Low budget network security solution

Started by PopeyesPappy, August 30, 2019, 07:48:24 AM


PopeyesPappy

I work for a company owned by a small Native American nation. The tribe has several companies that specialize in different things. One that does logistics. One that does facilities support. One that does weather forecasting. Another that does security work. One that just provides back-office support to the other companies. That kind of thing. Most, but not all, of our business is with the government.

Fucking government IT security regulations are killing us. The expense has been astronomical. A couple of months ago the boss pointed at me and said, "Find a way to cut costs!" I wrangled a budget out of him, got a lot of help from a couple of guys that don't know the first thing about systems administration, and we came up with this.



A bunch of used hardware running open source software. We are still testing and it hasn't gone live yet, but we are hoping to move everything over to this hardware in a couple or three months.

There are six separate networks. A guest network. One for VoIP. A redundant LAN. A redundant LAN that connects the servers to the SANs. A management network that just connects management ports. And a separate security management network.

We have two separate ISPs. WAN A is symmetrical 1 Gig fiber. WAN B is copper based, 1 Gig down and 35 Meg up. The routers are Dell R610s running pfSense. The servers are Dell R710s running CentOS. They are set up as a high availability cluster with four Dell R510s configured as SANs. Each of the 510s has 24 TB of drives, but each box is set up for RAID 6 and there are two mirrored pairs, so about 40 TB of usable storage. I don't even know what the hardware is for the security server. It is whatever we were using before we bought the Dell we are using now. It is running Security Onion. It is the master node and has a VM storage node for logging. Each of the routers and servers has a VM configured as a forward node for NIDS running Snort and Bro, and HIDS running Wazuh. The Security Onion master does the analysis. It integrates the Sguil, Squert, Kibana and CapMe tools into a single console.

One of the harder problems we are working on is that each company's VM has to be a stand-alone domain. That requirement is written in stone due to the kind of organization we are. While we employees often do things for multiple companies, the companies have to be completely separate entities. We can't even appear to look like divisions of the same company.

Another is two-factor authentication. We need something that will text most of us, but it needs to support a token-based system for people that sit in government facilities without access to cell phones.

Anyway, that's where we are going right now, but if any of you who got through this TL;DR post have suggestions on how we should do things differently, I'd be happy to listen. As I said, this is all being set up by a few guys with little to no experience in systems administration, and we are learning as we go...
Save a life. Adopt a Greyhound.
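On the token-based second factor mentioned in the post above: the standard that phone apps and most programmable hardware tokens implement is TOTP (RFC 6238), which is HOTP (RFC 4226) with a counter derived from the clock. The token needs no network or cell service; only the shared secret and a roughly correct clock. The block below is an added example written for this page, not code from the original poster or from any product named in the thread. It uses the RFC 6238 Appendix B test secret so the output can be checked against the published vectors; the 30-second step, 6/8 digits, and the one-step drift window are the common defaults, and the `last_counter` argument is the replay check a verifier must keep per user.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP as used by offline
hardware and software tokens. Not code from the original forum post."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
# Used only so the results can be compared with the published vectors;
# a real enrollment uses a fresh random secret per user.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the counter the code matched, or None.

    window: how many steps of clock drift to tolerate in each direction.
    last_counter: highest counter already accepted for this user; any code
    at or below it is rejected so a captured code cannot be replayed.
    """
    if len(code) != digits or not code.isdigit():
        return None
    now_counter = int(for_time) // step
    for drift in range(-window, window + 1):
        candidate = now_counter + drift
        if candidate <= last_counter:
            continue
        # constant-time compare so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 form tokens and apps are enrolled with
    (spaces and missing '=' padding are tolerated)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("current code:", totp(RFC6238_SECRET, time.time()))
    print("RFC vector T=59:", totp(RFC6238_SECRET, 59, digits=8))   # 94287082
```

The verifier has to store the accepted counter per user and refuse anything at or below it; with a ±1 window and no replay check, a code shoulder-surfed from a token stays usable for up to 90 seconds. Tokens that drift past the window need re-synchronization, which is the usual reason to keep the window small rather than widen it.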

Baruch

The government prefers to work with giant private corporations, who make campaign contributions.  I have until recently been involved in military-level computer work.  We converted to two-factor access about 10 years ago.  Government contractors only caught up 5 years ago, after massive civilian gov failures.  You have to be fully tied into the Pentagon as the top node (chain of trust on email etc.).  The military is more successful than the pathetic failures of the civilian agencies (GSA/OMB).  As a government-associated entity, you have to play ball by their rules.  And like unfunded mandates of Congress, paying for it is your problem.  Of course, being part of the government network, back doors are included, that only Cyber Command and NSA have access to.  This is modern legal wiretapping.

So I wish you luck.  If you don't have the local expertise to bring your organization to DoD level security, then the usual rule is to hire a recent retiree from Cyber Command or NSA.  Double dip is the trip.  And cyber weaknesses develop daily.  It is a full time job for one or more people to secure just one network, preferably one and a spare.

The only low budget solution is to not connect at all.  Already in 1991, that was the policy of one commercial outfit I worked for.  Dynamic live connection is simply too dangerous and too expensive.
Ha’át’íísh baa naniná?
Azee’ ła’ish nanídį́į́h?
Táadoo ánít’iní.
What are you doing?
Are you taking any medications?
Don't do that.

PopeyesPappy

Full compliance wasn't required by run-of-the-mill contractors until '17. We have been there since '17, but it has been expensive. Microsoft CALs alone are killing us, and management of our servers is currently being outsourced. That isn't cheap either. The way I see it, our main avenue for savings is going to be open source software. If we can keep using CentOS there is zero software cost for our server OS, but even if we have to swap to Red Hat it is going to be cheaper than Microsoft. Some of the other open source tools available for network security require subscriptions too if you want the latest updates as soon as they are available, but once again those are cheaper than something like Barracuda.

We aren't on the government network. I don't even want to think about being on the government network. The people we have that are on the government network use GFE computers and software. But you don't have to be connected to the government to be required to follow their rules, and their rules are getting more expensive every day.

Baruch

Good clarification.  Yes, for a more intimate relationship with Uncle Sam, GFE is the way to go.  But if you don't have local expertise, you pretty much have to outsource the security, if not the whole setup.  Unfortunately this puts on the squeeze.  Your existing contract didn't figure in expenses that developed after the start of contract.  That is the fault of the contract.  Growing room, or you have to tighten your belt elsewhere to pay for the increased IT expenses.

Now, not saying you shouldn't be on Linux ... but the Fed heads don't like you to be on anything other than MS Server.  Unless it is highly specialized with your own cadre of IT experts ... like the NSA server farm.  Even CIA outsourced to Amazon.

PopeyesPappy

Quote from: Baruch on August 30, 2019, 04:06:49 PM
Your existing contract didn't figure in expenses that developed after the start of contract.  That is the fault of the contract.  Growing room, or you have to tighten your belt elsewhere to pay for the increased IT expenses.

It's called an escalation rate. The government understands escalation rates, but they don't like them. They insist that escalation rates be kept low. A small business like ours is lucky if we can get 2.5% a year. The average contracting officer doesn't really care if new government requirements drive up costs beyond that point. You can request an equitable adjustment, but it has been my experience that those are few and far between.