What do you do to verify that your network is secure? [closed]

Securing a network can be a very difficult task. There are a lot of ins and outs, hardware- and software-wise (users aside!).

What steps do you take to verify that your network is secure?
What tools do you use to secure your network?
What are some of the big holes that go regularly un-fixed?


We're a fairly small office and have had to manage on a small budget. Our approach includes:

Network Intrusion Detection: We use StrataGuard Free from StillSecure -- it's a hardened Linux with Snort configured and a very intuitive web interface, plus regular rule updates. We installed the free version on an old box, tuned the rules a bit based on the alerts generated, and voilà! It works great, though you need a network switch capable of mirroring traffic to a single port. Non-free versions of StrataGuard have support, a few more bells and whistles, and can deal with higher traffic.

Host-Based Intrusion Detection: We wrote a small .NET app that runs as a service on our Windows boxes and forwards events from the event logs every couple of hours to a central database, where we review and retain them (filtered based on the types, IDs, and times of day we choose; as mentioned elsewhere, Randy Franklin Smith's site at http://www.ultimatewindowssecurity.com/Default.aspx has been invaluable in deciding which events to scrutinize).

Periodic in-house audit: Periodically, we give each box a once-over, make sure all unnecessary services are disabled and ports are closed, and run deep scans with rootkit and malware detection software that's different from the real-time anti-everything running daily. We also use nmap to analyze the network and scan for vulnerabilities, and Wireshark to analyze specific traffic as necessary.

Patch Updates: WSUS ensures and verifies that all our Windows boxes are up to date on security fixes, and keeps updates from eating up bandwidth. We use cron-apt on the Linux boxes, but haven't figured out a good way to verify that process centrally. Also, centralized management of server and workstation anti-malware is highly recommended, and available for most business-class versions of these products.

Policy: Perhaps most importantly, even in a small organization you need to start with a document that describes a security program or set of procedures for your organization. The document will outline the risks to your data and how you address them. This is the big one that usually gets ignored, but should you face most any flavor of outside audit, it's the first thing you'll need to refer to and wish you had, or had updated. Lots of samples on http://www.sans.org/resources/policies/.

The good news for organizations on a tight budget is that, other than the anti-malware suites, all this stuff is free, and -- with the exception of the in-house audits -- is very easy to review daily after the initial time investment to set up.
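As an added example (not part of the answer above, and not that office's tooling): the "ports are closed" part of the periodic audit is easiest to keep honest if every scan is compared against a written baseline of what each host is supposed to expose, rather than eyeballed. The Python below parses nmap's grepable output (`-oG`) and reports open ports that are not on the allowlist, allowed ports that are no longer open, and hosts the baseline does not know about. The scan text, the addresses, and the `BASELINE` allowlist are constructed for the example.

```python
"""Compare an nmap grepable (-oG) scan against a per-host allowlist of open ports.

Run a real scan with:  nmap -sS -oG scan.gnmap 192.168.1.0/24
then:                  python audit_ports.py scan.gnmap
(The scan text and allowlist below are constructed for this example.)
"""
import re
import sys

# Constructed nmap -oG output: three hosts, one of which (192.168.1.30) is
# not in the baseline at all. Not real scan data.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 02:00:00 2024 as: nmap -sS -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 5900/open/tcp//vnc///\tIgnored State: filtered (996)
Host: 192.168.1.30 ()\tStatus: Up
Host: 192.168.1.30 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 02:01:00 2024 -- 256 IP addresses (3 hosts up) scanned in 60.00 seconds
"""

# Hypothetical baseline: the ports each host is supposed to expose.
BASELINE = {
    "192.168.1.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.168.1.20": {(135, "tcp"), (445, "tcp"), (3389, "tcp")},
}

# One entry of the "Ports:" field looks like  port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} of *open* ports from nmap -oG text."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                        # "# Nmap ..." comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]         # "Host: 192.168.1.10 (name)" -> the IP
        open_ports.setdefault(host, set())  # an up host with no open ports still counts
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue
            for entry in value.split(", "):
                m = PORT_RE.match(entry.strip())
                if m and m.group(2) == "open":   # ignore closed/filtered entries
                    open_ports[host].add((int(m.group(1)), m.group(3)))
    return open_ports


def audit(scan_text, baseline):
    """Return a list of (host, finding, detail) tuples; empty means the scan matches the baseline."""
    findings = []
    seen = parse_grepable(scan_text)
    for host, ports in seen.items():
        allowed = baseline.get(host)
        if allowed is None:
            for port, proto in sorted(ports):
                findings.append((host, "unknown host", f"{port}/{proto}"))
            continue
        for port, proto in sorted(ports - allowed):
            findings.append((host, "unexpected open port", f"{port}/{proto}"))
        for port, proto in sorted(allowed - ports):
            findings.append((host, "expected port not open", f"{port}/{proto}"))
    for host in sorted(baseline.keys() - seen.keys()):
        findings.append((host, "host not seen in scan", ""))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for host, finding, detail in audit(text, BASELINE):
        print(f"{host:<16} {finding:<24} {detail}")
```

Two practitioner notes: a host that is up but missing from the scan entirely (powered off, or filtered by a firewall) is reported separately from an unknown port, since the two need different follow-up, and the baseline file is itself part of the security policy document the answer recommends, so changes to it should be reviewed like any other change.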


These answers I'm ripping from my response here

  • Use an IDS

    SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

    Snort reads network traffic and can look for things like "drive-by pen testing", where someone just runs an entire Metasploit scan against your servers. Good to know these sorts of things, in my opinion.

  • Monitor your servers - Graphs can give you a hint if something is unusual. I use Cacti to keep an eye on CPU, network traffic, disk space, temperatures, etc. If something looks odd, it is odd, and you should find out why it's odd. If traffic suddenly spikes in the App Tier, I'm going to want to know why.
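An added example, not from the answer above and not Snort's own code: the "drive-by pen testing" case is, on the wire, a burst of connections from one source to many distinct ports in a short time. The Python below runs that check over a handful of constructed iptables-style firewall log lines (a sliding window per source, counting distinct destination/port pairs), which is a much cruder version of what an IDS port-scan preprocessor does on live traffic. The log format, addresses, window length and threshold are assumptions to be tuned locally.

```python
"""Crude port-scan detector: flag a source that touches many distinct
(destination, port) pairs inside a sliding time window.

The log lines below are constructed iptables-style kernel messages, not
real traffic; the window and threshold are assumptions to tune locally.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389]
SAMPLE_LOG = "\n".join(
    # 203.0.113.5 sweeps 12 ports of one host in 12 seconds (the "drive-by" case)
    [f"Jan  1 02:00:{i:02d} fw kernel: DROP IN=eth0 SRC=203.0.113.5 "
     f"DST=192.168.1.10 PROTO=TCP DPT={p}" for i, p in enumerate(_SCAN_PORTS)]
    # 198.51.100.7 is an ordinary client: repeated hits on two service ports
    + ["Jan  1 02:00:05 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=443",
       "Jan  1 02:00:09 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=443",
       "Jan  1 02:00:40 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP DPT=80"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(text):
    """Return [(timestamp, src, dst, dport), ...] sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. ICMP lines with no DPT
        # syslog timestamps carry no year; strptime fills in 1900, fine for ordering
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    events.sort()
    return events


def detect_scans(text, window_seconds=60, threshold=10):
    """Return {src: {"first_seen": ts, "distinct_targets": n}} for sources that
    hit at least `threshold` distinct (dst, port) pairs within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # src -> [(ts, (dst, dport)), ...] still inside the window
    alerts = {}
    for ts, src, dst, dport in parse_events(text):
        bucket = [e for e in recent[src] if ts - e[0] <= window]  # expire old events
        bucket.append((ts, (dst, dport)))
        recent[src] = bucket
        targets = {target for _, target in bucket}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = {"first_seen": bucket[0][0], "distinct_targets": len(targets)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {info['distinct_targets']} targets, "
              f"first seen {info['first_seen']:%b %d %H:%M:%S}")
```

The obvious caveat is the one every threshold detector has: a scanner that paces itself to stay under `threshold` hits per `window_seconds` walks straight past this, and a busy legitimate client (a vulnerability scanner you run yourself, a monitoring poller) trips it. That is why a real IDS keeps separate counters for TCP, UDP and ICMP probes, watches for reply types like RST that a normal client never provokes, and lets you whitelist known scanners; treat this block as the idea, not the product.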