No Budget Security Ideas: Part 1
I’ve talked to a few people recently who have control system security responsibility but are on a very tight or non-existent budget. Some things, like the network taps that we discussed recently, do have significant cost but there are many basic security steps that can be taken with little or no capital expense. We’ll identify some of these low or no-cost actions in this blog series starting with the network perimeter in this post.
First one up is simple: review and document your firewall rules. Do you really know what traffic is allowed between your critical control devices/servers/workstations and other networks? This will cost a little time but no cash outlay. The results are almost always surprising. There will likely be something that can be improved on or holes that can be eliminated — that port that was opened for testing last Fall or other holes that are no longer needed.
An extension of this first recommendation is to use the information you learned by reviewing firewall rules to update your network diagrams. When I had network security responsibility, I always maintained a firewall-centric diagram in addition to traditional network representations. It would illustrate all the inbound and outbound communication from various security zones. This is extremely useful for communicating in meetings and you get bonus points if you can reproduce relevant parts of it on the whiteboard when needed.
And, for the more advanced crowd, how about an automated process that reports on firewall and router configuration changes? There are commercial products, but this is a no-budget post so you might want to check out RANCID — not the punk rock band — the free “config differ” software from Shrubbery Networks that logs into your network devices and maintains a history of changes. It will send e-mail alerts if something has changed which can be incredibly valuable for keeping network admins honest and enforcing change control policies. Just be sure you know what you’re doing when you set up RANCID because your configs and SSH passwords/keys will be stored on the server.
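The change-detection idea behind RANCID, as an added example that is neither the post's nor the RANCID project's code: it assumes the running config has already been pulled from the device (by RANCID, a cron job, or by hand) and that the handful of volatile line prefixes below are the ones to ignore; both the prefixes and the sample configs are constructed for this example.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

# Lines that change on every pull but carry no configuration meaning; RANCID
# filters similar noise. These prefixes are assumptions for this example.
VOLATILE_PREFIXES = ("! Last configuration change", "! NVRAM config last updated",
                     "ntp clock-period")

def normalize(config: str) -> list[str]:
    """Drop volatile and blank lines so that only real changes show up in the diff."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.startswith(VOLATILE_PREFIXES)]

def config_diff(old: str, new: str) -> list[str]:
    """Unified diff between two normalized snapshots; an empty list means no change."""
    return list(difflib.unified_diff(normalize(old), normalize(new),
                                     fromfile="previous", tofile="current",
                                     lineterm="", n=1))

def record_and_report(device: str, new_config: str, history: Path) -> list[str]:
    """Keep a per-device history keyed by content hash and return the diff against
    the last stored snapshot (empty on the first pull or when nothing changed).
    The returned lines are what you would e-mail to the admins."""
    dev_dir = history / device
    dev_dir.mkdir(parents=True, exist_ok=True)
    latest = dev_dir / "latest.cfg"
    diff = config_diff(latest.read_text(), new_config) if latest.exists() else []
    if not latest.exists() or diff:
        digest = hashlib.sha256(new_config.encode()).hexdigest()[:12]
        (dev_dir / f"{digest}.cfg").write_text(new_config)   # immutable history entry
        latest.write_text(new_config)
    return diff

# Constructed sample configs: the second pull adds one permit rule and changes
# only a volatile timestamp otherwise, so the report should show a single "+" line.
OLD = ("! Last configuration change at 10:00\nhostname fw1\n"
       "access-list 101 permit tcp any host 10.1.1.5 eq 502\n"
       "access-list 101 deny ip any any\n")
NEW = ("! Last configuration change at 11:00\nhostname fw1\n"
       "access-list 101 permit tcp any host 10.1.1.5 eq 502\n"
       "access-list 101 permit tcp any any eq 23\n"
       "access-list 101 deny ip any any\n")

def demo() -> list[str]:
    """Run two pulls against a throwaway history directory; return the second diff."""
    with tempfile.TemporaryDirectory() as d:
        record_and_report("fw1", OLD, Path(d))
        return record_and_report("fw1", NEW, Path(d))

if __name__ == "__main__":
    print("\n".join(demo()))
```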
So that wraps up Part 1 of the series. Have a no-budget control system security challenge or idea you’d like us to cover in a future post? Leave it in the comments or send an e-mail.
Author: Jason Holcomb
Posted: February 11th, 2009 under Firewall / Perimeter, Security Tools.
Comments: 2
Comments
Comment from Ron Southworth
Time: February 13, 2009, 2:41 am
Hi Jason,
I am agreeing with you but I would go even further.
People, Policies, Processes and Paperwork are great places to target to make some real improvements in system security along with not just describing firewall configurations. Having good documentation of the system, including configuration information and information flow diagrams, is all useful to develop that all-encompassing change management program.
Another tool for owners and operators is the CS2SAT tool. For those utilities like my salt mine that are cash strapped, at least on security line items, this tool is very helpful in assisting in gathering all of this baseline information. The tool is available from some of the people you guys have had as speakers on your podcasts (so I am not advertising any “competition” or conflict of interest stuff).
There are also a few tools available from Sandia that are quite useable as well. The tool you mention sounds like a great tool if you are a Cisco customer; some of us are not (for better or worse).
All of this stuff is labour intensive and does not take a lot of capital outlay, just time.
Many Thanks
Comment from Jason Holcomb
Time: February 13, 2009, 10:34 am
Ron,
Thanks for the comments. Definitely agree on all the “P’s”.
For those who are interested, more information on CS2SAT can be found here: http://www.scadapedia.com/index.php/CS2SAT.
RANCID is not for everyone. Probably should clarify that even though Cisco is part of the acronym, it does support many other devices and could likely be customized to work with just about anything. Here’s some text from the Shrubbery site: “Rancid currently supports Cisco routers, Juniper routers, Catalyst switches, Foundry switches, Redback NASs, ADC EZT3 muxes, MRTd (and thus likely IRRd), Alteon switches, and HP Procurve switches and a host of others.”