Security and Network Policy
|
| Example Security Policy |
|
| Computer/Network Policy |
|
| Computer Room Access Policy |
- who has the keys to get into the server room
|
| Network and Cabling Access Policy |
- can somebody plug into your internal LAN by plugging into an unused hub
- Disconnect all unused ports at the hub in the server room
- Can somebody accidentally pull/wiggle loose the ethernet cables/power cord
- Tie down your cables to minimize wiggling when working on another cable/issue
|
| Physical Access Policy |
- does the machine reboot due to "X11 login screen" shutdown option
- does the machine reboot due to user hitting ctrl-alt-del
- we will ignore issues with power cords, power switches to force a hard reset/boot
- only root should be able to reboot the machine
- Keep spare servers/parts handy... ( cables, cpu, memory, disks ... )
|
| Network Topology |
- Leave web, mail, dns servers "outside your firewall"
- Keep your pop/imap Servers on a secure network with another firewall
- Keep your VPN, PPP, Servers on a secure network with another firewall
- Keep your production servers on a firewalled secure network
- Keep your engineering/development servers on a firewalled secure network
- Keep your HR servers on a firewalled secure network
- Keep your finance/purchasing/acct payable/acct receivable servers on a firewalled network
|
| Host Security |
- Harden each server as if there was no firewall
- Harden each server as if there IS an intruder in your network right now
- Keep a copy of the entire server on cdrom
- Keep a log of how to build another server
- Keep secure spare/redundant/backup servers for emergency replacements
- Test all patches and changes starting from "cdrom" installation before releasing changes to production servers
- who can log in to this server
- which machines can connect via ssh/mount to this server
- Simulate a disk failure ... what happens to your corp productivity
|
| Procedural Security |
- use static ip# instead of dhcp
- use ssh instead of insecure telnet
- use scp instead of insecure ftp
- use secure pop3s/imaps instead of insecure pop3/imap
- use different loginID and passwd for each of these services
- email vs ssh login vs pop3 vs ppp vs vpn vs wireless
- keep credit card info offline ( NOT accessible from the internet )
- move daily order information offline
- keep multiple backups on different servers of important data
|
| System Security |
- how do users get their emails
- how are systems upgraded to latest/greatest
- how do you detect "un-wanted activities"
- who has root passwd
- Separate "insecure services" from the rest of the corporate lan
- insecure services == pop3 email, telnet, ftp, ppp dialups, MS windows login, etc
- Create an Insecure server for insecure services ( pop3, ppp, things w/ cleartext passwd )
- Once logged into an insecure machine, you are locked in... should NOT allow vpn/ssh back out
- Always require someone to type the "root" passwd ( vs scripts w/ keys )
- Never trust client machine - ask for passwd or passphrase
- only one person, who is held accountable/liable, has the root passwd
- Never login as root, use sudo instead
- Never login as root in X11
- Delete user accounts of people that left the company ( same day, preferably BEFORE they leave )
- Disallow telnet, ftp, pop3, imap, ppp ( cleartext passwds ) connection to a "secure server"
- Install ssh-clients on MS windows boxes
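
One way to check the "Disallow telnet, ftp, pop3, imap" item on a secure server, as an added example that is not part of the original checklist: the script reads `ss -H -ltn` output and reports any listener on the well-known ports for those cleartext services. The function names and the sample input are assumptions made for this example; ppp dialups are not TCP listeners and are not covered.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets for the cleartext services the
# checklist names. Input is `ss -H -ltn` output on stdin.

# Map a well-known port to its cleartext service name; fail for other ports.
cleartext_name() {
    case "$1" in
        21)  echo ftp ;;
        23)  echo telnet ;;
        110) echo pop3 ;;
        143) echo imap ;;
        *)   return 1 ;;
    esac
}

# Print "service port local-address" for each offending listener.
# Exit status is 1 if any were found and 0 if the host is clean.
audit_cleartext() {
    found=0
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${local##*:}   # handles 0.0.0.0:23, [::]:23 and *:23
        if name=$(cleartext_name "$port"); then
            echo "$name $port $local"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of `ss -H -ltn` output (not taken from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 100 [::]:110 [::]:*
LISTEN 0 100 0.0.0.0:995 0.0.0.0:*
LISTEN 0 32 127.0.0.1:21 0.0.0.0:*'

# On a live host: ss -H -ltn | audit_cleartext
printf '%s\n' "$SAMPLE" | audit_cleartext || echo "cleartext services are listening"
```

The ssh (22) and pop3s (995) listeners in the sample pass; a listener bound only to 127.0.0.1 is still reported so that it gets reviewed.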
|
| User Accounts |
- Be sure to check user passwds thru the passwd checkers
- Allow only ssh connections ( no telnet, no ftp )
- Remove user accounts BEFORE employees/contractors are notified of their termination
- Remove user accounts on ALL machines that the employee used
- Forward all emails to the co-worker assuming their responsibility
- As a courtesy, forward their emails to their accts
|
| Backup Methodology |
- is all data and logfiles backed up - can you recover from a disk crash
- Backup only /root, /etc and user data ( /home ), rest of data is already on the initial cdrom
- Never automount BackupServers
- Daily incremental backup should start from the last full backup on daily_backup_server
- Weekly incremental backup should start from the last full backup on a DIFFERENT weekly_backup_server
- Monthly full backups on a different full_backup_server
- Backup Methodology and Example Scripts
|
| Server Hardening Methodology |
|