Securing Organization
Related Chapters
• Chapter 1: Building a Secure Organization
• Chapter 13: Intranet Security
• Chapter 14: Local Area Network Security
• Chapter 48: Virtual Private Networks
2
BUILDING A SECURE ORGANIZATION
3
Distributed Corporate Network
4
Obstacles to Security
• The more robust the security mechanisms, the more inconvenient the process
• What is the right balance between security and productivity?
– Based on an acceptable level of risk • Security/inconvenience ↔ insecurity/ease of use
• Example: waiting in a security line at the airport
5
Computers are Powerful and Complex
• Today’s computers – Store our personal libraries – Take up little space – Provide a “user-friendly” face to the world
• We don’t think much about what goes on “behind the scenes” – Windows Registry, ports, and services
• Accessibility to hard drive data – Many individuals still believe that a Windows login password
protects data on a computer. • Take the drive out, install it as a slave drive in another computer
6
Most Users Are Unsophisticated
• Today’s “power users” – Know more than just applications
– But lack basic security concepts
• Attackers look for the path of least resistance – The average user is a weak link
– Why would an attacker struggle to break through an organization’s defenses when end users are more than willing to provide the keys to bank accounts?
• A security program should be alert to: – Threats caused by untrained and unwary end users
7
Early Days of No Security
• Early PC development focused on what a computer could “do”
– No thought was given to security
– Emphasis was on building sophistication and capabilities
• As computers became connected, focus was on information sharing, not security
8
Current Trend: Share, Not Protect
• Users want: – To share data with everyone
– To access data from anywhere, and quickly
– The same capabilities at home and at work
• Data is shared through web applications, social networking, and online data storage – The ability to easily transfer data outside the control of a
company makes securing an organization’s data that much more difficult.
9
Security isn’t about Hardware and Software
• Firewalls, IDSs, antivirus programs, and two-factor authentication products are tools to assist in protecting a network and its data.
– no product or combination of products will create a secure organization by itself.
• All security products are only as secure as the people who configure and maintain them.
10
Bad Guys Are Very Sophisticated
• Security is a process dependent on people
– Requires time, training, and equipment
• The new hacker profile
– Profitable businesses: e.g., Anonymous
– Hierarchical cybercrime organizations
– State-sponsored hacking
• Creating a secure infrastructure is mandatory
11
How Does Management See Security?
• Management sees security as a: – Drain on the bottom line – Necessary evil
• How can we convey the need for security? – Tangible cost savings – Competitive advantage – Probable threats – Required duty of care in protecting assets – Reduced exposure to lawsuits, fines, bad press – A nonnegotiable requirement of doing business
12
Ten Steps to Build a Secure Organization
1. Evaluate the Risks and Threats
2. Beware of Common Misconceptions
3. Provide Security Training for IT Staff
4. Think “Outside” of the Box
5. DOXing
6. Train Employees
7. Develop a Culture of Security
8. Monitor Systems
9. Don’t Forget the Basics
10. Patch, Patch, Patch
13
1. Evaluate the Risks and Threats
• Evaluate organization and data threats based on: – The infrastructure model
– The business itself
– The specific industry
– The rest of the world (global threats)
• Once threats and risks are identified: – Ignore, accept, transfer or mitigate the risk
• Identify and quantify risk with several available tools (e.g., OCTAVE)
14
2. Beware of Common Misconceptions
• What are some common security misconceptions?
– Our business is simply not a target for malicious activity
– Our organization is immune from employee problems
– A preemployment background check is sufficient
– IT professionals know everything about computers
15
3. Provide Security Training for IT Staff
• Creating a highly skilled security staff is a dynamic process – New vulnerabilities are constantly discovered
• Some ideas to get and stay trained – Obtain fundamental background in security
– Use a vendor-neutral certification program
– Keep updated with current trends
– Achieve the Certified Information Systems Security Professional (CISSP) certification
16
4. Think “Outside” of the Box
• Threats to intellectual assets and technical infrastructure – “Bad guys” inside and outside organizations
• Threats to data dissemination – Employee that leave an organization – USB Flash drives – Other devices connected though USB ports – Handheld devices
• Track usage (e.g., Registry) • Establish policies for acceptable device usage
17
Figure 1.2
Check out Harlan Carvey’s RegRipper to learn more about the Registry.
Identifying connected USB devices in the USBStor Registry key
18
5. DOXing
• Involves gathering information from a variety or sources from the Internet
– High-tech dumpster diving
– Initially developed to harass law enforcement
– May fill in a complete (and possibly uncomplimentary) picture of a person or organization
19
6. Train Employees
• The greatest security asset – Properly trained employees
• Gaining employee support and allegiance – Make time
– Share rationales behind protocols
– Include some “skin in the game”
– Provide advice for properly securing home computers
• Encourage employees to approach management or security team voluntarily
20
7. Develop a Culture of Security
• Security mechanisms included in operating systems and applications – Microsoft TechNet Library – Microsoft Security Compliance Manager
• Correct data leak sources – USB Flash drives – Unallocated cluster data recovery (cipher.exe) – Personal information from Office files
• Operating system mechanisms – Increase the complexity of passwords
21
Microsoft Security Compliance Manager
Figure 1.3
Identify and utilize built-in security features of the operating system and applications.
