What do you think is the best security perimeter to protect a network?

solidstar

Member
Apr 30, 2014
61
1
66
What should I do if I suspect that our system is compromised? What do you think is the best security perimeter to protect a network?
 

rsachoc

Member
Mar 12, 2017
27
0
66
What should I do if I suspect that our system is compromised? What do you think is the best security perimeter to protect a network?

Depends on a lot of things, you'll have to be more specific. What is "our system"? What do you mean by "security perimeter"?
 

Red Squirrel

No Lifer
May 24, 2003
70,157
13,567
126
www.anyf.ca
Lots of things you can do. A basic step is to be aware of what ports are open to the outside, if any even need to be open (ex: stuff that you are serving to the outside). Also be aware that anything that is open to the outside can cause your entire network to be compromised if that particular service is compromised. Ex: let's say you're running IIS on a VM because you know it's unsecure so the VM does only that, you port forward, it's running, and if something happens to that VM you don't care. But wait, someone manages to remotely execute code, and eventually gets remote access to the machine. Now they can remote into anything that's on your network.

That's where vlans come in. You should split up your network based on purpose/risk. Of course you need a firewall that can handle vlans and takes care of inter-vlan routing and firewall rules. By default stuff from one vlan should not be allowed to talk to stuff in another. Then you can add rules to make exceptions. So back to port forwarding stuff, anything that is serving the outside world should be fairly segregated from the main network. Make a vlan that you dedicate for internet facing stuff. Each individual machine on that vlan should be configured as if they were fully internet facing. Ex: they each have their own firewall, brute force protection etc.

Then there's wireless, that is another attack vector that can be exploited from the outside - literal outside. So that should be on its own vlan too. Guest wifi, another vlan.

Of course nowadays with so much JavaScript, plugins, and all that crap, just going to a bad web page can also infect you, so stuff that is letting people in is not the only thing to worry about anymore. Technically, a browser should probably be run in a VM that is set up to have minimal access to the rest of the network, but that would be kind of annoying to do. Just be very cautious of what sites you go to. Using Linux probably helps, as a lot of the stuff that causes code to run is probably targeting Windows. That is more of a security through obscurity approach though. Browser based malware is a real issue these days.

Also, be aware of anything that goes or can access your network. As tempting as it is, don't use IoT (Internet of Trash) stuff. Those are basically trojans. If you want to automate stuff, there's tons of Arduino and Raspberry Pi tutorials.

Probably tons more stuff on this topic. Nowadays the real enemy is the government and they are much more advanced than any of us, so all we can do is try our best to make their lives harder and hope they go for the low hanging fruit first.

Oh, full disk encryption. Also a good idea. But kinda annoying for anything that you may want to come up on its own, like servers. Suppose that is where IPMI is a nice thing to have.

Personally my setup is pfSense + managed switch. Wifi is done by UniFi. Not really a fan of SOHO routers. They're ok if you're setting up a network for grandma but with all the stuff that gets backdoored, hacked, etc these days I would not really trust any of them for my own network.
 
Feb 26, 2013
177
1
81
It really depends on the type of network you have. I would look at IDS/IPS logs if it's not a home network. Proper securing of DMZs and firewall rules that reject private addresses is another.
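Added example, not part of any post in this thread: a small Python model of the two rules discussed above, default deny between VLANs with explicit exceptions, and rejecting private source addresses arriving on the WAN side. The VLAN names, subnets, ports and function names are assumptions made up for illustration, not anyone's actual configuration.

```python
import ipaddress

# Constructed layout: VLAN names, subnets and ports are assumptions for illustration.
VLANS = {name: ipaddress.ip_network(net) for name, net in {
    "lan": "10.0.10.0/24", "dmz": "10.0.20.0/24",
    "wifi": "10.0.30.0/24", "guest": "10.0.40.0/24"}.items()}
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Explicit exceptions as (arrival interface, destination zone, destination port).
# Everything not listed here is dropped: default deny between zones.
ALLOW = {
    ("wan", "dmz", 443),   # port forward to the internet-facing server
    ("lan", "dmz", 22),    # admin access from the trusted LAN into the DMZ
    ("lan", "wan", 443), ("wifi", "wan", 443), ("guest", "wan", 443),
    ("dmz", "wan", 443),   # DMZ hosts may fetch updates, nothing internal
}

def zone_of(addr):
    """Return the VLAN that contains addr, or 'wan' for anything else."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in VLANS.items() if ip in net), "wan")

def decide(iface, src, dst, dport):
    """Verdict for a new connection arriving on iface (dst is post-NAT)."""
    ip = ipaddress.ip_address(src)
    if iface == "wan" and any(ip in net for net in PRIVATE):
        return "reject: private source on WAN"
    if iface != "wan" and ip not in VLANS[iface]:
        return "reject: source not in interface subnet"
    if (iface, zone_of(dst), dport) in ALLOW:
        return "allow"
    return "deny: no exception"

def internal_reach(zone):
    """Internal zones that `zone` may open connections to."""
    return sorted({d for s, d, _ in ALLOW if s == zone and d != "wan"})

if __name__ == "__main__":
    # Constructed flows: a compromised DMZ host probing the LAN, a spoofed
    # WAN packet, and the legitimate port forward.
    for flow in [("dmz", "10.0.20.5", "10.0.10.7", 445),
                 ("wan", "192.168.1.9", "10.0.20.5", 443),
                 ("wan", "203.0.113.8", "10.0.20.5", 443)]:
        print(flow, "->", decide(*flow))
    print("dmz can initiate to:", internal_reach("dmz"))
```

The `internal_reach` check is the useful audit: if the internet-facing VLAN can open connections to any internal zone, a compromise of one forwarded service is no longer contained.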