Invulnerable safe corporate computing environment

E-mail applications
Microsoft Exchange
We are redesigning our IT environment (software and hardware) and are looking for a solution in which our systems will not be vulnerable to any type of threat from our internet connection (web browsing, email, IM, FTP, etc). Today's typical solution is to surround ourselves with expensive and complex layers upon layers of detection software and appliances, and new companies are popping up daily with these products. Instead, how can we design a system (or overall computing environment) that is not vulnerable in the first place? I feel that there is enough technology out there to do this, I just have not figured out the right mix yet.

For example, our research has included the following: thin clients, ASP hosted apps, PC blades, streaming O/S and apps, virtual PCs and servers, diskless Linux workstations, non-mainstream vendors, multiple system domains and user profiles, isolation servers, O/S freeze type of products, etc, etc, etc. We've come up with a number of possible strategies, but all have some limitations or flaws. One thought was to use a thin client device with an embedded browser for the bulk of user web browsing (so Internet-borne threats cannot affect it), and connect with a Microsoft Terminal Server to access Microsoft IE when necessary, and that TS server would actually be a virtual server that got rebuilt every night to clear out any malware, etc. We would also set up a virtual Terminal Server for an email client. This does not make us invulnerable, but it does come close, but there are user profile and other issues (limited embedded web browser, etc). Ideally, our ISP should provide a clean threat-less internet connection, but that has not happened.

I'm open to any think-outside-of-the-box creative solution. Our company has about 50 users and we are currently running Win NT, MS Office 97 Pro, Exchange 5.5, and Outlook 98. Any suggestions?

Answer Wiki


There’s an answer, but you won’t like it. It’s called wire cutters. *snip*

The overall consensus in the security community is “Defense in depth” – meaning multiple layers.

Your best bet is to put everything through application-specific proxy servers, and set up the following:
– No Direct Internet Access – all through proxy server
– Email gateway with anti-virus
– Corporate, centrally controlled and downloaded anti-virus
– Corporate patch control
– Validation at a MAC address level that a given machine is authorized and patched, etc. or it doesn’t get on the network – it’s quarantined on a separate VLAN. (Cisco sells such a product, I think others do as well. Don’t remember its name though)
– Lock down Internet Explorer to the most paranoid level
– Disable Autoplay for CD’s inserted
– Disable the ability to boot off of a floppy or a CD
– Perform regular checks for rogue wireless equipment
– Get a topology report from your phone company and check every line for modems.

You get the idea…
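The network admission check described in the answer above (a machine is validated as authorized and patched, or it lands on a quarantine VLAN) can be expressed as a small policy evaluator. The following is an added example, not code from the answer or from any vendor's product: it parses a constructed posture report line from a hypothetical host agent and returns the VLAN assignment with the reasons for quarantine. The MAC inventory, the patch and signature age windows, and the VLAN numbers are all assumptions. Note that a MAC address alone is spoofable, so in practice it serves as an identity hint that should be paired with port authentication rather than as proof.

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory of authorized workstations (MAC -> hostname). A real
# deployment would pull this from the asset database. A MAC is spoofable, so
# treat it as an identity hint and pair it with 802.1X or similar port auth.
AUTHORIZED = {
    "00:11:22:33:44:55": "ws-finance-01",
    "00:11:22:33:44:66": "ws-eng-07",
}

MAX_PATCH_AGE_DAYS = 30   # hypothetical corporate patch-control window
MAX_AV_SIG_AGE_DAYS = 7   # hypothetical maximum antivirus signature age
PRODUCTION_VLAN = 10      # hypothetical VLAN numbers
QUARANTINE_VLAN = 999


@dataclass
class Posture:
    mac: str
    last_patched: date
    av_signatures: date
    autoplay_disabled: bool
    removable_boot_disabled: bool


def parse_report(line):
    """Parse one constructed 'key=value ...' posture report line from a host agent."""
    fields = dict(item.split("=", 1) for item in line.split())
    return Posture(
        mac=fields["mac"].lower(),
        last_patched=date.fromisoformat(fields["patched"]),
        av_signatures=date.fromisoformat(fields["avsig"]),
        autoplay_disabled=fields["autoplay"] == "off",
        removable_boot_disabled=fields["removable_boot"] == "off",
    )


def admission_decision(posture, today):
    """Return (vlan, reasons): production VLAN only if every check passes."""
    reasons = []
    if posture.mac not in AUTHORIZED:
        reasons.append("MAC not in authorized inventory")
    if (today - posture.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if (today - posture.av_signatures).days > MAX_AV_SIG_AGE_DAYS:
        reasons.append("antivirus signatures older than %d days" % MAX_AV_SIG_AGE_DAYS)
    if not posture.autoplay_disabled:
        reasons.append("CD autoplay enabled")
    if not posture.removable_boot_disabled:
        reasons.append("boot from floppy/CD enabled")
    vlan = PRODUCTION_VLAN if not reasons else QUARANTINE_VLAN
    return vlan, reasons


# Constructed sample reports: one compliant host, one that should be quarantined.
SAMPLE_REPORTS = [
    "mac=00:11:22:33:44:55 patched=2005-10-10 avsig=2005-10-18 autoplay=off removable_boot=off",
    "mac=00:de:ad:be:ef:01 patched=2005-08-01 avsig=2005-10-18 autoplay=on removable_boot=off",
]


def evaluate_all(lines, today_iso):
    """Evaluate every report line against the policy as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [admission_decision(parse_report(line), today) for line in lines]


if __name__ == "__main__":
    for vlan, reasons in evaluate_all(SAMPLE_REPORTS, "2005-10-20"):
        print(vlan, reasons or "compliant")
```

Every failed check is reported rather than only the first, so the help desk sees the full list of what a quarantined machine needs before it is readmitted.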


Discuss This Question: 9  Replies

  • Amigus
    Well the good news is that in your search for the holy grail of Internet computing you're not alone. In fact just about everyone wants what you want. Everyone except the vendors trying to sell you protection products, whose purpose for existence would be negated if there were such a thing as a network immune to attack. The biggest problem with any strategy/solution you are likely to devise is a) it will have inherent limitations or flaws and, b) it will require lots of testing and will still have some negative impact on user productivity. OK enough philosophy, here's what I'd recommend and have had the most success with:
    1. Standardize your software set(s), preferably with a fairly new version of everything. The newer version of just about everything has more security built in and you stand a better chance of being able to enable that security and effectively maintain it if you have a standard software set.
    2. Hardening. There are books, webcasts, articles, etc. all over the Internet that teach you how to tweak operating systems and applications so that they become immune to whole classes of attack. I can happily click on the latest IM-borne virus on my Windows XP box and it has no effect.
    3. Disposable environments. The harsh reality is that you're probably not going to get your holy grail no matter how hard you try. You have to admit to yourself and management that no matter what you do there will always be attack vectors in your network. The trick is to plan for and optimize recovery. Build systems that can be rebuilt quickly and easily. Automate and regularly do workstation reinstalls for example.
    I'd also look into quarantining w/ IPsec authenticated communication, web-caching/web-filtering, HIDS and IPS. While I agree that you can come awfully close to what you describe I don't think by the very nature of security you can attain it.
    If you do manage to solve this problem please let us know and I would suggest solving the traveling salesman problem as follow-on work. Lastly don't wish for your ISP to solve the problem for you. IMHO that's opening a can of worms you don't want to open.
  • Martoncik
    Don't forget a good intrusion detection system. May also want to upgrade your stuff to Windows 2003 Server with XP workstations, get rid of Exchange and install GroupWise for your mail.
  • Howard2nd
    Invulnerable - not in this lifetime on one machine. You want full protection between inside network and outside internet. Do what the military does, have two machines. A hardwired KVM switch will save you some by allowing one monitor, keyboard, switch. But it has to be basic, not IP and not smart switch. Anything else is a compromise and less than secure. Or get reasonable and run updates, anti-virus and patches, firewalls turned on and know that due diligence works four nines (99.99%). Every additional decimal in improvement will cost you ten fold in cost (i.e. five 9's 99.999% is ten times more expensive than four 9's). Good luck.
  • Anakin
    Thanks for all of your replies! In summary, I think we need to 1) put in place a reasonable layered mix of perimeter and internal detection products, 2) assume we will get infected at some point so design a system that is easily and quickly recoverable, and 3) consider using products that are not mainstream and less vulnerable to attack (i.e. Macs, etc). However I'd still like to come up with a strategy (hardware/software mix) that uses some sacrificial device (thin client, PC, Mac, etc) or session that provides safe browsing and email usage....something simpler than the dual PC (military strategy). Perhaps something similar to Avinti's Isolation Server product that automatically opens email attachments on a virtual machine and then looks for unallowed activity (i.e. virus stuff, etc). I feel that some type of virtual PC or server design could help create a safer computing environment for our users....just need to figure out how to do this successfully.
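The "open the attachment on a virtual machine and look for unallowed activity" approach mentioned in the reply above comes down to a behaviour allow-list for the viewer application. The following is an added example written for this thread, not code from Avinti's product or from any poster: it runs a set of detection rules over constructed sandbox event lines (process creation, registry writes, file writes, network connections) recorded while a hypothetical document viewer opened an attachment, and returns a deliver/block verdict with the offending events. The event format, the viewer names, the allowed destination host and the sample events are all constructed for the example.

```python
import re

# Viewers the sandbox is expected to launch for an attachment; a viewer opening
# a document should not normally spawn any other program. (Constructed list.)
EXPECTED_VIEWERS = {"winword.exe", "excel.exe", "acrord32.exe"}

# Hosts the viewer may legitimately reach (hypothetical internal update server).
ALLOWED_NET_DESTINATIONS = {"10.0.0.5"}

# Registry keys under ...\CurrentVersion\Run (and RunOnce) give persistence
# across reboots; a document has no business writing there.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.IGNORECASE)

# Writes into the OS directory are never expected from opening a document.
PROTECTED_PATH = re.compile(r"^[A-Za-z]:\\(Windows|WINNT)\\", re.IGNORECASE)


def parse_event(line):
    """Parse a constructed '<seq> <type> key=value ...' sandbox event line."""
    seq, etype, *pairs = line.split()
    return int(seq), etype, dict(p.split("=", 1) for p in pairs)


def analyse(events):
    """Apply the rules to every event; any finding blocks delivery of the attachment."""
    findings = []
    for line in events:
        seq, etype, f = parse_event(line)
        if etype == "proc_create" and f["child"].lower() not in EXPECTED_VIEWERS:
            findings.append((seq, "viewer spawned %s" % f["child"]))
        elif etype == "reg_write" and AUTORUN_KEY.search(f["key"]):
            findings.append((seq, "autorun registry write to %s" % f["key"]))
        elif etype == "file_write" and PROTECTED_PATH.match(f["path"]):
            findings.append((seq, "write to protected path %s" % f["path"]))
        elif etype == "net_connect":
            host = f["dst"].rsplit(":", 1)[0]
            if host not in ALLOWED_NET_DESTINATIONS:
                findings.append((seq, "unexpected connection to %s" % f["dst"]))
    return {"verdict": "block" if findings else "deliver", "findings": findings}


# Constructed event traces: a benign document and one that drops and persists a payload.
BENIGN_EVENTS = [
    "1 proc_create parent=outlook.exe child=winword.exe",
    r"2 file_read path=C:\Temp\agenda.doc",
    "3 net_connect dst=10.0.0.5:80",
]

MALICIOUS_EVENTS = [
    "1 proc_create parent=outlook.exe child=winword.exe",
    r"2 file_read path=C:\Temp\invoice.doc",
    "3 proc_create parent=winword.exe child=wscript.exe",
    r"4 file_write path=C:\WINNT\System32\svc.exe",
    r"5 reg_write key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=svc",
    "6 net_connect dst=203.0.113.7:80",
]


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_EVENTS), ("malicious", MALICIOUS_EVENTS)):
        result = analyse(trace)
        print(name, result["verdict"])
        for seq, msg in result["findings"]:
            print("  event %d: %s" % (seq, msg))
```

Because the rules describe what a document viewer is allowed to do rather than what a particular virus looks like, a new sample with no signature yet still trips them; the trade-off is that a legitimate attachment which needs macros or network access will be blocked and must be handled by a separate review path.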
    There is a key phrase "defense in depth"; besides the obvious anti-virus, include anti-spyware in your standard build. Given your number of users, consider using SmoothWall Linux as your firewall (or outer firewall). Never boast about your invulnerability - to do so would be to invite the hackers to attack.
  • Poppaman2
    Good answers, all... I think BobKerg's solution (i.e. "snip") is the only foolproof way to go... In a real world situation, harden your OS (the SANS reading room has some instructions, as does, I believe, CERT) or use Astaro (sp??) Linux - pre-hardened... No environment is totally secure: Firefox just patched some security holes, as did Opera; Linux (AS A WHOLE...) probably has as many vulnerabilities as Microsoft's OSes, they just receive less publicity... Apple issues security updates routinely. Your best bet is to investigate all of the components of your network (server OS, desktop OS, router, switch, IDS, IPS, antivirus, messaging, etc...) and select "best of breed" products from a security standpoint. Defense in depth, as stated several times before, is the way to go.
  • Dargandk
    For a safer computing environment, it all boils down to the approach you are taking. Here are a few points which I consider important:
    1. Securing the perimeter is not the complete solution. Secure your resources; your main servers and applications should be well protected, along with the perimeter solution. Within security design rely on multiple control design. Some of the controls should be in the form of preventive controls; at the same time you have to consider mitigating and compensating controls.
    2. Standardize. If you want to build on a thin client environment, or user-based machines (which I would recommend), make sure the configuration is based on standards and is consistent. For example the hardware/software and application pack should be consistent.
    3. Standards - this time I am referring to industry standards, such as protocols and design. A deviation may be required if you have a strong business case. Otherwise follow the KISS principle, keep it simple and straight and follow the standards.
    4. Develop strong processes and practices which can be enforced through technology. This is the main requirement for continuing operations and the compliance issues.
    - Dharminder Dargan
  • NetminderEE
    No argument with what Dargandk has posted, but you should recognize that IF you have an Internet connection and IF you have users and IF you're in a Microsoft environment, you're vulnerable. That's not to say you should make wholesale changes to your network. It does mean that because of your environment and because of the number of users, your network will always be a passive target for the next virus that hasn't had a definition written yet. Barry Goldwater once got in a lot of trouble for suggesting that the price of liberty is eternal vigilance; the same is said for a secure computing environment based on Microsoft systems. I'm not bashing Microsoft; but let's face it: they're the target every virus-writer shoots at.
  • Jaicee
    You might want to consider IBM's i5 (iSeries) platform. It will run (along with its native OS) Linux, AIX (Unix) and Windows all on the same box. It also has the DB2 database built in, so you wouldn't need to buy a database manager. For the desktop you might want to look into Linux (although I haven't had a chance to try that) which you could use for office apps (wp, spreads, email, browser, etc). The i5 when properly configured is very secure. i5/OS cannot be infected with a virus (however it can be a carrier when serving stream files, so you still need an anti-virus scanner). IBM Support is outstanding! So if you were to buy a package for your core business apps, you could probably get by with a very small support staff. If you wanted to do in-house programming the system supports RPG, COBOL, C, C++, and Java (and some other languages). The only thing I would say is don't skimp on that staff. Make sure the i5 administrator KNOWS how to set up security. Or if you are retraining an existing staff, send them to classes. There's also plenty of outside help, tools, etc. It may cost a little more upfront, but it's definitely worth a look even if you decide against it.
