Penetration Testing mailing list archives

Re: Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?


From: "Michael Condon" <admin () singulartechnologysolutions com>
Date: Tue, 3 Mar 2009 19:45:57 -0600

I'd recommend (from past experience):
- Which Server Operating system should I install on my Server?
If Microsoft, 2008.
- Preferably Cisco gear for backbone, MDF, IDF's, 10 gig Backbone.
- 10/100/1G NICS are standard (btw - if anyone has ever seen a user other than an admin hit 30% on a 1G link, I'd wonder what they were doing)
- VLAN's/subnetting depends on your physical layout & IDF locations. Cisco allows various levels of NAC.
- Shares (if possible to have Shares and still maintain a secure network)
I'd actually disable user sharing, no exceptions. Use NAS, and role based/Access Control/Least Privilege security. Get the org chart, have a sit down with dominant alpha managers, starting point is nobody can look at anything and proceed from there. Nobody can even see their own (and of course someone else's) password in plain text, including admins. I'd recommend following NIST/FDCC guidelines, but that's up to you.
- Encryption to the desktop - usually that's done at the app level, or on routers. I may be TFOS on this......
- Whether you're converting the Unix machines to Windows or installing new, just use RIS (sorry, Windows Deployment Services - New OS version, new name as usual). And patch/duct tape the desktops (and of course Servers) daily.
- If you plan on using Windows on the server side, just use the native MS Active Directory for security & policies. A PDC, plus preferably two BDC's.

Are you converting from Linux/Unix to MS or keeping a blend? And email, IDS, firewall, Spam, AV?

Mac's are another story. Usually if someone says they absolutely need a Mac, if they're reasonably credible & intelligent, they more than likely are correct. Or if the user asking for a Mac has a yearly bonus or severance package that's more than you'll make in ten years, he'll get one.
--------------------------------------------------
From: "Chip Panarchy" <forumanarchy () gmail com>
Sent: Sunday, March 01, 2009 8:12 AM
To: <pen-test () securityfocus com>
Subject: Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?

Hello

So far, when I have posted on this Mailing-List I have received some
very informative replies.

I am currently studying for a few certifications, (amongst them MCSE,
Security+ & the CCNA), and would like to learn how to design a secure
network.

Please help me with this endeavor.

Hypothetical situation;

################################################################
1x Server (no need to go into specs, but let's just say 8GB of RAM and
2x Intel Quad CPU at 2.66GHz)
500x Windows Computers (400x Windows XP, 94x Windows Vista and 6x Windows 7)
80x Linux Computers (Ubuntu... and others?)
46x Mac OS X Computers (Including 10x Tiger, 34x Leopard and 2x Snow Leopard)
3x FreeBSD (2x v7, 1x v9)
################################################################

===============================
630 computers all up, including the Server
===============================

Now onto my question. For a convoluted network as pictured above,
(hypothetical, of course), what kind of Server (NOS included?)
operating system should I install, and how should I configure it?

I want to know this only from a security standpoint. Things that are important;
############
# SECURITY #
############
- Encryption of all traffic (256-bit)
- Shares (if possible to have Shares and still maintain a secure network)
- Centralised secure storage of Data (Storage)
- Centralised secure storage of User accounts
- Unattended installation of (at the very least) the 500 Windows boxes
- Internet

Please tell me what I would need in this situation, not interested in
how many people would be needed, how much money it would cost, or how
much time it would take.

Now time to summarise my questions in an easy to review format;

1. Which Server Operating system should I install on my Server?
2. To make the Network fast (e.g. Gigabit NICs on all computers & more
Servers etc.), as well as secure, what would I need to do?
3. What is the best way to have 256-bit encryption of all traffic on
this network?
4. Is it possible to have Shared folders, yet still attain a
high-level of security on this Network?
5. Would it be possible to have Centralised Storage/Resources?
6. Could it be possible to have a Centralised User Account database,
for this entire network?

Please try your best to answer those 6 questions.

Thanks in advance,

Chip D. Panarchy

PS: I was planning on making this into many little Messages on this
Mailing-list, however, I decided against it. If you think I should
make them into smaller messages (eg 1 of the 6 questions per message)
then please tell me.