22
Figure 1.4
A view of unallocated clusters showing a Google query
Recover data in the unallocated clusters of a computer’s hard drive.
A view of unallocated clusters showing a Google query
23
Figure 1.5
Cipher wiping a folder called Secretstuff
Use the “disk-scrubbing” utility built into Microsoft Windows operating systems.
24
Figure 1.6 Security options for Mac OS X Lion Mac OS X has some very robust security features, including FileVault, which provides the ability to create an encrypted disk. 25
9. Monitor Systems
• All security products can fail or be compromised – Never rely on one product or tool
• Identify problem areas – Enable logging
– Follow security standards for what to log
• Use tools to collect and parse log files – Example: Kiwi Syslog Server
• Install a packet-capturing tool (e.g., Wireshark) – Analyze and capture traffic in real time
26
Figure 1.7
Kiwi Syslog Se4ver Email Alert Configuration screen
Logging mechanisms and the ability to track user activities are critical. 27
Figure 1.8
The protocol analyzer Wireshark monitoring a wireless interface
Install a packet-capturing tool on your network so that you can analyze and capture traffic in real time.
28
Monitor Systems (2)
• Hire a third-party to audit security – Experienced, knowledgeable, and objective
– Up to speed on new vulnerabilities and product updates
– Not encumbered by administrative duties
– Positioned to make recommendations
• Third-party analysis involves a two-pronged approach – Penetration test
– Audit internal system
29
Don’t Forget the Basics
• Fundamental security mechanisms
– Change default account passwords
– Use robust passwords
– Close unnecessary ports
30
Figure 1.10
Sample output from Fport
Identifying open ports is an important security process.
31
10. Patch, Patch, Patch
• Identify and install updates – Turn on automatic update checking
– Install update when comfortable
• Use administrator accounts for administrative tasks
• Restrict physical access – Keep critical systems in a secure area
• Don’t forget to manage and protect your paper documents
32
Security Control Assessments
• Security control assessments
– Difficult, challenging, and resource-intensive
• Acceptable outcome requirements
– Appropriate set of expectations before, during, and after the assessment
• Organization and assessors should prepare thoroughly
– Preparatory activities
• Address range of issues relating to cost, schedule, and performance
33
INTRANET SECURITY
34
• A network within an organization – Uses the same technology as
Internet
– May be geographically distributed
– Linked to the Internet via gateways (only)
Intranet
35
Intranet Security as News in the Media
36
Another Example
37
38
Smartphones and Tablets in the Intranet
• Reasons for smartphone and tablet success – Functionality and ease of use
• Voice, gesture, touch interfaces
– Customized applications (apps) availability
• Mobile device enterprise integration trends – Work concept stretching beyond tradition – Rapid iteration lifecycles – Low cost allows brand/platform independence – Successful iPad ready for the enterprise – Android smartphones with high adoption rates – Financial services sector activating iPad (iOS)
39
Shift from PCs to Mobile/BYOD
• Balance of security and business concerns – Tilts towards business considerations – IT must adapt security measures to conform
• 2011: Apple shipped 172 million devices • Reasons for shift to mobile devices
– Reinvention of how and where work conducted – Mobile intranet apps available – More functional media usage
• Intranet access now concerned with identity – Consider private cloud environments
40
Figure 13.2 Mobile device adaptation. Source: http://i.zdnet.com/blogs/screen-
shot-2012-02-13-at-173416.png. 41
Security Considerations
• Risk of size and portability
– smartphones because of their size are easy theft targets
• Risk of access via multiple paradigms
– Mobile devices can access unsafe sites using cellular networks and download malware into storage.
– Controlling security using perimeter network access are no longer feasible
• Social media risks
42
How to approach these considerations?
1. Establish a customized corporate usage policy for mobile devices
2. Establish a policy for reporting theft or misplacement
3. Establish a well-tested SSL VPN for remote access
4. Establish inbound and outbound malware scanning
5. Establish WPA2 encryption for Wi-Fi traffic access
6. Establish logging metrics and granular controls
43
How VPNs can Help?
• Protection of data while in transmission
• Protection of data while at rest (data storage)
• Protection of the mobile device itself (in case it fell into the wrong hands)
• App security
44
Mobile device VPN access to company network using token authentication Courtesy: Apple Inc.
These devices are subject to the same factors as any other device remotely accessing VPNs.
Figure 13.3
45
Plugging the Gaps: NAC and Access Control
• NAC: Network Access Control
• NAC appliance: manage endpoint security – Ensures minimum security policy compliance
– Example: Microsoft’s MS Network Policy Server
• Access control relationship triad – Internal users, intranet resources, actions internal users take
on resources
– Give users least amount of access • Use granular classification
• Start with “Deny-All” policy as a baseline
46
Measuring Risk: Audits
• Audits
– Comprehensive intranet security policy cornerstone
– Know the resources being protected
• Tangible or intangible
– Know the relevant threats and vulnerabilities
– Correlate the assets and associated threats and vulnerabilities
– Risk = Value of asset × Threat × Vulnerability
– Prioritizing a list allows the audit procedure to be standardized by risk level
47
Figure 13.4 SQL injection attack. Source: © acunetix.com.
