Tales of an Insecure Security Manager

FRAMINGHAM (03/13/2000) - Week one: In which our self-taught hero is promoted and promptly screams for help - from you.

Hi. My name is "Pat," and I just became the new security engineer at Western Textiles (not the company's real name), a.k.a. "Please hack our system because we have no security in place and I have no idea in hell what to do!"

That's pretty much how my new job is beginning, and if you're reading this, then I bet you, too, were just promoted into this position or hired because you knew more than the person hiring you.

Not that there is anything wrong with that. Our industry is in dire need of security professionals, and I hope that by sharing my trials and tribulations with you, together we can make our networks a safer place to conduct business.

Completely Thrown

When I was first approached about moving into the position of network security administrator, I was completely thrown. I had been a network analyst/administrator for a little more than two years, doing light Microsoft Corp. Exchange work, PC installs, help desk, network connections and fixes and everyday server maintenance.

The biggest project I worked on was implementing a high-speed dial-up service for the company's 5,000 sales reps and managers. It was basically a yearlong effort to create an Internet service provider for the company. Everyone was satisfied. Then, in a recent security audit, a Big Five firm said it was impressed with the built-in security I had configured.


The only other major networking experience I have is some volunteer work, which involves networking hundreds of computers in a very short period of time. I learned everything from how to crimp cable to how to configure big Layer 2 and 3 switches like Cisco Systems Inc. Catalyst 5000 or Bay Networks Accelars.

So here I am with one week left before I move into my new office (with a window, I might add), and I thought I would take the time to introduce myself and give a little background.

Just so you know, the guy who held this position before me was at the company for more than 15 years, beginning back when they still had IBM Corp. keypunch systems.

About two years ago, he was asked what part of the network he wanted to head up since he had seniority, and he chose security and Web administration.

Apparently, he was in over his head, or he just got complacent. Either way, he was asked to leave four months ago, after a security audit by the Big Five firm I mentioned earlier.

My company is more than 30 years old and does more than $500 million per year in business. Half the employees have been here since I began - I am definitely the new kid on the block. So if I have to step on toes as the security manager, it may be quite treacherous.

There is a high expectation on the part of my group that I will be successful in this position, so of course that only makes me nervous, because that might be why the other guy got fired - he couldn't or wouldn't dance the dance. We'll see. I am very hopeful.

To get a better feel for where I am starting, here's a brief look at the current state of our network security: To start, we don't have a clear security policy in place, only e-mail- and Internet-acceptable usage policies.

On our perimeter, we have a full T1 line connected to our Internet service provider via a Cisco 2514 router. We aren't sure whether we own the router, let alone the configuration of it! From the router, traffic enters our network through an x86 Windows NT 4.0 Service Pack 5 machine running FireWall-1 Version 4.0 from Checkpoint Software Technologies Ltd.

Our policy for the firewall is one of "least access," meaning only e-mail and HTTP are allowed through. Coming from the firewall, we go into our proxy server, which is Microsoft Proxy Server 2.0 on NT Server 4.0 Service Pack 5.

I'll describe the firewall configuration in detail next week, but just so you know, we have all of our 2,000 local on-campus users being sent to the firewall as one IP address. In layman's terms, this means the firewall accepts requests only from the IP address of the proxy server, and the proxy server translates all the users' IP addresses to its own address before sending the packets out to the firewall.
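To make the "least access" design above concrete, here is an added example (not Pat's rulebase and not a Check Point export) that models the perimeter as a first-match rulebase: outbound HTTP only from the proxy's address, SMTP only to and from the mail host, and an explicit cleanup drop at the bottom. Every address, the mail-server host and the rule names are assumptions made for illustration. The `audit` function shows the check a reviewer would run on the rulebase itself: is there a catch-all drop at the end, and does any accept rule let a desktop go out to the Internet without passing through the proxy?

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Assumed addressing for illustration only; none of these values come from the column.
INTERNAL_NET = ip_network("10.0.0.0/16")   # the 2,000 campus desktops
PROXY_IP = ip_address("10.0.1.5")          # MS Proxy Server 2.0: the only source the firewall should accept
MAIL_SERVER = ip_address("192.0.2.25")     # assumed address of the mail host behind the firewall
ANY = None                                 # wildcard in a rule field

AddrSpec = Union[IPv4Address, IPv4Network, None]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: AddrSpec
    dst: AddrSpec
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any port
    action: str            # "accept" or "drop"


def _addr_matches(spec: AddrSpec, addr: str) -> bool:
    if spec is ANY:
        return True
    a = ip_address(addr)
    if isinstance(spec, IPv4Network):
        return a in spec
    return a == spec


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


# The "least access" policy described in the text: HTTP out only from the proxy,
# SMTP only for the mail host, and a cleanup rule so nothing else is accepted.
RULEBASE = [
    Rule("proxy-http-out", PROXY_IP, ANY, "tcp", 80, "accept"),
    Rule("smtp-in", ANY, MAIL_SERVER, "tcp", 25, "accept"),
    Rule("smtp-out", MAIL_SERVER, ANY, "tcp", 25, "accept"),
    Rule("cleanup", ANY, ANY, None, None, "drop"),
]


def decide(pkt: Packet, rulebase: List[Rule] = RULEBASE) -> Tuple[str, str]:
    """First-match evaluation, top to bottom, as a FireWall-1 rulebase is processed."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit-drop"   # only reached if no cleanup rule is present


def _covers_desktops(spec: AddrSpec) -> bool:
    """True if a source field would match ordinary internal desktops, not just one host."""
    if spec is ANY:
        return True
    return isinstance(spec, IPv4Network) and spec.overlaps(INTERNAL_NET)


def audit(rulebase: List[Rule] = RULEBASE) -> List[str]:
    """Static checks on the rulebase: explicit cleanup drop present, and no accept
    rule that lets desktops reach the Internet without going through the proxy."""
    findings = []
    last = rulebase[-1]
    if not (last.src is ANY and last.dst is ANY and last.proto is None
            and last.dport is None and last.action == "drop"):
        findings.append("no explicit cleanup drop rule at the end")
    for rule in rulebase:
        if rule.action == "accept" and _covers_desktops(rule.src) and rule.dst is ANY:
            findings.append(f"{rule.name} lets desktops bypass the proxy")
    return findings


if __name__ == "__main__":
    for p in (Packet("10.0.1.5", "198.51.100.10", "tcp", 80),    # proxy -> web: accept
              Packet("10.0.7.42", "198.51.100.10", "tcp", 80),   # desktop bypassing proxy: drop
              Packet("10.0.1.5", "198.51.100.10", "tcp", 23)):   # telnet, even from proxy: drop
        print(p, "->", decide(p))
    print("audit:", audit())
```

The rulebase is evaluated top to bottom and the first matching rule wins, so order is the whole game: a broad "LAN to any, accept" rule added above the cleanup rule silently undoes the proxy-only design, which is exactly what `audit` flags. Keeping an explicit cleanup drop rather than relying on the product's implicit drop also gives you a rule that logs the rejected traffic.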

The Legacy Refrigerator

We still have some legacy stuff for our manufacturing plants, such as two Data General Corp. Aviion systems and a DG "refrigerator," which is basically a big Unix-flavor server for our distribution subsidiary. These are connected to dedicated leased lines and then to our network. We won't spend too much time on these, as the plants came to us through acquisition and are managed by DG.

Other than that, we have a copy of Internet Security Systems Inc.'s Internet Scanner and all the usual hacker tools - both white and black hat (in other words, those created by either ethical or unethical hackers).

I will attend the Checkpoint class for the firewall, and then I will attend one of the SANS (System Administration, Networking, and Security) 2000 conferences, where I plan to absorb lots of new knowledge from just being around all those great minds.

This weekly column is designed to help both you and me, to let you know that everyone feels overwhelmed with the amount of information to digest. You could spend a year learning and reading everything and not spend even one second working on your current security policy or network security.

I'm writing this to help all of us wade through all that nonsense and help focus our studies on the tasks at hand - securing our networks against internal and external intrusion and destruction.

Got Advice?

I really need expert advice to comment on what I say and how I secure my network. If you have real-world experience that could help, please send your e-mails to info@sans.org with the subject Pat's Journal.

I will also be extensively discussing my company's changeover to a new operating system, namely the deployment of Windows 2000 Professional.

This move gives our IT department the opportunity to secure the desktop and manage it without having to play the political battlefield, because we will be in control of the deployment. You will see, step-by-step, how we plan, plan, secure and finally deploy Windows 2000 in an enterprise environment and how we try to take charge of securing our network at the same time.

Along the way, you'll see the mistakes we make and how we recover. I hope our experiences can help you avoid one or two of the pitfalls we discover.

Until next week, my friends. I look forward to a new beginning!

-- This journal is written by a real security engineer at a real company, whose name and employer have been disguised for obvious reasons. It is posted weekly at www.computerworld.com and at www.sans.org to help you and our security manager - let's call him Pat - better solve your security problems. Contact him with comments or advice at info@sans.org with the subject of Pat's Journal.
