When security hassles spook searchWindowsManageability users, they send an SOS to the site's security guru Scott Blake. As information security vice president for Houston, Texas-based BindView Corp., Blake is well-schooled in network security triage. Here are his Top 10 answers to some tough security questions.
1. What are the differences between a firewall and just using NAT on the router?
NAT is not a security technology. There have been flaws discovered in some NAT implementations that allow attackers to translate their inbound packets, subverting the apparent benefit of NAT. A firewall in combination with NAT would have prevented that. Also, not using a firewall necessitates turning your NAT device into a bastion host, something that's very difficult to do and requires constant maintenance. NAT introduces greater complexity into the network design. A cornerstone of security is KISS (Keep It Simple, Stupid). Simple designs are easier to manage and secure, and mistakes are less likely to slip through. Only use NAT when absolutely necessary. It won't prevent attacks.
2. Can any security certification programs help me boost my network's security?
There aren't any fabulous certification programs, but the SANS GIAC program is a good start (http://www.sans.org/). The most important thing is to know what your systems require for function and maintenance. Turn everything else off. Keep the patches up to date. Minimize user
3. I run a Win2K server with Win9x and NT 4 workstations. How can I prevent users from deleting data files on the server?
On Windows 2000, with NTFS, you can remove just the ability to delete. Right-click on the file or directory and select Properties. Then change to the Security tab and click the Advanced button. From there you can access more fine-grained permissions on a per-user or per-group basis.
4. On a network of Windows NT and UNIX machines, is it possible to sit at one machine and copy the file(s) to the other machines?
Install Samba (http://www.samba.org) on the UNIX server. That will allow you to mount a file share from the UNIX server to Windows machines as if the share were on an NT server.
5. How can I fortify my network logon security?
Use some sort of virtual private network for remote users. PPTP (Windows) or SSH (UNIX) should be adequate. Don't let users procrastinate about changing cracked passwords. Run Crack (or equivalent) on your password database weekly and force users to change them immediately.
6. Someone is using a program to break our NT servers' password. How do I find out if a particular user logged on to some machine with another user's name?
It isn't possible to prevent a password cracker from recovering passwords or to detect if a user is logged in with a different username. However, you can enforce the selection of strong passwords on your network. That will slow down the cracker. Make sure your users select passwords that are not in a dictionary, include non-alphabetic characters, and are at least eight characters long. Use a cracker yourself to find out which users have weak passwords. Then ask those users to change them.
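As an added illustration of answers 5 and 6 (editorial example code, not Blake's and not from any cracking tool): a POSIX shell script that applies the three rules above (not a dictionary word, at least one non-alphabetic character, at least eight characters) to each password a cracking run recovered, and lists the accounts whose owners need to change their password now. The wordlist and the user:password pairs in it are constructed stand-ins; a real audit would use a full dictionary and the cracker's own output file.

```shell
#!/bin/sh
# Added example (not from the original column): the password policy from
# answers 5 and 6 as a shell check, plus an audit pass over the output of a
# cracking run. The wordlist and the user:password pairs below are constructed
# stand-ins; a real audit would use a full dictionary and Crack's own output.

WORDLIST=$(cat <<'EOF'
password
letmein
welcome
secret
summer
houston
EOF
)

# check_password PASSWORD
# Prints one line per policy violation and returns 1 if there were any.
check_password() {
    pw=$1
    bad=0
    if [ "${#pw}" -lt 8 ]; then
        echo "too short: ${#pw} characters, need 8"
        bad=1
    fi
    case $pw in
        *[!A-Za-z]*) ;;                      # has at least one non-letter
        *) echo "letters only"; bad=1 ;;
    esac
    # Dictionary test: lower-case the password and strip leading/trailing
    # digits and symbols, so "Summer2002!" is still caught as "summer".
    stem=$(printf '%s' "$pw" | tr 'A-Z' 'a-z' | sed 's/^[^a-z]*//; s/[^a-z]*$//')
    if [ -n "$stem" ] && printf '%s\n' "$WORDLIST" | grep -qxF -- "$stem"; then
        echo "dictionary word: $stem"
        bad=1
    fi
    return $bad
}

# weak_users < user:password lines (as recovered by a cracker)
# Prints the account names whose recovered password fails the policy,
# i.e. the users to tell to change their password immediately.
weak_users() {
    while IFS=: read -r user pw; do
        [ -n "$user" ] || continue
        if ! check_password "$pw" >/dev/null; then
            echo "$user"
        fi
    done
}

# Constructed sample of what a cracking run might hand back.
CRACKED='alice:Summer2002!
bob:Tr0ub4dor&3
carol:abcdefgh
dave:houston'

# Stand-alone usage: list the accounts that need a password change.
printf '%s\n' "$CRACKED" | weak_users
```

Run it weekly against the cracker's output and the printed names are the users to chase. The stem-stripping step matters in practice: a cracker's dictionary rules already try "word plus digits" and "word plus punctuation", so a policy check that only compares the whole password against the wordlist will pass exactly the passwords the cracker recovers first.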
7. Is Instant Messaging a real security risk?
Most IM clients are reasonably secure, assuming the users don't do silly things like exchange files, click on links, or talk to anyone. The same principles apply as those in e-mail -- don't click on links, don't open attachments, and don't send sensitive information to anyone. Most IM systems do not encrypt traffic, which makes them inappropriate for business use. Consider setting up an internal server and restricting access to authenticated, internal users if there's a business reason why people can't pick up the phone when they have something to say. Don't exchange files and never, never exchange sensitive information.
8. I run a 35-node network with an old software firewall. What should I be looking for in a low-priced firewall product?
You can build yourself a 100% free firewall using nearly any variety of Unix. Linux, FreeBSD, OpenBSD, and others include free, robust firewall software with the operating system. If you're comfortable with Unix, this is by far your best option. However, barring that, any firewall appliance should be adequate. Check out NetScreen and WatchGuard.
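Answers 1 and 8 come down to the same point, so here is one added example that covers both (editorial code, not Blake's and not from any vendor named above): two iptables-restore rulesets for a Linux gateway with two network cards. The first is "just NAT on the router": addresses are rewritten and nothing is filtered, so any packet the kernel will route, including inbound traffic a buggy NAT implementation translates, crosses the box. The second keeps the same NAT and adds a stateful filter with a default DROP. The interface names eth0/eth1, the LAN prefix 192.168.1.0/24 and the use of Linux iptables (rather than the BSD packet filters also mentioned) are assumptions for the example.

```shell
#!/bin/sh
# Added example for answers 1 and 8: a NAT-only gateway beside a NAT-plus-
# firewall gateway, both as iptables-restore rulesets for a Linux box with two
# NICs. Interface names and the LAN prefix are assumptions; override them in
# the environment before running.
WAN_IF=${WAN_IF:-eth0}              # towards the ISP
LAN_IF=${LAN_IF:-eth1}              # towards the LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}

# "Just NAT on the router": addresses are rewritten, nothing is filtered.
# Every chain accepts by default, so anything the kernel routes is forwarded.
nat_only_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# The same NAT behind a stateful filter. Default DROP on INPUT and FORWARD:
# only LAN-originated connections and their replies cross the box, packets
# arriving on the WAN side with a LAN source address are discarded as spoofed,
# and the box itself takes SSH and ping only from the LAN.
nat_with_firewall_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# Load the hardened ruleset atomically (run as root). Review "show" output first.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_with_firewall_rules | iptables-restore
}

case "${1:-}" in
    show)  nat_with_firewall_rules ;;
    apply) apply_rules ;;
esac
```

Usage: `sh natfw.sh show` prints the ruleset, `sudo sh natfw.sh apply` loads it. Compare the two FORWARD policies: with the NAT-only set an inbound packet that the translation table happens to match is handed straight to a LAN host, which is the failure mode answer 1 describes; with the second set it has to match an ESTABLISHED or RELATED conntrack entry that a LAN host created first, and everything else is logged and dropped.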
9. Should we allow our software vendor to maintain/fix his product remotely by dialing into our networked workstation with PCAnywhere? If so, what should I do to protect our network first?
Your best bet is to disable the remote access service when it is not in use. If you must have the workstation online when the vendor is connected, have a person watch what the vendor does. If not, pull the plug. Actually, it's a good idea to watch what they do anyway. Fundamentally, you have to decide whether or not to take the risk. When they are dialed in, they could install any software, backdoor agents, scan software, packet sniffer, etc. Ideally, you wouldn't have to let them do this, but if you must, you pretty much have to trust them. But make sure no one else gets in by turning off the service when it isn't needed.
10. I had the Code Red virus. I ran the patch and then rebooted the system as the instructions at Microsoft specified. I have thousands of... 23:14:34 126.96.36.199 GET /default.ida 200 3818. These still happen. Is this the virus at work?
You're seeing the worm attacking your system. If you've installed the patch, you're not vulnerable, so you don't have anything to worry about. The IP address you see in the logs belongs to @Home. Send a copy of your logs to their Network Abuse e-mail address.
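To turn "thousands of" log lines like the one quoted in question 10 into something an abuse desk can act on, here is an added example (editorial code, not Blake's): a shell function that picks the Code Red probe lines out of an IIS W3C extended log and counts them per source address, busiest source first. Field positions default to the layout of the quoted line (time, client IP, method, URI, status, bytes); if the log carries a `#Fields:` header the function reads the positions from it instead. The log excerpt in the script is constructed for the example and uses documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original column): pick the Code Red probe lines
# out of an IIS W3C extended log and count them per source address, so each
# abuse report goes to the right network. Field positions default to the
# layout of the log line quoted in question 10 (time c-ip cs-method
# cs-uri-stem sc-status sc-bytes); a "#Fields:" header in the log overrides
# them. The log excerpt below is constructed for the example.

# codered_sources < iis.log
# Output: "<hits> <client ip>", busiest source first.
codered_sources() {
    awk -v ipf=2 -v urif=4 '
        /^#Fields:/ {
            # header reads "#Fields: time c-ip ..."; data fields are shifted by one
            for (i = 2; i <= NF; i++) {
                if ($i == "c-ip")        ipf  = i - 1
                if ($i == "cs-uri-stem") urif = i - 1
            }
            next
        }
        /^#/ { next }                          # other log directives
        NF >= urif && $urif ~ /^\/default\.ida/ { hits[$ipf]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Constructed sample: a patched server still being probed from two addresses.
SAMPLE='#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-bytes
23:14:34 192.0.2.10 GET /default.ida 200 3818
23:14:35 192.0.2.10 GET /default.ida 200 3818
23:15:02 198.51.100.7 GET /index.html 200 1024
23:16:11 198.51.100.7 GET /default.ida?NNNNNNNN 200 3818
23:17:40 192.0.2.10 GET /default.ida 200 3818'

# Stand-alone usage on the sample; for a real log: codered_sources < ex020211.log
printf '%s\n' "$SAMPLE" | codered_sources
```

The per-address counts plus a handful of the matching raw lines are what to put in the abuse report; `whois` on the address gives the network's abuse contact. The match is on the URI prefix rather than the exact string because the worm's request carries its payload in the query string, which some log configurations append to the stem.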
This was first published in February 2002