Hackers look for either unhardened server configurations or network switches with default factory passwords
left on by mistake. 48
Guardian at the Gate: Authentication and Encryption
• Two-factor authentication strengthening – Preventing password cracking
• Password length (more than eight characters) • Use of mixed case • Use of alphanumeric characters • Use of special characters
– Windows Active Directory ACL • Can enforce all four requirements
– Trending toward uncommon passwords • Joined-together sentences (passphrases)
• Consider third-factor authentication options
49
Wireless Network Security
• Wireless corporate access – Requires strong encryption: Why?
• Wireless Equivalent Privacy (WEP) – No longer widely used.
• WPA or WPA2 (802.11i) – Stronger encryption compared to WEP
• Wi-Fi antennas and Wi-Fi access points – Identify open wireless access points
– Example: Netstumbler
50
51
52
Shielding the Wire: Network Protection
• Primary network barrier – Rule based and stateful firewalls
• Intrusion prevention systems (IPSs) – Inline appliance using heuristic analysis
• Compare IPS and firewall operations – Location, buffer size, threats blocked, tuning
• Critical data infrastructure design factors – Resiliency, robustness, and redundancy
– Consider syslog and email notification
53
Weakest Link in Security: User Training
• Security awareness communication – During new employee orientation – By ongoing targeted training for users
• Formal security training policy – Drafted and signed off by management, posted on the
intranet, and provided to new recruits – Contents
• Well-defined scope, roles, and responsibilities • Applicable federal or industry mandates
– Deliver via PowerPoint Seminar method or Flash video format presentation
54
Documenting the Network: Change Management
• Change control
– Controls IT infrastructure configuration
– Deliberate and methodical process • Documents and authorizes baseline configuration changes
– Guidance provided in ITIL guidebooks
– Most changes require approval
• Change management goal
– Mandate compliance
55
Rehearse the Inevitable: Disaster Recovery
• Successfully recovering from a disaster can mean resuming critical IT support functions for mission-critical business functions.
• Disaster recovery (DR) tasks – Business impact analysis (BIA) – Organize and test DR plan
• Use recovery point objective (RPO) and recovery time objective (RTO) metrics
• Other considerations – Communication channel resumption, budgets – DR committee functions – Levels of redundancies and backups
• Consider criticality and time-to-recovery criteria
56
Controlling Hazards: Physical and Environmental Protection
• Common-sense physical access topics – Disbursal of cards, access-card permissions
– Monitoring physical data transmission (digital video recording)
– Written or PC-based sign-in log usage
– Contractor laptops must be registered and physically checked in and virus scanned.
– Emergency power supply usage
– Provisions for fire detection and firefighting 57
Know Your Users: Personnel Security
• Users working within intranet-related infrastructures have to be known and trusted.
• Assigning personnel to sensitive areas – Attach security categories and parameters to the positions
• Employee transfer and termination – Requires reassessment and reassignment of sensitive access
tools
– Perform exit interviews
– Terminate system access with one hour
58
Information and System Integrity
• Compare information integrity to system integrity
• Processes to protect information include:
– Antivirus tools
– IPS and IDS tools
– Web-filtering tools
– Email encryption tools
59
Security Assessments
• Advantages – Uncovers various misconfigured items
– Provides a convenient blueprint for changes
– Provides credibility for budgetary assistance
• Consultants take two to four weeks – Primarily use open-source vulnerability scanners
• Penetration test result items – Full-fledged technical report for IT
– High-level executive summary for top management
60
How to Assess Security?
61
Risk Assessments
• Risk is defined as the probability of loss • Risk management is a way to manage the probability of
threats causing an impact • Risk assessment exercise: measures risk
– Reduces network threats, their probabilities, and their impacts
• Describe intranet risks and threats • Security threat assessment
– Explores exploitable vulnerabilities and gaps
• Intranet risk assessment – Identify primarily Web server, database threats
62
LOCAL AREA NETWORK SECURITY
63
Introduction
• As the Internet expanded in its reach across national boundaries and as the number of users increased, potential risk to the network grew exponentially.
• The security policy must be a factor in clients’ level of access to the resources.
• Current network designs implement three levels of trust: most trusted, less trusted, and least trusted.
64
Trust Levels
• Most trusted (intranet)
– These users have to authenticate to a centralize administrator to access the resources on the network.
• Less trusted
– may originate from the intranet as well as the external users who are authenticated to access resources such as email and Web services
• Least trusted (unauthenticated users)
65
Trust Levels (2)
66
Identify Network Threats
• Network security threats can be in one of two categories:
– disruptive type • caused by power failure, virus attack, or any network failure
– unauthorized access type.
67
Establish Network Access Controls
• Hardware or software based controls
– Implemented in a hierarchical structure to reflect network organization
• Network control functions
– Detect an unauthorized access
– Prevent network security from being breached
– Respond to a breach
68
Risk Assessment
• Complete during network initial design phase
– Assess network risk types
• What are some possible risks?
