TechProGuild held an online chat on September 27, 2000. John Day discussed what you should look for in virus protection for your network. Here's the edited transcript from that chat.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
MODERATOR: Welcome to today's guild meeting! We are pleased to have John Day here with us to talk about some great security tools!
SPEAKER_GW4GOOFY: Hello everyone. Today, security tools are the "broad" topic of discussion.
MODERATOR: Don't forget we're still giving away that processor and motherboard, so throw your best questions to our speaker! One lucky member will win a chance to win! ;-)
SPEAKER_GW4GOOFY: Are there any specific or topical questions?
Security Client Authentication
MODERATOR: Here's one—can you explain Kerberos?
MODERATOR: And what is your take on the carnivore issue?
SPEAKER_GW4GOOFY: Carnivore issue? I can't lie, I'm not up on that. Perhaps you could elaborate.
SPEAKER_GW4GOOFY: Kerberos is a standard for security client authentication among various systems. It uses a ticket system for network authentication similar to NT's token system.
MODERATOR: Do you know what kind of security algorithm it uses? Blowfish? Rsa?
SPEAKER_GW4GOOFY: RSA I believe.
MODERATOR: Given the chance to create your own firewall or buy a firewall appliance, which would be your preference and why?
SPEAKER_GW4GOOFY: I think I would create my own in light of the many free firewalls available for Linux.
FRANK: Buy a proven product and then refine the rules.
J_LEIB: How can you trace unauthorized access to your network?
SPEAKER_GW4GOOFY: Although I recently put a CUBE-based firewall in for a client that you reviewed this summer.
MODERATOR: How well did it fare?
SPEAKER_GW4GOOFY: I think BlackICE 2.0 is good to track down unauthorized access.
MODERATOR: If you're using Linux, you can simply run through your /var/log/message or /var/log/secure files to find any trace of unauthorized access.
J_LEIB: I assume it logs IP addresses? Where do you go from there?
SPEAKER_GW4GOOFY: It was good and easy to configure with a simple GUI as you indicated in your review at TPG.
FRANK: A sniffer on the firewall segment would also be nice, but the operator would have to have an idea of what he or she was looking at.
SPEAKER_GW4GOOFY: BlackICE logs by IP address anything that matches any known network attack utilities, blocks the IP, and then sends you a notification.
SPEAKER_GW4GOOFY: L0Pht's Antisniff does a good job identifying sniffing except for hardware sniffers.
J_LEIB: Then who do you contact with that information? And can you tell if an IP address has been spoofed?
Behind the Firewall
FRANK: Question: Is it better to have a firewall up and then have a proxy behind it and allow communication between outside and proxy only?
SPEAKER_GW4GOOFY: Your action against the hacker is up to you. You can contact your ISP for help in tracking down the offender and your legal team if you want to take action.
SPEAKER_GW4GOOFY: Firewall yes, proxy is up to you. A good firewall will do for me. With a good firewall, a proxy is only a matter of performance, in my opinion.
FRANK: Appliance eg., CUBE or software such as Raptor, or Black Ice defender?
SPEAKER_GW4GOOFY: With the price of DSL and T1s coming down, get a big fat pipe and checkpoint or other good firewall.
SPEAKER_GW4GOOFY: I don't like raptor, it has some issues on its NT platform. I hear they are porting to Linux, but I haven't heard much about that platform for raptor.
MODERATOR: One of the single, best pieces of security software I've seen for Linux is portsentry.
SPEAKER_GW4GOOFY: I like the appliance-type firewalls on a Linux platform. I like ndiff, which port scans on Linux and reports differences in ports open or listening.
FRANK: Do you think that just a firewall and all the rules needed to allow/disallow all network LAN traffic is just too much of a hassle to configure, whereas defining rules for a proxy seems to be less work and increase security?
Microsoft and Cisco
J_LEIB: How much has security changed from NT to 2000? Is BackOrifice something to beware of on 2000?
MODERATOR: Phoenix Systems has a Linux firewall appliance that is amazing. Within five minutes of plugging it in, I had a solid firewall, port forwarding, and IP Masquerading up.
SPEAKER_GW4GOOFY: Proxy rules are easier to set up, I agree, but I think more advanced firewalls provide better protection.
SPEAKER_GW4GOOFY: I haven't seen much on BackOrifice in 2000 yet, but based on 2000’s new security, I think it will be a while before the break. But it will happen.
