Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?

Panarchy
Hello

So far, when I have posted on this Mailing-List I have recieved some
very informative replies.

I am currently studying for a few certifications, (amongst them MCSE,
Security+ & the CCNA), and would like to learn how to design a secure
network.

Please help me with this endeavor.

Hypothetical situation;

################################################################
1x Server (no need to go into specs, but let's just say 8GB of RAM and
2x Intel Quad CPU at 2.66GHz)
500x Windows Computers (400x Windows XP, 94x Windows Vista and 6x Windows 7)
80x Linux Computers (Ubuntu... and others?)
46x Mac OS X Computers (Including 10x Tiger, 34x Leopard and 2x Snow Leopard)
3x FreeBSD (2x v7, 1x v9)
################################################################

===============================
630 computer all up, including the Server
===============================

Now onto my question. For a convoluted network as pictured above,
(hypothetical, of course), what kind of Server (NOS included?)
operating system should I install, and how should I configure it?

I want to know this only by a security standpoint. Things that are important;
############
# SECURITY #
############
- Encryption of all traffic (256-bit)
- Shares (if possible to have Shares and still maintain a secure network)
- Centralised secure storage of Data (Storage)
- Centralised secure storage of User accounts
- Unattended installation of (at the very least) the 500 Windows boxes
- Internet

Please tell me what I would need in this situation, not interested in
how many people would be needed, how much money it would cost, or how
much time it would take.

Now time to summarise my questions in an easy to review format;

1. Which Server Operating system should I install on my Server?
2. To make the Network fast (e.g. Gigabit NICs on all computers & more
Servers etc.), as well as secure, what would I need to do?
3. What is the best way to have 256-bit encryption of all traffic on
this network?
4. Is it possible to have Shared folders, yet still attain a
high-level of security on this Network?
5. Would it be possible to have Centralised Storage/Resources?
6. Could it be possible to have a Centralised User Account database,
for this entire network?
7. Would you think it a good idea to use a Debian server for Repositories?

Please try your best to answer those 6 questions.

Thanks in advance,

Chip D. Panarchy

PS: I was planning on making this into many little Messages on this
Mailing-list, however, I decided against it. If you think I should
make them into smaller messages (eg 1 of the 6 questions per message)
then please tell me.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?

Chris Hilts
Chip Panarchy wrote:

> ################################################################
> 1x Server (no need to go into specs, but let's just say 8GB of RAM and
> 2x Intel Quad CPU at 2.66GHz)
> 500x Windows Computers (400x Windows XP, 94x Windows Vista and 6x Windows 7)
> 80x Linux Computers (Ubuntu... and others?)
> 46x Mac OS X Computers (Including 10x Tiger, 34x Leopard and 2x Snow Leopard)
> 3x FreeBSD (2x v7, 1x v9)
> ################################################################
>

> 1. Which Server Operating system should I install on my Server?

Whichever one you're competent with. There's no point installing an
operating system you won't be able to use effectively, no matter how
highly recommended it is. Windows Server, Linux, BSD, and so on.

> 3. What is the best way to have 256-bit encryption of all traffic on
> this network?

Hmm, I don't know.  IPSec, probably.

> 4. Is it possible to have Shared folders, yet still attain a
> high-level of security on this Network?

Define "high-level of security". Does your definition of "secure" mean
"no shared folders"?

> 5. Would it be possible to have Centralised Storage/Resources?

Yes.

> 6. Could it be possible to have a Centralised User Account database,
> for this entire network?

Yes.

> 7. Would you think it a good idea to use a Debian server for Repositories?

Repositories of what?  Debian makes a good server.

You're probably going to want more than 1 server for that network, btw.

Chris


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?

Wade Richards
In reply to this post by Panarchy
This sounds a lot like "I'm taking a course, and I'd like the Internet
to do my homework for me."   I'll give you generally correct advice,
with enough lies in here to give you a failing grade if you don't verify
my statements.

If I were setting up a system as you described, I'd focus on what the
network clients are capable of, and what requires the least non-standard
configuration on them (because misconfiguration of the client
workstation is an easy way to introduce insecurity, and it's hard for
you to enforce their config).

The Windows boxes want Windows networking, the Unix-like ones want Unix
networking.  A Unix server is most likely to give you both easily,
although almost any server OS can.

So the servers should be running SAMBA for Windows logon and network
shares, plus LDAP and NFS for Unix logon and sharing.  SAMBA can be
configured to authenticate against the local LDAP server, so it can
become your single source of knowledge for user accounts.  You can share
the same directories on the server via SAMBA and NFS, so they become
your centralized storage.

Encrypting network traffic is very much the least of your concern.  So
many people think security means "encrypt stuff!", when it is the high
level protocols (logon, authorization) that matters.  Nobody will bother
with packet sniffing when they can just read the files directly from the
file server.  Besides, in a wired network, the switches will ensure
packets only go to the machines where they are supposed to be, so
sniffing is pointless.  If you really want to waste your time, ipsec, or
tunneling NFS through SSL will work (wireless should use WPA2 with as
many bits as makes you happy.

To make the network fast, you should grease your network cables.  
Security can be improve by adding cable locks to all the computers, and
putting in a steel door with a deadbolt, and bars on the windows.

