
how-to-get-microsoft-esque-security-with-open

I was duly impressed with the recent ComputerWorld article about how Microsoft fends off 100,000 attacks per month. That is a lot of attacks! The article doesn't mention what Microsoft has spent on security, but my guess is: more than your company's revenues. So what is a poor company to do? It is like wine: it is easy to find a good $30 bottle; the challenge is finding a good $8 bottle (and we're talking magnum). Luckily, thanks to open source software and the many tools built into Linux, even the stingiest of companies can have good security.

It also occurred to me that we have already configured and tested most of these packages with our two-factor authentication system, which is much, much less expensive than smart cards.

I will take each element of the Microsoft security architecture and try to find a less expensive, often free, replacement. In addition to smart cards, Microsoft uses firewalls, IDS/IPS, Network Access Quarantine Control (NAQC), VPN, strong passwords, and webmail, IM and SharePoint for remote users. There are excellent choices in every area except NAQC. If anyone knows of a product or solution I'm missing, please add it in the comments.

Firewall, IPS, VPN, Antispam

This was easy: iptables for packet filtering, Snort for IDS/IPS, Nessus for vulnerability scanning, Tripwire for host file-integrity checking, OpenVPN and SpamAssassin, just for starters (Nessus and Tripwire find and detect problems rather than block traffic, but they belong in the same budget line). There are a lot of strong network protection tools in the Linux world. The Computerworld article really focused on 'letting the good guys in' in a scalable way, not on 'keeping the bad guys out'. I will note that OpenVPN is fast and easy to configure and, through its auth-pam plugin, can authenticate users against PAM on top of the usual client certificates. That will make your choice of two-factor authentication easier: anything with a PAM module, or reachable through one, plugs straight in.
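As an added example (not from the original post and not WiKID's own documentation), here is the server-side wiring that turns a one-time passcode into the VPN login: OpenVPN's bundled auth-pam plugin hands the username and password the client sends to a PAM service, and that PAM service forwards them to a RADIUS server, which is how a token server such as WiKID's is normally reached. The plugin and module paths, the certificate file names, the RADIUS address and the shared secret are all illustrative assumptions; the module itself is pam_radius_auth (packaged as libpam-radius-auth on Debian and pam_radius on Red Hat).

```conf
# ---- /etc/openvpn/server.conf (only the lines that matter here) ----
# Certificate/key paths are illustrative; yours come from your own CA.
port 1194
proto udp
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0

# Hand the username/password the client sends to the PAM service named
# "openvpn" (i.e. /etc/pam.d/openvpn). The plugin ships with OpenVPN; its
# path is distribution-specific (older builds name it openvpn-auth-pam.so).
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# Deliberately absent: "verify-client-cert none" (older name:
# client-cert-not-required). Keep the client certificate AND the passcode;
# the plugin on its own would turn the VPN back into a single-factor login.

# ---- /etc/pam.d/openvpn ----
# The auth-pam plugin runs the auth stack and then the account stack, so
# give the account stack something that passes. pam_radius_auth forwards
# the typed passcode to the RADIUS server named in its config file;
# "conf=" overrides the module's compiled-in default path (assumed here).
auth    required   pam_radius_auth.so conf=/etc/pam_radius_auth.conf
account required   pam_permit.so

# ---- /etc/pam_radius_auth.conf (mode 0600, root-owned) ----
# server[:port]   shared_secret    timeout_seconds   (constructed values)
10.0.0.5          s3cr3tSharedKey  5

# ---- client.ovpn (the one extra line the client needs) ----
# Prompts for username and the current one-time passcode and sends them
# inside the TLS session, so the passcode never crosses the wire in clear.
auth-user-pass
```

The thing to check after wiring this up is that a client with a valid certificate but a wrong or reused passcode is refused, and that a client with a correct passcode but no certificate is refused as well; if either gets in, one of the two factors has been silently disabled.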

Email & IM without VPN

To avoid the VPN getting bogged down, Microsoft remote users can log into Exchange and IM without being on the VPN. It is a little unclear from the article whether or not Microsoft uses two-factor authentication for these services, but I assume they do. So much critical information passes over e-mail these days that it would be silly to leave these services outside the VPN without strong authentication if you require strong authentication for the VPN. Luckily for our purposes, we can easily deploy Squirrelmail over HTTPS with two-factor authentication using saslauthd, Cyrus IMAP and imapproxy (more details here: http://www.wikidsystems.com/howtos/two_factor_webmail/). It is also surprisingly easy to configure a number of IM servers, such as Wildfire, for PAM authentication.
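As an added example (mine, not the post's and not the linked how-to's), here are the pieces of the webmail chain and, more importantly, why imapproxy is in it at all: Squirrelmail opens a new IMAP connection on every page load and re-sends the login, which is fatal for a one-time passcode unless something caches the authenticated session. File locations, the RADIUS-backed PAM module and the port numbers are assumptions for illustration.

```conf
# ---- /etc/imapd.conf (Cyrus IMAP, relevant lines) ----
# Plaintext logins go to saslauthd instead of the local sasldb. PLAIN is
# tolerable only because the proxy talks to Cyrus over localhost; the
# user-facing leg is HTTPS to Squirrelmail.
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: yes

# ---- saslauthd startup (/etc/default/saslauthd on Debian,
# /etc/sysconfig/saslauthd on Red Hat; assumed paths) ----
# "pam" makes saslauthd call PAM with the service name the client gave,
# which for Cyrus imapd is "imap".
MECHANISMS="pam"
# (Red Hat spelling of the same setting: MECH=pam)

# ---- /etc/pam.d/imap ----
# Assumed: pam_radius_auth pointed at the two-factor (RADIUS) server, so the
# "password" typed into the webmail login form is the one-time passcode.
auth    required   pam_radius_auth.so conf=/etc/pam_radius_auth.conf
account required   pam_permit.so

# ---- /etc/imapproxy.conf (up-imapproxy) ----
# Why the proxy is not optional here: Squirrelmail opens a fresh IMAP
# connection on every page load and re-sends the login. A one-time
# passcode is spent after the first login, so without a cached session
# every page after the first would be refused. imapproxy keeps the
# authenticated session open and re-uses it for the same user/password.
server_hostname localhost
server_port 143
listen_address 127.0.0.1
listen_port 1143
cache_size 3072
# seconds an idle cached session survives; this is the window in which the
# already-used passcode still "works" against the proxy, so keep it short
cache_expiration_time 300

# ---- Squirrelmail config/config.php (relevant values) ----
# Point the webmail at the proxy, not at Cyrus directly.
$imapServerAddress = '127.0.0.1';
$imapPort          = 1143;
$imap_server_type  = 'cyrus';
# Serve the UI only over HTTPS, e.g. Apache on :80 just redirects:
#   Redirect permanent / https://webmail.example.com/
```

Two things to verify once it is running: a second login attempt with the same passcode against Cyrus directly (port 143) should fail, proving the passcode really is one-time, and a Squirrelmail session should survive several page loads without re-prompting, proving the proxy is doing its job.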

Extranet sites

The section on setting up extranets was particularly interesting:

Microsoft IT has set up several SharePoint sites as secure password-protected extranets. More accurately, what Microsoft IT did was empower employees to set up their own SharePoint sites as intranets or extranets, depending on the target audience and sensitivity of the material, and post their own content.

So perhaps Microsoft is not using two-factor authentication for their extranets? Perhaps it is prohibitively expensive to deploy smart cards to non-employees? I'm guessing that the policy is that content shared with partners has to be password-protected and internal content must be protected by two-factor authentication. It is tough to do an apples-to-apples comparison, but I think it is safe to assume that you could provide similar functionality with a number of open source solutions, such as Plone, Mambo or Drupal. In particular, Plone has a good security track record and a robust, built-in access control system that can be managed per folder. You can also easily allow file sharing over SSH (SCP or SFTP), using WinSCP on the Windows side, for example; since SSH authenticates through PAM, the same two-factor credentials apply there.


Two-factor authentication

Smart cards are definitely only for the well-off. I could be wrong, but I think they have only been implemented by governments, oil companies and near monopolies. Microsoft claims (https://www.microsoft.com/technet/itshowcase/content/smartcrd.mspx) a cost of $70 per user for each smart card to start, plus a loss rate of 1.5% of cards per month at $26 per re-issuance. If my math is correct, that is 71,000 employees * 1.5% * $26 = $27,690 per month, or $332,280 per year, after an upfront investment of $4,970,000. I suspect it takes some scale to get to that number. WiKID's commercial two-factor authentication system starts at only $25 per user per year, and of course the open source version is free.

It is interesting that the article does not mention Microsoft using Terminal Services. I think remote desktop is an excellent solution if done securely, so I will add FreeNX to our solution. It is very fast and is tunneled through SSH for security. Since SSH supports PAM, strong authentication is not a problem. It supports remote X as well as VNC and RDP. You could argue that remote desktop encrypted with SSH is as secure as a VPN with quarantine capabilities: only screen updates and keystrokes cross the link, so an unpatched or infected remote PC never gets a network route into the LAN the way a VPN client does. It is certainly going to be faster for the end user.
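Both the FreeNX remote desktop above and the partner file sharing from the extranet section end up at the same daemon, sshd, so here is one added sshd configuration (mine, not from the post or the FreeNX project) that serves both: PAM-backed one-time passcodes for staff, and an SFTP-only chroot for partners. The group name, the chroot path and the RADIUS-backed PAM module are assumptions; FreeNX's own node.conf settings are not shown.

```conf
# ---- /etc/ssh/sshd_config (relevant lines) ----
# FreeNX rides on sshd, so once sshd asks PAM for the password, the NX
# login becomes a one-time-passcode login. Assumed: pam_radius_auth in
# /etc/pam.d/sshd, as for the VPN and webmail.
UsePAM yes
# Modules that prompt (one-time passcode) work through keyboard-interactive;
# with UsePAM, ordinary password auth also hands the secret to PAM.
ChallengeResponseAuthentication yes
PasswordAuthentication yes
PermitRootLogin no

# ---- the extranet file-sharing case: partners get SFTP only ----
# Each partner is jailed to their own directory, gets no shell, no port
# forwarding and no X11. "partners" is an assumed group name. sshd refuses
# the login unless every component of the chroot path is root-owned and not
# group- or world-writable, so give the partner a writable subdirectory
# (e.g. /srv/extranet/<user>/upload) rather than the chroot root itself.
Match Group partners
    ChrootDirectory /srv/extranet/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# ---- /etc/pam.d/sshd (auth line only; keep the distribution's account
# and session lines in place) ----
auth    required   pam_radius_auth.so conf=/etc/pam_radius_auth.conf
```

Run `sshd -t` before restarting to catch a misplaced Match directive (everything after a Match line belongs to that block), and test a partner account with WinSCP: it should land in its jail, and an attempt to open a shell or a tunnel should be refused.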

To sum up, here is an open source configuration comparable to the Microsoft infrastructure:

  • Defense: iptables, Nessus, Snort, Tripwire
  • VPN: OpenVPN
  • Email & IM: Squirrelmail over HTTPS with two-factor authentication through PAM. A Jabber (XMPP) server such as Wildfire or jabberd for IM.
  • Extranet sites: A CMS such as Plone. File sharing over SSH via WinSCP and PuTTY.
  • Remote Desktop – As a bonus we throw in FreeNX: remote desktop access secured by two-factor authentication and SSH encryption.

To be fair, most companies don't need the scalability that Microsoft needs and much of what is impressive about what they have done is based on scale. This post does not address that, but I'm convinced that these open source solutions will scale extremely well.
