I'm Efstratios Gavas. I am a professor at the US Merchant Marine Academy. I am also a PhD student at Brooklyn Polytechnic, where I'm working on hardware security and various other random things: forensics, anonymity, kind of annoying my professor in general. So my talk is on asymmetric defense. It's kind of my experience of running a small, unfunded IT shop, which I'm sure a lot of people can relate to.

The gist of this talk is that if you're running a small shop, you don't have the necessary resources and time and people and all that to do what is supposed to be done properly. At the Merchant Marine Academy, we compete in the Cyber Defense Exercise. In that, there are other DoD academies and such that get lots of funding. They do a great job. They can follow proper procedures and all that. At the Merchant Marine Academy, we're kind of left on our own. We don't get any funding. We're kind of out there by ourselves. So this is my experience in teaching the students to try to get the best bang for their buck and all that sort of stuff.

What we do in general breaks a lot of what is considered to be best practice. That's because best practices are generally designed for programs and places that have resources and time and money, and where there's buy-in from, whatever, the administration for security, which doesn't just look at it as kind of an excess, unnecessary expense. So if you're in that group, which I'm guessing some people are, what I hope that you take away from this is that simplicity is the only way you're going to get by. If you try to make it complicated, if you try to buy in some solutions that you don't really understand, you're not going to be more secure. You're going to spend more money. You're going to be more confused. But you're not going to be more secure. You need to understand what you have and do it well.
If you can't provide a service you understand, then don't provide that service, I guess, or really try to figure out a simple solution for that. It's key. It's very key that you get it down to the most basic possible configurations. Don't be afraid of your systems. For a lot of people, it's often easy to be intimidated by the equipment or by a vendor telling you not to mess with it. If a vendor is telling you not to mess with his equipment, then dump the vendor and put in something else.

So a little more about the academy. It was established to train merchant mariners. Most people don't know what the hell a merchant marine is. They're the guys that run those big, giant ships, the ones that ferry in all of that crap that you buy. They're under the Department of Transportation, which is different than the other academies. The other academies are under DoD and DHS. And it's the smallest of the five service academies, in that you've heard of West Point, you've heard of Annapolis, you haven't heard of the Merchant Marine Academy. Unless, of course, you're in the shipping industry; then you know what the hell they are. They'll graduate, and they'll go on to do various things. The standard kind of life of a merchant mariner is to come through the academy and end up as a Navy reservist. But they'll end up in the Coast Guard or whatever, active duty.

This year we had some foreign participation in the Cyber Defense Exercise, which was nice. The Royal Military College of Canada got to participate. They're a really good group of people. And in general, all of the people that participated are really great. There's a lot of sharing and a lot of support amongst all of the academies. Even though we razz each other, even though we think that maybe the Coast Guard Academy isn't so great, we do actually support one another. And it's a good environment. I'm glad that the academy is participating. It's a good learning experience. So we have postgraduate schools.
We have undergraduate schools. The postgraduate schools don't participate in the prize, per se, but they're just there to kind of lead the bar and whatnot. So in the CDX, the midshipmen were responsible for setting up all sorts of mock enterprise systems. They're given a budget. And that budget was to reflect not only the cost of, say, hardware, but also the cost of labor to administer that particular service. For instance, we couldn't just say, hey, it's a free virus scan or a free firewall on every single workstation, because these workstations are supposed to represent hundreds or thousands of computers. So it would be unreasonable to walk around and administer them individually. So they were trying to reflect the costs of a large group and various other things along those lines. So even though all of the products are generally open source, or free, they're not free to implement, not free to use. They do have a cost in terms of operational costs.

And then they have to try and administer this network that they were given, after they cleaned it up, during a live exercise where the NSA is attacking them. In that same time, they're also given these injects where they have to do various things: change DNS configurations, respond to a general's orders, or something along those lines, and the standard reporting mechanisms to say, we're under attack at this point, we want to block these IPs. So they're trying to model the CDX as closely as possible to what you might find in a real-world experience. We want to get as good a practice as possible for the cadets.

So this is our network. This is by far the simplest of the networks that were out there. And again, this goes to the idea that I'm trying to push here, which is that you want simplicity if you don't have the manpower. You probably can't see any of this, which is OK. This is just a general network.
Over here, we have our routing and our external DNS. And then internally, we have an AD over here with an internal DNS. So we're separating those two out. And then over here, we pile all of our services onto one machine. And we lock that down as best we can. We have our web server, our IM, and our database all over there. And we separate it out from the rest of the network. So we have a VLAN switch over here and a little monitoring station over there.

So some of the cost trade-offs that we went through, or the midshipmen went through, were in saying, we could have had multiple machines and multiple servers. But from an administrative point of view, at any given point, we might only have one midshipman, one student in the shop watching the network. So again, you can't really have what you could, but we found it probably easier to just concentrate everything onto one box. Yeah, it puts all of our eggs in one basket. And yeah, it's kind of risky. But if you're running a shop with just one person, you're kind of living in a risky world anyway. So it's, again, not necessarily the best of plans for everyone, but it's a solution for keeping these costs down. It keeps monitoring down, keeps administration down. You don't have to worry about trying to patch a number of different machines. You can just focus on the one machine and make sure that's running very well.

So we made some mistakes, obviously. We had some last-minute course corrections. We'll talk about those a little later, but primarily we started off using a lot of these GUI interfaces to do the administration and all that. And then we ultimately transitioned to using FreeBSD for most of the infrastructure. So just to give you an overview of some of the other things that we covered here: it's good to learn multiple operating systems. And again, I'm not really saying anything that's earth-shattering here.
I'm just trying to get a basic understanding of IT and security out to everyone here, and to say that learning multiple operating systems is important. You want to know more than just Windows. You want to have more than one tool in your bag. There are multiple tools out there, and you should understand them. FreeBSD, Ubuntu, Gentoo, there's a whole bunch of them. So play around with them. Don't put them in production until you're comfortable with them, but get out there and just play with it. I'm sure everyone has an old machine out there that they can play with and start messing around with. And you certainly should do so. When you feel comfortable, you can roll it into production. That's, again, not rocket science. Just keep it simple. You want to keep it simple.

The NSA puts out a bunch of pretty good guides on how to secure a number of different things. What they don't do is keep the URL very consistent, so I'm not certain if this is still the one. They refer to it as the SNAC and various other things. So they should probably settle on one URL, or at least redirect from the old ones. You can usually find them if you dig around on the website anyway.

So even though I'm a big proponent of Linux and I use it for as much as I can, you can't, as an administrator, ignore Windows. It's just the world we live in. And that's OK. It's a good operating system for what it does. And that is, it keeps people comfortable in an environment where they've been for some time. We use group policies. Make sure you use those, obviously. If you're running a network, use an AD and join it into a group. So the group policies will allow you to administer a number of the workstations at the same time, and you're not walking around to each one. You can push them all down at the same time. It's good stuff.
But don't get too carried away with it, because there's a tendency, at least when you leave midshipmen to lock down a network, or you get all excited about security, to start locking everything down. And then pretty soon none of your users can do anything. So you want to make sure that you're locking it down, but not so that it's completely unusable.

In terms of other Windows, the primary Windows OS that they used in this exercise was XP. But we did have a little Vista in there. And it was OK. From a security point of view, it actually is OK. From everything else, kind of not so good, I don't think. Windows 7 seems to be doing better in a lot of other ways. So hopefully it will continue to get better.

So you want to, again, keep the tools simple. We found troubles. We wanted to track them down. Sysinternals are free tools. You can download them. You can use them. They're great: Process Explorer lets you see what's going on. And what's important when you're administering a network is that you have to understand what your baseline is, what is good versus what is not good. So get a good machine, a machine that you trust, one that you just built and you know isn't owned. And just look at it. Look at what it looks like normally with Process Explorer, what's the normal network traffic that it generates, and get a feel for that. Once you're comfortable in there, then you can start noticing, well, this is kind of not behaving well. It seems slower than normal. It has too many processes running. I don't know what these are. So it's helpful in getting you a baseline.

Firewalls: the internal one is good. CORE FORCE, if you're familiar with it, is really good. It can really lock everything down. And it's a very solid product. But it can also make everything completely unusable, too. So again, you don't want to get too carried away with it.
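The baselining idea above (record what a clean, trusted machine looks like, then compare a later snapshot against it) can be turned into a small script. This is an added example, not part of the talk or anything the academy used: the two snapshots are constructed inline in a made-up "proc name path" / "port proto number owner" format that stands in for trimmed Process Explorer or netstat output, and the process names and paths in them are illustrative only.

```python
"""Compare a trusted baseline snapshot of processes and listening ports against a
later snapshot from the same machine and report what changed.

Added example. The snapshot format below is assumed for this script, not a real
tool's output: one record per line, either
    proc <image name> <full path>
    port <proto> <number> <owning process>
"""

# Constructed baseline taken from a freshly built, trusted machine.
BASELINE = """\
proc svchost.exe C:\\Windows\\system32\\svchost.exe
proc explorer.exe C:\\Windows\\explorer.exe
proc lsass.exe C:\\Windows\\system32\\lsass.exe
port tcp 135 svchost.exe
port tcp 445 System
"""

# Constructed later snapshot: one extra process with a familiar name but an
# unexpected path, and one extra listening port.
CURRENT = """\
proc svchost.exe C:\\Windows\\system32\\svchost.exe
proc explorer.exe C:\\Windows\\explorer.exe
proc lsass.exe C:\\Windows\\system32\\lsass.exe
proc svchost.exe C:\\Users\\Public\\svchost.exe
port tcp 135 svchost.exe
port tcp 445 System
port tcp 5555 svchost.exe
"""


def parse(snapshot: str) -> set[tuple[str, ...]]:
    """Turn a snapshot into a set of records; blank lines and # comments are skipped."""
    records = set()
    for line in snapshot.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.add(tuple(line.split()))
    return records


def compare(baseline: str, current: str) -> dict[str, list[tuple[str, ...]]]:
    """Records that appeared since the baseline, and records that vanished."""
    base, cur = parse(baseline), parse(current)
    return {"new": sorted(cur - base), "missing": sorted(base - cur)}


def suspicious_paths(baseline: str, current: str) -> list[tuple[str, str]]:
    """Processes whose image name is known from the baseline but which now run
    from a path the baseline never saw. Name/path comparison is case-insensitive
    because Windows paths are."""
    known: dict[str, set[str]] = {}
    for rec in parse(baseline):
        if rec[0] == "proc":
            known.setdefault(rec[1].lower(), set()).add(rec[2].lower())
    flagged = []
    for rec in parse(current):
        if rec[0] != "proc":
            continue
        name, path = rec[1], rec[2]
        if name.lower() in known and path.lower() not in known[name.lower()]:
            flagged.append((name, path))
    return sorted(flagged)


def report(baseline: str, current: str) -> str:
    """Human-readable summary of both checks."""
    diff = compare(baseline, current)
    lines = [f"new records:     {len(diff['new'])}",
             f"missing records: {len(diff['missing'])}"]
    for rec in diff["new"]:
        lines.append("  + " + " ".join(rec))
    for rec in diff["missing"]:
        lines.append("  - " + " ".join(rec))
    for name, path in suspicious_paths(baseline, current):
        lines.append(f"  ! {name} running from unexpected path {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, CURRENT))
```

In practice the baseline would be captured once from the clean machine and kept somewhere the machine itself cannot alter; the comparison is only as good as the trust you have in that first snapshot, which is exactly why the talk says to take it from a box you just built.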
Antivirus stuff is obviously a no-brainer as well. You want to run that. But don't get too carried away with these scans. I've seen these set up by administrators so that it's scanning all files all the time. It just thrashes the hard drive the entire day. And you're really not any more secure. If it's scanning the whole day, you're still not going to be protected from your zero-days. You're still not going to be catching every single vulnerability. So you've got to keep it all in perspective. You don't want to get too carried away with tools that aren't really designed to catch everything instantaneously. So keep it reasonable. If the hard drive is thrashing, it's going to be the number one reason why your users are going to complain, because their system is slow because their hard drive is spinning all the time.

I wanted to say a few things about passwords. Passphrases are what I advocate. Passphrases are long phrases. They can be gibberish phrases. They can be sensible phrases, although that's not ideal. If you choose, say, four or five different words that are somewhat related in your mind and you build a passphrase, that's a lot better than a password that's just random letters. You can make passwords very long in that way. You can easily get a 20 or 30 character password. And in terms of password security, size does matter. So we wanted to do that. So, passphrases. And it also makes it easier to remember. And don't get too crazy with swapping out the passwords and other similar requirements out there, that you have to change your passwords every 90 days and all that. I don't necessarily believe that's actually making us more secure. But if you have to follow that, at least try and make it as painless as possible. You can remember a sentence a lot better than you can remember jumbled letters. So you don't even necessarily need to advocate the funny characters and all that sort of stuff, although that's a good idea.
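To put numbers behind "size does matter", here is an added example (mine, not from the talk) that generates a random-word passphrase with Python's secrets module and works out how many bits of guessing resistance a passphrase or password has from its alphabet size and length. The word list is a constructed 32-word toy list; a real list such as the 7776-word Diceware list is assumed for the size comparisons, and those figures are passed in as plain numbers.

```python
"""Passphrase generation and a back-of-the-envelope strength comparison.

Added example. The strength figures assume every word (or character) is chosen
uniformly at random, which is what secrets.choice does; words a person picks from
memory because they are "related in your mind" carry less than this, so the numbers
are an upper bound for a human-chosen phrase.
"""
import math
import secrets

# Constructed toy word list (32 words). Real lists are thousands of words long.
WORDS = [
    "anchor", "ballast", "bridge", "buoy", "cargo", "compass", "current", "deck",
    "dock", "engine", "ferry", "galley", "harbor", "hatch", "helm", "hull",
    "keel", "ladder", "lantern", "mast", "pilot", "port", "rudder", "sail",
    "signal", "starboard", "stern", "tide", "trawler", "voyage", "wake", "winch",
]

PRINTABLE_ASCII = 94   # characters available to a typical random password
DICEWARE_WORDS = 7776  # size of the standard Diceware list (6^5)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size`."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from a list of that size reaching target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def passphrase(n_words: int, wordlist: list[str] = WORDS, sep: str = " ") -> str:
    """Join n_words words picked with a CSPRNG; secrets.choice avoids modulo bias."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_strength() -> dict[str, float]:
    """Entropy of a few representative choices, rounded to one decimal."""
    return {
        "8 random printable chars": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
        "5 Diceware words": round(entropy_bits(DICEWARE_WORDS, 5), 1),
        "5 words from toy 32-word list": round(entropy_bits(len(WORDS), 5), 1),
    }


if __name__ == "__main__":
    p = passphrase(5)
    print(f"sample passphrase ({len(p)} chars): {p}")
    for label, bits in compare_strength().items():
        print(f"{label:32s} {bits:6.1f} bits")
    print("words from Diceware list to reach 64 bits:", words_needed(64, DICEWARE_WORDS))
    print("words from toy 32-word list to reach 64 bits:", words_needed(64, len(WORDS)))
```

The comparison shows both halves of the point: five words from a large list beat eight random printable characters, and a five-word phrase easily runs to 25 or 30 characters; but the list has to be large and the picks random, since five words from a 32-word list are only 25 bits and you would need thirteen of them to match what five Diceware words give.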
In terms of a small network, if you're building a network, you have this option only in small networks: you can build real networks or VLANs. I like VLANs. I think having a switch that's centrally managed, where you can control a bunch of different ports, is a good idea. It doesn't have to be crazy expensive. You can get a very reasonable gigabit managed switch nowadays with a decent number of ports without breaking the bank. So you should definitely look into that. But if you have a bunch of little switches lying around and you want to use them, that's cool too. You can certainly model a real network and a VLAN network all in the same thing. But not if your network is too big. If it's a large network, forget it. But in a small network, you can definitely get away with it.

From the application security point of view, our applications, firewalls, gateways: there are a couple of different products out there. There's a number of them. We played around with m0n0wall, IPCop, Untangle, pfSense, a couple of others. They're pretty good. They're really good, actually. m0n0wall is really great. And we were actually using that all the way up to the very end, when we dropped it for FreeBSD. Untangle is actually really impressive and has a lot of different things. It seems to be easy to administer. The danger in these interfaces and these tools is that you don't really have a full understanding of what's going on in the background. But from a learning point of view, they're very good. They do the basic configurations, and you can get a sense of what is there and how a system should be set up. And so in our case, when the students ultimately migrated onto the FreeBSD system, they had a better understanding. They felt more comfortable with the system in general. So when they moved to FreeBSD, there weren't any problems. They understood what was going on. So check these out. They're all very good. They're all free.
You can download them all and check them out and play with them. On the application side, we used eBox, again all the way up until the end, when we dropped it in favor of FreeBSD. Webmin is also another possibility that's been around for a lot longer than eBox. It's not as pretty, but eBox certainly is good. Again, it sets up a lot of different things for you and you can get the basic setup without a lot of pain. And again, Untangle is also available in this space. Untangle is probably one of the better tools to wrap everything up. I like to diversify a little bit. So if you're going to use it for your routing and all that sort of stuff, then I'd probably try to pick something else for this, just to get a little diversity. If there is a vulnerability in the UI and the environment, then you might have yourself in a lot of trouble, unless of course you're concentrating it all onto one box, and then, again, you have a single point of failure anyway. You might as well at least make your administrative abilities easy.

So at the academy, in the good spirit of what the government can do, we hired a Russian to help us out. Boris is one of the guys at Poly, and he's kind of a FreeBSD freak. He really understands what's going on and is comfortable and happy to teach and help others out. So we brought him in, and in short order, a day or two, he had the midshipmen convinced that, hey, FreeBSD is the way for them. They felt comfortable, based off of what they had done with the other tools, with m0n0wall and pfSense and all that, that they didn't feel too burdened by FreeBSD. So don't be afraid of it.

So in comparison of the two, when we got to it, we couldn't do a few things. NAT was a little more difficult, or it was simpler under FreeBSD. All of these things we could do with the other environment except the split DNS environment.
We wanted to segment the DNS environment, and it wasn't as easy to do in eBox and m0n0wall. We couldn't quite get that working right. Under FreeBSD, obviously, those sorts of things are somewhat easy to do. There are lots of good guides out there, and you can do this. With FreeBSD you can route to VLANs, you can do all sorts of stuff like that. It's very good. We also used a combination of PF and IPFW so that we have a better blend for NAT and for firewalling, and that's just a comfort thing. One syntax is easier to understand than the other.

We also used FreeBSD for the application server. We replaced eBox. eBox is really great, again, up until the point where we were like, well, we're not quite certain how we want to set it up. So during the actual gameplay, we moved eBox down to the backup machine, and we moved FreeBSD onto our primary machine. So obviously setting up the web server and email and database and Jabber, which is the IM client for those of you who don't know, is pretty straightforward. Again, you shouldn't be afraid of FreeBSD.

So in general, like I said, what I wanted to get across here, since I had a quick talk, is that we want to keep it as simple as possible. We don't want it to be complicated. If you don't understand it, it's not secure at all. Security is not about one thing. You need to jump in, get your feet wet, and really start understanding what's going on. If you don't understand it, it's not good. Don't panic, just do it. So that's more or less what I was trying to get across. If you're out there and you hack boats or you hack students or something, let me know. I'd be happy to talk to you. And I'm always willing to listen to some suggestions. If you think you have a better idea in terms of small network administration, it's always welcome. Hope everyone enjoyed the talk. Thanks.