It's always a good idea to use a Debian server for repositories, because
the Debian kernel and file system has native support for dpkg file
formats, so performance is much faster with them.  You may choose to
have your Ubuntu and Windows machines automatically get patches from
your central patch repository, so you can pre-test them all before
roll-out.   Or, you can have the machines automatically get the patches
from Ubuntu.com and MSFT directly.  It depends on how much effort you're
willing to put into testing patches.  If you go the direct route, then
buggy patches may impact your system.  If you go the indirect route,
then your testing delay between a patch being released by the vendor and
you deploying it may allow an exploitation.  It depends on which risk
you want to take.

The server can be Debian, Ubuntu, Windows server, BSD or Mac.  It could
even be running OS/360.  The key question is which are you most
comfortable using, and which are you most capable of keeping patches
up-to-date and systems securely configured.  If I were setting it up, it
would be Debian.  If you're taking a MSCE course, your best choice is
probably Windows server or Windows 95.

    --- Wade

Chip Panarchy wrote:

> Hello
>
> So far, when I have posted on this Mailing-List I have recieved some
> very informative replies.
>
> I am currently studying for a few certifications, (amongst them MCSE,
> Security+ & the CCNA), and would like to learn how to design a secure
> network.
>
> Please help me with this endeavor.
>
> Hypothetical situation;
>
> ################################################################
> 1x Server (no need to go into specs, but let's just say 8GB of RAM and
> 2x Intel Quad CPU at 2.66GHz)
> 500x Windows Computers (400x Windows XP, 94x Windows Vista and 6x Windows 7)
> 80x Linux Computers (Ubuntu... and others?)
> 46x Mac OS X Computers (Including 10x Tiger, 34x Leopard and 2x Snow Leopard)
> 3x FreeBSD (2x v7, 1x v9)
> ################################################################
>
> ===============================
> 630 computer all up, including the Server
> ===============================
>
> Now onto my question. For a convoluted network as pictured above,
> (hypothetical, of course), what kind of Server (NOS included?)
> operating system should I install, and how should I configure it?
>
> I want to know this only by a security standpoint. Things that are important;
> ############
> # SECURITY #
> ############
> - Encryption of all traffic (256-bit)
> - Shares (if possible to have Shares and still maintain a secure network)
> - Centralised secure storage of Data (Storage)
> - Centralised secure storage of User accounts
> - Unattended installation of (at the very least) the 500 Windows boxes
> - Internet
>
> Please tell me what I would need in this situation, not interested in
> how many people would be needed, how much money it would cost, or how
> much time it would take.
>
> Now time to summarise my questions in an easy to review format;
>
> 1. Which Server Operating system should I install on my Server?
> 2. To make the Network fast (e.g. Gigabit NICs on all computers & more
> Servers etc.), as well as secure, what would I need to do?
> 3. What is the best way to have 256-bit encryption of all traffic on
> this network?
> 4. Is it possible to have Shared folders, yet still attain a
> high-level of security on this Network?
> 5. Would it be possible to have Centralised Storage/Resources?
> 6. Could it be possible to have a Centralised User Account database,
> for this entire network?
> 7. Would you think it a good idea to use a Debian server for Repositories?
>
> Please try your best to answer those 6 questions.
>
> Thanks in advance,
>
> Chip D. Panarchy
>
> PS: I was planning on making this into many little Messages on this
> Mailing-list, however, I decided against it. If you think I should
> make them into smaller messages (eg 1 of the 6 questions per message)
> then please tell me.
>
>
>  


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?

Sebastian Günther-4
In reply to this post by Panarchy
* Chip Panarchy ([hidden email]) [01.03.09 15:30]:

> Hello
>
> So far, when I have posted on this Mailing-List I have recieved some
> very informative replies.
>
> I am currently studying for a few certifications, (amongst them MCSE,
> Security+ & the CCNA), and would like to learn how to design a secure
> network.
>
> Please help me with this endeavor.
>
[ Hypothetical situation; ]

> Now onto my question. For a convoluted network as pictured above,
> (hypothetical, of course), what kind of Server (NOS included?)
> operating system should I install, and how should I configure it?
>
> I want to know this only by a security standpoint. Things that are important;
> ############
> # SECURITY #
> ############
> - Encryption of all traffic (256-bit)
> - Shares (if possible to have Shares and still maintain a secure network)
> - Centralised secure storage of Data (Storage)
> - Centralised secure storage of User accounts
> - Unattended installation of (at the very least) the 500 Windows boxes
> - Internet
>
> Please tell me what I would need in this situation, not interested in
> how many people would be needed, how much money it would cost, or how
> much time it would take.
Well you need information about what should be secured and against what
threat it should be secured.

Any of your information does not explain what you are trying to achieve.

Security is not a sole purpose, it is a pool of measures against one or
more threads. There is no such thing as 100% security...

>
> Now time to summarise my questions in an easy to review format;
>
> 1. Which Server Operating system should I install on my Server?
> 2. To make the Network fast (e.g. Gigabit NICs on all computers & more
> Servers etc.), as well as secure, what would I need to do?
> 3. What is the best way to have 256-bit encryption of all traffic on
> this network?
> 4. Is it possible to have Shared folders, yet still attain a
> high-level of security on this Network?
> 5. Would it be possible to have Centralised Storage/Resources?
> 6. Could it be possible to have a Centralised User Account database,
> for this entire network?
> 7. Would you think it a good idea to use a Debian server for Repositories?
>
> Please try your best to answer those 6 questions.
I count 7...
But I won't answer to any of these, because there are missing some
fundamental constraints in this scenario to make any useful suggestions.

Sebastian

--
 " Religion ist das Opium des Volkes. "      Karl Marx

 SEB@STI@N GÜNTHER         mailto:[hidden email]

attachment0 (205 bytes) Download Attachment