RE: ISP Security Suggestions

From: Ansel, Kenny L. (Sytex Contractor) (kenny.ansel.sytex@arrtc-exch.mccoy.army.mil)
Date: 03/26/02 

From: "Ansel, Kenny L. (Sytex Contractor)" <kenny.ansel.sytex@arrtc-exch.mccoy.army.mil>
To: Vernon <Vernon@b2unow.com>, security-basics@securityfocus.com
Date: Tue, 26 Mar 2002 09:59:11 -0600

Security, most often, is sorta limited by $$$. I feel that you cannot have
too much security from a security stand point.....but from a userability
standpoint, thats another issue.

As far as being redundant for adding extra steps.....security comes in
layers. The more layers, the more secure your system/network. NO NO system
or network is 100% secure...but the closer to the 100% you can get, the
better off you will be!!
Simply using MS's IPSec and a 2600 router and IceCap will keep out most
script kiddies. It will NOT keep the strong willed or insiders from doing
damage.

I would suggest something more than just layer3 security. A proxy server
would help!
A picture perfect security model would (at minimum) protect all 7 layers.

The justification question.....would you like to spend the time and $$$$ on
implementing security now....or would you like to spend time and $$$$ later
on the administrative headaches involved on getting your newtork back up and
running????

Kenny Ansel, Sytex Group
Network Security Instructor
MCP+I, MCSE, CCNP
608-388-8801

-----Original Message-----
From: Vernon [mailto:Vernon@b2unow.com]
Sent: Sunday, March 24, 2002 9:06 AM
To: security-basics@securityfocus.com
Subject: ISP Security Suggestions

I have a Windows 2000 Advanced Server setup with a T1 and a Cisco Router
2600 that is managed by our T1 provider. I've also have deployed the
latest version of IceCap (the network version of Black Ice) blocking all
ports, other than those needed to support our email server, 25 and 110.
Furthermore, I've blocked every port using Microsoft's IPSec, again
excluding 25 and 110, and naturally we keep up-to-date with all the
latest patches from Microsoft.

My question is, as this machine is not setup using a Proxy server nor do
I have a hardware firewall does anyone see a real need to purchase a
hardware firewall? Or furthermore a proxy server? I understand that this
would be the ideal situation and every ounce of effort you make a hacker
go through limits their ability to hack into my network, but doesn't it
seem a little redundant to add these extra steps? Does anyone feel that
these extra steps, extra effort and added cost are justified?

Any suggestions and or comments would be greatly appreciated.

Thanks

Relevant Pages

  • [REVS] XST Strikes Back
    ... Get your security news from a reliable source. ... support for TRACE in browsers and proxy servers. ... never arrives at the web server (of course, if the first proxy server is ...
    (Securiteam)
  • RE: suggestions for proxy server to run on w2003 box.. :VSMail m x3
    ... this particular part of security back internally. ... suggestions for proxy server to run on w2003 box.. ... provide prompt, expert service, but I have yet to see or hear about it. ... Would the possibility of outsourcing your company's firewall be viable? ...
    (Focus-Microsoft)
  • Re: msdn.com search failure
    ... BTW are you using a proxy server? ... I have alread knocked security and cookie security ... > level components are probably the OS itself. ... >>> is a problem with some shared component browsers use. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • IE Vulnerabilities
    ... Our IE users are behind a proxy server. ... leave our network with the IP address of the proxy server ... following security bulletins. ... Bob ...
    (microsoft.public.security)
  • https loads slowly with windows 2000
    ... >freezes up and doesn not load, ... I've tried eliminating spyware, defragged ... >the system and checked the proxy server. ... compromising a section in the Security section of their ...
    (microsoft.public.windows.inetexplorer.ie6.browser)