Yes, the Reading Room at SANS is terribly comprehensive and daunting!!
Now, firewall security/insecurity - where do you start - whole books have been written on this subject!
OK, let's concentrate on just 3 things:
1) You need to run applications, whether server based or workstation based. All of these open holes in your firewall and your security from the moment you run them is at the mercy of those applications! Web Servers, Mail Servers, IE, Outlook, et al are all vulnerable to various exploits. Keeping up to date with security patches and service packs helps but remember that these are always one step behind the hacker.
Most common attacks are "buffer-overflow" attacks that give "debug" access to your PC or server. An attack of this nature will give the attacker user rights in the context that the application was running - so if you are logged on as Joe then the user can do whatever Joe can, if you are logged on as Administrator - well! Server applications typically run in the system user context i.e. administrator so an attack against a server application will usually yield admin rights! Once in as system an attacker can grab your list of passwords and run them through a cracker at 2.8 million + combinations per second and will usually have all your user passwords in a couple of days unless you use strong passwords with special characters such as @~#%$".
OK, if they break in as Joe then they can use the ftp.exe command line utility to grab a trojan from the Net. They use the Microsoft Task Scheduler to add this to a scheduled process. Task processes will always run in the system context - voila! They hook this into a port that you allow through the firewall (like 53 for DNS) and they can inspect the rest of your network at will from inside your firewall!
2) The TCP/IP protocol was designed before we had much experience with the wide-scale hacking we see today. As a result, there are a number of design flaws that lead to possible security problems. Some examples include smurf attacks, ICMP Unreachable disconnects, IP spoofing, and SYN floods. The biggest problem is that the IP protocol itself is very "trusting": hackers are free to forge and change IP data with impunity. IPsec (IP security) has been designed to overcome many of these flaws, but it is not yet widely used.
3) Firewalls leak. Most people assign too many outgoing permissions. Also you have to allow certain protocols to all users, i.e. port 53 if you don't run your own DNS server - that exposes holes where people can spoof their source port to get round your firewall. There's lots of info on this. Also stateful inspection firewalls are better than just packet filters. These analyse the type of traffic travelling down a port to see if it's the kind of traffic that is normally associated with such a port.
Once a hacker gets a foothold then the more integrated your network is, the quicker they can achieve total compromise. Consequently, your network is as secure as your weakest link! That is why the weakest links need protecting as well with intrusion detection/prevention/sandboxes/personal firewalls, etc.
A good starting strategy is as follows:
1) Disable all unnecessary services on servers and workstations. You would be surprised how few services need to run for your system to function. Most importantly, disable the Task Scheduler on all PCs.
2) Patch all operating systems with latest Service Packs and security patches. Ditto for all applications - servers and workstations.
3) Have strong passwords - these can still be easy to remember i.e. "£)$(*DbJones is actually shift 230498DbJones - this could be a child's birthday with the shift key pressed and a name.
4) Restrict write/execute access on directories on user PCs to administrator accounts.
5) Do not log onto workstations as an administrator account.
6) Remove dangerous command line applications like ftp.exe, tftp.exe, cacls.exe, net.exe, net1.exe from user workstations. They are never used but make things easier for a hacker. Remember, even if they get in they somehow need to get files onto the compromised PCs.
All of the above are referred to as "System Hardening". I am writing some papers on this with explanations which will be useful for people running Windows. There is a lot on the Net but no-one seems to have pulled all of the suggestions together. Even the CIA advice doesn't cover everything.
Then think of the rest as medieval warfare. You want to put as many obstacles in the way of the attacker as possible. That's where desktop firewalls, sandboxes, IDS and anti-virus come in. Hopefully they will just go and find an easier target.
Bear the following statement in mind and be paranoid.
“First accept the following statement - THERE IS NO WAY OF PREVENTING AN INTRUDER FROM ENTERING YOUR SYSTEMS IF CONNECTED TO THE INTERNET. Once you have accepted the statement and its implications then design your security strategy to cope with the consequences of that statement”.
Once you accept the first bit, the second stage is common sense.
I hope this helps.
Regards
Emeric
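As an added, read-only audit of the hardening checklist in the post above (example code written for this page, not Emeric's own script), the following PowerShell reports which items still need attention on a Windows workstation: the Task Scheduler service, patch currency, minimum password length, whether the current logon is an administrator, the listed command line tools, and the firewall's default outbound policy. It assumes PowerShell 5.1 or later with the built-in NetSecurity module, an English-language `net accounts` output, and uses a 30-day patch window and a 12-character minimum length as this example's own thresholds.

```powershell
# Read-only hardening audit for the checklist above. Nothing here changes the system.
# Run it as the ordinary user on the workstation being audited; no elevation needed.
$findings = @()

# 1) Task Scheduler service: the post recommends disabling it on all PCs.
$svc = Get-Service -Name Schedule -ErrorAction SilentlyContinue
if ($svc -and $svc.StartType -ne 'Disabled') {
    $findings += "Task Scheduler service is $($svc.StartType) / $($svc.Status)"
}

# 2) Patch currency: flag if the newest installed hotfix is older than 30 days
#    (30 days is this example's threshold, not a figure from the post).
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No hotfix installed in the last 30 days (latest: $($latest.HotFixID))"
}

# 3) Strong passwords: check the local minimum password length policy
#    (12 is this example's threshold; the line parsing assumes English output).
$line = net accounts | Select-String 'Minimum password length'
if ($line) {
    $minLen = [int]($line.ToString().Split(':')[-1].Trim())
    if ($minLen -lt 12) { $findings += "Minimum password length is only $minLen" }
}

# 5) Do not log onto workstations as an administrator: is this session admin?
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Current logon $($id.Name) holds administrator rights"
}

# 6) Dangerous command line tools the post says to remove from user workstations.
foreach ($tool in 'ftp.exe', 'tftp.exe', 'cacls.exe', 'net.exe', 'net1.exe') {
    $path = Join-Path $env:SystemRoot "System32\$tool"
    if (Test-Path $path) { $findings += "$tool present at $path" }
}

# Firewall leak check: the post warns about too many outgoing permissions, so
# report any profile whose default outbound action is not Block.
Get-NetFirewallProfile | ForEach-Object {
    if ("$($_.DefaultOutboundAction)" -ne 'Block') {
        $findings += "$($_.Name) firewall profile default outbound action is $($_.DefaultOutboundAction)"
    }
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { "No findings." }
```

Item 4 (directory write/execute permissions) is not covered here because what counts as a user directory is site-specific; Get-Acl on the directories you care about is the natural extension.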