G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy



Similar documents
INTRUSION DETECTION SYSTEMS and Network Security

Computer Security Maintenance Information and Self-Check Activities

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

GFI White Paper PCI-DSS compliance and GFI Software products

Architecture Overview

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Best Practices for DanPac Express Cyber Security

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Chapter 9 Firewalls and Intrusion Prevention Systems

HoneyBOT User Guide A Windows based honeypot solution

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

CMPT 471 Networking II

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Achieving PCI-Compliance through Cyberoam

Airtel PC Secure Trouble Shooting Guide

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Web Security School Final Exam

Locking down a Hitachi ID Suite server

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Firewalls, IDS and IPS

ViRobot Desktop 5.5. User s Guide

System Security Policy Management: Advanced Audit Tasks

Chapter 15. Firewalls, IDS and IPS

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Cyber Essentials KAMI VANIEA 2

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Network Security. Mike Trice, Network Engineer Richard Trice, Systems Specialist Alabama Supercomputer Authority

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Firewalls Overview and Best Practices. White Paper

FIREWALL POLICY DOCUMENT

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

8. Firewall Design & Implementation

Network Incident Report

Lab Configuring Access Policies and DMZ Settings

A Decision Maker s Guide to Securing an IT Infrastructure

ICANWK406A Install, configure and test network security

Cryptography and network security

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

BlackBerry Device Software. Protecting BlackBerry Smartphones Against Malware. Security Note

CITY UNIVERSITY OF HONG KONG Network and Platform Security Standard

Course Title: Penetration Testing: Network Threat Testing, 1st Edition

TIME TO LIVE ON THE NETWORK

FIREWALL POLICY November 2006 TNS POL - 008

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Zone Labs Integrity Smarter Enterprise Security

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Best Practices for DeltaV Cyber- Security

The Bomgar Appliance in the Network

Payment Card Industry (PCI) Data Security Standard

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Lesson 5: Network perimeter security

Common Remote Service Platform (crsp) Security Concept

March

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

How To Protect A Network From Attack From A Hacker (Hbss)

Firewalls, Tunnels, and Network Intrusion Detection

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Codes of Connection for Devices Connected to Newcastle University ICT Network

Implementing Security Update Management

Firewalls (IPTABLES)

AVeS Cloud Security powered by SYMANTEC TM

Huawei Network Edge Security Solution

Windows Remote Access

Intro to Firewalls. Summary

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

Microsoft Software Update Services and Managed Symantec Anti-virus. Michael Satut TSS/Crown IT Support

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Internet Security Firewalls

11.0. Symantec Endpoint Protection 11.0 Reviewer s Guide

74% 96 Action Items. Compliance

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

Training Course on Network Administration

Secondary DMZ: DMZ (2)

Network Security Topologies. Chapter 11

How To Secure Your System From Cyber Attacks

Transcription:

For Public Use G/On Basic Best Practice Reference Guide Version 6 Make Connectivity Easy 2006 Giritech A/S. 1 G/On Basic Best Practices Reference Guide v.6

Table of Contents Scope...3 G/On Server Platform Requirements...3 G/On USB and G/On Desktop Platform Requirements...4 Intrusion Detection...4 G/On Server Placement...5 In the intranet... 5 Intranet with Elevated Security... 6 In the Demilitarized Zone (DMZ)... 7 What is the definition of a DMZ?... 7 References:...9 IANA Assigned Port Numbers... 9 Windows Server 2003 Security Guide... 9 Microsoft Baseline Security Analyzer (MBSA)... 9 The Antivirus Defence-in-Depth Guide... 9 Intrusion Detection FAQ... 9 2006 Giritech A/S. 2 G/On Basic Best Practices Reference Guide v.6

Scope This document has been developed to provide best practice reference information to users and administrators of the G/On Product line. The document details best practice for configuration and placement of the G/On Server, and also a basic set of requirements for the PC where the G/On USB Key or G/On Desktop will be implemented. It is assumed the reader of the document has the relevant technical skills and background to understand security implications of different network topologies. It is also assumed the reader understands how to secure the components of a network topology. G/On Server Platform Requirements In today s hostile environment of worms, viruses, denial-of-service attacks, Internetwide scanning, and much, much more, it is imperative Internet facing servers are secured as much as possible. The first and most important step in securing an Internet facing server is to keep the server updated with the latest security related fixes. Almost all exploits, giving access to a server, are based on known vulnerabilities in the operating systems and/or running applications. Eliminating most of these vulnerabilities is done by keeping the server updated with the latest service pack and security fixes, sometimes also called hot-fixes. The second step in securing an Internet facing server is to harden the operating system by removing any services not needed by the application running on the server. Removing the services limits an attacker s options. Should an attacker gain access to parts of the network, reducing running services will limit the attacker in gaining additional access. The third step in securing an Internet facing server is to reduce the amount of users that have access to the server. Only system administrators, with a valid business need, should have an account on the server. Renaming default administrators accounts, changing default passwords, and disabling or removing unnecessary accounts is a basic step making it more difficult for an attacker to gain access to the server. Once these steps have been taken, the server is ready for installation of the G/On Server. For more information on securing Internet facing servers, please see the reference section at the end of this document. 2006 Giritech A/S. 3 G/On Basic Best Practices Reference Guide v.6