• Develop risk levels to various network threats
– Assess the costs of recovering from attacks
• Cost/benefit analysis
• Return on investment (ROI)
• Total cost of ownership (TCO)
• Design a spreadsheet listing the risks versus the threats
69
Listing Network Resources
• Identify assets (resources) available on the corporate network
• Protect mission-critical components
– Prioritize them (see table next slide)
– Articulate and apply network access control to each component according its priority • e.g., threats to DNS server pose a different set of problems from
threats to the database servers
70
Mission-Critical Components
71
Threats
• Distinguish between threats posed by internal and external users
– internal users traceable, compared to the external users.
• Basic steps
– Identify threats
– Rank threats from most probable to least probable
– Design network security policy to reflect ranking
• What are the most frequent network threats?
72
The Most Frequent Threats to the Network
73
Security Policies
• Fundamental goal: balancing act – Allow uninterrupted network access for authenticated
users
– Deny access to unauthenticated users
• Why is any network only as secure as the last attack that breached its security? – Battle between chief information security officer (CISO)
and hacker
• What are the crucial functions of a security policy?
74
Security Policies (2)
• The critical functions of a good security policy are: – Appoint a security administrator who is conversant with
users’ demands and on a continual basis is prepared to accommodate the user community’s needs.
– Set up a hierarchical security policy to reflect the corporate structure.
– Define ethical Internet access capabilities.
– Evolve the remote access policy.
– Provide a set of incident-handling procedures.
75
The Incident-Handling Process
• Why is this the most important security policy task? – Sharing resources; keeping network available
– Security breach could compromise operations
• Tools available to monitor network – Intrusion detection and prevention systems
• Monitor network activities
• Log and report nonconforming activity
– Activate response after logging • Use tools to trace source
76
Secure Design Access Controls
• Define security policy on the perimeter router – Configuring appropriate router parameters
• Configure external firewall to filter traffic based on the state of the network connection – Verify packet content against protocol requested
• Use the demilitarized zone (DMZ) for servers – Harden the servers
• Configure firewalls around DMZ • Install intrusion detection; prevention system • Address each network control access points
77
IDS Defined
• Software and hardware based IDS systems – Listens to all activities taking place
– Programmable from past activities
• Acts as both sniffer and analyzer software – Captures data packets defined by TCP/IP
• Intrusion detection outcomes – False positive, false negative, true positive, true negative
• What are the variety of functions performed?
• Snort (NIDS) and GFI LANguard S.E.L.M.
78
IDS Critical Functions
• Can impose a greater degree of flexibility to the security infrastructure of the network
• Monitors the functionality of routers, including firewalls, key servers, and critical switches
• Can help resolve audit trails
• Can trace user activity
• Can report on file integrity checks
• Can detect whether a system has been reconfigured by an attack
• Can recognize a potential attack and generate an alert
• Can make possible security management of a network by nonexpert staff
79
Figure 14.2 An example of a network-based intrusion detection system.
Network-based IDS (NIDS) sensors scan network packets at the router or host level, auditing data packets
and logging any suspicious packets to a log file. The data packets are captured by a sniffer program, which
is a part of the IDS software package. The node on which the IDS software is enabled runs in promiscuous
mode.
Network-IDS
80
A Practical Illustration of NIDS
• An example of a NIDS: Snort – Signature files used to identify potential attack
– Rules files trigger alarm and write to alert.ids
– Snort installed on node 192.168.1.22
– Security auditing software Nmap • Installed on node 192.168.1.20
• Generates ping sweeps, TCP SYN (half-open) scanning, TCP connect() scanning
• Snort used to detect a UDP attack, TCP SYN (Half-Open) scanning
81
Firewalls
• Enforces access policy between two networks
• Internal firewalls arose to protect data from unauthorized internal access
– Led to the design of segmented IP networks
• Use hardware and software technology
• Network security policy implemented in the firewall provides several types of protection
82
Dynamic NAT Configuration
• NAT: Network Address Translation
• First, configure a NAT pool
– Allocate outside addresses to the requesting inside hosts
• Next, define access-list
– Determine inside networks translated by the NAT router
• Finally, correlate the NAT pool and the access list
83
NIDS Complements Firewalls
• Why are firewalls not foolproof barriers? – Not all threats originate outside the firewall.
– The most trusted users are also the potential intruders.
– Firewalls themselves may be subject to attack.
• If the intruder is internal to the firewall, the firewall will not be able to detect the security breach. – Hence, a NIDS would play a critical role in monitoring
activities on the network and continually looking for possible anomalous patterns of activities.
84
NIDS Complements Firewalls (2)
• NIDS enhances security infrastructure – Monitors system activities – Looks for signs of attack
• Responds to the attack and generates an alarm
• Incident response emerging technology – Combines investigation and diagnosis phases – Integral part of intrusion detection and prevention technology
• Continuously evolving technologies – Firewalls, NIDS, intrusion prevention systems
• Securing network systems is an ongoing process in which new threats arise all the time.
