.

Getting ready to defend a Network

<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Thu Jul 12, 2007 9:58 am

Getting ready to defend a Network

Have you ever started a job and been told to fix a network?
How about make it secure and not break anything?

A couple of my friends had just started new jobs and we'd been talking about the huge task in front of them. It's pretty scary and can be overwhelming. These were some of the suggestions to get started and cover your own butt at the same time. Though they might be worth sharing.

Let’s say you start your new job as the head (or only) network/security guru, you’ve got good network and OS skills and you’re keen to make your mark running by cleaning up this Wild West network and kick off using those newly acquired security skills.

Where do you start?
Patching, inventory, mapping the devices on the network, risk analysis, vulnerability assessments, checking the firewall, VPN, wireless access points, installing anti virus, log correlation, validating the backups works (or even exist!), DRP/BCP, upgrading the hardware, software, firmware or removing Quake off the accounts pc?

The sentence above is enough work to keep you busy for at least six months and that’s without dealing with customer requests for help with printing, using word or finding their lost files. 

Let’s say that you have you’re boss’s support, a basic IT/security policy and they have a budget to do work, as long as you can justify why you need to spend it.
When you’re securing a network it’s all about having the basics done right and verified first before tackling the more exciting stuff.

Start by making notes and documenting everything you do. Get a bound A4 book and use it as a journal. IT folks often get blasted for bad documentation skills. Writing down your actions and processes stops you from trying to do too many things at once. It also makes you think what you’re doing and how you’re try to achieve it. Thinking and planning stops those nasty moments where you ask yourself “Did I mean to make that change?”

A nice, simple but great place to start technically is the backups. Old, boring and very unexciting but working backups and being able to validate they can be restored are key to making sure that if a disaster happen tomorrow, you come out looking like a hero.
Knowing what, how and why you have to backup systems and configurations can give you a solid understanding of the company you’re protecting, what their needs are and what’s important to them.

While you working out the backups, start making a full network inventory.
That’s make, model serial number of the hardware, type & version of firmware and software, then licensing, configuration & owner of the system’s and software.

Finding out the owner of a system or software is very important so you can ask questions or get help from with working it out how it works or should work and what it does.

Get this out of the way and you’re safe to move on to the more fun and challenging parts.

You’ve got the management backing, backups are good and a solid network layout, so it’s on to the firewall.
The firewall should be the main portal to the network and control all traffic in (ingress) and out (egress) bound.
Review the rules, ask why they're there and what they actually do. I’ve seen some crazy rules put in place that no-one knows why, but are terrified to remove them in case it breaks something. Take a backup of the configuration and slowly comment out the odd or old rules one at a time, checking the nothing important stops working!

Firewalls should be a default block everything policy and only allow traffic has been understood, documented, agreed and signed off.
The outbound rules are just as important as the inbound one and are more useful to see if trouble is on your internal network.
How can that be?
As you build and document the firewall rules, set up a rule for any failed packets and ip addresses of systems trying to go outbound should be logged. The firewall outbound logs (also know as drop logs) should be always empty, as you’ve spent time make sure all the firewall rules are in place for all the system you want to go outbound are specifically allowed.
If they start filling up, this immediately tells you that some is wrong on the network. It might be a mis-configured pc, someone has plugged in a laptop from home or a new virus is trying to scan other computers out side your network. This gives you the starting point to investigate this problem. Again, write up each of these events in the logs as they help make your case in the future .


With these basic steps you’ve now got a clear, documented picture of the network, its systems and its general health.
If fact you’ve done your first documented audit and risk assessment!

Having hard, clear documented notes on the problems and suggestions on how they can be addressed, management tend to listen. You can use the documented created to show management weakness, like old software/hardware or out of date unsafe systems.
From here you can then target the most important steps to secure the rest of the network.

Remember - If you don't understand what's makes up and happening on the network, how can you know what's right or wrong, what's normal or abnormal?

Spend the time to get the basics done well, then go off and save the world :-)
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Jul 12, 2007 1:42 pm

Re: Getting ready to defend a Network

Very nice write-up. Much appreciated and very useful :)
<<

Kev

Post Sun Jul 15, 2007 8:54 am

Re: Getting ready to defend a Network

Nice contribution and keep up the good effort.
<<

BiotiC

Newbie
Newbie

Posts: 15

Joined: Thu Mar 22, 2007 7:04 am

Post Wed Jul 18, 2007 4:55 am

Re: Getting ready to defend a Network

Having seen this situation from both sides of the fence (tech and management) I would also take into account the actual issues being experienced in the business.

