FRAMINGHAM (05/01/2000) - Week 8: Pat gets a lesson in ease of use from Linux and ISS's RealSecure; and CyberCop looks good, so farI consider myself pretty savvy when it comes to installing an operating system, especially Windows NT and even Linux. I can install Linux and get it running in 15 minutes, even though I don't have a clue what I'm supposed to do with it once it's running.
So here I am, getting ready for a big conference next week. Some of the classes I'll attend require a laptop with Linux and some require Microsoft Corp.'s Windows NT Server. Well, I once installed Red Hat Inc.'s Linux 6.1 on top of an NT Server configuration on a workstation. With the new graphical user interface, I felt it would be just as simple on the laptop. Not so. After four installs of NT Server and eight of Linux, I gave up and decided to borrow another hard drive, putting Windows 98 and NT on one drive and Linux on the other.
There are a number of issues I need to deal with while I prepare for this trip.
No. 1, I want to get the password policy-change date set. We've already pushed policy change back once, and I don't want the help desk workers to push it back again just because they don't want to deal with all the calls the new policy will create. Under the new policy, passwords must be nine characters long and must not contain any whole words. Also, the expiration period will be cut from 90 days to 45, and everyone will have an expiring password - no more permanent ones.
The Password Dead Horse
Of course, this will raise all kinds of hell with the sales force. But we administrators can make salespeople's jobs only so easy before we start making our jobs harder and compromise corporate security. Am I thankful that they bring in my paycheck every week? You bet. But we wouldn't have those paychecks if a cracker or corporate spy dropped our payroll server or corrupted the database. Besides publishing the password policy, I copied a document on how to select a good password. You would be surprised what kind of passwords people choose. Is this beating a dead horse? No, because passwords are still the No. 1 problem when it comes to compromised networks.
As I've said before, if you are willing to share your security policy with me, I agree not to release it. I want to do a little study and see who has the best policy.
I work for a textiles company dealing with dresses, jeans and suits and fabrics. Our security standards can be looser than those of a banking institution, government agency or brokerage firm. This isn't to say that security isn't important; it is to say that we don't need to encrypt e-mail. We might use a virtual private network, but we might not need to implement a $250,000 RSA Security Inc. SecurID system (a user authentication system that protects networks, operating systems and other elements of the information technology infrastructure from intruders).
Joe Blow's Security
Now some of you may disagree with our security standards, but think about this:
To secure the network the way I want, I would have to go to the board of directors - a family that has been running the business for more than 40 years - and tell them that we need to spend close to $1 million. Their first question would be: "How will it improve productivity and increase revenue?" With a network upgrade such as going from CAT3 cabling to CAT5, I can tell them that performance will increase significantly in a 100M-bit switched environment with a gigabit backbone. My network doesn't need to be as secure as Visa International Inc.'s, but it needs to be more secure than Joe Blow's family vacation site.
Moving right along: I've been discussing the testing of an intrusion detection system, mainly for our internal network. When I last broached the subject, I spoke about Internet Security Systems Inc.'s (ISS) RealSecure and Network Ice Corp.'s IcePac suite. Through all the growth and change ISS has undergone, the company has disappointed me with the quality of its service and customer care.
In order to do anything, you need an encrypted authentication key, and then you need to know how all the keys work when they create directories for holding them on your hard drive.
I don't have the time or patience to go through this hoopla just to get a test product working. I even had a sales rep and tech rep out here to demonstrate the product and get it to work for me. After two hours, they finally decided to install the product; an hour later, they still couldn't get it to work. After they did, we were only interested in the host detection, being in a switched environment.
Take That, Hacker
Enter Network Associates Inc.'s CyberCop suite. Now this thing really won my boss over, so we will test this product in two weeks upon my return. The rep was very nice and brought us a quote that was both timely and easy on the pocketbook - $7,800 for the entire suite. The representatives came in and talked for 15 minutes and then let the product speak for itself. Imagine a hacker defacing your Web site. CyberCop automatically replaces the defaced Web site with a cached backup and stores the defaced Web page for you.
The last item of business before I leave is Windows 2000 Server, which I have been running for about two months. I haven't been too impressed, but I haven't really tried all the features.
We had a meeting this week on the design of our domain structure when we migrate to Windows 2000 in July. One of the items that came up was Terminal Services (Microsoft's software for running thin-client applications), which comes with 2000 Server. I decided to take a look at it since I'm going to be away for 10 days.
It was extremely easy. I told 2000 Server that only my user account could remotely log in to this computer. Then I created a rule on the firewall allowing the Terminal Services (TS) ports from my internal address and to my external address with secure authentication. So first the firewall authenticated me and then it allowed me to fire up the TS client and an added layer of protection. I took the client diskettes and loaded them on my laptop and dialed a local Internet service provider. When I logged in after launching the TS client, I was greeted with a familiar desktop, my local profile and all my icons, exactly where they were when I logged off.
Very cool, I say, because this gives me the ability to administer the firewall and pretty much everything from anywhere. Granted, with this newfound flexibility comes added risk, and with added risk you need added protection.
So until next week, I will be away at SANS2000 in Orlando for the class of a lifetime.