Need help locking down and auditing a network

Trying to help a friend (not my network), but he’s looking to lock down his network and gain some visibility into what is going on.
Main needs:

  • Audit on file transfers across the network and for anything that leaves the network (like through VPN)
  • Stuff like SCP, SFTP, CIFS, etc.
  • Audit on files changed on disk (server and desktop)
  • Audit on files copied off a device (like to USB)
  • Audit on files being emailed out

Essentially, if a file is touched, copied, updated, etc., it needs to have a trail as to where it went (from IP, to IP, etc.).

When I say “audit” I’m looking for logging at a minimum and possibly reporting. I can build reports off the logs, so that’s no biggie.

Current infrastructure:

  • Cisco VPN
  • several Windows servers (3)
  • several workstations (10-20)
  • several iPhones and tablets (10-20)
  • several VoIP phones (10-20)
  • unknown firewall

As far as auditing files over the wire, I was thinking pfSense and Squid might work.

I was thinking even Nagios might work for emails.

For auditing stuff on the Windows servers/desktops, this could be implemented with an audit policy AFAIK, but I don’t think this would audit files copied to external media (may be wrong).

Any input would be great!

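The Windows audit-policy route the post asks about, as an added example that is not from the thread: it enables the File System, Removable Storage and File Share audit subcategories, puts a SACL on the folder behind a share (file-system auditing only fires on objects that carry one; Removable Storage auditing logs every access to a removable device without a SACL, which is what covers the "copied to USB" case), and pulls the resulting Security-log events into a CSV. The folder path, the `DOMAIN\staff` group and the output path are assumed placeholders.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# file server. DOMAIN\staff, D:\Shares\Projects and C:\Audit are assumed
# placeholders; adjust to the real environment.

# 1. Enable the audit subcategories that generate file-related events.
#    File System       -> 4663 (object accessed); needs a SACL on the object
#    Removable Storage -> 4663 for any access to a removable device, no SACL needed
#    File Share        -> 5140 (share accessed); carries the client IP address
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable

# 2. Put an audit ACE (SACL) on the folder behind the share so that reads,
#    writes, appends and deletes by the staff group are logged.
$Folder = 'D:\Shares\Projects'                                  # assumed path
$acl    = Get-Acl -Path $Folder -Audit
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'DOMAIN\staff',                                             # assumed group
    [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,AppendData,Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Pull the last 24 hours of 4663/5140 events and flatten the fields the
#    question is after: who, which object, what access, from which address.
function Get-FileAuditTrail {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 5140; StartTime = $Since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # 5140 names the share, 4663 names the file (or the removable device path)
            $object = if ($_.Id -eq 5140) { $d['ShareName'] } else { $d['ObjectName'] }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                User     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object   = $object
                Access   = $d['AccessMask']
                ClientIP = $d['IpAddress']          # only present on 5140
                Process  = $d['ProcessName']        # only present on 4663
            }
        }
}

Get-FileAuditTrail | Export-Csv -Path 'C:\Audit\file-access.csv' -NoTypeInformation
```

The same three `auditpol` lines belong in a domain GPO (Advanced Audit Policy Configuration) so the workstations log removable-storage access too; the CSV is only a stand-in for whatever collects the Security log centrally, because the event log on each machine is the first thing an intruder or a careless user clears.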

Hiring someone is your best choice.


They already got burned by a “Cisco” consultant… just trying to get some ideas to point him in the right direction.

Did they vet the guy? Look into his credentials and history?

Yeah, I know all about Cisco techs, as I’ve been banned from a forum for posting manufacturer recommendations, but the Cisco guy said I was wrong and an argument ensued (forget Linus and his “friendly” forum).
Yeah, Cisco is not on my like list.

Still, what the fellow wants is not a 5-minute setup, more like 5 weeks as employee usage scenarios are examined.

I think they tried* but are not tech savvy. I work as a SW dev and have been forced into doing more DevOps work, but am by no means a “security expert” lol. I looked at the consultant’s resume and it looked good I guess (on paper).

Problem is that anyone can lie on a resume. There is a guy in a bar that I go to who thinks he knows everything about IT but doesn’t know the difference between basic issues. He isn’t C level, but he apparently is some big-time director at a government contracting company.

Just because you have the certs doesn’t mean you know what you’re talking about.


I’ve reached out to my local OWASP meetup and am getting some feedback. I do appreciate the community feedback and will try to post the solution… once I figure out what it is lol

The way I’ve seen most companies implement this is by:

  • locking down internet access to a whitelist of predetermined websites, only accessible through a proxy that you control
  • locking down the LAN with 802.1X so you have a whitelist of machines allowed to connect
  • removing any privileges employees might have on existing through group policy (whitelisted binaries only, no plugging in USB things, …), thus forcing the use of a server where you have backups and audit logs

Typically you’d need 2 staff permanently employed who can manage this; it’s fine if they do other stuff (either for you or for someone else, but you need one on site all the time to ensure business continuity). They need basic Windows admin and network admin skill sets, and you need to hire them and pay them slightly above market to keep them (because there are only 2 of them; losing them is costly). You’ll probably be bringing in contractors once in a while to do “forklift work”.

I haven’t seen an office-in-a-box type guide for these kinds of setups, but they’re fairly common.

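The “no plugging in USB things” item from the reply above, as an added example that is not from the post: the Removable Storage Access policy that the group-policy editor writes under `HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices`, set here on the local machine so it can be tried on one test workstation before it is pushed as a domain GPO. The class GUID is the one Windows uses for removable disks; the deny-write variant still lets staff read a USB stick but blocks copying files onto it, which is the case the original question cares about. The function names are this example’s own.

```powershell
# Added example, not from the post. Run elevated on a test workstation; in
# production the same values are delivered by a domain GPO under
# Computer Configuration > Administrative Templates > System > Removable Storage Access.
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # device setup class: removable disks

function Set-RemovableStoragePolicy {
    param(
        [ValidateSet('DenyAll', 'DenyWrite', 'Allow')]
        [string]$Mode
    )
    $classKey = Join-Path $PolicyRoot $RemovableDisks
    New-Item -Path $PolicyRoot -Force | Out-Null
    New-Item -Path $classKey   -Force | Out-Null
    switch ($Mode) {
        'DenyAll' {
            # Blocks every removable storage class (disks, CD/DVD, WPD devices, ...).
            Set-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value 1 -Type DWord
        }
        'DenyWrite' {
            # Reads still work, so a stick can bring files in, but nothing can be
            # copied out or run from it. Clear Deny_All in case it was set earlier.
            Remove-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $classKey -Name 'Deny_Write'   -Value 1 -Type DWord
            Set-ItemProperty -Path $classKey -Name 'Deny_Execute' -Value 1 -Type DWord
        }
        'Allow' {
            Remove-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue
            foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
                Remove-ItemProperty -Path $classKey -Name $v -ErrorAction SilentlyContinue
            }
        }
    }
}

function Get-RemovableStoragePolicy {
    # Reports what is currently enforced, so the setting can be verified on a
    # box (or collected from every machine as part of the audit evidence).
    $root  = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $class = Get-ItemProperty -Path (Join-Path $PolicyRoot $RemovableDisks) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        DenyAll     = [bool]$root.Deny_All
        DenyRead    = [bool]$class.Deny_Read
        DenyWrite   = [bool]$class.Deny_Write
        DenyExecute = [bool]$class.Deny_Execute
    }
}

Set-RemovableStoragePolicy -Mode DenyWrite
Get-RemovableStoragePolicy
```

The policy is applied when a device is next enumerated, so reinsert the stick (or reboot) before concluding it does not work. A local registry edit is only for testing: a local administrator can undo it, which is why the reply above pairs it with removing those privileges through group policy.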

Not sure how to do this on a budget; my work addresses those goals with an array of tools that have licenses. I would be interested in open source alternatives just out of curiosity. Splunk did reduce its ingest license though :wink: