Network Security Firewall question

[KaptKaos]

2500 seats and not that technical?!?!

I assume its a MS shop then? LOL

Seriously, ISA offers proxy services iirc. Also, WebMarshal is a proxy that offers content filtering. It's pretty easy to use and with good reporting. You'll want to setup an LDAP pull to AD so that you can make rules by user and group. You don't want AD access on a forward facing proxy.

PM me if you need more details.

[mikester]

I thought that might be the case....

Why do companies hire security "experts" that can't f'ing DO anything?

[masraum]

Yeah, like I said, security here is non-existent. It's really scary. I'm a network guy that has some experience with firewalls, ids/ips, and vpns. I've done some reading on Security, and honestly, most security is pretty common sense, but a company like this needs a couple of technical folks that are hard core security guys. I'm not a security guy, just a network guy that knows some security basics.

We have developers, database folks, UNIX, AIX, and Windows here. The "Security team" is 2 guys. One guy says he has some experience with firewalls and IDS stuff, but I think much less than I do. I'd consider him a Jr security guy. The other guy here who had his title as "Senior Security Analyst III" doesn't understand ports, protocols, IPs, etc.... But he does make a mean screen saver that reminds us to not leave our passwords laying around for folks to see.

[KaptKaos]

Quote:

Originally Posted by mikester

Why do companies hire security "experts" that can't f'ing DO anything?

Easy Mikey... count to 10, take a breath. Serenity now, serenity now.

[masraum]

Quote:

Originally Posted by mikester

I thought that might be the case....

Why do companies hire security "experts" that can't f'ing DO anything?

These guys have an outsourced event correlation solution, BT Counterpane, but it's only partially implemented.

They have an outsourced security scanner, Qualys.

Internet filter, 8e6

IM filter/logger, Akonix

And that's about it.

Ideally, I'd like to see them doing something else, and get a serious security guy or two in here. I figure I'd learn something from them, and we'd actually have some security.

[masraum]

Quote:

Originally Posted by KaptKaos

Easy Mikey... count to 10, take a breath. Serenity now, serenity now.

goosfrabaaaaa

[KaptKaos]

Quote:

Originally Posted by masraum

Internet filter, 8e6

8e6 and Marshal merged. WebMarshal is in their kit bag and may actually be what they are running.

Akonix has several products, and is pretty good, as long as it is installed correctly.

[masraum]

Our 8e6 is only doing web filtering. I think we got it before they merged. Either way, I think ours is before they merged and only filters for content or it is correctly implemented (or both).

We SPAN our internet feed to the 8e6 and it will filter via TCP resets. The security team is getting ready to deploy a remote filter so that company laptops can't surf porn no matter where you are. I actually don't care if the porn is filtered. My problem is that the folks deploying the solution aren't smart enough to really know what they are doing.

The Akonix seems to be a decent product. My manager tried to get us/me to manage it, but I've convinced him to let them have it. We have enough to do with the rest of the network.

[mikester]

Seriously - don't mean to hi-jack but I'm at my wit's end (in all fairness it was a short trip).

I, like you am just the network engineer. I happen to have held a few security positions before I went to this current job which was supposed to be a straight network job.

I honestly wasn't really sure I wanted to do security anymore because by and large companies don't want to do it and I was tired of fighting for something companies saw as purely an expense with zero return.

If you haven't had a breach and ended up in the news then you don't need to do any serious security. If you haven't had your entire windows infrastructure compromised by some stupid worm - you don't need security.

In November they laid off our IT Security Director. He wasn't stupid but the job he was doing wasn't very successful. I'm not sure it was his fault but if he had a few more technical minds around him rather than the 'analysts' he would have had some problems solved.

They haven't replaced him and don't seem to intend to.

I want the job - but let me be clear: I do not want that job.

Now we're down to 2 'security' personnel, a technical analyst who means well and tries but is spread so thin he has no chance for success. And a 'manager' (with no reports) who tries desperately to get anyone else to manage the security project she needs done (rather than simply managing the project herself to ensure it does get the proper attention). She's nice, I like her but she clearly doesn't want to do the job she has. They both report to our CTO who doesn't seem to want to have anything to do with them.

I'm the Network Engineer, I 'know' firewalls. I 'know' VPN, I know host based firewalls and I am reasonably good with IDS/IPS and create secure environments using standard Cisco routers and switches. I know more than routers, I am competent in systems - more so in the *NIX environment than windows but I can hold my own.

We are in the process of building our security project plans this year - the CTO has a bi-weekly meeting with his security duo on Monday. It's supposed to be an hour. I spend the better part of a couple of days working up reasonably simple slides for a couple of projects we need to do this year. I Work up the numbers, the hardware and hand it to the 'IT Security Manager'.

The meeting is supposed to be an hour, I get a message from her later in the day to call her back as the meeting was only 15 minutes and she wasn't sure she was able to give him all the information. As I finish listening to the message, the CTO walks into my cube and asks me if I have a minute to go over a the project plans I've been doing.

So we go over the 4 project line items we need to do and he really wants to cut as much as he can. It's irritating but I understand where he is coming from - the only return from this is staying out of the paper in a C*O's eyes. Right now, publicity like this to our very public company would only add insult to injury. I go over the slides with him, the spreadsheets, the money and the risk as well as what we can do as a compensating control in lieu of NOT spending this money or some of it. He spends an hour with me instead of his security team. I think he walked away thinking I single handedly saved him $600k from his budget and I think I got most of what I want to get done. We'll see. Quarterly results are announced on Monday and I'm fully expecting they are just going to shut the IT department down and start stringing up cups between buildings.

I've been trying to get a series of firewalls in place with policies other than 'permit ip any any log' for the better part of 2 years.

I just needed to vent that I guess..

goosfrabaaaaa

[Paul_Heery]

Quote:

Originally Posted by masraum

I understand that it's more secure to say "permit from the internal networks to the internet on port 80 and 443" and then let everything else be denied (greatly over simplified, of course, you'd have to permit more than 80 and 443).

Do any of you restrict outbound access like that, only allowing a few (relatively) ports/protocols from the inside to the outside or do you basically have a "permit ip any any" from the inside to the outside?

Sorry I'm late to the party, but I wanted to respond to Steve's original question.

Whatever you do, it needs to be backed up by your InfoSec policy. Otherwise, it has no teeth and exception after exception will be made.

Not to provide any specific details of our policies, but anything other than port 80 or 443 access to the untrust must have specific, detailed, approved and documented business justification. By default, our users get just that access and it is all proxied.

We also filter access to the web based upon content (both inappropriate and potentially dangerous). We also heavily monitor that traffic via an IDP system for potential vulns and intrusion attempts. That's just for the general population. If we have to grant other access because of justified business reasons, that's when we get really serious about security.

I do want to point out that reliance on point solutions is folly. You need to have an overall approach that is sponsored, funded, blessed and followed by the C-level in you organization to stand a chance of improving the security of your environment.