Let's talk firewalls. It used to be that if you had a firewall then you were basically protected against a lot of the threats that are in the world today. While yes, it is true that having a firewall in place will help mitigate a lot of threats, it is still not the only thing you need on your network or servers. OK, now that the disclaimer is out of the way, let's move on to the firewall subject at hand. From a security standpoint they can help by letting you (the good guy) see different things on your network while keeping others (possibly bad people) from fingerprinting your network. Even with a wealth of types of firewalls, including packet filtering, proxy firewalls, and stateful inspection firewalls, I would like to cover the approach of utilizing a firewall to hide behind.
Why would you want to hide? Or what do I gain from being
invisible?
Think about it for a second from the mind of a malicious person. Actually, let's take the standpoint of an inside threat. As a disgruntled employee you are wanting to take down something on the network on your last day of work. You just don't give a crap anymore and you won't see any of these people after you leave your little present anyway. You, as the network administrator, had previously decided to try and mitigate some risk by setting up some firewalls. Each department is blocked from other departments and each department only has access to the areas of the network that they need access to. Sounds simple enough, right? Wrong.
I have seen quite a few networks where the network administrator will simply set up the network to allow everyone access to every part of the network because it makes their job easier. Having firewalls in place throughout your INTERNAL network is just as important as having firewalls block threats from outside your network. The biggest thing that keeps people from doing this is cost. As a disclaimer, I am a big Cisco guy and so my networks are usually segregated by Cisco routers. In any vendor's network there will almost always be some sort of method to control traffic. Your setup could be a router on a stick or a 50+ internal router setup, but it all boils down to the firewall rules that you put into place.
I will cover a couple of brief methods of firewalling so I don't leave you hanging in the wind. The previously mentioned one was with Cisco gear. ACLs can work wonders. These little things on gear you already have can be your first line of defense for keeping people in Customer Support from getting to the Accounting computers. Another option is the use of a transparent Linux firewall/proxy. It acts just like a switch on your network, passing data like normal, but inspects the packets to make sure they are allowed to be there. Again on the Cisco side, but more expensive, are your (older) PIX and (newer) ASA firewalls. If you have the money for an ASA, go for it!
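As an added example (not from the post, and not a Cisco or Linux tool), here is a small Python model of the department ACL described above: Support gets the one server it needs, everything else between departments falls through to the implicit deny, and rules are evaluated first match, top down, the way router ACLs behave. The subnets and server addresses are constructed for the example. The second function finds rules that can never match because an earlier, broader rule already covers them, which is what happens to every deny when a "permit any any" has been put at the top to make the admin's life easier.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # destination port, None means any port
    comment: str = ""


# Constructed department subnets for this example (not addresses from the post).
SUPPORT = "10.10.0.0/24"
ACCOUNTING = "10.20.0.0/24"
TICKETING = "10.0.0.10/32"    # the one shared server Support actually needs
INTERNAL_DNS = "10.0.0.53/32"

# The kind of ACL the post argues for: Support reaches only what it needs,
# and traffic between departments falls through to the implicit deny.
SEGMENTED_ACL = [
    Rule("permit", SUPPORT, TICKETING, 443, "Support uses the ticketing web app"),
    Rule("permit", "10.0.0.0/8", INTERNAL_DNS, 53, "everyone may resolve names internally"),
    Rule("deny", SUPPORT, ACCOUNTING, None, "Support never talks to Accounting"),
]

# The "makes my job easier" ACL the post warns about: one permit-any on top.
FLAT_ACL = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", None, "allow everything")] + SEGMENTED_ACL


def evaluate(acl: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation, top down. Returns (action, index of the rule
    that fired); index None means the packet hit the implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for index, rule in enumerate(acl):
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they describe. A deny that shows up here is dead."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            covers_port = earlier.dport is None or earlier.dport == later.dport
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and covers_port):
                dead.append(j)
                break
    return dead


if __name__ == "__main__":
    flows = [("10.10.0.5", "10.0.0.10", 443),   # Support -> ticketing: permit
             ("10.10.0.5", "10.20.0.7", 445),   # Support -> Accounting: explicit deny
             ("10.20.0.7", "10.10.0.5", 22)]    # Accounting -> Support: implicit deny
    for src, dst, port in flows:
        print(src, "->", dst, port, evaluate(SEGMENTED_ACL, src, dst, port))
    print("dead rules in FLAT_ACL:", shadowed_rules(FLAT_ACL))
```

Running `shadowed_rules` against your own rule set before pushing it is the cheap way to catch the "everyone can reach everything" situation: if the list is not empty, an earlier rule is making the later ones decorative.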
What it boils down to is protection. Firewalls are there as a layer of security and that is what you are looking for. Layers. In a drive-by scan you want to be hidden so they don't dig deeper. In a targeted internal or external attack you want to provide as many road-blocks as possible.
-- Joe McShinsky
Saturday, October 22, 2011
Tuesday, September 13, 2011
Security+ Topic - Cabling
We all know that fiber is the ideal choice for cabling security for obvious reasons. Here I would like to go beyond the textbook answer that fiber carries light instead of electrical impulses. In order to get the full picture there must be an understanding of how the signal travels through the wires. In our day-to-day cabling we use copper, and that does great for our needs. If we were to run fiber to all of our nodes then it would get extremely expensive. These electrical signals flying down the wire have some inherent problems that must be addressed, though. What you learn about in school is the need to not run these wires around light fixtures and other items that would be a problem for your electrical signals.
The TEMPEST project is where the United States Government worked on methods to shield cabling against signal leakage to, and interference from, outside sources. Having top secret data on your network leaking out would be a very bad thing, and so these standards were developed to help mitigate data leakage. The TEMPEST program is now the standard for shielding protection against levels of EMI or RFI, and any product wishing to claim it is compliant must go through rigorous testing. Generally speaking, the shielded cabling costs almost double what regular cabling does.
How can the shielded cabling help your network?
In a sabotage example there are clear benefits to be had with shielded cables. Take for example a company that has a shared server room. Many of the cables that run to the internet service provider will run outside of isolated caged sections or locked server cabinets. If an attacker were able to identify a Power over Ethernet run they could tap into it and place a small motor near your uplink lines. This type of denial of service would distort the signals going to and from the ISP, leaving you with minimal throughput and possibly taking out the connection altogether. While this attack would be very hard to mitigate, it is also something that is very specific and very hard to put into place. I would say to worry about other parts of your network before going down to your server room every day to check the wires.
I want to focus here on the wireless side of “cabling” also. Many internet service providers are transmitting their uplink connection to businesses via wireless access points. These are not the same access points you have in your house, but they are very similar in nature. They still run on 2.4 GHz or 5 GHz, meaning they are still susceptible to a large range of interference. In the example above with uplink sabotage, say the business is running a wireless internet service provider connection. As a competitor, I could easily place something near your uplink bridge that would interfere with your signal. I could be in a van in the parking lot or near the tower that you make a connection to. Either way it would be very difficult to detect where the problem is coming from.
Wireless connections have their place, and I am not saying to rule them out completely. Wired connections will be king for a very long time due to the security and speeds available. Keep these in mind if your company is in the position of having to worry about mitigating attacks on the physical level.
-- Joe McShinsky
Saturday, August 6, 2011
Security+ Topic - Browser Add-Ons
We all love our browsers and the things they are able to do for us. For the general user it allows them to check Facebook, Google for something, and the list goes on and on. A lot of these people will also have little browser add-ons that they use to enhance their internet experience. While this is great and all, there are still issues that need to be addressed from a security standpoint. Security professionals are having to deal with new types of attacks that are very different from your standard username and password attacks. Everything from the secure connection to the server, ActiveX, buffer overflows, CGI scripting, cookies, cross-site scripting, input validation, Java applets, JavaScript, and popups makes even the most security-aware person check their knowledge twice about just how secure they are when browsing the internet.
Just how safe am I and are these issues really relevant to me?
Being secure in an unsecure environment is the end goal here. One of the first ways to do that is to use Secure Sockets Layer (SSL) and Transport Layer Security (TLS). This is most interesting to me, as you will still see a lot of sites that just don't want to use HTTPS for their clients. The way I look at it is that if you are not looking out for the protection of my data, why would I do business with you? Even for your internal network it is important to implement HTTPS. Programs are available to listen to the network and then give you a list of usernames and passwords that they find during the course of just sitting there. Yes, switched networks help to mitigate this, but they are not an end-all solution. There are even browser extensions (as we are on the subject) that check if a website has HTTPS functionality and will switch you to the secure connection for you.
Cost is always a factor. Why pay for secure certificates for your internal network when it's just employees logging in? Because credentials are still being sent in clear text, that's why.
Recently I read a forum post where they said 99% of their company had gone to wireless connectivity and they were loving it. The security portion of my brain immediately put up a red flag and worried very much for their company. Here is the deal (and a topic for another discussion): Wi-Fi packets can still be captured and decrypted in the future. So you may be secure right now, tomorrow, or even next week, but what if the encryption is broken tomorrow? Your competitor or enemy could have been gathering packets for this very moment to happen, and now all your secrets are theirs because they had been collecting packets for the last 6 months. Anyway, moving on with browser add-ons...
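The "switch you to the secure connection" extension mentioned above boils down to a URL rewrite driven by a list of hosts known to serve the same content over HTTPS. As an added example (my own code, not any particular extension's), here is that rewrite logic in Python with a constructed ruleset; the host names are placeholders. The detail worth seeing is the wildcard match: `*.example.com` must match on a label boundary, otherwise a look-alike host ending in the same characters would also be "upgraded".

```python
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed ruleset for this example: hosts known to serve the same content
# over HTTPS. "*.example.com" covers subdomains only; a bare name matches exactly.
HTTPS_RULES = ("*.example.com", "intranet.example.local")


def host_matches(host: str, pattern: str) -> bool:
    """Wildcards match on a full label boundary, so "*.example.com" covers
    "www.example.com" but neither "example.com" nor "example.com.attacker.test"."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def upgrade_url(url: str, rules: Iterable[str] = HTTPS_RULES) -> Tuple[str, Optional[str]]:
    """Return (possibly rewritten URL, rule that matched or None).

    Only plain http:// URLs with a host are touched. An explicit :80 is dropped
    because it is the http default and would be wrong for https; any other port
    is kept. Userinfo embedded in the URL is deliberately not carried over."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url, None
    for pattern in rules:
        if host_matches(parts.hostname, pattern):
            netloc = parts.hostname
            if parts.port is not None and parts.port != 80:
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), pattern
    return url, None


if __name__ == "__main__":
    for url in ("http://www.example.com/login?x=1#top",
                "http://intranet.example.local:80/app",
                "http://example.com/",
                "http://example.com.attacker.test/",
                "https://www.example.com/"):
        print(url, "->", upgrade_url(url))
```

The same table-driven approach works server side: an internal web app that knows it is reachable over HTTPS should answer plain HTTP with a redirect to the HTTPS URL rather than rely on every client to have the extension installed.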
Add-ons make for additional functionality in your browser that gives a better user experience. Problem is, things like buffer overflows and CGI scripts can cause havoc on systems that are not hardened. Some user interface sites were never designed with much security in mind, as they were only supposed to be used by the programmers and their co-workers. Fast forward a few years down the road and now someone has decided it would be good for the entire company to use. Now you have an interface that could be subject to buffer overflows due to a lack of input validation, or CGI scripts that are executing malicious code because they are set up to allow crazy permissions.
I recently added an add-on for my browser to keep people from tracking me. While not all of it is done with cookies, they are still a common method for data miners to push advertisements on you. Same thing here with cross-site scripting, as a site you visit may choose to do a little digging of their own to see what you are currently looking at in other tabs. Taken one step further, they could even use your session to get into a site in the background that you don't even know about.
Some add-ons are good and some can create a problem. Either way it would be in your best interest to get some of these good ones so that you can protect yourself from potential threats.
-- Joe McShinsky
Monday, August 1, 2011
Security+ Topic - Access Control
So let's talk a little about access control, specifically the technical aspect of determining which information should be allowed to interact with other information or users. This could be anything from servers getting resources, a cross-connect in a database table, or an application requiring some sort of access to work. It's not only limited to the technological side, though. There are still people to take into consideration, as they have needs that may go beyond a simple login to their computer. Without being too specific on an operating system, there are measures called access control lists that help take care of what can and cannot be accessed. These can be found on almost any piece of equipment that has to deal with multiple users or access control.
What does this mean for you?
First of all it means you need to check yourself. You put security measures in place for a reason, right? Test them. Oh, you just have a firewall and you think you're good? Let's take a look at that then. What are you wanting to protect? What is the risk analysis for what is on your network or the work done by employees on your network? How are attackers or inside threats going to get into your network? Do you have accounts without passwords? Are internal servers viewable from the outside? Let's face it, you could ask yourself what-if questions all day long. The big thing here is that you take a real hard look at what is going on with your network. It's easy to overlook something when you have been dealing with the same network for the last year. There are little things that you know in the back of your mind that you are going to address, or that you think are not that big of a deal, but when a third party comes in and takes a look at your network they see them as holes for attack.
I worked for a company a while back that had to be in compliance for processing credit card data. When we started this new project it made me a bit nervous, as I was worried about a data breach. I had to make sure I took an attacker's point of view to cover as many bases as I could. This turned out to be a continual process also. I am a huge fan of the Nagios monitoring software and so that is what I use to make sure certain things are working or not working on my network. Even though it has a wealth of plugins to monitor the network, I have chosen to write custom scripts that also check that certain things are not working.
For the risk analysis of my internal network I chose very specific outside DNS servers in order to mitigate my DNS hijacking risk. In order to enforce this I then applied firewall rules that denied any DNS traffic unless its destination was one of those specific DNS servers. To bring this full 360 I then told Nagios to check a few DNS servers on the internet. If the DNS server was one of the ones I said are OK, then the check returned OK, and if the check failed against an unauthorized server then that was OK also. The second half to this is that if an unauthorized DNS server responded then I know that a firewall rule got messed up or another rule allowed it (top down design).
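The inverted DNS check described above, written out as an added example: this is my own Python, not the author's Nagios script or one of the Nagios plugins. It sends a single bare DNS query (built by hand, so there is no dependency beyond the standard library) to a resolver and maps the outcome to Nagios exit codes. For a resolver on the allow list, an answer is OK and silence is CRITICAL; for any other resolver, silence is OK and an answer is CRITICAL, because an answer means the egress deny is missing or a rule above it let the traffic out. The resolver addresses and the script name are constructed placeholders.

```python
import secrets
import socket
import struct
import sys
from typing import Tuple

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed policy: the only resolvers the firewall is supposed to allow out
# (documentation-range placeholder addresses, not the author's real ones).
AUTHORIZED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}


def build_query(name: str, qid: int) -> bytes:
    """Minimal DNS query for an A record in RFC 1035 wire format: a header with
    RD set and one question, the length-prefixed labels, then QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def server_answered(server: str, name: str = "example.com", port: int = 53,
                    timeout: float = 2.0) -> bool:
    """True only if a DNS response carrying our transaction ID came back.
    A timeout, ICMP unreachable or any other socket error counts as "no answer",
    which is exactly what a working egress deny rule produces."""
    qid = secrets.randbelow(65536)
    query = build_query(name, qid)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(512)
    except OSError:
        return False
    return len(data) >= 12 and struct.unpack("!H", data[:2])[0] == qid


def classify(server: str, authorized: bool, answered: bool) -> Tuple[int, str]:
    """Map the probe result to a Nagios status. The second half is the point of
    the check: an unauthorized resolver that answers means the deny rule is
    missing or a rule higher in the list let the traffic through."""
    if authorized:
        if answered:
            return OK, f"DNS OK - authorized resolver {server} answered"
        return CRITICAL, f"DNS CRITICAL - authorized resolver {server} did not answer"
    if not answered:
        return OK, f"DNS OK - unauthorized resolver {server} is blocked"
    return CRITICAL, (f"DNS CRITICAL - unauthorized resolver {server} answered; "
                      "egress rule missing or shadowed")


def check(server: str) -> Tuple[int, str]:
    return classify(server, server in AUTHORIZED_RESOLVERS, server_answered(server))


if __name__ == "__main__":
    # usage: check_dns_egress.py <resolver-ip>   (hypothetical plugin name)
    code, message = check(sys.argv[1])
    print(message)
    sys.exit(code)
```

Schedule one service check per resolver you care about, both the allowed ones and a couple of well-known public ones that should be blocked; the blocked ones are the canary for a broken or reordered firewall rule set.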
Each organization has a different risk analysis and here I presented just a couple things in order to help you with yours. I hope that you are able to utilize some of this in your own network in order to help protect your domain controllers, web servers, clients, printers, and all sorts of other stuff you have to perform a risk analysis against.
-- Joe McShinsky
Saturday, July 30, 2011
SSH Verify Login
What if your username and password to your Linux box became compromised? Security is layers. Having a 100-character password doesn't help if someone knows it. What if you didn't even know your password though? Scratch that, what if you had a two-tier password model for logging into your Linux box? Sound good? Then keep reading.
This is a little bash script that will help identify you as an authorized user of a system in case of user/pass compromise. There are two parts to the script. The first part is checking to see if you are logged in via SSH. I do this to make sure you are connected to the internet, as the check sends out an email. I also do this in case you are logging in via a GUI; you don't want to get locked out from something behind your GUI window. The second part is sending out the email/text with a random number. You then check your email/text message and enter the number into the script after SSH login.
Place this script at the end of your .profile
Example: /home/billy/.profile
Just change the [email address] below to your email address.
#############################
# Verify SSH Identity 2011-07
# Written by Joe McShinsky
#############################
# Only interactive SSH logins are challenged; console and GUI logins pass through.
# Note: .profile is read by login shells only, so "ssh host command" never reaches
# this check; treat it as an extra layer on top of key-based authentication.
wai=`whoami`
getpts=`who am i | awk '{ print $2 }'`
# sshd titles its per-session process "sshd: user@pts/N", so a match on
# "$wai@$getpts" means this terminal came in over SSH
getssh=`ps aux | grep ssh | fgrep "$wai@$getpts" | wc -m`
if [ "$getssh" -gt 50 ]
then
  trap '' INT TERM      # Ctrl-C must not drop the user into the shell before the check
  clear
  echo "Verifying Your Identity..."
  echo "Enter Passcode:"
  send=$RANDOM          # bash gives 0-32767 here, i.e. only 15 bits of passcode
  echo "$send" | mail -s "`date` SSH Login" [email address]
  read pass
  # quoted so an empty or whitespace-only answer fails the test instead of erroring
  if [ "$pass" = "$send" ]
  then
    echo "Welcome Master"
  else
    exit
  fi
fi
Item of note. Some ISPs don't allow you to send mail directly from your computer (to prevent spam). I will edit this later with a code change utilizing an SMTP program.
Confirmed Platforms:
- OpenSUSE 11.4
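As an added example (my own code, not the author's script or a later revision of it), here is the passcode half of the same idea in Python: the code comes from the OS random source rather than $RANDOM, the comparison is constant-time, and delivery goes through an SMTP submission relay, which is the route that works on connections where the ISP blocks direct mail from the host. The relay host, sender address and the `[email address]` placeholder are assumptions; delivery and prompting are injectable so the check itself can be exercised without a mail server.

```python
import hmac
import secrets
import smtplib
from email.message import EmailMessage
from typing import Callable

CODE_DIGITS = 8  # 10**8 possible codes (~26.6 bits) versus the 32768 (15 bits) $RANDOM yields


def new_passcode(digits: int = CODE_DIGITS) -> str:
    """Zero-padded numeric code drawn from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def passcode_matches(expected: str, entered: str) -> bool:
    """Constant-time comparison; whitespace the terminal adds around the input is ignored."""
    return hmac.compare_digest(expected.encode(), entered.strip().encode())


def send_passcode_smtp(code: str, to_addr: str, smtp_host: str = "smtp.example.invalid",
                       smtp_port: int = 587, user: str = "", password: str = "") -> None:
    """Submit the code through an SMTP relay (hypothetical host) with STARTTLS,
    instead of handing it to local sendmail as the bash version does."""
    msg = EmailMessage()
    msg["Subject"] = "SSH Login passcode"
    msg["From"] = user or "ssh-verify@example.invalid"  # placeholder sender
    msg["To"] = to_addr
    msg.set_content(code)
    with smtplib.SMTP(smtp_host, smtp_port, timeout=10) as smtp:
        smtp.starttls()
        if user:
            smtp.login(user, password)
        smtp.send_message(msg)


def verify_login(to_addr: str,
                 deliver: Callable[[str, str], None] = send_passcode_smtp,
                 prompt: Callable[[str], str] = input,
                 attempts: int = 3) -> bool:
    """Generate, deliver and check one passcode. False means the login shell should exit."""
    code = new_passcode()
    deliver(code, to_addr)
    for _ in range(attempts):
        if passcode_matches(code, prompt("Enter Passcode: ")):
            return True
    return False


if __name__ == "__main__":
    import sys
    # [email address] is the placeholder from the post; put your own address here
    sys.exit(0 if verify_login("[email address]") else 1)
```

Called from the end of .profile in place of the bash block (`python3 /path/to/verify.py || exit`, with the SSH detection kept in the shell), the exit status decides whether the login shell continues. The same caveat as the bash version applies: a login shell's profile is one layer, not a replacement for key-based authentication on sshd.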