G/On USB and G/On Desktop Platform Requirements Because of the hostile environment the Internet has become, it is necessary to take a few basic steps to protect a PC before connecting it to the Internet. As described in the server section, it is equally important to keep a PC updated with the latest services pack and security related fixes. Since you don t always have a way of knowing if the Internet connection you are using is protected by a firewall, and if it is, how well the firewall has been configured, it is always recommended to install firewall software on the PC. Some operating systems include firewall features, in other cases it must be purchased separately. Antivirus software has also become a necessity. Not only does it protect from virus and worms, but most antivirus software also protects against Trojans and other forms of malware. There are a multitude of ways to get infected, not just from e-mails, but also by visiting certain Internet sites, or even using applications that appear friendly, but aren t. Spyware isn t normally malicious in nature, but it does slow down the PC by using the CPU, and it also reduces available bandwidth, by unnecessary use of the Internet connection. Installing anti-spyware software is becoming a necessity, and should be considered seriously. For more information on protecting a PC, please see the reference section at the end of this document. Intrusion Detection Implementing a firewall doesn t necessarily imply security. Without proactive monitoring, there s no way of knowing if the firewall is actually protecting the network. One way is constant log analysis. Depending on the amount of traffic, this may be an impossible task. A better way is to implement an Intrusion Detection System (IDS). The IDS can detect patterns of attack, and can send alarms, or even shut down parts of the network to protect the infrastructure. 2006 Giritech A/S. 4 G/On Basic Best Practices Reference Guide v.6

G/On Server Placement In the intranet The G/On Server may be placed in the intranet with direct connectivity through the enterprise firewall to the Internet. This placement requires a single port on the firewall be configured to allow through traffic TCP. The Giritech IANA Registered default port is 3945. The server port is configurable and may be set to any port. If the G/On Server is configured to use another port, i.e. 443, the firewall must still be configured to allow outbound traffic on port 3945/tcp, to allow the G/On Server to contact the Giritech License Server, during the installation process. It is possible to utilize Port Address Translation (PAT) to allow different port configurations across firewalls. This placement allows the G/On Server to connect to legacy systems without needing to open additional firewall ports. It is very important that the G/On Server be the only device allowed to connect through the firewall in this manner, in order to protect all other systems placed in the intranet, from being accessed directly from the Internet. This placement also allows the G/On Server to authenticate users at the Active Directory (AD) without further configuration. This allows the AD administrator to make and remove users, disable accounts, apply group policies at the AD and sync to the G/On Server. No password information is transferred to the G/On Server during sync. Groups and user replicas are the only information passed to the G/On Server. The default settings of the G/On Server represent a best practice approach. These settings can be customised to address in-house security policies. 2006 Giritech A/S. 5 G/On Basic Best Practices Reference Guide v.6

Intranet with Elevated Security Depending on the type of environment the G/ON Server will be placed in, there may be elevated security consideration to be met. One such consideration is the fact that the G/On Server can be contacted directly from the Internet, which may be against the implemented security policy. To limit and have better control over possible damage caused by an attack on the G/On Server, it is possible to place the G/On server on its own network segment, separated from the server farm by a choke router. The choke router is then configured with filters, allowing G/On Server access only to the servers it needs to communicate with, like the Active Directory, TS/Citrix Server, etc. The G/On Server could also be attached on a separate network interface of the intranet firewall. Please note, this is NOT a DMZ, but simply a solution for more control, and better logging facilities, as this is often the case with firewalls compared to routers. 2006 Giritech A/S. 6 G/On Basic Best Practices Reference Guide v.6

In the Demilitarized Zone (DMZ) What is the definition of a DMZ? Demilitarized Zone (DMZ) a buffer area between two enemies. The definition of a DMZ is that no traffic originates from the DMZ. The DMZ can only answer a connection initiated outside the DMZ, and never initiate a connection of its own. The only exception to this rule is that in some cases, to simplify an e-mail solution, smtp (25/tcp) is allowed outbound from the DMZ. By not permitting systems in the DMZ to establish outbound session, either to the Internet or intranet, DMZ systems are effectively prevented from initiating transfer of data from one zone to the other. As an example, if a DMZ placed system is compromised from the Internet, connections cannot be initiated to the intranet, effectively preventing the compromise from spreading to the intranet. NB! Giritech does not recommend placing the G/On Server in a DMZ. To do it properly requires that all intranet systems, to be accessed, be duplicated to the DMZ, thereby increasing complexity and doubling administrative tasks. Placing duplicates of intranet systems in a DMZ also reduces the number of obstacles a hacker must pass to get to confidential data. 2006 Giritech A/S. 7 G/On Basic Best Practices Reference Guide v.6

The G/On Server may be placed in the DMZ with direct connection through the DMZ to the Internet. This placement requires a single port on the DMZ firewall to be configured to allow through traffic TCP. The Giritech IANA Registered default port is 3945. The server port is configurable and may be set to any port. If the G/On Server is configured to another port, i.e. 443, the firewall must also be configured to allow outbound traffic on port 3945, to allow the G/On Server to contact the Giritech License Server, during the installation process. Using this placement requires that the systems and resources be replicated in the DMZ and that any synchronization from the intranet be pushed to the DMZ from the intranet. In other words the internal firewall must only contain outbound rules to allow synchronization to the DMZ systems. This placement allows the G/On Server to connect to replicas of legacy systems without needing to open additional DMZ firewall ports. It is very important that the G/On Server be the only device that is allowed to connect through the DMZ firewall. In order to synchronize the Active Directory (AD) from the G/On Server, the G/On Server MUST be a member of the domain. The default settings of the G/On Server represent a best practice approach. These settings can be customised to address security policies. 2006 Giritech A/S. 8 G/On Basic Best Practices Reference Guide v.6

References: IANA Assigned Port Numbers http://www.iana.org/assignments/port-numbers Windows Server 2003 Security Guide http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sg ch00.mspx Microsoft Baseline Security Analyzer (MBSA) http://www.microsoft.com/technet/security/tools/mbsahome.mspx The Antivirus Defence-in-Depth Guide http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx Intrusion Detection FAQ http://www.sans.org/resources/idfaq/ 2006 Giritech A/S. 9 G/On Basic Best Practices Reference Guide v.6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information