keep it simple, infosec…

Since I first saw this site, I have glanced at a few of its articles, particularly the security challenges. Reading the comments (i.e. the proposed solutions) on the first challenge pretty succinctly illustrates why infosec is so frustrating for business and IT people! The range of answers is phenomenal, from simple to complex to flat-out proposing elaborate setups wired to specific vendors and various other things.

I don’t think the answer to any “help me secure this” challenge should be to grab your favorite 600-page IT security book and thump it on the desk like you’re some pimp on Exotic Liability flopping your meat on the table. Keep it simple, and keep it on task with the information presented. Nothing in a network/data diagram really begs for a sermon about file permissions, OS patching, and extraneous complexity for what is obviously a small shop. If you want to get further down that road, you can’t do so intelligently without more information. You’re just going to lose your audience (or demonstrate your lack of experience by suggesting over-the-top recommendations, or flatly inappropriate ones…).

Anyway, based on that security challenge, these would be my simple recommendations:

– Replace the hub with a managed switch, assuming the hub is the basis of the underlying network connecting the users, the servers, and the router together. That’s the one real question the diagram makes me ask: “Is the hub separate, or is that what the blue ethernet network bar is supposed to be?” You can pick up a SOHO one for $100 if you want, or drop a grand or two for an enterprise-level one.

– Drop in a firewall/VPN hardware device behind the router (i.e. between the internal network and the router). Configure it to place the web server in a one-armed DMZ, and set up the firewall rules needed to allow only the access shown on the diagram. Configure the VPN so external people can log into it and reach the fileserver as needed. Get a decent enough one that you can budget for; the features and support will be worth it. As a bonus, make sure VPN users land in their own subnet, segment the fileserver off onto its own subnet as well, and write firewall rules as necessary for everyone’s access. In the absence of other technologies, at least losing one part to an incident won’t cause the rest to be suspect, or at least not by default. At worst, grab an old PC and figure out a tool like Untangle or IPCop…
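
To make the segmentation in that second bullet concrete, here is an added example (my own illustration, not code from the original post or from any firewall product) that models the rule set as a first-match, default-deny policy over the zones described: LAN, one-armed DMZ holding the web server, VPN client subnet, and a separate fileserver segment. Every subnet, host address and port in it is a constructed placeholder. The payoff is the `reachable_from` check at the end, which shows the blast radius if one segment is lost: a compromised web server in the DMZ gets nothing on the inside, which is exactly the “losing one part won’t cause the rest to be suspect” property.

```python
"""Blast-radius check for a segmented small-office firewall policy.

Added example, not from the original post. All zones, addresses and ports are
constructed placeholders; the semantics modelled (first matching rule wins,
no match means drop) are the usual ones for a stateful firewall appliance.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed zone plan: one subnet per segment recommended in the post.
ZONES = {
    "wan":        ip_network("0.0.0.0/0"),        # catch-all for anything not below
    "lan":        ip_network("192.168.10.0/24"),   # user workstations
    "dmz":        ip_network("192.168.20.0/24"),   # one-armed DMZ for the web server
    "vpn":        ip_network("192.168.30.0/24"),   # addresses handed to VPN clients
    "fileserver": ip_network("192.168.40.0/24"),   # fileserver on its own segment
}
WEB_SERVER = ip_address("192.168.20.10")    # placeholder host in the DMZ
FILE_SERVER = ip_address("192.168.40.10")   # placeholder host on the file segment


def zone_of(addr: IPv4Address) -> str:
    """Return the most specific zone containing addr ('wan' is the /0 fallback)."""
    best = "wan"
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[IPv4Address]   # None means any host in dst_zone
    ports: FrozenSet[int]             # empty set means any port
    action: str                       # "allow" or "deny"


# Explicit allows only for the flows the diagram needs; everything else drops.
POLICY: List[Rule] = [
    Rule("wan", "dmz", WEB_SERVER, frozenset({80, 443}), "allow"),   # public web
    Rule("lan", "dmz", WEB_SERVER, frozenset({80, 443}), "allow"),   # staff use the site
    Rule("lan", "fileserver", FILE_SERVER, frozenset({445}), "allow"),  # SMB from office
    Rule("vpn", "fileserver", FILE_SERVER, frozenset({445}), "allow"),  # SMB for remote staff
    Rule("lan", "wan", None, frozenset(), "allow"),                   # office browses out
    # Note what is absent: nothing from "dmz" to any inside zone, and nothing
    # from "vpn" to "lan". Those flows fall through to the default deny.
]


def evaluate(src, dst, port: int) -> str:
    """Decide one flow: the first matching rule wins, no match means 'deny'."""
    src, dst = ip_address(src), ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.dst_host is not None and dst != r.dst_host:
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action
    return "deny"


def reachable_from(src, targets, ports) -> List[str]:
    """List 'host:port' pairs a host could reach: its blast radius if compromised."""
    return sorted(
        f"{ip_address(t)}:{p}"
        for t in targets
        for p in ports
        if evaluate(src, t, p) == "allow"
    )


if __name__ == "__main__":
    inside = [str(FILE_SERVER), "192.168.10.5"]
    print("From the DMZ web server:", reachable_from(str(WEB_SERVER), inside, [22, 445]))
    print("From a VPN client:      ", reachable_from("192.168.30.7", inside, [22, 445]))
    print("From the internet:      ", reachable_from("203.0.113.5", [str(WEB_SERVER), str(FILE_SERVER)], [80, 443, 445]))
```

Running it prints an empty list for the DMZ host, only the fileserver’s SMB port for a VPN client, and only the web server’s 80/443 from the internet. When you actually deploy on the appliance, the same exercise (enumerate each zone, ask what it can reach, expect the answer to be short) is a quick review of whether the rule set matches the diagram.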

This leaves open questions, but they’re questions that require further dialogue with the client.