA Services' 128-bit, end-to-end encryption (not included), Term Server traffic becomes more secure. However, it can be more trouble and additional skills are required.

Remote Control
Perhaps the easiest to set up, lowest-budget solution for telecommuter access is remote control software, such as Symantec's PC Anywhere. These packages allow the remote user to literally control the machine back at the office. Also, make sure you can blank the screen in the office so telecommuters don't have an audience watching what they're doing from home. VNC is an open source selection that runs on Windows, Mac, Linux and other platforms.

Some remote control software, such as Netopia's Timbuktu Version 7.0, use non-standard encryption when sending copies of your screen over the Internet. Timbuktu uses a proprietary method to scramble bits and randomize parts of the screen. Users may define any key for authentication of the data stream -- presumably if they provide the key. Currently, experts advise against using home-grown encryption, as even well-known methods often fail to pass muster once put under scrutiny and, with a proprietary cipher, you're getting what Gramma called "a pig in a poke," but you only pay if it works. (Netopia says it plans to employ an as-yet unannounced form of standard encryption in its next version of Timbuktu.) Meanwhile, Altiris Inc.'s Carbon Copy uses 128-bit MD5 encryption during authentication only, and the MD5 collision weakness that came to light in 2004 shouldn't be a problem for Carbon Copy. Carbon Copy's data stream is guarded by a 64-bit proprietary encryption key for each packet sent.

Symantec Corporation just announced PC Anywhere 11.5 with AES encryption (up to 256-bit cipher strength) for both authentication and the data stream, 13 different methods of authentication (including RSA SecurID authentication), the ability to specify TCP/IP addresses and subnets that are allowed to connect, and the option to hide pcAnywhere hosts from TCP/IP browse lists. The new version of pcAnywhere also offers host address blocking.

Check security specs before you buy. Go to BugTraq (http://www.securityfocus.com/archive/1) and check the product name (in date order) for security reports, because these things change. You have to think about what happens after that secure log-in.

The inherent capabilities of IPSec selectors and their use in remote-access VPNs
31 Mar 2004 | Lisa Phifer, VP, Core Competence, Inc. | SearchSecurity.com

In a SearchSecurity webcast, New Directions in VPNs, speaker Lisa Phifer, vice president and owner of consulting firm Core Competence, addressed technological developments in virtual private networks. Here Lisa answers a user-submitted question that she didn't have time to answer during the broadcast. If you missed our webcast, or would like to review it, you may listen to the recorded webcast on-demand.

You mentioned during the webcast that IPsec can access the entire network behind the firewall whereas SSL can access only the assigned server. But I noticed that you set that in IPsec by setting the subnet address range rather than the entire network. Am I missing something here?

Good catch. I didn't elaborate on this in the webcast, but there's a difference between the capabilities inherent in IPsec selectors (traffic filters) and the way in which most companies use them.

IPsec selectors can be based on entire IP subnets, partial subnets, individual destinations, protocol types and source/destination ports. That means that it's possible to create an IPsec selector that permits encrypted access to just one server and just one application (port) on that server (depending upon product support). Using this kind of fine granularity can require more complex policy maintenance and so is usually done with group-level policies that apply the same complex filters to a set of users, rather than to individual users.

But in practice, most remote-access VPNs are configured with fairly coarse IPsec selectors, allowing access either to an entire subnetwork or (more often) to all destinations (0.0.0.0/0). The latter is very common, to avoid split tunneling. In short, all outbound traffic is sent via the IPsec tunnel, no matter what the destination -- whether that's inside the private Intranet or somewhere on the public Internet. Once the traffic reaches the VPN gateway, it is decrypted and forwarded along to the final destination. This configuration lets the company monitor, log and filter all user traffic -- for example, stripping a malicious attachment at the VPN gateway that the user might otherwise pick up while downloading shareware from a public Web site.

SSL VPNs that act as circuit-layer proxies can be configured in a similar fashion to forward all outbound application traffic across the SSL VPN tunnel. However, many SSL VPN products are configured in a more granular fashion to ignore or drop traffic that lies outside the VPN policy and relay only that application traffic covered by the VPN's policy. SSL VPN products do tend to allow more granularity in filter configuration than even the most granular IPsec selectors -- for example, filtering on individual URLs, Web objects or even application commands. Product capabilities vary, but it's more important to decide the level of policy granularity your business requires, and then make sure the product you pick can support that level of granularity without a lot of administrative overhead.
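To make the selector discussion concrete, here is an added Python model of the three granularities Lisa describes (an illustration written for this guide, not code from the webcast, from Core Competence or from any VPN product). A selector is a destination network plus optional protocol and port; a flow that matches no selector takes the policy's default, modelled as "bypass" (split tunnel) or "discard". The selector fields, the constructed flows and the sample addresses are assumptions of this model, and the split-tunnel test simply asks whether any flow would leave the host outside the tunnel.

```python
"""IPsec selector granularity and split tunneling, modelled in Python.

Added illustration for this guide; not code from the webcast, from Core
Competence or from any VPN product. Selector fields, sample addresses and the
'bypass' default for unmatched traffic are assumptions of this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """One traffic filter: destination network, optional protocol and port."""
    dst_net: str                    # "0.0.0.0/0", "10.1.0.0/16", "10.1.5.20/32"
    proto: Optional[str] = None     # "tcp", "udp" or None for any protocol
    dst_port: Optional[int] = None  # None for any destination port

    def matches(self, dst_ip: str, proto: str, dst_port: int) -> bool:
        if ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def classify(selectors, dst_ip, proto, dst_port, unmatched="bypass"):
    """'tunnel' when some selector covers the flow, otherwise the policy's
    default for unmatched traffic: 'bypass' (split tunnel) or 'discard'."""
    if any(s.matches(dst_ip, proto, dst_port) for s in selectors):
        return "tunnel"
    return unmatched


def split_tunneled(selectors, flows):
    """True if any flow would leave the host in the clear, outside the tunnel."""
    return any(classify(selectors, *f) == "bypass" for f in flows)


# The three granularities discussed above, coarse to fine.
ALL_DESTINATIONS = [Selector("0.0.0.0/0")]                    # no split tunneling
WHOLE_SUBNET = [Selector("10.1.0.0/16")]                      # one subnetwork
ONE_SERVER_ONE_PORT = [Selector("10.1.5.20/32", "tcp", 443)]  # single service

# Constructed flows: (destination IP, protocol, destination port).
FLOWS = [
    ("10.1.5.20", "tcp", 443),   # intranet HTTPS server
    ("10.1.5.20", "tcp", 22),    # SSH to the same server
    ("10.1.7.9", "tcp", 445),    # file server elsewhere in the subnet
    ("203.0.113.8", "tcp", 80),  # public Web site (TEST-NET-3 address)
]


def policy_report(selectors):
    """Map each constructed flow to its disposition under one policy."""
    return {f"{ip} {proto}/{port}": classify(selectors, ip, proto, port)
            for ip, proto, port in FLOWS}


if __name__ == "__main__":
    for name, pol in [("all destinations", ALL_DESTINATIONS),
                      ("whole subnet", WHOLE_SUBNET),
                      ("one server, one port", ONE_SERVER_ONE_PORT)]:
        print(name, "- split tunneled:", split_tunneled(pol, FLOWS))
        for flow, action in policy_report(pol).items():
            print("   ", flow, "->", action)
```

Only the 0.0.0.0/0 policy sends the public Web flow through the gateway, which is exactly what gives the company the chance to filter it; the single-server selector keeps the SSH flow to the same host out of the tunnel, so such fine-grained policies are normally maintained per group rather than per user.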

About the Author: As owner of consulting firm Core Competence, Lisa Phifer advises companies regarding security needs, product assessment and the use of emerging technologies and best practices. She has been involved in the design, implementation and evaluation of security and network management products for more than 20 years.

VPN fast facts: True or false?
1 Aug 03 | Lisa Phifer, VP, Core Competence | SearchSecurity.com

SSL VPNs are inherently less secure than IPSec VPNs.
False. Security builds upon standards and products that implement them, but ultimately depends upon appropriate deployment and sound policy definition. While they differ architecturally, both VPNs can be deployed securely -- or poorly.

SSL VPNs can be used anywhere that IPSec VPNs can be used.
False. IPSec was designed to secure any IP traffic and is configurable to support any IP application. SSL was designed to secure HTTP and has been successfully extended to secure many other applications. However, IPSec is generally considered a better solution for site-to-site VPNs, where it better satisfies broad application needs and performance demands. SSL is better suited in scenarios where VPN administrators have no control over client software installation, such as extranet collaboratives or nonwork computers (kiosks and homes). To meet the needs of different constituencies, many companies will likely end up with both.

SSL VPNs are suitable for enterprise-class deployment.
True. Some SSL VPN gateways are designed for large-scale deployment. They support high user volume, encryption via hardware acceleration and redundancy through failover and load balancing.

IPSec VPNs offer more extensible infrastructure.
True. Many argue that SSL VPNs are more suitable for large populations because they reduce the cost of software distribution. However, extensibility ultimately depends on how an SSL VPN product is designed and performs in production environments.

About the Author: As owner of consulting firm Core Competence, Lisa Phifer advises companies regarding security needs, product assessment and the use of emerging technologies and best practices. She has been involved in the design, implementation and evaluation of security and network management products for more than 20 years.

Client-side security considerations for SSL VPNs
23 Mar 2004 | Lisa Phifer, VP, Core Competence, Inc. | SearchSecurity.com

Companies tired of VPN client software installation and configuration are being increasingly drawn to "clientless" solutions like SSL VPNs. However, using a browser-based VPN to go "clientless" still requires client-side vulnerability analysis and mitigation.

The lure of SSL VPNs
According to Frost and Sullivan, the SSL VPN market exploded in 2002, growing at a compound annual rate of 49% through 2010. The big draw? SSL VPNs leverage browsers present on nearly every desktop and handheld to avoid adding software. Security policy can be largely dictated by the VPN gateway, reducing remote configuration. Circumventing these IT pain points should cut the cost of remote access.

But there's a catch: loss of IT control over the hosts used for remote access. Browser-based VPNs enable remote access from more locations, no matter who owns the remote PC. Teleworkers can use home PCs without IT oversight. Travelers can use public PCs at business centers and Internet cafes. Business partners can use PCs administered by other companies. Permitting remote access from these venues increases convenience, availability and productivity.

Leave nothing behind
Most public PCs contain traces of past user activity: Outlook inboxes filled with private email, browser caches containing Webmail text and password-laced cookies, and file attachments saved to temp directories. Many have no idea what they leave behind; even those who know how to wipe their tracks clean make mistakes. PCs available for public use in cafes, airports and conference centers are readily accessible to strangers 24/7. Leaving this sensitive data behind on public PCs poses considerable risk.

To address this risk, most SSL VPNs take steps to automatically clean up after each remote access session. Features to look for when considering SSL VPN products include:

• Secure logout -- Forced session disconnection and browser window close, typically based on centrally defined inactivity or duration timeouts.
• Credential scrubbing -- Deleting cached credentials at session end or preventing them from being cached on the client in the first place.
• Auto forms completion disabling -- Avoiding client storage of data entered in private Web page forms that might otherwise be visible to subsequent users.
• Personal information profile disabling -- Preventing access to, and use of, user data commonly integrated with browsers, like Outlook Address Book entries.
• Cookie blocking -- Removing cookies at session end, or better yet, no personally identifiable or reusable information written to cookies during sessions.
• Temp file clean up -- Deleting files created during the session or blocking their creation, including cached pages, offline content and downloaded programs.
• Stopping VPN URLs from being used as a launch point for common Web server attacks (e.g., password-guessing, DoS floods, script injection).

Prevent tunnel compromise
Post-session clean up is essential, but it doesn't go far enough.

Some argue that SSL VPNs pose less risk because network VPNs use secure tunnels to connect remote hosts to private networks, while SSL VPNs typically connect individual client applications to private servers. However, this really depends upon the product and policy granularity. For example, Nokia's Secure Access System can restrict access to applications and features, depending upon the system from which a VPN session is initiated.

Spyware, remote access Trojans and denial-of-service zombies can be implanted to probe or attack corporate resources during active VPN sessions. Attackers can install packet-capture tools, keystroke loggers and even desktop session recorders to obtain usernames, passwords and private data. To prevent IPsec/L2TP/PPTP VPN tunnel compromise on company laptops, most companies mandate client-side personal firewalls, antivirus software and up-to-date security patches. These measures are typically part of the "remote access bundle" that IT installs and configures on every host. For "clientless" access, the same measures can be applied, either directly or by supplying software and instructions to employees. Options are more limited on public PCs -- greatly increasing the risk of compromise.

Stop problems before they start
A smaller window of opportunity helps, but is that enough? Depending upon your business risk, additional measures may be appropriate to secure your VPN.

• To defeat password compromise by keystroke loggers and session recorders, use one-time passwords or two-factor authentication. A narrower window of opportunity can eliminate some vulnerabilities -- USB tokens or biometric devices require client software, but other mobile methods are widely supported (e.g., RSA SecurID, S/Key).
• To defeat session data capture and client-side malware, look for VPN products that integrate client-side security checks into access policies.
• To adjust permissions to reflect threat level, look for products that support policies that differentiate between company-administered hosts and all others.
• To implement more granular policies, look for products that can define access rights based not just on application, but also on individual commands (e.g., permit read but not write or delete) and user/group-specific URLs and objects (e.g., accounts), preventing Trojan access to other systems and ports. Granularity is a double-edged sword: Look for incremental or hierarchical grouping features, and design your policies with both maintenance and performance in mind.

A growing number of VPN products now offer scan-on-connect, preventing VPN session establishment by compromised hosts. Scan-on-connect may ensure that desktop security measures are active and up-to-date and can sometimes detect the presence of malware. Examples include Microsoft Windows Server 2003 Quarantine, Cisco's VPN Client (integrated with ZoneLabs' Integrity), CheckPoint's VPN-1 SecureClient (integrated with PestPatrol and others), Aventail's End Point Control (integrated with Bluefire and others), and Neoteris (integrated with WholeSecurity and others). Although many do require installed client software, some

are "clientless" -- for example, Zone Labs' download-on-demand host integrity checker.

These are just some of the steps you can take to address client-side security concerns for network-level and browser-based VPNs. Keep in mind that all VPNs pose some risk; effective VPN deployment requires understanding and managing inherent vulnerabilities. Going "clientless" with an SSL VPN may avoid new client-side software, but it still requires client-side vulnerability analysis and mitigation.

About the Author: As owner of consulting firm Core Competence, Lisa Phifer advises companies regarding security needs, product assessment and the use of emerging technologies and best practices. She has been involved in the design, implementation and evaluation of security and network management products for more than 20 years.

Windows-specific network access control procedures

Book chapter: Access control entries
Paul Cooke | Realtimepublishers.com | SearchWindowsSecurity.com

Access control entries
While the ACL is the overall structure for providing permissions in Windows 2000, as I mentioned earlier, it's really the ACEs that carry all the real access control information. Although there are different types of ACE structures, all ACEs include a SID, an access mask, flags to determine inheritance of the ACE, and the ACE type. All ACEs are somewhat similar, but Windows 2000 supports six ACE types, as shown in Table 5.4.

Table 5.4: The six types of ACEs.

ACE | Type | Description
Access-denied | Generic | Denies access to an object in a DACL.
Access-denied | Object-specific | Denies access in a DACL to a property or property set or to limit inheritance to a specified type of child object.
Access-allowed | Generic | Allows access to an object in a DACL.
Access-allowed | Object-specific | Allows access in a DACL to a property or property set or to limit inheritance to a specified type of child object.
System-audit | Generic | Logs attempts to access an object in a DACL.
System-audit | Object-specific | Logs attempts in a SACL to access a property or property set or to limit inheritance to a specified type of child object.

Of these six ACE types, three are generic and can be used in ACLs for any securable object. The other three are object-specific and can be used only in ACLs for AD objects. While generic and object-specific ACEs are extremely similar, there are a couple of differences between them. The differences can be categorized primarily by the granularity of access control that they provide for ACE inheritance and object access. Generic ACEs can distinguish between container and non-container objects only when they're inherited, and they can only apply to an entire object. Object-specific ACEs can distinguish between which child objects can inherit them and can be used on a single attribute, or a set of attributes, of an object.

Whether ACEs are generic or object-specific isn't something that you need to concern yourself with every day. Whenever you modify an ACL, Windows 2000 automatically

constructs the appropriate ACE and takes care of all the implementation details. However, knowing a little bit about what is going on under the hood is useful.

Book chapter: Six steps for deploying Network Access Quarantine Control
Jonathan Hassell | Apress | SearchWindowsSecurity.com

In this section, you'll look at the actual deployment of NAQC on your network. There are six steps, each outlined in a separate subsection ahead.

Creating quarantined resources

The first step is to create resources that can actually be reached while the quarantine packet filters are in place for a remote client. Examples of such resources include DNS and DHCP servers, so the client can retrieve IP address and connection information, and file servers that hold the software needed to update out-of-compliance machines. You can also provide Web servers that describe the quarantining process or let a remote user contact IT support via email if any problems occur.

There are two ways you can specify and use a quarantined resource. The first is to identify certain existing servers on your network as quarantine resources, without regard to their physical or network location. This lets you use existing machines to host the quarantined resources, but you also have to create an individual packet filter for quarantined sessions for each of those machines. For performance and overhead reasons, it's best to limit the number of individual packet filters for a session. If you decide to go this route, you'll need to enable the packet filters shown in Table 7-1.

Table 7-1. Packet filters for distributed quarantine resources

Traffic type    Source port   Destination port   Alternatives
Notifier        n/a           TCP 7250           None.
DHCP            UDP 68        UDP 67             None.
DNS             n/a           UDP 53             You can also specify the IP address of any DNS server.
WINS            n/a           UDP 137            You can also specify the IP address of any WINS server.
HTTP            n/a           TCP 80             You can also specify the IP address of any Web server.
NetBIOS         n/a           TCP 139            You can also specify the IP address of any file server.
Direct hosting  n/a           TCP 445            You can also specify the IP address of any file server.
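The filter list in Table 7-1, and the dedicated-subnet alternative the chapter describes next, modelled as an added example so you can check a candidate filter list before typing it into the RRAS dial-in profile. This is not code from the book or from Microsoft; the server addresses (10.0.0.x, 10.99.0.0/24) and the test packets are constructed for the example. It follows the RRAS "Permit only the packets listed below" rule: a packet from the quarantined client passes if any input filter matches it and is dropped otherwise.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class InputFilter:
    """One RRAS input filter on the dial-in profile (traffic from the quarantined client)."""
    proto: str                       # "tcp" or "udp"
    dst_port: Optional[int] = None   # None = any destination port
    src_port: Optional[int] = None   # None = any source port
    dst_net: Optional[str] = None    # None = any destination host or network

    def matches(self, proto: str, src_port: int, dst_port: int, dst_ip: str) -> bool:
        if proto != self.proto:
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        if self.src_port is not None and src_port != self.src_port:
            return False
        if self.dst_net is not None and ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        return True


def permitted(filters: List[InputFilter], proto: str, src_port: int, dst_port: int, dst_ip: str) -> bool:
    """'Permit only the packets listed below': any matching filter permits; nothing else passes."""
    return any(f.matches(proto, src_port, dst_port, dst_ip) for f in filters)


def missing_essentials(filters: List[InputFilter]) -> List[str]:
    """Filters every quarantine profile needs, whichever layout you choose.  Without the
    notifier filter the client can never report compliance, so it sits in quarantine
    until the session timeout disconnects it."""
    problems = []
    if not permitted(filters, "tcp", 40000, 7250, "10.0.0.1"):
        problems.append("no filter for RQC notifier traffic (TCP 7250)")
    if not permitted(filters, "udp", 68, 67, "255.255.255.255"):
        problems.append("no filter for DHCP (UDP 68 -> 67)")
    return problems


# Layout 1 (Table 7-1): distributed resources, one filter per service.  Addresses are constructed.
DISTRIBUTED = [
    InputFilter("tcp", dst_port=7250),                         # notifier -> RQS listener on the RRAS server
    InputFilter("udp", src_port=68, dst_port=67),              # DHCP
    InputFilter("udp", dst_port=53,  dst_net="10.0.0.10/32"),  # DNS server
    InputFilter("udp", dst_port=137, dst_net="10.0.0.11/32"),  # WINS server
    InputFilter("tcp", dst_port=80,  dst_net="10.0.0.20/32"),  # remediation Web server
    InputFilter("tcp", dst_port=139, dst_net="10.0.0.30/32"),  # NetBIOS file server
    InputFilter("tcp", dst_port=445, dst_net="10.0.0.30/32"),  # direct-hosted SMB on the same file server
]

# Layout 2: a dedicated quarantine subnet; only notifier and DHCP need port-specific filters.
SUBNET = [
    InputFilter("tcp", dst_port=7250),
    InputFilter("udp", src_port=68, dst_port=67),
    InputFilter("tcp", dst_net="10.99.0.0/24"),
    InputFilter("udp", dst_net="10.99.0.0/24"),
]

# Constructed client packets: (description, proto, src_port, dst_port, dst_ip)
PACKETS: List[Tuple[str, str, int, int, str]] = [
    ("RQC success report",            "tcp", 40000, 7250, "10.0.0.1"),
    ("DHCP discover",                 "udp",    68,   67, "255.255.255.255"),
    ("HTTP to remediation server",    "tcp", 40001,   80, "10.0.0.20"),
    ("HTTP to a production intranet", "tcp", 40002,   80, "10.0.1.5"),
    ("RDP to remediation server",     "tcp", 40003, 3389, "10.0.0.20"),
    ("RDP to quarantine subnet host", "tcp", 40004, 3389, "10.99.0.7"),
]


def audit(filters: List[InputFilter]) -> dict:
    """Map each constructed packet description to permit (True) or drop (False)."""
    return {desc: permitted(filters, p, s, d, ip) for desc, p, s, d, ip in PACKETS}


if __name__ == "__main__":
    for name, layout in (("distributed", DISTRIBUTED), ("subnet", SUBNET)):
        print(f"== {name} layout ==", missing_essentials(layout) or "essentials present")
        for desc, ok in audit(layout).items():
            print(f"  {'PERMIT' if ok else 'DROP  '}  {desc}")
```

The audit makes the trade-off between the two layouts visible: the distributed layout drops RDP even to the remediation server, because only port 80 is opened to it, while the subnet layout permits any TCP or UDP port on the quarantine subnet, so those hosts must be hardened as if they were exposed to untrusted clients.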


You can also configure any other packet filters peculiar to your organization.

The other approach is to limit your quarantined resources to a particular IP subnet. This way, you need just one packet filter to quarantine traffic from a remote user, but you have to readdress machines and, in most cases, take them out of their existing service or buy new ones. When you use this method, the packet filter requirements are much simpler. You simply need to open one filter for notifier traffic on destination TCP port 7250, one for DHCP traffic on source UDP port 68 and destination UDP port 67, and, for all other traffic, one for the address range of the dedicated quarantine resource subnet. And again, you can also configure any other packet filters peculiar to your organization.

Writing the baseline script

The next step is to actually write a baseline script that will be run on the client. Its checks are specific to your organization, but every script must run RQC.EXE if the baseline compliance check was successful, passing the following arguments in this order:

rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion

The switches and arguments are explained in the following list:

• The ConnName argument is the name of the connectoid on the remote machine, which is most often inherited from the dial-in profile variable %DialRasEntry%.
• The TunnelConnName argument is the name of the tunnel connectoid on the remote machine, which is most often inherited from the dial-in profile variable %TunnelRasEntry%.
• The TCPPort argument is the port used by the notifier to send a success message. The default is 7250.
• The Domain argument is the Windows security domain name of the remote user, which is most often inherited from the dial-in profile variable %Domain%.
• The Username argument is the username of the remote user, which is most often inherited from the dial-in profile variable %UserName%.
• The ScriptVersion argument is a text string that contains the script version that will be matched on the RRAS server. You can use any keyboard characters except the two-character sequence \0, which RQS uses to separate entries in its list of acceptable versions.


Here is a sample batch file script:

@echo off
echo Your remote connection is %1
echo Your tunnel connection is %2
echo Your Windows domain is %3
echo Your username is %4
set MYSTATUS=

REM Baselining checks begin here
REM Verify Internet Connection Firewall is live.
REM Set CHECKFIRE to 1-pass, 2-fail.

REM Verify virus checker installed and sig file up.
REM CHECKVIRUS is 1-pass, 2-fail.
REM [insert various commands to verify the presence of AV software and sig file]

REM Pass results to notifier or fail out with message to user.
if "%CHECKFIRE%" == "2" goto :NONCOMPLIANT
if "%CHECKVIRUS%" == "2" goto :NONCOMPLIANT
rqc.exe %1 %2 7250 %3 %4 Version1-0
REM These variables correspond to arguments and switches for RQC.EXE
REM %1 = %DialRasEntry%
REM %2 = %TunnelRasEntry%
REM RQS on backend listens on port 7250
REM %3 = %Domain%
REM %4 = %UserName%
REM The version of the baselining script is "Version1-0"

REM Print out the status
if "%ERRORLEVEL%" == "0" (
    set ERRORMSG=Successful baseline check.
) else if "%ERRORLEVEL%" == "1" (
    set ERRORMSG=Can't contact the RRAS server at the corporate network. Contact a system administrator.
) else if "%ERRORLEVEL%" == "2" (
    set ERRORMSG=Access is denied. Please install the Connection Manager profile from http://location and attempt a connection again.
) else (
    set ERRORMSG=Unknown failure. You will remain in quarantine mode until the session timeout is reached.
)
echo %ERRORMSG%
goto :EOF

:NONCOMPLIANT
echo.
echo Your computer has failed a baseline check for updates on
echo your machine. It is against corporate policy to allow out of
echo date machines to access the network remotely. Currently
echo you must have Internet Connection Firewall enabled and
echo an updated virus scanning software package with the
echo latest virus signature files. For information about how to
echo install or configure these components, surf to
echo http://location.
echo You will be permitted to access only that location until
echo your computer passes the baselining check.

Note that this template fails open: if a check never sets its variable, the comparison with "2" is false and RQC.EXE is run anyway, so every check you add must set its variable on both the pass and the fail path. The version string the script passes (Version1-0 in this sample) must match exactly one of the strings you store on the RRAS server in the next step.

Of course, this batch file is simple. You can make it as complex as you like, and because the postconnect script option in CMAK allows you to run an .exe file, you can even compile a special program.

Installing the listening components

The Remote Access Quarantine Agent service, known otherwise as RQS.EXE, must be installed on the Server 2003 machines that are accepting incoming calls using RRAS. RQS is found in the Windows Server 2003 Resource Kit Tools download, which you can find on the Microsoft Web site. Once you've run the installer for the tools, select the Command Shell option from the program group on the Start menu, and run RQS_SETUP /INSTALL from that shell. This batch file copies the appropriate binaries to the WindowsRoot\System32\RAS folder on your system and modifies the service and Registry settings so that the listener starts automatically when the server boots up.

NOTE: To remove RQS, type RQS_SETUP /REMOVE at a command prompt.

There's a bit of manual intervention required, however. You need to specify the version string for the baseline script. The listener service matches the version reported by the remote computer to the value stored on the RRAS computer, so you can make sure that the client is using the latest acceptable version of a script. To make this change manually after you've run RQS_SETUP from the Tools download, do the following:

1. Open the Registry Editor.
2. Navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs key.
3. Right-click in the right pane, and select New, then Multi-String Value.
4. Name the value AllowedSet (the same value the REG ADD line in RQS_SETUP.BAT writes, shown below).
5. Double-click the new entry, and enter the string that refers to an acceptable version of the script (Version1-0 for the sample script above), one version per line.

Alternatively, you can modify the RQS_SETUP batch file, so this step can be automated for future deployments. Do the following:

1. Open the RQS_SETUP.BAT file in Notepad.
2. Select Find from the Edit menu.
3. In Find What, enter Version10, and click OK. The text cursor should be on a line that says:
   REM REG ADD %ServicePath% /v AllowedSet /t REG_MULTI_SZ /d Version10\0Version1a0\0Test
4. To add just one acceptable version, replace the text "Version10\0Version1a0\0Test" with the script version string you want to be passed by RQC.EXE. If you want to add more than one acceptable version, replace the text "Version10\0Version1a0\0Test" with the acceptable version strings, each separated by the "\0" sequence.
5. Now, delete "REM" from the beginning of the line.
6. Save the file, and then exit Notepad.

NOTE: By default, RQS.EXE listens on TCP port 7250. To change the default TCP port, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqs key, create a new REG_DWORD value called Port, and set it to the desired port.

NOTE: RQS is set as a dependency of RRAS. However, when RRAS is restarted, RQS doesn't automatically restart, so you'll need to manually restart it if you ever stop RRAS manually.

Creating a quarantined connection profile

The next step is to create a quarantined Connection Manager profile, which happens to be a plain-vanilla profile with a few modifications. For one, you need to add a postconnect action so that your baseline script will run and return a success or failure message to the RRAS machine. You also need to add the notifier to the profile. In this section, I'll assume you're familiar with creating custom connectoids with the Connection Manager Administration Kit (CMAK) wizard, because the whole process is beyond the scope of this chapter and this book. The process begins to differ at the Custom Actions screen (shown in Figure 7-1), so I'll begin this procedural outline there:

1. Navigate to the Custom Actions screen, as shown in Figure 7-1, and then click the New button to add an action. The New Custom Action dialog box is displayed, as shown in Figure 7-2.

Figure 7-1. The Custom Actions screen of the CMAK wizard

2. Type a descriptive title for the postconnection action in the Description box.
3. In Program to Run, enter the name of your baseline script. You can also use the Browse button to look for it.
4. Type the command-line switches and their arguments in the Parameters box.
5. Select Post-Connect from the Action type drop-down list.
6. Finally, check the two bottom boxes, Include the Custom Action Program with This Service Profile and Program Interacts with the User.
7. Click OK, and you should return to the Custom Actions screen. Click Next. Continue filling in the wizard screens as appropriate, until you come to the Additional Files screen, as depicted in Figure 7-3.

Figure 7-2. The New Custom Action dialog box

Figure 7-3. The CMAK wizard Additional Files screen

8. Click Add, and then enter RQC.EXE in the dialog box. You can use the Browse button to search for it graphically. Once you're finished, click OK.
9. You'll be returned to the Additional Files screen, where you'll see RQC.EXE listed. Click Next. Complete the remainder of the wizard as appropriate.

Distributing the profile to remote users

The profile you created earlier is made into an executable file that can be distributed to your remote users and run on their systems automatically. This creates the profile without any intervention after that. There are several options for actually getting that executable file to your users.

You could transmit the executable file as an attachment to an email message or, better yet, make a link to the executable file hosted on a Web server somewhere. In the email message, you could include instructions to run the file and use those new connectoids for all future remote access. You could also have the executable run as part of a logon or logoff script, but to do that, you'd need to either have your users log on through a dial-up connection, or wait until the mobile users returned to the home network and connected to the network at the corporate campus.

Regardless of which method you choose to initially transmit the profile installer to your users, you should always place the latest version of the profile installer on a quarantined resource somewhere, so that client computers that don't pass your baseline script's compliance checks can surf to a Web site and download the latest version without compromising the integrity of your network further.

Configuring the quarantine policy

The final step in this process is to configure the actual quarantine policy within RRAS. In this section, I'll create a quarantine policy within RRAS that assumes you've posted the profile installer on a Web server that is functioning as a quarantined resource. Incidentally, the RRAS machine needs only to be running Server 2003.

NOTE: If RRAS is configured to use the Windows authentication provider, then RRAS uses Active Directory or an NT 4 domain (remember, it doesn't need to belong to an Active Directory-based domain) to authenticate users and look at their account properties. If RRAS is configured to use RADIUS, then the RADIUS server must be a Server 2003 machine running Internet Authentication Service (IAS). IAS likewise uses Active Directory or an NT domain to authenticate users and look at their account properties.

1. Open the RRAS Manager.
2. In the left pane, right-click Remote Access Policies, and then select New Remote Access Policy from the context menu. Click Next through the introductory pages.
3. The Policy Configuration Method page appears, as shown in Figure 7-4. Enter Quarantined VPN remote access connections for the name of this policy, and then click Next.

Figure 7-4. The Policy Configuration Method screen

4. The Access Method screen appears. Select VPN, and then click Next.
5. On the User or Group Access screen, select Group, and then click Add.
6. Type in the group names that should be allowed to VPN into your network. If all domain users have this ability, enter Everyone or Authenticated Users. I'll assume there's a group called VPNUsers on this domain that should have access to VPN capabilities. Click OK.
7. You'll be returned to the User or Group Access page, as shown in Figure 7-5, and you'll see the group name you added appear in the list box. Click Next if it looks accurate.

Figure 7-5. The User or Group Access screen

8. The Authentication Methods screen appears. To keep this example simple, use the MS-CHAP v2 authentication protocol, which is selected by default. Click Next.
9. On the Policy Encryption Level screen, make sure the Strongest Encryption setting is the only option checked, as shown in Figure 7-6. Then click Next.

Figure 7-6. The Policy Encryption Level screen

10. Finish out the wizard by clicking Finish.
11. Back in RRAS Manager, right-click the new Quarantined VPN remote access connections policy, and select Properties from the context menu.
12. Navigate to the Advanced tab, and click Add to include another attribute in the list.
13. The Add Attribute dialog box is displayed, as depicted in Figure 7-7.

Figure 7-7. The Add Attribute dialog box

14. Click MS-Quarantine-Session-Timeout, and then click Add.
15. In the Attribute Information dialog box, type the quarantine session time in the Attribute Value field. Use a sample value of 60 for this demonstration; the value is measured in seconds. In production the timeout must cover the time your baseline script needs to run and report, or compliant clients will be disconnected before RQC.EXE reaches the listener. Click OK, and then OK again to return to the Advanced tab.
16. Click Add. In the Attribute list, click MS-Quarantine-IPFilter, and then click Add again. You'll see the IP Filter Attribute Information screen, as shown in Figure 7-8.

Figure 7-8. The IP Filter Attribute Information dialog box

17. Click the Input Filters button, which displays the Inbound Filters dialog box.
18. Click New to add the first filter. The Add IP Filter dialog box is displayed. In the Protocol field, select TCP. In the Destination port field, enter 7250. Click OK.
19. Now, go back to the Inbound Filters screen, and select the Permit Only the Packets Listed Below option. Your screen should look like Figure 7-9.

Figure 7-9. The completed Inbound Filters screen

20. Click New and add the input filter for DHCP traffic, and repeat the previous steps. Make sure to include the appropriate port number and type as described earlier in this chapter.
21. Click New and add the input filter for DNS traffic, and repeat the previous steps. Make sure to include the appropriate port number and type as described earlier in this chapter.
22. Click New and add the input filter for WINS traffic, and repeat the previous steps. Make sure to include the appropriate port number and type as described earlier in this chapter.
23. Click New and add an input filter for a quarantine resource, such as the Web server where your profile installer is located. Specify the appropriate IP address for the resource in the Destination Network part of the Add IP Filter screen, as shown in Figure 7-10.

Figure 7-10. The Add IP Filter box, where you add a quarantined Web resource

24. Finally, click OK on the Inbound Filters dialog box to save the filter list.
25. On the Edit Dial-in Profile dialog box, click OK to save the changes to the profile settings.
26. Then, to save the changes to the policy, click OK once more.

Creating exceptions to the rule

Although it's certainly advantageous to have all users connected through a quarantined session until you can verify their configurations, you may find some logistical or political problems within your organization that mitigate this requirement. If so, the simplest way to excuse a user or group of users from participating in the quarantine is to create an exception security group in Active Directory. The members of this group should be the ones that need not participate in the quarantining procedure. Using that group, you should create another policy that applies to the exceptions group, configured with the same settings as the quarantine remote-access policy you created earlier in the chapter.

This time, though, don't add or configure either the MS-Quarantine-IPFilter or the MS-Quarantine-Session-Timeout attributes. Once you've created the policy, move the policy that applies to the exceptions group so that it's evaluated before the policy that quarantines everyone else.

Checklist: Hardening Windows School: Advanced checklist on network access quarantining
14 Jun 2005 | Jonathan Hassell | SearchWindowsSecurity.com

One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep into your network is not through firewall holes or brute-force attacks, nor is it any means that might occur at your campus or corporate headquarters. It's through mobile users trying to connect to your business network while on the road. Consider why that is the case: Most remote users are authenticated only on the basis of their identities, and no effort is made to verify that their hardware and software meet certain baseline requirements. It is not uncommon for remote users to fail any or all of the following guidelines:
• The latest service pack and security hotfixes must be installed.
• The company-standard antivirus software must be installed and running with the latest signature files.
• Internet or network routing must be disabled.
• Windows XP Internet Connection Firewall (ICF) (now named Windows Firewall) or any other approved firewall must be installed, enabled and actively protecting ports on the computer.
You would expect business desktops to follow policy, but mobile users have traditionally been forgotten or grudgingly accepted as exceptions to the rule. Therefore, they become an active port for malware to enter and infect your network. That's why I'm going to explain why you need to use a security feature introduced in Windows Server 2003, Network Access Quarantine Control (NAQC), which gives you a chance to vet computers trying to access your network remotely. Sound like a decent idea? Browse through the checklist below to learn more about quarantining.

Hardening Windows School Checklist: Know your network access quarantine options

Understand how Network Access Quarantine Control (NAQC) works
Here's basically how NAQC works: Under NAQC, when a client establishes a connection to a remote network's endpoint (a machine running the Routing and Remote Access Service (RRAS)), the destination Dynamic Host Configuration Protocol (DHCP) server gives the remote, connecting computer an IP address, but the remote access policy, whether held on the RRAS server itself or on an Internet Authentication Service (IAS) server, places the connection in a "quarantine mode."

In quarantine mode, a set of packet filters restricts the traffic sent to and received from the remote access client, effectively closing ports, and a session timer limits how long a remote client's connection may remain in quarantine mode before it is terminated. Once the remote computer is in quarantine mode, the client computer automatically executes the baseline script. If the script is satisfied with the result, it contacts the listening service running on the Windows Server 2003 back-end machine to report it; quarantine mode is then removed and normal network access is restored. If the checks fail, the client is eventually disconnected when the session timer reaches the configured limit, as described above.

Decide on your preferred criteria for allowing regular access to your network
What would you like to check when remote users try to connect? Here are some ideas:
• The latest approved operating system service packs installed
• Antivirus software installed, working and updated with the latest signature files
• Firewall protections enabled
• Internet routing disabled

Begin planning your resource areas for users in quarantine mode
Under NAQC, you can establish a limited set of resources within the quarantine area where users can download information and software to help them rectify any issues that prevent them from accessing the unrestricted network. Consider posting a Web page explaining the quarantine process. Include information on how to get help from the help desk. You might also include a link to the latest service pack, a copy of your corporate antivirus software and individual links to hotfixes that you require. Give your users the power to self-correct their problems while still enhancing security on your network.

Explore the Routing and Remote Access Service (RRAS) policy functionality
A great guide to RRAS can be found at ServerWatch.com, and Chapter 11 of my book Learning Windows Server 2003 explains how to set up RRAS and teaches you how to use policies and quarantining.

About the Author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, PC Pro and Microsoft TechNet magazine. He speaks around the world on topics including networking, security and Windows administration.

Checklist: Harden access control settings
12 Jul 2005 | Roberta Bragg | SearchWindowsSecurity.com

Whether you're protecting sensitive data from malicious outsiders or preventing internal users from accessing systems not assigned to them, you have your work cut out for you when it comes to access control. This collection of checklists written by Roberta Bragg will help you along your way. She details specific steps to take in locking down default Windows access control settings and offers access control best practices.

Checklist 1: Three security mandates for any Windows environment

Disable or rename the Administrator account

It's important to prevent or restrict access to the local Administrator account. Attackers are well aware of it and its all-powerful presence on the computer, and malicious software is often written to use this account.

Security Option: Use "Accounts: Administrator account status" to disable the Administrator account on Windows XP and Windows Server 2003 computers. On Windows 2000 computers this option is not available; instead you can thwart attacks by renaming the Administrator account.

Security Option: Use "Accounts: Rename Administrator Account" to rename this account in Windows 2000. Even on computers where you can disable the Administrator account, you should rename it. If an attack involves the use of an account named "Administrator" and no such account exists, then the attack will not work.

So what are the problems with disabling or renaming the Administrator account? First, some people are under the false impression that they must use the Administrator account to administer the computer. If it's disabled, how can they administer the computer? Preventing the use of the Administrator account does not mean you or others can't have administrative rights on the computer. Each user requiring such access can have an account with membership in the Administrators group. Disabling and renaming the account does not prevent administrative access, and another account with administrative privileges can always be used to re-enable the Administrator account.

Second, many people will complain that this is security through obscurity. An attacker might be able to deduce the account name or SID, they say, so disabling or renaming the account is not a sure preventative. Keep in mind that internally Windows computers use a unique security ID (SID), not a name. This SID is composed of a unique number (the machine or domain identifier) and a standard relative ID (RID); the built-in Administrator account always has RID 500, so you cannot change that part. An attacker or well-crafted malicious program can easily determine the Administrator account SID, and if the attacker knows the SID, simply renaming the account does nothing. While the attacker would still have to know or deduce the account's password to use it, he won't have the chance to try if the account is disabled. (A future checklist will tell you how to protect Windows from such attacks.)

Disable or rename the Guest account

While the Guest account has few privileges, it is included in the Everyone group when permissions are being evaluated, and the Everyone group can access many systems. Disabling and renaming this account may only remove low access rights; it just makes it harder for would-be attackers to get in, but it is a step that can be done quickly and easily, and doing so will typically cause no problems. The Guest account should be disabled by default; you just have to make sure it stays that way, or rename it.

Security Option: Use "Accounts: Rename Guest Account" to rename the account.

Hide logon names

By default the last account used to log on is displayed on the logon screen after the user has logged off. This allows anyone in close proximity to the machine to read the name, giving him half of the information he needs to access the computer and perhaps the network. He still has to know or deduce the password, but his job is easier than if he had to obtain both the account name and its password. Once again, some people will say these measures are security by obscurity and offer little value. They'll ask who cares if someone knows Joe User's logon name. Remember that not every user has limited access. They'll also maintain that it's a nuisance for users to enter their account names each time they log on. Baloney! A few keystrokes are all it takes. Requiring users to enter their information each time also ensures that they know their account names. You really don't want others to know the logon account names for administrators or other highly privileged users, and hiding the logon name can help you guard that information.

Security Option: Use the "Interactive logon: Do not display last user name" option to ensure the previously used logon name is removed from the logon screen.

How to find and set the above Security Options

On a workgroup server or desktop (computers that are not joined in a domain)
1. Start/Administrative Tools/Local Security Policy
2. Navigate to Local Policies/Security Options
3. Scroll down to the appropriate setting.
4. Make the recommended change.

In a domain environment
The first step in making any change to Group Policy in a domain environment is to ensure that the change does not violate official organization security policy. Group Policy management should be assigned to a limited number of administrators, and technical controls should also be in place to enforce this. Make sure you clear changes appropriately. Use the following steps to stay in compliance:

" SearchSecurity. If share permissions are not correct.1." When enabled. Keep this option disabled to prevent access." On Windows XP and Windows Server 2003 systems. once disabled. retrieves the computer part of the SID. prevents anonymous SID/name translation. When both this and the above security options are used. Scroll to the appropriate setting. 2. Disable the option "Network Access: Allow anonymous SID/name translation. Combine this option with the one below to keep an attacker from using an anonymous connection to deduce account names. Enter the names of named pipes if necessary in option "Network Access: Named Pipes that can be accessed anonymously. you need to block anonymous connection to stop data theft.com Copyright TechTarget 2006 93 . adds the known Administrator account portion and then uses the deduced SID in a logon attack or to figure out the new name of the Administrator account. Create or open the Group Policy Object that will apply to computers you want to manage. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts/shares. translates the account into a SID. you can keep the changed name of the Administrator account hidden from an attacker using an anonymous connection. which block anonymous access and other types of attacks that use anonymous access. Shares offer opportunities for system connections and data theft. Navigate to Windows Settings/Security Settings/Local Policies/Security Options. 3. where the group is given access permissions. Checklist 2: Block anonymous access To deduce the SID of the Administrator account. then anonymous access won't matter. this option also prevents anonymous enumeration of shares. If shares are properly protected by permissions." This option. 4. anonymous users are excluded from the Everyone group and cannot gain access to resources given to that group. or when they inadvertently offer access to an anonymous connection. 
this option prevents the enumeration of the user account list via an anonymous connection." When enabled. To foil this process. This option comes in handy on systems like Windows 2000. Disable the option "Network Access: Let Everyone permissions apply to anonymous users. Make the recommended change. Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts. which include the anonymous SID in the Everyone group. the attacker obtains the account list. use the security options below.
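The deduction this checklist describes, worked through as an added example that is not part of the article. Given any account name an anonymous session can translate to a SID, the attacker keeps the machine (or domain) part, swaps in the well-known RID 500 to get the Administrator account's SID, and translates that SID back to its current name. The SAM contents and SIDs below are constructed, and the lookup tables stand in for the LSA name/SID translation calls that the two Security Options switch off; the model treats the enumeration and translation settings as independent switches, as the text does.

```python
import re
from typing import Dict, Iterable, List, Optional

ADMINISTRATOR_RID = 500   # fixed RID of the built-in Administrator account on every Windows system

# Machine and domain account SIDs look like S-1-5-21-<id>-<id>-<id>-<RID>
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def machine_part(sid: str) -> str:
    """Strip the RID, leaving the machine (or domain) identifier the attacker needs."""
    match = ACCOUNT_SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a machine or domain account SID: {sid}")
    return sid[: -len(match.group(1)) - 1]


def deduce_admin_sid(any_account_sid: str) -> str:
    """Same machine part, RID 500: renaming the account does not change this value."""
    return f"{machine_part(any_account_sid)}-{ADMINISTRATOR_RID}"


# Constructed SAM of a workstation whose Administrator was renamed to "svc_backup".
# In reality these tables are what LsaLookupNames/LsaLookupSids return over a null session.
SAM: Dict[str, str] = {
    "jdoe":       "S-1-5-21-1234567890-234567890-345678901-1104",
    "svc_backup": "S-1-5-21-1234567890-234567890-345678901-500",
    "Visitor":    "S-1-5-21-1234567890-234567890-345678901-501",
}


def anonymous_view(enumeration_allowed: bool, translation_allowed: bool):
    """What a null-session caller can do under the two Security Options.

    enumeration_allowed -> "Do not allow anonymous enumeration of SAM accounts" is Disabled
    translation_allowed -> "Allow anonymous SID/name translation" is Enabled
    """
    names: List[str] = list(SAM) if enumeration_allowed else []
    by_sid = {sid: name for name, sid in SAM.items()}

    def name_to_sid(name: str) -> Optional[str]:
        return SAM.get(name) if translation_allowed else None

    def sid_to_name(sid: str) -> Optional[str]:
        return by_sid.get(sid) if translation_allowed else None

    return names, name_to_sid, sid_to_name


def find_renamed_administrator(enumeration_allowed: bool, translation_allowed: bool,
                               guesses: Iterable[str] = ()) -> Optional[str]:
    """The attack from the checklist: take any account the anonymous session can name,
    convert it to a SID, swap in RID 500, and translate the result back to a name.
    Without enumeration the attacker falls back to guessing usernames."""
    names, name_to_sid, sid_to_name = anonymous_view(enumeration_allowed, translation_allowed)
    for candidate in names or list(guesses):
        sid = name_to_sid(candidate)
        if sid is not None:
            return sid_to_name(deduce_admin_sid(sid))
    return None


if __name__ == "__main__":
    for enum_ok, xlate_ok in ((True, True), (False, True), (True, False), (False, False)):
        found = find_renamed_administrator(enum_ok, xlate_ok, guesses=("jdoe",))
        print(f"enumeration={enum_ok!s:5} translation={xlate_ok!s:5} -> Administrator is {found!r}")
```

The run shows why the checklist pairs the two options: blocking enumeration alone still lets an attacker who can guess one ordinary username (jdoe) recover the renamed account, while blocking translation removes the SID-to-name step the attack depends on. Only the combination leaves the attacker with nothing to work from anonymously.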

Enter the names of shares if necessary in the option "Network Access: Shares that can be accessed anonymously." Here again, some legacy applications may require anonymous access to shares. Instead of allowing anonymous access to all shares, enter only the names of shares that require anonymous access.

Enter the names of named pipes if necessary in the option "Network Access: Named Pipes that can be accessed anonymously." Named pipes are another way network connections can be made by client/server programs, where one part of a program runs on one computer and another part on another computer. Some legacy programs require anonymous access over these named pipes. If anonymous access is blocked, use this option to allow it only where required.

Checklist 3: How to properly set account lockout options

It seems some tried and tested security recommendations are backfiring. Specifically, take the usual advice to set account lockout options in a Windows domain. If you do set account lockout and someone tries to log on to an account using the wrong password, the account will automatically lock after the specified number of tries, and no one can log on using it. Setting this option is supposed to provide two advantages:
1. A would-be attacker can't use the account unless he's capable of guessing the password within the number of tries you set.
2. If you have enabled auditing, configured it to record these events and reviewed your logs, you may discover these attempts at compromise.
On the other hand, setting this option may also bring two disadvantages:
1. Legitimate users may fumble-finger attempts at logon and lock themselves out. Does this seem far-fetched? I once did so in front of an audience of 500 people.
2. Automated attacks on accounts can trigger wholesale lockout of multiple accounts. The password cracking attempt becomes a denial-of-service attack (and some say that may have been the goal).
Still, I believe that properly implemented account lockout options can work to your advantage. Here's how to use them. Account lockout settings should be set in a Group Policy Object linked to the domain. You'll find them at Windows Settings/Security Settings/Account Policies/Account Lockout Policy.

Set account lockout threshold to 25 invalid logon attempts
After 25 tries the account will be locked out. It does give the attacker a little more time to get the password, but unless the password is simple, 25 tries is hardly enough to compromise the account. (Even I don't think I'd enter an incorrect password 25 times!) This should keep the authorized user from locking themselves out just because they are having a brain hiccup. That can also keep the help desk calls down.
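The three Account Lockout Policy settings this checklist covers (threshold, lockout duration and the reset-counter window), run through a small simulation added here that is not part of the article, so you can see how they interact and what an attacker's pacing buys. Times are in minutes, the lockout semantics are modelled as Windows applies them (a bad password during a lockout is rejected without being counted, the counter clears when the lockout ends or when the reset window has elapsed since the last failure), and the attacker and user sessions are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """The three Account Lockout Policy settings; durations are in minutes."""
    threshold: int          # Account lockout threshold (0 = never lock out)
    duration_min: int       # Account lockout duration (0 = locked until an administrator unlocks)
    reset_after_min: int    # Reset account lockout counter after


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[float] = None
    locked_until: Optional[float] = None   # None = not locked; inf = needs administrator unlock

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until


def failed_logon(policy: LockoutPolicy, state: AccountState, now: float) -> str:
    """Apply one bad password at minute `now`.

    Returns 'rejected' (already locked, attempt not counted), 'locked_out' (this
    attempt reached the threshold) or 'counted'.
    """
    if state.is_locked(now):
        return "rejected"
    if state.locked_until is not None:
        # the lockout duration has expired: the account unlocks and its counter clears
        state.locked_until = None
        state.bad_count = 0
    if state.last_bad_at is not None and now - state.last_bad_at >= policy.reset_after_min:
        state.bad_count = 0          # reset window elapsed since the last failure
    state.bad_count += 1
    state.last_bad_at = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = float("inf") if policy.duration_min == 0 else now + policy.duration_min
        return "locked_out"
    return "counted"


def admin_unlock(state: AccountState) -> None:
    """What the help desk does when the duration is 0 (or the user cannot wait)."""
    state.locked_until = None
    state.bad_count = 0


def run_paced_attack(policy: LockoutPolicy, burst: int, pause_min: float, total_min: float) -> Dict[str, int]:
    """Attacker fires `burst` guesses at once, waits `pause_min`, and repeats for `total_min` minutes."""
    state = AccountState()
    stats = {"counted": 0, "locked_out": 0, "rejected": 0}
    t = 0.0
    while t < total_min:
        for _ in range(burst):
            stats[failed_logon(policy, state, t)] += 1
        t += pause_min
    return stats


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=25, duration_min=30, reset_after_min=30)
    day = 24 * 60
    print("24 guesses, then a full 30-minute pause:", run_paced_attack(policy, 24, 30, day))
    print("24 guesses, then only a 2-minute pause: ", run_paced_attack(policy, 24, 2, day))
```

The first run is the quiet attacker: 1152 guesses a day against the 25/30/30 settings and never a single lockout event, which is why the auditing step later in this checklist matters. The second run shows what happens when the pause is shorter than the reset window: a lockout roughly every half hour, most guesses rejected, and the legitimate user locked out for most of the day, the denial of service the checklist warns about. Because the counter clears only once the reset window has passed since the last failure, the pause between bursts has to be the full window for the attacker to stay below the threshold.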

That can also keep the help desk calls down. But she'd have to know your settings. It also allows an attacker to program around your defense. On second thought. All the attacker has to do is wait out the lockout time and try again. then continue the cycle until she succeeds. you're missing many other more subtle attempts at compromise. SSL or other secure remote-access processes.. a time-consuming venture in a large environment -. It may be the only way to nip such an attack in the bud or prevent it from occurring again by helping you discover the source of the attack. Unless an attacker can establish such an authenticated. and if you're doing a good job of reviewing your audit logs. Your legitimate users have to be able to authenticate to the domain. you will increase the risk that an attack can succeed. then none for a couple of minutes. However. he can't run an automated attack from the Internet. you should notice this pattern pretty quickly. for example. this is the default if the threshold is set. Isolate resources you make available to these users. How can you protect yourselves from their abuse of this privilege? Every SearchSecurity. the counter won't continue to increase if the time limit is reached. customers and others whom you may allow access to your networks. Yes. By providing a time here. All she has to do is fly in under your radar (so to speak). This setting returns that total to zero after the number of minutes you prescribe.a real showstopper should you get massive account lockout due to an automated attack. The alternative is to require administrators to reset accounts. Set the "reset account lockout counter after . Protect accounts from insider attacks This is the really rough one. You shouldn't be able to logon from the Internet without some remote-access service such as a VPN. 24 tries in 30 minutes. make your account lockout duration something other than 30 minutes. sending. They shouldn't have free access to your entire network. 
Protect accounts from automated attacks originating from external users Protect accounts from automated attacks originating from partners. That should let you know that something is amiss. Protect accounts from automated attacks originating from the Internet Where would such attacks come from? Intuition says from the Internet. It's a good idea to set this feature." option to 30 minutes Windows keeps track of the number of bad password attempts in a lockout counter. Set auditing for logon events and monitor logs Account lockout locks out accounts.com Copyright TechTarget 2006 95 .. Let's foil the would-be attacker reading this document. Block NetBIOS ports from Internet access and require the use of VPNs. if you aren't auditing logon events.Set account lockout duration to 30 minutes For Windows Server 2003. authorized connection. The account lockout duration is the length of time that the account will remain locked out before it is reset.
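The lockout settings above, and the audit review they depend on, as an added example that is not from the original guide. It assumes the ActiveDirectory PowerShell module (RSAT) for the policy step and a host whose Security log uses the Vista-and-later event ID 4625 for failed logons (on Windows Server 2003 the equivalents are 529/539, and a lockout is 644 rather than 4740). The sample events are constructed; the commented Get-WinEvent call shows where real ones come from.

```powershell
# Added example, not from the original guide. Requires the ActiveDirectory module
# for Set-LockoutPolicy; Find-UnderRadarAttempts works on plain objects.

function Set-LockoutPolicy {
    # Applies the Checklist 3 values to the domain; remove -WhatIf to make the change.
    # The observation window must not exceed the lockout duration, and the duration
    # is deliberately not the 30-minute default the text warns about.
    param([int]$Threshold = 25, [int]$DurationMinutes = 45, [int]$WindowMinutes = 30)
    Import-Module ActiveDirectory
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
        -LockoutThreshold $Threshold `
        -LockoutDuration (New-TimeSpan -Minutes $DurationMinutes) `
        -LockoutObservationWindow (New-TimeSpan -Minutes $WindowMinutes) -WhatIf
}

function Find-UnderRadarAttempts {
    # Reports accounts whose densest burst of failures inside one observation window
    # came close to the threshold without reaching it: the "24 tries in 30 minutes"
    # pattern that never trips a lockout and so never raises event 4740.
    param(
        [Parameter(Mandatory)] [object[]]$FailedLogons,   # objects with Time, Account, Source
        [int]$Threshold = 25,
        [int]$WindowMinutes = 30,
        [double]$Fraction = 0.8                            # flag at 80% of the threshold
    )
    $window  = New-TimeSpan -Minutes $WindowMinutes
    $minHits = [math]::Ceiling($Threshold * $Fraction)
    foreach ($group in ($FailedLogons | Group-Object -Property Account)) {
        $times = @($group.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        $best  = @{ Attempts = 0; From = $null; To = $null }
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Slide the window start forward until failures [start..end] fit in $window
            while (($times[$end] - $times[$start]) -gt $window) { $start++ }
            $hits = $end - $start + 1
            if ($hits -gt $best.Attempts) {
                $best = @{ Attempts = $hits; From = $times[$start]; To = $times[$end] }
            }
        }
        if ($best.Attempts -ge $minHits -and $best.Attempts -lt $Threshold) {
            [pscustomobject]@{
                Account  = $group.Name
                Attempts = $best.Attempts
                From     = $best.From
                To       = $best.To
                Sources  = (($group.Group | ForEach-Object { $_.Source } | Sort-Object -Unique) -join ',')
            }
        }
    }
}

# Real input (needs rights to read the Security log). In a 4625 event, Properties[5]
# is TargetUserName and Properties[19] is IpAddress; confirm against one event on your host.
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[5].Value; Source = $_.Properties[19].Value } }

# Constructed sample: 24 failures against jsmith spread over 27.6 minutes from one
# address, and three ordinary typos against asmith hours later.
$t0 = Get-Date '2006-03-01 02:00'
$sample = @(0..23 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes($_ * 1.2); Account = 'jsmith'; Source = '10.0.0.77' } }) +
          @(0..2  | ForEach-Object { [pscustomobject]@{ Time = $t0.AddHours(7).AddMinutes($_); Account = 'asmith'; Source = '10.0.0.15' } })

Find-UnderRadarAttempts -FailedLogons $sample | Format-Table -AutoSize
```

Against the sample the report contains jsmith (24 attempts inside one window, from a single address) and not asmith, whose three failures are below the 20-attempt flag line. Accounts that actually cross the threshold are deliberately left out: they lock, and the lockout event is its own alert.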

Checklist 4: Restrict access to prevent insider hacks

Insiders are often to blame for more computer compromises than outsiders. That means your employees and fellow workers create more havoc for your network than all the malicious people on the Internet. Limit your losses by preventing users from accessing sensitive systems and logging on to machines other than those assigned to them.

Step 1: Keep users out of systems that don't concern them.
By default, users can log on at any computer in the domain, and you may not want that. Quarantine users so they can only access and log on to a limited number of computers. To do so, open their account property pages in Active Directory Users and Computers, select the Account tab and click the Log On To button. Next click "The following computers," enter the name of a computer the user is allowed to access and click the Add button. If users must have access to multiple desktop computers and laptops, simply add those computer names. This works well when multiple people need to use any one of several computers in a lab or department. If you want to keep an account from logging on at any computer, just enter the name of a non-existent computer. Setting log-on-to computers does not restrict users from accessing data on other computers across the network. To limit network access, configure user rights.

Step 2: Restrict rights that directly impact computer access.
User rights specify what a user can do on a computer. User rights configuration is similar to file permission settings: if the right is not granted, the user does not have it. User rights are located in the GPO under Windows Settings --> Security Settings --> Local Policy --> User Rights Assignment. Set them in the default domain controller Group Policy Object (GPO) to limit access on domain controllers, and in GPOs linked to organizational units when you want to impact a subsection of computers joined in the domain. WARNING: You can seriously hamper user ability to log on by setting the wrong user rights. Please do the following steps in a test environment. The following rights directly impact access to computers and should be limited.

• Access this computer from the network. This right only allows identified user groups access to the computer; if a user does not have the right to access the computer, he is denied access implicitly. By default, the Everyone group has this right. You'll want to set file permissions, but before you do, restrict who can reach the computer over the network at all. To restrict this right, add the groups that should have the right to access the computer, and then remove the Everyone group. Be careful not to lock out service accounts.

• Deny access to this computer from the network. Remember, a deny right overrides an allow right. Use this right sparingly, to define those accounts that should never, under any circumstances, access the computer from the network. You could use this right to prevent the local administrator account from being used on the network.

Step 3: Harden log on and deny logon rights.
Each right has an associated counterpart -- a deny user right. Be careful handling log on and deny logon rights. Use deny rights sparingly, usually only to manage those accounts that should never have the right. Follow the table below for recommendations.

User right: Allow log on locally
Meaning: If a user has this right, he can sit at the console and log on.
Recommendation: Restrict access to all servers by adding groups that represent those authorized to configure or manage the server, then remove the Users group. If the machine is a terminal server, users need this right; locking up local log on is not the choice to make. By default, the SUPPORT_388945a0 account is denied this right (Windows Server 2003 locks out that account).

User right: Allow log on through Terminal Services
Meaning: Needed by users if this machine is a terminal server.
Recommendation: Restrict Terminal Services to those users who are actually authorized to use the servers.

User right: Log on as a batch job
Meaning: Batch jobs are jobs that run in the background. They are often scheduled with the Task Scheduler.
Recommendation: Limit this right only to accounts that might be used to run these types of jobs -- and then only if the accounts need it. Ordinary users do not need it. By default, the SUPPORT_388945a0 account, the local service account and the Internet Information Services-related accounts and group (IUSR, IWAM and IIS_WPG) are given this right. Don't remove these unless the tasks they perform are no longer necessary on these computers.

User right: Log on as a service
Meaning: Services also run in the background.
Recommendation: Limit this right to services that may need it (by default the network service account is given this right). Be cautious here.

Checklist 5: Set account options to limit systems access

Password policies aren't the only way to control access to your Windows systems. You don't make everyone an administrator, right? So why not restrict access using all the tools at your disposal? I don't mean you should invest in chains, whips or restrictive leather gear -- just use native Windows tools like account options to limit system access. An account that grants access to your computer systems is a privilege, not a right. Not everyone should have an account, nor should employees with accounts have unrestricted access to your systems, as you'll learn in the checklist below. Following the checklist, you'll find steps for actually locating and changing account options in Active Directory.

Set logon hours
This is the span of time users are authorized to logon. Restricting logon to normal work hours prevents users, or anyone who learns their account and password information, from accessing your network at off hours when few people are around to discover the unauthorized access. Setting logon hours can also hamper unauthorized use of remote access during those hours. It is especially important to limit guests, students and contractors.

Set log-on-to machines
Being able to logon from any computer in the domain is a nice convenience. Selecting specific computers to use for logon may help prevent unauthorized actions that could result in data theft or damage.

Set "Smart card is required for interactive logon" where smart cards are used
Smart card technology helps you escape the many weaknesses of password use. If you don't require smart cards for interactive logon, you've lost that advantage. If users can choose whether or not to use their smart cards, they may forgo the smart card and use a password instead. Also, if the card is optional, users won't have to report a lost smart card in order to get a new one. As a general rule, users should never store PIN numbers with their smart cards, but there is no way to guarantee they won't. If the wrong person finds an envelope with a smart card inside and the PIN number written on it -- game over. If a user reports a missing smart card and must receive a new one to logon, revoke the certificate assigned to the lost smart card to prevent its use.

Set an account expiration date
Many of you hire part-time help, contractors and other temporary workers. When they (or any regular employees) leave their jobs, are you immediately made aware of the change so you can disable and eventually delete their accounts? Leaving excess accounts enabled on your systems is not a good security move. The compromise and use of these accounts might go unnoticed for a very long time. If all accounts have expiration dates set, at least the account will expire when the expected term ends; if they leave early, you still have to disable it. Temporary workers will need to have the date extended in order to work past their length of service. If setting account expiration dates for all employees is difficult to manage, at least set expiration dates for temporary workers.

Set "Account is sensitive and cannot be delegated," at least for administrator accounts
Account delegation is a useful tool for multi-tiered applications. It enables you to delegate authority for access, and gain tighter control and accountability of that access. Delegating administrator accounts, however, is not a good idea; it's a bit too risqué for me. You don't want this to happen. Prevent it by checking the "Account is sensitive and cannot be delegated" box.
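The account options from Checklists 4 and 5 applied with PowerShell rather than the property pages, as an added example that is not from the original guide. It assumes the ActiveDirectory module (RSAT); the group and computer names are placeholders. The logonHours layout (21 bytes, one bit per hour from Sunday 00:00, stored in UTC, least-significant bit first within each byte) is the attribute's documented format, but the UTC shift is easy to get wrong, so check one account in the Logon Hours dialog before rolling the mask out.

```powershell
# Added example, not from the original guide. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Builds the 168-bit logonHours mask for the given local hours on the given days.
    param(
        [int[]]$Days = (1..5),        # 0 = Sunday ... 6 = Saturday
        [int]$StartHour = 7,          # local time, inclusive
        [int]$EndHour = 19,           # local time, exclusive
        [int]$UtcOffsetHours = 0      # local = UTC + offset; the attribute is stored in UTC
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            # Hour-of-week index shifted to UTC and wrapped around the week
            $bit   = ((($day * 24 + $hour) - $UtcOffsetHours) % 168 + 168) % 168
            $index = $bit -shr 3
            $mask[$index] = [byte]($mask[$index] -bor (1 -shl ($bit -band 7)))
        }
    }
    return ,$mask
}

function Set-RestrictedAccountOptions {
    # Applies only the options that were passed; everything else is left untouched.
    param(
        [Parameter(Mandatory)] [string]$Identity,
        [string[]]$AllowedComputers,      # Log On To list (Checklist 4, step 1)
        [byte[]]$LogonHours,              # from New-LogonHoursMask
        [datetime]$ExpiresOn,             # account expiration for temps and contractors
        [switch]$RequireSmartCard,        # "Smart card is required for interactive logon"
        [switch]$NotDelegated             # "Account is sensitive and cannot be delegated"
    )
    $opts = @{}
    if ($AllowedComputers) { $opts.LogonWorkstations      = ($AllowedComputers -join ',') }
    if ($LogonHours)       { $opts.Replace                = @{ logonHours = $LogonHours } }
    if ($ExpiresOn)        { $opts.AccountExpirationDate  = $ExpiresOn }
    if ($RequireSmartCard) { $opts.SmartcardLogonRequired = $true }
    if ($NotDelegated)     { $opts.AccountNotDelegated    = $true }
    Set-ADUser -Identity $Identity @opts
}

# Contractors (placeholder group 'Temps'): two lab PCs, weekdays 07:00-19:00 at a
# UTC-5 site, expiring with the contract, and never delegated.
$hours = New-LogonHoursMask -Days (1..5) -StartHour 7 -EndHour 19 -UtcOffsetHours -5
Get-ADGroupMember -Identity 'Temps' | ForEach-Object {
    Set-RestrictedAccountOptions -Identity $_.SamAccountName `
        -AllowedComputers 'LAB-PC01', 'LAB-PC02' -LogonHours $hours `
        -ExpiresOn (Get-Date '2006-06-30') -NotDelegated
}

# Where smart cards are deployed, take the password fallback away (placeholder user).
Set-RestrictedAccountOptions -Identity 'jsmith' -RequireSmartCard
```

Revoking the certificate on a lost card is a certification-authority action, not an account option, and is not scripted here. Everything in the block is also reachable with the Net User command the text mentions, except logonHours and the delegation flag, which are why the AD module is used.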

How to locate and change account options in an Active Directory domain
Open Active Directory Users and Computers, navigate to the container where user accounts are stored (either the Users container or possibly several organizational units, depending on your Active Directory design) and double click on the user account. To make changes, click on the check boxes or manipulate other controls. Alternatively, write a script. Net User is also helpful in a domain; use it to change account options for multiple accounts at one time. Information on doing both can be found at Microsoft's support site and Microsoft TechNet.

User details on a standalone Windows 2000, Windows XP or Windows Server 2003 computer can be found in the Computer Management\Local Users and Groups\Users container. However, many of the account details described above are not accessible there. To use those that make sense, you'll have to use the Net User command.

Checklist 6: Tighten default settings to prevent unauthorized access

Many people say information security is a journey: No action you take to secure Windows will make much difference if you don't keep doing more and stay one step ahead of your nemesis. Even if you spend lots of money, hire the best people, know security backward and forward, and implement Fort-Knox-like physical security and anti-logic-bomb bunker technologies, you're still going to lose. Someone will be one step ahead of you. Hogfeathers! This kind of attitude will leave you open to attack. Instead of bemoaning what you don't know, what you can't do and what the enemy knows, get a grip and start hardening systems. Meanwhile, doing so, like eating good food and not standing on a hill during a lightning storm, can protect you from an extraordinary percentage of common attacks.

You have to modify Windows system defaults. Defaults are established to help the most people get the most use out of their systems. Sure as letting a bull loose in a glass shop, that will result in damaged goods -- your network and your computers will be penetrated. You should address this issue from the standpoint of what you want your users to be able to do with their systems. If you reduce their possibilities, you also reduce risk. Take the attitude that all things should be locked down, and loosened only after need versus risk has been evaluated.

Start by disabling unnecessary network connections. The key word here is not 'disable' -- it's 'unnecessary.' You may need these connections on some systems, but you should have a security policy that defines how and when to use these connections and how they may be secured. These network connections are enabled by default.

Disable 802.11 wireless network connections

If enabled, 802.11 wireless cards can serve as connection points for attackers even if users don't know that they have wireless capabilities. Even administrators and trained technical users may inadvertently expose their systems to risk by leaving wireless unprotected. If secure wireless networks are implemented and security practices extend to the workstation, then and only then should you enable them. Before disabling, open the 802.11 network connection property page and use the Advanced tab to firewall the connection, and then disable the device. This protects the connection whenever it is enabled.

Disable infrared connections
Infrared technologies allow wireless connectivity primarily for synching with handheld systems, but they may also be used for printing or file transfer. The connection is enabled by default. When another infrared system is in range and its owner wants to transfer a file to your system, a popup asks you if you want the file. It will not distinguish between malware and important files -- that's your job. Files are stored using your privileges. Unchecking the "Allow others to send files to your computer using infrared communications" box in the Wireless Link Control Panel applet prevents accidental transfer.

Disable Bluetooth connections
Bluetooth connections are used for short-range wireless synch or to communicate with a range of wireless devices, such as phones and printers. However, many systems do not need this capability, and your security policy may deny it to others. If you have to rely on Bluetooth, you're taking a risk, which each organization must weigh for itself; firewall the connection. But by all means, turn off Bluetooth unless you know you absolutely need it for wireless devices to work.

Disable FireWire
FireWire -- a fast, short-range network connection often used for connecting audio and video devices -- may be used to network computers together and can be bridged with an Ethernet connection, which enables a system with only FireWire access to reach your network. FireWire is configured using the 1394 network connection viewable in Network Connections.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert, columnist and speaker. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant.
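Checklist 6's first step scripted, as an added example that is not from the original guide: every connection that the policy allow-list does not name and that is wireless, wireless WAN, Bluetooth or 1394 gets disabled. It uses the NetAdapter module (Windows 8 / Server 2012 and later) and Get-PnpDevice (Windows 10 and later), which postdate the Network Connections folder the text describes; the adapter sample is constructed, and the live calls are left in -WhatIf mode.

```powershell
# Added example, not from the original guide. Run elevated; remove -WhatIf to apply.

function Select-UnnecessaryAdapters {
    # Returns the adapters that should be disabled: anything not on the allow-list
    # whose media type or description marks it as 802.11, wireless WAN, Bluetooth or 1394.
    param(
        # Objects with Name, InterfaceDescription and PhysicalMediaType, i.e. what
        # Get-NetAdapter returns (a constructed sample is used below)
        [Parameter(Mandatory)] [object[]]$Adapters,
        # Connections the security policy says this machine needs
        [string[]]$AllowedNames = @('Ethernet')
    )
    $unwantedMedia = @('Native 802.11', 'Wireless WAN', 'Bluetooth', '1394')
    foreach ($adapter in $Adapters) {
        if ($AllowedNames -contains $adapter.Name) { continue }
        $matches = $unwantedMedia | Where-Object {
            $adapter.PhysicalMediaType -like "*$_*" -or $adapter.InterfaceDescription -like "*$_*"
        }
        if ($matches) { $adapter }
    }
}

# Constructed sample standing in for Get-NetAdapter output
$sample = @(
    [pscustomobject]@{ Name = 'Ethernet';  InterfaceDescription = 'Intel(R) PRO/1000 MT';  PhysicalMediaType = '802.3' },
    [pscustomobject]@{ Name = 'Wi-Fi';     InterfaceDescription = 'Intel Wireless-N 7260'; PhysicalMediaType = 'Native 802.11' },
    [pscustomobject]@{ Name = 'Bluetooth'; InterfaceDescription = 'Bluetooth Device (PAN)'; PhysicalMediaType = 'BlueTooth' },
    [pscustomobject]@{ Name = '1394';      InterfaceDescription = '1394 Net Adapter';       PhysicalMediaType = 'Unspecified' }
)
Select-UnnecessaryAdapters -Adapters $sample | Select-Object Name, PhysicalMediaType

# Live run on the local machine: disable the connections, not just unplug them
Select-UnnecessaryAdapters -Adapters (Get-NetAdapter) |
    Disable-NetAdapter -Confirm:$false -WhatIf

# A Bluetooth radio is a device as well as a network connection; disable the device too
Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue |
    Disable-PnpDevice -Confirm:$false -WhatIf

# For a wireless connection the policy allows, treat it as untrusted: the Public
# profile applies the most restrictive firewall rules to that interface.
# Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public
```

Against the sample the selector returns Wi-Fi, Bluetooth and 1394 and leaves Ethernet alone. Keep the allow-list in the policy the text asks for, not in the script, so that the machines that genuinely need wireless are the documented exceptions.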

Security risks associated with granting permissions in Windows XP

I am in the process of a desktop lockdown review for a Windows XP deployment. We need to define the security risks associated with granting permissions to select directories and registry settings for the average user (member of local users). I have found white papers from Microsoft and CIS that recommend certain permissions, but none explain the impact of not granting those permissions.

QUESTION POSED ON: 05 August 2003
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

The reason for granting permissions on registry keys and so forth is to allow custom groups the ability to run applications. The reason permissions are necessary is that some applications insist on making changes or opening files and keys as if to make changes -- permission usually granted only to administrators. Therefore, many companies have found that they need to make users members of administrative groups just so they can run certain applications. There is far less risk granting selected users permission on selected keys, files, etc. than there is in giving them administrative privileges, and therefore access to many more keys and files, as well as elevated privileges. On the other hand, if you are not using applications that require this level of access, then you should not be granting permissions. These permissions are required to allow applications to function. You may want to review the situation by using test groups, then try granting and not granting permissions while running applications to determine if there are some you can eliminate. The free utilities regmon and filemon available from Sysinternals can help you determine exactly which items are being accessed.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert, columnist and speaker. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant.

How to deny access when connecting to a share on a Windows 2003 Server

I have a Windows XP Professional workstation that is trying to connect to a share on a Windows 2003 Server in a workgroup environment. I checked sharing and security permissions for this user, and they are set to full control. When I try to connect to the share on the server, I get an access denied message. Is there anything else I can check to give this user access?

QUESTION POSED ON: 19 July 2004
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Share permissions can be complicated. Both the permissions on the share and the security permissions on the folder must be considered before access is granted. It sounds like you have checked the first obvious thing. The next issue is the user ID. In a Windows workgroup, you must be either using the same user ID and password on both machines, or, when connecting to the share, do so as another user by entering a password and user ID in the "Connect using a different user name" option. Here is a list of things to check:

1. Share permissions.
2. Security permissions on the folder that is shared (and permission on any files and subfolders you want to access).
3. Are you using an account and password for the server?
4. Make sure the local user account on the server is enabled, and not locked out.
5. Check the local security policy of the server -- user rights. Make sure the user name you are using has the right to connect to the server remotely and is not denied the right to logon to this machine.
6. Check the local security policy of the server -- security options. "Accounts: Limit local account use of blank passwords to console logon only." (Don't change this; make all accounts use passwords.)
7. Check to see if any changes have been made to security policy.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert, columnist and speaker. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant.

How to detect when non-domain laptops are plugged in to Windows Server 2003

We are trying to stop users from plugging in laptops that are not part of the domain for security reasons. Every once in a while we see a crazy workgroup name on the network. My question: Is there any way I can set up some type of alert so when this does happen I will be notified? Thanks.

QUESTION POSED ON: 13 September 2004
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Some network management products may have this facility, but they never talk about anything other than monitoring performance. Cisco has a product, Secure Access Control Server for Windows, that can configure access control lists on firewalls, routers, switches and so on to control access. There are also some new technologies that might help. They are based on either requiring every computer to be scanned and pass a security review before being able to connect to the network, or requiring a set of access control lists on switches and other network devices. In the first case, the security review can look for things like computer identity and refuse access to those not authorized. This is similar to the Network Quarantine control process available with Microsoft Windows Server 2003, but for the LAN. This is a new technology that Microsoft is working on. The user might plug the computer into a jack, but cannot access anything since the computer cannot pass the security test.

In the second case, IPSec policies are used on domain resource computers and require any computer to have its own certificate and authenticate before accessing resources. Desktop systems owned by your company will need appropriate certificates provided, as will servers. The user may be able to plug his computer into the network, but any attempt at accessing a network resource will be "access denied" since the computer cannot pass the security test. Microsoft has a document on how they implemented this solution, which is called Domain Isolation.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert, columnist and speaker. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant.

How to set up dual administrative controls for tighter security in Windows 2000

I work in a large corporation as a liaison between finance and IT. We have an application used to conduct very sensitive transactions. It can be set up to use Windows authentication to grant access, assuming that users have been made members of the appropriate global groups that have access to the network/database resources (group membership is controlled exclusively by a group manager within finance in this case). Using the features of Windows authentication is good because it reduces finance's need to know IT and maintain an IT infrastructure, for which we don't have either the expertise or the budget. Instead, we can piggyback on IT's engineered solution rather than having to support our own. We have Active Directory in place worldwide.

But there is one critical issue for us following our corporate security standards implemented through AD -- a single helpline person has the authority to reset passwords for user IDs. In the worst case, a malicious, knowledgeable helpline person could reset a user's password and then enter our sensitive finance system, posing as an authorized user. Finance can't tolerate a single administrative authority outside our organization with the ability to control access to our system in this manner (our back door). On the other hand, finance is at risk if that authority resides completely within finance, too, because that person would probably possess much more knowledge about our sensitive system and how to violate it. What we want is dual administrative activities to take place when a user requests their password to be reset -- allow the helpline to reset the user password as per our corporate standard, but require a second, unrelated person to confirm the validity of the action from within finance for users of this particular system. The question is how. Corporate documentation on AD consists of mountains of intranet documents on the rollout and objectives, replication and otherwise making sure it works from an IT perspective. What I want is a little finance/business-relevant functionality.

If somehow a network agent were able to monitor members of the global group that grants access to our application and then, if a password change was made to any member, they'd be automatically removed from the global group, which only finance can administer (i.e., add them back to the group). In that case, a password reset by the helpline would also require finance to restore membership to the group with access to the application (dual administrative control when a password reset takes place). Is there any way that AD could be configured such that a password reset could trigger removal from certain sensitive network groups that the AD administrator would NOT have control over? This would allow for dual administration and less risk of an internal hacker accessing sensitive network resources. Is there another way that dual administration could be implemented when resetting a user's password? Would group policies help? Should we monitor event logs and send alerts that would run VB scripts to remove the member?

QUESTION POSED ON: 05 June 2003
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Yes, yes, yes. I like the concept. It separates duties. There would have to be collaboration for a malicious act. I know of no way to take out-of-the-box AD and make it remove this privilege for the administrator. (There may be some deep and dirty AD config in the ACLs, but an admin could change them back.) However, your solution might work. You could script removal from a group after password reset, that is, write a password reset script that first removes the user from a group, then resets the password. The help desk uses this instead of Active Directory Users and Computers. Finance can put a user in the group; the help desk can reset a password if they remove a user from the group. Neither can do both. And, of course, couple this with a strong audit policy in the event log, and event 627, "A user's password was changed," will be recorded. You can match these with user requests. You could also make that a requirement.

In addition, if the administrator does not know the user's password, he cannot reset the password back to what the user used. So the user, when she tries to log on next, will not be able to, and will have to contact the help desk to have her password reset. This activity, too, should be investigated. Yes, users do forget their passwords, and the administrator could reset the user's password using the reset function. When the reset password privilege is delegated to a help desk, even more interesting issues abound. Help desk personnel are often not paid well, have less education, and turnover is rampant. We tend to hire and vet administrators and expect a little more of them, and pay them well. We believe they know the rules, and we watch these privileged persons a little more closely. Even if you solve all those issues for the help desk person in your case, you still should work on getting some monitoring (see the audit route above). In addition, you can set up EFS so that an administrator would have to access the files from the user's workstation in order to decrypt them.

Still, a rogue admin or a help desk person (if the privileges aren't worked out correctly) can access the normal password reset functionality in Active Directory Users and Computers. A number of things can go wrong. Delegation of administrative authority to security groups may be of help. Ideally, if files are that sensitive and the risk cannot be tolerated, you need to adopt some other method of authentication like a smart card or biometrics. With Windows 2000, certificate services come free. You would have to purchase the cards and/or readers, but the software is there. You would have to securely implement them. When you are done, you do not have to make every user use a smart card; you can just use it for the finance group, and you can require that the smart card, not the password, is used. Once done, this can be done in a way in which only the user sees the PIN. Even if the card is lost, it cannot be used without the PIN. After a small number of PIN "guesses," the card self-destructs. If a smart card is lost or damaged, a new one can be issued. Developing sound and secure business practices from mounds of technical information is not always easy. Let me know what you do, and how it works for you.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert, columnist and speaker. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant.

How to remove specific permissions from an account operator in Windows 2000

How can I remove the permissions to delete a user account from the account operator in Windows 2000?

QUESTION POSED ON: 02 April 2003
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

There are two ways to approach this problem.

1. To allow account operators to do everything to manage accounts except delete user accounts, you can deny account operators the "Delete all child objects" permission on the Users container in Active Directory Users and Computers. If all user accounts do not reside in this container, you will have to make the same change to all organizational units (OUs) containing user accounts.

2. The second option is to create a custom security group and only give it the permissions over user accounts that you desire. After creating the group, use the Delegation of Control wizard, and add the members to this group that you wish.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert, columnist and speaker. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant.

How to check which permissions are assigned to a user or group in Windows 2000

QUESTION POSED ON: 23 September 2002 QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Q: I'm using Windows 2000 server and NTFS file system. There have been a lot of permission changes for certain folders and files, so I have lost control of where and which permissions have been changed. It's easy to open folder or file properties and find which permissions are applied to whom. Instead, I would like to take a user or group and see where and which permissions on the file system level they have, because tons of files are stored on the server and I cannot check every file properties step-by-step. How do I get that? Thanks.

A: Use the SomarSoft Utility DumpSec, a free utility. See also Hyena, a product by the folks that provide the free one. Roberta.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert, columnist and speaker. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant.

How to set NTFS permissions on Windows 2000 Terminal Services

QUESTION POSED ON: 21 May 2003 QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Q: What is the guideline for setting NTFS permissions on a Windows 2000 Server Terminal Services with Citrix MetaFrame 1.8? I have been told by Microsoft technical support NOT to mess with the group "Everyone," to leave permissions at default and create a new group and restrict NTFS permissions to that group. Does that sound correct? I have been told you cannot set the permissions like you could in NT 4.0 Terminal Server Edition, but I would like to get another view. Is that correct?

A: There appears to be more than one issue here:

1. What access do you wish to adjust? System access? Data file access? As you know, in some areas, the group Everyone is explicitly given access. In many cases you can remove this access, but you must make sure to replace it by giving the

2. Since you say you were told to create a new group and restrict NTFS permissions to that group, I'm assuming you want to restrict access by setting deny permissions. If this is so, then yes, create the group and set "deny permissions" for it. You cannot deny access to the Everyone group; if you do so, you will do just that, deny access to everyone. Since deny access is usually applied first, no amount of "allow access" will override this. Instead, grant "allow access" to those who need access. Windows 2000 does not grant access to anyone implicitly. Those without access will be denied by default. The "deny access" permissions help with more granular access restrictions.
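The question above asks for a per-user or per-group view of NTFS permissions across a whole tree, which the answer hands off to DumpSec. As an added example (not part of the original answer, and not a DumpSec feature), the PowerShell script below produces the same kind of report on a Windows host: it walks a folder tree and lists every ACE that names a given trustee, with deny entries first because they take precedence. $Root and $Identity are constructed sample values.

```powershell
# Added example, not part of the original answer: list every NTFS ACE that names
# one user or group anywhere under a folder tree (what the question wants from
# DumpSec). Assumes a Windows host with PowerShell and read access to the tree;
# $Root and $Identity are constructed sample values.

$Root     = 'D:\Shares'          # hypothetical folder tree to audit
$Identity = 'CORP\Accounting'    # hypothetical group, written as DOMAIN\name

function Get-IdentityAces {
    param([string]$Path, [string]$Who)
    # The root folder itself plus everything below it, files included.
    $items = @(Get-Item -Path $Path) +
             @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }          # access denied on this object: skip it
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ieq $Who) {
                New-Object -TypeName PSObject -Property @{
                    Path      = $item.FullName
                    Type      = $ace.AccessControlType   # Allow or Deny
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited         # False: set directly on this object
                }
            }
        }
    }
}

$aces = @(Get-IdentityAces -Path $Root -Who $Identity)

# Deny entries win over allows, so show them first; then the explicit
# (non-inherited) allows, which are the places where someone changed
# permissions by hand and which the question is trying to find.
$aces | Where-Object { $_.Type -eq 'Deny' } |
    Format-Table Path, Rights, Inherited -AutoSize
$aces | Where-Object { $_.Type -eq 'Allow' -and -not $_.Inherited } |
    Format-Table Path, Rights -AutoSize

# Keep a record so a later run can be diffed against this one.
$aces | Export-Csv -Path "$env:TEMP\acl-report.csv" -NoTypeInformation
```

The match is on the trustee named in each ACE, not on group membership: a user who gets access through a nested group will not show up under their own name, which is the same limitation a per-trustee DumpSec report has, so audit the groups as well as the individual accounts.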

SYSTEM and appropriate users access explicitly.

3. Windows 2000 is different than Windows NT 4.0 Terminal Server edition. Permissions set on the system files are not the same. You cannot merely set permissions in Windows 2000, as you may have in Windows NT. Depending on where you wish to change permissions, you may need to know the access required by Windows, Citrix Metaframe and user accounts. I am unable to find out if Citrix Metaframe also requires explicit access to areas, where it is getting that access because of default group "everyone." If this is so, then if you could determine where that is necessary, then you can make the appropriate adjustments. I suggest you work with your Citrix support to determine if this is possible.

4. I know of no explicit reason why you cannot make some adjustments to file permissions, but there is no easy answer here. It's always easier to just leave the defaults, and that may be the cause of some problems. As always, you must determine what access is required before you blithely change access. You should always use caution when doing this, and do so on test systems.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert, columnist and speaker. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant.

Limiting user and admin access 03.2006 | Wes Noonan | SearchWindowsSecurity.com

Allowing granular access to the many objects on your Windows network to various users can present some problems. In this set of questions and answers, Windows network security expert Wes Noonan shares how to selectively limit object access from users and admins alike.

Q: How can I prevent a domain user or computer from accessing all servers on the network? I only want them to be able to access one server.

A: One effective method of doing this would be to add the user to a group that you create (for example Server A Users) and then remove them from the domain users group. Next, make the group that you created a member of the appropriate local groups on the server to grant them the level of access you desire. For example, if you want them to be just a regular user, you can add the global group to the local "Users" group. This could be the answer here.

Q: How can I prevent certain users who are domain administrators from logging onto domain controllers?

A: That depends on the kind of user they are. If they are a member of a group that grants them rights on domain controllers (for example, Domain Admins) there really isn't a way to do that. If your domain is small enough, you could specify the list of computers they

are allowed to login to, excluding the domain controllers, but I think this would rapidly become unmanageable (every time you add a computer, potentially you need to update the list of computers they can login to) as well as being rendered ineffective if the users in question are domain admins (they can always come in behind you and undo it).

Now, assuming that this is not a domain admin, the ability to logon to a domain controller is defined in the Default Domain Controllers Group Policy. You can view this by right clicking on the Domain Controllers OU in Active Directory Users and Computers and selecting "Properties". Click on the "Group Policy" tab, select the policy and click "Edit". Navigate using the Group Policy Object Editor to the following branch:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

In the right hand window, look for either "Log on locally" or "Allow Logon Locally" (it differs depending on which version of Windows you are using). Double click on the policy and add/remove users from that list accordingly and check the box next to "Define these policy settings:" to define who will be allowed to logon locally. By default, the following accounts/groups can logon locally to domain controllers:

1. Account Operators
2. Administrators
3. Backup Operators
4. Print Operators
5. Server Operators
6. Corresponding Internet Users (IUSR_)

As always, be advised that changing the default settings can cause unexpected and potentially damaging results to your systems. Also, just as a note regarding best practices, rather than directly editing the Default Domain Controllers Group Policy, you should create a new group policy object with the settings you want.

Q: If you have two domains on your network that are located at the same physical site and you want to implement an account policy that requires passwords of at least eight characters and should meet complexity requirements -- do you apply the account policy setting at the site? What account policies should you use?

A: You would need to apply the account policy separately on each domain. This is because there can only be a single password policy in a given Active Directory, which effectively means that you can only define it at the domain level. Even though the group policy MMC snap-ins will display the "Password Policy" branch for OU's and sites, you can only define the password policy at the domain level. Also, rather than modifying the default domain policy, you should go ahead and create an additional group policy object with the password policy settings that you want to apply.

Q: I have an NTFS folder on Windows 2000 Advanced Server. I want to set rights to this folder so that users are not able to delete files or folders, while at the same time they are able to save and make changes in that folder. How can I do this?

A: This can be done by editing the advanced security properties of the folder and files. To do this, right click on the folder in question and select "Properties." Select the Security tab and click "Advanced." Add or edit the appropriate users and specify the following permissions:

Traverse Folder/Execute Data
List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Files/Write Data
Create Folders/Append Data
Write Attributes
Write Extended Attributes
Read Permissions
Change Permissions

You may or may not need all of the above permissions for your specific requirements. The key is to remember to NOT grant the "Delete Subfolders and Files" and "Delete" permissions. Keep in mind that you may need to remove inheritance to allow you to make the necessary changes.

About the Author: Wesley J. Noonan has been working in the computer industry for over 12 years specializing in Windows-based networks and network infrastructure security design and implementation.

Opinion: Network admins need Microsoft-Cisco unity 30 Jul 2004 | Laura E. Hunter | SearchWindowsSecurity.com

You were at the coming out party for Windows Server 2003 in April of 2003. Admit it. But did you notice that neat little feature standing alone in the corner because nobody was asking her to dance? Her name was Network Access Quarantine Control, and as new features go, it was amazing how little attention she garnered. This little toy could look at your incoming remote access clients, check their patch levels, antivirus signatures and other pertinent security details, and then grant or deny access to your internal network based on the client's overall "fitness" level. This was huge, people! OK, all right, I admit it, so maybe it wasn't all that easy to deploy. It was a bear. But it was still a major leap forward in perimeter security for Microsoft products.
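For the NTFS question answered above (a folder users can write to but not delete from), here is an added PowerShell example that is not part of the original answer. It applies exactly the permission list the answer gives, with Delete and Delete Subfolders and Files left out, breaks inheritance as the answer suggests, and then checks the result. $Folder and $Group are constructed sample values.

```powershell
# Added example, not from the original answer: apply the "write, never delete"
# permission set from the answer via PowerShell instead of the Advanced Security
# dialog, then verify it. Runs on Windows with PowerShell; $Folder and $Group
# are constructed sample values.

$Folder = 'D:\DropBox'      # hypothetical folder
$Group  = 'CORP\Staff'      # hypothetical group, written as DOMAIN\name

# The answer's list by its .NET FileSystemRights names:
# Traverse Folder/Execute Data = Traverse, List Folder/Read Data = ListDirectory,
# Create Files/Write Data = CreateFiles, Create Folders/Append Data = CreateDirectories.
# Delete and DeleteSubdirectoriesAndFiles are deliberately absent.
$rights = [System.Security.AccessControl.FileSystemRights] (
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
    'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
    'ReadPermissions, ChangePermissions')

# Apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $Group, $rights, $inherit, $propagate, 'Allow'

$acl = Get-Acl -Path $Folder
# Break inheritance (keeping copies of the inherited entries) so a Modify or
# Full Control entry on the parent cannot hand Delete back to the group; this
# is the "remove inheritance" step the answer mentions.
$acl.SetAccessRuleProtection($true, $true)
# Drop any existing entries for the group, then add the new one.
foreach ($old in @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Group })) {
    [void]$acl.RemoveAccessRule($old)
}
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

function Test-NoDeleteRights {
    # True when no Allow entry for $Who on $Path carries Delete or
    # DeleteSubdirectoriesAndFiles.
    param([string]$Path, [string]$Who)
    $deleteBits = [System.Security.AccessControl.FileSystemRights] 'Delete, DeleteSubdirectoriesAndFiles'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ieq $Who -and $ace.AccessControlType -eq 'Allow') {
            if (($ace.FileSystemRights -band $deleteBits) -ne 0) { return $false }
        }
    }
    return $true
}

Test-NoDeleteRights -Path $Folder -Who $Group
```

One caveat a reviewer would raise about the answer's list: it includes Change Permissions, and a user who holds that right (or who owns a file they created, since an owner can always rewrite the DACL) can grant themselves Delete. So this configuration prevents accidental deletion, not deletion by a determined user; drop Change Permissions from the rule if that matters.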

The next major advance will arrive in the next release of 2003 -- R2 -- scheduled for release in mid-2005. Currently dubbed "Network Access Protection," this tool improves on NAQC in two significant ways:

• It creates simpler, GUI-based administration and implementation, rather than the extensive scripting needed for NAQC.

• It extends the functionality of the protection to all types of connections, both remote access and LAN-based. This part is key because the pervasiveness of "always-on" Internet connectivity, wireless hotspots and smaller Internet-capable devices like cell phones and PDAs has greatly blurred the distinction between what is a locally connected versus a remote-access client. In many ways, the idea of the network perimeter has ceased to be a physical entity like a border router, and has become a much more logical concept.

However, this may be putting the cart before the horse somewhat, since there isn't much in the way of clearly defined standards for secure network access. Microsoft's entry into this market seems likely to place it in competition with existing network perimeter security software, most notably Cisco's Network Access Control. Granted, Microsoft has promised interoperability with a number of third-party products, including antivirus and existing remote-access technologies, whereas Cisco's NAC is only meant to run on Cisco equipment. But at the moment, the Microsoft and Cisco perimeter security products are gearing up to not quite speak to one another. If the two offerings don't end up working and playing well together, network administrators who rely on both vendors' products will be forced to jury-rig a solution, either by building their own or using a product from a third-party vendor to create interoperability. I don't know about you, but I get nervous whenever I'm forced to use the word "jury-rig" in connection with network security. Given the prominence of both vendors' products in the enterprise network, this could prove problematic.

Now, I'm a big bad capitalist, and am of the opinion that competition is good for any industry, especially the software business. Competition for customer dollars almost inevitably leads to better products for the money, as different vendors develop more desirable features to "get the contract." But when security is at stake, interoperability must trump the desire to turn a profit. At the risk of sounding utopian, the idea of a "greater good" needs to extend to the Internet and Internet-connected machines, since their security and well-being affect us all.

A significant positive indicator for the future is Microsoft's support for 802.1x authentication, both in Windows Server 2003 and Longhorn. NAP is slated to use PEAP (Protected Extensible Access Protocol). If current or future iterations of the Microsoft and Cisco perimeter security offerings can be built according to industry standards -- either 802.1x or some future model -- the security of all those who rely on Microsoft and Cisco technology will certainly benefit.

Step-by-Step guide: Network Access Quarantine Control 5 Jan 2006 | Jonathan Hassell | SearchWindowsSecurity.com

One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep onto your network is not through holes in your firewall, or brute-force password attacks, or anything else that might occur at your corporate headquarters or campus. It's through your mobile users, when they try to connect to your business network while on the road. You would expect your business desktops to follow policy, but in the past, mobile users have traditionally been forgotten or grudgingly accepted as exceptions to the rule.

Windows Server 2003 includes a new feature in its Resource Kit, called Network Access Quarantine Control (NAQC), which allows you to prevent remote users from connecting to your network with machines that aren't up-to-date and secure. NAQC provides a different sort of security and addresses a different, but equally important, sector of communications than VPN or IPSec.

Step 1: Learn how it works

NAQC prevents unhindered, free access to a network from a remote location until after the destination computer has verified that the remote computer's configuration meets certain requirements and standards, as outlined in a script. To use NAQC, your remote access clients must be running Windows 98 Second Edition, Windows Millennium Edition, Windows 2000, or Windows XP Home or Professional. These versions of Windows support a connectoid, which is simply a dial-up or VPN connection profile located in the Network Connections element in the user interface, containing three essential elements:

• Connection information, such as the remote server IP address, encryption requirements and so on.

• The baselining script, which is a simple batch file or program used to assess the suitability of the client computer (more on this in a bit).

• A notifier component, which talks to the destination network's backend machine and negotiates a lift of the client's quarantine.

These elements are united into one profile using the Connection Manager (CM) Administration Kit (CMAK) in Windows Server 2003. Additionally, you'll need at least one Windows Server 2003 machine on the back end running an approved listening component. Finally, you'll need a NAQC-compliant RADIUS server, such as the Internet Authentication Service in Windows Server 2003, so that network access can be restricted using specific RADIUS attributes assigned during the connection process. However, for the purposes of this guide, I'll assume you're running the Remote Access Quarantine Agent service (called rqs.exe) from the Windows Server 2003 Resource Kit, because that is the only agent available at press time.

Here is a detailed outline of how the connection and quarantining process works, assuming you're using rqc.exe on the client end from the CMAK and rqs.exe on the back end from the Resource Kit:

1. The remote user connects his computer, using the quarantine CM connectoid, to the quarantine-enabled connection point, which is a machine running RRAS.

2. The remote user authenticates.

3. RRAS sends a RADIUS Access-Request message to the RADIUS server -- in this case, a Windows Server 2003 machine running IAS.

4. The IAS server verifies the remote user's credentials successfully and checks its remote access policies. The connection attempt matches the configured quarantine policy.

5. The connection is accepted, but with quarantine restrictions in place. The IAS server sends a RADIUS Access-Accept message, including the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes, to RRAS.

6. The remote user completes the remote access connection with the RRAS server, which includes leasing an IP address and establishing other network settings.

7. RRAS configures the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings for the connection, now in quarantine mode. At this point, the remote user can only send traffic that matches the quarantine filters -- all other traffic is filtered -- and can only remain connected for the value, in seconds, of the MS-Quarantine-Session-Timeout attribute before the quarantine baselining script must be run and the result reported back to RRAS.

8. The CMAK profile runs the quarantine script, currently defined as the "post-connect action."

9. The quarantine script runs and verifies that the remote access client computer's configuration meets a baseline. If so, the script runs rqc.exe with its command-line parameters.

10. rqc.exe sends a notification to RRAS, including a text string representing the version of the quarantine script being used, indicating that the script ended successfully.

11. The notification is received by rqs.exe on the back end.

12. The listener component on the RRAS server verifies the script version string in the notification message with those configured in the registry of the RRAS and returns a message indicating that the script version was either valid or invalid.

13. If the script version was acceptable, rqs.exe calls the MprAdminConnectionRemoveQuarantine API, which indicates to RRAS that it's time to remove the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings from the connection and reconfigure the session for normal network access.

14. Once this is done, the remote user has normal access to the resources on the network.

15. rqs.exe creates an event describing the quarantined connection in the System event log.

Step 2: Create quarantined resources

You need to create resources that actually can be accessed while the quarantine packet filters are in place for a remote client. Examples of such resources include DNS servers and DHCP servers, so that IP address and other connection information such as suffix addresses, DNS server addresses, and the like can be retrieved; fileservers to download appropriate software to update out-of-compliance machines; and Web servers that can describe the quarantining process or allow a remote user to contact IT support via email if any problems occur.

You can specify and use a quarantined resource in two ways. The first is to identify certain servers, which can be spread across your network, as these quarantine resources. This allows you to use an existing machine to host the quarantined resources, but you also have to create individual packet filters for quarantined sessions for each existing machine. For performance and overhead reasons, it's best to limit the number of individual packet filters for a session. If you decide to go this route, you'll need to enable the packet filters shown in the following table:

Table 1. Packet filters for distributed quarantine resources

Traffic Type          Source Port   Destination Port   Alternatives (instead of specifying port information)
Quarantine Notifier   None          TCP 7250           None
DHCP                  UDP 68        UDP 67             None
DNS                   None          UDP 53             You also can specify the IP address of any DNS server.
WINS                  None          UDP 137            You also can specify the IP address of any WINS server.
HTTP                  None          TCP 80             You also can specify the IP address of any web server.
NetBIOS               None          TCP 139            You also can specify the IP address of any file server.
Direct Hosting        None          TCP 445            You also can specify the IP address of any file server.

You also can configure any other packet filters that are particular to your organization.

The other approach is to limit your quarantined resources to a particular IP subnet. This way, you need just one packet filter to quarantine traffic to a remote user, but you might need to readdress machines and, in most cases, take them out of their existing service or buy new ones.

Using this method, the packet filter requirements are much simpler. You just need to open one for notifier traffic on destination TCP port 7250, one for DHCP traffic on source UDP port 68 and destination UDP port 67, and for all other traffic, the address range of the dedicated quarantine resource subnet. And again, you can configure any other packet filters that are particular to your organization.

Step 3: Write the baselining script

The next step is to write a baselining script that will be run on the client. This script can check whatever you want -- there is no standard level of baseline, as it's only what you feel comfortable with letting onto your network. The baseline script is very flexible and can use whatever software resources you have available. You can write this script in any scripting environment supported by your Windows clients, or even as a compiled EXE program. You also can use any sort of interaction with any program that your scripting environment will allow. Here is an example batch file script:

    @echo off
    echo Your remote connection is %1
    echo Your tunnel connection %2
    echo Your Windows domain is %3
    echo Your username is %4
    set MYSTATUS=
    REM Baselining checks begin here
    REM Verify Internet Connection Firewall is enabled. Set CHECKFIRE to 1-pass, 2-fail.
    REM Verify virus checker installed and sig file up. CHECKVIRUS is 1-pass, 2-fail.
    REM (CHECKFIRE and CHECKVIRUS are placeholders: your own checks must set them.
    REM  While they are unset, neither test below fails and rqc.exe is always run.)
    REM Pass results to notifier or fail out with message to user.
    if "%CHECKFIRE%" == "2" goto :NONCOMPLIANT
    if "%CHECKVIRUS%" == "2" goto :NONCOMPLIANT
    rqc.exe %1 %2 7250 %3 %4 Version1-0
    REM These variables correspond to arguments and switches for RQC.EXE
    REM %1 = %DialRasEntry%
    REM %2 = %TunnelRasEntry%
    REM RQS on backend listens on port 7250
    REM %3 = %Domain%
    REM %4 = %UserName%
    REM The version of the baselining script is "Version1-0"
    REM Print out the status
    if "%ERRORLEVEL%" == "0" (
        set ERRORMSG=Successful baseline check.
    ) else if "%ERRORLEVEL%" == "1" (
        set ERRORMSG=Can't contact the RRAS server at the corporate network. Contact a system administrator.
    ) else if "%ERRORLEVEL%" == "2" (
        set ERRORMSG=Access is denied. Please install the Connection Manager profile from http://location and attempt a connection again.
    ) else (
        set ERRORMSG=Unknown failure. You will remain in quarantine mode until the session timeout is reached.
    )
    echo %ERRORMSG%
    goto :EOF
    :NONCOMPLIANT
    echo.
    echo Your computer has failed a baseline check for updates on
    echo your machine. It is against corporate policy to allow out of
    echo date machines to access the network remotely. Currently
    echo you must have Internet Connection Firewall enabled and
    echo an updated virus scanning software package with the
    echo latest virus signature files. For information about how to
    echo install or configure these components, surf to
    echo http://location.
    echo You will be permitted to access only that location until
    echo your computer passes the baselining check.
    :EOF

Of course, this batch file is simple. I've added the necessary comments throughout the script so that you can follow the action. It's important to keep in mind that you can make the script as complex as you want; you even can compile a special program because the post-connect script option in CMAK allows an .exe file to be run. The one requirement of every baseline script is that it must run rqc.exe if the baselining compliance check was successful and included the following parameters:

    rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion

The switches and arguments are explained in the following list:

• The ConnName argument is the name of the connectoid on the remote machine, most often inherited from the dial-in profile variable %DialRasEntry%.

• The TunnelConnName argument is the name of the tunnel connectoid on the remote machine, most often inherited from the dial-in profile variable %TunnelRasEntry%.

• The TCPPort argument is, obviously, the port used by the notifier to send a success message. This default is 7250.

• The Domain argument is the Windows security domain name of the remote user, most often inherited from the dial-in profile variable %Domain%.

• The Username argument is, as you might guess, the username of the remote user, most often inherited from the dial-in profile %UserName%.
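The batch file above leaves the two checks as placeholders. As an added example that is not the article's own script, here is the same baselining logic written in PowerShell with the checks filled in: Windows Firewall state is read through the HNetCfg.FwMgr COM object and antivirus status through the root\SecurityCenter WMI class, both of which exist on Windows XP SP2 clients (so this assumes an XP client with PowerShell installed, not the Windows 98/Me clients NAQC also supports). Port 7250 and the version string Version1-0 are the article's values, http://location is the article's placeholder URL, and the file name Baseline.ps1 is an assumption.

```powershell
# Added example, not the article's own script: the batch file's logic as a
# PowerShell baselining script for an XP SP2 client. Assumed CMAK post-connect
# action: program powershell.exe with parameters
#   -File Baseline.ps1 %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
# (Baseline.ps1 is an assumed file name.)

param([string]$DialRasEntry, [string]$TunnelRasEntry, [string]$Domain, [string]$UserName)

$RqsPort       = 7250            # port rqs.exe listens on at the RRAS server (from the article)
$ScriptVersion = 'Version1-0'    # must match AllowedValue under the Rqs registry key
$HelpUrl       = 'http://location'   # the article's placeholder URL

function Test-FirewallEnabled {
    # Windows Firewall state for the current profile; any failure counts as "off".
    try {
        $mgr = New-Object -ComObject HNetCfg.FwMgr
        return [bool]$mgr.LocalPolicy.CurrentProfile.FirewallEnabled
    } catch { return $false }
}

function Test-AntivirusCurrent {
    # Pass when at least one registered product reports current signatures and
    # on-access scanning turned on (root\SecurityCenter schema of XP SP2).
    try {
        $products = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction Stop)
        foreach ($p in $products) {
            if ($p.productUptoDate -and $p.onAccessScanningEnabled) { return $true }
        }
    } catch { }
    return $false
}

function Invoke-BaselineCheck {
    # Returns -1 without calling rqc.exe when a check fails; otherwise the
    # rqc.exe exit code (0 success, 1 no RRAS contact, 2 denied).
    if (-not (Test-FirewallEnabled))  { return -1 }
    if (-not (Test-AntivirusCurrent)) { return -1 }
    & rqc.exe $DialRasEntry $TunnelRasEntry $RqsPort $Domain $UserName $ScriptVersion | Out-Null
    return $LASTEXITCODE
}

$result = Invoke-BaselineCheck
if ($result -eq -1) {
    Write-Host 'Your computer has failed a baseline check: Windows Firewall must be on and'
    Write-Host "antivirus signatures current. See $HelpUrl for instructions; that location"
    Write-Host 'is the only one reachable until the check passes.'
} elseif ($result -eq 0) {
    Write-Host 'Successful baseline check.'
} elseif ($result -eq 1) {
    Write-Host "Can't contact the RRAS server at the corporate network. Contact a system administrator."
} elseif ($result -eq 2) {
    Write-Host "Access is denied. Install the Connection Manager profile from $HelpUrl and attempt a connection again."
} else {
    Write-Host 'Unknown failure. You will remain in quarantine mode until the session timeout is reached.'
}
```

The important property, the same as in the batch file, is that rqc.exe is never reached on a failed check: the quarantine is lifted only by the notifier, so a script that called rqc.exe unconditionally would release every client regardless of its state.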

• The ScriptVersion argument is a text string that contains the script version that will be matched on the RRAS server. You can use any keyboard characters except \0 in a consecutive sequence.

Step 4: Install the listening components

The Remote Access Quarantine Agent service, known otherwise as rqs.exe, must be installed on the Windows Server 2003 machines accepting incoming calls using RRAS. RQS is found in the Windows Server 2003 Resource Kit Tools download, which you can find on the Microsoft Web site at http://www.microsoft.com/windowsserver. Once you've run the installer for the tools, select the Command Shell option from the program group on the Start menu, and run RQS_SETUP /INSTALL from that shell. This batch file will copy the appropriate binaries to the %SystemRoot%\System32\RAS folder on your system and modify service and registry settings so that the listener starts automatically when the server boots up.

A bit of manual intervention is required, however, to finish the installation: you need to specify the version string for the baselining script. The listener service will match the version reported by the remote computer to the value stored on the RRAS computer to make sure the client is using the latest acceptable version of a script. This is a great way to enforce changes you make to your baseline scripts: if a user isn't using the latest version of the scripts (and therefore isn't making the latest analysis of the system based on your needs), he won't be released from the quarantine mode. To make this change manually after you've run RQS_SETUP from the Tools download, follow these steps:

1. Open the Registry Editor.

2. Navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs key.

3. Right-click in the right pane, and select New String.

4. Name the string AllowedValue.

5. Then, double-click the new entry, and enter the string that refers to an acceptable version of the script.

Step 5: Creating a quarantined connection profile

The next step is to create a quarantined Connection Manager profile, which happens to be a normal profile you might create for any standard dial-up or VPN connection, with only a few modifications. For one, you need to add a post-connect action so that your baselining script will run and return a success or failure message to the RRAS machine. You also need to add the notifier to the profile. Let's look at using the CMAK to create a custom connectoid including the necessary NAQC components.

1. Open the CMAK from the Administrative Tools menu, and then click Next off the introductory screen.

2. Select Create a new service profile, and then click Next.

3. In the Service name box, type a name that you want to use for the service profile. This should be something familiar to users, such as "Connect to Corpnet" or something similar. In the File name box, type a name that you want to use for the connection. This name is used for the files that CMAK creates while building the service profile. Do not use any of the following characters in the filename: < SPACE > ! , * = / : ? ' " < > Click Next.

4. I'll assume here that you do not have an existing CM profile to merge, so simply click Next to bypass the screen that appears that asks you to merge profile information.

5. If you want to add a line of support information to the logon dialog box, type it in the Support information box -- for example, "For customer support, email support@hasselltech.net." This is optional. Click Next.

6. Specify whether the service requires a realm name, and then click Next.

7. If you want to add VPN support to the service profile, click to select the This service profile checkbox. Specify the server in the Server address box. Finally, specify whether you want to assign specific DNS or WINS server addresses and whether to use the same user credentials that are used for a dial-up connection. Click Next when you've finished.

8. If you want to configure custom Dial-Up Networking entries, click Add. In the Phone-book Dial-Up Networking entry dialog box, type the phonebook Dial-Up Networking entry that you want. Specify whether you want to assign specific DNS or WINS server addresses or a Dial-Up Networking script, and then click OK. Click Next.

9. (Here is where the quarantine steps begin.) The Custom Actions screen appears. Select Post-Connect from the Action type drop-down box and then click the New button to add an action.

10. The New Custom Action dialog box is displayed. Type a descriptive title for the post-connection action in the Description box.

11. In Program to run, enter the name of your baselining script. You also can use the Browse button to look for it.

12. Type the command-line switches and their arguments in the Parameters box.

13. Check the two bottom boxes, Include the custom action program with this service profile and Program interacts with the user.

14. Click OK, and you should return to the Custom Actions screen.

15. Click Next.

16. Continue filling in the wizard screens as appropriate, until you come to the Additional Files screen.

17. Click Add, and then enter rqc.exe in the dialog presented next. You can use the Browse button to search for it graphically. Once you're finished, click OK.

18. You'll be returned to the Additional Files screen, where you'll see rqc.exe listed. Click Next.

19. Complete the remainder of the wizard as appropriate.

Step 6: Distribute the profile to remote users

The profile you just created is made into an executable file that you can distribute to your remote users so that they can run it on their systems automatically, creating a profile without any intervention after that. You have several options for actually getting that executable file to your users. You can transmit the executable file as an attachment to an email message, or better yet, as a link to the executable file hosted on a web server somewhere. In the email message, you can include instructions to run the file and use the new connectoids for all future remote access. You also can have the executable run as part of a logon or logoff script, but to do that, you need to either have your users log on through a dial-up connection, or wait until the mobile users return to the home network and are connected at the corporate campus to the network.

Regardless of which method you choose to initially transmit the profile installer to your users, you always should place the latest version of the profile installer on a quarantined resource somewhere, so client computers that don't pass your baselining script's compliancy checks can surf to a web site and download the latest version without compromising further the integrity of your network.

Step 7: Configuring the quarantine policy

The final step in this process is to configure the actual quarantine policy within RRAS. In this section, I'll create a quarantine policy within RRAS that assumes you've posted the profile installer on a web server that is functioning as a quarantined resource. I'll assume this domain has a group called VPNUsers that has access to VPN capabilities.

1. Open the RRAS Manager.

2. In the left pane, right-click Remote Access Policies, and then select New Remote Access Policy from the context menu. Click Next through the introductory pages.

3. The Policy Configuration Method page appears. Enter Quarantined VPN remote access connections for the name of this policy, and click Next.

4. The Access Method page appears next. Select VPN, and click Next.

5. On the User or Group Access page, select Group, and click Add.

6. Type in the group names that should be allowed to VPN into your network. If all domain users have this ability, enter Everyone or Authenticated Users. Click OK. Click Next when you're finished.

Click Next if it looks accurate. 15. The Add IP Filter dialog box is displayed. Click New and add an input filter for a quarantine resource. Then. make sure the Strongest Encryption setting is the only option checked. which is selected by default. 23. 24. repeating the preceding steps and including the appropriate port number and type as described earlier. The Authentication Methods page appears. where your profile installer is located. and you'll see the group name you added appear in the list box. 22. Enable SearchSecurity. Hassell is a systems administrator and IT consultant residing in Raleigh.com 119 Copyright TechTarget 2006 . In the Attribute list. click OK once more. Click New and add the input filter for DHCP traffic. and then click Add. On the Policy Encryption Level page. You'll see the IP Filter Attribute Information screen. such as a web server. which will be measured in seconds. 17. Click Add. select TCP. for the purposes of this demonstration. He runs his own Web-hosting business. click Next. which displays the Inbound Filters dialog box. You'll be returned to the User or Group Access page. Click OK. Follow the same directions to allow DNS and WINS traffic. The Add Attribute dialog box is displayed. 12. 19. 20. 9. Finally. 8. Click OK. click OK on the Inbound Filters dialog box to save the filter list. right-click the new Quarantined VPN remote access connections policy. About the Author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity. select the Permit only the packets listed below radio button. and click Add to include another attribute in the list. Then. Back in RRAS Manager. 10. click OK to save the changes to the profile settings. Finish out the wizard by clicking Finish. 14. Click Next. type the quarantine session time in the Attribute value box.7. back on the Inbound Filters screen. 16.C. enter 7250. N. and then click Add again. to save the changes to the policy. In the Destination port field. 
who has extensive experience in networking technologies and Internet connectivity. Now. 18. 21. and select Properties from the context menu. Navigate to the Advanced tab. and then OK again to return to the Advanced tab.. In the Attribute Information dialog box. Click MS-Quarantine-Session-Timeout. To keep this example simple. On the Edit Dial-in Profile dialog box. 13. In the Protocol field. use the MS-CHAP v2 authentication protocol. Click the Input Filters button. Specify the appropriate IP address for the resource in the Destination network part of the Add IP Filter screen. click MS-Quarantine-IPFilter. 11. Use a sample value of 60. Click New to add the first filter.com site expert.
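The MS-Quarantine-IPFilter inbound list described above, modelled as an added Python example (not code from the original article or from Windows) so you can check which traffic a quarantined VPN client can still send under "Permit only the packets listed below". The addresses are constructed placeholders, and the DHCP, DNS and WINS ports are standard values assumed here, since the article refers to them only as "described earlier".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InputFilter:
    """One entry of the quarantine inbound filter list: a packet sent by the
    quarantined client is matched on protocol, destination network and port."""
    protocol: str                      # "tcp", "udp" or "any"
    dst_network: Optional[str] = None  # e.g. "10.0.0.80/32"; None matches any host
    dst_port: Optional[int] = None     # None matches any port

    def matches(self, protocol: str, dst_ip: str, dst_port: int) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.dst_network is not None and \
                ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_network):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def permitted(filters, protocol: str, dst_ip: str, dst_port: int) -> bool:
    """'Permit only the packets listed below': a packet from a quarantined client
    passes if any filter matches it; everything else is dropped until the client
    leaves quarantine."""
    return any(f.matches(protocol, dst_ip, dst_port) for f in filters)


# Constructed filter list following the procedure above (addresses are placeholders).
QUARANTINE_FILTERS = [
    InputFilter("tcp", dst_port=7250),        # rqc.exe reports to the server's quarantine listener
    InputFilter("udp", dst_port=67),          # DHCP (assumed standard port)
    InputFilter("udp", dst_port=53),          # DNS (assumed standard port)
    InputFilter("udp", dst_port=137),         # WINS name service (assumed standard port)
    InputFilter("tcp", "10.0.0.80/32", 80),   # web server hosting the profile installer
]


def quarantine_report(filters, packets):
    """Return {(proto, ip, port): permitted?} for a batch of constructed packets."""
    return {pkt: permitted(filters, *pkt) for pkt in packets}


if __name__ == "__main__":
    sample = [
        ("tcp", "10.0.0.1", 7250),   # quarantine notification: allowed
        ("tcp", "10.0.0.80", 80),    # profile installer download: allowed
        ("tcp", "10.0.0.81", 80),    # some other web server: dropped
        ("tcp", "10.0.0.10", 445),   # file share on the LAN: dropped
    ]
    for pkt, ok in quarantine_report(QUARANTINE_FILTERS, sample).items():
        print(pkt, "PERMIT" if ok else "DROP")
```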

His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

Lock down user access and privileges 16 Jun 2005 | SearchWindowsSecurity.com
Users should not be Administrators. Unfortunately, in most cases users do have Administrator privileges on their own machines. Malware tends to execute with the privileges of the currently logged-in user, which means that malware executed under their privileges has carte blanche on the system as well. If the user did not have access to key system files and was not authorized to install software, the malware would be stopped dead in its tracks. For the sake of security, general access should be limited, for workstations as well as servers, but that is a tough, uphill battle which requires the support of senior leadership to have any chance of success. Many users, particularly those in the executive suites, jump and holler when talk begins of removing or restricting their access to their own machines.

Permissions basics for Windows 2000 09.18.2002 | Adesh Rampat | SearchWindowsSecurity.com
Plan before you assign permissions
All Windows 2000 administrators want to allow the right people access to the right information. To do that, you must understand the most basic form of security -- permissions. Most network administrators are already familiar with the setting up of permissions to files/folders, so this article looks at the major concepts you should consider when applying permissions to files/folders.
One of the benefits of using Windows 2000 over Windows 98 or Me is the ability to use file and folder permissions. To enable file and folder permissions, you need to use NTFS: they are not available on FAT. This is normally done during the upgrade process. So when you upgrade to Windows 2000, if you are concerned about file/folder security, you must convert that FAT partition to NTFS. You need to do proper planning before you actually assign permissions.
Use caution when applying the deny permission, because the deny permission takes precedence over any allow permission. All other permission is cumulative or additive. For example, if a user has been assigned the "Read" permission to a file, but is also a member of a group that has been assigned the "Write" permission, the user's effective permission to the file is "Write." If, on the other hand, a user has been assigned the "Deny

Write" permission, then that user will not be able to write to the file or folder, even if he/she also belongs to a group that has been assigned Full Control.
Permissions for files/folders are "least restrictive." Permissions for files and shares are always additive or least restrictive, because the "least restrictive" permission will apply to users. For example, Paul is a user that has been assigned Read permission to a file. He also is a member of the shipping group that was assigned Full Control to the same file. The result is that Paul's permission for the file will be Full Control.
Now, the shipping folder is shared. Paul is assigned Change permission. The shipping group (of which Paul is a member) has been assigned Read Only permission. Based on the "least restrictive" rule this user now has Change permission to the shared folder.
What would Paul's effective permission be? It is the combined permission for Paul when he accesses files and folders within the shared folder. This is calculated using the most restrictive rule. Paul has Full Control for the file and Change permission for the shared folder. So because Paul is accessing the file (for which he has Full Control) through the shared folder (for which he has Change permission), his effective permission (combined permission) would be Change, since this is the most restrictive between the shared folder (Change) and the file permission (Full Control). Therefore Paul's effective permission is Change.
To properly assign permissions:
1. Calculate what permissions you are going to use for files/folders.
2. Then perform separate calculations for shares using the "least restrictive" rule.
About the Author: Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals, and the International Webmasters Association. He has also lectured extensively on a variety of topics.

NTFS default permissions for Windows 2000 11 Feb 2003 | Adesh Rampat | SearchWindowsSecurity.com
We all know, of course, that using NTFS as the file system in Windows 2000 for the workstations in your company is the better security decision to make, although there may be a slight performance hit when using this file system. Still, it's worth it for the security available. When you upgrade to Windows 2000, you get the option of installing NTFS or using the FAT system. The former requires a "clean install," which means you must wipe out the computer's drive and restore all the data in some way. But when you do this, there are some default permissions the installer grants, and you need to know what they are and where they're applied.
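The two rules the article walks through (least restrictive within the file's permissions and within the share's, then most restrictive across the two, with Deny overriding any allow), as an added Python model that is not code from the original article. The linear scale None < Read < Write < Change < Full Control and the sample entries for Paul are this example's assumptions; real NTFS rights are bitmasks, which the article's wording simplifies.

```python
from dataclasses import dataclass

# Permission levels from most to least restrictive, in the article's own terms.
# Assumption of this example: a single linear scale rather than NTFS bitmasks.
LEVELS = ["None", "Read", "Write", "Change", "Full Control"]


def _rank(level: str) -> int:
    return LEVELS.index(level)


@dataclass(frozen=True)
class Ace:
    """One access control entry: who it applies to, which level, allow or deny."""
    principal: str
    level: str
    deny: bool = False


def effective_permission(aces, user, groups):
    """Least-restrictive rule: the user's own entry and every entry for a group
    the user belongs to are combined, and the highest allowed level wins.
    A Deny entry takes precedence: the user loses the denied level and every
    level above it, since Change and Full Control both include writing."""
    principals = {user, *groups}
    mine = [a for a in aces if a.principal in principals]
    allowed = max((_rank(a.level) for a in mine if not a.deny), default=0)
    denied = [_rank(a.level) for a in mine if a.deny]
    if denied:
        allowed = min(allowed, min(denied) - 1)
    return LEVELS[max(allowed, 0)]


def effective_via_share(file_aces, share_aces, user, groups):
    """Most-restrictive rule for access through a shared folder: work out the
    file (NTFS) result and the share result separately, each with the
    least-restrictive rule, then the lower of the two is what applies."""
    on_file = effective_permission(file_aces, user, groups)
    on_share = effective_permission(share_aces, user, groups)
    return LEVELS[min(_rank(on_file), _rank(on_share))]


# Constructed sample data reproducing the article's Paul example.
FILE_ACES = [Ace("Paul", "Read"), Ace("shipping", "Full Control")]
SHARE_ACES = [Ace("Paul", "Change"), Ace("shipping", "Read")]

if __name__ == "__main__":
    groups = ["shipping"]
    print("file:   ", effective_permission(FILE_ACES, "Paul", groups))
    print("share:  ", effective_permission(SHARE_ACES, "Paul", groups))
    print("combined", effective_via_share(FILE_ACES, SHARE_ACES, "Paul", groups))
```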

(If you're upgrading to Windows XP, however, you have the option to convert to NTFS after installation, if necessary, by starting a command window and then executing the CONVERT command.) For all new folders that are created, the default permission assigned to the "Everyone" group is Full Control. Administrators should, therefore, be aware of the various permissions that are used, especially when sharing a drive, so that they can change some of the default settings. You may want to change the Everyone group's permission for a folder to read access, and then any new subdirectories created after that will get the new permission settings.
Since the list of permissions is lengthy I have included the following link, which should be used as a guide for administrators and anyone else who might be interested in the various permissions that are available when sharing a resource: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244600 This link will take you to the Microsoft TechNet page. Simply type Q244600 (the knowledge base article) then click the go button. For permissions in XP, click this link: http://support.microsoft.com/default.aspx?scid=kb;en-us;290403
About the Author: Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals, and the International Webmasters Association. He has also lectured extensively on a variety of topics.

How to implement permissions in Windows 2000/NT 20 Mar 2002 | Adesh Rampat | SearchWindowsSecurity.com
When implementing permissions in Windows NT/2000 the network administrator should ensure that NTFS volumes are being used and not FAT volumes. The NTFS file system has been around since the introduction of Windows NT. As we know, this file system offers much more enhanced security features than the standard FAT system. Assigning individual user permissions can create some manageability problems, especially for larger networks. A good idea when deciding to implement permissions to folders is that the network administrator can group users who require various forms of permissions and then apply the assigned permissions to the folder. You should perform periodic checks to ensure that the permissions assigned to the current group are appropriate.

File-level permission checks should also be conducted periodically to ensure that the group of users, or in some cases a single user, has the appropriate rights assigned. The network administrator should place program and data files in separate locations. Assigning write access to data files requires special attention. By assigning write access, users can copy files from the server to their local hard drive and vice versa. If the user access rights are set up properly on a Windows 2000 workstation, then users should not be able to copy files from the network server to their local drives. It's also a good idea to set Audit options, especially where you've granted write access to a folder. There may be instances where users need access to certain sensitive folders in an application but some users within the group will not require access to that particular folder. In that case, share the folders that contain the sensitive information with a dollar sign ($) at the end of the share name to hide them from unauthorized persons. As your Windows help system will tell you, such folders are not visible from My Computer, but can be viewed using the Shared Folders snap-in. About the Author: Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals, and the International Webmasters Association. He has also lectured extensively on a variety of topics.


Network access control policies
Distinguishing a remote access policy from a portable computing protection policy
What is the best way to distinguish a remote access policy from a portable computing protection policy?
QUESTION POSED ON: 4 November 2005
QUESTION ANSWERED BY: Shon Harris | SearchSecurity.com
These two policies have very distinct focuses. A remote access policy should address the following items and concepts:
Standardize remote connectivity for:
• Any system type, whether it is company owned or personally owned computers, PDAs, smart phones, laptops, Blackberries, etc.
• User type (employee, vendor, contractors, partners, etc.)
• Connectivity type, as in dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.
Remote access should only be allowed to carry out company-related functions
Reduce potential unauthorized use of company resources
Connectivity and encryption requirements:
• VPN, SSL, SSH and encryption needs for sensitive data
Employee is responsible for ensuring:
• Family members do not violate any company policies
• Antivirus signatures, hot fixes and patches are up to date
• Personal firewall is installed and properly configured
• Authentication credentials are not shared
• System is not connected to another network that is not owned by the company or employee
• No non-company email accounts are used
• Non-approved hardware configurations are not used
Authentication type that is allowed
• Passwords, passphrases, one-time passwords, private key, etc.
Enforcement
• Disciplinary actions, termination, prosecution
While a portable computing protection policy should address the following items and concepts:
Standardize connectivity and configurations for:

• Notebook computers, Tablet PCs, Palm Pilots, Microsoft Pocket PCs using Windows CE, text pagers, smart phones, FireWire devices, USB drives, etc.
• User type (employee, vendor, contractors, partners, etc.)
• Connectivity type, as in remote, LAN, WAN, wireless, etc.
Allowable usage
• Smart phones with cameras may be banned in sensitive areas, for example
Classified data needs to be encrypted during transfer or synchronization steps
Roles that are allowed to use certain portable devices:
• Only executives may be able to use and connect Blackberry devices to the network
Specific types of security software may be required for specific types of devices
• Additional security software may need to be installed and properly configured
Asset management
• Company owned portable devices must be properly tagged and documented
• User must register device with company before attempting to connect it to the network
Portable devices should not be left unattended in public areas
Public network may be set up to allow only Internet accessibility for portable devices
Prior to transfer of ownership or disposal of portable device, all sensitive data must be properly destroyed
Access should only be allowed to carry out company related functions
Reduce potential unauthorized use of company resources
Connectivity and encryption requirements:
• VPN, SSL, SSH and encryption needs for sensitive data
Employee is responsible for ensuring:
• Antivirus signatures, hot fixes and patches are up to date if applicable
• Personal firewall is installed and properly configured if applicable
• Authentication credentials are not shared
• System is not connected to another network that is not owned by the company or employee
• No non-company email accounts are used
• Non-approved hardware configurations are not used
Authentication type that is allowed:
• Passwords, passphrases, one-time passwords, private key, etc.
Enforcement
• Disciplinary actions, termination, prosecution
About the Author: Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.


Policies for reducing mobile risk 25 Apr 2006 | Lisa Phifer | SearchSecurity.com
Today, many workers are carrying PDAs, smartphones and other mobile computing devices containing at least some business data. A 2005 Nokia study found that 21% of US employees carry PDAs and 63% carry mobile phones used for business. In the Nokia study, commonly-used mobile applications included email, instant messaging, corporate database access, sales force automation, field service, CRM and ERP/supply chain applications. Companies without mobile-specific applications may still face mobile exposure through traditional applications. For example, many employees synchronize company email onto PDAs or forward messages to smartphones. While these devices are increasingly well-connected, they are largely unsecured and can pose a significant risk to business networks and data. Reducing that risk starts with establishing an information security policy that deals with both employee-purchased and company-owned mobile devices.

Risky business
When a mobile device is lost or stolen, any business data it contains is jeopardized, such as contact lists, account passwords, confidential emails and file attachments. But many companies cannot even enumerate the data carried by lost or stolen mobile devices. Laws, such as California SB1386 (and similar laws introduced in 35 states last year), require companies to notify individuals whose private information may have been compromised. And businesses that violate industry mandates like HIPAA and GLBA face hefty fines or even jail time. A growing number of workers are using PDAs and smartphones to access business networks and applications. Therefore, if lost or stolen, these devices can be used to gain unauthorized access to an otherwise private network and applications therein.
Additionally, many mobile devices now support multiple wireless interfaces, creating new attack vectors. Mobile phones with Bluetooth can be "BlueBugged" (used by an attacker to place calls) or "BlueSnarfed" (accessed to retrieve contacts and calendars). Cradled PDAs can become Wi-Fi bridges into corporate networks. When used correctly, wireless interfaces can aid productivity, but safeguards are needed to prevent misuse or attack.

Security policy
To manage these risks, companies need to define which mobile devices are allowed and under what conditions. They should place limits on network and application access, and on business data storage and transfer. Security measures and practices should be required, and processes defined to monitor and enforce compliance. These decisions should be documented in a mobile device security policy -- a formal statement of the rules by which mobile devices must abide when accessing business systems and data. Such policies may include the following sections:

1. Objective: Identify the company, organizational unit and business purpose of the policy. For example, the intent of the policy may be to prevent disclosure of company-confidential data when transferred to or stored on PDAs and mobile phones.
2. Ownership and authority: Identify those responsible for policy creation and maintenance (development team), those responsible for policy monitoring and enforcement (compliance team), and those responsible for policy approval and management oversight (the policy's owners).
3. Scope: Identify the users/groups and devices that must adhere to this policy when accessing business networks, services and data. Enumerate the mobile device models and minimum OS versions allowed to access or store business data, no matter who owns those devices. Identify the organizational units that are (or are not) permitted to do so. For example, you may forbid business data storage on unapproved devices, or you may require users to register personal devices before using them for business.
4. Risk assessment: Identify the business data and communication covered by this policy -- your company assets that may be placed at risk by mobile devices. For each asset, identify threats and business impacts, taking into consideration both probability and cost. For example, when a mobile device is lost, hardware replacement is probably just a small fraction of the impact. If your risk assessment determines that data carried by a mobile device is more valuable than the device itself, this may lead you to focus on data backup and confidentiality as your top priority.
5. Security measures: Identify recommended and required mobile security measures and practices, including:
• Power-on authentication to control lost/stolen device use
• File/folder encryption to prevent unauthorized data disclosure
• Backup and restore to protect against business data loss or corruption
• Secure communication to stop eavesdropping and backdoor network access
• Mobile firewalls to inhibit wireless-borne attacks against devices
• Mobile antivirus and IDS to detect and prevent device compromise
• Application and interface authorization to control program installation, network use, synchronization and data transfer to/from removable storage
For example, your policy may mandate authentication, specifying the minimum length and complexity for passwords and any applications that are excluded from authentication (e.g., accepting incoming phone calls without entering a password). Your policy may also define a process for mobile password reset that is convenient yet safe for users who cannot easily return to the office.
6. Acceptable usage: Define what users must do to comply with this policy, including procedures required for device registration, security software download and installation, and policy configuration and update. Enumerate best practices

that users are required to follow, including banned activities, like beaming business data over Bluetooth or copying data to removable storage. For example, you may implement a mobile security system that automatically detects any PDA cradled to a corporate desktop. That system may prompt the user for self-registration and then push security software and policy onto the PDA. Your policy might explain this procedure and require that users cradle any purchased PDA to their office desktop before using it to store business data. It might also describe unauthorized use that will be blocked.
7. Auditing and enforcement: Voluntary compliance is nice, but insufficient for truly managing business risk. Effective policies ensure compliance through monitoring and enforcement. Be sure to consider all points of network entry (e.g., Wi-Fi AP, email server, VPN gateway, desktop PC cradle), and define a business process to deal with non-compliance and intrusion. For example, you may adopt a mobile security system that checks for a correctly-configured security agent whenever a PDA or phone is synchronized over-the-air or cradled. Some mobile security systems can hard-reset devices that have been stolen or appear to be under attack, but your policy should clearly define the conditions under which this potentially destructive step will be invoked.
8. Deployment process: Define how you plan to implement and verify your mobile security policy. Many security policies fail because they prove impractical to deploy or use. It is a good idea to begin with a trial, taking both your mobile security software and defined procedures out for a test drive with a small group of users. Working out these kinks before requiring everyone to follow your policy will increase voluntary compliance and overall effectiveness. Don't forget to include training for administrators and users in your deployment process. If users understand what they can and cannot do and why, they will be less frustrated and more likely to comply with stated policy.

About the Author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also the guest instructor for SearchSecurity.com's Wireless Security Lunchtime Learning.

Laptop security policy: Key to avoiding infection 16 Sept 2003 | Ed Tittel | SearchSecurity.com

I'm taking a short emergency break from my ongoing series on security policy document library elements to sound a note of caution regarding the handling of traveling employee laptops. In the wake of recent discussions with several Fortune 500 companies whose internal networks were safe from the onslaught of Blaster, Welchia, SoBig and others, but some or all of whose traveling sales or technical staff got infected by same, I've started to recognize that security policy for laptops is pretty darn important. Although these companies were able to withstand big impacts from these worms, others weren't so lucky. Entire groups or departments of salespeople or technical staff found themselves essentially disconnected from e-mail and network access for anywhere from a full day to as long as a week, depending on how soon they could get their machines repaired and recovered.

In light of this situation, I can't stress enough how important it is to develop and implement security policy for laptops, and to keep remote and roving workers as safe as those behind corporate firewalls and other infrastructure elements. To that end, I'm going to refer to a recent posting by Microsoft (yes, that paragon of security itself) that actually makes a great starting point for laptop security policy, then add a few additional recommendations. At www.microsoft.com/security/protect you'll find the following admonitions, "3 steps to ensure your PC is protected:
• Use an Internet firewall
• Get computer updates
• Use up-to-date antivirus software"
If followed, this simple prescription would have protected all of the people whose machines were essentially taken out of service by these worms. In passing, let me mention that an out-of-the box default install of Norton Internet Security in August produced a machine that showed no vulnerabilities whatsoever (zero!) to security scans from Steve Gibson Research, SecuritySpace.com and even Norton's own more exhaustive Web-based scan.

The missing details, of course, require some expansion of this simple but effective list:
• Choosing the right Internet firewall depends on other corporate policies, vendor selection and so forth.
• Getting updates is not the issue, installing them is what really counts. Companies should either impose the policy of enforced access to automatic update services from vendors, or provide regular image delivery or patching services of some kind to employees to make sure they're running the latest, greatest, and safest OS and application images.
• Picking and using antivirus software likewise depends on other policies and vendor selections and again should be combined with automatic updates and email warnings to download signature files when automatic update intervals don't suffice to maintain proper levels of protection.

• Other elements of security policy, such as remote access mechanisms, VPN use, access controls and privileges, passwords and so forth also need to be consistently enforced to prevent unauthorized access to internal systems and resources.
• Some type of entire drive or directory-based encryption is strongly advised to protect information.
With these simple policy elements in force, laptops needn't pose any more of a threat to security than other systems in use.

About the Author: Ed Tittel is Vice President of Content Services at iLearning, a CapStar company based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.

Work with users to secure new technologies in the enterprise 18 Nov 2005 | Al Berg | SearchSecurity.com
New technologies make my head hurt. My geeky side loves to play with the latest toys and see what they can do. My Infosec Director side (the side that pays the bills) reacts to new technologies like Dracula to a nice garlic sandwich. How can I keep my organization safe without limiting my users to outdated technologies? Here are a few tips and techniques I find helpful.

Stop and take a deep breath
Some security practitioners react to new technologies with panic and the issuance of stern edicts against using USB drives/PDAs/EVDO cards/wireless LANs, etc. Stop and take a deep breath. In most cases, users have a legitimate need to fill. It is your job to find a way for them to fill that need safely, not to keep them from being efficient. Besides, issuing stern edicts typically serves only to increase awareness of the "forbidden" (and thus much more interesting) technology and tends to drive users underground, making your job more difficult and adversarial. A better approach is to sit down with the user, understand what they are trying to accomplish with the new technology, and try and get them to raise the security questions themselves.

Work with your users, not against them
Make sure that your users feel comfortable talking to you about new technologies. You want them to come and tell you about the neat new gizmo or software they just bought (or better yet, are thinking of buying). They will not do this if they perceive that you are going to arbitrarily stop them from using anything new. For example, when smartphones came on the scene, users fell in love with the ability to stuff their cellphone/PDA with all the important information they need while working outside the office. These little gems quickly became nightmares for security people. By sitting down with users, acknowledging all of the good things about smartphones and maneuvering them into asking about how their customer lists, passwords and other

confidential information could be protected, I was able to get them to drive the process of setting security standards for the new devices. The resulting standards combine encryption, password protection and the prompt reporting of device loss and subsequent remote self destruct of data, allowing us all to sleep at night. Because the users felt included in the process of analyzing the problem and coming up with the policies, they were willing to accept the addition of some security measures that create a little bit of inconvenience.

Know what's on the horizon
Infosec departments should be looking ahead to find out what new technologies are most likely to pop up in their organizations. Every company seems to have a few early adopters who can be counted on to buy and try every new gadget that hits the market. Make these people your buddies and keep tabs on what new technologies they are looking at and how they are using them. Remember: your mission here is to gather information, not to stamp out new and better ways of doing things.

Compare new technologies to old
Another way to deal with new technologies is to compare them with existing technologies. If you think about it, the new gizmo is a lot like some older gizmo, except faster, cheaper and with prettier blinking lights. This makes it easier to explain the security issues to users and can cut down on the need for more and more policies. For example, we are starting to see laptops with built in broadband class Internet connections over wireless public networks (like EVDO or WiMax) being offered for sale. Plugging one of these into a corporate network provides an attacker with a "back door," bypassing all of your expensive firewalls. However, from a security point of view, we've had this problem before with dial up modems. No new policies are needed to deal with this issue as most companies' modem policies are broad enough to deal with this new form of connectivity. By explaining this new technology to users in comparison to modems, it is easy to make them understand the risks. You can allow the use of these connections with the proper firewall measures – just not while connected to the corporate LAN.

Educate users
New technologies should be part of your awareness efforts. In many cases, explaining the logic to users is going to be key in getting them to accept and comply with new policies and standards. If your users are clamoring for the ability to use those cute little USB thumb drives to carry documents and data, you can either disable USB ports and explain why, if that is the route you are going to take, or you can show your users how to use an encrypted thumb drive to protect data while in transit. Either option may be a legitimate strategy for your organization, or even for a subset of your organization. It depends on what your company does and how sensitive the information is.

Become a business enabler
There are going to be times when saying no to a new technology is the right answer. The point here is that no matter which choice you make, make sure that you have analyzed the risks and rewards of the new technology thoroughly and that your users understand why

they can't use the latest gadget. Offer some alternatives to help users get the functionality they are seeking – safely. As a group, information security has a bad reputation as being the department that says, "No." We need to work on this and change our role from business obstacles to safe-business enablers. Working with users to introduce new technologies is one way to do this.

About the Author: Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.

The benefits of writing a policy before a new system deployment 15 Sept 2004 | Charles Cresson Wood | SearchSecurity.com
Consider this scenario: A multi-national company is revamping its network defenses on a worldwide basis. It locates the relevant internal information systems specialists around the world and engages them in a dialog on how to increase the organization's network security. The enhanced security they seek includes content filtering, intrusion detection and other capabilities not yet deployed. Instead, technical staff specifies, selects and deploys hardware and software, thinking that through these system components information security will be achieved. The budget for the project does not include sufficient resources to handle organizational issues, such as the establishment of a single manager in charge of network security across the organization. Staff training, documentation, organizational communications channels and other non-technical factors are postponed until the end of the project, and some are then dropped entirely in order to make a deadline and keep resource consumption down. Although certain managers receive their bonus for bringing in the project on-time and on-budget, the actual level of security delivered is, as a result, significantly lower than it should be. This is due to a lack of effort to integrate business needs with new security functionality and because the organization's ability to effectively manage these new systems is questionable.

When organizations decide to write a policy after a security system is deployed, they are missing an opportunity to use the policy-writing process as a way to get consensus amongst a variety of different managers about the functionality of these security systems. The very act of writing a policy begs questions such as the impact on the business, the degree to which there must be end-user involvement and training, the interfaces with related systems, as well as the technical capabilities that must be available in order to properly manage the security systems.

• • • These days most people wouldn't think of building a house without a blueprint and other plans like a permit from a local government authority. But policies should be vendor neutral and technology agnostic.com Copyright TechTarget 2006 133 . help to clarify the objectives of a system and help to get alignment from all those concerned with the involved system. but the functionality may be a problem for existing privacy policies and laws. or perhaps the deployment of an entirely new system. that desired project timelines are overly-optimistic. At first this sounds good. political issues and disagreements about what should be done will be immediately highlighted. Then a draft policy about a content management system can be prepared. particularly when it comes to the business and operational impacts of a new or significantly modified system. In terms of keeping costs down and project timelines short when deploying a significantly modified or new security system. the policy can direct staff to select hardware and software that genuinely meets collectively-determined business needs. Policies should talk about necessary control capabilities. and that approval is obtained. This approach also forces people to communicate their ideas in concrete and explicit terms. among other things. depending on the organization and country involved. Before technical staff proceeds to acquire and install such a system. Writing policies prior to deployment forces people to look at issues such as necessary changes in business operations. examine and log the nature of the Internet material being sent and received by specific workers. be sure to include sufficient time in the early stages of the project to develop policies. If a particular worker is distributing unauthorized copies of copyrighted software. affected business processes and required worker interactions with the involved systems. This can help prevent the organization from committing itself to purchasing. 
consider a content management system that can. but many people still continue to build information systems (which by the way are even more complex) without the benefit of planning documents such as policies. the overview that policies SearchSecurity. When you're developing a project plan for the next major security system upgrade. As an example. leasing. Thus. it is important that privacy policies and laws be examined. Architectures. all before any money is spent on the involved system.When a policy is written before deployment. it is best to write policies early. the content management system will note this. procedures and configuration standards come later. Also. in part because they are a function of the hardware and software selected. Here are the benefits of doing so: • Policies help to define the scope of a system. and hopefully resolved. renting or outsourcing certain security capabilities only later to find that these same capabilities are in some way objectionable and inappropriate for the organization in question. Writing policies before deployment may also make it clear that project budgets are insufficient. and/or that technical staff plans are at odds with business reality.

routers. even thousands. Aside from stronger configuration control.com Copyright TechTarget 2006 134 . but how? Custom scripts can help. Business partner connections or newly acquired enterprises. but. CISSP. But. and most network vendors have some sort of console. with specific risk thresholds and security requirements. HR and finance departments.com Managing the complexities of large. There are several environments in which this functionality is critical: • • Multinational enterprises. Managing the security settings on these devices from a central console sounds wildly impractical -.provide should be one of several early planning tools in every major information security project. About the Author: Charles Cresson Wood. switches and even VPNs and firewalls. Managing network policy 22 Jul 2004 | Pete Lindstrom | SearchSecurity. popular firewalls and Linux and Solaris OSes. SearchSecurity. CISA. central logging and. He is also the author of the book and CD-ROM entitled Information Security Policies Made Easy.. Network security provisioning solutions provide centralized management of heterogeneous network devices -. standards.the requirements are complex. where the "other end" of the network is unknown. Calif. Here are a few: • Gold Wire Technology's Formulator manages ACLs and other configuration parameters and provides infrastructure integrity to network devices. procedures and job descriptions. routers and gateways. • • • Managing each set of devices based on particular needs is imperative. in which headquarters may need an administrative connection to the plant but the company doesn't want anyone or anything touching the computers running the assembly line. the demands of global business and regulatory compliance are forcing enterprises to consider management consoles that push granular policy updates to heterogeneous devices. of mixed-vendor bridges. these devices are operated independently. 
He specializes in the development of information security documents including policies. distributed networks is a daunting task. in most cases. the solutions also offer SSO for network devices. for the most part. Manufacturing environments. and there are too many fast-moving parts. which may want to segment their networks to comply with the regulatory requirements of the host nation. management backbones. Web server farms. which share a lot of sensitive information among themselves and little with other employees and customers. switches. Enterprises carving out logical networks for users. with hundreds. is an independent information security consultant based in Sausalito. network configuration management. CISM. etc.

In my search for supporting reference material. About the Author: Pete Lindstrom. I came across a very informative document called The 60 Minute Network Security Guide on the National Security Agency Web site (www. but manage them you must. and understand which default software installations provide weak security configurations. 6.Turn off or remove unnecessary services. including specific information for Windows and Unix systems. Solsoft's Policy Server models a network and provides "point-and-click" security design. 3. 5.Develop and maintain a list of all hardware/software components. administrators and managers. Establish a strong password policy -. CISSP.com I was asked by a client to develop a "best practices" guide for securing Microsoft IIS 5. Scan TCP/UDP services -.gov).com Copyright TechTarget 2006 135 .• • • • Voyence's VoyenceControl! is a Java application that provides lifecycle change management services. Rendition Networks' TrueControl is a Windows 2000 application that manages many network devices. Make sure you have a security policy in place -. Top 10 network security tips 22 Nov 2002 | Mark Edmead | SearchSecurity. Intelliden's R-Series software is a Java application that performs device modeling along with its core network configuration features. Keep an inventory of your network devices -. including wireless access points and VPN concentrators.Keeping your systems patched will close vulnerabilities that can be exploited by hackers.nsa. Today's enterprises and their distributed environments are too complex and their requirements too diverse to manage efficiently. SearchSecurity. automatically calculating the ACLs required to allow access from a source endpoint to a server.Weak passwords could mean a compromised user account. The document is what is known as a "best practices" guideline for network security. 2. Unneeded services can be the entry point attackers use to gain control of your system. 
It pushes out these changes and keeps track of them. 4. The document is only about 40 pages long.The security policy is the formal statement of rules on how security will be implemented in your organization. Make sure all of your operating systems and applications are patched with the latest service packs and hotfixes -. rollback and workflow. Here's a summary: 1.0. Don't trust code from non-trusted sources. but it's packed with valuable pearls of wisdom on how to secure your network enterprise. Network security provisioning solutions offer an option that makes sense. is research director at Spire Security. It features support for templates. A security policy should define the level of security and the roles and responsibilities of users.

. and has more than 25 years' experience in software development.vbs. I recommend downloading this document and reading it from cover to cover. TICSA.bas. About the Author: Mark Edmead.7. (www.mtesoft. CISSP.com Copyright TechTarget 2006 136 . Inc. . Block certain e-mail attachment types -.bat.Don't rely on just one control or system to provide all the security you need.com). Perform your own network security testing -.Find the holes before the attackers do! 10.Implement the concept of "least privilege". It's packed with excellent tips and techniques to help secure your network environment. Don't provide more rights to system resources than necessary -. Implement "defense-in-depth" -. is president of MTE Software. SSCP. 9.exe and .This list includes . SearchSecurity. product development and network systems security. 8.
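For tip 7 above, an added example that is not code from the article or from the NSA guide: a gateway-side check that parses a MIME message with Python's standard email library and flags attachments whose final extension is on the blocked list, handling the double-extension, mixed-case and trailing-dot tricks that a naive string match misses. The sample message and the helper names are constructed for this example.

```python
# Added example for tip 7, not code from the article or from the NSA guide:
# a gateway-side check that parses a MIME message and flags attachments whose
# final extension is on the block list, catching double extensions, mixed case
# and the trailing dots or spaces Windows silently strips. Message is constructed.
import email
from email import policy
from typing import List, Set

BLOCKED: Set[str] = {".bas", ".bat", ".exe", ".vbs"}  # the article's list


def risky_extension(filename: str) -> str:
    """Return the normalized final extension ('.exe') or '' if there is none."""
    base = filename.rstrip(". ")          # Windows drops trailing dots and spaces
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def blocked_attachments(raw_message: str, blocked: Set[str] = BLOCKED) -> List[str]:
    """Filenames to block. The last extension decides, so 'report.pdf.EXE' is
    caught while 'notes.exe.txt' is allowed (it opens as text)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if risky_extension(part.get_filename() or "") in blocked]


SAMPLE = """\
From: sender@example.test
To: recipient@example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Files attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.pdf.EXE"

QUJD
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.exe.txt"

fine
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.exe."

QUJD
--b1--
"""
```

Running `blocked_attachments(SAMPLE)` flags the first and third attachments and lets `notes.exe.txt` through, since only the final extension determines how the file is opened.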

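The "Managing network policy" article above describes consoles that take one vendor-neutral policy and compute the ACLs each device between a source endpoint and a server needs. As an added example that is not code from the article or from any product it names, the following Python finds the enforcement devices on the path with a breadth-first search over a small topology and renders the rule in each device's own syntax (a Cisco IOS extended ACL line or an iptables rule). The topology, device kinds and addresses are constructed assumptions.

```python
# Added example, not from the article or any product it names: translate one
# vendor-neutral policy ("allow src -> dst on port") into the native rule each
# enforcement device on the path needs. Topology and addresses are constructed.
import ipaddress
from collections import deque
from typing import Dict, List, Optional

# Constructed topology: adjacency over network segments and enforcement devices.
LINKS: Dict[str, List[str]] = {
    "users": ["core-rtr"], "dmz": ["dmz-fw"], "internet": ["edge-fw"],
    "core-rtr": ["users", "edge-fw", "dmz-fw"],
    "edge-fw": ["core-rtr", "internet"], "dmz-fw": ["core-rtr", "dmz"],
}
DEVICE_KIND = {"core-rtr": "ios", "edge-fw": "iptables", "dmz-fw": "iptables"}
SEGMENTS = {"users": "10.1.0.0/16", "dmz": "10.9.0.0/24"}  # everything else: internet

def segment_of(host: str) -> str:
    ip = ipaddress.ip_address(host)
    return next((n for n, net in SEGMENTS.items() if ip in ipaddress.ip_network(net)),
                "internet")

def path_devices(src: str, dst: str) -> List[str]:
    """Breadth-first search between the two segments; keep only devices traversed."""
    start, goal = segment_of(src), segment_of(dst)
    prev: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue and goal not in prev:
        node = queue.popleft()
        for nxt in LINKS[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if goal not in prev:
        raise ValueError("no path between endpoints")
    hops, cur = [], goal
    while cur is not None:          # walk predecessors back to the source segment
        hops.append(cur)
        cur = prev[cur]
    return [h for h in reversed(hops) if h in DEVICE_KIND]

def render(dev: str, src: str, dst: str, proto: str, port: int) -> str:
    """Emit the rule in the device's own syntax: Cisco IOS extended ACL or iptables."""
    if DEVICE_KIND[dev] == "ios":
        return f"access-list 101 permit {proto} host {src} host {dst} eq {port}"
    return f"iptables -A FORWARD -p {proto} -s {src} -d {dst} --dport {port} -j ACCEPT"

def provision(src: str, dst: str, proto: str = "tcp", port: int = 443) -> Dict[str, str]:
    """One rule per device on the path; devices off the path stay untouched."""
    return {dev: render(dev, src, dst, proto, port) for dev in path_devices(src, dst)}
```

A flow between two hosts in the same segment yields an empty rule set, which is the point: only devices that actually carry the traffic get a permit, and the rest keep their default deny.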