Network technologies and trends:

Network Documentation Policy

Jul 13 2008   6:03AM GMT

Sample I.T. Security Policy - Internet Security



Posted by: Yasir Irfan
Networking, Security, Servers, Microsoft Windows, Linux, Switches, Cisco, Routers, Policies, Mobile, Internet Security, Network Documentation, Exchange, Network Documentation Policy, Network Policies

Finally we are completing this series; here we go with the last topic. It’s the Internet Security Policy, which is very important for any organization to have. I would welcome your comments, which may encourage me to come up with more interesting stuff.

INTERNET POLICY

“IS” CONSIDERED THE FOLLOWING:

1. Dedicate a firewall device. Don’t run other services on it, and disable all unnecessary service features that may be included in the firewall package.

2. Disallow all connection attempts to hosts inside the network. Allowing any inbound connections gives hackers a mechanism they might be able to exploit, either to establish connections to Trojan horses or to take advantage of bugs in service software.

3. Divide the services provided using Internet tools into public services and private (organizational) services. Place the public services on an Internet site (or sites) external to the Internet firewall and provide the private services on an intranet site (or sites) on the protected LAN.

4. Do not rely upon packet filtering alone to protect the network.

5. Do not rely upon Windows ISA Server built-in filtering alone to protect the network.

6. Do not use simple packet filtering or packet-filtering services from the Internet service provider as a replacement for application-layer firewalls. They are not as secure.

7. Don’t rely solely on packet filters for security protection from the Internet. Drop all external routing protocol updates (RIP, EIGRP) bound for internal routers. No one outside the network should be transmitting RIP updates to internal routers.

8. Filter out and do not respond to ICMP redirect and echo (ping) messages.

9. Limit the number of external hosts allowed to connect through the firewall to the absolute minimum possible. Take measures (proxy servers, the firewall or IP masquerading) to make sure the IP addresses of those hosts are difficult to determine.

10. Make sure there’s no way for a hacker to tell which firewall product is in use.

11. Never publish a list of user or employee names on the Web site. Publish job titles instead.

12. Reduce the number of connections to the Internet to the minimum possible: one per campus. Many large organizations allow only a single link to the Internet at headquarters and route all remote offices to that point over the same frame relay lines used to connect the internal networks. Respond immediately to intrusion attempts when they are detected. Collect as much information about the attacker as possible, and use their IP domains to determine who the higher-level service providers are.

13. Set up the firewall to discard ICMP echo and redirect messages destined for interior hosts.

14. Unbind NetBIOS from all servers outside the firewall. Set the TCP/IP stacks on those machines to accept connection only on ports for services that machine specifically provides.

15. If there is only one connection to the Internet, hard code that connection in the router connected to the service provider’s network. Use RIP, EIGRP, OSPF or other automated routing protocols to manage routing inside the network.

16. Do not allow SNMP to travel into or out of the network.

17. Use operating system software on Internet-accessible machines that is not susceptible to the Ping of Death.

18. Configure the gateway not to pass Ping packets.

19. Install the latest version of the operating system software.

20. Log network activity and have the log software signal an alert when a SYN attack or an ICMP flood is in progress. Deny access to the computer or network that originates the attack, and take measures (such as calling or sending an e-mail message to the administrator of the offending network) to stop the malicious behavior.

21. Un-bind NetBIOS from Internet-accessible network adapters. Allow only authorized hosts outside the network to connect to the DNS servers.

22. Configure the gateway or packet filter to discard all IP packets that use the source routing feature.

23. Disallow services for which there are no proxy servers.

24. Do not allow clear-text password authentication.

25. Do not use RIP or other automated routing protocols. Statically assign the routing tables and disable RIP updates unless the network is too large to manage manually. This makes the routers impervious to RIP-based denial-of-service or spoofing attacks.

26. Don’t allow dial-up connections to the Internet. Remove modems and all other uncontrolled network access devices. Disable free COM ports in the BIOS settings of client computers and password protect the BIOS to prevent users from overriding the security settings.

27. Drop all packets that are TCP source routed. Source routing is rarely used for legitimate purposes.

Log all public access to servers, and check the logs often. Use alerting software to detect hacking attempts against the exposed machines.

28. Set up monitoring software that can alert on flood attacks against the network. Record the IP addresses of the source computers (assuming they look valid) and try to determine the source of the attacks so legal measures can be taken to stop the problem.

29. Set up your own firewall. Place Web and FTP servers outside it and mail servers on the inside. Pass only SMTP and POP3 traffic from external sources. Run no other services or software on mail, Web, FTP, or firewall servers.

30. Use a port scanner periodically (about once a month) from outside the network to check the status of the firewall, packet filter, and NetBIOS bindings. This is especially important when servers are maintained by more than one person or when retaining outsourced security services.

31. Use high-level proxies capable of stripping executable content like ActiveX and Java from Web pages.

32. Use IP masquerades to hide the identity of hosts inside the network.

33. Whenever possible, use proxy servers for all application protocols.

34. Use IP address assignment, in combination with an internal firewall and IP selection on servers, to further control and partition the access allowed to remote users.

35. Use a Web and FTP hosting service rather than computers on your own network to provide customers with information about the Organization. This puts the Web hosting agency at risk rather than your own network, and means that no public services need to be provided from internal servers.

36. As part of security training, make sure users know to report all instances of denial of service, whether they seem important or not. If a specific denial of service can’t be correlated to known downtime or heavy usage, or if a large number of service denials occur in a short time, a siege may be in progress.

37. Great care must be taken when downloading information and files from the Internet, to safeguard against both malicious code and inappropriate material.

38. Avoid using one of the smaller Internet service providers. Hackers frequently target them as potential employers because they often have less security awareness and may use UNIX computers, rather than dedicated machines, as gateways and firewalls, making spoof attacks easy to perpetrate. Ask the service provider whether they perform background checks on technical service personnel, and reject those that say they do not.

39. Consider using the disconnected Internet security model if the services required by the users can be made available from a single machine.

40. Manually assign IP addresses if the Organization is a potential espionage target.

41. Apply anti-spoofing filters.

42. Plans are to be prepared, maintained and regularly tested to ensure that damage done by possible external cyber crime attacks can be minimized and that restoration takes place as quickly as possible.

43. In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards are to be periodically reviewed and maintained at all times.

44. Contingency plans for a denial-of-service attack are to be maintained and periodically tested to ensure adequacy.

45. Procedures to deal with hoax virus warnings are to be implemented and maintained.

46. Antivirus software is to be deployed across all PCs, with regular virus definition updates and scanning across servers, PCs and laptop computers.

47. E-commerce processing systems including the e-commerce Web site(s) are to be designed with protection from malicious attack given the highest priority.

48. E-commerce related Web Site(s) and their associated systems are to be secured using a combination of technology to prevent and detect intrusion together with robust procedures using dual control, where manual interaction is required.

49. Personnel should understand the rights granted to them by the Organization in respect of privacy in personal e-mail transmitted across the Organization systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

50. Confidential and sensitive information should not be transmitted by e-mail unless it is secured through encryption or other secure means.

51. E-mail should be considered as an insecure communications medium for the purposes of legal retention for record purposes. With the usage of digital signatures and encryption, reliance upon e-mail may soon be available; however, if in any doubt, treat e-mail as transient.

52. External e-mail messages should have appropriate signature footers and disclaimers appended (E-mail Signature File). A disclaimer is particularly important where, through a mis-key, the e-mail is sent to an inappropriate person. The disclaimer should confirm the confidential nature of the e-mail and request its deletion if the addressee is not, in fact, the intended recipient.

53. Personnel should not open e-mails or attached files without ensuring that the content appears genuine. If you are not expecting to receive the message or are not absolutely certain about its source do not open it.

54. Personnel should be familiar with general e-mail good practice, e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should, on the other hand, be regularly purged or deleted from your system.

55. Use standard TEXT (ASCII) messages where possible; these are both smaller (in terms of file size) and are less able to ‘hide’ executable code e.g. HTML based e-mails which can ‘run’ upon opening.

56. The sending of inappropriate messages should be prohibited including those which are sexually harassing or offensive to others on the grounds of race, religion or gender.

Jul 8 2008   8:20AM GMT

Sample I.T. Security Policy - Remote Access Security



Posted by: Yasir Irfan
Networking, Network Security, Security, Servers, Microsoft Windows, Cisco, Policies, Network Documentation Policy, Network Policies, Server Security, Remote Access Security

Finally we are almost proceeding towards the completion of the Sample I.T Security Policy; we have just two more topics to cover. In the coming days I will try to complete that. Here we are with Remote Access Security.

REMOTE ACCESS SECURITY 

“IS” CONSIDERED THE FOLLOWING:

1. A RAS server provides the most secure method for remote access to the network, if remote access is required.

2. Never allow client computers on the network to answer remote access connections.

3. Organize all remote access servers in a centrally controlled location.

4. Servers have no need to originate dial-out connections (except when using telephone lines as low-cost WAN connections, but these connections should be relatively permanent).

5. To simplify security administration, allow only one method of remote access into the network.

6. Remote access control procedures must provide adequate safeguards through robust identification, authentication and encryption techniques.

7. Carefully consider the wisdom of providing cellular telephones and modems for use with laptop computers. This technology isn’t usually justified considering the relatively modest increase in productivity compared to the cost and the security risk of a lost laptop.

8. Consider using only the NetBEUI protocol for remote access to limit the extent of intrusions on the network.

9. Control the distribution of remote access software on the network. Never allow client computers to run remote control software. If remote control software is necessary, run the software from centrally controlled computers or thin-client servers.

10. Disable dial-in networking, except in the cases of trusted individuals or special computers, because dial-in networking can bypass regular network security.

11. Encourage an easy-to-use (but secure, of course) method for users to indicate when they need remote access, for how long, and to which phone number. Base the dial-in permissions on these requests. Always verify the request verbally with the user to ensure that it’s not a spoof.

12. Gather contact information for the telephone companies as soon as possible so that it is on hand if dial-up hacking attempts are discovered.

13. If possible, use external modems to answer RAS connections. They can be powered off when no RAS activity is anticipated, and they allow manual disconnection if necessary.

14. If remote access is required only occasionally, set the Remote Access Server service to start manually, then use the services control panel to start the service when needed and stop it when it is no longer in use.

15. Revoke dial-in permissions for users during periods when they are not necessary, and grant them when the user is away from the office or working from home for a period.

16. Thin client and remote control software can be more secure than remote access software in certain circumstances. For instance, an entire database could be copied down using remote access software, but that same data would be extremely difficult to extract using remote control software configured to disallow file transfers.

17. Tightly control user-based remote access permissions. Allow only those users who have an immediate need to log in remotely.

18. Use alerting software to detect numerous attempts at password guessing over dial-up networks. Use the standard performance monitor to detect this activity, or purchase third-party alerting software.

19. Use callback security. Without callback security, tracing RAS based intrusion attempts is very difficult.

20. Use external modems that have on/off switches for those machines that have remote access software installed. Only turn on a modem when a user calls in and requests a remote control connection.

21. Use hard-coded callback security for all remote users that don’t normally travel, to prevent their account from being exploited from unknown locations.

22. Use Microsoft encryption when possible.

23. Use the Point-to-Point Tunneling Protocol for all Internet connections allowed into the network, or some third-party software that performs the encrypted tunnel function in concert with the firewall.


Jul 5 2008   6:35AM GMT

Sample I.T Security Policy - Data Security



Posted by: Yasir Irfan
Networking, Security, Microsoft Windows, Linux, Switches, Routers, DataCenter, Data Security, Exchange, Backup, Network Documentation Policy, Network Policies

As we are proceeding ahead, we have two more topics to be covered to complete this Sample I.T Security Policy; hopefully it will be good and useful to you all. I would like to have some comments, which may boost my morale to take up more interesting things in future. Here we are with Data Security.

DATA SECURITY

“IS” CONSIDERED THE FOLLOWING:

1. Create a strong backup & Disaster recovery strategy and test backups regularly.
2. Create separate partitions for the Windows System files and the volume the server will share. Then don’t share the system boot partition, share only the empty volume created for file storage.
3. Implement strong permission-based security for all files stored on the server.
4. Never use the FAT file system on the hard disk of a Windows computer when security is a concern.
5. Remove default assignments to the everyone group.
6. Repair damaged drives in mirror or stripe sets as soon as possible.
7. Store backup tapes in a waterproof, flameproof safe in the server room. If tapes must be moved off site, be certain security measures are in place to prevent their being compromised while off site.
8. Use disk mirroring or duplexing for critical data. Use duplexing when possible.
9. Consider using hardware RAID, which is faster and is independent of the operating system.
10. Consider using a SAN for large amounts of data.
11. If the server’s physical security could be compromised in any way, and the data on the disk warrants protection, use file system encryption.
12. Use file system encryption to protect sensitive data when operating system features are not effective (when the hard drive has been removed or the operating system has been replaced).
13. For extreme fault tolerance, consider using a third-party server replication system.
14. Access to information and documents is to be carefully controlled; ensuring that only authorized personnel may have access to sensitive information.
15. With poor or inadequate access control over your documents and files, information may be copied or modified by unauthorized persons, or become corrupted unintentionally or maliciously.
16. High-risk systems require more stringent access control safeguards due to the confidentiality of the information they process and/or the purpose of the system, e.g. the funds transfer systems used by banks. Ideally, the operating systems for such systems should be hardened to further enhance security.
17. Properly mark proprietary and confidential documents. The confidential markings can be minimized if they are seen on routine documents. Mark only proprietary documents, not everything.
18. Track printouts from any computer. Have confidential and proprietary markings automatically put on every printed proprietary document.
19. Limit access to source code; limit physical access to documents.
20. Access to data and information is at the heart of every set of Information Security Policies. Inappropriate access to data may contravene Organization policy and infringe legal regulations.
21. The right to access systems and data is based upon identified and approved business needs and should be withdrawn when the need ceases.
22. Denying unauthorized persons access, both physical and logical, to the Organization’s systems is part of an effective Information Security process. Physical access to the data centre or computer room should always be restricted to authorized persons only.
23. However, data access goes beyond access to PCs and servers; it also includes access to written and printed information on the desks of personnel, notes pinned to notice boards, etc. Access to such information must also be controlled. Traditionally, door locks and keys ensured security; nowadays, even greater security can be provided by electronic keys and biometrics, with the additional benefit that they may also monitor and record access attempts.
24. Where users’ access rights and privileges are not documented, information security may be compromised.

Yasir
Personal Website: www.yasirirfan.com



Jul 1 2008   7:25AM GMT

Sample I.T Security Policy - Server Security



Posted by: Yasir Irfan
Networking, Servers, Microsoft Windows, Switches, Routers, Network Documentation Policy, Network Policies, Server Security

Now we are proceeding towards the Server Security Policy, which was quite tiresome to draft.

6‐SERVER SECURITY
“IS” CONSIDERED THE FOLLOWING:
1. Limit the number of protocols in use throughout the network to the extent possible.
2. Use connection-monitoring software like the performance monitor to alert the network administrator to potential intrusion attempts.
3. Antivirus software must be chosen from a proven leading supplier.
4. Remove the keyboard and monitor from servers if possible. They can be reattached when administration is necessary. Certain mouse devices will not reset properly when reattached; they should be left attached.
5. Add trust relationships between domains only when several users need access.
6. Create groups based on natural associations in the Dept. Assign file permissions by groups. Make user accounts members of the groups that need access to certain files.
7. Don’t allow unrestricted file sharing. Use file sharing with user-based authentication or, at the very least, passwords.
8. Limit the rights of Guest and Anonymous accounts.
9. Never enable the Guest account.
10. Try to arrange data so that as few user accounts as possible are required for users to access it.
11. Do not make Internet Information Server user accounts members of the Users or Domain Users groups. Avoid making these accounts members of groups that would grant these users additional rights or access permissions.
12. Do not make script virtual directories readable, do not make other virtual directories executable.
13. Create a group for Internet users for IIS; apply permissions to that group account.
14. Do not allow users to place scripts in their own WWW service virtual directories.
15. Use the logging facilities of IIS to watch for a high proportion of unauthorized, forbidden, and not-found access attempts.
16. Do not allow NetBIOS connections to be made over the Internet.
17. Replace the default Everyone, Full Control permission with a Domain Users, Change permission on all drives except the system and boot volumes.
18. On each Windows 2003 server inside the network, establish filters to pass only those protocols that are explicitly served. This prevents software from working in unexpected ways.
19. To make administration easier and leave less possibility for error, use several shares on one workstation rather than scattering them among several workstations, if possible.
20. Use the No Access permission only when necessary to override other permitted access.
21. Grant permissions for a share to a specific group or set of users, rather than using the everyone group and attempting to restrict users at the subdirectory level.
22. Use NTFS volumes for file sharing whenever possible, and use file-level security rather than share-level security when possible.
23. Keep sensitive information out of the shopper table because that information is accessible to a web browser.
24. Use both a secure port (HTTPS) and Secure Socket Layer encryption, and use strong NTFS permissions restrictions on WWW service virtual directories.
25. Require all possible network connections to services outside the network security boundary to go through a proxy server.
26. Configure the DNS server to exchange information only with computers within the network security boundary and with the DNS server “up” the network tree from them.
27. Remove all instances of the Everyone, Full Control permission. Do not set a default permission to replace it so that all subdirectories from the root do not by default inherit permissions. Add permissions only where specifically required.
28. Access to operating systems is to be restricted to those persons who are authorized to perform systems administration/management functions. Even then such access must be operated under dual control requiring the specific approval of senior management.
29. Staff with access to the $ prompt or command line could succeed in executing system commands which could damage and corrupt your system and data.
30. Operating system commands could be used to disable or circumvent access control and audit log facilities, etc. System access must be monitored regularly to prevent attempts at unauthorized access and to confirm that access control standards are effective.
31. Deploy an intrusion detection sensor for each server you want to protect.
32. Make sure the audit or accounting functions are turned on.
33. Keep up to date with the latest patches for both the operating systems and the applications installed on the servers. That will help close OS and application holes.
34. Have servers in a physically secure location to prevent unauthorized access.
35. On a regular basis, run programs (for example, Crack, Tiger, COPS and Satan) to check for system weaknesses.
36. Make timely system backups.
37. Keep one copy of backup tapes in a secure facility offsite.
38. Use a virus-checker program.
39. Modify the registry on Windows servers for maximum security according to the Microsoft security checklist.

Yasir
Personal Website: www.yasirirfan.com



Jun 28 2008   12:25PM GMT

How to configure an ASA/PIX firewall to collect NetFlow data from an external router to a NetFlow collector located in the inside network.



Posted by: Yasir Irfan
Networking, Cisco, Routers, Network Documentation Policy, ASA/PIX, Netflow, PIX 525

This article provides an example of NetFlow configuration on a Cisco router and an ASA/PIX firewall so that the NetFlow data is collected in the internal network.
[Figure: netflow1.jpg]
Components Used
The information in this document is based on the following hardware and software versions:
• Cisco Router 3745, IOS version 12.3(17b) (network 192.168.10.0)
• PIX 525 7.0.3 (an ASA can also be used) (internal 10.0.0.2)
• ManageEngine NetFlow Analyzer 6 (any NetFlow collector can be used)

In this example let’s start by configuring NetFlow on the Cisco router.

Cisco Router Configuration
Here the IP address of the interface is 192.168.10.1.

Enabling NetFlow on an Interface
Enter global configuration mode on the router and issue the following commands for each interface on which you want to enable NetFlow:

interface {interface} {interface_number}
ip route-cache flow
bandwidth {kilobits}
exit

After applying the commands the example will be as follows:
router-3745#configure terminal
router-3745(config)#interface FastEthernet 0/1
router-3745(config-if)#ip address 192.168.10.1 255.255.255.240
router-3745(config-if)#ip route-cache flow
router-3745(config-if)#bandwidth 1000
router-3745(config-if)#exit

Exporting NetFlow Data

Issue the following commands to export NetFlow data to the server on which NetFlow Analyzer is running:

ip flow-export destination {hostname|ip_address} 9996 (Exports the NetFlow cache entries to the specified IP address. Use the IP address of the NetFlow Analyzer server and the configured NetFlow listener port. The default port is 9996.)

ip flow-export source {interface} {interface_number} (Sets the source IP address of the NetFlow exports sent by the device to the address of the specified interface. NetFlow Analyzer will make SNMP requests of the device on this address.)

ip flow-export version 5 [peer-as | origin-as] (Sets the NetFlow export version to version 5. Versions 5, 7 and 9 are available.)

ip flow-cache timeout active 1 (Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes, your traffic reports will have spikes. It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data.)

ip flow-cache timeout inactive 15 (Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600.)

snmp-server ifindex persist (Enables ifIndex persistence (interface names) globally. This ensures that the ifIndex values are preserved across device reboots.)

The following example shows the above mentioned commands

router-3745(config)#ip flow-export destination 192.168.10.5 9996
router-3745(config)#ip flow-export source FastEthernet 0/1
router-3745(config)#ip flow-export version 5
router-3745(config)#ip flow-cache timeout active 1
router-3745(config)#ip flow-cache timeout inactive 15
router-3745(config)#snmp-server ifindex persist
router-3745(config)#^Z

Issue the following commands in normal (not configuration) mode to verify whether NetFlow export has been configured correctly:

show ip flow export (Shows the current NetFlow export configuration.)
show ip cache flow (Summarizes the active flows and gives an indication of how much NetFlow data the device is exporting.)

router-3745#show ip flow export
router-3745#show ip cache flow

The next step is to configure a static NAT translation on the ASA/PIX, so that the collector at 10.0.0.6 on the inside is reachable from the router as 192.168.10.5:

pix-525# configure t
pix-525(config)# static (inside,outside) 192.168.10.5 10.0.0.6 netmask 255.255.255.255 dns

In order to export the NetFlow statistics to the NetFlow Analyzer located in the internal network, we have to configure the following access-list and apply it to the outside interface to allow the NetFlow traffic. Only the first line is needed for NetFlow; the second permits any inbound TCP connection, which the Internet Security Policy earlier on this page advises against.

pix-525# configure t
pix-525(config)# access-list NETFLOW extended permit udp any host 192.168.10.5 eq 9996
pix-525(config)# access-list NETFLOW extended permit tcp any any

Apply the created access-list to the outside interface:
pix-525(config)# access-group NETFLOW in interface outside

Now install the NetFlow Analyzer software and configure it to receive the NetFlow statistics from the external router.

Troubleshooting tips

Verify that NetFlow is working on the Cisco router

router-3745#sho ip cache flow
IP packet size distribution (78841980 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.003 .453 .023 .012 .008 .010 .004 .003 .003 .003 .004 .003 .003 .003 .004

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .005 .022 .021 .401 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
548 active, 3548 inactive, 4045717 added
84147818 ager polls, 0 flow alloc failures
Active flows timeout in 1 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33416 bytes
548 active, 1500 inactive, 4045717 added, 4045717 added to flow
0 alloc failures, 0 force free
2 chunks, 14 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
——– Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-Telnet 143 0.0 2 52 0.0 0.4 12.7
TCP-FTP 255 0.0 6 100 0.0 9.0 7.2
TCP-FTPD 15010 0.0 1 63 0.0 0.6 15.4
TCP-WWW 1100665 2.5 14 607 37.7 8.2 6.9
TCP-SMTP 171448 0.3 69 633 27.3 35.8 6.2
TCP-X 723 0.0 2 245 0.0 0.4 13.0
TCP-other 1966270 4.5 21 656 95.4 11.7 6.6
UDP-DNS 56825 0.1 12 66 1.5 20.5 11.6
UDP-NTP 8 0.0 1 76 0.0 0.0 15.5
UDP-Frag 1 0.0 1 1476 0.0 0.0 15.0
UDP-other 684203 1.5 11 319 17.9 4.8 14.9
ICMP 48198 0.1 1 78 0.2 1.6 15.4
GRE 1358 0.0 183 182 0.5 50.0 4.2
IP-other 62 0.0 83 108 0.0 53.4 3.2
Total: 4045169 9.2 19 601 180.9 10.6 8.3

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 192.168.10.5 Tu0 69.26.190.118 11 1705 0D96 8
Fa0/1 192.168.10.5 Tu0 65.55.111.92 06 0019 10EC 32
Fa0/1 192.168.10.5 Tu0 206.190.48.113 06 0019 714B 29

Check that NAT is working on the firewall

pix-525# show xlate
2in use, 417 most used
Global 192.168.10.5 Local 10.0.0.6

Check that the access-list is forwarding the NetFlow traffic

pix-525# sho access-list NETFLOW
access-list NETFLOW; 2 elements
access-list NETFLOW line 1 extended permit udp any host 192.168.10.5 eq 9996 (hitcnt=7)
access-list NETFLOW line 2 extended permit ip any any (hitcnt=140861)

To know more about NetFlow Analyzer and its configuration, click this link: NetFlow.
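What actually crosses the firewall on UDP/9996 after the configuration above, as an added example that is not from the article or from NetFlow Analyzer: it encodes constructed flows (modelled on the `show ip cache flow` rows, with ports shown there in hex) as one NetFlow v5 datagram the way the router would, parses it the way the collector would, and flags any flow longer than the 1-minute active timeout set with `ip flow-cache timeout active 1`. Byte counts, timestamps, ifIndex values and the third flow's hosts are constructed.

```python
"""NetFlow v5 round trip: exporter encode, collector decode, active-timeout check.

Added example (not the article's or NetFlow Analyzer's code). Flows, octet counts,
timestamps and ifIndex values are constructed; the record layout is Cisco's v5.
"""
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
HEADER_FMT = "!HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs,
                           # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in/out ifIndex, pkts,
                                         # octets, first, last, sport, dport, pad,
                                         # tcp_flags, proto, tos, ASNs, masks, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30
NETFLOW_VERSION = 5
ACTIVE_TIMEOUT_MS = 60 * 1000  # 'ip flow-cache timeout active 1' (one minute)


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    first_ms: int  # router sys_uptime (ms) at the first packet of the flow
    last_ms: int   # router sys_uptime (ms) at the last packet of the flow
    in_if: int     # ifIndex; stable across reboots with 'snmp-server ifindex persist'
    out_if: int


# Constructed flows. The first two mirror 'show ip cache flow' rows
# (192.168.10.5 -> 65.55.111.92 proto 06 0019->10EC, 32 pkts;
#  192.168.10.5 -> 69.26.190.118 proto 11 1705->0D96, 8 pkts).
# The third is constructed to have run 31 minutes without being split.
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "65.55.111.92", 6, 0x0019, 0x10EC, 32, 21504, 5_000, 8_200, 1, 3),
    Flow("192.168.10.5", "69.26.190.118", 17, 0x1705, 0x0D96, 8, 608, 7_000, 7_400, 1, 3),
    Flow("10.0.0.50", "192.168.10.1", 6, 49152, 22, 9000, 720_000, 1_000, 1_861_000, 3, 1),
]


def build_v5_packet(flows, sys_uptime_ms, unix_secs, flow_sequence):
    """Encode flows as one NetFlow v5 datagram, as the exporting router would."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    header = struct.pack(HEADER_FMT, NETFLOW_VERSION, len(flows), sys_uptime_ms,
                         unix_secs, 0, flow_sequence, 0, 0, 0)
    records = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\0\0\0\0",
                    f.in_if, f.out_if, f.packets, f.octets, f.first_ms, f.last_ms,
                    f.sport, f.dport, 0, 0, f.proto, 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + records


def parse_v5_packet(data):
    """Decode a datagram received on the collector's UDP/9996 listener.

    Anything that is not a well-formed v5 datagram is rejected, so a stray or
    spoofed packet reaching the listener cannot be mistaken for flow data."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _up, _secs, _nsecs, flow_sequence, *_ = struct.unpack_from(HEADER_FMT, data)
    if version != NETFLOW_VERSION:
        raise ValueError(f"unexpected NetFlow version {version}")
    if count > MAX_RECORDS or len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad, _flags, proto, _tos, *_rest) = struct.unpack_from(
            RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                          sport, dport, pkts, octets, first, last, in_if, out_if))
    return flow_sequence, flows


def flows_exceeding_active_timeout(flows, limit_ms=ACTIVE_TIMEOUT_MS):
    """Flows that lived longer than the configured active timeout.

    With 'timeout active 1' the router splits them into one-minute fragments;
    a hit here means the exporter is still on the 30-minute default, which is
    what produces the report spikes the article warns about."""
    return [f for f in flows if f.last_ms - f.first_ms > limit_ms]


if __name__ == "__main__":
    datagram = build_v5_packet(SAMPLE_FLOWS, 2_000_000, 1_215_000_000, 4045717)
    seq, flows = parse_v5_packet(datagram)
    print(f"sequence {seq}: {len(flows)} flows in {len(datagram)} bytes")
    for f in flows_exceeding_active_timeout(flows):
        print(f"long-lived flow {f.src}:{f.sport} -> {f.dst}:{f.dport}, "
              f"{(f.last_ms - f.first_ms) // 1000} s")
```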



Jun 28 2008   5:24AM GMT

Sample I.T Security Policy - Network Security



Posted by: Yasir Irfan
Networking, Network Security, Security, Microsoft Windows, Switches, Cisco, Routers, Policies, DataCenter, Network Documentation Policy, Network Policies

We are continuing our series on the Sample I.T Security Policy; so far we have covered Physical, Human, User and Client Security. Today let's concentrate on Network Security, which is as follows:

5‐NETWORK SECURITY
“IS” CONSIDERED THE FOLLOWING:
1. The network must be designed and configured to deliver high performance and reliability to meet the needs of the business, whilst providing a high degree of access control and a range of privilege restrictions.
2. Inappropriate control over access to the network will threaten the confidentiality and integrity of Organisation data.
3. Apply strong monitoring and management utilities to the Organisation network.
4. Never communicate between Organisation units over the Internet without using some form of encryption. Unencrypted packet headers contain valuable nuggets of information about the structure of the internal network.
5. Always use encrypted communications for data that flows over public networks like the Internet.
6. Locally control and administer all security services for the network.
7. Make telecommunications security an integral part of the network security if the network can be accessed via modems.
8. Use leased lines rather than encrypted tunnels whenever practical.
9. Monitor and audit the logs of the internal routers and switches.
10. Install fiber cables instead of UTP cables.
11. Any speed-dialing facility creates information security risks, as confidential customer contact information can be accessed just by pressing telephone keys.

I.S issues concerned:
• Sensitive information may be stolen because a caller masquerades as you over the telephone.
• Secure or unlisted phone numbers may be acquired from your stored information.
• Secure or unlisted phone numbers may be acquired from global information stored in the PBX.

Yasir
Personal Website: www.yasirirfan.com


Jun 25 2008   4:48AM GMT

Sample I.T Security Policy - CLIENT SECURITY



Posted by: Yasir Irfan
Networking, Security, Microsoft Windows, Policies, DataCenter, Network Documentation Policy, Network Policies, Client Security

Today there is a seminar organized by Cisco, the Data Center 3.0 Strategy event at the Meridian. Hopefully I will get more info which I can post here. The last Cisco Expo I attended was held two months back, and it was simply outstanding. OK, now let's get back to our series of security policies; today I am going to elaborate on the Client Security policy.

CLIENT SECURITY

“IS” CONSIDERED THE FOLLOWING:
1. If attachment via the Internet is allowed, be absolutely certain that home users who attach via the Internet do not have file sharing turned on. For Windows clients, use automatic scanning software across the range of IP addresses attached to the network to make sure that no clients respond on TCP/IP port 139.
2. Instruct users to avoid inappropriate local access and creating or modifying shares.
3. Remove the remote access and dial-up connection services from clients on the network. There should be no need for remote access outbound connections from computers on networks that are connected to the Internet.
4. Organisation-owned computers used by work-at-home telecommuters cannot be connected to the Internet or used by any family member other than the employee.
5. Employees shall use their own computers at home for entertainment or personal interests.
6. Client computers shall not be configured to use any sort of remote access software.
7. Clients shall not be configured to answer dial-in security connections.
8. Do not allow users to install software on their clients. Take removable media drives like floppy, CD-ROM, and Zip drives out of client computers, since all authorized software installations can occur over the network.
9. Do not install file and print sharing on clients unless absolutely necessary. Encourage users to store all files on network file servers, and create server pools of resources.
10. Remove all modems and other alternative access devices from client computers.
11. Each client computer should have one, and only one, possible connection to any data network.
12. Restrict logon access to the network to the computers that an employee normally uses. This makes it impossible to exploit an account name and password from anywhere other than the user’s regular computer, except nursing stations.
13. Disable all unused I/O ports, especially parallel ports and USB ports that are not attached to printers, since many alternate access devices are capable of attaching through the printer/USB port.
14. Disable unused serial/USB ports in the BIOS of client computers. Put strong administrative passwords on the BIOS setup pages of client computers to maintain central control of network security.

Yasir
My Personal Website: www.yasirirfan.com



Jun 24 2008   5:19AM GMT

Sample IT Security Policy - User Security



Posted by: Yasir Irfan
Networking, Security, Microsoft Windows, Switches, Cisco, Routers, Policies, DataCenter, Network Documentation Policy, Network Policies, User Security

As promised, I am trying to cover the topics I listed in my first post; now we proceed to User Security. We should consider the following while drafting the User Security policy.

3‐USER POLICY
“IS” CONSIDERED THE FOLLOWING:
1. Networked systems shall be updated regularly with the latest vendor patches for all software executed on workstations and servers.
2. Users shall select passwords that cannot be found in a dictionary and that are of sufficient length that determining the password over a network shall take at least 160 hours. Currently this is at least 8 characters, but it shall be automatically increased as technology allows.
3. All user passwords attached to a network wherein a compromise has occurred or is suspected shall be changed immediately.
4. Enable client operating system user profiles so that specific users and groups have their own security settings that reflect their level of trust in the network.
5. Force password changes often. Passwords should be valid for no longer than 30 days.
6. Train users to prevent mishaps, by doing things such as turning off a workstation that holds shared data when it is not required.
7. Execute a virus scanner automatically whenever a user logs onto the computer.
8. Use workstation user accounts and system policies to prevent individual users from controlling the security of their workstations.
9. Disable password caching so passwords do not accumulate on client computers.
10. Client computers shall be restricted such that their network settings may not be modified by non-administrative personnel. Implement the following specific policies:

* Disable the network control panel for all users except administrators and trusted, knowledgeable users.
* Disable the registry editing tools for all users except system administrators.
* Enable the shell restrictions for accounts that serve a particular purpose, such as public e-mail accounts, public word-processing accounts, process control, etc.
* Hide the general and details pages for printers in the network, disable deletion of printers, and disable the addition of printers.
* Hide the remote administration page and the user profiles page for all users except administrators.

11. Disable booting from the A: drive in the BIOS and apply a password to the BIOS to keep the user from using a DOS boot floppy.
12. Hide the display settings page from everyone except administrators.
13. Limit the rights of the default Administrators group, and create a separate group with full access.
14. Provide periodic security training for new and established employees alike. A periodic refresher keeps users aware of security problems.
15. Require alphanumeric passwords so that a hacker cannot quickly determine the password to a user account simply by performing a “dictionary scan.”
16. Modify the client operating system to boot directly to the allowed application or to a menu restricted to allowed applications.
17. All users of workstations and PCs are to ensure that their screens are blank when not in use.
18. Approved login procedures must be strictly observed; users leaving their screen unattended must first lock access to their workstation, because unauthorized access to systems may be gained via a valid user ID and password.
19. Managing user access must be authorized by the owner of the system, and such access, including the appropriate access rights or privileges, must be recorded in an access control list. Such records are to be regarded as highly confidential documents.

Yasir
Personal Web Site: www.yasirirfan.com



Jun 23 2008   5:41AM GMT

Sample IT Security Policy - Human Security



Posted by: Yasir Irfan
Networking, Security, Microsoft Windows, Cisco, Policies, Physical Security, DataCenter, Network Documentation Policy, Network Policies

In my previous post on the IT Security Policy I discussed Physical Security; now we will continue our journey and see what should be considered while drafting the Human Security Policy.

2‐HUMAN SECURITY
“IS” CONSIDERED THE FOLLOWING:
1. Several studies and experiences indicate that employees and other persons who are authorized to be on the company premises, or who are in a trusted relationship, commit most computer crimes.
2. Do complete background checks before hiring someone or allowing someone access to Organisation resources.
3. In new employee indoctrination, stress the importance of proprietary data and that any compromise of proprietary data will result in discipline, termination, or prosecution.
4. Advise departing employees that it is against the law to take proprietary material, and that you will prosecute anyone caught taking any type of proprietary information.
5. Set up an easy-to-use system that allows employees to covertly or anonymously report suspicious behavior.
6. Develop a method to combat the belief held by many employees that anyone who has worked on something has a right to take a copy. This feeling of ownership occurs regardless of the signing of non-disclosure agreements and ownership/invention agreements. One of the most common criminal defenses used is that the ex-employee just wanted a sample of their work.
7. Control and approve any articles written about the Organization by employees.
8. Access to information shall rise with pay and with proven loyalty.
9. Employees are responsible for immediately reporting lost, misplaced, or unaccounted-for networked systems.
10. When audit policy monitoring reveals that an employee is a security risk, that employee’s access to sensitive information shall immediately be downgraded.
11. Off-site computer usage, whether at home or at other locations, may only be authorized by the Manager.
12. Assignment of portable systems shall be limited to those who require portability to perform their work. Portable equipment is not a perquisite, due to the inherent security risk and the cost of replacement.
I.S concerns are:
a. It must be used for business only.
b. The use of unlicensed software may put the Organization in a critical condition.
c. Viruses, worms, Trojans and other malicious code can corrupt both data and the system files.
d. Theft of a portable computer exposes the Organization to the threat of disclosure of sensitive data.
e. A laptop connected to any network is open to hacking and is unlikely to have any effective security features enabled. Files and data could be stolen, damaged or corrupted.
f. Where a laptop is used by several persons, old/stale data may still be present, risking unintentional actions/reactions to inaccurate data.
13. Sudden changes in appearance that might indicate an external factor at work in the employee’s life shall be noted and monitored by security personnel. Sudden changes in lifestyle, apparent income, or attitude may necessitate a security evaluation.
14. Personnel issued with mobile phones by the Organization are responsible for using them in a manner consistent with the confidentiality level.
15. Security check-in/check-out and name tags are required for all personnel on the premises. Employees shall be issued permanent badges. Visitors shall be issued temporary badges for the duration of their visit only.
16. Employees shall not have access to secret or higher systems or information for a period of ninety days from their initial employment. The purpose of this policy is to prevent the employment of spies from competing organizations.
17. Animosity, aggression, or violence towards the Organization, its assets, or its employees is an indicator of serious security risk. Audit policy shall be used to monitor the behavior of suspect individuals without alerting them to the fact that they are under observation. Instances of sabotage or other security violations are grounds for immediate dismissal.
18. Sensitive or confidential information must not be recorded on answering machines or voice mail.

Yasir

Personal Website: www.yasirirfan.com



Jun 22 2008   12:59PM GMT

Cisco Cool Tips - Series 1 - Cutting and Pasting config via HyperTerminal



Posted by: Yasir Irfan
Networking, Switches, Cisco, Routers, Network Documentation Policy, HyperTerminal, Cisco Tips

If you cut and paste your config onto an IOS-based switch using HyperTerminal, it breaks down about midway. This occurs because HyperTerminal sends the text too quickly for the switch, particularly if a command returns a message, such as portfast. To avoid this, in HyperTerminal select File – Properties, click the Settings tab, click the ASCII button, and add a character delay of 5 milliseconds. You should now be able to cut and paste your config successfully.

Yasir
Personal Website: www.yasirirfan.com
