Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Designing the best network infrastructure for a Human Rights NGO

anonymous2013 at nym.hush.com anonymous2013 at nym.hush.com
Thu Feb 28 06:21:03 PST 2013


Agreed, this kind of advice is what I was hoping to get on LibTech!

On Thu, 28 Feb 2013 14:16:56 +0000 cantona7 at hushmail.com wrote:
>Thanks excellent advice - much to think about.
>
>On Thu, 28 Feb 2013 14:09:39 +0000 "Tom Ritter" <tom at ritter.vg> 
>wrote:
>>On 28 February 2013 07:39,  <anonymous2013 at nym.hush.com> wrote:
>>> Hi,
>>> We are a human rights NGO that is looking to invest in the best
>>> possible level of network security (protection from high-level
>>> cyber-security threats, changing circumvention/proxy to protect 
>
>>IP
>>> address etc, encryption on endpoints and server, IDS/Physical 
>>and
>>> Software Firewall/File Integrity Monitoring, Mobile Device
>>> Management, Honeypots) we can get for a our internal network. I 
>
>>was
>>> wondering if people would critique the following network, add
>>> comments, suggestions and alternative methods/pieces of 
>>software.
>>> (Perhaps if it goes well we could make a short paper out of it, 
>
>>for
>>> others to use.)
>>>
>>> -Windows 2012 Server
>>> -VMWare virtual machines running Win 8 for remote access
>>
>>Windows doesn't scare me, full remote access scares me.  (I'm 
>>amazed
>>at how many people are saying "X is insecure" with no 
>explanations 
>>how
>>or why an alternative is more secure.) Obviously you'll need 
>>something
>>for remote workers, but see the next section...
>>
>>> -Industry standard hardening and lock down of all OS systems.
>>
>>Industry 'Standard' hardening isn't particularly good because
>>'Standard' is 'Standard' and 'Standard' is also hacked over and 
>>over
>>again.  Upgrading your RDP authentication level is a good idea 
>and
>>'Standard' - but what you want most of all is separation of 
>>privilege.
>> I don't mean "Bob the sysadmin is the only person who can 
>>administer
>>the mailserver" I mean "Bob the sysadmin is the only person who 
>>can
>>administer the mailserver, and he can only do it from a separate
>>computer that's on a separate airgapped network and he doesn't 
>use 
>>USB
>>keys".
>>
>>Airgapping brings thoughts of crazy military-levels of paranoia - 
>
>>but
>>it's not all that difficult and it's getting more and more 
>>important.
>>Get a couple cheapish laptops, a separate consumer-level 
>broadband
>>connection, and run red cables plus blue to a few people's desks.
>>
>>Think about it terms of compartmentalisation, both airgapped and
>>non-airgapped-but-separate-Domains/VLANs/Authorisation contexts. 
>>Draw
>>out your network, and then fill an entire section with Red - 
>>that's
>>what the attacker controls.  How does he move to another section? 
>
>>What
>>data does he get?  Brainstorm this part heavily, consider putting 
>
>>it
>>up on a permanent whiteboard and referring to it every time 
>>someone
>>comes in and needs access to X group's fileserver, or what-have-
>>you.
>>
>>> -Constantly changing proxies
>>
>>I have no idea what you intend to accomplish with this.  
>>Performing
>>*more* logging of your employees, or not disabling WPAD sounds 
>>like
>>the opposite of what you'd want.  (And a note on the WPAD item:
>>disable IPv6 too.)
>>
>>> -Sophos Enterprise Protection, Encryption and Patch management
>>> -Sophos mobile management
>>
>>Uh, I guess.  I guess I shouldn't disparage something I've never
>>reviewed and haven't worked with... But my opinion of "Enterprise
>>Protection" products isn't too high until I've seen an 
>independent
>>security firm see how secure the product is and how much it 
>attack
>>surface it adds.
>>
>>> -Encrypted voice calls for mobile and a more secure alternative 
>
>>to
>>> Skype via Silent Circle.
>>
>>So I guess that's RedPhone?
>>
>>> -TrueCrypt on all drives - set to close without use after a
>>> specific time
>>
>>Bitlocker is a fine alternative, and probably easier to 
>>manage/query
>>via Group Policy.
>>
>>> -False and poison pill files
>>> -Honeypots
>>
>>Ooookay.  This isn't a bad idea, but it's pretty damn complicated 
>
>>to
>>set up - you're moving more and more towards something that 
>>requires a
>>24/7 SOC (Security Operations Center) and further away from
>>"Architecting a secure network."
>>
>>> -Snort IDS
>>> -Tripwire
>>
>>And someone full time (or 2 people, really probably a team of 
>>folks
>>operating 24/7) to monitor these?  Cause this stuff doesn't help 
>>you
>>if no one's looking at it.
>>
>>> -Easily controlled kill commands
>>
>>... Huh?
>>
>>> -No wifi
>>
>>Good luck with that.  I guess no one's going to have any 
>>productive
>>meetings or use any MacBook airs, tablets, or phones for work
>>purposes.  (Unlikely.)  Having everyone use the cell towers isn't 
>
>>a
>>great idea either.  This sounds like you haven't done a 
>>requirements
>>gathering phase with your users.
>>
>>-tom
>>--
>>Too many emails? Unsubscribe, change to digest, or change 
>password 
>>by emailing moderator at companys at stanford.edu or changing your 
>>settings at 
>>https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>--
>Too many emails? Unsubscribe, change to digest, or change password 
>by emailing moderator at companys at stanford.edu or changing your 
>settings at 
>https://mailman.stanford.edu/mailman/listinfo/liberationtech




More information about the liberationtech mailing list