Re: Securing a Network - What's the most secure Network/Server OS? - Is there a secure way to use Shares?

[John Jasen <jjasen () realityfailure org>]

Chip Panarchy wrote:
<snip>
> ################################################################
> 1x Server (no need to go into specs, but let's just say 8GB of RAM and
> 2x Intel Quad CPU at 2.66GHz)
> 500x Windows Computers (400x Windows XP, 94x Windows Vista and 6x Windows 7)
> 80x Linux Computers (Ubuntu... and others?)
> 46x Mac OS X Computers (Including 10x Tiger, 34x Leopard and 2x Snow Leopard)
> 3x FreeBSD (2x v7, 1x v9)
> ################################################################

<snip>

> Now onto my question. For a convoluted network as pictured above,
> (hypothetical, of course), what kind of Server (NOS included?)
> operating system should I install, and how should I configure it?
>
> I want to know this only by a security standpoint. Things that are important;

If you're just focusing on the security of the base OS out of the box,
then OpenBSD would be the way to go.

By the time you bolt LDAP and SAMBA and NFS to the box, you've increased
your profile to the point of almost making the inherent security of the
base OS moot.

In a mixed environment such as yours, where about 80% seems to be
windows, you're probably better off starting with win2kx server, where
x=3r2 or x=8.

Windows clients do not like central authentication against anything
other than an AD server. Its possible, to various degrees, depending on
which way you go, but difficult. Additionally, you have to re-solve the
policy and package delivery problems that AD can help you with.

Linux and OS X systems can be configured to authenticate against an AD
server. If you run Win2k3r2 or greater on the AD box, or have installed
the Services for Unix extensions, its a lot easier.

> ############
> # SECURITY #
> ############
> - Encryption of all traffic (256-bit)

As others have mentioned, encryption is great for making sure the bad
guys can't see it. It can suck for allowing the good guys to see it.
What problem are you trying to solve?

> - Shares (if possible to have Shares and still maintain a secure network)

Define "secure". One definition of a secure box didn't include
networking, a floppy drive or cd. :)

You probably can have network shares and fall within the "acceptable
risk" for your business, which is an important distinction.

> - Centralised secure storage of Data (Storage)

The same applies here.

> - Centralised secure storage of User accounts

The same applies here.

> - Unattended installation of (at the very least) the 500 Windows boxes

Yes, this is possible with a windows server. Also with a server than
answers PXE, as I understand it.

> - Internet

Maybe its just me, but except for a home network or really cheap small
business, I would not be running my AAA (authentication, authorization
and access) server, storage server, and internet gateway all on the same
box.

You may need to break out these services into independent boxes: for
example, an AD controller on one; a linux kerbNFS+Samba on a second to
handle storage; and an openbsd firewall box handling the internet gateway.

<various snips here and below>


> 2. To make the Network fast (e.g. Gigabit NICs on all computers & more
> Servers etc.), as well as secure, what would I need to do?

A good switching solution with lots of backplane bandwidth; multiple
connections into your storage server; vlan traffic segregation; and
monitoring your network performance for congestion and working around them.

> 3. What is the best way to have 256-bit encryption of all traffic on
> this network?

Assuming you want to (see above), have you looked at ipsec?

-- 
-- John E. Jasen (jjasen () realityfailure org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring