Friday, February 3, 2017

Security+ Topic - End to End Security

As we move data from one computer to the next, we can either transfer it in clear text or secure it in transit. The big question is how to secure it for transfer. Whether we use a browser, a file transfer tool, or a text shell to move the data, every one of them supports some form of encryption. The days of making excuses for not encrypting data over the wire are over.

When it comes to the browser, it comes pre-set to take advantage of SSL and TLS. Secure Sockets Layer was the widely used standard for establishing an encrypted link between a web server and a browser; it creates a behind-the-scenes connection for passing data between server and client in a secure manner. Only a few years ago you could generate a self-signed certificate for a personal web server and rest a little easier about people seeing the private data transferred. The major browser developers have since made it an explicit error when a certificate is self-signed or does not match the URL. The reason is man-in-the-middle attacks: the attacker presents your browser with his own certificate for the site, terminates the connection you thought was secure, and forwards the requests on to the true web server, so you would never know he was decrypting and re-encrypting all of the data on its way. A browser that accepts any self-signed certificate cannot tell the attacker's certificate from the real one; encryption without authentication of the other end buys very little. A certificate issued by a trusted CA for the exact host name is what lets the browser tell them apart.

Now we have TLS, which came out to address limitations of the Secure Sockets Layer protocol and adds security to the transfer of data over wide area network connections. TLS 1.0 was only a minor revision of SSL 3.0, but the later versions (TLS 1.2 at the time of writing) are a substantial improvement, and SSL 3.0 itself is deprecated and vulnerable to known attacks such as POODLE, so it should be disabled wherever it is still enabled. Where possible, each of your servers should be set up to force TLS, negotiate the newest version the client supports, and refuse to fall back to SSL.
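The following script is an added example, not part of the original post. It probes a server with openssl s_client once per protocol version and reports which versions are accepted and whether the certificate chain (and host name) verifies, so you can confirm that SSL 3.0 is refused and that a self-signed or mismatched certificate shows up as a verification error rather than passing silently. The host name and port are whatever you pass on the command line; the sample s_client output used for the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): probe which SSL/TLS versions a
# server accepts and whether its certificate verifies, using openssl s_client.
# The host and port are whatever you pass on the command line (placeholders).
# -verify_hostname needs OpenSSL 1.1.0 or newer; a version the local openssl
# build does not support (e.g. -ssl3 or -tls1_3) is reported as refused because
# s_client rejects the option and prints no handshake result.

# Reduce s_client output (read from stdin) to "<protocol> <cipher> <verify-code>".
# s_client prints "New, TLSv1.2, Cipher is ECDHE-..." after a successful
# handshake, "New, (NONE), Cipher is (NONE)" after a failed one, and
# "Verify return code: 18 (self signed certificate)" for the chain check.
summarize_s_client() {
    out=$(cat)
    line=$(printf '%s\n' "$out" | sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s %s\n' "${line:-none none}" "${code:-none}"
}

# Turn the numeric verify code into a verdict. The codes are OpenSSL's
# X509_V_ERR_* values: 0 ok, 10 expired, 18/19 self-signed, 21 unable to verify
# the first certificate (incomplete chain), 62 host name mismatch.
verify_verdict() {
    case "$1" in
        0)     echo trusted ;;
        10)    echo expired ;;
        18|19) echo self-signed ;;
        21)    echo incomplete-chain ;;
        62)    echo hostname-mismatch ;;
        *)     echo "untrusted($1)" ;;
    esac
}

# Try each protocol version in turn; -<version> forces exactly that version, so
# a server that refuses it fails the handshake instead of negotiating another.
probe_versions() {
    host=$1
    port=${2:-443}
    for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        summary=$(openssl s_client -connect "$host:$port" -servername "$host" \
                      -verify_hostname "$host" "-$v" </dev/null 2>/dev/null | summarize_s_client)
        proto=$(echo "$summary" | cut -d' ' -f1)
        cipher=$(echo "$summary" | cut -d' ' -f2)
        code=$(echo "$summary" | cut -d' ' -f3)
        case "$cipher" in
            '(NONE)'|none) echo "$v: refused" ;;
            *) echo "$v: accepted as $proto with $cipher, certificate $(verify_verdict "$code")" ;;
        esac
    done
}

# What you want to see: ssl3, tls1 and tls1_1 refused, tls1_2 (and tls1_3
# where the server supports it) accepted, certificate reported as trusted.
# Usage: sh tls_probe.sh www.example.com 443
[ $# -ge 1 ] && probe_versions "$1" "$2"
```

Run it against your own server after changing the protocol settings; a self-signed certificate on a personal server shows up here as "self-signed", which is exactly what the browser is now warning about.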

Now we have the matter of encrypting the whole network connection instead of just one protocol. A VPN forces the machine's traffic across a virtual private network. Most of the time that traffic is then routed out through the destination network, so the public IP address of the remote machine appears to be an address on the VPN server's network. These connections are commonly made with IPsec, which provides authentication (the IKE exchange proves who the peer is), plus integrity and confidentiality (ESP protects each packet). Each of these is a core requirement for the process to work: if any one of them is skipped or misconfigured, the connection could be compromised, for example by an unauthenticated peer that is an attacker rather than your VPN server.

One final item I want to touch on is the use of SSH. It is the default remote-administration tool for almost every Linux server and a required item in server deployments. The secure shell it creates is strongly encrypted, so anything sent over it is protected from anyone watching the wire, provided you verify the server's host key the first time you connect; blindly accepting an unknown host key leaves you open to the same man-in-the-middle trick as an unverified certificate. I am actually a little surprised that Windows hasn't embraced the use of SSH to connect to Windows servers in order to provide a quicker remote session to their servers. Even with Windows Core you need to make a remote desktop connection to use the command prompt... weird. SSH is able to do some really cool things, such as tunneling. Similar in behavior to a VPN connection, SSH can carry more than remote commands: a local port forward (ssh -L) makes a single remote service appear on your own machine. SCP and SFTP are built on SSH and move files securely. Even your browser can send all of its traffic over the SSH connection by using the local SOCKS proxy that a dynamic forward (ssh -D) provides.
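The script below is an added example, not part of the original post, showing the SSH uses described above: a local port forward, a SOCKS proxy for the browser, and file transfer with scp and sftp, all with strict host-key checking so an unknown or changed server key is refused rather than waved through. The jump host, user name, internal host names and ports are placeholders; the small forward_spec helper binds the tunnel to loopback by default so the forwarded port is not exposed to the rest of the network.

```shell
#!/bin/sh
# Added example (not from the original post): SSH as a transport for more than
# a shell. Host names, user names and ports are placeholders.

# Build the argument for ssh -L: [bind:]localport:remotehost:remoteport.
# Bind to loopback unless told otherwise (-b ADDR), so the tunnel endpoint is
# reachable only from this machine, and reject ports outside 1..65535.
forward_spec() {
    bind=127.0.0.1
    if [ "$1" = "-b" ]; then
        bind=$2
        shift 2
    fi
    lport=$1
    rhost=$2
    rport=$3
    for p in "$lport" "$rport"; do
        case "$p" in
            ''|*[!0-9]*) echo "forward_spec: port '$p' is not a number" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "forward_spec: port '$p' out of range" >&2
            return 1
        fi
    done
    if [ -z "$rhost" ]; then
        echo "forward_spec: missing remote host" >&2
        return 1
    fi
    printf '%s:%s:%s:%s\n' "$bind" "$lport" "$rhost" "$rport"
}

JUMP=user@jump.example.com   # placeholder bastion that can reach the internal hosts

# Local port forward: connecting to 127.0.0.1:15432 here reaches db.internal:5432
# as seen from the jump host. -N: no remote command, just the tunnel.
# StrictHostKeyChecking=yes refuses unknown or changed host keys instead of
# prompting, so a man-in-the-middle on the first connection is not accepted by
# habit; verify the server's fingerprint (ssh-keygen -lf on its host key) out of band.
local_forward() {
    ssh -N -o StrictHostKeyChecking=yes -L "$(forward_spec 15432 db.internal 5432)" "$JUMP"
}

# Dynamic forward: a SOCKS5 proxy on 127.0.0.1:1080. Point the browser at it and
# every request, not just one service, goes through the SSH connection.
socks_proxy() {
    ssh -N -o StrictHostKeyChecking=yes -D 127.0.0.1:1080 "$JUMP"
}

# Check the SOCKS tunnel from another terminal. --socks5-hostname resolves the
# name through the proxy, so the DNS lookup stays off the local network too.
socks_check() {
    curl --socks5-hostname 127.0.0.1:1080 https://intranet.example.com/
}

# File transfer rides on the same SSH channel; no separate FTP service needed.
copy_files() {
    scp -o StrictHostKeyChecking=yes ./report.pdf "$JUMP:/var/tmp/"
    sftp -o StrictHostKeyChecking=yes "$JUMP"
}

case "${1:-}" in
    forward) local_forward ;;
    socks)   socks_proxy ;;
    check)   socks_check ;;
    copy)    copy_files ;;
esac
```

Run `sh ssh_tunnels.sh socks` in one terminal and `sh ssh_tunnels.sh check` in another; if the curl call succeeds, the browser can be configured with the same SOCKS5 proxy address.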
