Sunday, March 9, 2008

A Red Team strikes!

Talk about an eye-opening experience! We invited a Red Team to do penetration testing on our network. A group of ubergeeks brought their laptops, tools, and toys and left with astonishing results! It's one thing to hear someone say that your server isn't up to date so "go patch it", but quite another to have someone steal a copy of your most valuable data in a short period of time, in a manner that would have been difficult to detect, and then have them reveal how they did it!

The takeaway is that, if you expect to protect your data, you had better implement, maintain, and enforce Draconian policies on your network. Engineer the system from the ground up with security in mind. Implement IDS systems, baseline your network, track your user group memberships, and above all, train the heck out of all privileged users, then all users - they should be doing things like never logging in with their admin accounts, only using "run as" when necessary (the Linux "su" mentality), and logging off or locking their workstation when leaving for a moment. Keep up to date with patches on all systems - servers, clients, printers, appliances, routers, whatever. Minimize the places from which administrative tasks can actually be performed. Apply the same password policy to everything that uses a password. Then: monitor, monitor, monitor. This is one of those "weakest link" deals. Powerful "server" applications like SQL databases (and many, many others) are great launching points - consider running them on "member servers" instead of domain controllers. Technically savvy malicious users don't need much of a launching point. This doesn't even take "social engineering" into account, and users tend to behave stupidly from a security perspective.
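One way to make "baseline your network, track your user group memberships, then monitor" concrete, as an added example that is not code from the original post: snapshot the effective membership of the privileged groups, following nested groups, and diff each new snapshot against the baseline. The group names are the standard Windows built-ins; all member data below is constructed.

```python
# Added example (not from the original post): baseline and diff the
# *effective* membership of privileged groups, following nested groups, so
# a user slipped into a group that is itself nested in Administrators is
# caught. Group names are Windows built-ins; all member data is constructed.
from collections import deque

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def effective_members(groups, name):
    """Users in `name` directly or via nested groups. `groups` maps a group
    to its direct members (user names or other group names); cycles are OK."""
    users, seen, queue = set(), {name}, deque([name])
    while queue:
        for member in groups.get(queue.popleft(), ()):
            if member in groups:            # a nested group: expand it once
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def snapshot(groups):
    """Effective user membership of every watched group."""
    return {g: effective_members(groups, g) for g in PRIVILEGED_GROUPS}


def diff_snapshots(baseline, current):
    """Sorted (group, user, change) for every gained or lost privileged member."""
    changes = []
    for group in PRIVILEGED_GROUPS:
        before, after = baseline.get(group, set()), current.get(group, set())
        changes += [(group, u, "ADDED") for u in after - before]
        changes += [(group, u, "REMOVED") for u in before - after]
    return sorted(changes)


# Constructed snapshots. 'Helpdesk' is nested in 'Administrators', so adding
# 'mallory' to Helpdesk quietly makes her a local administrator.
BASELINE = {"Domain Admins": {"alice"}, "Enterprise Admins": {"alice"},
            "Administrators": {"Domain Admins", "Helpdesk"}, "Helpdesk": {"bob"}}
CURRENT = {"Domain Admins": {"alice", "svc_sql"},   # service account promoted
           "Enterprise Admins": {"alice"},
           "Administrators": {"Domain Admins", "Helpdesk"},
           "Helpdesk": {"bob", "mallory"}}

if __name__ == "__main__":
    for group, user, change in diff_snapshots(snapshot(BASELINE), snapshot(CURRENT)):
        print(f"{change:8}{user:10} -> {group}")
```

In a real deployment the snapshots would be exported from the directory on a schedule and any ADDED line on a watched group would page someone, not just print.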

After seeing what these guys did, I'd have a hard time imagining a network that wouldn't be vulnerable to that kind of crew - unless it's physically isolated, physically protected, and assured that malicious users can't get physically near it or trick actual users into inadvertently assisting them - an unrealistic network utopia. However, that said, there's a lot that you can do for network security. Don't look for a "magic bullet" - attack the low-hanging fruit and take it from there.

VoIP - more than you bargained for?

Thanks for the inspiration Carl - your objective viewpoint often sheds light on absurdities that I might otherwise fail to notice. In this case I'm referring to Cisco-flavored VoIP. It's an amazing concept that truly delivers next-generation communication capabilities. Who wouldn't want: virtually unlimited directory numbers, multi-line capability, much more wide-open conference call ability, a centralized web-based interface to administer and log the system, the ability to tie into POTS lines at the gateway or use a truly cheap international carrier, and much more?

I had always thought that the key selling point to VoIP is that it works on your existing infrastructure. You already have Ethernet. You're connected to the Internet on a relatively wide pipe. Why not plug phones into your system?

What if I told you that my Cisco rep pointed out that they made half of their income - yes, literally half - one recent year on VoIP-related sales? Holy Cow! You know how much Cisco equipment costs! How much could a phone possibly run!?!? This surprised me even after hearing that they wanted nearly $20k for call manager software for one switch that we already owned. How could that be?

Let's jump to my recent VoIP experience. We rapidly deployed about 20 VoIP phones on a network that was also about to become busier than usual. Without getting into the specifics too much, the system was very sensitive to being properly configured. If the separate voice VLAN wasn't set up just so, phones would randomly reboot and exhibit strange behavior. Some of the switches with a slightly older version of IOS had to be configured differently than the newer ones. Phones plugged into switches without PoE needed power cubes. Gateways, call managers, and phones needed to be configured and coordinated between sites. Bottom line - I love what VoIP brings to the table and am eager to learn more, but it's not a simple matter of plugging a phone into your network.

OK, back to Cisco sales dollars. In light of what I just presented, my earlier statements should make more sense. How would you like to save money by purchasing some new VoIP equipment that will work with your existing infrastructure? Yes, great. Well, you may need to replace all your switches, update your routers (maybe?), and buy some call managers and gateways while you're at it. Hey - at least you'll have a modern network. Your cabling should still be good.

Given all that, I still can't say that I'm opposed to VoIP. In fact, I'll call it progress. But you sure as heck better figure out what you're getting yourself into prior to making the big plunge! You don't want to make yourself that guy at your organization!