85
Monitor and Analyze System Activities
• Low threat: immediate response not critical – Use interval-oriented data capturing, analysis – Possibly no full-time network security personnel to respond to
notification
• Imminent threat with mission-critical data – Use real-time data gathering and analysis – Automate notification
• Analysis levels: signature and statistical – Examine data packets – Look for evidence of threat – Must understand makeup of data packet
86
Signature and Statistical Analysis
• Signature analysis – Known attack patterns stored in a database
• Compare data packet contents against attack pattern in database
– Performed by most commercial NIDS products • Client may add Snort NIDS software patterns
• Statistical analysis – Identifies deviations from normal patterns
– Uses traffic pattern statistical analysis
– Clever hacker may generate false positives
87
Signature Algorithms
• Signature analysis algorithms – Pattern matching
• Use a fixed sequence of bytes in a single packet
– Stateful pattern matching • Match in context within the state of a stream
– Protocol decode-based analysis • Decode elements as client or server would
– Heuristic-based analysis • Example: signature used to detect a port sweep
– Anomaly-based analysis • Geared to look for network traffic that deviates
88
Security Countermeasures Checklist
• Countermeasures checklist disadvantages – Does not guarantee secure LAN environment – Cannot prevent all adversary penetrations
• Security comes at a cost – Expenses related to security equipment – Inconvenience, maintenance, and operation
• Evaluate acceptable risk level – Based on numerous factors
• Incorporate security throughout entire life cycle – Security policy enforcement is key
89
VIRTUAL PRIVATE NETWORKS
90
What is a VPN?
• “Fundamentally, a VPN is a set of tools which allow networks at different locations to be securely connected, using a public network as the transport layer.” -James Yonan
• The key to this technology is the ability to route communications over a public network to allow access to office servers, printers, or data warehouses in an inexpensive manner
91
Introduction
• Virtual Private Networks (VPNs) often set up within organizations
• VPN types
– Connects two separate LANs in different locations
– Remote computer connecting through the Internet to the home network
• Hardware and software costs for VPNs have plummeted in recent years
92
93
Remote Access VPN
Remote user with VPN client
VPN gateway
Server
Figure 48.1 A high-level view of a VPN
VPNs are used by businesses to allow employees access to their home networks while traveling.
Remote Access VPN
94
95
Site-to-Site VPN
VPN gateway
VPN gateway
NY Office
LA Office
History
• Telephone companies first created VPNs
– ATT offered Centrex
– Businesses leased lines from the phone company
• Early designs used hub-and-spoke architecture
– Daisy chains were used to cut costs of leased lines
96
Figure 48.3
The hub in the early days.
Hub and spoke architecture was a prominent early architecture for VPN systems using leased lines.
History
97
History
Figure 48.4
Example of a daisy chain VPN implementation
This structure was employed to reduce costs associated with utilizing leased lines in a hub-and-spoke architecture.
98
History
• VPNs were invented – Offered great return on investment
– Cheaper than using leased lines
• IPsec brought encryption to VPN in 1995 – Initially very expensive and slow
– Processing speeds today have made it available even on small routers
• Other technologies – Tun (tunnel) and Tap
99
History
• OpenVPN
– One of many open source VPNs in use today
• Secure Socket Layer VPN
– Fast-growing encryption scheme
• Transport Layer Security (TLS)
– Future for standardization
100
Who is in Charge?
• Several organizations that publish standards
– Internet Engineering Task Force (IETF)
– Institute of Electrical and Electronic Engineers (IEEE)
– American National Standards Institute (ANSI)
• Private companies working toward new protocols
101
VPN Types
• IPsec • L2TP (Layer 2 Tunneling Protocol) • L2TPv3 or higher • L2F (Layer 2 Forwarding) • PPTP (Point-to-point Tunneling Protocol) • MPLS (MultiProtocol Label Switching) • MPVPN (Multi Path Virtual Private Network) • SSH • SSL-VPN (Secure Socket Layer (SSL) VPN)
102
VPN Types (cont.)
• IPsec – Majority of processing work is done by interconnecting
hardware
• L2TP – Uses the session layer in the OSI model
– Sometimes combined with IPsec because it is a weak protocol
– Server/user setup that can handle many users at one time
103
VPN Types (cont.)
• L2TPv3 or higher
– Advancement of L2TP for large carrier-level information transmissions
– Draft protocol released in 2005
• L2F
– Developed by Cisco Systems
– Protocol allows for virtual dial-up and sharing of modems, ISDN routers, servers, and other hardware
104
Figure 48.8
The operation for tunneling Ethernet using the L2TPv3 protocol.
L2TP is an acronym for Layer 2 Tunneling Protocol. 105
VPN Types (cont.)
• PPTP VPN
– Point-to-point tunneling protocol
– Invented in 1990s by Microsoft, Ascend, 3Com, and other vendors
– Not as secure as IPsec
– Updated in 2003 to strengthen security
106
VPN Types (cont.)
• MPLS – System for large telephone companies or huge
enterprises to get great response times for VPN • With huge amounts of data
– Improvement over ATM and Frame relay
• MPVPN – Created by Ragula Systems Development Company
– Enhances the quality of service of VPNs • Can aggregate two lines to create a faster connection
107
• SSL-VPN – Interface that gives users VPN-
like services through a Web browser (not a VPN)
– OpenVPN • Open source, built on
OpenSSL
• Compatible on all platforms (Windows, Linux, BSD, MacOS)
• Embodied in firmware, incl. DD-WRT, OpenWRT, …
• openvpn.net
• SSH – Protocol that allows network
traffic to run over a secure channel between devices
– uses public-key cryptography
VPN Types (cont.)
