Sad, really. It's mostly due to apathy and no mandate from higher-ups to pursue stronger security, but in general our farm is only strong enough to keep generic attacks at bay. 0-days, man-in-the-middle, hell even some SSL vulnerabilities are possible for us. We have a "security team" so we defer most of the security precautions to them and just keep our base software configured not to let anyone unauthorized in.
However, utilizing host-based as well as network-level intrusion detection tools, combined with kernel-level and userland-level security patches and mandatory security access control policies is the best all-around solution. Grsecurity for kernel patches, an OS base with strong security in mind (many new distros use things like stack-smashing-protecting patches to glibc), snort for network IDS, tripwire/portsentry/others for host-based IDS, SELinux configured for all your hosts to further enforce your access requirements.
And of course, diligence: monitor security lists (particularly the one for your distro/kernel) and update immediately when a patch comes out.