Like any techie I love to get to grips with the nuts and bolts that hold the systems together and get them all working securely and at peak efficiency but there are times when you can get carried away on the core systems and lose sight of why the company has the systems it does - usually to make the employees more efficient.

Its fine to have the most secure network with the best backup and recovery strategy but if the users have issues with the systems or their PC's then you haven't significantly added any value back into the business.

You can really make an impact and create allies very quickly by helping cure quite insignificant (on a tech front) problems that people are experiencing.

When starting a new job/contract or when I visit a branch office for the 1st time I make a point of finding out what issues they have currently got with IT. Fixing these problems, many of which are usually minor and take no time, soon win you credibility and allies which is always a plus. If I can't fix their problem there and then, I make it my job to get it fixed by one method or another - at least be seen to be trying to be helpful.

In my experience too many techies lose sight of the bigger picture and tuck themselves away in server room and only ever come out when major problems occur - my advice would be to get pro-active with the users - the jobs tend to go smoother, quicker and with less stress if the users are on your side.
<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Thu Jul 19, 2007 8:07 am

Re: Getting ready to defend a Network

BiotiC,

You are a 100% right about forming a strong relationship with the people you’re supporting. Treating them as customers rather than users is an excellent way of getting into a business focused mind set. Getting out and being seen is a must to get all the help you can from the people you work with and support.

Don’t take the following as a shot, just my justification on doing the core work first as priority for job security and a critical business requirement.

I'd suggested you're talking about the infamous "quick fix" which is can do wonders for the perception a new IT staffer and to you get the love. 
The problem with quick fixes is that they are surface issues. Some times when you scratch the wrong surface without fixing the basics first, you’ll be doomed making your life a misery.

For example, you get to a new role, it’s a company of 70 staff, you’re the only IT support and get straight into fixing the 10 top ten reported staff problems.
Those standard problems can be “my computer is too slow”, “I can’t get to certain web sites”, “I have printing issues”, “I have difficulty saving my data” and so on.
Immediately, you focus on the fixing the local problems, leaving the back office “stuff” to later.
You notice that on a number of machines are running incredibly slowly and are riddled with spyware. It takes you the best part of a week to get them fixed, then a few days to get AV installed, then run updates on all machines to fix the Ms office problems, update printer drivers, sort out the folder/group permissions and so on. A month goes  by and you’ve got that 10 top ten out of the way.
Then you get the call, Mavis from accounts has deleted some file on the server and needs it back. Now. It happens to be the accounts system file and she’d just overwritten the database rather compress it then, in her panic, deleted a couple of the account package vender’s application files. End of month payments need to be made tonight.
You walk over to the server, pop in last night’s backup tape and hit restore. The last night tape’s a dud, and the other tapes weren’t backing up the right folders, as some genius installed the database on the C drive, not the data drive. You have only a copy of the database from six months ago, you haven’t got then details for the vendor and your boss walks over and asks what’s happening.
All the love you’ve built up run out of the nearest windows and takes a swan dive to hit the very hard concrete.

That’s a very real, hard lesson and sadly, a true one. The business lost a considerable amount of money and a good IT guy left the company, very shortly afterwards.

Keeping people are happy is important, but making sure the business can survive human error to its IT systems it is vital to the IT professional.

Getting the basics sorted out first and make sure this doesn’t happen, means you can follow up and get all the quick fixes done, keeping everyone happy.

I believe that IT folk these days are much more people focused, due to the fact they have to be. IT is too much part of every day working life.
The back office, no-people skills, IT geek no-one sees is slowly becoming a just a tv sitcom character.

Again, this is my opinion from experience of having to clean up problem networks.

Covering the basics, being able to keep records, understand what the business drives are and explain what I’m doing and why has been helpful for keeping my job and staying employed in one ;-)
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Fri Jul 20, 2007 11:34 am

Re: Getting ready to defend a Network

Awesome write up!

I would just add a few things from my experience that overlap a little ...

The first thing you always do is map and inventory what you have. You can not protect what you don't know you have. Once you do this, you have to determine which of these assets are critical to the business. This gives you a good chance to network and find out who the key players are in the company. This will also help you figure out what the priorities are for the business. If this is already done for you, then your way ahead of most people.

Also, I can't recommend enough, the use of a wiki for your notes, documentation, procedures, etc. Its been a real lifesaver for me.

Return to Opinions

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software