Hanarasheed’s Weblog

October 28, 2009

10 common network security design flaws

Filed under: Tech Stuff — by hanarasheed @ 7:01 pm

Network security is arguably one of the most critical functions of IT – yet I frequently see organizations that have overlooked easily implemented security design practices. Here are a few common mistakes that could compromise your network defenses and put company assets at risk.

1: Set it and forget it

The first flaw I want to talk about is more a planning flaw than a design flaw. It involves what I like to think of as the “set it and forget it” mentality. This is what happens when organizations work hard to secure their networks and then never stop to reevaluate their security plans. The threats to security are constantly evolving, and your security architecture must evolve too. The best way to accomplish this is to reevaluate your security needs on a regular basis.

2: Opening more firewall ports than necessary

We all know that opening an excessive number of firewall ports is bad, but sometimes opening ports is unavoidable. For instance, take Microsoft Office Communications Server 2007 R2. If you are planning on providing external access, about a dozen ports must be opened. In addition, OCS 2007 R2 assigns a wide range of ports dynamically. So what’s a security administrator to do?

One of the best solutions is to make use of a reverse proxy (such as Microsoft’s ForeFront Threat Management Gateway). A reverse proxy sits between the Internet and the server that requires the various ports to be opened. While there is no getting around the need for open ports, a reverse proxy can intercept and filter requests and then pass them on to the server they’re intended for. This helps hide the server from the outside world and helps ensure that malicious requests do not reach the server.

3: Pulling double duty

With the economy in shambles, there is increasing pressure to make the most of existing server resources. So it might be tempting to host multiple applications or multiple application roles on a single server. While this practice is not necessarily bad, there’s a law of computing that states that as the size of the code base increases, so does the chance that an exploitable vulnerability exists.

It isn’t always practical to dedicate a server to each of your applications, but you should at least be careful about which applications or application roles are hosted on a single server. For example, at a minimum, an Exchange 2007 organization requires three server roles (hub transport, client access, and mailbox server). While you can host all three roles on a single server, you should avoid doing so if you are going to be providing Outlook Web Access to external users. The Client Access Server role makes use of IIS to host Outlook Web Access. Therefore, if you place the client access server role on the same server as your hub transport and mailbox server roles, you are essentially exposing your mailbox database to the Internet.

4: Ignoring network workstations

About a year ago, someone asked me during a radio interview what I thought was the single biggest threat to network security. My answer was, and still is, that workstations make up the single largest threat. I constantly see organizations that go to great lengths to secure their network servers but practically neglect their workstations. Unless workstations are locked down properly, users (or malicious Web sites) can install unauthorized software with untold consequences.

5: Failing to use SSL encryption where it counts

We all know that a Web site needs to use SSL encryption any time a user is going to be entering sensitive information, such as a username and password or a credit card number. However, many organizations make some bad decisions when it comes to securing their Web portals. The security flaw I see most often is including insecure content on a secure page. When this happens, users receive a prompt asking if they want to display both secure and insecure content. This gets users in the habit of giving Internet Explorer permission to display insecure content.
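One way to catch insecure content on a secure page before users see the prompt, as an added example that is not part of the original article: a small Python scanner that resolves every subresource URL against the page address and reports those fetched over plain HTTP. The function names, the risk labels and the example.com hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute that triggers a fetch or submit, risk class). Active
# content can rewrite the page; passive content can be swapped or observed.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "link": ("href", "active"), "form": ("action", "form"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (risk, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href> is navigation, not a subresource
        attr, risk = SUBRESOURCES[tag]
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheet links are treated as active here
        value = (a.get(attr) or "").strip()
        absolute = urljoin(self.page_url, value)  # handles relative and //host URLs
        if value and urlsplit(absolute).scheme == "http":
            self.findings.append((risk, tag, absolute))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """<link rel="stylesheet" href="/site.css">
<script src="http://stats.example.com/track.js"></script>
<img src="//img.example.com/logo.png">
<img src="http://img.example.com/banner.png">
<form action="http://portal.example.com/login" method="post"></form>
<a href="http://example.com/about">About</a>"""

if __name__ == "__main__":
    print(*find_mixed_content("https://portal.example.com/", SAMPLE), sep="\n")
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme, so only the three explicit http:// references in the sample are reported.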

A less obvious but even more common problem is that organizations often fail to encrypt critical pages within their Web sites. In my opinion, any page that provides security information, security advice, or contact information should be SSL encrypted. It isn’t that these pages are especially sensitive. It’s just that the certificate used by the encryption process guarantees to users that they are accessing a legitimate Web page rather than a page someone has set up as a part of a phishing scam.

6: Using self-signed certificates

Since some organizations completely neglect the importance of SSL encryption, Microsoft has begun to include self-signed certificates with some of its products. That way, Web interfaces can be used with SSL encryption even if the organization hasn’t acquired its own certificate yet.

While self-signed certificates are better than nothing, they are not a substitute for a valid SSL certificate from a trusted certificate authority. Self-signed certificates are primarily intended to help boost a product’s security until an administrator can properly secure it. Yes, a self-signed certificate can provide SSL encryption, but users will receive warning messages in their browsers because their computers do not trust the certificate (nor should they). Furthermore, some SSL-based Web services (such as ActiveSync) are not compatible with self-signed certificates because of the trust issue.

7: Excessive security logging

Although it’s important to log events that occur on your network, it’s also important not to go hog wild and perform excessive logging. Too much logging can make it difficult or impossible to locate the security events you’re really interested in. Rather than trying to log everything, focus on logging the events that are really meaningful.

8: Randomly grouping virtual servers

Virtual servers are commonly grouped on host servers by their performance. For example, a high demand virtual server might be paired on a host with a few low demand virtual servers. From a performance standpoint, this is a good idea, but this approach may not be the best idea from a security standpoint.

I recommend using dedicated virtualization hosts for any Internet-facing virtual servers. In other words, if you have three virtual servers that provide services to Internet users, you might consider grouping those servers on a virtualization host, but don’t put infrastructure servers (such as domain controllers) on the host.

My reasoning behind this is to provide protection against an escape attack. An escape attack is one in which a hacker can escape from a virtual machine and take control of the host. To the best of my knowledge, nobody has figured out a way to perform a real-world escape attack yet, but I’m sure that day is coming. When it does, your odds of prevailing against the attack are going to be a lot higher if virtual machines that are exposed to the Internet share a virtualization host only with similarly hardened Web-facing servers.

9: Placing member servers in the DMZ

If you can avoid it, try not to place any member servers in your DMZ. If compromised, a member server can reveal information about your Active Directory.

10: Depending on users to install updates

One last common security flaw is depending on users to deploy security patches. I have seen several network deployments recently that use WSUS to patch network workstations. Unfortunately, many of these deployments rely on the users to click the option to install the latest updates. The problem with this is that the users know that the update process is going to require them to reboot their computers. Some users may end up putting off the updates indefinitely. Rather than relying on the end users, use a patch management solution that pushes security patches automatically without giving users a choice in the matter.

Ubuntu

Filed under: Tech Stuff — by hanarasheed @ 6:50 pm

10 reasons Ubuntu 9.10 will be a game changer for business

The latest release of Ubuntu is just around the corner – and Jack Wallen believes it’s going to make a big splash in the enterprise space.


October 29, 2009. Mark your calendars, people, because that is the day the Linux landscape will shift, and the bar will be raised. Why do I say this? Ubuntu Karmic Koala is released that day and, even without reading between any lines, you can easily see where Canonical is taking its flagship operating system: Business and enterprise.

When 9.04 shipped, it became clear that Ubuntu had done what all other Linux operating systems have failed to do — truly become an operating system anyone can use. Yes, there are plenty of good, solid, easy-to-use Linux distributions, but none of them has reached such a level of both simplicity and appeal.

Now, with the release of 9.10, Ubuntu will one-up itself by taking its already user-friendly Linux distribution and making a concerted effort to gain ground with the business/enterprise crowd. And from what I have seen, it just might work. Here are 10 reasons why Ubuntu 9.10 should make businesses happy.

1: Software Center

This is the big one. Ubuntu is migrating away from the old Add/Remove Software tool in favor of the Software Center. This tool will be just as user-friendly as the old tool, but it will have one feature the old tool didn’t have — commercial software. That’s correct. Ubuntu is finally going to include commercial software in its software installation tool. So now users will be able to install not only the usual open source tools, but they’ll also be able to find plenty of commercial software that can be installed with a few simple clicks (and a purchase here and there). This will be good news for the business users who need more than the open source community has to offer.

2: Ubuntu One

If you’ve ever used Dropbox, you know how helpful having a file/folder synchronization tool can be. Ubuntu One is just as easy to use as Dropbox, it does instant, automatic synchronization, and it offers two plans (one free with two gigs of space and one paid with 50 gigs of space). You can also add as many machines as you like to your Ubuntu One account.

3: Ubuntu Enterprise Cloud Images

With 9.10, businesses will be able to download and use images on the Ubuntu Enterprise Cloud. You can also try out the latest 9.10 server image instantly (on EC2 with a preconfigured AMI) or even download an image and put it directly into your Ubuntu Enterprise Cloud.

4: Quickly

A new framework called Quickly will enable developers to accelerate their development process. Quickly provides a command-line framework for generating code projects, storing changes in version control, building packages, and releasing software. To do this, Quickly uses templates that allow specialized behaviors to be defined for different types of projects. The Quickly templates define such behaviors as edit, save, dialog, glade, and package. You can think of Quickly as a Rails-like tool for Ubuntu application development.

5: Better Intel graphics support

The new kernel that will ship with 9.10 will have kernel mode setting enabled for Intel graphics. Add to that the driver switch from the troubled EXA to the newer UXA acceleration method, and anyone with Intel graphics (and that’s a lot of users) will see better performance and quicker resumes from suspend.

6: Faster, stronger AppArmor

Ubuntu 9.10 will ship with more profiles for AppArmor and an improved parser that uses cache files, which will speed up initialization upon boot. Although AppArmor is not a tool for the new Linux user, it lets you set up machines that are even more secure than before. You can even use Firefox with an AppArmor profile. Also included with 9.10 will be the ability to transition a process to an AppArmor profile or run without a profile.

7: Blocking module loading

This feature will allow module loading to be blocked once the machine has booted. The primary focus of this feature is to prevent kernel rootkits from being installed. This is handled by the one-way sysctl flag /proc/sys/kernel/modules_disabled.

8: Boot time

The elusive 10-second boot time is drawing ever nearer. With the help of many improvements, Ubuntu 9.10 shortens the already short boot time offered by 9.04. It hasn’t reached 10 seconds yet, but it’s close. This will make many business users happy because boot time is not productive.

9: HAL deprecation

Some subsystems are being moved away from HAL. Most important (to business users at least) will be suspend/hibernate. Many know that suspend/hibernate has been a big issue for Linux. By moving these systems from HAL to DeviceKit-Power, DeviceKit-Devices, and udev, these systems will be much more reliable. This should mean that suspend and hibernate will work exactly as expected.

10: Telepathy

Telepathy is new to Linux and will serve as a pluggable framework for real-time communication via chat, voice/video over IP, and logging. Even more exciting, the framework will be available to many programs. Telepathy will be able to share connections between multiple clients (such as messaging, email, and collaboration tools). As of now, the stable components of Telepathy are Gabble (Jabber/XMPP connection manager), Salut (link-local XMPP connection manager), Idle (IRC connection manager), and Telepathy-SofiaSIP (SIP connection manager). Many other tools are under development. The primary benefit of Telepathy is that it will provide a standard interface that will simplify third-party development for applications that need to communicate with voice/IM functions.

A bright future

If you’re like me, you’re excited with the possibilities that Ubuntu 9.10 offers on all levels — personal and enterprise. The Ubuntu experience just keeps getting better and the 9.10 release goes a long way to prove that.
