Thoughts on how I could improve my network security?

beta

@scottalanmiller said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@beta said in Thoughts on how I could improve my network security?:

I think my biggest concern is visibility and IDS/IPS.

Do you really need this? Not that it can't be a good thing, but what are you really trying to protect?

That's always the real question. I get that there is money to spend, use it or lose it, but still evaluating the real risk and concern is important. What's the itch that is attempting to be scratched?

So a little more info on our operation here. One of the things I'm concerned about is HIPAA adherence. We have a small department that has a contract with the state to collect some sensitive information from people. It's not even medical information, but they want us to follow HIPAA practices. I thought an IDS/IPS would be especially helpful here to safeguard this information and would help satisfy the state if they ask us what steps we take to secure the information. Of course we do the usual steps to safeguard the information such as it being restricted to only those users who need it via Active Directory permissions. Our users who collect the info are out in the field and their laptops are also using full disk encryption. We have multiple copies of backups onsite and offsite, etc., etc.

It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.

Dashrender

@beta said in Thoughts on how I could improve my network security?:

It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.

An ER-L can give you basics in this area. I don't think IDS/IPS gives you this.

beta

@dashrender said in Thoughts on how I could improve my network security?:

@beta said in Thoughts on how I could improve my network security?:

It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.

An ER-L can give you basics in this area. I don't think IDS/IPS gives you this.

Sorry, I didn't mean to imply that's what the IDS/IPS would be for, I was referring to a UTM like appliance like the Palo Alto.

IRJ

AlienVault's UTM works decently if you are on a budget, but requires ALOT of configuration. I spent months working on AlienVault's UTM with my last employer to get it to be reliable.

scottalanmiller

@beta said in Thoughts on how I could improve my network security?:

@dashrender said in Thoughts on how I could improve my network security?:

@beta said in Thoughts on how I could improve my network security?:

It would also be helpful to have more visibility into our traffic so I can see exactly who's using bandwidth if the internet is slow, if management asks me how many people are wasting time on non-work related websites, etc., etc.

An ER-L can give you basics in this area. I don't think IDS/IPS gives you this.

Sorry, I didn't mean to imply that's what the IDS/IPS would be for, I was referring to a UTM like appliance like the Palo Alto.

But you don't need UTM for that. A normal router does that. It's not even a firewall function. At least for who is using bandwidth.

Now as for websites, you need a proxy for that. But no need for a UTM.

Kelly

I can understand where you're coming from @beta. I work for a government contractor, and one of our compliance points requires that we use an IDS/IDP on our edge. It isn't ideal, but it is a reality when you're working for people that operate on checklists rather than what is actually secure.

JaredBusch

@kelly said in Thoughts on how I could improve my network security?:

I can understand where you're coming from @beta. I work for a government contractor, and one of our compliance points requires that we use an IDS/IDP on our edge. It isn't ideal, but it is a reality when you're working for people that operate on checklists rather than what is actually secure.

This is definitely true.

scottalanmiller

@kelly said in Thoughts on how I could improve my network security?:

I can understand where you're coming from @beta. I work for a government contractor, and one of our compliance points requires that we use an IDS/IDP on our edge. It isn't ideal, but it is a reality when you're working for people that operate on checklists rather than what is actually secure.

On the edge is fine, that doesn't imply on a UTM.

beta

I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

IRJ

@beta said in Thoughts on how I could improve my network security?:

I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

https://pages.nist.gov/800-63-3/

Dashrender

@beta said in Thoughts on how I could improve my network security?:

I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

If it were up to my docs - it would be zero length, zero complexity, and zero change frequency. lol - OK I'm kidding I think they would seriously want 8 or less with no other requirements.

Personally I think we should be at 12+ characters with no other restrictions.

Kelly

@irj said in Thoughts on how I could improve my network security?:

@beta said in Thoughts on how I could improve my network security?:

I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

https://pages.nist.gov/800-63-3/

What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.

IRJ

@kelly said in Thoughts on how I could improve my network security?:

@irj said in Thoughts on how I could improve my network security?:

@beta said in Thoughts on how I could improve my network security?:

I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

https://pages.nist.gov/800-63-3/

What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.

What Framework do you follow?

Kelly

@irj said in Thoughts on how I could improve my network security?:

@kelly said in Thoughts on how I could improve my network security?:

@irj said in Thoughts on how I could improve my network security?:

@beta said in Thoughts on how I could improve my network security?:

I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

https://pages.nist.gov/800-63-3/

What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.

What Framework do you follow?

For passwords we have to follow various sets of guidance that are built on the password concepts of last decade, i.e. complexity is the greatest guarantor of security.

JaredBusch

I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

beta

@jaredbusch said in Thoughts on how I could improve my network security?:

I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

What would you have set it to if you weren't limited by 2008?

scottalanmiller

@beta said in Thoughts on how I could improve my network security?:

@jaredbusch said in Thoughts on how I could improve my network security?:

I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

What would you have set it to if you weren't limited by 2008?

I like 20.

JaredBusch

@scottalanmiller said in Thoughts on how I could improve my network security?:

@beta said in Thoughts on how I could improve my network security?:

@jaredbusch said in Thoughts on how I could improve my network security?:

I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

What would you have set it to if you weren't limited by 2008?

I like 20.

I was going to set it to 16.

scottalanmiller

@kelly said in Thoughts on how I could improve my network security?:

@irj said in Thoughts on how I could improve my network security?:

@kelly said in Thoughts on how I could improve my network security?:

@irj said in Thoughts on how I could improve my network security?:

@beta said in Thoughts on how I could improve my network security?:

I didn't want to start a whole new thread, so thought I would ask here: what are your password policies looking like nowadays in regards to length, complexity, change frequency, etc.?

The best thing to do is to pick a standard to follow such as NIST. Then use those guidelines to create your policies throughout your network.

https://pages.nist.gov/800-63-3/

What is fun is that the government doesn't follow the NIST guidelines. Drives me nuts.

What Framework do you follow?

For passwords we have to follow various sets of guidance that are built on the password concepts of last decade, i.e. complexity is the greatest guarantor of security.

Those were known to be wrong in the last decade. That's not old knowledge, it's just universally insecure.

JaredBusch

@beta said in Thoughts on how I could improve my network security?:

@jaredbusch said in Thoughts on how I could improve my network security?:

I just changed the policy at one client to be a minimum of 14 characters with no complexity and a 1 year change cycle.

I chose 14 as a minimum because that is the largest GPO would let me set it on a Server 2008 R2 based domain.

What would you have set it to if you weren't limited by 2008?

2008 R2 not 2008. There is a difference.

Related note: I will migrate their domain level to 2012 R2 in late 2018 or 2019 when they move Exchange off premise and can get rid of the rest of their 2008 R2 instances and thus their oldest servers will be 2012 R2 at that time.