108
Authentication Methods
• Usernames and passwords are most common authentication methods
• Random number generators on tokens are also used for authentication
• Hashing – Mixing up the characters in encryption scheme using a
computer algorithm
• HMAC (keyed Hash Message Authentication Code) – Type of encryption that uses an algorithm together with a key
109
Authentication Methods (cont.)
• MD5
– One of the best file integrity checks available today
• SHA-1
– Secure hash algorithm with 160 bits
– Designed by the National Security Agency
– SHA-224 to SHA-512 also exist • Number refers to the number of bits in the algorithm
110
Symmetric Encryption
• Sender and receiver have the same key
• DES and AES
– Common symmetric encryption standards
• Once AES was released, DES was withdrawn and 3-DES released
– 3-DES repeats DES encryption process two more times
111
Asymmetric Cryptography
• RSA protocol
– Implementation of public/private key cryptography
– Algorithm uses two large random prime numbers
– Can be used for digital document signing
112
Edge Devices
• Additional security measure on the “edge” of a network
– having two locked doors is better than one.
– Edge devices such as a random number-generating token are used to increase security along with usernames and passwords
• Authentication scheme uses a key fob with a random number generator
– The number changes every 30 to 60 seconds
– Username and passwords must also match for the user to be allowed access
113
Passwords
• Weak passwords – Words that can be found in the dictionary
– Short combinations of numbers
• Strong passwords – Use multiple words, mixed spelling, and mixed upper and
lower case
– Add numbers in with characters
– Use special characters
– Long password (> 12 characters)
114
Hackers and Crackers
• Methods to secure your network
– Use 256 or 512-bit encryption systems
– Have users change VPN passwords frequently
– Don’t give out your VPN password
– Deactivate accounts that have not been used for 30 days • Remove stale accounts from the system
115
Mobile VPN
• Host Identity Protocol (HIP)
– Protocol to keep mobile devices connected
• No standard yet
– IETF studying mobile technology and working toward a standard
116
OTHER SECURITY ISSUES
117
Other Security Issues
• Leakage prevention – Malicious leakage
– Unintentional leakage
• Data Retention – Legal compliance
• Disaster recovery & business continuity
• Insider threat prevention and detection/auditing
• Patch updates
• Hire competent people!!!
118
business.time.com
119
Don't be too greedy! Ref: krebsonsecurity.com, 3/10/2014
"Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans."
120
VPN from SSH Tunneling/Port Forwarding
A Poor-man's VPN
Secure SHell
• Replaces insecure "telnet"
• And does a lot more
122
• Local port forwarding – Forward local port on SSH
client to destination via SSH server
• Remote port forwarding – Forward remote port on SSH
server to destination via SSH client
• Dynamic port forwarding – Forward all traffic on SSH
client to various destinations via SSH server
• Conditions – SSH server can be directly
accessed by SSH client
– Port forwarding is enabled on SSH server
– Destinations are addressable • By SSH server for LPF & DPF
• By SSH client for RPF
– For DPF, each application must be configured to use SOCKS as a proxy
3 Modes of Port Forwarding
123
Scenario: Firewall Blocks Access to Application Server but Allows Access to SSH Server
App server with open port wxyz
Allowed
Blocked
Firewall SSH server
Remote client
124
SSH Local Port Forwarding
SSH server
App server
Allowed
Made possible indirectly
Firewall
ssh johnny@ssh-server –L lport:app-server:rport
Port lport on “localhost”
Port rport
Forward to rport
port lport on “localhost” is mapped/forwarded to port rport on app-server
Remote client
125
Eg 1: Remote Desktop Connection via SSH Tunneling
SSH server
Accept remote desktop connection
Allowed
Made possible indirectly
Firewall
ssh johnny@ssh-server –L 53389:win-server:3389 Set “localhost:53389” as “remote computer”
“localhost:53389”
Port 3389
Forward to 3389
Remote client
2
1
126
IPSEC
127
Securing network layer
• IPsec provides security services at the Network/IP Layer
• IPsec is currently the only security protocol that secures all Internet traffic at and above IP layer
IPsec Tunnel
128
Communication between layers
Application layer
TCP layer
IP layer
Network driver
Application layer
TCP layer
IP layer
Network driver
IP layer
Network driver
IP layer
Network driver
message
TCP payload
IP payload
Data link payload
IP payload
Data link payload
Host A Host B Router Router
129
Application of IPsec: Virtual Private Network (VPN)
(gateway to gateway)
(gateway to gateway)
130
Typical TCP/IP packet
Ethernet header
IP header
TCP header
Data Ethernet
checksum
131
IPv4 Header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
IHL: Internet Header Length Total length: length of datagram Red box: AH mutable—modified by routers, i.e., cannot be protected Yellow box: modified by routers, but restored before being checked by AH Destination address is mutable in “source routing” option, but predictable so not choose as mutable in AH
padding
version IHL Service type total length
identification flags Fragment offset
Time to live protocol Header checksum
Source address (32 bits)
Destination address (32 bits)
options
132
IPv6 Header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Simplified, but allows extension via “Next Header” field. Red box: mutable for AH
version traffic class flow label
payload length next header hop limit
source address (128 bits)
destination address (128 bits)
133
IPv6 extension headers
• Optional IP information is encoded in separate headers, and placed between the IPv6 header and the upper-layer header.
