Wednesday, January 5, 2011
[Weak Current College] The top 10 common mistakes in network security design
Although we all know that network security is the most important part of enterprise information security, what I actually see is that many enterprises do not take network security design very seriously. Below I introduce several common errors in network security design; each of them affects the future security of the enterprise network.
1: Treating the design as finished
The first error I want to discuss concerns planning rather than network design itself. I usually call it the "design it once and stop worrying" error. Enterprises that commit it generally work hard to design a secure network, but then neglect to reassess that design regularly afterwards. Because network risks change constantly, the enterprise's network security design should evolve with them. The best approach is to review the network security design on a regular schedule.
2: Opening too many ports on your firewall
We all know that opening too many ports is bad, but sometimes several ports have to be opened anyway. Take Microsoft Office Communications Server 2007 R2: if you plan to make its functionality accessible from outside, you have to open a dozen or so ports. In addition, OCS 2007 R2 opens a large number of ports at random. What should the network security administrator do in this situation?
The best solution is a reverse proxy (such as Microsoft's Forefront Threat Management Gateway). The reverse proxy sits between the Internet and the internal server that needs multiple ports open. With this arrangement the server itself does not need a large number of ports exposed: traffic first passes through the reverse proxy, which blocks and filters it, and only then is it handed to the server. This design not only hides the server from the external network, it also helps ensure that malicious external requests never reach the server.
3: Mixing different applications on one server
In the economic crisis, enterprises are less willing to spend money on new equipment, so squeezing as much as possible out of existing equipment has become the only option. In this climate an enterprise will typically install multiple application services on a single server so that one machine plays several roles. This is not forbidden, but the computer industry has a rule of thumb: the more code, the more security vulnerabilities.
I am not saying that each server may only run one application or play one service role, but we should at least consider carefully which applications or service roles are merged onto a single server. For example, at a minimum Exchange 2007 requires three server roles (Hub Transport, Client Access, and Mailbox), and you can put all three roles on a single server. But do not do this if you want to provide Outlook Web Access to external customers. The Client Access Server role requires IIS in order to provide Outlook Web Access, so if you place the Client Access role on the same server as the Mailbox and Hub Transport roles, you expose your mailbox database to every hacker on the Internet.
4: Ignoring the workstations on the network
Last year a reporter interviewed me over the phone and asked what I think is the greatest threat to network security. My answer was: the workstations on the network are the largest network security threat. I still hold that view today. I constantly see enterprises hardening their network servers while at the same time ignoring every workstation on the network. Unless the workstation's security measures are very good, the employee using it can very easily let malware into the system without noticing.
5: Not using SSL encryption where it is needed
We all know that when a user has to enter sensitive information on a website (such as a user name, password, or credit card number), the site should use SSL to encrypt that information. But many enterprises get this wrong. I have seen many times that an enterprise mixes sensitive and non-sensitive information on the same page; when a user visits that page, the browser prompts the user whether to also view the non-secure content alongside the secure content. Most users, faced with this prompt, choose to display both the secure and the non-secure content, and that is how risk is introduced into network security.
A less obvious but more common error is that companies rarely encrypt certain key pages of their sites. In my view, any information relating to security, security equipment, and contact information should be served over SSL. This is not because that information is sensitive in itself, but because an encrypted page lets the user confirm that the site being visited is the official website rather than a look-alike phishing site.
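One defensive check for the mixed-content problem described above, as an added example that is not from the original post: a small Python scanner that flags http:// sub-resources or form targets inside the HTML of an https:// page (the page URL and HTML are constructed sample input, not a real site).

```python
# Added example (not from the original post): scan a page's HTML for
# resources or form targets that use plain http:// on an https:// page.
# The page URL and HTML below are constructed sample input.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes that fetch a sub-resource or submit form data
URL_ATTRS = {"script": ("src",), "img": ("src",), "link": ("href",),
             "iframe": ("src",), "form": ("action",)}

class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attr, absolute_url, severity)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in URL_ATTRS.get(tag, ()):
            raw = attrs.get(attr)
            if not raw:
                continue
            # relative and protocol-relative ("//host/x") URLs inherit https
            absolute = urljoin(self.page_url, raw)
            if urlsplit(absolute).scheme == "http":
                # a form posting over http leaks whatever the user typed
                severity = "high" if tag == "form" else "medium"
                self.findings.append((tag, attr, absolute, severity))

def find_mixed_content(page_url, html):
    """Return every http:// reference found in the HTML of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page_url must be an https:// URL")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings

PAGE_URL = "https://www.example.com/account"
SAMPLE_HTML = """<html><body>
<form action="http://www.example.com/login" method="post">
  <input name="user"><input name="password" type="password"></form>
<img src="/images/logo.png"><img src="//cdn.example.com/banner.png">
<script src="http://ads.example.net/track.js"></script>
<link rel="stylesheet" href="https://www.example.com/site.css">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, severity in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"[{severity}] <{tag} {attr}> loads over http: {url}")
```

Relative and protocol-relative references resolve to https and are not reported; only the login form and the tracking script in the sample are flagged.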
6: Using self-signed certificates
Because some enterprises completely ignore the importance of SSL encryption, Microsoft started including self-signed certificates in some of its products. This lets users browse the enterprise's web pages over SSL even when the enterprise's website has no certificate of its own.
Although a self-signed certificate is better than no certificate at all, it is not the same as a certificate issued by a trusted certificate authority. The main purpose of a self-signed certificate is to enable the software's security features until the administrator has put proper security measures in place. A self-signed certificate does provide SSL encryption, but the user will receive a browser warning that the system does not trust the certificate. In addition, some SSL-based web services (such as ActiveSync) are not fully compatible with self-signed certificates, because no trust relationship is established.
7: Logging too many security events
Although logging the various network events is important, it is also important to avoid an overly long log. An overly long log makes it hard for administrators to find the important security events. So instead of logging every system event, it is better to focus on the events that really matter.
8: Grouping virtual servers at random
Virtual servers are normally grouped onto hosts based on performance. For example, a virtual server running a demanding application is built on one host together with several virtual servers whose performance requirements are lower, which makes rational use of resources. From the viewpoint of resource utilization this is entirely correct, but from a security perspective it is not necessarily so.
From a security point of view, I suggest placing the virtual servers for Internet-facing applications on a separate host. In other words, if you need to build three virtual servers for Internet users, you can consider grouping those three virtual servers together on the same host, but do not place infrastructure servers (such as domain controllers) on that same host.
The reason for this recommendation is the virtual server overflow attack. In a so-called overflow attack, the hacker breaks out of one virtual server and in turn takes control of the host. I know that such an attack has not really been seen in real life yet, but I am sure it will come sooner or later. When that day comes, if other important virtual servers of the enterprise network are installed on the same host, it will be a disaster for the network administrators, and removing the threat will become much more difficult.
9: Member servers in the DMZ
Wherever it can be avoided, do not place any domain member server in the DMZ. Otherwise, once it is compromised, that member server is likely to reveal a great deal of information about Active Directory.
10: Relying on users to install patches
The last common network security design mistake this article covers is relying entirely on users to install security patches manually. Recently I have seen many corporate networks whose computers depend on the Windows Automatic Updates service for patching. Unfortunately, this kind of design requires the user to click to confirm the patch installation, and many users know that the system will restart after the patch is installed. To avoid that hassle, many users simply turn automatic updates off. So instead of leaving patch installation to the user, use a patch management solution that distributes system patches automatically to every computer, bypassing any user action.