Thursday, January 6, 2011

Internal Threats

Don't just secure your network perimeter; a large proportion of attacks are carried out by someone who already has access to the internal network. These often come in via an unmanaged hub or a rogue access point, so first things first: enable port security (strict MAC address filtering) on your access switches. You don't need expensive switches for this, the feature is available on most basic managed switches. Collecting the MAC address of every device may seem tedious, but you've probably already got them listed, in your DHCP leases for example, or you can run a script that scrapes the ARP table of your core router or a busy server (your DNS server, say) every couple of minutes for a week and merge the results. Bear in mind that a MAC address is trivially spoofed, so port security stops a casual plug-in rather than authenticating the device; if you need the latter, look at 802.1X.

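The inventory step described above, as an added example that is not the author's script: it merges the hardware addresses from an ISC dhcpd.leases file with repeated `arp -an` snapshots, prints one allow-list line per known MAC for the switch configuration, and separates out addresses that were seen on the wire but never leased (statically addressed kit, or something that shouldn't be there). All records below are constructed samples, not a real network.

```python
"""Build a MAC address inventory from DHCP leases plus repeated ARP snapshots,
so the allow-list for switch port security can be written from data you
already have. Added example for this post, not the author's own script.
Input formats follow ISC dhcpd.leases and `arp -an`; the records below are
constructed samples, not a real network.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of an ISC dhcpd.leases file.
DHCP_LEASES = """
lease 10.0.1.21 {
  starts 4 2011/01/06 09:12:00;
  ends 4 2011/01/06 21:12:00;
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "reception-pc";
}
lease 10.0.1.22 {
  binding state active;
  hardware ethernet 00:1A:2B:3C:4D:5F;
  client-hostname "finance-laptop";
}
"""

# Constructed `arp -an` snapshots, as a cron job would collect them every few minutes.
ARP_SNAPSHOTS = [
    "? (10.0.1.21) at 00:1a:2b:3c:4d:5e [ether] on eth0\n"
    "? (10.0.1.1) at 00:11:22:33:44:55 [ether] on eth0\n",
    "? (10.0.1.22) at 00:1a:2b:3c:4d:5f [ether] on eth0\n"
    "? (10.0.1.99) at de:ad:be:ef:00:01 [ether] on eth0\n",
]

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17})\s*;", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"')
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)\s+at\s+([0-9a-f:]{17})", re.I)


def macs_from_leases(text):
    """Map MAC -> (ip, hostname) for every lease carrying a hardware address."""
    found = {}
    for ip, body in LEASE_RE.findall(text):
        hw = HW_RE.search(body)
        if not hw:
            continue
        host = HOST_RE.search(body)
        found[hw.group(1).lower()] = (ip, host.group(1) if host else "")
    return found


def macs_from_arp(snapshots):
    """Union of MAC -> set(ip) across all snapshots; a single snapshot misses idle hosts."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac in ARP_RE.findall(snap):
            seen[mac.lower()].add(ip)
    return seen


def build_inventory(leases_text, arp_snapshots):
    """Merge both sources into MAC -> {ips, hostname, in_dhcp, in_arp}."""
    leases = macs_from_leases(leases_text)
    arp = macs_from_arp(arp_snapshots)
    inventory = {}
    for mac in set(leases) | set(arp):
        ips = set(arp.get(mac, ()))
        if mac in leases:
            ips.add(leases[mac][0])
        inventory[mac] = {
            "ips": sorted(ips),
            "hostname": leases[mac][1] if mac in leases else "",
            "in_dhcp": mac in leases,
            "in_arp": mac in arp,
        }
    return inventory


def review_candidates(inventory):
    """MACs seen on the wire but never leased: check these before allow-listing them."""
    return sorted(m for m, v in inventory.items() if v["in_arp"] and not v["in_dhcp"])


def allow_list(inventory):
    """One line per known MAC, annotated so the switch config stays readable."""
    return ["%s  # %s %s" % (m, v["hostname"] or "-", ",".join(v["ips"]))
            for m, v in sorted(inventory.items())]


if __name__ == "__main__":
    inv = build_inventory(DHCP_LEASES, ARP_SNAPSHOTS)
    print("\n".join(allow_list(inv)))
    print("review before allowing:", review_candidates(inv))
```

The router's ARP table (`show ip arp` on Cisco kit, for example) is in a different layout from `arp -an`, so swap ARP_RE if you collect from there; the merge logic is the same. Which switch port each MAC belongs on comes from the switch's own MAC address table, not from this script.
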
Do a wireless survey every couple of weeks. It doesn't have to be done by a professional with mapping software (unless you've got money to burn); you could even use a smartphone and take a slow stroll around your premises. Personally I'd use the tools on a live Linux distribution such as BackTrack 3. If you're really keen on wireless security, look into Kismet: left running as a passive sensor it will alert you when an access point it hasn't seen before shows up, so you catch rogues between strolls rather than at the next survey. Note that Kismet only listens and alerts; it won't disrupt the rogue access point for you.

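What the survey is actually checking, as an added example rather than the author's tooling: compare one scan against a baseline of the access points you own and flag everything else, including the case a walk-round easily misses, a second access point advertising your own SSID. The baseline and the `iwlist wlan0 scan` output below are constructed samples; the same comparison works on the BSSID, SSID, channel and encryption fields Kismet logs.

```python
"""Compare one wireless scan against a baseline of the access points you own and
flag anything else, including a second AP advertising your own SSID. Added example
for this post, not the author's tooling. Parses the text output of
`iwlist wlan0 scan`; the baseline and scan below are constructed samples.
"""
import re

# Constructed baseline from a clean survey: BSSID -> (ESSID, channel).
KNOWN_APS = {
    "00:1a:2b:3c:4d:01": ("CorpWiFi", 6),
    "00:1a:2b:3c:4d:02": ("CorpWiFi", 11),
    "00:1a:2b:3c:4d:03": ("CorpWiFi", 1),   # known AP that does not appear in this scan
}

# Constructed `iwlist wlan0 scan` output.
SCAN_OUTPUT = """
wlan0     Scan completed :
          Cell 01 - Address: 00:1A:2B:3C:4D:01
                    ESSID:"CorpWiFi"
                    Channel:6
                    Encryption key:on
          Cell 02 - Address: 00:1A:2B:3C:4D:02
                    ESSID:"CorpWiFi"
                    Channel:11
                    Encryption key:on
          Cell 03 - Address: 0C:0C:0C:0C:0C:0C
                    ESSID:"CorpWiFi"
                    Channel:1
                    Encryption key:off
          Cell 04 - Address: AA:BB:CC:DD:EE:FF
                    ESSID:"linksys"
                    Channel:6
                    Encryption key:off
"""


def parse_iwlist(text):
    """Return a list of dicts (bssid, essid, channel, encrypted) from iwlist scan text."""
    cells = []
    for block in re.split(r"\n\s*Cell \d+ - ", text)[1:]:
        bssid = re.search(r"Address:\s*([0-9A-Fa-f:]{17})", block)
        essid = re.search(r'ESSID:"([^"]*)"', block)
        chan = re.search(r"Channel:(\d+)", block)
        enc = re.search(r"Encryption key:(on|off)", block)
        if not (bssid and essid and chan and enc):
            continue  # truncated cell; skip rather than guess
        cells.append({
            "bssid": bssid.group(1).lower(),
            "essid": essid.group(1),
            "channel": int(chan.group(1)),
            "encrypted": enc.group(1) == "on",
        })
    return cells


def survey(cells, known):
    """Classify each AP seen against the baseline; also report baseline APs that vanished."""
    our_ssids = {essid for essid, _ in known.values()}
    findings = []
    seen = set()
    for c in cells:
        seen.add(c["bssid"])
        if c["bssid"] in known:
            essid, chan = known[c["bssid"]]
            if (c["essid"], c["channel"]) != (essid, chan):
                findings.append(("changed", c["bssid"]))   # reconfigured, or BSSID cloned
            continue
        if c["essid"] in our_ssids:
            findings.append(("evil-twin", c["bssid"]))     # our SSID from kit we don't own
        elif not c["encrypted"]:
            findings.append(("open-unknown", c["bssid"]))  # classic rogue, or a neighbour
        else:
            findings.append(("unknown", c["bssid"]))
    for bssid in sorted(set(known) - seen):
        findings.append(("missing", bssid))                # AP down, moved, or out of range
    return findings


if __name__ == "__main__":
    for verdict, bssid in survey(parse_iwlist(SCAN_OUTPUT), KNOWN_APS):
        print(verdict, bssid)
```

An "unknown" encrypted AP is usually a neighbour and a "missing" one usually means you walked out of range, so the list still needs a human; "evil-twin" and "open-unknown" are the two to go and physically find.
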
It sounds simple, but only make live the network points you actually need. An active network point in an unused room is perfect for an intruder to get unsupervised access to your network; shut down the switch ports behind unused points and patch them in only on request.

Segment your network, either physically or virtually using VLANs. A firewall between your core servers and clients might seem a little over the top, but consider the services your clients actually use: the list is short and very unlikely to change. At the very least, log and monitor traffic on non-standard or interesting ports, e.g. who is connecting via RDP to your domain controllers, or who is accessing file shares on your SQL server?

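The monitoring described above, as an added example and not the author's own configuration: it reads netfilter LOG-target lines from a firewall sitting between the client and server segments, counts which (server, port) pairs clients really use so the baseline can be built from a week of logs, and then flags new connections outside that baseline, such as RDP to a domain controller or SMB to the SQL server from anything other than an admin host. The log lines are constructed; the server list, per-role port sets and admin hosts are assumptions to replace with your own.

```python
"""Audit firewall logs from the server/client boundary for connections on ports the
clients have no business using, e.g. RDP to a domain controller or SMB to the SQL
server. Added example for this post, not the author's configuration. Log lines are
in netfilter's LOG-target format and are constructed samples; the server list, the
per-role port sets and the admin hosts are assumptions to replace with your own.
"""
import re
from collections import Counter

# Assumed server roles behind the internal firewall.
SERVERS = {"10.0.0.5": "domain-controller", "10.0.0.10": "sql-server"}

# Ports ordinary clients are expected to reach per role (assumed baseline; build yours
# from a week of logs with port_usage() below before enforcing it).
CLIENT_PORTS = {
    "domain-controller": {53, 88, 135, 389, 445, 464, 636, 3268, 3269},
    "sql-server": {1433},
}

# Hosts (jump box / admin workstation) allowed management access to any server.
ADMIN_HOSTS = {"10.0.2.10"}

# Constructed netfilter LOG lines (prefix "CORE:" from `-j LOG --log-prefix "CORE: "`).
LOG_LINES = """
Jan  6 10:15:22 fw kernel: CORE: IN=eth1 OUT=eth0 SRC=10.0.1.37 DST=10.0.0.5 LEN=52 TTL=127 ID=1 DF PROTO=TCP SPT=49321 DPT=389 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  6 10:15:30 fw kernel: CORE: IN=eth1 OUT=eth0 SRC=10.0.1.37 DST=10.0.0.5 LEN=52 TTL=127 ID=2 DF PROTO=TCP SPT=49322 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  6 10:15:31 fw kernel: CORE: IN=eth1 OUT=eth0 SRC=10.0.1.37 DST=10.0.0.5 LEN=40 TTL=127 ID=3 DF PROTO=TCP SPT=49322 DPT=3389 WINDOW=8192 RES=0x00 ACK URGP=0
Jan  6 10:16:02 fw kernel: CORE: IN=eth1 OUT=eth0 SRC=10.0.2.10 DST=10.0.0.5 LEN=52 TTL=127 ID=4 DF PROTO=TCP SPT=50001 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  6 10:17:45 fw kernel: CORE: IN=eth1 OUT=eth0 SRC=10.0.1.52 DST=10.0.0.10 LEN=52 TTL=127 ID=5 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  6 10:17:50 fw kernel: CORE: IN=eth1 OUT=eth0 SRC=10.0.1.52 DST=10.0.0.10 LEN=52 TTL=127 ID=6 DF PROTO=TCP SPT=51001 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  6 10:18:00 fw kernel: CORE: IN=eth1 OUT=eth0 SRC=10.0.1.52 DST=10.0.0.5 LEN=72 TTL=127 ID=7 PROTO=UDP SPT=52000 DPT=53 LEN=52
""".strip().splitlines()

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_line(line):
    """Pull SRC/DST/PROTO/DPT and TCP flags from one LOG line; None if not usable."""
    if "CORE:" not in line:
        return None
    f = dict(FIELD_RE.findall(line))
    if "DPT" not in f:
        return None  # ICMP and friends carry no port
    return {"src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"],
            "dpt": int(f["DPT"]), "flags": set(FLAG_RE.findall(line))}


def is_new_connection(f):
    """Only count the opening packet: TCP SYN without ACK, or any UDP datagram."""
    if f["proto"] == "TCP":
        return "SYN" in f["flags"] and "ACK" not in f["flags"]
    return f["proto"] == "UDP"


def port_usage(lines):
    """Counter of (server, port) actually used by clients: the raw data for CLIENT_PORTS."""
    usage = Counter()
    for line in lines:
        f = parse_line(line)
        if f and is_new_connection(f) and f["dst"] in SERVERS:
            usage[(f["dst"], f["dpt"])] += 1
    return usage


def audit(lines):
    """Return (src, dst, role, port) for new connections outside the per-role baseline."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        if not f or not is_new_connection(f):
            continue
        role = SERVERS.get(f["dst"])
        if role is None or f["src"] in ADMIN_HOSTS:
            continue
        if f["dpt"] not in CLIENT_PORTS[role]:
            alerts.append((f["src"], f["dst"], role, f["dpt"]))
    return alerts


if __name__ == "__main__":
    for a in audit(LOG_LINES):
        print("ALERT %s -> %s (%s) port %d" % a)
```

Run port_usage() over a representative week first: anything that shows up and isn't in CLIENT_PORTS is either a service you forgot about or exactly the traffic you wanted to know about, and either way it decides whether the rule becomes a LOG or a DROP.
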