• There are 6 possible extension headers, appearing in the following order (note the 2 DOHs !) – Hop-by-Hop Options header – Destination Options header – Routing header – Fragment header – Authentication header – Encapsulating Security Payload header – Destination Options header
134
Data flow & headers
Host A Host B Routers
Application
TCP
Ethernet driver
IP
Application
TCP
IP
Data link
IP
Ethernet driver
data
ETH H
TCP H data
IP H TCP H data
IP H TCP H data
data
ETH H
TCP H data
IP H TCP H data
IP H TCP H data
135
7 groups in IPsec docs
Authentication Algorithm
Architecture
Encryption Algorithm
ESP Protocol
AH Protocol
DOI
Key Management
136
ESP and AH
• AH provides integrity
• ESP provides integrity in addition to optional encryption
• There are not same: both provides integrity protection of everything beyond the IP header, but AH provides integrity protection for some of the fields inside the IP header as well
137
IPsec v.s. SSL and others
TCP
IP
Network driver
Appl IKE (ISAKMP/Oakley in IPsec), S/MIME, Kerberos, Proxies, SET, PGP
Application Layer
Transport Layer
Network Layer
Data link Layer
SSL, TLS, SOCKS
AH, ESP (in IPsec), Packet filtering,
Tunneling (L2TP, PPTP, L2F), CHAP (challenge handshake protocol) PAP (password auth. protocol), MS-CHAP
138
Tunneling/Encapsulation
• a technique to wrap a packet in a new one, by attaching a new header to the original one
• the entire original packet becomes the payload of the new one
• 2 advantages
– to carry traffic from a different network protocol
– to provide total protection of the encapsulated packet, including address information
139
Tunneling (cnt’d)
Payload IP header New IP header
payload of the new IP packet
140
2 operation modes of IPsec (both for AH & ESP)
TCP header
Data/ message
IP header
TCP header
Data/ message
New IP header
IPsec header
IP header
Data/ message
IPsec header
IP header
Original IP packet
Transport mode protected packet
Tunnel mode protected packet
TCP header
141
Use of the modes
• transport mode
– for end to end security
• tunnel mode
– for end to end security, but mainly for gateway to gateway security (a gateway is an intermediate system s.a. a router or a firewall)
host A
host B
host A
host B
gate way
gate way
142
ESP
• ESP is a protocol header inserted into an IP packet to provide the following services: – data confidentiality – limited traffic flow confidentiality – connectionless data integrity – data origin authentication – optionally, counter replying
• modes of operation – transport mode (to be inserted between an IP header and an upper
layer protocol header s.a. TCP or UDP header) – tunnel mode (to encapsulate an entire IP datagram)
143
ESP protected IP packet
ESP trailer
ESP header
IP header
protected data
encrypted
authenticated
ESP Auth.
144
ESP Protected data
TCP header
Data/ message
IP header
Data/ message
Transport mode protected data
Tunnel mode protected data
TCP header
145
ESP protected IP packet (cnt’d)
protected data
SPI (security parameters index)
IP header
sequence #
IV (initialization vector)
pad pad length next header
authenticator/ICV
en
crypted
auth
en
ticated
ESP header
ESP trailer
ESP Auth. (integrity checking value ICV) 146
ESP: integral part of IPv6
protected data
SPI (security parameters index)
IP header
sequence #
IV (initialization vector)
pad pad length next header
authenticator/ICV
en
crypted
auth
en
ticated
ESP header
destination options
extension headers
ESP trailer
ESP Auth.
147
Algorithms for ESP
• encryption – mandatory: DES-CBC
– optional: CAST, RC5, IDEA, 3DES, AES, …
• authentication – mandatory keyed hash
• HMAC-SHA-96, HMAC-MD5-96
– optional: DES-MAC
• (does not have digital signature currently)
148
AH
• AH is a protocol that provides every service ESP provides except confidentiality, namely: – connectionless data integrity
– data origin authentication
– optionally, counter replying
• modes of operation – transport mode (to be inserted between an IP header and
an upper layer protocol header s.a. TCP or UDP header)
– tunnel mode (to encapsulate an entire IP datagram)
149
AH authenticated IP packet
AH header
IP header
protected data
authenticated (except mutable fields)
SPI (security parameters index)
sequence #
authenticator/ICV
reserved payload length next header
150
AH: integral part of IPv6
AH header
IP header
protected data
authenticated (except mutable fields)
ext. headers
dest. options
151
AH Protected data (same as ESP)
TCP header
Data/ message
IP header
Data/ message
Transport mode protected data
Tunnel mode protected data
TCP header
152
A B
Gateway Gateway
New IP Header
AH or ESP Header
TCP
Data
Orig IP Header
Encrypted tunnel
Tunnel Mode
153
Algorithms for AH
• authentication
– mandatory keyed hash • HMAC-SHA-96, HMAC-MD5-96
– optional: DES-MAC
• no public key based digital signature currently
154
ESP or AH?
