Rob Cohen Enterprise Engineer
SECURITY
I have championed a number of enterprise-level security postures, most notably for IBM Big Data. There are a number of related products and services out there. Let me lend my expertise in improving the posture of yours.
RECOMMENDATIONS
1. ACCESS CONTROLS
- Password protect all workstations, change every 60 to 90 days maximum.
- Change user account passwords every 60 days maximum, including external user accounts for vendor sites.
- External vendor service accounts (web services) should also be considered quarterly, but twice a year is highly recommended.
- Utilize internal access controls such as sudo.
- Lock down files with world read/write access to be read only.
- Understand how SELinux works and use it!
- Keep audit levels meaningful; archive for 6 months to a year minimum, or as required by compliance regulations.
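The "lock down world-writable files" item above, as a small audit-and-remediate script. This is an added example, not from the original page; it assumes GNU find(1) and stat(1) (the BSD/macOS stat flags differ, as noted in the comments).

```shell
#!/bin/sh
# Audit, and optionally fix, regular files that any local user can write to.
# Added example; assumes GNU find/stat (Linux). On BSD/macOS use: stat -f '%Lp %Su %N'

# find_world_writable DIR -> one line per world-writable regular file:
#                            "<octal mode> <owner> <path>"
find_world_writable() {
    # -xdev      stay on one filesystem (skips /proc, /sys, network mounts)
    # -type f    regular files only; world-writable dirs are handled below
    # -perm -002 "other" write bit set, whatever the remaining bits are
    find "$1" -xdev -type f -perm -002 -exec stat -c '%a %U %n' {} +
}

# count_world_writable DIR -> number of world-writable regular files under DIR
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable DIR -> clear only the "other" write bit (o-w) so owner and
# group permissions are preserved; a blanket chmod 644 would break group workflows
fix_world_writable() {
    find "$1" -xdev -type f -perm -002 -exec chmod o-w {} +
}

# world_writable_dirs_without_sticky DIR -> directories anyone can write to that
# lack the sticky bit (unlike /tmp), so one user can delete another user's files
world_writable_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -002 ! -perm -1000
}

# Typical use: audit first, review the list, then remediate.
#   find_world_writable /            # report
#   world_writable_dirs_without_sticky /
#   fix_world_writable /srv          # remediate a reviewed subtree
```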
2. NETWORK PLANNING
Network planning in some ways is like what a City Planner might do to layout sub-divisions and neighborhoods. Good planning leads to less traffic congestion and better performance. That will make the job of securing it a bit easier.
- Gather the proper requirements for IP network, domain, and sub-network addressing. Be generous.
- Use tiers for front-facing (exposed), presentation (web server), application/middleware, and database.
- Set up security zones that are both functional and meaningful.
- Perform external port scans (use Nessus or similar) and remediate vulnerabilities before ever exposing a server to the open internet.
3. FIREWALL SECURITY
Your firewall is your first line of defense against unwanted access and attacks.
- Use a reputable appliance.
- Manage your port access diligently; disable access to unneeded ports.
- Keep good track of firewall rules.
- Follow up on changes, especially temporary ones, and disable temporary-use ports when the requirement is completed.
- Avoid opening ranges of ports or ranges of sub-nets. Try to determine what ports are to be used, disable all others, and use specific IPs whenever possible.