
Article by Mark Boyd

www.simpleit.tumblr.com

Security: Internal threats


All of the information presented in this article is the opinion of the author, not the opinion of any of the vendors mentioned. The author's experience is in the Managed Services Provider sector, more specifically, the Education vertical. This article will reference a lot of material from www.sans.org. I strongly recommend you review all material I link in this article. I hope to clearly show that I have interpreted the material at www.sans.org and it is very clear that I am not claiming the material to be my own. As always, I try to provide real life examples to explain any written texts I reference.

Security Controls: Internal threats and unauthorised devices.

Good morning, afternoon, evening, how are you all today? Good? Great. This article will hopefully start you thinking about protecting your internal infrastructure from internal but unauthorised threats. What do you know about who can get into your network?

You are an admin at a school with a moderate I.T budget. You are a security conscious I.T admin, but your boss, the I.T Manager, is a teacher. He doesn't know a huge amount about security, and has charged you with making sure the network is secure. What do you do? What questions do you ask?

Ask yourself a few questions:
- What devices exist on your network?
- What devices are authorised on your network?
- What devices are unauthorised but still on your network?
- What devices are unauthorised and choking your already scarce resources?
- Have you got an asset register of all known devices?
- If you accept the risks unauthorised devices pose, do you put those devices on a different subnet?
- If you accept the risks unauthorised devices pose, do you know what they are able to access?

Time and time again I see businesses that don't know, or don't care, about what they let onto their networks. This is dangerous; it can damage the financial security of an organisation.

See http://www.sans.org/critical-security-controls/control.php?id=1 for more on this topic.

Tuesday, 28 June 2011

Page 1

Let us consider the following example. AbcBusinessCorpTechLimited is a large K-12 education provider.


They have 1200 students and 200 staff members. They have a large I.T Budget of $2,000,000 PA. Equipment at the education provider includes but is not limited to:
- 40+ Layer 3 Switches from a top tier vendor
- 1 X 40Tb 10Gb FC SAN
- 1 X 20Tb 10Gb FC Backup SAN
- Server 2008 Active Directory role controlling identity management
- A dedicated DHCP and DNS Server
- 600 Desktops, all on the domain
- 100 Laptops, all on the domain
- 100 Other registered portable network devices
- Multiple tier one vendor Firewalls
- Strong endpoint security
- A Microsoft ISA 2006 box providing proxy services
- A tier one vendor application layer firewall providing advanced filtering
- Tier one vendor web filtering solution blocking websites based on Active Directory membership

The question is simple. What happens when a student brings his own laptop in and plugs it into a network point on the wall? What happens, you ask? He gets a DHCP address; he gets DNS servers assigned to him. The student goes to use the internet and gets prompted for a username and password. What happens then? Well, he enters his user name and password; he gets let out to the internet. I am sorry, I.T Guy; we need to have a conversation.

You: But a tier one vendor web filtering solution is still in place, and an application layer filter is also there, so who cares that the student gets access to internet resources? It is enabling his use of technology and helps him learn.

Me: I understand your contention, but you are wrong. It is not acceptable to let any employee come and patch their laptop into the network and access internet resources.

You: Why?

Me: You forget, it's not just the internet this student can now access. There is no mention of any protection of other network resources. What is stopping the student from accessing his or her file share?

You: Why is that a risk?

Me: The student has no antivirus software on his laptop, and now your network has a Trojan on it. Everything is affected, everything is down, the server room is now literally on fire, and you are responsible.

So what can you do? How can you protect your network from unknown and unauthorised devices?


Fix number one: Think physical.


The student plugs into a wall point, not directly into the switch (or at least I hope that is the case). The wall points go back to a patch panel, and the patch panel goes back to a switch. Your task is to perform a full port audit: discover which device is plugged in, and to where. When you know what devices are plugged into which patch points, remove every non-essential patch lead from patch panel to switch. You have just successfully mitigated the physical risks associated with unauthorised devices. Or have you?

Fix number two: Think physical, act virtual.

So there is no connectivity to unused patches. Great, but what if a student unplugs an authorised device and plugs in his / her unauthorised device? You are back to square one. Never worry, there are a few things you can do. Sticky MAC addresses: yes, it sounds like a food; no, it isn't a food. Sticky MAC addresses register the MAC address of the first device to connect to that port and don't allow any other devices to connect to it. This will solve the above mentioned problem. So you have solved the problem, or have you?

Fix number three: Think physical, act physical, act virtual.

So your first two methods mitigate the risk, but the students are cunning: they look at the OEM sticker on your hardware and find the MAC address of the authorised device. They then proceed to spoof that MAC address on their own, unauthorised machine. Now you are in a pickle, aren't you? First up, remove the OEM stickers from the box; they don't need to be there. Next, lock down your BIOS; no one other than I.T techs needs access to the BIOS of your assets. Next, use Kensington locks to physically secure your box. Next, use Active Directory to enforce domain computer authentication. So have you solved your problem? Maybe, maybe not.
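The port audit from fix number one, together with the device-swap and MAC-spoof cases from fixes two and three, as an added example that is not from the original article: the asset register, the exported MAC table and the port names are all constructed, and the script reconciles the two and flags unknown devices, swapped devices and one MAC address seen on two ports.

```python
from collections import defaultdict

# Constructed asset register: switch port -> authorised MAC (None = spare).
ASSET_REGISTER = {
    "Gi1/0/1": "00:11:22:33:44:01",  # staff desktop
    "Gi1/0/2": "00:11:22:33:44:02",  # library terminal
    "Gi1/0/3": None,                 # patched, no authorised device
}

# Constructed "port mac" lines as a technician might export from a switch.
MAC_TABLE = """\
Gi1/0/1 0011.2233.4401
Gi1/0/2 aa:bb:cc:dd:ee:02
Gi1/0/3 00-11-22-33-44-01
Gi1/0/7 aa:bb:cc:dd:ee:07
"""

def normalise_mac(mac: str) -> str:
    """Accept 0011.2233.4401, 00-11-22-33-44-01 or 00:11:22:33:44:01."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text: str) -> dict:
    """Return {port: mac} from 'port mac' lines; blank lines are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            seen[parts[0]] = normalise_mac(parts[1])
    return seen

def audit(register: dict, table: dict) -> list:
    """Return sorted (port, finding) pairs that need a technician's attention."""
    findings = []
    ports_by_mac = defaultdict(list)
    for port, mac in table.items():
        ports_by_mac[mac].append(port)
        if port not in register:
            findings.append((port, f"unregistered port carries {mac}"))
        elif register[port] is None:
            findings.append((port, f"unauthorised device {mac} on spare port"))
        elif register[port] != mac:
            findings.append((port, f"expected {register[port]}, saw {mac}"))
    # The same MAC on two ports: a swapped lead or a spoofed address.
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            findings.append((",".join(sorted(ports)), f"{mac} seen on several ports"))
    return sorted(findings)
```

Run `audit(ASSET_REGISTER, parse_mac_table(MAC_TABLE))` against a real export and the findings list is the work order for walking the patch panel.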
Whenever I write a security article, I will merely get you thinking about a particular security topic, and get you talking about how to protect yourself better.

There are many vendors that offer Network Access Control tools (NAC for short). I urge you to investigate the options from the various vendors. There are physical solutions (in rack) and software solutions from vendors like Symantec and Sophos. Don't be afraid of letting users bring in their own devices; it is counterproductive and short sighted not to allow such devices. But by all means, enforce very strict standards.

All of the things above, and more, will help you protect your internal network. The internal network is still an afterthought for administrators, after all these years. A shame, seeing that's where all your data sits, and if you lose it, you lose your job, plain and simple. Over and out.

