Looking for some experienced insight on open source security for small-med business

[TexRyker]

Hello all,

I am starting to write a paper for my grad level trusted systems course and was looking for some insight and experience on what tools and technologies would be of use to a small-med business to aid in securing their infrastructure? I know that BT incorporates several programs that could be used to identify security leaks and potentially prevent attack. I wanted to see what top 10 programs or systems you believe could be used to lock down a small to medium sized business network.

Assumptions would be:
Minimum of 30 client pcs that are mostly windows based
a few servers with a domain controller and exchange services
single lan
single firewall (currently OTS but will be suggested to be migrated to linux based firewall box)
single router (I would think I might approach this as part of the solution using open source code loaded on a generic router)

I appreciate any incite or suggestions on this as the paper topic is completely open assuming it follows along the class name of trusted systems. Key points I am already thinking are a mix between BT tools, a few others not on BT, and a few physical items being added with security software installed.

TIA

[lakiw]

Despite all the jokes about it, I've found the DISA gold disk decent for identifying potential problems in a windows pc, (it's not perfect but better than just about everything else. They really need to get rid of all the manual checks and automate it much better though). The scan only version is free to anyone, (the version that can automatically make changes is only available from a .mil address, but the automatic changes can be dangerous to impliment).

Nessus is another free tool for scanning potential vulnerabilities.

Nmap - couldn't live without this

I think the most important part about the firewall/router is that you have a sysadmin that can manage them. You can have the most secure firewall in the world but if there is a "permit ip any any" rule at the top it won't do much good. Also having someone be able to effectivly go through logs is priceless, (not only for security, but for troubleshooting as well).

Actually, on that point you might want to think of adding a syslog server to your setup.

I generally try to avoid the certification & accredidation side of things like the plague, but you can probably find a lot of good info and best practices in those documents as well.

Then there is wireless and VPNs if you want to support those. You could also talk about using a tool like Norton Ghost so you can have a sandardized base image when you have to rebuild a machine or get a new one. VMWare is also nice for servers as backups are fairly easy.

I'm not a big fan of IDS's, but a program that parses netflow data could also be useful for sysadmins who want to get a snapshot of their network.

Warning, I'm not a security pro by any means. I hope this helps though.

[TexRyker]

@lakiw

Thank you for your insight. For some reason I have not heard of the gold disk before, but this will be definitely looked into if not tested in my daily life as an admin. I have been using the MBSA tool and GFI languard on my work network to check things out, but this looks to be my way around the fee portion of the GFI suite, at least for now.

Thank you for your time!

[Virchanza]

Keeping the computer room door locked.

Even if you were to put a bulletproof Linux on all of the machines, you can still be f***ed over by someone who has physical access to the room for 10 minutes. Over the weekend I had to attend a seminar for work, but we had no internet because the computer admin guy was on holidays and nobody had his password to log into his computer and turn on the proxy server.

We tried ringing the computer admin guy, but his phone was off (or out of range, whatever). Anyway, a few minutes later the people who ran the place gave me the go ahead to do whatever I had to do to get the internet going... so I threw a boot CD into his main PC.

To get to the point though... it tends not to be very difficult for someone to gain access to a computer room. For instance if you're in a school or college, all it takes is "Sorry I left my bag back in the computer room, can I grab the key off you for a minute to run back and get it?". Also when I was in high school, one of the teachers lost his set of keys; over the next few days, doors mysteriously started appearing open.

[compaq]

I have tryed mucking around "Deep Freeze", it take a snapshot of you,re computer and evertime you restart it goes back to that default image. Con, its a bastard to remove, so if you want to test it, be rady to reload windows. You can make a partion, were you store your files on. And it would stop most if not all the virius out there.

Sorry for the rant, but its a damn good tool.

[xorred]

Operating Systems - NSA/CSS is something you SHOULD consider.

Also, you could check out the videos I posted on my security blog... SecurityGuy.org » Video - The IT Security Blog - they are for home - based PC security, but are well suited for small businesses also, as I'm featuring the "Security & Privacy Complete" tool from SourceForge - it's opensource, and it's pretty small quick and easy to use.

[TexRyker]

Thank you for the replies all. I just got my topic approved, so off I go! If only I didn't have a final and a midterm this week to tack onto this rough draft I would be having an easy week lol...

Anyone else go for a information assurance masters here? Seems there are not many colleges that offer the degree.

[imported_wyze]

Designing the network is something that would need careful analysis and planning. You'd need to identify most, if not all of the networks requirements before drawing up diagrams / outlines for its design.

For firewalling / routing, pfSense would be an optimal choice. Deploying it 'correctly' does take a bit of leg work. A Snort IPS can be installed on top of it, using snort2c to block traffic matching rules/signatures. BSD firewalls tend to be much more effective / efficient than Linux.

You would also want to explore options for HIDS deployments (OSSEC comes to mind). PSAD is another application to dive into. Layer 2 security is something to look into as well (usually this falls under vendor stuff and not open source).

Developing a security policy for all of the users on the network is a must (pushy CEO included); enforcing it is another story beyond the scope of a forum post.

Even with many of the above tools in place, you still need the ability for logging, monitoring, accounting and analysis -- such as a central monitoring application (like Splunk for example and/or an IMAP account(s) that alerts would forward to). Create a regular schedule to devote to analyzing the data collected from alerts and log statistics.

I could go on for several hours and not even scratch the surface, but that's my $0.02.

[TexRyker]

Still working on it. Not sure if you guys have seen this list before but has been pretty useful at least on my end.

100 Best Open Source Security Tools | Masters in Criminal Justice

[imported_wyze]

Still working on it. Not sure if you guys have seen this list before but has been pretty useful at least on my end.

100 Best Open Source Security Tools | Masters in Criminal Justice

Well to me, that list isn't complete.. I don't see many of the better tools listed in there (pfSense, Dspam,etc).