[liberationtech] Designing the best network infrastructure for a Human Rights NGO

Tom Ritter tom at ritter.vg
Thu Feb 28 06:09:06 PST 2013


On 28 February 2013 07:39,  <anonymous2013 at nym.hush.com> wrote:
> Hi,
> We are a human rights NGO that is looking to invest in the best
> possible level of network security (protection from high-level
> cyber-security threats, changing circumvention/proxy to protect IP
> address etc, encryption on endpoints and server, IDS/Physical and
> Software Firewall/File Integrity Monitoring, Mobile Device
> Management, Honeypots) we can get for our internal network. I was
> wondering if people would critique the following network, add
> comments, suggestions and alternative methods/pieces of software.
> (Perhaps if it goes well we could make a short paper out of it, for
> others to use.)
>
> -Windows 2012 Server
> -VMWare virtual machines running Win 8 for remote access

Windows doesn't scare me, full remote access scares me.  (I'm amazed
at how many people are saying "X is insecure" with no explanations how
or why an alternative is more secure.) Obviously you'll need something
for remote workers, but see the next section...

> -Industry standard hardening and lock down of all OS systems.

Industry 'Standard' hardening isn't particularly good because
'Standard' is 'Standard' and 'Standard' is also hacked over and over
again.  Upgrading your RDP authentication level is a good idea and
'Standard' - but what you want most of all is separation of privilege.
I don't mean "Bob the sysadmin is the only person who can administer
the mailserver" I mean "Bob the sysadmin is the only person who can
administer the mailserver, and he can only do it from a separate
computer that's on a separate airgapped network and he doesn't use USB
keys".

Airgapping brings thoughts of crazy military-levels of paranoia - but
it's not all that difficult and it's getting more and more important.
Get a couple cheapish laptops, a separate consumer-level broadband
connection, and run red cables plus blue to a few people's desks.

Think about it in terms of compartmentalisation, both airgapped and
non-airgapped-but-separate-Domains/VLANs/Authorisation contexts. Draw
out your network, and then fill an entire section with Red - that's
what the attacker controls.  How does he move to another section? What
data does he get?  Brainstorm this part heavily, consider putting it
up on a permanent whiteboard and referring to it every time someone
comes in and needs access to X group's fileserver, or what-have-you.

> -Constantly changing proxies

I have no idea what you intend to accomplish with this.  Performing
*more* logging of your employees, or not disabling WPAD sounds like
the opposite of what you'd want.  (And a note on the WPAD item:
disable IPv6 too.)

> -Sophos Enterprise Protection, Encryption and Patch management
> -Sophos mobile management

Uh, I guess.  I guess I shouldn't disparage something I've never
reviewed and haven't worked with... But my opinion of "Enterprise
Protection" products isn't too high until I've seen an independent
security firm see how secure the product is and how much attack
surface it adds.

> -Encrypted voice calls for mobile and a more secure alternative to
> Skype via Silent Circle.

So I guess that's RedPhone?

> -TrueCrypt on all drives - set to close without use after a
> specific time

Bitlocker is a fine alternative, and probably easier to manage/query
via Group Policy.

> -False and poison pill files
> -Honeypots

Ooookay.  This isn't a bad idea, but it's pretty damn complicated to
set up - you're moving more and more towards something that requires a
24/7 SOC (Security Operations Center) and further away from
"Architecting a secure network."

> -Snort IDS
> -Tripwire

And someone full time (or 2 people, really probably a team of folks
operating 24/7) to monitor these?  'Cause this stuff doesn't help you
if no one's looking at it.

> -Easily controlled kill commands

... Huh?

> -No wifi

Good luck with that.  I guess no one's going to have any productive
meetings or use any MacBook Airs, tablets, or phones for work
purposes.  (Unlikely.)  Having everyone use the cell towers isn't a
great idea either.  This sounds like you haven't done a requirements
gathering phase with your users.

-tom
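The "fill a section with Red" whiteboard exercise above, written out as a small reachability model. This is an added example, not part of the original thread; the two networks, their compartment names and the edges between them are constructed for illustration only.

```python
"""The whiteboard exercise from the thread as code: paint one compartment Red
and enumerate every compartment the attacker can move to from there."""
from collections import deque

# Constructed illustrative networks (not from the post). A directed edge A -> B
# means "an attacker who controls A has a path onto B": an exposed service, a
# remote session landing on a LAN, or an admin credential usable from A.
FLAT_NETWORK = {
    "rdp-gateway": ["staff-vlan"],                        # remote users land on the main LAN
    "staff-vlan": ["fileserver", "mailserver", "domain-controller"],  # Bob's admin PC is here
    "mailserver": ["domain-controller"],                  # Bob administers it with Domain Admin
    "domain-controller": ["staff-vlan", "fileserver", "mailserver", "rdp-gateway"],
    "fileserver": [],
}

SEGMENTED_NETWORK = {
    "rdp-gateway": ["remote-vlan"],                       # remote users get their own VLAN
    "remote-vlan": ["fileserver"],                        # ... and only the share they need
    "staff-vlan": ["fileserver", "mailserver"],           # client access only, no admin creds
    "mailserver": [],                                     # not Domain-joined; admin from airgap only
    "admin-laptop": ["mailserver"],                       # red cable, own broadband, no inbound edge
    "domain-controller": ["staff-vlan", "fileserver"],
    "fileserver": [],
}


def reachable(graph, red):
    """Breadth-first walk: everything the attacker controls once `red` is compromised."""
    seen = {red}
    queue = deque([red])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(graph):
    """For every compartment, how many others fall if the attacker starts there."""
    return {node: len(reachable(graph, node)) - 1 for node in graph}


if __name__ == "__main__":
    for name, graph in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(f"== {name} ==")
        for node, count in sorted(blast_radius(graph).items()):
            print(f"  {node:18s} -> {count} further compartments")
```

In the flat design a compromised mailserver hands over the Domain Controller and with it everything else; in the segmented one the same compromise goes nowhere, because the only admin path comes from the airgapped laptop.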
