Friday, May 16, 2008

iPrism experiences

We're using a St. Bernard iPrism for our filtering here, and it's been a stellar product to work with. Here's a taste of what we've seen when using it:

- An improvement in the amount of perceived "wasted time"
- A great job in filtering out the bad content (porn, etc.)
- An excellent job in reducing the amount of malware-related materials. As an example, we don't have an enterprise anti-malware/spyware solution. The iPrism blocks malicious sites, and that takes care of almost all instances
- A reduction in the amount of viruses our virus-scanners have to address

These are all great examples of why the iPrism has been a big win for us. However, I've recently had 2 issues:
- There is no "social-networking" type of monitor. It's currently all or nothing. Other competitors are now coming out with these features, and it appears to be a hole in iPrism's lineup. I need an elegant way to handle social networks.
- IP spoofing: I've recently (over the last 3 days) had a LOT of issues with blogger.com. It appears that Google (who owns Blogger) distributes their servers, and this has caused a lot of issues with IP spoofs. I'm talking to them now about blogger.com. It seems that any time I need to write a blog post (or anyone else here does), the "Sign in" bar, etc. is blocked. The "blogger.ch" domain is marked as pornography/nudity, and at the same time, if I add an IP-Hostmap entry, it works just fine.

Would I buy the iPrism again? Most likely.
Would I renew our support/updates contract again? Definitely.

So, are there any other iPrism users out there who can enlighten me?

Thursday, May 15, 2008

Security Hardening? Windows, Linux?

Here at Calvary I run a few different OS'es for my services: Windows Server 2003 (not R2 yet), Ubuntu Server Edition LTSP, Windows Server 2003 Storage Edition, and pfSense (via FreeBSD).

I read this article over on ars technica about SSH attacks rising (for the short-term it seems). I also read a good portion of the discussion that followed in the forums. The following comment got me pretty good.

Posted by "Muerr":
SANS suggests using the CIS Benchmarks (http://www.cisecurity.org/) as a starting point for hardening your systems according to the Defense In Depth principles taught in SANS courses.

Part of the security implementation should include disabling remote root login from ALL services, not just SSH. In fact, all unnecessary services should be stopped and disabled completely. If you must log in as root remotely through SSH, use the option "PermitRootLogin without-password", which will enable SSH key authentication only. TCP Wrappers are also desirable, as part of a 'default deny' security stance, only allowing specific IPs or networks to connect to the sshd daemon.

Security through obscurity is only "good" against casual attacks. A dedicated attacker will find your SSH daemon running on port 10783 or wherever, because they're going to do a full port scan first.

I encourage everyone to read the CIS Benchmarks to get started on securing their Linux and Unix systems. That goes for Mac OS X - if they don't have a benchmark, check out one of the BSD documents, since the Mac OS X kernel, Darwin, is based on BSD.

Also, SANS provides a number of papers on security in their reading room, and of course, their training courses are probably the best in the industry. http://www.sans.org/
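To make the two concrete settings in Muerr's comment checkable, here is an added example (my own illustration, not code from the quoted comment, the Ars article, or the CIS Benchmarks). It audits an sshd_config the way sshd itself reads it, since sshd keeps only the first value it sees for a keyword and a "PermitRootLogin no" appended at the bottom of the file does nothing, and it models the TCP Wrappers default-deny stance for sshd. The two sample config files, the hosts.allow/hosts.deny lines and the network addresses are constructed for the example; the check for PasswordAuthentication goes one step past the comment, which only talks about root.

```shell
#!/bin/sh
# Added example, not from the original post or Muerr's comment: audit an
# sshd_config as sshd reads it, and model the TCP Wrappers "default deny"
# stance. Sample configs and addresses below are constructed for illustration.

# sshd uses the FIRST value it sees for a keyword and ignores later duplicates,
# so an audit must read the file the same way. Keywords are case-insensitive,
# and the global section ends at the first "Match" block.
sshd_effective() {
    # usage: sshd_effective /path/to/sshd_config Keyword
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Prints one "FAIL ..." line per problem to stderr and the number of findings
# to stdout (0 means the file passes both checks).
audit_sshd_config() {
    cfg=$1
    n=0

    # Remote root must be key-only ("without-password"; newer OpenSSH spells it
    # "prohibit-password") or off. The compiled-in default is "yes".
    root=$(sshd_effective "$cfg" PermitRootLogin)
    case ${root:-yes} in
        no|without-password|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=${root:-yes} (want no or without-password)" >&2
           n=$((n + 1)) ;;
    esac

    # The SSH attacks in the article are password guessing; once keys are
    # deployed, turn passwords off for everyone (default is "yes").
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" != no ]; then
        echo "FAIL PasswordAuthentication=${pw:-yes} (want no)" >&2
        n=$((n + 1))
    fi

    echo "$n"
}

WORK=$(mktemp -d)
WEAK_CFG=$WORK/sshd_config.weak
HARD_CFG=$WORK/sshd_config.hardened

# Constructed "as installed" file: root allowed, and the "PermitRootLogin no"
# an admin appended at the bottom is silently ignored by sshd.
cat >"$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, but sshd keeps the first value above:
PermitRootLogin no
EOF

# Constructed hardened file along the lines of the comment. The Match block
# re-enables passwords for one account only and does not affect the global check.
cat >"$HARD_CFG" <<'EOF'
Port 22
permitrootlogin without-password
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

# TCP Wrappers: with these two files, an sshd built with libwrap answers only
# the listed network and drops everyone else before authentication begins:
#   /etc/hosts.allow   sshd: 192.168.1.0/255.255.255.0
#   /etc/hosts.deny    sshd: ALL
ALLOWED_NETS="192.168.1.0/255.255.255.0"   # constructed management LAN

ip2int() {
    # dotted quad -> integer; assumes a well-formed IPv4 address
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Does client $1 fall inside the hosts_access "net/mask" pattern $2?
in_netmask() {
    net=${2%/*} mask=${2#*/}
    [ $(( $(ip2int "$1") & $(ip2int "$mask") )) -eq \
      $(( $(ip2int "$net") & $(ip2int "$mask") )) ]
}

# hosts.allow is consulted first; anything not matched there falls through to
# the catch-all "sshd: ALL" in hosts.deny. Prints "allow" or "deny".
wrapper_decision() {
    for pat in $ALLOWED_NETS; do
        if in_netmask "$1" "$pat"; then echo allow; return; fi
    done
    echo deny
}

main() {
    for f in "$WEAK_CFG" "$HARD_CFG"; do
        printf '%s: %s finding(s)\n' "$f" "$(audit_sshd_config "$f")"
    done
    for ip in 192.168.1.42 203.0.113.9; do
        printf 'sshd from %s: %s\n' "$ip" "$(wrapper_decision "$ip")"
    done
}
main
```

Two caveats worth keeping in mind when applying this for real: the wrappers rules only take effect if sshd was compiled with libwrap (or runs under inetd with tcpd), so check `ldd $(which sshd) | grep wrap` before relying on them; and the audit reads one file, so anything pulled in from an `Include` directive on newer OpenSSH, or set on the command line with `-o`, is not seen.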

How hardened are my systems? How hardened are most churches' IT assets? Do we pay much, if any, attention to "hardening" a system after setup/installation? Should we?

I know that we pretty much block anything from coming into our network at the firewall level (security through deny all).

What do you do, if anything, to "harden" your systems?