We continue to hear reports of companies, government agencies, and systems being hacked into by the "Bad Boys" of the Internet. Most recently it was confirmed that US Pentagon systems were hacked into and thousands of files were copied from the systems that were hacked. When I heard this report I thought, "How in the world does an organization like the Pentagon, with all of the resources they have, get penetrated?" If organizations like the Pentagon have lowered defenses, how do we, the average system owners with a whole lot fewer resources, protect ourselves?

Deb Hale
Deborah 279 Posts ISC Handler Jul 15th 2011
Jul 15th 2011
Walla? The word you are looking for is "voila".
Anonymous

Jul 15th 2011
At home I use Astaro and have my network fully locked down. At my current job (health care) we use Juniper and it is mostly locked down. We are switching to Palo Alto though. My last job used a fairly locked down Check Point firewall, but it was VERY old. (Banking!)
Tri0x 17 Posts

Jul 15th 2011
Stonesoft's StoneGate firewall/VPN all the way. Intelligent design, the fewest security advisories, awesome management and log data tools, and the best HA.
Tri0x 1 Posts

Jul 15th 2011
Brand does not seem to matter too much these days. They all seem to last around the same number of years. I split the traffic up to multiple IPs. Check Point for larger commercial enterprise traffic; SonicWall or Cisco added for remote access users; Netgear (metal case ones) for SOHO use; low-end Cisco or Netgear for "cheap" segment isolators (e.g. sandbox or CAN).
Tri0x 1 Posts

Jul 15th 2011
All internet access via a Debian box, and all workstations forced into separate VLANs by switch; any communication between them (rarely actually necessary) must be explicitly permitted/facilitated by the Debian box acting as gateway. MAC-Forced Forwarding would work here too.
WLAN AP considered untrusted and only even switched on if absolutely needed for something; that, or any untrusted 'guest' machines, get their own special VLAN, and its Internet connectivity can be enabled/disabled/filtered at will. Arpwatch alerting of each new device being connected to the LAN (or to the WLAN AP). Total bandwidth in/out of each VLAN accounted in an RRD log and graphed.

All HTTP connections forced through a transparent proxy with logging, in case it's necessary to carry out forensics after a suspected intrusion. No outbound SMTP/DNS allowed; must use the locally-provided services. Snort IDS monitoring everything going to/from the Internet, with real-time email alerts for anything at Priority 1 and periodic reviews of anything else. Considering one or more OpenBSD boxes in place of the Debian box, with CARP providing HA.

This is actually all just for my home, and I think any SO/HO ought to do these things as a minimum. For a larger network, maybe also a honeypot to alert to possible internal infections, unauthorised scanning, or emerging threats from outside. Actively scan workstations for unpatched vulnerabilities, and sniff software user-agent versions from HTTP/SMTP headers. If WLAN access is needed, maybe require a VPN connection (I don't trust WPA2/802.1X), thus allowing secure off-site login via exactly the same method, even from open or untrusted networks (e.g. an employee's home, a public WLAN, or a rogue access point on-site pretending to be your company's).
Steven C. 171 Posts
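The Snort alerting split described in the post above (email immediately on Priority 1, review everything else periodically) as an added example written for this thread, not the poster's own setup. It reads Snort's "fast" alert format from a file; the alert lines embedded below are constructed, and the signature IDs and messages are illustrative rather than real rule IDs.

```shell
#!/bin/sh
# snort_triage.sh: split Snort "fast" alert lines into the Priority 1 set
# that gets paged out at once and a per-signature digest of the rest for
# periodic review.  Example code for this thread; the sample alerts are
# constructed and the SIDs/messages are illustrative only.

# Constructed sample in Snort's fast-alert format (one alert per line).
write_sample_alerts() {
cat <<'EOF'
07/15-10:02:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.168.10.21:49200
07/15-10:03:45.000001  [**] [1:9000001:3] LOCAL TROJAN beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.10.21:49311 -> 198.51.100.5:80
07/15-10:05:02.554433  [**] [1:1917:11] INDICATOR-SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.10.30:50000 -> 239.255.255.250:1900
07/15-10:09:17.220000  [**] [1:9000001:3] LOCAL TROJAN beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.10.21:49400 -> 198.51.100.5:80
07/15-10:12:00.000000  [**] [1:1917:11] INDICATOR-SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.10.30:50001 -> 239.255.255.250:1900
EOF
}

# Priority 1 alerts, verbatim: the lines worth an email the moment they fire.
# Feed this from "tail -F /var/log/snort/alert" for real-time paging.
priority1_alerts() {
    grep -F '[Priority: 1]' "$1"
}

# Internal hosts behind the Priority 1 alerts (source side of "src -> dst").
# Assumes IPv4 "addr:port"; IPv6 addresses would need a smarter split.
priority1_hosts() {
    priority1_alerts "$1" \
        | awk '{ ip = $(NF-2); sub(/:[0-9]+$/, "", ip); print ip }' \
        | sort -u
}

# Everything below Priority 1, collapsed to "count<TAB>gid:sid:rev<TAB>message",
# most frequent first, for the periodic review pass.
review_summary() {
    grep -F -v '[Priority: 1]' "$1" | awk '
        {
            sig = $3                       # third field is [gid:sid:rev]
            gsub(/\[|\]/, "", sig)
            count[sig]++
            if (!(sig in msg)) {
                line = $0
                sub(/^.*\[\*\*\] \[[0-9:]+\] /, "", line)   # drop timestamp and ID
                sub(/ \[\*\*\].*$/, "", line)                # drop classification onwards
                msg[sig] = line
            }
        }
        END { for (s in count) printf "%d\t%s\t%s\n", count[s], s, msg[s] }
    ' | sort -rn
}

# Usage: snort_triage.sh [/var/log/snort/alert]; with no argument the
# constructed sample is used.
main() {
    file=${1:-}
    if [ -z "$file" ]; then
        file=$(mktemp) || exit 1
        write_sample_alerts > "$file"
    fi
    echo "== Priority 1: page now =="
    priority1_alerts "$file"
    echo "== Hosts to isolate first =="
    priority1_hosts "$file"
    echo "== Review queue (count, signature, message) =="
    review_summary "$file"
    [ -z "${1:-}" ] && rm -f "$file"
}

main "$@"
```

The digest is what makes the "periodic review" half workable: a thousand UPnP scan alerts collapse to one line with a count, so the review pass is over signatures rather than raw lines, while the Priority 1 path stays verbatim because those are the ones someone has to act on.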
Jul 16th 2011
SOHO application. Static Internet-routable IP addresses obtained over VPN, so the local connection is DHCP (saves a ton of $$$ over static IPs from the Internet provider!). Colo box at another, nicer, ISP has Linux, iptables, OpenVPN. SOHO site has a matching OpenVPN and iptables setup. DSL bridge goes to a Cisco WAP running WPA2 and NAT for local mobile devices (iPads, laptops, BlackBerrys, etc.). This WAP is on the DHCPed Internet connection. Linux OpenVPN box goes to a DMZ with static NAT for servers, etc., and masquerading NAT for a choke firewall in front of the LAN.

Snort IDS does complete packet logging to a multi-TB RAID -- good for several days' worth of traffic. IDS has taps on WILD, DMZ, and LAN. Plan to install a tap on the Cisco WAP as well soon. LAN has a second Cisco WAP, but machines must have a recognizable MAC address to obtain a dedicated DHCP address, and only those addresses will pass the firewall to the LAN. All servers also have a host firewall, as do the MAC-authenticated laptops. How does one secure iPads and BlackBerrys?
Moriah 133 Posts

Jul 16th 2011
We don't play around. It's got to have deep packet inspection with strict rules. Once you start the argument of usability over security you have opened the door to the "bad boys", and in almost every case it's been something stupid that was overlooked, or due to staffing (again, people don't take security seriously until their ass is in the fire).

My philosophy is every transaction should have its own rule. You don't want traffic passing wholesale with loose rules. Loose Rules Sink Networks.
Moriah 1 Posts

Jul 16th 2011
I use Injoy Firewall on a non-mainstream OS. I also agree with PacketScan: I have everything in and out disallowed by default, with strict rules. If the FW falls over, then the default is that nothing is allowed in or out. That has only happened once in several years, but I always set things up as if the worst possible intrusion WILL happen.
IBManners 3 Posts

Jul 16th 2011
Use the firewall for (1) preventing unauthorized machines from hosting Internet-facing services, (2) preventing unauthorized services on Internet-facing machines, and (3) blocking Windows LAN protocols from reaching the Internet. Notice that (1) and (2) are really for controlling employees rather than anything else.
IBManners 39 Posts
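Steven C.'s Debian gateway earlier in the thread (explicit inter-VLAN allows, HTTP forced through a logging proxy, no outbound SMTP/DNS except via the local services, a guest VLAN that can be switched off) and the three firewall jobs in the post just above (no unauthorised Internet-facing hosts, no unauthorised services on the hosts that are allowed, no Windows LAN protocols leaving the site) fit in one iptables ruleset. This is an added example written for this thread, not either poster's configuration; the interface names, VLAN subnets, server addresses and proxy port are assumptions.

```shell
#!/bin/sh
# gateway-rules.sh: iptables ruleset for a Debian box routing between a
# workstation VLAN, a server VLAN, a guest/WLAN VLAN and the Internet.
# Added example for this thread; interface names, subnets, server
# addresses and the proxy port are assumptions.
WAN=eth0                                   # Internet-facing interface
LAN=eth1.10;   LAN_NET=192.168.10.0/24     # workstation VLAN
SRV=eth1.20;   SRV_NET=192.168.20.0/24     # server VLAN
GUEST=eth1.30                              # untrusted WLAN / guest VLAN
DNS_SRV=192.168.20.53                      # only host allowed to do DNS to the Internet
MAIL_SRV=192.168.20.25                     # only host allowed to do SMTP to the Internet
WEB_SRV=192.168.20.80                      # only host allowed to serve 80/443 inbound
PROXY_PORT=3128                            # logging HTTP proxy on the gateway

gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Workstation HTTP is forced through the logging proxy on the gateway.
-A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# The single published service: 80/443 from the Internet to the web host.
-A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB_SRV
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:egress - [0:0]
:guest_inet - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
-A INPUT -i $SRV -s $SRV_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Inbound from the Internet: only the DNAT'd service on the one host.
-A FORWARD -i $WAN -o $SRV -d $WEB_SRV -p tcp -m multiport --dports 80,443 -j ACCEPT
# Between VLANs: explicit allows only; the DROP policy catches the rest.
-A FORWARD -i $LAN -o $SRV -d $DNS_SRV -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $SRV -d $DNS_SRV -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $SRV -d $MAIL_SRV -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $GUEST -o $SRV -d $DNS_SRV -p udp --dport 53 -j ACCEPT
# Everything bound for the Internet goes through the egress chain.
-A FORWARD -o $WAN -j egress
# Windows LAN protocols never leave the site: log, then drop.
-A egress -p udp -m multiport --dports 135,137,138 -j LOG --log-prefix "EGRESS-WINLAN "
-A egress -p udp -m multiport --dports 135,137,138 -j DROP
-A egress -p tcp -m multiport --dports 135,139,445 -j LOG --log-prefix "EGRESS-WINLAN "
-A egress -p tcp -m multiport --dports 135,139,445 -j DROP
# DNS and SMTP leave only from the local resolver and mail relay; anything
# else is rejected so a misconfigured client fails fast instead of hanging.
-A egress -s $DNS_SRV -p udp --dport 53 -j ACCEPT
-A egress -s $DNS_SRV -p tcp --dport 53 -j ACCEPT
-A egress -s $MAIL_SRV -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A egress -p udp --dport 53 -j REJECT
-A egress -p tcp -m multiport --dports 25,53,465,587 -j REJECT --reject-with tcp-reset
# Guest VLAN has its own chain so Internet access can be cut with
# "iptables -I guest_inet -j DROP" and restored with the matching -D.
-A egress -i $GUEST -j guest_inet
-A guest_inet -p tcp -m multiport --dports 80,443 -j ACCEPT
-A guest_inet -j DROP
# Workstations: HTTPS only (port 80 was redirected to the proxy above).
-A egress -i $LAN -p tcp --dport 443 -j ACCEPT
# Servers: web, SSH and NTP.
-A egress -i $SRV -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A egress -i $SRV -p udp --dport 123 -j ACCEPT
-A egress -j LOG --log-prefix "EGRESS-DENY "
-A egress -j DROP
COMMIT
EOF
}

# print: show the ruleset; check: parse it with iptables-restore without
# loading anything; apply: load it atomically (run as root).
main() {
    case "${1:-print}" in
        print) gen_ruleset ;;
        check) gen_ruleset | iptables-restore --test ;;
        apply) gen_ruleset | iptables-restore ;;
        *)     echo "usage: $0 print|check|apply" >&2; return 2 ;;
    esac
}

main "$@"
```

Run `check` before `apply`: iptables-restore --test parses the whole file and fails it as a unit, so a typo never leaves the box half-configured. Because INPUT and FORWARD default to DROP and the egress chain ends in DROP, anything not listed (including any new inter-VLAN path) fails closed, which is what both posts ask for; the only way to publish a new Internet-facing service is to add a DNAT line and a matching FORWARD allow, which is exactly the control over "who hosts what" that point (1) and (2) describe.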
Jul 18th 2011
I use the application FW built into GFI's Vipre; in addition to that I run an Untangle FW with DPI attached to the gateway. I block inbound connections as a default and only allow outbound connections that I have approved. Every three months I reset all settings to default on the application FW and start from scratch... it is a PITA but necessary.
Big "E" 9 Posts

Jul 18th 2011
How valuable is a firewall? It seems like all malware these days communicates via port 80 or another critical port that can't be denied at the FW. If home users can't afford an IPS or lack the technical knowledge what are they to do?
Brandon 7 Posts

Jul 18th 2011
On my personal laptop I use ZoneAlarm Extreme Security by Check Point. I worked on CP firewalls for many years, from version 4.0 up to 7.1, and have great regard for CP products.

It works as a FW, AV, parental controls and some other functions if you like and purchase them (HD crypto ...). On my laptop platform, Win7 Pro 64-bit, MS Security Essentials was also the built-in AV. On corporate infrastructure we used Check Point, at different levels.
Brandon 1 Posts

Jul 19th 2011