Network Security Comments and Ideas


02/06/14: Page Origin.

LINKS:
Ideas for Admins
Ideas for Users

Some Network Security Ideas For Network Admins
If you host your own domain(s) as I do, here are a few observations/suggestions:
SPAM:
11/28/13:   Since sendmail quit giving free updates several years ago, I have had to switch to postfix.   I'm still not pleased with having a lot of places to go to reconfig, but it does come with SPF, and RBL (so did sendmail).
I use the big dog, sendmail, which is a little bit harder to learn but allows me the flexibility I wanted (besides, most companies who host their own mail use it, and it looks good on your resume).   Sendmail is also free.   I use zen and spamhaus real time black lists, and I also use sendmail's access database.   Sendmail allows "milters" (mail filters) to be added to do any kind of filtering you want, like greylisting, SPF filtering, IP reputation, etc.   I also use the firewall to block access to my mailserver from all countries outside the US, and from networks who have previously spammed me.
Another thing to watch in the logs is: spammers frequently don't include a "from" address; it takes time to transmit and isn't required by the spec, but reputable senders always have one.
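As an added illustration (not the author's own configuration) of the sendmail controls mentioned above, here is a sendmail.mc fragment that turns on the access database, a Spamhaus DNSBL lookup, and a greylisting milter, followed by a couple of access-database entries. The socket path, the milter name and the example networks are placeholders.

```m4
dnl Added example, not the page author's sendmail.mc. Paths and the milter
dnl name are placeholders; adjust to the milter actually installed.
dnl
dnl 1. access database: per-sender / per-network allow and reject decisions
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
dnl
dnl 2. real-time black list: reject connections from hosts listed in zen
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Mail from " $&{client_addr} " rejected - listed at zen.spamhaus.org"')dnl
dnl
dnl 3. milter hook: greylisting (or SPF / reputation) filter over a unix socket
INPUT_MAIL_FILTER(`greylist', `S=unix:/var/run/milter-greylist.sock, T=S:4m;R:4m')dnl
dnl
dnl Corresponding /etc/mail/access entries (rebuild with "makemap hash").
dnl Constructed sample networks from the documentation ranges:
dnl   Connect:203.0.113        REJECT
dnl   Connect:198.51.100.20    REJECT
dnl   To:postmaster@           OK
```

With `INPUT_MAIL_FILTER` the milter is consulted during the SMTP dialogue, so a greylisting or SPF milter can reject before the message body is ever accepted, which is the cheap place to do it; the `Connect:` entries in the access map are the same kind of per-network block the text describes, applied at the MTA instead of the packet filter.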

Name Server:
I use bind; again, it gives you the flexibility you need, it looks good on a resume, and it's free.   Bind has "views", which allow me to provide different information for my internal network and selected external nets, and to redirect name queries from undesirable places to innocuous targets, like their own loopback or the Federal Trade Commission's spam site.   I know they won't get an answer, but I hope the FTC monitors their net and pays attention to such things.   I can easily control recursion by view and by virtual domain; only my internal domain should be allowed to recurse.
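An added named.conf fragment (not the author's own configuration) showing the per-view recursion control described above: one view for the internal network that may recurse, and a catch-all external view that serves the authoritative zone only. The domain name, addresses and zone file names are placeholders.

```conf
// Added example, not the page author's named.conf.
// example.com, the 192.168.1.0/24 LAN and the file names are placeholders.

acl "internal" { 192.168.1.0/24; 127.0.0.1; };

// Views are tested in order; the first one whose match-clients fits wins,
// so the most specific view comes first and the "any" view last.
view "internal" {
    match-clients { internal; };
    recursion yes;                       // only our own LAN may recurse
    zone "example.com" {
        type master;
        file "internal/example.com.zone"; // private RRs (LAN addresses)
    };
};

view "external" {
    match-clients { any; };
    recursion no;                        // the world gets authoritative data only
    zone "example.com" {
        type master;
        file "external/example.com.zone"; // public RRs
    };
};
```

Once any view is declared, every zone must live inside a view, including the root hints and localhost zones the internal view needs for recursion. The "redirect undesirable clients to loopback" trick from the text would be a third view, listed before `external`, whose `match-clients` is an ACL of the unwanted networks and whose zone files point everything at 127.0.0.1; an open-recursion check from outside (for example `dig @your.server example.org` from a non-LAN address) should come back with `REFUSED` or no recursion available once the external view is in place.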

Firewall
I use iptables (and soon ip6tables) because I like the flexibility and it's free.   I did create a firewall language which makes it easy to control access and minimizes errors.   The firewall IM has keywords like BLOCK, ALLOW, ACCEPT, REDIRECT, etc. and understands the traversal of iptables, so I can quickly block a net from Apache, for example, with no errors.

Web Server:
I use Apache; again, max flexibility, well documented (easy to learn), and it's free.   Using Apache it's easy to create virtual domains and secure them.

Network Surveillance:
I use a home built IDS, and several log scanners, see below.  
Intrusion Detection System:
I liked (and learned on) Shadow from the Naval Surface Warfare Center, but I didn't like waiting an hour to see what was happening on my net, so I built my own real-time version.   Using my Shadow it's always interesting to watch what folks are trying to do to my site.
Snort is very good for a knowledge-based system (difficult to learn) and it's free.

Log Scanning Scripts
I wrote some perl scripts that scan the maillog, httpd log, and syslog looking for abnormalities and displaying their results.  
The maillog provides the list of unknown users, which I use to add to my firewall rules blocking networks that send to users who have never existed on my domain; these are usually spammers.   Another benefit of maillog scanning is looking at SPF fails and blocking networks who have a lot of these.   Spammers get paid by the number of email addresses they send to, so, being criminals anyway, when they get an email address containing a valid domain, they generally pad the list by adding "made up" users on that domain, thus increasing the number of addresses they get paid for.   Another thing: spammers frequently don't include a "from" address; it takes time to transmit and isn't required by the specs, but legitimate senders usually have one.   I also use SPF, nuf said.   One comment about SPF: lately, I notice spammers have started using a legitimate domain (for the network address) in the HELO command so the SPF checks out.   BTW, I have noticed lately that a lot of spam uses a different domain on the HELO command from the MAIL_FROM command; I believe it's because HELO is checked by SPF.   Also, if the HELO is different from the MAIL_FROM it's usually SPAM.
The httpd log is good for determining who is poking around your document root looking for stuff you don't have or probing for weaknesses (404 result codes, and PUT or POST commands).   This tells me who doesn't belong on my web server, so I block their network's access to it.

Some Ideas About Network Security For Users
Your Computer's Operating System:
Never use any version of Windows; use Mac OS 10 or any form of Linux.   Ubuntu is really good for neophytes; you'll be amazed at how familiar it feels.   I have a laptop which runs XP; I keep it around just to program my Harmony-1 and my GPS, and those are the only times I turn it on.   I wish suppliers would support Linux so I could junk that laptop and you would be safer, but the CEOs of those companies think they are playing it safe and cheap.

Passwords:
If you want your stuff safe, until we have good biometric devices, you gotta use good, strong passwords.   If you're one of these folks who can't remember your password(s), you have to focus on what you are trying to do (protect yourself), or maybe you just shouldn't be using a computer at all.   I've seen NSA guys research a person on the internet, then crack their passwords in seconds.

EMAIL:
Don't include a long list of recipients on each mail; hide them.   Use BCC (blind copy), or your email client (the program you use) has the ability to hide them for you; look at your preferences.   Never, ever, ever open an email you were not expecting, even if you think you know who sent it, and that goes double for opening attachments.   Spammers and take-over hackers love to send email with viral attachment programs that they mask as pictures (steganography), etc.   When surfing, be very careful who you give your email address to; lots of companies sell email addresses to spammers (advertising companies like Exact Target, Constant Contact, etc. are usually spammers).   Be careful of web sites that want your email address as your user ID, same reason.

HOME NETWORK:
Use wireless sparingly or not at all; it is very hard to secure.   Hard-wired networks are always better; I know it's a little harder to install, but the peace of mind is worth it.   Encryption: if you just MUST use wireless, use WPA2 (Wi-Fi Protected Access), do NOT use WEP.   WEP-secured nets have been cracked in 3 minutes by the FBI.   If your AP (Access Point, aka wireless router) doesn't support WPA2, get a new one.   Use your own wireless key (or pin) and make it as complex as possible; don't use the manufacturer's pin, it's too easy to crack.   Don't use DHCP unless you assign your computer's MAC address(es) in the AP.   When you're not actually using wireless, turn the AP off.

SURFING:
Never use Internet Explorer; use anything else, like Firefox or Chromium (is there still a Netscape?).   I know IE is the default on your Windows box; that in itself should be reason enough to replace it.   Use anonymous or private browsing sessions; if your browser doesn't support it, get a different browser.   An anonymous browse session doesn't allow a site to look at your history or cookies unless that site put them on your computer.
As I have had to remind a whole lot of computer professionals, The Bad Guys Don't Play By The Rules.

Social Media: (like facebook etc.)
It gives bad guys a look into your life and info about habits, password hints, etc.   Don't mention going on vacation next week; it tells thieves that you're not gonna be home during that time.

Microsoft: The Cause of Most Network Security Problems

I badmouth Microsoft a lot and have very little respect for their marketing- and profit-centric designs, but if it weren't for them a lot of folks in network security wouldn't have jobs.   One thing about Microsoft which gives me angst is that millions of folks around the world would not be using the internet today if it weren't for Microsoft.   As I said, this is a good thing and a bad thing, since these folks don't have a clue about security or what they are actually doing.

Microsoft is NOT an innovator; they pretty much buy everything they sell.   Even Windows, they stole the idea from MIT.   The original windows program is called X-windows and is in use today in all Unix systems.