Hi,
On 07/01/2019 at 11:41, Brian Kantor wrote:
Yes, you're being thrown into the network security swamp, and having to learn to swim while trying to keep your head above water.
How about sharing our best practices and tools to secure our AMPRNet networks?
-- In our first iteration, our network was not using AMPRNet addresses, but private addressing (10.44.0.0/16). From a network point of view, TKNet was considered as one of our customers. Connections to the outside world were done through NAT / port openings. And security was managed, at no additional cost for the HAM community, on our corporate firewalls (with paid security services from the manufacturer).
Our next iteration will start using AMPRNet addressing, with direct BGP announcement. As the network setup is slightly different from what we're using in our business, and as our datacenter's main bandwidth provider is not BGP-capable, we must build a completely independent network, and thus we can't secure it anymore with our corporate firewalls. So, we have to secure it from scratch, preferably with free/open-source software solutions, so that everybody can re-use them anywhere. And I must say I was really afraid when I saw all the incoming crap on our first BGP-connected IP (44.190.11.1)! That's the main reason why we delayed our migration to AMPRNet addressing, until we can install and validate appropriate security tools.
As we are an island, our subnets will be announced from two places only (our DCs in Ajaccio and Bastia), and all incoming traffic from Internet will arrive only via those two places. Our main security systems will be placed here. All communication to/from all the other sites on the island goes through those two DCs.
Our current (partially implemented) design is using:
*1/ Separate subnets* : Our network is split into two main categories ("zones"), with separate network interfaces and IP subnets:
- Full AMPRNET/HamNet : machines that will be accessible only through an AMPRNet address, and that will have no incoming access from the Internet
- What we called DMZ : machines that will require bidirectional communication with the Internet : XLX, Echolink, D-Star, DMR, Asterisk and other VoIP gateways, web server, meteo, webcams, etc. (typically using 44.190.11.0/24 space)

*2/ Firewalling* : We're using Shorewall. It's an open-source high-level layer over iptables. It allows an easier and more intuitive setup. It uses "zones", which IMHO is a must-have feature for firewalls.
*3/ Blocking known threats :* We're downloading blocklists from SANS (https://isc.sans.edu/api/threatlist?json) and we are adding them to the firewall blacklist table with a cron task.
*4/ Network Intrusion Detection and Prevention :* We would like to implement SNORT, which is free, and which provides a freely downloadable malware ruleset. It also offers more precise paid rulesets for businesses that can afford them, but I think the free version would do the job for us. Anyway, integration with our Shorewall firewall is not trivial, and requires some amount of work...
*5/ Fail2Ban* : If the previous tools are to be installed at the gateways, this one is to be installed on a specific machine. It scans application log files, and it can block unwanted incoming IPs based on their behavior, by issuing a "blacklist add" command to the local firewall. For example, our main web server (http://tknet.radioamateur.tk) uses WordPress. We have fail2ban plugins that scan Apache logs for known WordPress attacks (typically, brute-force attacks on the admin password). The main problem with Fail2ban is that it requires fine tuning of plugins, which themselves require fine knowledge about how the application works. It's not a "Plug and Play" setup. But lots of HowTos are available on the net for common applications such as Apache or Asterisk.
*6/ ToDo*
- How to secure a DNS server (I never installed a public DNS before)
- How to scan/check the security from the outside, and provide alerts? Is it possible to automate some things?
-- What about other security tools you are using on your networks? Do you know some good "scanners" that we could use to check our network security from the outside?
Thank you in advance. 73 de TK1BI
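As an added illustration of point 3 above (not code from TK1BI or from the SANS feed itself), here is a small Python script of the kind the cron task could run: it parses a threat-list JSON array, drops malformed and duplicate entries, refuses to import anything overlapping the network's own prefixes, and renders Shorewall blrules lines. The field name "ip" and the feed shape are assumptions; the sample feed is constructed, not real SANS data.

```python
import ipaddress
import json

# Prefixes an imported blocklist must never blackhole: the AMPRNet space the
# network is migrating to and the private range used before (from the post).
PROTECTED = [ipaddress.ip_network(p) for p in ("44.0.0.0/8", "10.44.0.0/16")]


def parse_threatlist(raw_json, ip_field="ip"):
    """Return sorted, deduplicated ip_network objects from a JSON array.
    The field name is an assumption about the feed; bad entries are skipped
    rather than allowed to abort the whole cron run."""
    nets = set()
    for entry in json.loads(raw_json):
        value = entry.get(ip_field) if isinstance(entry, dict) else entry
        if not value:
            continue
        try:
            nets.add(ipaddress.ip_network(str(value).strip(), strict=False))
        except ValueError:
            continue  # malformed address or prefix in the feed
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def filter_safe(nets, protected=PROTECTED):
    """Drop any entry overlapping a protected prefix, so a sloppy or poisoned
    feed cannot cut the gateway off from its own or the AMPRNet address space."""
    return [n for n in nets if not any(n.overlaps(p) for p in protected)]


def to_blrules(nets, zone="net"):
    """Render Shorewall blrules lines of the form: DROP <zone>:<prefix> all."""
    return ["DROP\t%s:%s\tall" % (zone, n.with_prefixlen) for n in nets]


# Constructed sample in the assumed feed shape (documentation addresses only).
SAMPLE = json.dumps([
    {"ip": "198.51.100.7"},
    {"ip": "203.0.113.0/24"},
    {"ip": "198.51.100.7"},     # duplicate of the first entry
    {"ip": "44.190.11.250"},    # inside our own AMPRNet space: must be refused
    {"ip": "not-an-address"},   # malformed: must be skipped
])


def build_rules(raw_json=SAMPLE):
    return to_blrules(filter_safe(parse_threatlist(raw_json)))


if __name__ == "__main__":
    print("\n".join(build_rules()))
```

In a real cron job the script would read the downloaded feed from a file and write the output to a blrules fragment before a `shorewall reload`.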