FRANK: <—leaving will return, dept meeting.
SPEAKER_GW4GOOFY: The phoenix firewall is the one I used recently, and while it took me longer than five minutes, it was easy.
MODERATOR: I've never actually seen it; how did it (the phoenix system) turn out in the end?
SPEAKER_GW4GOOFY: I set up a DMZ for a Web site, hid the users with IP masquerading, and that was it.
MODERATOR: What about when ipv6 comes to life? How do you think that is going to change things?
SPEAKER_GW4GOOFY: In the end the client was happy, and I have two more to install next month. $2400 bucks was half of a Cisco price for the same thing.
MODERATOR: Do you think the system does as good a job as the Cisco hardware?
SPEAKER_GW4GOOFY: Probably not as fast, performance-wise. Cisco's hardware is hard to beat.
MODERATOR: No doubt.
J_LEIB: What is a good source of information on what to look for and what to do about securing your network in general?
SPEAKER_GW4GOOFY: Not sure about the IPV6 standard yet.
SPEAKER_GW4GOOFY: I like securityportal.com and packetstorm.security.com.
J_LEIB: Thanks. I'll check those out.
SPEAKER_GW4GOOFY: Many new firewalls are adding virus scanning to their products, but I would add them to a server-based scanner as an additional layer of protection.
SPEAKER_GW4GOOFY: In general, get a good firewall, have a virus scanner for your e-mail server like Trend Micro’s products, then look for data on user drives, and look at encryption tools.
J_LEIB: I know there is a certification for checkpoint. Are there other ways to determine whether someone is a "security expert"?
SPEAKER_GW4GOOFY: Then look for an antisniffer program or an anti attack utility like Black Ice.
SPEAKER_GW4GOOFY: That would protect you from most any attack. In light of the recently lost laptops in the news, DOE, state department, and Qualcomm, I think laptop data is a more likely area of compromise than a network behind a firewall.
SPEAKER_GW4GOOFY: I don't know about security certifications on other products. Anyone?
MODERATOR: I know that many of the Linux certs have security 'modules'.
SPEAKER_GW4GOOFY: Of course Cisco's cert includes its PIX product.
MODERATOR: Nearly all of them. The LPI, however, is the best.
SPEAKER_GW4GOOFY: I know the FAA is looking at security certification of some sort for all its security admins.
Setting the Standard
J_LEIB: Do you think that security features such as smart cards, biometrics, etc. will become standard in most environments?
SPEAKER_GW4GOOFY: Some of the antivirus vendors are looking at certs as well, like Command Central.
SPEAKER_GW4GOOFY: I think smart cards will be popular in sensitive environments.
J_LEIB: Is it the cost or the resistance by users that will prevent them from becoming more widespread?
SPEAKER_GW4GOOFY: I think the thumbprint technology will be a larger part of laptop security.
SPEAKER_GW4GOOFY: Cost and a lack of concern in most companies. I think if most users don't even sign off during lunch, why spend the money on hardware that they won't use? Enforcing a security policy is never popular, and without an actual attack, it is hard to sell to management.
SPEAKER_GW4GOOFY: For a cheap firewall, check out floppyfw, it fits on one floppy and runs simple packet filtering on Linux.
J_ASTREIDES: In reference to people signing off, you can use the screen saver in the NT admin CD to force a logoff when the screen saver starts. The file is called winexit.scn.
SPEAKER_GW4GOOFY: Good idea.
SPEAKER_GW4GOOFY: Don't all your clients need to run NT for that?
J_ASTREIDES: No, winexit works on all Win9x versions. I use it on our Win95 machines here.
SPEAKER_GW4GOOFY: Cool, I'll remember that one.
SPEAKER_GW4GOOFY: I think those types of simple measures are the most important areas to fix before spending money on hardware, software, and consultants.
J_LEIB: In that case, do you think blocking "across the wire" attacks is easier than trying to get mgmt. and users to accept and follow a security policy?
SPEAKER_GW4GOOFY: Yes, I think using attack detection and tools like Norton's Internet Security 2000 are good measures to take.
J_ASTREIDES: In the last few issues of Information Security magazine, they have written articles referring to the greatest threat: Internal user, Sysadmins, and consultants.
SPEAKER_GW4GOOFY: I agree that internal users are much more likely to cause loss or unauthorized access to data.
J_ASTREIDES: There just seems too much to do in Information Systems security for any one person to perform.
