FRAMINGHAM (03/27/2000) - Week 3: Pat checks out his ISP and plugs a security gap by - duh! - calling tech support.
When I opened the door to my lab, I nearly cried when I saw the museum pieces I was going to have to deal with. Granted, I have one 200-MHz Pentium with 128MB of RAM for my firewall, but the others are Pentium 133s with 64MB of RAM. The products I am testing, Internet Security Systems Inc.'s RealSecure and Network Ice Corp.'s IcePac, require a 300-MHz Pentium II and 128MB of RAM. RealSecure wouldn't even install! Luckily, my boss listened to my needs, and I am getting three new Pentium IIIs.
A circuit board on our Internet service provider's (ISP) Cisco Systems Inc. Catalyst 7500 blew out, so we were down for 14 minutes. Our ISP replaced the board immediately. Of course, it helps when you know two of the tech guys extremely well. The boards have approximately 12 ports on them, so we weren't the only ones who had their Internet service interrupted.
I took the opportunity to meet our ISP sales rep, and he invited us to see the network operations center (NOC). The ISP just finished construction of a new co-location facility that blew our team away. We were also able to view our DS3 from our ISP's perspective. The point-of-presence (POP) was really an incredible site. The cables were all color-coded: blue for T1, yellow for T3, gray for 10M-bps and purple for 100M-bps.
I recommend visiting your ISP. Your business is completely dependent on your provider; you might want to make sure you have a friend in the right spot when and if something happens.
There was another network outage this week, this time at one of our warehouses. They have a mixed environment of PCs that connect back to our Windows NT domain and dumb terminals that connect to a Data General Unix server in Chicago. The call I got said they took a power hit and some people had connectivity and others did not. It turns out that the DG box that serves the terminals and connects to the Unix server had come up before the router did, so the terminals couldn't find the route to the server, because the router hadn't established the route. That was an easy fix.
An interesting situation arose during that fix. One of the server administrators didn't know the topology of the site and thus had a hard time doing any preliminary troubleshooting. My boss, the network architect, hadn't come in yet, and he's the only one who has that data. We decided to make the topology available to administrators as a little black book.
I sensed this was a great opportunity to begin testing my policy-making ability. After all, data about network topology is sensitive, proprietary information. It includes our entire global network structure, both physical and logical, including IP assignments and phone numbers for mission-critical contacts. I set up a meeting with the director of network services, two lawyers from our legal department and my boss to discuss how the policy should be written and implemented before the book is distributed.
One of my ideas is that if there is any change that needs to be made, everyone must bring their books in to be updated on the day specified, no exceptions! This would let us destroy the old information and keep track of the books.
Plenty of Porn
I was in the NOC, and one of the net admins said he tried to follow a link to register an Internet domain and it took him to a porn site. I thought that was weird only because we use Websense for FireWall-1 to filter out those types of sites. When I looked further, it seemed as though Websense was acting like the trial version and had expired. Not good.
I knew we had purchased a license for the full product, so I called Websense's technical support people. They had me delete the corrupt database of Web sites and apply the new license key. I then stopped and restarted the service and tested it by trying to go to all the porn sites I could find. It worked.
The next day, the director of network services thanked me for fixing a situation that hadn't been resolved by the previous security officer. All I did was call the technical support people, who got me up and running in two minutes.
The next day I took a Windows 2000 file and print server class that proved to be very useful. I am going to take as many Windows 2000 classes as I can; it is an entirely different beast from NT.
Just Do It!
The class coincided with a preliminary meeting I had with our CIO and chief e-commerce officer to discuss a possible global intranet or corporate portal site. They feel that it will be a snap to set up and that it should be ready in May. Well, not so fast, I said; our programmers just got off the learning curve of developing 32-bit applications and Web apps from old Cobol and Visual Basic 4 applications that still run in 16-bit mode! But we'll be going ahead anyway.
"Business necessity," they said.
To handle the encryption and security management for this global intranet, we are deploying Windows 2000 with Active Directory. We will take the time to configure our domain structure and organizational units on a logical level, and, at the same time, we will have to consider the hardware. The domain controllers in Windows 2000 run similar threads to Exchange 5.5 and SQL Server, so with Active Directory we will need a lot more horsepower.
Instead of desktop servers with juiced-up RAM, we are looking at dual to quad processors, a dual to triple SCSI channel and 1GB to 2GB of RAM. Management wants to move to more of a Web-based environment, so we are looking for a new operating system. Since we're a straight NT shop, we might be moving from Windows 95 to Windows 2000, or we might stay with 95 and use 2000 Terminal Server to provide the desktop.
This weekend, I plan to rip IPX and several other services out of the firewall. I will also test the anti-IP-spoofing feature of FireWall-1 in the lab, since the previous team couldn't get it to work. We have an internal network, a demilitarized zone (DMZ) and then the Internet. The configuration on the DMZ is what makes me nervous, since it is a separate valid Class C network from the Internet Class B network.
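The anti-spoofing feature described above amounts to a per-interface ingress check: every packet's source address must belong to the address space that legitimately sits behind the interface it arrived on, and the external interface is valid only for "everything else." The part the columnist is nervous about, a DMZ on its own publicly routable Class C rather than inside the company's Class B, is exactly where such configurations go wrong: if the DMZ block is not declared as living behind the DMZ interface, legitimate DMZ traffic is dropped as spoofed while an Internet host forging a DMZ source address sails through. The following is an added illustration written for this page, not code from the column or from FireWall-1; the address blocks are constructed stand-ins (RFC 1918 and RFC 5737 ranges), and the interface names and the `AntiSpoof` class are assumptions, not the author's real topology.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network

# Constructed topology, standing in for the column's "Class B" internal
# network and "separate valid Class C" DMZ. Not the author's real addressing.
CORRECT_TOPOLOGY: Dict[str, List[str]] = {
    "internal": ["172.16.0.0/16"],   # assumed: the Class B behind the inside interface
    "dmz": ["203.0.113.0/24"],       # assumed: the publicly routable Class C DMZ
    # "external" is implicit: valid for anything not claimed above
}

# The failure mode: the DMZ block is not declared anywhere, so the firewall
# treats it as "not ours" (i.e. as Internet space).
MISCONFIGURED_TOPOLOGY: Dict[str, List[str]] = {
    "internal": ["172.16.0.0/16"],
    "dmz": [],                       # DMZ interface exists but owns no addresses
}

# Source blocks that never legitimately arrive from the Internet. Listed
# explicitly rather than via is_private so the result does not depend on
# the Python version's notion of "private" (which also covers the RFC 5737
# stand-in used for the DMZ above).
EXTERNAL_BOGONS: List[Network] = [
    ipaddress.ip_network(n) for n in
    ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


class AntiSpoof:
    """Per-interface ingress filter in the style of a firewall anti-spoofing rule.

    `topology` maps each non-external interface to the networks legitimately
    behind it. The external interface accepts any source that is not behind
    another interface and is not a bogon.
    """

    def __init__(self, topology: Dict[str, List[str]], external: str = "external"):
        self.external = external
        self.behind: Dict[str, List[Network]] = {
            iface: [ipaddress.ip_network(n, strict=True) for n in nets]
            for iface, nets in topology.items()
        }

    def owner(self, src: ipaddress.IPv4Address) -> Optional[str]:
        """Return the interface that owns `src`, or None if no interface claims it."""
        for iface, nets in self.behind.items():
            if any(src in n for n in nets):
                return iface
        return None

    def check(self, iface: str, src_ip: str) -> Tuple[bool, str]:
        """Return (accept, reason) for a packet with source `src_ip` arriving on `iface`."""
        src = ipaddress.ip_address(src_ip)
        owner = self.owner(src)
        if iface == self.external:
            if owner is not None:
                return False, f"spoofed: {src} belongs to '{owner}' but arrived on '{iface}'"
            if any(src in n for n in EXTERNAL_BOGONS):
                return False, f"spoofed: bogon source {src} on '{iface}'"
            return True, "ok"
        if iface not in self.behind:
            return False, f"unknown interface '{iface}'"
        if owner == iface:
            return True, "ok"
        where = f" (belongs to '{owner}')" if owner else " (claimed by no interface)"
        return False, f"spoofed: {src} is not behind '{iface}'{where}"


if __name__ == "__main__":
    # Constructed test packets: (arriving interface, source address, description)
    packets = [
        ("dmz", "203.0.113.5", "legitimate DMZ host talking out"),
        ("external", "203.0.113.5", "Internet host forging a DMZ address"),
        ("external", "198.51.100.7", "ordinary Internet host"),
        ("external", "172.16.5.9", "Internet host forging an inside address"),
        ("internal", "203.0.113.5", "inside host forging a DMZ address"),
    ]
    for name, topo in (("correct", CORRECT_TOPOLOGY), ("misconfigured", MISCONFIGURED_TOPOLOGY)):
        fw = AntiSpoof(topo)
        print(f"--- {name} topology ---")
        for iface, src, desc in packets:
            accept, reason = fw.check(iface, src)
            print(f"{'ACCEPT' if accept else 'DROP  '} {iface:8} {src:14} {desc}: {reason}")
```

Run as a script, the misconfigured topology shows both symptoms at once: the DMZ host's own traffic is dropped on the `dmz` interface, which is how a broken anti-spoofing setup usually announces itself, and the forged DMZ source on `external` is accepted, which is the hole nobody notices. Declaring the DMZ's Class C behind the DMZ interface, even though it is not part of the company's Class B, fixes both.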
If you have any suggestions, send them to firstname.lastname@example.org, or visit our new security forum at www.computerworld.com/sjf. Until next week, remember:
The safest way to secure a network is to unplug it!