Re: Help a computer science student
From: Todd H. (comphelp_at_toddh.net)
Date: 04/02/04
- Next message: Todd H.: "Re: Newbie interested in a career security - needs help."
- Previous message: Todd H.: "Re: Network Packet Analyzer"
- In reply to: someb0dy: "Help a computer science student"
- Next in thread: Ford Prefect: "Re: Help a computer science student"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 02 Apr 2004 11:40:04 -0600
malice93@hotmail.com (someb0dy) writes:
> Hello,
>
> I study computer science in Montreal and I have a practical exam about
> computer security. I'll explain to you what the class has to do and
> you'll know why the whole community of infosec might help me.
>
> Our class is divided in four. Each team has to build a network as secure
> as it can. That network has to have a dhcp, dns, pdc, web server,
> database server and a computer for the average joe user (ease of use
> is the most important criteria). We have also another limit. We have 8
> computers, 3 routers, 6 hubs, 6 hds and 10 network cards for every
> network.
>
> Our goal is to make our network as secure as we can while still
> having our web page available. We must also attack our opponents, to
> test THEIR security.
Cool project. Kudos to your instructor.
> I think I have a fairly secure network, but I'd like to have your
> opinion. Here is the architecture. There is a hub,
> port 1 is connected to the router. Port 2 is connected to a honeypot
> and port three is connected to a firewall (FloppyFW, with natting
> enabled and dhcp) The second interface of the firewall is connected
> to interface one of ISA server (with ANOTHER NAT enabled).
ISA=? Likely my Unix-leanings are showing.
> The second interface of ISA is in a hub (usually we would use a switch
> but none are available for this activity). The first port is for
> the PDC with active directory (hereby dns), the second has the pc,
> and the third one is connected to the web server (which is also a sql
> server)
>
> Needless to say, all of our arp will be static, all patches will be
> installed and all passwords will be 14 characters long with a special
> character (alt+129 or alt+255) every character.
> First, I'd like to know if you believe this network is secure. If not,
> what would be the most obvious entry points.
First you have to understand that no network is secure, and adjust
your terminology accordingly. "Reasonably secure" is a better
moniker to throw at that question. There are several echelons of
security...and it involves process and human training as much as it
does hardware and architecture. Hopefully your instructor has
illuminated this.
Tons of questions you need to consider that aren't outlined in your
post:
What patch levels are you running on all software? Have you run
Nessus against the servers to scan for vulnerabilities and
configuration problems? How is the web server configured? Is
directory indexing off, are default CGIs removed? What are the
firewall rules? What is your policy for user accounts on the firewall
and gateway/router boxes? Which is the "internet" end of the
architecture you've detailed? What's your user account granting
strategy on each of the servers inside your network? Do you have any
intrusion detection systems installed (Snort is open source)? What
protection against malware/virus/worms are you using on the servers,
especially those running some flavor of Windows? What if any CGIs or
ASPs are available on your web server? How could they be leveraged
against your network? What is the physical security of each
server/component of your network? Any steps to prevent unauthorized
physical access to the boxes?
As most security books point out in the first chapter, security is a
process, and no amount of clever network architecture guarantees you
anything.
Best Regards,
-- Todd H. http://www.toddh.net/
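Added example (not part of the thread, and not FloppyFW's own configuration): one way to answer the "what are the firewall rules?" question for the FloppyFW box described above, as a default-deny iptables ruleset. Assumptions: the box runs an iptables-based FloppyFW, eth0 faces the hub/router ("internet") side, eth1 faces the ISA server, the inside segment is 192.168.10.0/24 and the ISA outer interface 192.168.10.2 (all constructed values); only TCP/80 is published, the firewall hands out DHCP leases on the inside, and everything dropped is logged so an IDS or a human has something to read. By default the script only prints the commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Constructed topology values (assumptions, not from the thread).
EXT_IF=${EXT_IF:-eth0}                       # toward hub / router / opponents
INT_IF=${INT_IF:-eth1}                       # toward the ISA server
INT_NET=${INT_NET:-192.168.10.0/24}          # firewall <-> ISA segment
WEB_PUBLISHED=${WEB_PUBLISHED:-192.168.10.2} # ISA outer interface, relays port 80 inward

# Dry run by default: print what would be applied. IPT=iptables applies it.
IPT=${IPT:-"echo iptables"}

fw_rules() {
    # Start clean and default-deny on every chain, including the box itself.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP

    # Loopback and replies to flows that were already allowed.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP server only on the inside interface (broadcasts are not tracked reliably).
    $IPT -A INPUT  -i $INT_IF -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A OUTPUT -o $INT_IF -p udp --sport 67 --dport 68 -j ACCEPT

    # Inside hosts may initiate outward; hide them behind the external address.
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE

    # The single published service: TCP/80, to one host, nothing else inbound.
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 \
        -j DNAT --to-destination $WEB_PUBLISHED:80
    $IPT -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB_PUBLISHED --dport 80 \
        -m state --state NEW -j ACCEPT

    # Log before the policy drops, so the opponents' attempts leave a record.
    $IPT -A INPUT   -j LOG --log-prefix "fw-in-drop: "
    $IPT -A FORWARD -j LOG --log-prefix "fw-fwd-drop: "
}

fw_rules
```

Everything not listed (the PDC, the database, the ISA management interface) stays unreachable from the outside, and every new flow toward the box or through it that is not TCP/80 to the published host hits a logged DROP.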