J_LEIB: Where do you think the burden should fall on preventing hacking? Companies or ISPs?
J_ASTREIDES: Policies help but need constant revision to meet new threats.
SPEAKER_GW4GOOFY: Well you need to share that responsibility among your experts: server security for your admin, net security for your Web site guys or gals, and desktop security to your tech support.
SPEAKER_GW4GOOFY: These key people need to meet on a regular basis with time set aside for needed discussion and action. Point them to online information, such as TPG, security portal, and others, and then they should share interesting articles among themselves for action and discussion.
J_ASTREIDES: I agree, and that’s where policies come in, but the overall responsibility as CIO, CTO, or security manager still leaves a lot to consider and keep on top of.
SPEAKER_GW4GOOFY: I agree, and most companies don't focus on security as a major part of IT. Mostly they worry about functionality, performance, and cost.
J_LEIB: How far behind the "bad guys" do you think the "good guys" are in determining new ways to break into a system and how to prevent the attack?
J_ASTREIDES: Hiring was one article I found very interesting, in the magazine I mentioned. It delved into personality types and the type of threat each is capable of (as Sysadmin).
SPEAKER_GW4GOOFY: It is the CIO or CTO who is responsible for listening to his or her experts, communicating the issues to management, and then enforcing policy if needed.
SPEAKER_GW4GOOFY: I think that a majority of "good guys" are way behind.
J_LEIB: Is there a way to be proactive rather than reactive?
SPEAKER_GW4GOOFY: What magazine? I would be interested in that type of discussion.
J_ASTREIDES: I just think the scope of the Information Security Manager can be very broad and a very difficult position at best.
SPEAKER_GW4GOOFY: I used to start each morning with a review of security news on securityportal and then forward any current threat information to the CFO, IT director, and users, if necessary. Don't forget to inform users fist of virus or e-mail based attacks so they can be cautious.
J_ASTREIDES: It is Information Security from ICSA.net; I do not remember the exact issue.
SPEAKER_GW4GOOFY: I wonder what personality type was the best for a sysadmin. Methodical? Reactive?
It’s in the details
MODERATOR: Just a warning everyone—we have 10 minutes left.
SPEAKER_GW4GOOFY: I lean away from methodical and more toward decisive action.
SPEAKER_GW4GOOFY: Security threats change daily, and quick thinking and identification of openings in your network are the most critical function of a security "guru."
J_LEIB: Do you think that could cause you to overlook something? (as opposed to being methodical?)
J_ASTREIDES: Being Security Guru is one job I think I will outsource...Too easy to lose all over one incident.
SPEAKER_GW4GOOFY: FYI cert.org has some good but rather slow-to-update information and white papers.
SPEAKER_GW4GOOFY: I think you will always overlook some things, it is too broad an area. It is not an area for the timid.
SPEAKER_GW4GOOFY: Yes you could lose all over one incident and an area often overlooked is to take credit when you prevent attacks, protect data, or catch a hacker.
MODERATOR: Five minute warning all.
SPEAKER_GW4GOOFY: Otherwise when you miss something you could lose it all. I've been guilty of the old thinking that if the network is up and running, then you’re doing your job.
J_ASTREIDES: Have a good one all, its time to flee.
J_LEIB: Is the breadth of security why there isn't as much as an emphasis on it? That it is too overwhelming because there is so much?
SPEAKER_GW4GOOFY: But you have to make sure they know what you have done to keep it up. I don't think many people want the job for the very reasons we have discussed.
MODERATOR: I'd like to happily announce that j_leib is today’s winner! Send your contact information to email@example.com (that would include full name, e-mail, and mailing addy), and you'll be in the running for the motherboard, processor, and fan from PogoLinux.com!
J_LEIB: That they are afraid that if they proclaim a network "secure" and something happens, they look bad?
SPEAKER_GW4GOOFY: No network is truly secure unless it is down...
MODERATOR: Don't forget, if you have any questions about security (or Linux or both) send them to me, firstname.lastname@example.org, and I'll see what I can do about answering them.
MODERATOR: Good one John!
MODERATOR: Anyone have any last questions for Mr. Day?
J_LEIB: Thank you to both Speaker and Moderator!
MODERATOR: You're welcome!
MODERATOR: I hope everyone has a wonderful, safe day. Always remember—if there's a problem with your computer, format C: install Linux. ;-)
MODERATOR: Take care everyone!