
SECURITY

I have championed a number of enterprise-level security postures, most notably for IBM Big Data. There are a number of related products and services out there. Let me lend my expertise in improving the posture of yours.

RECOMMENDATIONS

Access controls, network planning - Rob Cohen, Enterprise Engineer

1. ACCESS CONTROLS

  • Password-protect all workstations, and change the passwords every 60 to 90 days at most.

  • Change user account passwords every 60 days at most, including external user accounts on vendor sites.

  • Rotate credentials for external vendor service accounts (web services) as well; consider a quarterly rotation, and twice a year is highly recommended.

  • Use internal access controls such as sudo.

  • Lock down files with world read/write access so that they are read-only.

  • Understand how SELinux works, and use it!

  • Keep audit levels meaningful, and archive audit logs for six months to a year at minimum, or longer where compliance regulations require it.

2. NETWORK PLANNING

Network planning is in some ways like what a city planner does to lay out subdivisions and neighborhoods. Good planning leads to less traffic congestion and better performance, which in turn makes securing the network a bit easier.

  • Gather the proper requirements for IP network, domain, and sub-network addressing. Be generous with the address space.

  • Use tiers: front-facing (exposed), presentation (web server), application/middleware, and database.

  • Set up security zones that are both functional and meaningful.

  • Perform external port scans (with Nessus or a similar scanner) and remediate vulnerabilities before ever exposing a server to the open internet.

3. FIREWALL SECURITY

Your firewall is your first line of defense against unwanted access and attacks.

  • Use a reputable appliance.

  • Manage your port access diligently, and disable access to unneeded ports.

  • Keep good track of firewall rules.

  • Follow up on changes, especially temporary ones, and disable temporary-use ports once the requirement has been completed.

  • Avoid opening ranges of ports or ranges of subnets; determine which ports are to be used, disable all others, and use specific IPs whenever possible.
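A check for the last three points, added here as an example and not code from this page or its author: a small rule linter that flags port ranges, broad source subnets, any-source rules outside the exposed tier, and temporary rules left in place past their expiry. The rule record, the tier names, the /24 threshold and the sample rule set are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional

# Hypothetical rule record; a real firewall exports its own format, so a
# deployment would first translate its rule table into this shape.
@dataclass
class Rule:
    name: str
    src: str                        # source CIDR; "0.0.0.0/0" means any source
    dport: str                      # destination port, "443" or a range "8000-8100"
    tier: str                       # exposed, presentation, application or database
    expires: Optional[date] = None  # set only for temporary rules

def lint_rule(rule: Rule, today: date, max_prefix: int = 24) -> List[str]:
    """Return one finding per way the rule departs from the recommendations."""
    findings = []
    # Port ranges: name the exact ports instead and close the rest.
    if "-" in rule.dport:
        lo, hi = (int(p) for p in rule.dport.split("-", 1))
        findings.append(f"{rule.name}: opens port range {lo}-{hi} ({hi - lo + 1} ports)")
    net = ip_network(rule.src, strict=False)
    # An any-source rule is only defensible on the front-facing tier.
    if net.prefixlen == 0 and rule.tier != "exposed":
        findings.append(f"{rule.name}: any-source rule on the {rule.tier} tier")
    # Whole subnets where specific IPs would do (the /24 threshold is an assumption).
    elif 0 < net.prefixlen < max_prefix:
        findings.append(f"{rule.name}: broad source {rule.src}; prefer specific IPs")
    # Temporary rules must be removed once the requirement is completed.
    if rule.expires is not None and rule.expires < today:
        findings.append(f"{rule.name}: temporary rule expired on {rule.expires.isoformat()}")
    return findings

def lint_rules(rules: List[Rule], today: date) -> List[str]:
    return [f for rule in rules for f in lint_rule(rule, today)]

# Constructed sample rule set; the addresses and dates are made up.
TODAY = date(2024, 6, 1)
SAMPLE_RULES = [
    Rule("https-in", "0.0.0.0/0", "443", "exposed"),
    Rule("db-from-app", "10.0.2.0/24", "5432", "database"),
    Rule("vendor-sftp", "203.0.0.0/16", "22", "application"),
    Rule("debug-range", "10.0.1.0/24", "8000-8100", "application", expires=date(2024, 1, 31)),
    Rule("any-to-db", "0.0.0.0/0", "3306", "database"),
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES, TODAY):
        print(finding)
```

Run against the sample set it reports four findings; the HTTPS rule on the exposed tier and the /24 database rule pass clean.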
