On 28 February 2013 07:39, <anonymous2...@nym.hush.com> wrote:
> Hi,
> We are a human rights NGO that is looking to invest in the best
> possible level of network security (protection from high-level
> cyber-security threats, changing circumvention/proxy to protect IP
> address etc, encryption on endpoints and server, IDS/Physical and
> Software Firewall/File Integrity Monitoring, Mobile Device
> Management, Honeypots) we can get for our internal network. I was
> wondering if people would critique the following network, add
> comments, suggestions and alternative methods/pieces of software.
> (Perhaps if it goes well we could make a short paper out of it, for
> others to use.)
>
> -Windows 2012 Server
> -VMWare virtual machines running Win 8 for remote access

Windows doesn't scare me, full remote access scares me. (I'm amazed at how many people are saying "X is insecure" with no explanation of how or why an alternative is more secure.) Obviously you'll need something for remote workers, but see the next section...

> -Industry standard hardening and lock down of all OS systems.

Industry 'Standard' hardening isn't particularly good because 'Standard' is 'Standard' and 'Standard' is also hacked over and over again. Upgrading your RDP authentication level is a good idea and 'Standard' - but what you want most of all is separation of privilege. I don't mean "Bob the sysadmin is the only person who can administer the mailserver"; I mean "Bob the sysadmin is the only person who can administer the mailserver, and he can only do it from a separate computer that's on a separate airgapped network and he doesn't use USB keys".

Airgapping brings thoughts of crazy military-levels of paranoia - but it's not all that difficult and it's getting more and more important. Get a couple of cheapish laptops, a separate consumer-level broadband connection, and run red cables plus blue to a few people's desks.

Think about it in terms of compartmentalisation, both airgapped and non-airgapped-but-separate Domains/VLANs/Authorisation contexts. Draw out your network, and then fill an entire section with Red - that's what the attacker controls. How does he move to another section? What data does he get? Brainstorm this part heavily, consider putting it up on a permanent whiteboard and referring to it every time someone comes in and needs access to X group's fileserver, or what-have-you.

> -Constantly changing proxies

I have no idea what you intend to accomplish with this. Performing *more* logging of your employees, or not disabling WPAD, sounds like the opposite of what you'd want. (And a note on the WPAD item: disable IPv6 too.)

> -Sophos Enterprise Protection, Encryption and Patch management
> -Sophos mobile management

Uh, I guess. I guess I shouldn't disparage something I've never reviewed and haven't worked with... But my opinion of "Enterprise Protection" products isn't too high until I've seen an independent security firm see how secure the product is and how much attack surface it adds.

> -Encrypted voice calls for mobile and a more secure alternative to
> Skype via Silent Circle.

So I guess that's RedPhone?

> -TrueCrypt on all drives - set to close without use after a
> specific time

Bitlocker is a fine alternative, and probably easier to manage/query via Group Policy.

> -False and poison pill files
> -Honeypots

Ooookay. This isn't a bad idea, but it's pretty damn complicated to set up - you're moving more and more towards something that requires a 24/7 SOC (Security Operations Center) and further away from "Architecting a secure network."

> -Snort IDS
> -Tripwire

And someone full time (or 2 people, really probably a team of folks operating 24/7) to monitor these? Cause this stuff doesn't help you if no one's looking at it.

> -Easily controlled kill commands

... Huh?

> -No wifi

Good luck with that. I guess no one's going to have any productive meetings or use any MacBook Airs, tablets, or phones for work purposes. (Unlikely.) Having everyone use the cell towers isn't a great idea either. This sounds like you haven't done a requirements gathering phase with your users.

-tom

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
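The "draw your network, colour one section Red, ask how he moves and what he gets" exercise from the reply above can be done mechanically once the diagram is written down as zones and allowed flows. The following is an added worked example, not code from Tom or from the original poster: the zone names, the data labels and the flows are constructed for illustration and are not the NGO's real network. It models the flat design (admins RDP to servers from their ordinary desktop) beside the compartmented design (admin workstation on its own airgapped segment) and computes, for a Red zone, which zones the attacker can reach, which data sits in that blast radius, and every simple path he could take to a target.

```python
"""Added example (not from the original thread): a tiny model of the
"fill a section with Red" compartmentalisation exercise. Zones, flows and
data labels below are constructed for illustration only."""
from collections import deque

# Each allowed flow is (source zone, destination zone, protocol).
# Direction matters: a flow lets whoever controls `src` talk to `dst`.
ZONES = {
    "user_lan":   {"data": {"documents"}},
    "remote_vm":  {"data": set()},
    "mail":       {"data": {"mailboxes"}},
    "fileserver": {"data": {"documents", "case_files"}},
    "admin_ws":   {"data": {"domain_admin_creds"}},
}

# Flat design: the admin box is just another host the user LAN can reach.
FLAT_NETWORK = {
    "zones": ZONES,
    "flows": [
        ("internet",  "remote_vm",  "rdp"),
        ("remote_vm", "user_lan",   "smb"),
        ("user_lan",  "mail",       "smtp/imap"),
        ("user_lan",  "fileserver", "smb"),
        ("user_lan",  "admin_ws",   "rdp"),   # admins RDP in from their desk
        ("admin_ws",  "mail",       "rdp"),
        ("admin_ws",  "fileserver", "rdp"),
    ],
}

# Compartmented design: admin_ws lives on a separate airgapped segment
# (own laptops, own uplink), so no flow from user_lan to admin_ws exists.
COMPARTMENTED_NETWORK = {
    "zones": ZONES,
    "flows": [
        ("internet",  "remote_vm",  "rdp"),
        ("remote_vm", "user_lan",   "smb"),
        ("user_lan",  "mail",       "smtp/imap"),
        ("user_lan",  "fileserver", "smb"),
        ("admin_ws",  "mail",       "rdp"),   # only over the admin segment
        ("admin_ws",  "fileserver", "rdp"),
    ],
}


def _adjacency(network):
    adj = {}
    for src, dst, proto in network["flows"]:
        adj.setdefault(src, []).append((dst, proto))
    return adj


def reachable(network, red):
    """Zones an attacker who controls `red` can reach by following allowed flows."""
    adj = _adjacency(network)
    seen, queue = {red}, deque([red])
    while queue:
        zone = queue.popleft()
        for nxt, _proto in adj.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(network, red):
    """Reachable zones other than Red itself, sorted for stable output."""
    return sorted(reachable(network, red) - {red})


def exposed_data(network, red):
    """Data held in any zone the attacker can reach (the attack surface, not a
    guarantee of compromise: he still has to break each hop)."""
    data = set()
    for zone in reachable(network, red):
        data |= network["zones"].get(zone, {}).get("data", set())
    return data


def attack_paths(network, red, target):
    """All simple paths from `red` to `target`; each hop is (src, proto, dst).
    An empty list means the diagram gives him no route at all."""
    adj = _adjacency(network)
    paths = []

    def walk(zone, visited, path):
        if zone == target:
            paths.append(path)
            return
        for nxt, proto in adj.get(zone, ()):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, path + [(zone, proto, nxt)])

    walk(red, {red}, [])
    return paths


if __name__ == "__main__":
    for name, net in (("flat", FLAT_NETWORK), ("compartmented", COMPARTMENTED_NETWORK)):
        print(f"{name}: Red = user_lan, reaches {blast_radius(net, 'user_lan')}")
        print(f"{name}: data in blast radius {sorted(exposed_data(net, 'user_lan'))}")
        print(f"{name}: paths internet -> admin_ws: {attack_paths(net, 'internet', 'admin_ws')}")
```

Re-run it each time someone asks for a new flow (the "needs access to X group's fileserver" case in the reply): if adding one edge suddenly puts domain_admin_creds inside the blast radius of the user LAN, that is the conversation to have before the firewall rule goes in. The model deliberately ignores the strength of each hop; it answers only the "can he move there at all" question the whiteboard exercise asks.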