I'd personally recommend the Harding guide from the NSA, they know their stuff. As for the Linux brigade, a Bradley secured Linux install that is poorly managed is not better then a decently managed Linux distro. I have to go look at some of the products you wrote down, but this looks like a decent shopping list for a reasonably secure environment.
On Mar 1, 2013, at 2:43 AM, "[email protected]" <[email protected]> wrote: > Frankly your whats wrong with a small minority of the people on > LibTech. NGO's have to balance cost, security, people, user needs, > current infrastructure, software/hardware donation programs, man > hours etc etc...Every idiot knows Linux is more secure in many ways > than Windows yet sometimes other factors come into play that > require the use of MS. > > This topic is a genuine topic that has not been looked at to my > knowledge by the movement - we have tons of material on VOIP > safety, encryption, device management etc but not much on actually > network design...I hope your glad that your smart-ass comments have > dragged it sideways within the first two posts, to the detriment of > the group. > > I have no interest in being trolled. Is there anyone on the list > that wants to talk through this and give me some direct advice on > how to implement a safe NGO operational network? > > On Thu, 28 Feb 2013 13:35:26 +0000 "Bill Woodcock" <[email protected]> > wrote: >> Sorry, thought you'd asked for advice about the "best possible" >> way to do it. Didn't realize you meant "best possible with no time >> or attention." But, wait, that's not quite it either, is it? You >> meant that you don't want to invest _your_ time and attention, but >> you think people on the list can solve that for you by >> contributing _our_ time and attention? I'm not sure it works that >> way, but perhaps someone who's feeling more charitable than I am >> right now can suggest the "best possible" solution that requires >> none of your time and attention and runs on Windows. >> >> Since I'm now 34 hours into an Ottawa-bound itinerary for the CIF, >> a tip of the hat to Canada: "As secure as possible, under the >> circumstances." >> >> -Bill >> >> >> On Feb 28, 2013, at 8:22, "[email protected]" >> <[email protected]> wrote: >> >>> Can we please get back to the issue at hand.... >>> >>> On Thu, 28 Feb 2013 13:16:03 +0000 "Bill Woodcock" >> <[email protected]> >>> wrote: >>>> Ah, yes, those expensive man-hours. Security is so much easier >> >>>> when you don't give it time and attention. It also doesn't >> work. >>>> >>>> >>>> -Bill >>>> >>>> >>>> On Feb 28, 2013, at 8:09, "[email protected]" >>>> <[email protected]> wrote: >>>> >>>>> I knew this was coming at some point. Yes I am starting with >>>>> Windows, it's more functional (awaits incoming) and costs less >>>> in >>>>> terms of expensive man hours (the hidden cost vs software) for >>>> an >>>>> Linux guru to run and monitor the network. >>>>> >>>>> On Thu, 28 Feb 2013 13:03:00 +0000 "Bill Woodcock" >>>> <[email protected]> >>>>> wrote: >>>>>> You want to do this securely, and you're _starting_ with >>>> Windows? >>>>>> >>>>>> >>>>>> -Bill >>>>>> >>>>>> >>>>>> On Feb 28, 2013, at 7:40, "[email protected]" >>>>>> <[email protected]> wrote: >>>>>> >>>>>>> Hi, >>>>>>> We are a human rights NGO that is looking to invest in the >>>> best >>>>>>> possible level of network security (protection from high- >> level >>>> >>>>>>> cyber-security threats, changing circumvention/proxy to >>>> protect >>>>>> IP >>>>>>> address etc, encryption on endpoints and server, >> IDS/Physical >>>>>> and >>>>>>> Software Firewall/File Integrity Monitoring, Mobile Device >>>>>>> Management, Honeypots) we can get for a our internal >> network. >>>> I >>>>>> was >>>>>>> wondering if people would critique the following network, >> add >>>>>>> comments, suggestions and alternative methods/pieces of >>>>>> software. >>>>>>> (Perhaps if it goes well we could make a short paper out of >>>> it, >>>>>> for >>>>>>> others to use.) >>>>>>> >>>>>>> -Windows 2012 Server >>>>>>> -VMWare virtual machines running Win 8 for remote access >>>>>>> -Industry standard hardening and lock down of all OS >> systems. >>>>>>> -Constantly changing proxies >>>>>>> -PGP email with BES >>>>>>> -Cryptocard tokens >>>>>>> -Sophos Enterprise Protection, Encryption and Patch >> management >>>>>>> -Sophos mobile management >>>>>>> -Encrypted voice calls for mobile and a more secure >>>> alternative >>>>>> to >>>>>>> Skype via Silent Circle. >>>>>>> -TrueCrypt on all drives - set to close without use after a >>>>>>> specific time >>>>>>> -Easily controlled kill commands >>>>>>> -False and poison pill files >>>>>>> -Snort IDS >>>>>>> -Honeypots >>>>>>> -Tripwire >>>>>>> -Cisco Network Appliance >>>>>>> -No wifi >>>>>>> -Strong physical protection in a liberal country as regards >>>>>> human >>>>>>> rights >>>>>>> >>>>>>> I know there are many other factors, good training, constant >> >>>>>>> monitoring, avoiding spearfishing, penetration testing, etc >>>> but >>>>>> if >>>>>>> possible I would please like to keep the conversation on the >> >>>>>>> network design and software. >>>>>>> >>>>>>> Thanks guys. >>>>>>> -Anon >>>>>>> >>>>>>> -- >>>>>>> Too many emails? Unsubscribe, change to digest, or change >>>>>> password by emailing moderator at [email protected] or >>>>>> changing your settings at >>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech >>>>>> >>>>>> -- >>>>>> Too many emails? Unsubscribe, change to digest, or change >>>> password >>>>>> by emailing moderator at [email protected] or changing >> your >>>> >>>>>> settings at >>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech > > -- > Too many emails? Unsubscribe, change to digest, or change password by > emailing moderator at [email protected] or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
