[liberationtech] Designing the best network infrastructure for a Human Rights NGO

cantona7 at hushmail.com cantona7 at hushmail.com
Thu Feb 28 06:16:45 PST 2013 

Thanks excellent advice - much to think about.

On Thu, 28 Feb 2013 14:09:39 +0000 "Tom Ritter" <tom at ritter.vg> 
wrote:
>On 28 February 2013 07:39,  <anonymous2013 at nym.hush.com> wrote:
>> Hi,
>> We are a human rights NGO that is looking to invest in the best
>> possible level of network security (protection from high-level
>> cyber-security threats, changing circumvention/proxy to protect 
>IP
>> address etc, encryption on endpoints and server, IDS/Physical 
>and
>> Software Firewall/File Integrity Monitoring, Mobile Device
>> Management, Honeypots) we can get for a our internal network. I 
>was
>> wondering if people would critique the following network, add
>> comments, suggestions and alternative methods/pieces of 
>software.
>> (Perhaps if it goes well we could make a short paper out of it, 
>for
>> others to use.)
>>
>> -Windows 2012 Server
>> -VMWare virtual machines running Win 8 for remote access
>
>Windows doesn't scare me, full remote access scares me.  (I'm 
>amazed
>at how many people are saying "X is insecure" with no explanations 
>how
>or why an alternative is more secure.) Obviously you'll need 
>something
>for remote workers, but see the next section...
>
>> -Industry standard hardening and lock down of all OS systems.
>
>Industry 'Standard' hardening isn't particularly good because
>'Standard' is 'Standard' and 'Standard' is also hacked over and 
>over
>again.  Upgrading your RDP authentication level is a good idea and
>'Standard' - but what you want most of all is separation of 
>privilege.
> I don't mean "Bob the sysadmin is the only person who can 
>administer
>the mailserver" I mean "Bob the sysadmin is the only person who 
>can
>administer the mailserver, and he can only do it from a separate
>computer that's on a separate airgapped network and he doesn't use 
>USB
>keys".
>
>Airgapping brings thoughts of crazy military-levels of paranoia - 
>but
>it's not all that difficult and it's getting more and more 
>important.
>Get a couple cheapish laptops, a separate consumer-level broadband
>connection, and run red cables plus blue to a few people's desks.
>
>Think about it terms of compartmentalisation, both airgapped and
>non-airgapped-but-separate-Domains/VLANs/Authorisation contexts. 
>Draw
>out your network, and then fill an entire section with Red - 
>that's
>what the attacker controls.  How does he move to another section? 
>What
>data does he get?  Brainstorm this part heavily, consider putting 
>it
>up on a permanent whiteboard and referring to it every time 
>someone
>comes in and needs access to X group's fileserver, or what-have-
>you.
>
>> -Constantly changing proxies
>
>I have no idea what you intend to accomplish with this.  
>Performing
>*more* logging of your employees, or not disabling WPAD sounds 
>like
>the opposite of what you'd want.  (And a note on the WPAD item:
>disable IPv6 too.)
>
>> -Sophos Enterprise Protection, Encryption and Patch management
>> -Sophos mobile management
>
>Uh, I guess.  I guess I shouldn't disparage something I've never
>reviewed and haven't worked with... But my opinion of "Enterprise
>Protection" products isn't too high until I've seen an independent
>security firm see how secure the product is and how much it attack
>surface it adds.
>
>> -Encrypted voice calls for mobile and a more secure alternative 
>to
>> Skype via Silent Circle.
>
>So I guess that's RedPhone?
>
>> -TrueCrypt on all drives - set to close without use after a
>> specific time
>
>Bitlocker is a fine alternative, and probably easier to 
>manage/query
>via Group Policy.
>
>> -False and poison pill files
>> -Honeypots
>
>Ooookay.  This isn't a bad idea, but it's pretty damn complicated 
>to
>set up - you're moving more and more towards something that 
>requires a
>24/7 SOC (Security Operations Center) and further away from
>"Architecting a secure network."
>
>> -Snort IDS
>> -Tripwire
>
>And someone full time (or 2 people, really probably a team of 
>folks
>operating 24/7) to monitor these?  Cause this stuff doesn't help 
>you
>if no one's looking at it.
>
>> -Easily controlled kill commands
>
>... Huh?
>
>> -No wifi
>
>Good luck with that.  I guess no one's going to have any 
>productive
>meetings or use any MacBook airs, tablets, or phones for work
>purposes.  (Unlikely.)  Having everyone use the cell towers isn't 
>a
>great idea either.  This sounds like you haven't done a 
>requirements
>gathering phase with your users.
>
>-tom
>--
>Too many emails? Unsubscribe, change to digest, or change password 
>by emailing moderator at companys at stanford.edu or changing your 
>settings at 
>https://mailman.stanford.edu/mailman/listinfo/liberationtech

More information about the liberationtech mailing list