Monday, March 16, 2009

Identification, Naming Conventions and Color Coding

Or a Rose by any other name is hard to correctly identify

Technology is simple. Here’s a summary...

Scrape the tape,
Pop the top,
Twitch the switch,
Put what you got in the slot,
Load the code…

Well, not exactly. There is a little more to it than that if you do it right.

Let’s start at the very beginning because that is the very first opportunity we have to make mistakes.


A naming convention, labeling practices, color coding and use of a change log and auditing methodology can help you stay organized, improve problem resolution times and minimize mistakes with security consequences.

Here’s how easily things can get out of control. I had been working with a client that has maintained two unconnected networks for internal production and Internet connectivity. The reasoning was straightforward and simple: if you’re not connected you can’t be compromised. I’ve been telling them for years that they would be more secure connected, where hosts could stay patched and network access could be controlled, logged and audited. My time has finally come and I am replacing firewalls, reconfiguring the topology and adding redundant ISP services in preparation for the collapse of these networks into a single topology. During the process of testing the load-balancing ISP NAT configuration I was very surprised to see inside addresses from the production network being translated on the outside of my new Internet firewall cluster. Remember, these are totally isolated networks, or so they thought. Obviously things are not always as they seem. It would seem that similar switches in a common rack in a common wiring closet and same-color patch cables have resulted in an inadvertent connection between the two systems. The production network gateway and DNS servers are logically isolated from the outside and provide no Internet resolution, so the client was completely unaware of a potential security fiasco.

Practical Advice:


Label the cable, pathways and spaces.
Adopt a labeling and color coding standard such as the ANSI/TIA/EIA 606-A Administrative Standard and make your contractors, consultants and peers use it religiously. You don’t have to adopt this standard verbatim, but its principles should apply. Know where your horizontal cabling, backbone cables, grounding and bonding systems and telecommunication outlets terminate. Use a labeling convention that identifies, for instance, the floor, closet, rack, panel and port at each data outlet.

Example:


0047-1A-1A45
UTP cable originates in Building 047, Telecommunications Room 1A, in Rack #1, Patch Panel A, Port 45.
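A small parser and duplicate check for labels in the layout of the example above, added here as an illustration and not part of the original post. The BBBB-RR-PXNN breakdown (building, telecom room, rack number plus panel letter, port) is my reading of that one example, not the full 606-A specification, so adjust the pattern to whatever your own site adopts.

```python
import re
from dataclasses import dataclass

# Assumed layout from the post's example "0047-1A-1A45":
#   building (4 digits) - room (digits + optional letter) - rack (digits) panel (letter) port (2 digits)
LABEL_RE = re.compile(
    r"^(?P<bldg>\d{4})-(?P<room>\d+[A-Z]?)-(?P<rack>\d+)(?P<panel>[A-Z])(?P<port>\d{2})$"
)


@dataclass(frozen=True)
class CableLabel:
    building: int
    room: str
    rack: int
    panel: str
    port: int

    def __str__(self):
        # Canonical spelling of the label, used as the key for duplicate detection
        return f"{self.building:04d}-{self.room}-{self.rack}{self.panel}{self.port:02d}"


def parse_label(text):
    """Parse one cable label; raise ValueError if it does not follow the convention."""
    m = LABEL_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"label {text!r} does not follow the BBBB-RR-PXNN convention")
    return CableLabel(int(m["bldg"]), m["room"], int(m["rack"]), m["panel"], int(m["port"]))


def describe(label):
    """Human-readable location, in the same wording the post uses for its example."""
    return (f"Building {label.building:03d}, Telecommunications Room {label.room}, "
            f"Rack #{label.rack}, Patch Panel {label.panel}, Port {label.port}")


def audit_labels(labels):
    """Return (duplicates, malformed) from a cable schedule; two cables with one label
    is exactly the kind of ambiguity that lets an unintended cross-connect go unnoticed."""
    seen, dupes, bad = set(), [], []
    for raw in labels:
        try:
            key = str(parse_label(raw))
        except ValueError:
            bad.append(raw)
            continue
        if key in seen:
            dupes.append(key)
        seen.add(key)
    return dupes, bad
```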

Manage your pathways, spaces and racks. This effort pays big dividends in reduced administration and improved problem resolution times down the road. Your cabling contractor should be very familiar with this standard and its principles.

Network Electronics, Routers and Switches:


Physically and logically label all devices with a naming convention that identifies its purpose or use, and configure electronic port or interface labels to identify mission-critical equipment connections.

Example of a Cisco configuration:

hostname CC50_InterValve
!
interface GigabitEthernet0/2
description Embark Internet Interface
!
interface Serial0/2
description Crosstown Complex, circuit ID # FL-0000-2236472-XX

An exception to the descriptive electronic name applies in the case of edge devices or those with publicly routable addresses. Although “security by obscurity” ranks really low in terms of effective security strategies, Internet routers, firewalls and wireless devices shouldn’t be named “bastion_host” or “super_secret_FW” or indicate the company name or specific location. These names imply a purpose and a challenge to the wrong people and may open the consultant to liability issues. Names like “SWI_Valve1” or “Gate_SB50” are far less interesting to an attacker.

Network Host Devices:

Here you can be a little less descriptive in the machine name, opting for important but never-changing information like the manufacturer, serial number or asset tag and acquisition date, e.g. “Dell_34672_07”. This naming convention does little to help you locate the machine, but PCs and printers may move from person to person or be redeployed or repurposed into another department or division. Make use of the “Computer Description” field on the Windows Computer Name tab of the computer properties, or similar “Comment” fields for other equipment. These fields can be easily changed when machines are moved, redeployed or repurposed, and show up in the detail view of the network browser.

Name              Computer Description
HP_34672_07       Bldg J, HR, Rm 102. Jackie M., ext 5427
Dell_222476_08    Bldg C, Lobby, Public Kiosk #1
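An inventory audit that applies the two naming rules from the sections above (the Manufacturer_Serial_YY host convention with a populated Computer Description, and the caution about revealing names on edge devices), added as an example rather than taken from the original post. The regex, the list of revealing words and the company name “ExampleCo” are my assumptions, and the inventory records are constructed.

```python
import re

# Assumed host pattern from the post's examples "Dell_34672_07" / "HP_34672_07":
# <Manufacturer>_<serial number or asset tag>_<two-digit acquisition year>
HOST_RE = re.compile(r"^[A-Za-z]+_[A-Za-z0-9]+_\d{2}$")

# Words that give away purpose on an Internet-facing device; constructed from the
# post's "bastion_host" / "super_secret_FW" examples, extend for your own environment
REVEALING = ("bastion", "secret", "firewall", "fw", "dmz", "vpn")


def check_host(name, description="", edge_device=False, company="ExampleCo"):
    """Return a list of findings for one inventory record; an empty list means compliant."""
    findings = []
    low = name.lower()
    if edge_device:
        # Edge devices follow the opposite rule: the name must NOT say what the box does
        for word in REVEALING + (company.lower(),):
            if word in low:
                findings.append(f"{name}: edge device name reveals purpose or owner ({word!r})")
                break
        return findings
    if not HOST_RE.match(name):
        findings.append(f"{name}: does not match the Manufacturer_Serial_YY convention")
    if not description.strip():
        findings.append(f"{name}: Computer Description is empty, location and owner unknown")
    return findings


def audit_inventory(records):
    """Run check_host over a list of {'name', 'description', 'edge'} dicts."""
    findings = []
    for rec in records:
        findings.extend(check_host(rec["name"], rec.get("description", ""), rec.get("edge", False)))
    return findings


# Constructed sample inventory, not real hosts
INVENTORY = [
    {"name": "HP_34672_07", "description": "Bldg J, HR, Rm 102. Jackie M., ext 5427"},
    {"name": "Dell_222476_08", "description": "Bldg C, Lobby, Public Kiosk #1"},
    {"name": "Dell_98765_09", "description": ""},            # moved, nobody updated it
    {"name": "Gate_SB50", "edge": True},                     # fine: says nothing useful
    {"name": "super_secret_FW", "edge": True},               # gives the game away
]

if __name__ == "__main__":
    for line in audit_inventory(INVENTORY):
        print(line)
```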

Printers show up in the network browser the same way, so they can be named similarly. In the Printers applet on individual Windows PCs, printers are named for their device driver by default, but the name can be changed if necessary to something descriptive for the end user, like this.

Research_HP_LaserJet_4050N

Network Management:

There is an abundance of network management tools for every conceivable need. Some are free and some are commercial applications. Some are single purpose and some are feature rich, but inevitably you will need the capability to perform an administrative task that is not supported by whatever you have. One of the best and most effective management tools for a large network deployment is an administrator with scripting skills. VBScript, KiXtart, Windows Script Host, AutoIt and numerous other languages are relatively simple to learn and offer the ability to rename machines, add comments, change or add device drivers, perform inventory, etc.

ANSI/TIA/EIA 606-A Implementation Example-
http://net-services.ufl.edu/infrastructure/labelstandardhorizontal.htm

ANSI/TIA/EIA 606-A Standard quick reference- this is an expansive standard. Here is a summary.
http://74.125.47.132/search?q=cache:bzuzMHx14kwJ:www.flexcomm.com/library/606aguide.pdf+ansi/tia/eia+606a&cd=1&hl=en&ct=clnk&gl=us
KixTart Scripting Language-
http://www.kixtart.org
