effective security solution

20 pts.
Tags:
Security
Your Intranet Web server has been attacked by unauthorized external users. Company management wants you to recommend an effective security solution. Which should you suggest?
ASKED: December 23, 2007  3:08 AM
UPDATED: December 31, 2007  1:14 PM

Answer Wiki

Thanks. We'll let you know when a new response is added.

Mines in a DMZ supported by ISA 2004 and Cisco Pix firewall. I’ve had several penertration tests and its passed all with flying colours. depends on your budget of course. Prior to using the pix and only because we wanted a layered approach ISA on its own also passed many tests with colours.

Discuss This Question: 2  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Wrobinson
    This is a good start, but there is a lot that goes along with establishing and maintaining a good security baseline. First, you must understand that there are three areas to concentrate on: people, process and technology. People need to be trained on the impact of computer security on an organization, as well as how to implement it. This does not rest with IT, but end users must also be edudated and aware of how computer security impacts them -- particularly how to steer clear of common pitfalls. This is key because statistics show that the majority of security infractions that occur at the hands of end users is the result of them only trying to be helpful -- unaware of the consequences of their actions. Your company should develop a formal computer security policy, if one does not already exist. Having a well established computer security policy provides a framework according to which decisions affecting computer security can be made, as well as a standard against computer security is measured. Things that it should encompass are user name and password requirements and policies, acceptable user of computer and telecommunications equipment policies, as well as any hardware and software configuration hardening requirements, only to name a few. Once such a policy is in effect, it must be communicated to the user community. I have a sample one that I can float you, if you're interested. You can also consult security Web sites like SANS Institute or search the Web in general to find examples of these and other documents. Next, as mentioned previously, people need to be trained on the impact of security and how to implement it within the organization. For this, it is recommended that a separate and distinct security subteam be developed to ensure that there are no conflicts of interest, such as when security is offloaded onto an already existing arm of the IT team like network/system administration and so on. The truth is that it is the responsibility of everyone to maintain security but the accountability should rest with this group. Their role is to really define the policies and procedures -- not so much the implementation thereof -- again to prevent conflict of interest. This does not mean, however, that the input of administrators should not be considered, because it is they, who have the knowledge and expertise when it comes to the tools to do the job and it will in turn, the administrators in the environment will be responsible for implementing the security procedures from a technology perspective. The more that can be automated on this level, the better. Now looking at this from a technical implementation perspective, I think that a DMZ, which stands for demilitarized zone, for anyone out there that did not already know that, is a good place to stage any Internet facing servers. This is a means of keeping for all intents and purposes, unregulated traffic off the corporate/private network. You can configure communication back and forth from authorized sources and destinations accordingly. Microsoft ISA is a good security solution that can publish Web services securely -- that is without exposing the actual server and/or service to the Internet directly. Implementing a good hardware based firewall, like the one mentioned -- Cisco PIX or SonicWALL and so on, is also a good option. You will also want to consider having external and internal penetration tests performed, as well as simulated social engineering attacks and so on to find out where your weaknesses are before and after implementing security measures. I mentioned this earlier, but I want to expand on it a bit. Develop server configuration hardening standards. Make sure that only the services required run on any given server to minimize the potential for vulnerabilities to be exploited. Also, stop unnecessary services and don't install unnecessary applications and add-ons. Windows Server 2008, which is due out early next year, has a great feature CLI option called "server core" that installs only the command line and those services necessary, according to the intended use of the server. You can find out more about that here http://www.microsoft.com/windowsserver2008/servercore.mspx. Lastly, once you have a secure environment up and running -- and perhaps even beforehand -- you will want to consider performing regular audits to ensure compliance and check for vulnerabilities. In the meantime, good luck and godspeed! -Wrobinson
    5,625 pointsBadges:
    report
  • Papp
    Wrobinson is partialy right. I persoanly do not hold hope that the end user "could" help. Inserting a Sony CD embeds $sys$aries. ActiveX should have been reserved for internal enterprise ONLY! Microsoft Web servers can not be protected by perimeters alone. First client comprimise has a setemic effect when they then access the internal ACL'd server. Tons of these zero-day activeX controls are still out there and never likely put back in the box. I remember being chided about my complaint on VS5 activeX release, "What are you scared?"... Yes! I am trying to stay smarter than my bravado! Tools + Money from exploiting = failure to keep up_! If MS had better tools to lock, monitor, and throttle RPCs,... then perimeter away. You better check your endpoints, and watch the "enticements" bait you back in. It is like playing lemmings and they are protesting then tearing down the bridge!!! You can only watch as they drop off the cliff.
    310 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following