Good point. It's a massive job, and sometimes it is best to look at those piecemeal. Start with small goals, and pick low hanging fruit--your example of the server room is good. Set it up with and IDS, a firewall, harden the hosts by turning off/removing unused/unneeded services, setting up tripwire, and encrypt all data on the drives, then look to password policy enforcement. Then start actively securing it (monthly audits, daily log checks, etc.). Doable. Then pick the next lowest hanging fruit and repeat. --patrick darden -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Naslund, Steve Sent: Friday, June 19, 2015 8:31 AM To: Stepan Kucherenko; nanog@nanog.org Subject: [EXTERNAL]RE: OPM Data Breach - Whitehouse Petition - Help Wanted I think one of their major issues is that they look at too much of the network at a time. If they decided they were going to secure a particular data center or building, they might be much better off. If they start with defending the servers from internal as well as external threats and then move toward the perimeter they might make progress. I think they look at the entire comprehensive network and end up with a number or a project that is too big to fathom. First thing would be current IDP/IDS technology so they would at least know where and what the threats are. Steven Naslund Chicago IL 18.06.2015 18:00, shawn wilson wrote:
I'd actually be interested in a discussion of how much you can possibly improve / degrade on a network that big from a management position.