Monitoring Servers

Posted by on July 7, 2006, 12:36 pm
Hey guys,
I've been a lurker here for a while, but I need some specific answers on this one.
I have a network with about 14 Windows 2003 servers, Exchange 2003, and also host two websites in house. We have a PIX firewall and an IDS system on the outside of the PIX. But I really need a good solution for securing and monitoring our servers and network. Right now I really have no way of telling if someone has gotten into our network. Can someone give me some ideas?
Thanks for all the help
L Smith


Posted by Phillip Windell on July 7, 2006, 4:21 pm
> and monitoring our servers and network. Right now I really have no way of telling if someone has gotten into our network. Can someone give me some ideas?

In my opinion, there is no "real" way. A successful intruder will look just
like any other user because they will be using one of your user's
credentials.

Ask yourself if you can actually track reliably what your "good" users are
doing, when you already know when and where they are on the network. The
answer will be "no you can't",...you can't enable auditing and logging on
everything they might "touch" and not be so totally overwhelmed with the
mass of data that you couldn't do anything with it. Then if you can't do
that, then how would you deal with an intruder that was impersonating
someone else?

The best you can do is monitor failed authentication attempts,...but that
pretty much only covers the File System. Other resources will have to be
dealt with through the Application that makes the resources available,...and
some of those Applications simply won't have the ability to do that.

The "era" of Star Trek with intelligent computers that tell you where an
intruder is simply has not "arrived" and such technology does not exist.



--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
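The one thing the reply above says is worth monitoring is failed authentication attempts. As an added example (not code from the thread), here is a small detector run over a constructed export of Windows Server 2003 Security log entries, where 529 is the failed-logon event and 528 the successful one; the log layout, the account names and the threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simple exported-log layout (not real data):
# timestamp, event id, account, source workstation/address. 529 is the
# Windows Server 2003 Security log ID for a failed logon; 528 is a success.
SAMPLE_LOG = """\
2006-07-07 09:00:01 529 jdoe 10.1.2.55
2006-07-07 09:00:03 529 jdoe 10.1.2.55
2006-07-07 09:00:05 529 jdoe 10.1.2.55
2006-07-07 09:00:07 529 jdoe 10.1.2.55
2006-07-07 09:00:09 529 jdoe 10.1.2.55
2006-07-07 09:00:11 528 jdoe 10.1.2.55
2006-07-07 09:30:00 529 asmith 10.1.3.20
2006-07-07 13:30:00 529 asmith 10.1.3.20
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (time, event_id, account, source); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3), m.group(4)

def find_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Flag (account, source) pairs with >= threshold failed logons inside any
    sliding window, and note whether the same pair also logged a success:
    a guessing run that eventually worked is the alert to read first."""
    failures = defaultdict(list)
    successes = set()
    for ts, eid, acct, src in parse_log(text):
        if eid == 529:
            failures[(acct, src)].append(ts)
        elif eid == 528:
            successes.add((acct, src))
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = {"failures": end - start + 1,
                               "then_success": key in successes}
    return alerts
```

Two isolated failures hours apart (asmith) stay below the threshold, which is the kind of tuning that keeps the alert volume readable.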



Posted by Karl Levinson on July 10, 2006, 3:48 pm
I really think you need to hire someone experienced in doing this, either
full time or as a contract service. Do the easy stuff yourself: some method
of patching and antivirus, etc.

There is guidance at www.microsoft.com/technet/security about how to harden
the products you described, but firewall and IDS are somewhat more difficult.
I hate outsourcing IDS, because the results are usually not good. Someone
who cares has to monitor the IDS, because IDS is a waste of money if no one
looks at it.

I might recommend a file change checker as a method of detecting compromise.
www.gfi.com has a good one for free [with no support] called LanGuard SIM,
you have to search to find the download link. You have to run it a few days
and tune out files and folders that change frequently. Note that when
something changes, you may only get one notification, so you want to read
every alert it sends you. This works best on servers that are relatively
static and unchanging, but can also be helpful on workstations as well.

--

-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info


"lsmith234@gmail.com" wrote:

> Hey guys,
> I've been a lurker here for a while, but I need some specific answers on this one.
> I have a network with about 14 Windows 2003 servers, Exchange 2003, and also host two websites in house. We have a PIX firewall and an IDS system on the outside of the PIX. But I really need a good solution for securing and monitoring our servers and network. Right now I really have no way of telling if someone has gotten into our network. Can someone give me some ideas?


Posted by Roger Abell [MVP] on July 11, 2006, 3:02 am
I am not sure of your full architecture, but having the IDS outside
of the PIX seemed strange to me.

You appear to be looking at this more from a network viewpoint
> and monitoring our servers and network. right now I really
> have no way of telling if someone has gotten in to our network.
than from a host viewpoint.

Consider, each host has a defined set of services it is providing,
then any contact with each outside of its defined set of interfaces
would, or may, indicate a probing. If the sum of exposures on
your network is minimized, e.g. client systems with zero footprint
to packets that are not originating from management systems,
servers exposing only the ports needed for their defined roles, etc.,
then an intruder has a very restricted set of machines on which to
mount penetration attempts, making the probing more noticeable.
Honeypots can also play well in such an environment, as can use
of such as tripwire on servers, etc.

As was indicated, looking at all network traffic for abnormal
events can be a difficult, or fruitless, effort - depends on quality
with which it is done, resources applied to task, and especially
on what is being done by the intruder (are they just operating
within a compromised account using accesses appropriate for
that account - like the accounting data or product specs - and
just doing things appropriate for the account - like emailing ?).

If you have the freedom to implement it, then check into the
MS guidance on using IPsec for domain isolation. If all machines
only speak to one another within IPsec SA bindings (and you
can log failures) then an intruder can become much more obvious
(and discouraged).

Roger

> Hey guys,
> I've been a lurker here for a while, but I need some specific answers on this one.
> I have a network with about 14 Windows 2003 servers, Exchange 2003, and also host two websites in house. We have a PIX firewall and an IDS system on the outside of the PIX. But I really need a good solution for securing and monitoring our servers and network. Right now I really have no way of telling if someone has gotten into our network. Can someone give me some ideas?
> Thanks for all the help
> L Smith



Posted by Gary Flynn on July 12, 2006, 12:10 pm
lsmith234@gmail.com wrote:

> Hey guys,
> I've been a lurker here for a while, but I need some specific answers on this one.
> I have a network with about 14 Windows 2003 servers, Exchange 2003, and also host two websites in house. We have a PIX firewall and an IDS system on the outside of the PIX. But I really need a good solution for securing and monitoring our servers and network. Right now I really have no way of telling if someone has gotten into our network. Can someone give me some ideas?
> Thanks for all the help
> L Smith

Install integrity checking software to assess changes and
log monitoring software to assess operations.

http://www.honeypots.net/ids/integrity-management
http://www.loganalysis.org/sections/parsing/generic-log-parsers/index.html

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
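Both the file change checker Karl recommends (with its "tune out files and folders that change frequently" step) and the integrity checking Gary suggests come down to the same mechanism: hash a baseline, rescan, and report what differs. The following is an added example, not code from either poster or from any of the tools mentioned; the directory layout, file contents and exclusion patterns are constructed for the demonstration.

```python
import fnmatch
import hashlib
import os
import tempfile

# Patterns (relative paths, forward slashes) that churn constantly and would
# bury real alerts; tuned per server after a few days of running.
DEFAULT_EXCLUDES = ["*.log", "*.tmp", "Temp/*"]

def snapshot(root, excludes=DEFAULT_EXCLUDES):
    """Map relative path -> SHA-256 of every non-excluded file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, p) for p in excludes):
                continue
            with open(full, "rb") as f:
                result[rel] = hashlib.sha256(f.read()).hexdigest()
    return result

def compare(baseline, current):
    """Return added, removed and modified paths between two snapshots."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(k for k in base & cur if baseline[k] != current[k]),
    }

def write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed tree: baseline, then an edit, an add, a delete and log churn."""
    root = tempfile.mkdtemp()
    write(root, "wwwroot/default.htm", b"<html>welcome</html>")
    write(root, "wwwroot/app.dll", b"MZ original")
    write(root, "logs/ex060707.log", b"first entry\n")
    baseline = snapshot(root)
    write(root, "wwwroot/default.htm", b"<html>changed</html>")  # modified
    write(root, "wwwroot/extra.htm", b"<html>new</html>")        # added
    os.remove(os.path.join(root, "wwwroot", "app.dll"))           # removed
    write(root, "logs/ex060707.log", b"first entry\nsecond\n")   # excluded
    return compare(baseline, snapshot(root))
```

In practice the baseline dictionary is stored off-host (or at least read-only) so that whoever changed the files cannot also rewrite the record of what they looked like.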