• AH protects IP header itself whereas ESP only protects everything beyond the ESP header
• AH friendly to export control? • AH designed by IPv6 guys and ESP did not really
care about IPv6, just make it work • Modified TF-ESP works with firewall and NAT
(copy ports etc. info in clear text) • In AH, MAC before data, in ESP MAC after data
(efficiency for data delivery) 155
IKE
• For AH or ESP to protect IP packets, a Security Association (SA) must be first established between two communicating parties
• This is done dynamically by using IKE. IKE negotiates SAs on behalf of IPsec and populates entries in the relevant Security Association Database (SADB).
156
Security association (SA)
• A container to store information on
– all the security parameters required
– Can be viewed as a generalization of shared secret “keys”
– Can also be viewed a secure channel/connection built on top of the shared keys
• for one-way/unidirectional secure communications between two hosts (except IKE SA)
– (need 2 SAs for two-way communications)
157
Data in an SA
1. Mode of the authentication alg. for AH, and keys to the alg.
2. Mode of the encryption alg. for ESP, and keys to the alg.
3. Presence & size of crypto synch for the encryption alg.
4. How to authenticate (what protocol, algorithms and keys)
5. How to secure data (what protocol, algorithms and keys )
6. How often to change/refresh keys
7. How to authenticate in ESP (alg. mode., transform, and keys)
8. Lifetimes of keys
9. Lifetime of the SA itself
10. Source address of the SA
158
2 phases in IKE
• Purpose of Phase 1
– To establish an IKE SA (also called ISAKMP SA) between the 2 IKE peers. This IKE SA is subsequently used in Phase 2 to establish, in a secure way, general purpose SAs for all IPsec security services
• Purpose of Phase 2
– To negotiate & establish, in a quick way, IPsec SAs required for various security services, by the use of the IKE SA established in Phase 1
159
Modes in IKE
• 2 modes for Phase 1 – Main mode (mandatory)
• Being able to protect identities
– Aggressive mode (optional) • Using only 3 message flows rather than 6
• 1 mode for Phase 2 – Quick mode
• Other modes – Informational modes – New group mode for new Diffie-Hellman groups
160
Phase 1 main mode (6 messages)
Responder Initiator Offer proposal with multiple transforms
Accept one
DH pub key & additional data
DH pub key plus additional data
ID & authenticator
ID & authenticator
161
Phase 1 aggressive mode (3 messages)
Responder Initiator Offer proposal with multiple transforms, DH pub key, ID, additional data
Return proposal with a single transform, DH pub key, ID, authentication data, additional data
Authentication data
162
Phase 2 quick mode (3 messages)
Responder Initiator ISAKMP header for quick mode, (HASH1, SA with multiple transforms, Noncei, DH pub key of initiator (optional, for PFS only), IDi, IDr ) key-SKEYID-e
ISAKMP header for quick mode, (HASH2, SA with single transform, Noncer, DH pub key of responder (optional, for PFS only), IDi, IDr ) key-SKEYID-e
ISAKMP header for quick mode, ( HASH3 ) key-SKEYID-e
Note: HASHi acts as an authenticator
163
Efficiency of IKE
A single IKE SA in Phase 1
Phase 2 negotiation 1 Phase 2 negotiation n ……
IPsec SA1 IPsec SAt … IPsec SA1 IPsec SAs … …
Multiple Phase 2 negotiations
IPsec SA bundle
IPsec SA bundle 164
E/D Network
encrypted hash value
E/D
initiator
pre-shared secret
Responder
encrypted hash value
HASHI HASHI
HASHR HASHR
165
IKE Phase I: Pre-Shared Key
sign Network
HASHI
signature
of HASH-I
HASH-R
sign
OK
initiator Responder signature
of HASH-I
HASH-R
OK HASHR
responder initiator
initiator private key
responder private key
verify
verify
166
IKE Phase I: Digital Signature
encrypt Network
NONCEI
encrypted
NONCE-I
NONCE-R
encrypt
initiator Responder encrypted
NONCE-I
NONCE-R
NONCER
responder initiator
initiator private key
reponder private key
decrypt
decrypt
NONCER
NONCEI
167
IKE Phase I: Public Key Encryption
Transport adjacency
host A
gate Way 1
SA 1 (ESP transport)
SA 2 (AH transport)
host B
gate Way 2 Internet
168
Iterated tunnelling (1)
host A
gate Way 1
SA 1 (tunnel)
SA 2 (tunnel)
host B
gate Way 2
Both end-points for the SAs are the same
Internet
169
Iterated tunnelling (2)
host A
gate Way 1
SA 1 (tunnel)
SA 2 (tunnel)
host B
gate Way 2
one end-point for the SAs is the same
Internet
170
Iterated tunnelling (3)
host A
gate Way 1
SA 1 (tunnel)
SA 2 (tunnel)
host B
gate Way 2
neither end-point for the SAs is the same
Internet
171
Is it for IPsec?
If so, which policy
entry to select?
…
SPD
(Policy)
…
SA Database IP Packet
Outbound packet (on A)
A B
SPI & IPsec
Packet
Send to B
Determine the SA and its
SPI
IPsec processing
172
Outbound Processing
Use SPI to
index the SAD
…
SA Database
Original IP Packet
SPI & Packet
Inbound packet (on B) A B
From A
…
SPD
(Policy)
Was packet properly
secured?
“un-process”
173
Inbound Processing