
Page 1: Network Access Control Guide

SearchSecurity.com, Copyright TechTarget 2006

Network access control Learning Guide
SearchSecurity.com and SearchWindowsSecurity.com

From PDAs to insecure wireless modems, users have myriad options for connecting to -- and infecting -- the network. Created in partnership with our sister site SearchWindowsSecurity.com, this guide offers tips and expert advice on network access control. Learn how unauthorized users gain network access, how to block and secure untrusted endpoints, and get Windows-specific and universal access control policies and procedures.

TABLE OF CONTENTS

- Securing remote access points .......... 4
  - Book chapter: Remote access as an attack vector
  - PDF: IPsec and SSL VPNs: Solving remote access problems
  - Product review: 2006 Remote access Products of the Year
  - Technical tip: A five-point strategy for secure remote access
  - Technical tip: Remote user security checklist
  - Technical tip: Five steps to controlling network access
  - Technical tip: Secure data transmission methods
  - Technical tip: How to stop a rogue user from circumventing network security
  - Technical tip: Guarding against malware infection from remote users
  - Technical tip: Remote network access from privately-owned machines
  - Technical tip: Ten tips for safe computing on a public LAN

- Endpoint security tactics .......... 21
  - PDF: Five best strategies for endpoint security
  - PDF: Layered access control: Six top defenses that work
  - Product review: Hot Pick: Fireball KeyPoint
  - Product review: End of the line
  - Product review: Hark! Who goes there?
  - Technical tip: Effective endpoint security without a significant investment
  - Technical tip: Painful patching: How to lock down networked devices
  - Technical tip: The key to locking out mobile threats
  - Technical tip: Tips for securing iPods in the enterprise

- Network architecture controls .......... 35
  - Glossary definition: DMZ (SearchSecurity.com)
  - Glossary definition: VLAN (SearchSecurity.com)
  - Book chapter: Secure LAN switching (SearchSecurity.com)
  - Expert advice: How to protect a LAN from unauthorized access (SearchSecurity.com)
  - Expert advice: Designing DMZs with various levels of access (SearchSecurity.com)
  - Technical tip: Using 802.1X to control physical access to LANs (SearchSecurity.com)
  - Technical tip: Life at the edge: Securing the network perimeter, Part 2 (SearchSecurity.com)
  - Technical tip: VLAN security (SearchSecurity.com)
  - Technical tip: Popular VLAN attacks and how to avoid them

- Firewalls .......... 46
  - Product review: 2006 Network Firewall Products of the Year
  - Technical tip: How to choose a firewall
  - Technical tip: Choosing the right firewall topology
  - Technical tip: Placing systems in a firewall topology
  - Technical tip: Auditing firewall activity
  - Technical tip: Activating an XP firewall on a LAN
  - Technical tip: Traffic flow considerations for the Cisco PIX Firewall
  - Technical tip: Firewall security tips
  - Technical tip: Firewall redundancy: Deployment scenarios and benefits

- VPNs .......... 61
  - Glossary definition: SSL
  - Glossary definition: IPsec
  - Book chapter: Crypto basics: VPNs
  - Product review: SSL VPN: AEP SureWare A-Gate AG-600
  - Product review: Corrent VPN 'connects' with Check Point software
  - Quiz: SSL vs. IPsec VPNs
  - Technical tip: Letting telecommuters in – Your VPN alternatives
  - Technical tip: The inherent capabilities of IPsec selectors and their use in remote-access VPNs
  - Technical tip: VPN fast facts: True or false?
  - Technical tip: Client-side security considerations for SSL VPNs

- Windows-specific network access control procedures .......... 76
  - Book chapter: Access control entries
  - Book chapter: Six steps for deploying Network Access Quarantine Control
  - Checklist: Hardening Windows School: Advanced checklist on network access quarantining
  - Checklist: Harden access control settings
  - Expert advice: Security risks associated with granting permissions in Windows XP
  - Expert advice: How to deny access when connecting to a share on a Windows 2003 Server
  - Expert advice: How to detect when non-domain laptops are plugged in to Windows Server 2003
  - Expert advice: How to set up dual administrative controls for tighter security in Windows 2000
  - Expert advice: How to remove specific permissions from an account operator in Windows 2000
  - Expert advice: How to check which permissions are assigned to a user or group in Windows 2000
  - Expert advice: How to set NTFS permissions on Windows 2000 Terminal Services
  - Expert advice: Limiting user and admin access
  - Opinion: Network admins needs Microsoft-Cisco unity
  - Step-by-Step guide: Network Access Quarantine Control
  - Technical tip: Lock down user access and privileges
  - Technical tip: Permissions basics for Windows 2000
  - Technical tip: NTFS default permissions for Windows 2000
  - Technical tip: How to implement permissions in Windows 2000/NT

- Network access control policies .......... 124
  - Expert advice: Distinguishing a remote access policy from a portable computing protection policy
  - Technical tip: Policies for reducing mobile risk
  - Technical tip: Laptop security policy: Key to avoiding infection
  - Technical tip: Work with users to secure new technologies in the enterprise
  - Technical tip: The benefits of writing a policy before a new system deployment
  - Technical tip: Managing network policy
  - Technical tip: Top 10 network security tips


Securing remote access points

Book chapter: Remote access as an attack vector
16 Jun 2005 | Larstan Publishing

In this excerpt of Chapter 7 from "The Black Book on Corporate Security," authors Howard Schmidt and Tony Alagna analyze how "unmanaged" remote access can serve as an attack vector.

There are many different types of remote access solutions for mobile employees. There is SSL VPN, which is a Web-based VPN device. There are also different types of Webmail as well as Outlook Web Access. Also, some bigger companies like Citrix have secure gateways. Classic IPsec VPNs, as well as different types of portals and intranets and extranets, can also be used for mobile computing.

The quality that all remote access has in common, regardless of the method used, is that it is an endpoint machine and is as vulnerable as any other system on the Internet. In some cases, they are managed machines -- a corporate-issued asset that is managed by corporate IT and carries all of the corporate-provisioned security programs.

Corporate resources can now be accessed from anywhere, with most places far from trustworthy. The danger here is extreme, because mobile computing environments plug into random places and in unmanaged systems. Vendors are aware of this security threat, and they're increasingly recommending the deployment of different types of security and scanning technologies. The problem is that most security technologies are not readily deployable. Antivirus is a very large application, so it is not practical to have anyone who is logging in remotely download this software and then scan the hard drive for half an hour before they can access email. Antivirus-type technologies in the "unmanaged space" must be behavioral, small, fast and transactional. Some are emerging in the marketplace.

However, the vulnerability in this mobile communication model is obvious. Besides the general threat of malicious code, these machines have no physical access restrictions. Anybody can load whatever they want on it (the risk of a keystroke-logger, regardless of whether it has network connectivity, is huge). A person can walk up five minutes before it was used and five minutes after it was used and capture everything that was done on that machine between those two time points.

The threat of malicious code is even greater in this unmanaged machine space. Sometimes the people using IPsec VPNs feel safe because this technology prevents split-tunneling (the ability for two or more applications to be communicating simultaneously while the VPN connection is going). Preventing split-tunneling only creates an illusion of safety.

A reverse-connecting Trojan functions in the same way in this environment as it does in a corporate environment, by initiating its connection sequence inside out. So, if users can see the Internet, then so can the malicious code. Even without Internet access, malicious code can be scripted to steal or perform actions whenever it comes back online. Malicious code is basically winning in every environment regardless of the situational defenses. All situational defenses can do is minimize the types of attacks; they cannot stop attacks.

2006 Remote access Products of the Year
02.01.2006 | SearchSecurity.com

VPN 3000 Series Concentrators
Cisco Systems, www.cisco.com
With the proliferation of laptops, PDAs and other mobile devices requiring access to the corporate network, a VPN purchase is no longer an impulse -- it's an imperative. The offerings have mushroomed, particularly SSL VPN products, forcing IPsec-dependent market leaders to broaden their scope. Included in this wave are Cisco Systems' VPN 3000 Series Concentrators -- a smart move judging by the number of readers who raved about its endpoint security and ease of use. For this reason, the Concentrators were awarded the gold medal in remote access.

"Concentrators have proven to be the most compatible and secure, and provide the best ease-of-use out of all the remote access devices I have encountered," wrote one enthusiastic user. Others who helped make the series' six models collectively tops were especially pleased with the Concentrators' security, including their firewall capabilities through stateless packet filtering and granular access control. The majority also gave their thumbs-up approval to the wide range of features, documentation and vendor support.

"An excellent tool," said one user.

Scalability is a strong driver. Cisco VPN 3005 and 3015 are designed for small- to mid-sized enterprises, promising between 100 and 200 simultaneous IPsec sessions, or 50 and 75 WebVPN sessions. The 3020 and higher are geared more toward larger companies, supporting up to 10,000 IPsec, or 500 clientless sessions running concurrently in the 3080 model.

A big plus, according to users, is the VPN series' versatility. Recognizing that SSL VPN providers were gaining market share, Cisco made sure its 3000 series offered both IPsec- and SSL-based connectivity on a single platform. This allows almost any device within the corporate network to establish an end-to-end secure connection using public networks.

In addition, customers like how easily the Concentrators can be managed through their simple Web-based interface to configure mobile devices and monitor all remote-access users. That includes pushing policies and updates through the VPN to users and then scanning for continued compliance before a machine is allowed on to a network.

Some respondents were glad to discover that the VPN 3000 Concentrators work well with other applications.

"[We] rarely have problems with these devices," one user wrote. Another summed it up this way: "[Concentrators are] just plain easy."

VPN-1
Check Point Software Technologies, www.checkpoint.com
This is the other half of the medal-winning Check Point package (with FireWall-1). One user calls it "the most compatible, secure remote access device." It wins high praise for security, performance and overall quality.

VPN Gateway
Nortel Networks, www.nortel.com
"Stable, reliable, robust. Just keeps working." VPN Gateway users particularly like its performance and give it consistent "excellent" ratings for security.

A five-point strategy for secure remote access
25 July 2005 | George Wrenn | SearchSecurity.com

Managing secure remote access is a tough job. Because remote systems may directly connect to the Internet rather than through the corporate firewall, they pose an increased risk to your network environment. Virus and spyware protection, and a general VPN network policy isn't enough to keep these systems -- and the network they connect to -- safe. Here are five best practices for providing secure remote access.

1. Software controls policy
Create a policy that defines the exact security software controls that must exist on systems with remote access. For example, you may need to spell out that antivirus, anti-spyware and desktop firewalls must be installed and configured in a specific manner with the latest signatures, along with which vendors are acceptable. The best practice is to distribute the policy along with the connection setup or similar instructions for end users. Often a zero-tolerance policy is best for endpoint security. End users should meet a set of guidelines before connecting to the network. No AV, antispyware and desktop firewall? No remote access allowed. The policy should also spell out what ports and services may be exposed on the system.


2. Endpoint security management
Choose a vendor that offers comprehensive endpoint security management and policy enforcement as part of their VPN or remote access solution. It is best to mandate that all remote users use the enterprise-sponsored VPN client. That's the only way you are going to get true policy compliance and assurance of endpoint security posture. Your chosen remote access solution should be able to refuse connections for endpoint systems that do not meet the policy compliance checks. Ideally, the solution should tell end users which items are out of compliance so they can remediate the situation prior to attempting to reconnect. This cuts down on help desk calls.

3. Enforce corporate policy compliance
Inform end users that corporate security policy extends to their remote desktop when connected to the enterprise network. For example, no file sharing and other disallowed use while connected to the corporate network.

4. Reporting features
Reporting on end user compliance is critical. Most of the solutions mentioned above offer reporting capabilities to keep admins updated on the status of the connecting endpoints. Depending on the number of users you have to manage, it may be wise to set up alarms that email admins when a machine that is significantly out of compliance tries to connect. In some cases administrative intervention may be warranted -- especially when other access methods to the network may exist.

5. Periodically review policy and reports
Every couple of months, review policies and reports to identify trends and patterns in access violations. This is important to ensure that the policy and technical controls are addressing your remote access security needs. If you find trends in access violations, add or modify policies accordingly.

About the Author: George Wrenn, CISSP, ISSEP, is a technical editor for our sister publication Information Security magazine and a security director at a financial services firm. He's also a graduate fellow at the Massachusetts Institute of Technology.
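The five points above describe a policy-driven admission decision: a written control policy (1), an enforcement point that refuses non-compliant endpoints and tells the user what to fix (2), alarms for machines that are badly out of compliance (4), and periodic trend review (5). The following is an added example, not the author's code or any vendor's product, that expresses that flow as a small posture evaluator. The approved vendor names, signature-age limit, allowed listening ports, reference date and the three sample endpoint reports are all constructed for illustration; a real VPN client would supply the posture data.

```python
"""Endpoint posture check in the spirit of the five-point strategy.

Added example, not the author's code. Vendor names, thresholds, the reference
date and the sample posture reports are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Step 1: the software controls policy, expressed as data.
APPROVED_AV_VENDORS = {"VendorA", "VendorB"}      # constructed vendor names
MAX_SIGNATURE_AGE = timedelta(days=3)
ALLOWED_LISTENING_PORTS = {443}                    # any other open port is a finding
ALERT_THRESHOLD = 2        # step 4: this many findings or more pages an admin
TODAY = date(2006, 1, 15)  # constructed reference date for the samples


@dataclass
class Posture:
    """What the VPN client reports about the connecting endpoint."""
    host: str
    av_vendor: Optional[str]            # None: no antivirus installed
    av_signature_date: Optional[date]
    antispyware_installed: bool
    desktop_firewall_enabled: bool
    listening_ports: set = field(default_factory=set)


@dataclass
class Decision:
    admit: bool
    findings: list            # step 2: what the user must remediate
    alert_admin: bool         # step 4: significant non-compliance


def evaluate(p: Posture, today: date = TODAY) -> Decision:
    """Zero-tolerance check (steps 1 and 2): any finding refuses the connection."""
    findings = []
    if p.av_vendor is None:
        findings.append("no antivirus installed")
    else:
        if p.av_vendor not in APPROVED_AV_VENDORS:
            findings.append(f"antivirus vendor {p.av_vendor!r} not approved")
        if p.av_signature_date is None or today - p.av_signature_date > MAX_SIGNATURE_AGE:
            findings.append(f"antivirus signatures older than {MAX_SIGNATURE_AGE.days} days")
    if not p.antispyware_installed:
        findings.append("no antispyware installed")
    if not p.desktop_firewall_enabled:
        findings.append("desktop firewall disabled")
    extra = sorted(p.listening_ports - ALLOWED_LISTENING_PORTS)
    if extra:
        findings.append(f"disallowed listening ports: {extra}")
    return Decision(admit=not findings, findings=findings,
                    alert_admin=len(findings) >= ALERT_THRESHOLD)


def sample_postures():
    """Constructed reports: one compliant laptop, one with stale signatures, one bare."""
    return {
        "laptop-01": Posture("laptop-01", "VendorA", TODAY - timedelta(days=1), True, True, {443}),
        "laptop-02": Posture("laptop-02", "VendorA", TODAY - timedelta(days=10), True, True, {443}),
        "laptop-03": Posture("laptop-03", None, None, False, False, {443, 135, 445}),
    }


def finding_trends(decisions):
    """Step 5: count each finding type across a batch of reports to spot trends."""
    counts = {}
    for d in decisions.values():
        for f in d.findings:
            key = f.split(":")[0]      # group the port findings under one key
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    decisions = {h: evaluate(p) for h, p in sample_postures().items()}
    for host, d in decisions.items():
        status = "admit" if d.admit else "refuse"
        print(f"{host}: {status}" + (" [alert admin]" if d.alert_admin else ""))
        for f in d.findings:
            print(f"    fix: {f}")
    print("trends:", finding_trends(decisions))
```

The findings list is what the enforcement point would hand back to the user (step 2), the alert flag is what would drive the admin email (step 4), and the trend counts are the raw material for the periodic review (step 5). Keeping the policy as data at the top of the file is what makes step 5 cheap: tightening the signature-age limit or adding an approved vendor is a one-line change.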

Remote user security checklist
22 Nov 2005 | Kevin Beaver | SearchWindowsSecurity.com

At some point in time, odds are you've had remote users connecting to your network. Telecommuting has several proven productivity and environmental benefits, but it doesn't come without its drawbacks -- mostly in the form of information security risks. What happens if your remote users' computers have viruses or they transmit sensitive emails and instant messages over an unsecured wireless link? How about when systems that aren't properly protected can connect directly to your network -- thus offering a direct inbound link to anyone wanting to get inside and poke around maliciously?


Arguably, many bad things can happen. Unauthorized information access can take place, information leakage can occur, and there's always a possibility that malware can seep in through your otherwise hardened network border.

Before you create any new policies or lock down your remote systems, it's very beneficial to determine which remote access vulnerabilities currently exist in your environment. Doing that not only finds missing patches, but it also digs in deeper to find misconfigurations, unnecessary shares, null session connections and other exploitable vulnerabilities you would not otherwise be able to dig up easily. I suggest you use a vulnerability assessment tool such as Tenable Network Security's NeWT, GFI Software Ltd.'s LANguard Network Security Scanner or Qualys Inc.'s QualysGuard.

Use one (or more) of these tools on your internally supported images for laptops and desktops and, if it makes sense, test remote systems owned by your users as well. If the latter is not an option for political or resource limitation reasons, you could easily document instructions for your remote users to do it themselves. Consider having them install and run the Microsoft Baseline Security Analyzer (MBSA) on their systems and sharing the reports with you. You could even automate this via login scripts and/or Group Policy in Windows. Remember, there are reasons your organization's assets must be protected.

Once you've determined where your weaknesses exist and have addressed the issues, use the following checklist of common and not-so-common security safeguards to be sure you've got your remote systems locked down:

1. Ensure that personal firewall software is installed (Windows Firewall in XP SP2+, BlackICE and so on) and at least provides inbound protection -- outbound application protection is nice, especially if you can configure it so your users aren't hindered by the constant outbound connection requests.

2. Require malware protection (antivirus and antispyware) on every system and ensure that updates are being applied in real-time if possible to prevent unnecessary infections.

3. Enable strong file and share permissions on remote hard drives and other storage devices -- especially on Windows 2000 and NT systems that allow everyone full access by default.

4. Have a written policy and documented procedures in place for managing patches. For example, enable real-time Automatic Updates or roll out patches using an existing patch management system.

5. Disable null session connections to prevent the unauthorized gleaning of user names, security policy information and more from remote systems.

6. Implement a VPN (the free Windows-based PPTP is a decent option) or make sure you're running a secure alternative connection such as Windows Remote Desktop or Citrix.


7. Remember to include remote users, computers and applications in your security incident response plan and disaster recovery plans. Those are common oversights that can rattle your nerves if they catch you off guard.

8. Your users will likely download and install IM, P2P and other applications that you can't support or otherwise make you nervous, so be prepared to prevent it in the first place via accounts with minimal privileges (think Windows Vista new feature) and periodic scans of systems looking for such software. Or, standardize on a small number of applications you can manage comfortably. They're going to do it anyway, so the latter option might be the easiest.

For systems configured to use 802.11-based wireless (or ones that may be used as such in the future), don't forget the following safeguards:

1. Enable WEP at a minimum since it's a lot better than nothing, but ideally have users enable WPA2-PSK with strong (20+ random characters) pass-phrases.

2. Require your users to use directional antennae instead of the omni-directional ones that come stock on practically all APs.

3. Enable MAC address controls, which help keep non-techies from snooping or accessing your network (techies know how to spoof their MAC addresses to get around this).

4. If possible, require a specific vendor/model of AP and wireless NIC to ensure they're hardened consistently according to your standards and so you can stay abreast of any major security alerts and necessary firmware or software updates.

5. Remember that users may connect to your network via public hotspots, so make sure you and they understand the security implications and have the proper safeguards in place.

6. Enable secure messaging if a VPN or other hotspot protection is not available via POP3s, SMTPs, Webmail via HTTPS and other built-in controls.

7. Disable Bluetooth if it's not needed. Otherwise, it's too risky by default so lock it down.

These relatively simple and mostly free remote access safeguards, combined with a reasonable information security awareness program, will go a long way toward securing your offsite computers and protecting those things you cannot afford to lose.

About the Author: Kevin Beaver is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Beaver has written five books, including Hacking for Dummies (Wiley), Hacking Wireless Networks for Dummies and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).


Five steps to controlling network access
16 Nov 2004 | Wes Noonan | SearchWindowsSecurity.com

Wes Noonan, author of Hardening Network Infrastructures, reviews steps you can take from both a Windows and network perspective to protect your data regardless of what is occurring at the network perimeter.

One common security mistake is to treat the network and applications as separate entities that never interact. You may have separate people maintaining them, separate security policies, separate procedures and so on. Hardening Windows servers will go a long way toward protecting the integrity of the data on those servers, but you must also harden the network infrastructure itself. Start by taking the following five steps.

1. Implement access control lists (ACLs)
If someone can get inside your network, they can gain access to your Windows systems. You need to implement strict ACLs on your network equipment and grant access only to those users that require it. For example, do users in Houston ever need access to systems in New York? If not, chances are the traffic passing between those systems isn't essential to the business.

2. Implement network-based access control (NBAC)
Connecting systems to the network used to be a hassle: You had to build the network drivers, assign addresses and physically connect systems to get them to talk. Although this made it difficult for unauthorized systems to easily connect to the network, it created excessive administrative overhead. Then technologies like star-wired networks and Dynamic Host Configuration Protocol (DHCP) made it exceedingly simple to connect systems to the network. At first I rejoiced! But now I realize anyone can connect to the network. In fact, approximately 90% of the customers I visit have live network jacks that I can easily plug into to gain network access even if they have some written policy that states unauthorized connections are not permitted.

NBAC seeks to provide an enforcement mechanism to support those written policies. With NBAC, you want to define what is an authorized user and ensure connected systems are running the appropriate patches and software versions. If they aren't, they are placed in quarantine until the system is patched or updated.

3. Restrict remote connections
Implementing a VPN can be a risky endeavor. It permits network access for both users and viruses. Instead of allowing VPN access to your entire network, implement network ACLs that restrict remote users only to the servers and resources they need. For instance, using a VPN to connect Citrix or Terminal Server farms ensures that the only traffic allowed through the VPN is the Citrix traffic to the Citrix servers; if a remote client's system is infected, it will not infect your network.


4. Restrict and secure wireless connections
If implemented behind your firewall, wireless LAN connections create a particularly large, gaping hole in your network perimeter. As a result, your wireless LAN connections should be treated like any other remote connection: Terminate them outside your firewall and require a VPN connection to gain access to internal and protected resources.

5. Implement IPsec
Implementing IPsec on your network is a great way to protect data in transit from being compromised. But it's no panacea. For example, if a machine is infected with Slammer, IPsec will only ensure the Slammer traffic is encrypted before it is transmitted. When used in conjunction with the other hardening methods, however, IPsec can serve as an effective method for protecting your internal traffic from prying eyes.

Due to network de-perimeterization, you can no longer rely exclusively on the network perimeter to protect systems and data. Removing the perimeter entirely is not the solution, nor is hardening the perimeter alone. You must also harden your Windows systems and network infrastructures to protect data in the event that the network perimeter fails or is circumvented.

About the Author: Wesley J. Noonan has been working in the computer industry for over 12 years, specializing in Windows-based networks and network infrastructure security design and implementation. He is a senior network consultant for Collective Technologies, LLC (www.colltech.com). Wes recently authored the book Hardening Network Infrastructures for Osborne/McGraw-Hill and previously authored a chapter on network security and design for The CISSP Training Guide by QUE Publishing.
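Steps 1 and 3 above both come down to the same mechanism: an ordered ACL, evaluated first-match with an implicit deny at the end, that denies Houston-to-New York traffic because the business never needs it and confines VPN users to the Citrix farm on the Citrix port. The following is an added example, not the author's code and not the syntax of any particular router or firewall, that evaluates such an ACL so the two rule sets can be checked against sample flows before they are typed into real equipment. The subnets, the VPN address pool and the use of TCP 1494 for ICA are constructed for illustration.

```python
"""First-match network ACL evaluator for the ACL and remote-restriction steps.

Added example, not the author's code. Subnets, the VPN pool and the Citrix
port are constructed; real equipment has its own ACL syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: Net
    dst: Net
    dst_port: Optional[int] = None   # None matches any destination port
    note: str = ""

    def matches(self, src_ip, dst_ip, dst_port) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))


# Constructed topology.
HOUSTON = Net("10.1.0.0/16")
NEW_YORK = Net("10.2.0.0/16")
VPN_POOL = Net("10.200.0.0/24")      # addresses handed to remote VPN users
CITRIX_FARM = Net("10.2.20.0/24")
ICA_PORT = 1494                      # Citrix ICA, the only thing remote users need
ANY = Net("0.0.0.0/0")

ACL = [
    # Step 1: Houston never needs New York, so deny it before anything broader permits it.
    Rule("deny", HOUSTON, NEW_YORK, note="Houston -> New York is not a business need"),
    # Step 3: remote users reach only the Citrix farm, and only on the ICA port.
    Rule("permit", VPN_POOL, CITRIX_FARM, ICA_PORT, note="remote users -> Citrix only"),
    Rule("deny", VPN_POOL, ANY, note="anything else from the VPN pool is dropped"),
    # Ordinary site traffic that the rules above did not already decide.
    Rule("permit", NEW_YORK, ANY, note="New York internal"),
    Rule("permit", HOUSTON, HOUSTON, note="Houston internal"),
]


def acl_lookup(acl, src: str, dst: str, dst_port: int):
    """Return (action, matching_rule) for the first rule that matches the flow.

    No match means the implicit deny every ACL ends with, reported as rule None.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if rule.matches(s, d, dst_port):
            return rule.action, rule
    return "deny", None


def trace(acl, flows):
    """Map each (src, dst, port) flow to the action the ACL takes on it."""
    return {flow: acl_lookup(acl, *flow)[0] for flow in flows}


if __name__ == "__main__":
    sample_flows = [                          # constructed test flows
        ("10.1.5.5", "10.2.10.7", 445),       # Houston -> New York file share
        ("10.1.5.5", "10.1.9.9", 445),        # Houston internal
        ("10.200.0.10", "10.2.20.5", 1494),   # remote user -> Citrix over ICA
        ("10.200.0.10", "10.2.20.5", 445),    # remote user -> Citrix host, wrong port
        ("10.200.0.10", "10.2.10.7", 1494),   # remote user -> non-Citrix host
        ("192.168.1.1", "10.2.10.7", 445),    # unknown source: implicit deny
    ]
    for flow, action in trace(ACL, sample_flows).items():
        rule = acl_lookup(ACL, *flow)[1]
        print(f"{flow}: {action}  ({rule.note if rule else 'implicit deny'})")
```

The order matters: the VPN deny sits after the single Citrix permit, so an infected remote client that tries SMB against the Citrix hosts, or ICA against anything else, is stopped by the catch-all rather than admitted by the broad site rules further down. Tracing a handful of representative flows like this is a cheap way to catch a permit that was placed above the deny it was supposed to sit under.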

Secure data transmission methods
17 Jan 2006 | Chris Apgar | SearchSecurity.com

A significant issue facing security professionals, especially in healthcare organizations, is the secure transmission of confidential and proprietary information, and protected health information (PHI). When many organizations think of secure transmission, the conversation generally turns to encryption and encrypted email. While this tip touches on email security, you can find more in-depth information in Email Security School. The main purpose of this tip is to explore secure data transmission options that are available to help meet regulatory and legal requirements.

The HIPAA Security Rule references secure transmission and the use of encryption. Although the Rule does not require the use of encryption, it's included as an "addressable" implementation specification. In other words, a healthcare organization covered under HIPAA has three choices: implement the specification as it appears in the Rule, implement an alternative that is equivalent to the specification, or document why the specification is not applicable and therefore is not implemented.


Given the availability and affordability of encryption technology today, it is difficult for ahealthcare organization to justify not using some form of it when transmitting PHI. Anumber of vendors offer a variety of reasonably priced encryption hardware andsoftware, as well as outsourcing options. Now we'll review the options in more detail.

Email encryptionA number of vendors offer products that encrypt email messages, are easy to use andprovide the ability to send private data, including email attachments, securely. Therecipient can respond using the same encryption method. Many of these products areWeb-based. They work by sending a link to the recipient, who then clicks on it and logson to a secure email server, which the organization either owns or outsources to anappropriate vendor. The recipient is then able to read the email and any attachmentssecurely, and send a secure response including attachments if needed.

There is also non-Web-based technology that allows transportation of secure messagesfrom one person or organization to another, the most common of which is public keyinfrastructure (PKI). PKI requires an exchange of keys used to unlock the encrypted file.For example, Bob wants to send a secure email to Sue, so he gives her a copy of hispublic key to open his encrypted message. Bob retains the private key he used to encryptthe message or file, which he can also use, especially with a digital signature, toauthenticate himself as the sender. A digital signature is a small electronic file that isunique to each sender and specifically authenticates his or her identity. In many states, adigital signature can be used and is enforceable to the same extent as an original signatureon a contract or other legal document.

There haven't been any large PKI deployments as of yet, mainly due to it being cumbersome, and the difficulty of administering and managing keys. However, PKI has been successful with small deployments and is frequently used for sending large files between organizations such as health plans and healthcare clearinghouses.

One method of secure data transmission, often used in conjunction with PKI to encrypt and authenticate large data files, is secure file transfer protocol (FTP). However, it is not used for transmission between individuals. The technology is readily available and recommended for organizations transmitting large amounts of data, such as claims transactions and electronic remittance advices through clearinghouses.

Web site encryption

Organizations that use the Web to collect and transmit sensitive data to customers or other organizations need to secure their Web site. The general standard is the use of Secure Sockets Layer (SSL), which encrypts data transmitted via a Web site. Upon opening an Internet browser, an open or closed lock appears in the lower right hand corner of the Web site. If the lock is closed, it means the data transmitted over the Web site is secure, generally by SSL. This allows the transmission and collection of private data over a Web site, without worrying about a hacker accessing it. There is no such thing as security without risks, but the use of SSL and secure Web sites when transmitting data significantly reduces the risk of it being inappropriately intercepted. Secure Web sites can be established by using internal Web analysts/programmers or working with a vendor who has expertise in creating an appealing and secure Web presence.

Application encryption

Some organizations transmit data between applications, such as an electronic health record. It is wise to view such transmissions, if the data travels outside an organization, as any message sent over the Internet, meaning it's subject to interception and, unless properly protected, misuse. When transmitting sensitive data between applications, it is sound security practice to evaluate the encryption capabilities of the application(s) and implement an encryption solution beforehand. An organization can obtain this technology from the vendor that manufactures the application or a custom-programmed product that accommodates application functionality while protecting the data as it travels from one point to another.

Remote user communication

Remote users present an additional security risk, because they are often communicating between their home and an organization. This means they not only need to be aware of secure data transmission requirements, but also other information security risks associated with remote access to confidential information. To secure communication with remote users, install a virtual private network (VPN), which encrypts all the data sent between its users. This technology is readily available on the market, and it is advisable that organizations with remote users install it. If a VPN is not established and a modem is not in use (which is generally not an efficient method of accessing a company network), all data transmitted over the Internet is subject to interception and inappropriate use.

Laptops and PDAs

These portable devices can be easily lost or stolen. Therefore, it is wise for organizations using these devices to transport confidential information to encrypt the data stored on those devices. This protects the organization against inappropriate data disclosure if the portable device is lost or stolen. Encryption programs are available for portable devices and the cost of such software is reasonable and affordable, even for smaller organizations.

Wireless networks

Wireless threats are on the rise, and unsecured wireless networks are significant points of vulnerability that open up organizations to easy hacker access. Therefore, it's becoming increasingly important to prevent access by anyone not authorized to access the network. Also, encrypt all data transmitted between wireless devices to prevent inappropriate disclosure of confidential information. Laptops connected to wireless networks are becoming more common, especially in hospital emergency rooms where medical and health insurance information is collected. These laptops communicate with the organization's wireless server and update applications, health records, etc. This data is generally sensitive and needs the extra layer of protection that encryption provides.

About the Author: Chris Apgar, CISSP, is president of Apgar & Associates, LLC and former HIPAA Compliance officer for Providence Health Plans in Oregon and SW Washington. He is a nationally recognized data security, privacy, transaction and code sets, regulatory and HIPAA expert. He is a member of the HIPAA Compliance Insider Advisory Board, the Security Compliance Insider Advisory Board, the URAC Privacy Advisory Committee, and chairs the Oregon and SW Washington Healthcare, Privacy & Security Forum and the Forum's Transaction & Code Set Workgroup. Mr. Apgar now operates an independent consulting firm specializing in security, privacy, HIPAA, global and detailed business process review, information systems project development, and lobbyist activity.

How to stop a rogue user from circumventing network security
15 Nov 2005 | ITKnowledge Exchange | SearchSecurity.com

The following question and answer thread is excerpted from ITKnowledge Exchange.

A user identified as Mouse 3333 posed this question:
We have a rogue user who knows more than she should. She can grant herself and others the authority to access secure files. How can we monitor her activity to review what she has done? We believe she is using several different user IDs. We have come across a couple and have changed those passwords. Is there anything else we can do to stop her?

A user identified as Layer 9 advised:
There are some products that allow you to restrict users internally, but you really have to know what you are doing to use them. In order to stop this power user from circumventing your network's security, you will need to bring in a security consultant, because it is clear that this user knows more than you do about network security. Other than hiring a consultant, there are some technical steps you can take as well. Assuming your Layer 2 network is a Cisco or other SPAN-compliant vendor, doing the following will likely reveal what she is doing:

1. Trace back from the desktop to the actual switch port her workstation is connected to. If you don't have a current wiring diagram or a coding system, you can use a cheap toner to trace back to the switch. Then trace back your own desktop to the switch as well. I am assuming they are plugged into the same switch; if not, you'll want to plug a laptop in from inside the wiring closet.

2. Once you have the port number on the switch, log on to it, enable SPAN and set the port you are plugged into as the Monitor Port. Then set the port that the suspect's system is plugged into as the Monitored Port.

3. At this point, download Ethereal (you can also use Sniffer or Etherpeek if you have it) and install it on the desktop. Set a filter in your protocol analyzer to filter to all other systems on her MAC or IP. Examine what the packet captures about the activity between the suspect and the logon servers – particularly, with the system or systems where the accessed files are stored. These packet captures will show you what she is doing to get in or at least point you in the right direction.


If you don't have a switch that supports SPAN, it's time to upgrade the network. If what I suggest sounds foreign, then you should consider hiring a consultant.

A user identified as Solutions1 advised:
First, make sure your procedural and policy ducks are in a row and carefully adhere to those guidelines. Second, evaluate your priorities. If you suspect that one end user acquired "super user" access, then perhaps your priority should be to rebuild your access control structure, because one "known" violation suggests that there could be others. Third, get management support at an appropriate level before you proceed with your capture and detection measures.

A user identified as Bobkberg advised:
Here are some other steps you can take to mitigate this risk:

• If you are in a Windows environment, list out all of the members of the administrators group and check their login history. Turn on security auditing for logins and for system/file/folder access for likely machines -- then check regularly.

• If you are in a Unix/Linux environment, check all user and group IDs for root equivalence or root group membership. If you learn more about the initial situation, regularly check for login time/date as well as where it occurred. If you are using Network Information Service, check all user IDs there also.

Here is the bottom line -- if you don't receive management's support, email them about the matter clearly and keep their response. It will be your "Pearl Harbor" file.
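The review of administrator login history that the post above recommends, as an added example that is not part of the thread: it runs over a constructed CSV export of logon audit records (in practice you would export them from the security event log once auditing is on), lists the login history of every administrators-group member, flags any workstation from which several different user IDs logged on (what you would expect if one person is rotating through borrowed accounts), and lists logons outside business hours. The group membership, account names, hostnames and timestamps are all constructed.

```python
"""Logon-history review for the situation described in the thread (added example)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from typing import Dict, List, Set

# Constructed: the result of listing the administrators group
ADMIN_GROUP = {"administrator", "jsmith", "svc-backup"}

# Constructed audit export: one row per logon/logoff event
SAMPLE_LOG = """\
time,event,user,workstation
2005-11-14 08:02:11,logon,mjones,WS-ACCT-03
2005-11-14 08:05:40,logon,jsmith,WS-IT-01
2005-11-14 08:06:02,logon,rlee,WS-ACCT-09
2005-11-14 12:48:55,logon,mjones,WS-ACCT-09
2005-11-14 13:02:19,logon,jsmith,WS-ACCT-09
2005-11-14 13:30:00,logoff,jsmith,WS-ACCT-09
2005-11-14 22:17:44,logon,svc-backup,WS-ACCT-09
2005-11-15 08:01:02,logon,rlee,WS-ACCT-09
"""


def parse_log(text: str) -> List[dict]:
    """Parse the CSV export, keeping only logon events."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        if row["event"] != "logon":
            continue
        records.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "user": row["user"],
            "workstation": row["workstation"],
        })
    return records


def admin_login_history(records: List[dict], admins: Set[str] = ADMIN_GROUP) -> Dict[str, List[tuple]]:
    """Login history (time, workstation) for every administrators-group member."""
    history = defaultdict(list)
    for r in records:
        if r["user"] in admins:
            history[r["user"]].append((r["time"], r["workstation"]))
    return dict(history)


def shared_workstations(records: List[dict], min_users: int = 2) -> Dict[str, Set[str]]:
    """Workstations from which at least `min_users` distinct user IDs logged on."""
    users_by_ws = defaultdict(set)
    for r in records:
        users_by_ws[r["workstation"]].add(r["user"])
    return {ws: users for ws, users in users_by_ws.items() if len(users) >= min_users}


def after_hours_logons(records: List[dict], start_hour: int = 7, end_hour: int = 19) -> List[dict]:
    """Logons outside the business-hours window [start_hour, end_hour)."""
    return [r for r in records if not start_hour <= r["time"].hour < end_hour]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ws, users in shared_workstations(recs).items():
        print(f"{ws}: {len(users)} IDs {sorted(users)}; admin IDs {sorted(users & ADMIN_GROUP)}")
    for r in after_hours_logons(recs):
        print(f"after hours: {r['time']} {r['user']} on {r['workstation']}")
```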

A user identified as ChinaBJ advised:
I suggest you use a combination of IT rules and technical methods to prevent this from happening again. Seek help from top management personnel to establish and implement IT rules. As far as technical methods are concerned, you can install a remote control client on the suspect's computer from the server and log her actions. If you have Windows 98 sharing, stop it. It is also necessary to stop Windows 2000 server's support for previous Windows authentication. Third, you should implement IPsec to encrypt the communications that take place on your server.

A user identified as This213 advised:
I agree with Layer9, you should consider hiring a security consultant. I also think she may have gotten her hands on someone's password. While you have received some sound advice, I find it interesting that there has been no mention of the authentication mechanism in use or what OSes and other resources are involved. There may be options available to you that would not require approval from anyone (depending on your role and your company's policies).

Once you know what resources have been accessed -- whether they are files in a file system or user changes in Active Directory -- you should be able to trace those who have accessed them. If you're not logging accesses to resources, I strongly encourage you to. If you're in a Windows environment, there are tools for this. If you're in a Unix/Linux environment, the tools are most likely already in place.

I suggest you have your network penetration tested, both externally and internally, even if it does turn out to be just a corrupted password. You never know how strong something is until you try to break it. Plenty of companies out there do this.

Also, make sure you document everything. Create a situation file, collect hard copies of all the logs about the affected systems, and place them in the file. Then, document your actions to remedy the situation and put that in the file. Send emails to your superiors and detail the situation as best as you can. Inform them of the file and its location, and explain how they can view a *copy* of its contents. Place the emails that discuss the situation into the file as well. Note that I said a *copy* of the file; always follow the maxim: CYA. Finally, make sure that anyone (management, auditors, etc.) can access the file, so they can read about the entire situation themselves -- as Bobkberg said, it's your "Pearl Harbor" file.

A user identified as SidZilla advised:
Don't overlook the non-technical solutions. I would make sure HR is on board with the fact that circumventing security is a fire-able offense, then take the offending employee to HR and ask her what she is doing, how she is doing it and, most importantly, why she is doing it. If she doesn't answer all three and agree to stop, fire her on the spot.

Guarding against malware infection from remote users
2 Sept 2004 | Ed Skoudis, CISSP | SearchSecurity.com

So, you think you've got your malware defenses up to snuff, right? Antivirus tools on the mail gateway? Check. AV deployment on all company-owned desktops and laptops? Check. Firewalls blocking all services except those with a defined business need? Check. Thorough malware defenses against infected telecommuters using the VPN from their laptops, home desktops and even handheld devices? Um … well, …

Sadly, many organizations today haven't adequately addressed the potential for malicious code infection via telecommuters. Often, a home user gets infected by some pathogen on the Internet and then sets up a VPN connection to the corporate network. Once connected, the infected home system acts like the Typhoid Mary on the internal network -- spreading the malicious code and bypassing your perimeter defenses, including Internet firewalls. How can you stop this plague in your environment? The solution requires both policy and technology.

Make sure to define policies that require home users to keep up-to-date AV tools installed on their systems, regardless of whether the machine is owned by the user or the company. In today's new-worm-every-day world, require that the AV tool be configured to automatically download new signatures each day and define specific penalties for disabling the AV tool and its update capabilities.


Also, specify in your policy that the corporation reserves the right to search the computers of any VPN users across the network, again, regardless of whether the system is owned by the employee or the corporation. Employ a warning banner to launch during the VPN login that requires users to click "OK", acknowledging that their personal systems could be searched remotely when an incident occurs. Enlisting permission from the system owner -- the employee -- allows your incident-response team to legally conduct the analysis required to address the problem. Without this policy and warning banner, you have no business searching an employee-owned machine. Alternatively, you can create a policy that limits VPN access to only corporate-owned computers. Of course, your company will need to purchase machines for all telecommuters, so make sure the budget can adequately afford you going that route.

Fortunately, many VPN gateways now offer the capacity to interrogate the client to ensure the host system is running an active AV tool with up-to-date signatures and a personal firewall. Activate these capabilities if your infrastructure supports them; users wanting access to the corporate playground must first prove they won't infect the other kiddies. Also, make sure your VPN gateway passes all traffic through a firewall that performs comprehensive filtering -- only allowing access to absolutely required services and only to those servers that each remote user needs. Furthermore, consider deploying network-monitoring tools, including network-based intrusion-detection and intrusion-prevention systems, on network segments associated with the VPN and filtering devices -- this will enable you to detect and thwart attacks early.

About the Author: Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).

Remote network access from privately-owned machines
25 Aug 2004 | Mark Mellis | SearchSecurity.com

IT managers are under increased pressure to provide broad remote-access capabilities. User communities range from casual "day extenders," who only need access to their email and the corporate Web portal from their family PC, to full-time telecommuters who use core applications and IP telephony. Because they depend upon remote access for all their work, companies usually don't have too much trouble justifying high-end solutions for the full-time telecommuter by providing them with a company-owned computer, firewall and 24x7 help desk access. But how can we effectively (and affordably) support the low-end needs of other users?

The upside of allowing users access from their own computers and network connections is attractive. Often, remote users don't even want a company laptop -- too much to lug around. Besides, the family system is likely faster (designed for the kids to blast alien spacecraft with). However, it's the downside that we need to consider.


Risks are proportionate to access provided

Users who have full network access to internal enterprise LANs can inflict much more damage than those who can only use webmail. So, the first step in your strategy entails providing tiered access, appropriate to the needs of each user. Many companies can get by with two or three tiers, with webmail at the low end, file and Web application access in the middle, and full VPN connectivity at the top.

Training

End user security education is essential for successful remote-access programs. It should play a prominent part in your ongoing security education program. You can use online programs on the company intranet. Make sure that you track completion and require periodic refresher training. Try awarding a gift certificate to someone selected from those who took the course to give users a positive incentive for completing their mandatory training. The curriculum should include information on the hazards of active content, including viruses, worms and spyware. Make the point that this instruction will help them protect their own data as well as that of the company. Also include information on password hygiene and what to do in the event that they suspect an incident might be in progress. Don't forget to include requirements for access to company information.

Authentication

You have to know who someone is before you allow them access to any service, including webmail. Typically, we use user names and passwords to provide authentication, which are vulnerable to interception and compromise. Educating users about password hygiene and protecting passwords in transit with encryption used to be adequate, but with today's spyware and keystroke sniffers, two-factor authentication with hardware tokens is practically mandatory for all remote users, even those with low-end privileges.

If you choose to stay with usernames and passwords, make sure that you don't set yourself up for a denial-of-service attack. Do you use your internal domain authentication source for remote access and automatically lock out accounts after a certain number of failed login attempts? If manual intervention by an administrator is required to restore an automatically locked-out account, your systems are vulnerable. It's a simple matter for a disgruntled employee sitting at a cyber cafe to go down the company directory typing three bad passwords for every username on the list and lock out the whole company, internal as well as external. It's much better to use separate authentication sources for external services or to only lock out accounts for a short period of time. Even lockouts as short as five minutes will protect you from dictionary attacks.
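The two lockout policies contrasted above, as an added example that is not code from the article: it models an account that stays locked until an administrator resets it against one whose lockout expires after a short window, and runs both against the directory-wide lockout flood described above and against a dictionary attack on a single account. The threshold of three, the five-minute window, the user list and the attacker's pace of one guess per second are constructed for illustration.

```python
"""Account-lockout policy comparison (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int                   # failed attempts that trigger a lockout
    lockout_seconds: Optional[int]   # None: locked until an administrator resets it
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, Optional[int]] = field(default_factory=dict)

    def is_locked(self, user: str, now: int) -> bool:
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        return True if until is None else now < until

    def record_failure(self, user: str, now: int) -> None:
        """Count a failed password; lock the account when the threshold is hit."""
        if self.is_locked(user, now):
            return                   # already locked: the attempt is simply rejected
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.failures[user] = 0
            self.locked_until[user] = (
                None if self.lockout_seconds is None else now + self.lockout_seconds)

    def admin_reset(self, user: str) -> None:
        """Manual intervention: clear the lock and the failure count."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


def lockout_flood(policy: LockoutPolicy, users: List[str], start: int, check_at: int) -> int:
    """Attacker submits `threshold` bad passwords for every user at time `start`;
    returns how many accounts are still locked at time `check_at`."""
    for user in users:
        for _ in range(policy.threshold):
            policy.record_failure(user, start)
    return sum(1 for u in users if policy.is_locked(u, check_at))


def dictionary_guesses(policy: LockoutPolicy, user: str, seconds: int) -> int:
    """Password guesses an attacker can submit against one account over `seconds`,
    guessing once per second whenever the account is not locked."""
    guesses = 0
    for t in range(seconds):
        if not policy.is_locked(user, t):
            policy.record_failure(user, t)
            guesses += 1
    return guesses


if __name__ == "__main__":
    directory = [f"user{i:03d}" for i in range(200)]   # constructed company directory
    permanent = LockoutPolicy(threshold=3, lockout_seconds=None)
    five_min = LockoutPolicy(threshold=3, lockout_seconds=300)
    print("permanent lockout, accounts still locked an hour after the flood:",
          lockout_flood(permanent, directory, start=0, check_at=3600))
    print("5-minute lockout, accounts still locked an hour after the flood:",
          lockout_flood(five_min, directory, start=0, check_at=3600))
    print("dictionary guesses per day, permanent lockout:",
          dictionary_guesses(LockoutPolicy(3, None), "alice", 86400))
    print("dictionary guesses per day, 5-minute lockout:",
          dictionary_guesses(LockoutPolicy(3, 300), "alice", 86400))
```

With the five-minute window the flood only costs everyone five minutes, while a dictionary attack is still held to three guesses per lockout period; the permanent policy stops the attack completely but leaves every account down until an administrator intervenes.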

Authorization

Appropriate access to internal resources is key. If you have an existing data inventory and authorization model, it will pay off. If not, you need to identify your information assets and how they are classified. The best SSL VPN and gateway products have rich access-control models, but they won't do you any good if you don't know which users should have access to which data and where the data is stored. If you haven't classified your data, this could provide the motivation to start.


Active content control

Viruses are the scourge of the decade and, like all effective security programs, virus control should be layered, starting at the edge of the network. Of course every computer should have antivirus software installed and maintained. Here's another place where you can provide an incentive for good security practices: consider providing antivirus software to your end users for free or at a discount. You may not want to use the corporate edition that you deploy internally, since that would increase your support burden, but you can still provide the consumer editions to your day extenders. Of course you will want to ensure that users renew their subscriptions each year, so consider including the renewals in your program. Don't forget to protect the systems used by the full-time telecommuters as well.

Personal firewalls

Personal firewalls are very common in full VPN environments, and can be useful even for day extenders using webmail, because they can help block spyware back channels. You may elect to subsidize their use in a manner similar to that discussed for antivirus software.

Information leaks

Every time a browser loads a clear text Web page, a copy of the page is made in the browser's cache. Likewise, pathnames and other parameters can be captured by the browser's history feature. And end users often download email messages and attachments, as well as files to which they might have access. Obviously this can be a serious problem. All is not lost, however. Browsers do not normally cache data downloaded over SSL connections. Further, some SSL VPN remote access products have special features to clean up after sloppy software and forgetful users. If the risk of information leakage is important for your company, you will want to investigate these features.

If you can't control, monitor

You won't necessarily have the resources to implement technical controls to compensate for every threat. That's the bottom line. However, you shouldn't give up. If you can't control, often you can monitor instead. Monitoring techniques can include network- and host-based intrusion detection, system auditing and log analysis -- powerful techniques for stopping problems in their tracks.

Your company can allow employees to use their home computers. It won't be free, and it likely won't encompass all the services that some users will want, but it can be done safely for many services.

About the Author: Mark Mellis, ISACA/CISM, is a consultant with SystemExperts Corporation, specializing in network security.

Ten tips for safe computing on a public LAN
22 Sept 2003 | Ed Yakabovicz | SearchSecurity.com


There may be times when your remote users need to connect to a public LAN. Here is a checklist of ten basic tips for ensuring the security of their systems, as recommended by SearchSecurity.com expert Ed Yakabovicz. These are also handy tips to distribute to end users for keeping home PCs secure.

1. Keep the system's OS patches up to date.

2. Use a personal firewall (software; some are free) and keep track of who is trying to access your machine.

3. Using the personal firewall, allow no one to connect through Windows to your machine. Do not share drives.

4. Use antivirus software to protect your system from any virus or malicious code. Never, never shut it off – for any reason.

5. Conduct a full scan for viruses weekly. Update the antivirus signature file daily.

6. Use a hardware firewall if you can. These can run $40 to $100, but they save much time and hassle.

7. Ensure the user ID guest is disabled.

8. Ensure passwords are hard to guess, and do not use administrator unless necessary.

9. Run some type of third party cleaner that will check for malicious code and hidden files that could be Trojans.

10. Run defrag once a week.


Endpoint security tactics

Hot Pick: Fireball KeyPoint
13 Oct 2004 | Tom Bowers, CISSP | SearchSecurity.com

Fireball KeyPoint
RedCannon, www.redcannon.com

Technically, RedCannon's Fireball KeyPoint is an endpoint security solution conveniently packaged in a portable USB token. In reality, it's a basic, secure mobile computer that uses host machines as conduits for I/O devices, connectivity to the Internet and corporate networks.

When the Fireball KeyPoint is plugged into a USB port, it connects to the RedCannon Web site or your enterprise's management server for policy and software updates. Updates are loaded before it scans the host PC and grants secure access to network-based applications. The token also alerts users to the presence of spyware or malware on the host PC, but doesn't remove it.

Fireball KeyPoint assesses and authenticates the host machine's compliance with enterprise security policies, granting full access to compliant machines, limited access to moderately risky machines, or no access to machines that represent a high security risk. For example, hosts with a low-level adware threat could still be granted email access. However, if a more dangerous keystroke logger is detected, Fireball KeyPoint won't permit a connection and will advise the user to try another host. The connection to the corporate network is secured with an IPsec VPN tunnel.

An area of concern is RedCannon's suggested distribution of policy updates via shared drives -- an open invitation to disaster, since worms like Blaster and MyDoom could use the open shares to propagate on the LAN. Fortunately, this isn't a requirement; we discovered during testing that using a Web session secured with SSL or SSH will close this hole. In light of this review, RedCannon has changed its recommended architecture.

RedCannon's Fireball KeyPoint provides token-based endpoint security, secure Web browsing, storage and email, and spyware protection.

Enterprises can configure Fireball KeyPoint to securely run common applications (such as Web browsers and email) and avoid untrusted applications on host machines. RedCannon's proprietary email is adequate; it has the same basic features and capabilities as free or inexpensive email apps like Calypso, Eudora and Thunderbird. The only difference with RedCannon's secure email is that almost everything runs from the token, and what little runs from the host PC is hashed/encrypted, erasing all traces of the session.

Email messages are stored and encrypted in a token-based vault.


Although RedCannon claims Fireball KeyPoint leaves no residual data on the host computer, our testing found traces of visited Web pages in the Documents and Settings temp directory after the token was removed. This is disappointing, since the whole point of this device is to securely browse the Web and access email via an untrusted computer. RedCannon says the bug will be fixed in the next release.

Fireball KeyPoint comes in two sizes -- 256 MB and 512 MB -- but don't let the numbers fool you. Its auto-recovery app takes up approximately 50 MB. The Encrypted Vault secure storage provides drag-and-drop capability through Windows Explorer. And, just as the scanner limits or blocks access to the corporate network, it will also lock down the vault if the host machine presents an unacceptable risk.

The tedious process of integrating Fireball KeyPoint's Fireball Manager into Active Directory -- the only supported directory service -- must be completed before license, key and policy distribution. Each token must be plugged into a USB port on either the system hosting the management server or a system with a network share to it, in order to receive licenses, policies and configurations. Wizard-based installation for the Fireball Manager and authentication to a secure Web site/sharepoint for policies/licenses would be on our wish list for the next version.

A thin Quick Start Guide and poor documentation complicated the Fireball Manager's installation and configuration. The guide was lacking in nearly every subject, and completely missing was a diagram showing the entire architecture, which would have prevented serious roadblocks during setup and testing.

Despite a number of first-release shortcomings, the Fireball KeyPoint is an endpoint security product with potential. Whether you're using an Internet cafe or a home computer, the device lessens the most common remote access security concerns. We expect future versions only to improve upon this strong foundation.

About the Author: Tom Bowers has worked with computers since the early 80s. He is currently the Manager of Information Security Operations for Wyeth Pharmaceuticals, where he leads a team conducting pen testing globally. He also owns Net4NZIX, a small consulting firm specializing in pen testing and computer forensics. Tom holds the CISSP, PMP and Certified Ethical Hacker certifications. He can be reached at [email protected].

Product Review: End of the line
1 June 2004 | Curtis Dalton, CISSP | SearchSecurity.com

Endpoint devices -- laptops, SOHO desktops, public terminals, etc. -- are your biggest security headache. Traveling employees log in without updated AV signatures or the latest OS patches. Home workers may have no AV or firewall protection. And who knows what unauthorized software and spyware are on connecting PCs?


Users jacked into your LAN may not be much better off. Even the most up-to-date patching will lag behind the spread of worms and viruses. According to Gartner, 90% of cyber-attacks through 2005 will involve known vulnerabilities for which a patch or remedy already exists. Policy notwithstanding, internal employees and contractors disable AV scanners, fiddle with registry settings and run Kazaa and Quake on your network.

IT security staffers are often skeleton crews that can't keep up with basic patching, much less play cop with noncompliant employees and machines. The secure master build installed on each computer before it's released is often rendered obsolete by the latest vulnerability and exploit.

No wonder the number of endpoint security solutions is growing. These products ensure that each device complies with policy before it's allowed on your network.

Endpoint police

How do you determine whether a particular host should or shouldn't be allowed to access the network? A solution should cover these compliance criteria:

• Authorized OS version and hardware platform.
• Required OS patches and registry settings.
• Functioning AV software with latest signatures.
• Firewall and VPN client with approved policy.
• Required company software.
• Absence of IM, P2P, spyware or other rogue programs.
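How a compliance check against the criteria above can feed the tiered decision described for Fireball KeyPoint earlier on this page (full access for a compliant host, limited access such as email only for a moderately risky one, no access for a high-risk one), as an added example that is not code from any product reviewed here. It returns the findings a client could be shown on a remediation page; the approved OS list, patch names, required software, prohibited-program classes, signature age limit and sample hosts are all constructed placeholders.

```python
"""Posture check with tiered access decision (added example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

HIGH, MEDIUM = "high", "medium"

# Constructed policy values: placeholders, not real OS, patch or product names
APPROVED_OS = {"os-a-sp2", "os-b-sp4"}
REQUIRED_PATCHES = {"patch-001", "patch-002"}
REQUIRED_SOFTWARE = {"corp-asset-agent"}
MAX_SIGNATURE_AGE_DAYS = 1               # signatures are expected to update daily
APPROVED_VPN_POLICY = "corp-vpn-v3"
# Rogue program classes from the criteria list, with how seriously each is treated
PROHIBITED = {"keylogger": HIGH, "hacker-tool": HIGH, "spyware": HIGH,
              "p2p": MEDIUM, "im": MEDIUM, "adware": MEDIUM}


@dataclass
class HostPosture:
    """What the scan of a connecting host reports."""
    os_version: str
    patches: Set[str]
    av_running: bool
    av_signature_age_days: int
    firewall_running: bool
    vpn_policy: str
    installed_software: Set[str]
    detected_programs: Set[Tuple[str, str]] = field(default_factory=set)  # (name, class)


def evaluate(host: HostPosture) -> List[Tuple[str, str]]:
    """Return (severity, description) for every criterion the host fails."""
    findings = []
    if host.os_version not in APPROVED_OS:
        findings.append((HIGH, f"unapproved OS '{host.os_version}'"))
    for p in sorted(REQUIRED_PATCHES - host.patches):
        findings.append((MEDIUM, f"missing required patch {p}"))
    if not host.av_running:
        findings.append((HIGH, "antivirus not running"))
    elif host.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append((MEDIUM, f"AV signatures {host.av_signature_age_days} days old"))
    if not host.firewall_running:
        findings.append((HIGH, "personal firewall not running"))
    if host.vpn_policy != APPROVED_VPN_POLICY:
        findings.append((MEDIUM, f"VPN client policy '{host.vpn_policy}' not approved"))
    for s in sorted(REQUIRED_SOFTWARE - host.installed_software):
        findings.append((MEDIUM, f"required software {s} not installed"))
    for name, cls in sorted(host.detected_programs):
        if cls in PROHIBITED:
            findings.append((PROHIBITED[cls], f"{cls} detected: {name}"))
    return findings


def access_tier(findings: List[Tuple[str, str]]) -> str:
    """'full', 'limited' (e.g. email only) or 'none', driven by the worst finding."""
    severities = {sev for sev, _ in findings}
    if HIGH in severities:
        return "none"
    if MEDIUM in severities:
        return "limited"
    return "full"


def decide(host: HostPosture) -> Tuple[str, List[str]]:
    """Access tier plus human-readable remediation items for the client."""
    findings = evaluate(host)
    return access_tier(findings), [f"{sev}: {msg}" for sev, msg in findings]


def compliant_host() -> HostPosture:
    """Constructed baseline host that passes every check; copies, so tests can mutate it."""
    return HostPosture(os_version="os-a-sp2", patches=set(REQUIRED_PATCHES),
                       av_running=True, av_signature_age_days=0,
                       firewall_running=True, vpn_policy=APPROVED_VPN_POLICY,
                       installed_software=set(REQUIRED_SOFTWARE))


if __name__ == "__main__":
    adware = compliant_host()
    adware.detected_programs.add(("popup-helper.exe", "adware"))      # constructed name
    keylogger = compliant_host()
    keylogger.detected_programs.add(("kbdhook.exe", "keylogger"))     # constructed name
    for label, h in [("compliant", compliant_host()), ("adware", adware), ("keylogger", keylogger)]:
        tier, reasons = decide(h)
        print(f"{label}: {tier} {reasons}")
```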

Most endpoint solutions attempt to cover these criteria, but in different ways. Most check compliance through direct login to the endpoint client and/or remote scanning. Typically, solutions use either a resident agent or thin client.

Solutions can work for remote and/or LAN-based clients, and most require manual remediation.

Direct Login

What if you could validate virtually all client systems, including public kiosks and SOHO computers? This is the big advantage to the direct login approach.

A gateway device will intercept the endpoint's authentication request and use native cached account credentials to validate compliance, checking for active processes, registry settings, OS revision, patches, etc.

The downside: Because of the credential caching, this type of endpoint security gateway is an important -- and additional -- user information store that must be stringently protected. Also, the gateway must be inline with your authentication servers, which could introduce additional points of failure and must be compatible with your authentication protocol (LDAP, Active Directory, NT Domain, etc.).


One example of this type of gateway is StillSecure's SafeAccess, an agentless solution. The SafeAccess server is a Layer 2 bridge based on Red Hat Linux with Apache for Web-based management. It's installed on a dedicated server that sits between the VPN gateway and firewall. Since it operates at Layer 2, it requires no IP addresses for devices in your DMZ. If a remote device is connecting to the corporate LAN for the first time, SafeAccess assigns a unique identifier so it can recognize it in subsequent connection attempts.

If a remote host isn't a member of the corporate domain, the user is directed to a Web logon page, allowing the SafeAccess server to log in to the computer (Windows support only) and perform the checks. The login sequence is achieved via the Windows RPC service from within the VPN tunnel (all IPSec VPN vendors are supported) between the remote host and the corporate VPN gateway. SafeAccess checks for missing patches, software updates, up-to-date AV signatures, policy settings and required or prohibited programs.

Noncompliant devices are quarantined using ACLs defined on the SafeAccess server.

Remote Scanning/Agent Queries

Many solutions use vulnerability scanning technology to check the remote client or query client-side agents (or a combination of both) to determine if required security programs (firewall, AV, VPN with split tunneling disabled, etc.) are running.

These products eliminate the need to cache user names and passwords on the gateway device. However, client-side software of some kind is required -- a preinstalled agent, ActiveX thin client or browser plug-in.

Check Point Software Technologies' Zone Labs Integrity Clientless Security integrates with popular SSL VPNs. Its ActiveX thin client uses a combination of signatures and heuristics to detect, quarantine and block systems containing spyware, keystroke loggers, viruses, Trojans, worms, third-party cookies and hacker tools. Clients can be routed to a customizable URL for remediation.

Citadel Security Software's ConnectGuard uses a host-based agent to draw policies and remediation instructions from Citadel's Hercules patch and configuration server. The agent monitors all outbound traffic and blocks any connections that violate the corporate security policy. The first version of this product is fairly elementary; it offers no quarantining and only works in conjunction with Hercules.

ENDFORCE's ENDFORCE Enterprise uses a resident agent to check host OS, applications (such as AV, VPN and personal firewall), patches and applicable app or file signatures. ENDFORCE works in conjunction with most AV solutions, VPNs and personal firewalls. If a remote device fails the checks, ENDFORCE provides instructions or automated remediation steps.

InfoExpress' CyberGatekeeper suite offers appliance-based solutions using a resident agent executable or ActiveX thin client.

CyberGatekeeper LAN protects the internal LAN and integrates closely with Cisco switches to quarantine noncompliant hosts. The resident agent executable (Windows and Linux supported) checks running processes, registry settings, OS revision and patches, and enforces OS security compliance. Noncompliant hosts are automatically assigned to a segregated VLAN, allowing limited access until updates and configuration changes are made.

CyberGatekeeper Remote functions much like the LAN product but uses an ActiveX thin client, which is loaded onto the host via the browser.

Iomart Group's NetIntelligence relies on a host-based agent, which checks for IM, P2P, malware and pornographic files via digital fingerprinting and provides Web content blocking and copyright theft detection. It can be used to monitor specific apps and removable devices, such as USB flash memory sticks. NetIntelligence provides integrated Kaspersky Labs AV protection, but no integrated VPN support.

Policies are defined by user and group and are pushed down from a central console on a scheduled or ad hoc basis. Policy enforcement is accomplished via client-side access controls applied to the firewall policy. Remediation can be implemented through a central console, which can apply changes individually or by group.

Sygate's Secure Enterprise (SSE) employs a resident agent to enforce policy and verify that Sygate's firewall, IDS and AV (all popular solutions are supported) are current and operational. SSE verifies OS version, patches, registry settings and file requirements. Noncompliant devices can be monitored and automatically remediated through user-generated scripts, or blocked entirely via VLAN manipulation.

Sygate plans to release Sygate On-Demand, which can use ActiveX or Java thin clients instead of agents, and Magellan, a clientless direct login solution.

Symantec's Client Security checks compliance for LAN-based and remote clients. Its resident agent detects unauthorized activity, attempts to disinfect afflicted devices and prevents access to system or network resources via real-time AV protection, personal firewall and IDS -- all controlled via the management console. Built-in location awareness capabilities ensure that the appropriate security policy is applied. For example, the policy for accessing company headquarters may be different than logging in to a branch office.

This solution is best deployed with Symantec VPN Sentry, which assures up-to-date Client Security is running. Noncompliant endpoints can be blocked or granted limited access.

Whole Security's ConfidenceOnline solution is completely transparent and requires no signatures. It uses an ActiveX thin client or Netscape plug-in to check for eavesdropping software and verifies that required processes and applications are running and conform to policy. Configurable heuristics are also used to identify and disconnect remote clients that display infection symptoms.

Weighing the choices

It's tempting to steer clear of solutions that require client-side software and all the administrative pain that it entails.

On the other hand, clientless solutions require that you either trust the proprietary behavioral traffic analysis or entrust third-party security devices with automated domain administrator login access on your networks. Since domain administrator credentials are stored somewhere in these boxes, you should be concerned with their hardening processes and understand what services are active. For example, are stored domain passwords encrypted or hashed, and what hash or cryptography is used? Is your endpoint security solution utilizing Apache 2.0.37, which has a few known vulnerabilities, or does it have an unused, vulnerable version of H.323, which is susceptible to buffer overflows and DoS attacks?

From a management standpoint, look for solutions that offer global policy controls and granular ACLs based on location, user ID, group and role. Endpoint security solutions should also allow you to quickly tweak policy across the client base, such as in response to new threats. Be sure to check under the hood before you buy.

About the Author: Curtis Dalton, CISSP, CISM ([email protected]), is the founder of Principal Security Group, an information security consulting firm. He has authored numerous magazine articles and co-authored Security Architecture: Design, Deployment & Operations (Osborne McGraw-Hill, 2001).

Hark! Who goes there? -- Network device compliance
6 Apr 2004 | Ben Rothke, CISSP | SearchSecurity.com

Traditional network security has long been about protecting the network perimeter via the "crunchy on the outside, chewy on the inside" method. But that method does nothing to stop viruses and worms from originating inside the network. Examine a corporate campus and count the consultants, service providers and temporary workers accessing the network. How can their access be controlled, ensuring they don't introduce viruses and worms to the network?

Today, many corporate networks are more open than all-night convenience stores. With that openness comes lost productivity, industrial espionage, insider abuse and much more. Even with layers of firewalls and IDSes, viruses and worms are still the curse of today's IT environments. Even for the organization that has an antivirus appliance at its gateway, end-node security is crucial since so many devices (PDAs, laptops, etc.) are now bypassing that first-level gateway of protection. A network card and DHCP is all that is needed to access many networks. This is atrocious given the risks that arise from a lack of effective end-node security.

Effective end-node security is all about verifying the security compliance of any device that connects to the network. Seeing the importance of end-node security, many vendors are getting into the game. While the company hasn't announced anything directly, Microsoft is working on a trust model of analysis and the quarantining of end points. Two announcements, by Symantec Corp. and StillSecure, were made early this week. Symantec Corp. announced the release of Symantec Client Security 2.0, which includes VPN Compliancy Check, and StillSecure announced its agentless end-node security solution, StillSecure Safe Access. Other vendor offerings include Infoexpress's CyberGatekeeper and Sygate's Adaptive Protection, but they don't have the level of infrastructure to leverage that Cisco's Network Admission Control (NAC) does.

NAC isn't a product per se but Cisco's collaborative effort to ensure network devices can't enter a network until they are compliant with the level of enforcement required. Noncompliant devices can be isolated and denied network access until they are appropriately patched. This host isolation is the greatest benefit of NAC. Typhoid Mary showed what one infected person can do to facilitate the spread of disease -- so too with a single infected host. Until it is isolated, there is little that can be done to stop its lingering effect on the rest of the network.

NAC's goal is simple: Ensure hosts can't harm the network. It's the equivalent of showing one's credentials before admission and having a level of enforcement after admittance. An example of NAC credentials would be the most recent antivirus definitions and operating system patches.

Cisco defined NAC's architecture and the specifications for NAC technology to be integrated into third-party products. Any developer that wants to integrate NAC into their solution licenses the NAC SDK. It is Cisco's hope that NAC will ultimately be ubiquitous at the desktop in the form of the Cisco Trust Agent (CTA) software. CTA will be the interface between the desktop and NAC, and will be freely available to end-users, much like the Adobe Acrobat reader.

The function of any desktop agent is to collect security state information from the desktop device and to report that information to the connected network, where access control decisions are made and enforced. If the host is compliant, access is granted. If not, the device is placed in a quarantined area where the required patches are downloaded.

If an agent isn't loaded, default access policies are enforced according to the level of security desired. The beauty of such an architecture is that there is compulsory enforcement. Hosts that aren't compliant are denied network access.
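The admission flow just described (agent reports host state, the network decides, noncompliant hosts are quarantined with remediation steps, agentless hosts fall under a default policy) and the compliance criteria listed under "Endpoint police" above, worked through as an added example that is not part of the original guide or any vendor's product. Every policy value, process name, patch identifier, VLAN name and location is a constructed sample; the location-aware split between headquarters and branch office follows the Symantec description above.

```python
"""Added example: an endpoint-compliance decision engine modelled on the
NAC flow described above. An agent (or remote scan) reports host state,
a location-specific policy decides ALLOW, LIMITED or QUARANTINE, and
quarantined hosts receive a remediation list. All policy values, process
names and patch identifiers below are constructed samples."""
from dataclasses import dataclass
from datetime import date

ALLOW, LIMITED, QUARANTINE = "ALLOW", "LIMITED", "QUARANTINE"

# Segregated VLAN per decision, as the LAN-side products described above
# do. VLAN names are constructed placeholders.
VLAN_FOR = {ALLOW: "production", LIMITED: "restricted", QUARANTINE: "quarantine"}


@dataclass
class Policy:
    allowed_os: frozenset            # authorized OS versions
    required_patches: frozenset      # patch identifiers that must be installed
    required_registry: dict          # registry value name -> required setting
    max_signature_age_days: int      # AV signatures older than this fail
    required_processes: frozenset    # AV, firewall, VPN client, company software
    prohibited_processes: frozenset  # IM, P2P, spyware, other rogue programs
    agentless_decision: str          # default policy when no agent reports in


@dataclass
class HostReport:
    """Security state collected by a resident agent or a remote scan."""
    os_version: str
    installed_patches: frozenset
    registry: dict
    av_running: bool
    av_signature_date: date
    running_processes: frozenset


def evaluate(report, policy, today):
    """Return (decision, remediation steps). No steps means compliant."""
    if report is None:  # no agent loaded: the default policy applies
        return policy.agentless_decision, ["Install the endpoint agent"]
    steps = []
    if report.os_version not in policy.allowed_os:
        steps.append(f"Unauthorized OS version: {report.os_version}")
    for patch in sorted(policy.required_patches - report.installed_patches):
        steps.append(f"Install patch {patch}")
    for name, wanted in policy.required_registry.items():
        if report.registry.get(name) != wanted:
            steps.append(f"Set registry value {name} = {wanted!r}")
    if not report.av_running:
        steps.append("Start antivirus")
    elif (today - report.av_signature_date).days > policy.max_signature_age_days:
        steps.append("Update antivirus signatures")
    for proc in sorted(policy.required_processes - report.running_processes):
        steps.append(f"Start required program {proc}")
    for proc in sorted(policy.prohibited_processes & report.running_processes):
        steps.append(f"Remove prohibited program {proc}")
    return (ALLOW if not steps else QUARANTINE), steps


# Location-aware policy: headquarters is stricter than a branch office.
_BASE = dict(
    allowed_os=frozenset({"Windows XP SP2", "Windows 2000 SP4"}),
    required_patches=frozenset({"KB100001", "KB100002"}),  # constructed ids
    required_registry={"ScreenSaverIsSecure": "1"},
    required_processes=frozenset({"avengine.exe", "fwclient.exe", "vpnclient.exe"}),
    prohibited_processes=frozenset({"p2pshare.exe", "imchat.exe"}),
)
POLICIES = {
    "headquarters": Policy(max_signature_age_days=7, agentless_decision=QUARANTINE, **_BASE),
    "branch": Policy(max_signature_age_days=14, agentless_decision=LIMITED, **_BASE),
}


def decide(location, report, today):
    """Admission decision for a host connecting from `location`."""
    decision, steps = evaluate(report, POLICIES[location], today)
    return {"decision": decision, "vlan": VLAN_FOR[decision], "remediation": steps}


# Constructed sample reports: one compliant host, one with several failures.
TODAY = date(2006, 3, 15)
COMPLIANT = HostReport("Windows XP SP2", frozenset({"KB100001", "KB100002"}),
                       {"ScreenSaverIsSecure": "1"}, True, date(2006, 3, 13),
                       frozenset({"avengine.exe", "fwclient.exe", "vpnclient.exe", "outlook.exe"}))
NONCOMPLIANT = HostReport("Windows XP SP2", frozenset({"KB100001"}), {}, True,
                          date(2006, 2, 20),
                          frozenset({"avengine.exe", "fwclient.exe", "p2pshare.exe"}))

if __name__ == "__main__":
    for loc, rep in [("headquarters", COMPLIANT), ("headquarters", NONCOMPLIANT), ("branch", None)]:
        print(loc, decide(loc, rep, TODAY))
```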

End-node security fills the credo of trust but verify. With laptops, cell phones and wireless PDAs easily connecting to the corporate network, the security risks with this level of network ease of use can be utterly dreadful. It will be a while before the various end-node security initiatives are complete and fully deployed. But as a start, it shows that the best information security defense is a strong offense.

About the Author: Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint, Inc. McGraw-Hill recently published his book Computer Security: 20 Things Every Employee Should Know. He can be reached at [email protected].

Effective endpoint security without a significant investment
2 May 2005 | Ben Rothke, CISSP | SearchSecurity.com

Vendors are touting new products to manage endpoint security, but organizations can save money by effectively managing three technologies they already employ -- firewall, antivirus and patch management.

The endpoint security market grows as more attention is given to the challenges of securing a dynamic digital perimeter. Organizations willing to pay a hefty price can choose from a variety of products that ensure that endpoint devices comply with policy before connecting to the network. However, effective endpoint security doesn't have to require a significant investment in new software or hardware. Most organizations already employ three effective endpoint security controls: firewall, antivirus and patch management.

Where is your endpoint?

The function of perimeter or endpoint security is to ensure that the infrastructure is protected against external threats. Before you can secure your endpoint, you need to define it. In the pre-Internet days of the mainframe, endpoint security was simple; things were either inside or outside of the data center. Despite the fact that more and more is being spent on information systems security, systems are becoming increasingly complex, and complex systems are much harder to protect.

Even the physical perimeter is not simple to define. The potential endpoints are many. Some of them include:

• Internet access
• Business partner access
• External partnership access
• Internal employee access
• And more

Know your endpoint

The banking industry has a federal requirement known as Know Your Customer (KYC), which is part of the USA Patriot Act of 2001. The purpose of KYC requirements is to catch those laundering money or attempting tax evasion. Banks are required to determine the source of customer deposits, classify them according to pre-determined profiles and monitor their banking activity to detect deviations.

Those in information security can take a similar approach to securing the network perimeter. If you know your endpoint, and are able to detect and respond to anomalous activities, much can be achieved. Effective endpoint security requires an understanding of the infrastructure and a significant commitment to get the job done. Those who have management support and are willing to put in the time to get to know their endpoint have a real chance to create a highly effective information security infrastructure.

Technical controls

Firewall

A firewall is often the first line of network defense, ensuring that only allowed traffic traverses the network. Firewalls are often pristine when initially configured, but after time, allow far too much traffic and too many protocols through. In addition, management often puts too much confidence in firewalls.

How do you obviate such a predicament? Make sure you have an effective and current set of firewall policies. A firewall can't be effective unless it's deployed in the context of working policies that govern its use and administration.

Antivirus

Viruses, worms, Trojan horses, spyware and more are a huge risk to information security. By deploying antivirus technology at the endpoint, organizations can ensure that malware does not infect the infrastructure.

But when it comes to antivirus software, organizations are only as good as their virus definition files. To ensure maximum protection, organizations must make certain that gateway devices and workstations have updated antivirus signatures on each device.

Patch management

Until recently, patch management was something a system administrator did when he had time; now it is an elemental part of information security. Patch management is a strategic process where it must be decided:

• which patches to install
• the benefits and implications of implementing the recommended changes
• the business benefit of installing a patch
• the regulatory requirements
• the operational requirements

The year 2005 is no longer your mother's patch environment, where one can leisurely decide whether or not to patch. Microsoft's Patch Tuesday can easily turn into a Black Wednesday if not handled correctly.

Times are changing and information security must change with them. Endpoint security comes down to knowing what your perimeter is, knowing what your risks are and defending against them. When managed effectively, your firewall, antivirus and patch management products will help you do that.

About the Author: Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint Inc. and the author of Computer Security: 20 Things Every Employee Should Know. He can be reached at [email protected].

Painful patching: How to lock down networked devices
26 Apr 2005 | Brien M. Posey | SearchWindowsSecurity.com

What you will learn from this tip: Options for patching endpoints in heterogeneous environments.

Given the fact that almost all networks are connected to the Internet nowadays, your one hope of staying secure is to constantly patch all machines on the network with the latest vulnerability fixes. This may not be a big deal in environments consisting only of Windows 2003 servers and Windows XP workstations, for which you can simply use Microsoft's Software Update Services (SUS), System Management Server (SMS) or any number of third-party tools for patch updates. However, if your computers are running non-Microsoft operating systems or non-PC devices, or if your VPN allows connections by computers not controlled by your company, keeping everything up-to-date on your network becomes much more complex -- although not impossible.

Comprehensive patch management for heterogeneous environments is considerably more difficult and more expensive than for homogenous environments, but there are ways to manage patches in such environments. In the sections below, I discuss some of your options in difficult patch management situations.

Patching networked devices

Many people don't realize it, but networked non-PC devices, such as personal digital assistants (PDAs), can pose a significant threat to your network's security. Of all the PDAs you see people using in your company, how many of those PDAs does your company own and maintain? People often bring PDAs into the workplace running an out-of-the-box configuration and attach them to the network. Although PDA-based exploits aren't as common as PC-based exploits, there are documented cases, nevertheless, where Trojans were found running on PDAs. Unless you control PDA usage in your company, you could be exposing your network and the data it contains to exploits.

The best way I know to counter such threats is to establish a policy mandating that only PDAs issued by the company are allowed to be connected to the corporate network or to computers belonging to the company. Once you control all of the PDAs used throughout the company, you can focus on patch management.

An easy way to patch your mobile devices is to make sure they are running Windows CE 4.2 or higher or Windows Mobile 2003 or higher. You can then use the SMS 2003 Device Management Feature Pack to manage mobile devices exactly as you would computers on your network. SMS can discover mobile devices and automatically deploy patches to them.

Patching heterogeneous operating systems

Keeping heterogeneous operating systems patched is more difficult than keeping a purely Windows environment patched. Doing so requires third-party software. There are lots of patch-management solutions out there, but the best choice for your organization will depend greatly on the operating systems being used and on your budget.

For organizations running only Windows and Linux operating systems, I like GFI Software Limited's LANguard Network Security Scanner because it's reasonably priced, it does a good job, and it's easy to use.

If you require a more comprehensive patch-management solution, check out Citadel Security Software Inc.'s Hercules. I have never actually used this product, so I can't tell you how good it is, but it exemplifies a tool that can patch Windows, AIX, HP-UX, Solaris, Linux and Mac OS X.

Patching remote computers not controlled by your company

Unpatched computers passing through corporate VPNs have proved particularly troublesome for some time now. There is a solution built into Windows Server 2003, but it can be extremely difficult to use. The solution is called Network Access Quarantine Control, which places a machine in a quarantined environment when it connects to your network. At that point, you run a query to make sure the operating system has all of the latest patches and the remote system is running an approved antivirus program with up-to-date virus definitions. If everything checks out, the PC is allowed to connect to the network. If the machine does not meet all of the requirements set forth by the corporate security policy, the patches are either applied on the spot or the connection is severed (your choice).

As I mentioned, though, the big problem with quarantine mode is that you practically need a doctorate in computer science to configure it -- it is script intensive. However, rumor has it that Microsoft will greatly simplify quarantine mode in Windows Server 2003 R2, to be released later this year. The company also plans to change the name to Network Access Protection (NAP).

About the Author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

The key to locking out mobile threats
4 Apr 2005 | Brien M. Posey | SearchWindowsSecurity.com

Mobile devices today are so commonplace that few people pay much mind to them, but mobile devices can pose threats to your network that must not be ignored. Here I'll explain how they can harm your network and what you can do to prevent exploits.

New storage features call for greater precautions

Mobile devices can threaten your network by allowing hackers to haul away sensitive data or letting malicious freeloaders into your space. Let me explain. PDAs have a much greater storage capacity now than they previously had, in a sense acting as portable hard drives. For instance, an unhappy user or unknown intruder who connects a PDA to an office PC could potentially copy sensitive files from the network to the PDA and walk right out the door with them. He could also use a PDA to bring in virus-infected files, whether it be intentional or accidental, or to copy and install a small application on an office workstation.

The fact that many people do not think of mobile devices as security concerns is a major issue. These days, viruses and Trojans are specifically designed to attack mobile devices. This becomes a problem when a device is used to connect to a corporate network over a VPN, Wi-Fi or dial-up link. If a mobile device is infected with a keystroke logger, access credentials to the network can be stolen and transmitted to a server on the Internet, compromising a user's authentication credentials for potential hack attempts.

Locking down mobile devices

To protect your Windows network from mobile threats, create a corporate policy that bans the use of privately-owned mobile devices. If anyone in the company has a legitimate need for a mobile device, it will be the company's responsibility to provide that device. This will cost the company some money up front, but I believe the benefits outweigh the cost.

The first benefit is that you know exactly who is authorized to use mobile devices, and you can take steps to prevent anyone else from attaching a mobile device to the network. Since many mobile devices attach to PCs through a Universal Serial Bus (USB) or Firewire port, try a product like GFI Software Ltd.'s Portable Storage Control to prevent users from attaching mobile devices or any other portable storage device to their PCs.

Company ownership of mobile devices also enables you to dictate what must be running on the devices, ensuring the devices are used properly. Insist that the mobile device is running all of the latest patches and the latest antivirus definitions (yes, there are antivirus programs for mobile devices).

Following those steps should greatly increase mobile device security in your organization, but I also recommend occasionally performing random device audits. Check for unauthorized mobile applications, such as hacker tools, and anything else that might compromise security. People tend to have a personal attachment to their mobile devices and might be reluctant to allow the IT department to inspect them. Remember though that the device is company property, and you have the right to inspect it anytime you feel like it.

Mobile devices pose one additional risk, which is what could happen if the device were lost or stolen. If a user has passwords cached within the device, whoever finds it can instantly access your network using that information. Insist that mobile device users have power-on passwords (if supported), and prevent them from caching passwords for connecting to your network, the Internet or anything else. Some users have been known to create text files of passwords, ATM PINs and other highly sensitive information. Make it clear to your users that such files are a very bad idea.

As you can see, mobile devices can easily threaten the integrity and security of your network unless they are properly secured.

About the Author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

Tips for securing iPods in the enterprise
28 Dec 2005 | Joel Dubin | SearchSecurity.com

Any external storage device connected to a desktop can be a security risk. This includes USB keys, flash drives, zip drives -- you name it. If it can be attached to a USB port, it can hold and move data. iPods fit neatly into this category and in most cases should be prohibited in the enterprise.

iPods can hold up to 30 GB of photos, music, MP3s, videos and movies, as well as any other ordinary data or file type. While they can take -- or steal -- data from the network, they can also introduce spyware and malware into the network. Generally speaking, iPods have no business purpose and shouldn't be allowed to be connected to your employees' desktops.

But, there are some exceptions. An innovative business use for iPods was recently developed at a hospital in Geneva. A professor developed software that allows doctors to store and view medical images on their iPods. Using Apple iChat, several doctors in far-flung departments on the same case can look at the images remotely from their iPods and compare notes simultaneously. The system has saved the hospital the cost of more expensive equipment for medical imaging and storage.

So, despite the security risks, a company may want to consider using podcasts for disseminating information to its employees. A project manager may want to use iPods to distribute diagrams too large to send as email attachments to team members. How do you balance the potential security risk with the potential convenience of iPods and podcasts? Here are some suggestions.

• Restrict the use of iPods to specific projects. Their use should be approved in writing by the information security department for each employee requiring them. Exemptions should only be made on a per-project basis and not entitle the employee to unlimited use of their iPod or to connect to the network after the project is complete.

• iPods must be scanned by antivirus and antispyware software before connecting to the network. This should be written into your information security policy.

• Dedicated file servers should host podcasts or other data to be shared by iPods. Access should be logged and monitored for unauthorized or malicious use. Only employees working on the project with a specific need should be granted access. iPods should also be hardened with unneeded services turned off.

• Only software pre-approved and reviewed by information security should be allowed for use on iPods. As they become more sophisticated, more software becomes available for them. Apple iTunes is an example of another repository for iPod enthusiasts. iTunes must be downloaded to the desktop that will be connecting to the iPod. Most sane information security policies prohibit employees from downloading software willy-nilly directly off the Web. For this reason alone, iTunes wouldn't be allowed on most corporate desktops. Apple this year also released a patch for a flaw in iTunes that allowed a hacker to remotely gain control of a user's desktop. By itself, iTunes is a harmless music store, but is it necessary in the office?

• USB ports should be shut off for those users who do not need to connect to the network. This can be done at the BIOS level, or on Windows machines through the Device Manager, the Group Policy editor or through registry key settings locked down on the enterprise build of the desktop distributed to your employees.

About the Author: Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of The Little Black Book of Computer Security, available on Amazon.

DMZs, LANs and VLANs

Glossary definition: DMZ
SearchSecurity.com

In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. (The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN "police action" in the early 1950s.) A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.

In a typical DMZ configuration for a small company, a separate computer (or host, in network terms) receives requests from users within the private network for access to Web sites or other companies accessible on the public network. The DMZ host then initiates sessions for these requests on the public network. However, the DMZ host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.

Users of the public network outside the company can access only the DMZ host. The DMZ may typically also have the company's Web pages so these could be served to the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the Web pages might be corrupted but no other company information would be exposed. Cisco, the leading maker of routers, is one company that sells products designed for setting up a DMZ.

Glossary definition: VLAN
SearchSecurity.com

A virtual (or logical) LAN is a local area network with a definition that maps workstations on some other basis than geographic location (for example, by department, type of user, or primary application). The virtual LAN controller can change or add workstations and manage load balancing and bandwidth allocation more easily than with a physical picture of the LAN. Network management software keeps track of relating the virtual picture of the local area network with the actual physical picture.

VLANs are considered likely to be used with campus environment networks. Among companies likely to provide products with VLAN support are Cisco, Bay Networks, and 3Com.

There is a proposed VLAN standard, Institute of Electrical and Electronics Engineers 802.10.


Book chapter: Secure LAN switching
Saadat Malik | Cisco Press | SearchSecurity.com

This excerpt is from Chapter 5, Secure LAN Switching, of "Network Security Principles & Practices," written by Saadat Malik and published by Cisco Press.

In order to provide comprehensive security on a network, it is important to take the concept of security to the last step and ensure that the Layer 2 devices such as the switches that manage the LANs are also operating in a secure manner.

This chapter focuses on the Cisco Catalyst 5000/5500 series switches. We will discuss private VLANs in the context of the 6000 series switches. Generally, similar concepts can be implemented in other types of switches (such as the 1900, 2900, 3000 and 4000 series switches) as well.

Security on the LAN is important because some security threats can be initiated on Layer 2 rather than at Layer 3 and above. An example of one such attack is one in which a compromised server on a DMZ LAN is used to connect to another server on the same segment despite access control lists on the firewall connected on the DMZ. Because the connection occurs at Layer 2, without suitable measures to restrict traffic on this layer, this type of access attempt cannot be blocked.

General switch and layer 2 security
Some of the basic rules to keep in mind when setting up a secure Layer 2 switching environment are as follows:

• VLANs should be set up in ways that clearly separate the network's various logical components from each other. VLANs lend themselves to providing segregation between logical workgroups. This is a first step toward segregating portions of the network needing more security from portions needing lesser security. It is important to have a good understanding of what VLANs are. VLANs are a logical grouping of devices that might or might not be physically located close to each other.

• If some ports are not being used, it is prudent to turn them off as well as place them in a special VLAN used to collect unused ports. This VLAN should have no Layer 3 access.

• Although devices on a particular VLAN cannot access devices on another VLAN unless specific mechanisms for doing so (such as trunking or a device routing between the VLANs) are set up, VLANs should not be used as the sole mechanism for providing security to a particular group of devices on a VLAN. VLAN protocols are not constructed with security as the primary motivator behind them. The protocols that are used to establish VLANs can be compromised rather easily from a security perspective and allow loopholes into the network. As such, other mechanisms such as those discussed next should be used to secure them.


• Because VLANs are not a security feature, devices at different security levels should be isolated on separate Layer 2 devices. For example, having the same switch chassis on both the inside and outside of a firewall is not recommended. Two separate switches should be used for the secure and insecure sides of the firewall.

• Unless it is critical, Layer 3 connectivity such as Telnet and HTTP connections to a Layer 2 switch should be restricted and very limited.

• It is important to make sure that trunking does not become a security risk in the switching environment. Trunks should not use port numbers that belong to a VLAN that is in use anywhere on the switched network. This can erroneously allow packets from the trunk port to reach other ports located in the same VLAN. Ports that do not require trunking should have trunking disabled. An attacker can use trunking to hop from one VLAN to another. The attacker can do this by pretending to be another switch with ISL or 802.1q signaling along with Dynamic Trunking Protocol (DTP). This allows the attacker's machine to become a part of all the VLANs on the switch being attacked. It is generally a good idea to set DTP to off on all ports not being used for trunking. It's also a good idea to use dedicated VLAN IDs for all trunks rather than using VLAN IDs that are also being used for nontrunking ports. Sharing VLAN IDs between trunk and nontrunk ports can allow an attacker to make itself part of a trunking VLAN rather easily and then use trunking to hop onto other VLANs as well.

Generally, it is difficult to protect against attacks launched from hosts sitting on a LAN. These hosts are often considered trusted entities. As such, if one of these hosts is used to launch an attack, it becomes difficult to stop it. Therefore, it is important to make sure that access to the LAN is secured and is provided only to trusted people.

Some of the features we will discuss in the upcoming sections show you ways to further secure the switching environment.

The discussion in this chapter revolves around the use of Catalyst 5xxx and 6xxx switches. The same principles can be applied to setting up security on other types of switches.

How to protect a LAN from unauthorized access

What steps should I take to use filters to protect a LAN from unauthorized access?
QUESTION POSED ON: 04 November 2005
QUESTION ANSWERED BY: Joel Dubin, SearchSecurity.com

The first, and easiest, way to protect a LAN is to put it in a separate subnet behind its own gateway router or firewall. This segregates the LAN from other networks and makes it easier to tune any gateways into it through hubs, switches or routers.


The next simplest step, at least for a Windows network, is to simply shut off port 139 on the gateway router. This prevents a malicious user from trying to map a drive to the LAN. Similarly, turn off NetBIOS over TCP/IP on the workstations within the LAN. This prevents some bad guy from trying to directly map a drive to the workstations inside the LAN by using the NetBIOS name of the computer over a TCP/IP connection from outside the LAN.

Each workstation can also be configured to only accept traffic from specific IP addresses. Every LAN has a range of internal IP addresses assigned by whoever set up the LAN. The IP filtering feature can be set to only accept traffic from those IP addresses. But might that block Internet access? Not necessarily. If the LAN accesses the Internet through the gateway, whose IP is in the network's range of accepted IP addresses, then the LAN will still be able to connect to the Internet. But it will do so securely since it's only accepting the traffic from the accepted gateway and not the Internet directly.

And, of course, tune your firewalls, both at the gateway and on the individual hosts, to only accept needed TCP protocols. If FTP or Telnet isn't needed, filter them out.

About the Author: Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of The Little Black Book of Computer Security available on Amazon.

Designing DMZs with various levels of access

I need some information on designing DMZs for my local users, customers, partners and application servers with different levels of access. I have more than 1,100 workstations on my LAN, and I want to define different levels of access for local users, too. I appreciate any guidance.
QUESTION POSED ON: 08 January 2004
QUESTION ANSWERED BY: Ed Yakabovicz, SearchSecurity.com

Typically the DMZ is designed as the first stop into any company that is connected to the Internet. Do not place any email, databases or any other data that is critical to your company in this zone.

Place servers that you connect for authentication. Now when these devices connect back through the DMZ to say a database zone, create a network subnet with only those devices. This separates other internal systems from the external and provides a layered approach. Now, anyone needing to access say email or other data (shares, files, etc) put them in another network off the DMZ. I always recommend firewalls at both sides of the DMZ and IDS systems external -- one in the DMZ, one in the Database zone and others more or less in all zones.

Security must be addressed as a layered approach. The first step is to filter all traffic before it enters the DMZ. So a router only letting in say port 80, 443 to the DMZ. Then the DMZ will only allow traffic such as any application in the DMZ email, SMTP. Please no FTP, because it's too insecure. The DMZ should only allow valid traffic to the devices behind it.

Using 802.1X to control physical access to LANs
29 Dec 2005 | Michael Cobb | SearchSecurity.com

Network security would be so much easier if you could control which physical computers were allowed to join your network. It would mean a hacker would have to gain physical access to a particular computer before they could even start to attack your network. One technology used to control admission of computers into a network is 802.1X, a port-based access control. It is mainly used on wireless networks but is increasing in popularity as an access control method on wired networks too.

802.1X features MAC address filtering. Any machine whose MAC address on the network adapter does not match an entry in the account database is not permitted access to the network. Unfortunately, like IP addresses, MAC addresses can be spoofed. This creates the possibility of a man-in-the-middle attack, albeit a sophisticated one. To prevent this type of attack, 802.1X should be combined with the Extensible Authentication Protocol (EAP) to authenticate the client to the network and the network to the client.

802.1X is one way of preventing entry to your network, but once it authenticates the connection it assumes all traffic over the connection is legitimate. To really solve the problem of rogue machines, each computer needs to protect itself from the other computers on the network. So, 802.1X should also be used in conjunction with IPsec, which provides end-to-end authentication and encryption between hosts on a network.

Looking ahead to the release of Microsoft Windows Vista/Longhorn, it's understood that they will include Network Access Protection (NAP). This feature will allow you to protect your network from unhealthy computers by enforcing compliance with network health policies. This is similar to Cisco's Network Admission Control (NAC), which isolates and denies network access to non-compliant devices. While NAP and NAC play a different role from 802.1X in controlling network connections, they will certainly go a long way to ensuring trusted computers on the network stay that way.

About the Author: Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.


Life at the edge: Securing the network perimeter, Part 2
5 Jun 2005 | Michael Cobb | SearchSecurity.com

Divide and conquer -- DMZs

A network DMZ separates and isolates a trusted network from an untrusted network by creating screened subnets. By dividing the system into segments and creating DMZs where only intermediate levels of trust exist, the system has a much greater resistance to successive compromise, thereby protecting the key resources even if other components fail. DMZs work because network traffic cannot travel between two network subnets without being routed.

Your Web servers, FTP servers, mail servers and external DNS servers should be placed in this DMZ, or "perimeter network," along with additional network defenses, such as an IDS. By putting these public services in the DMZ, you put them on a different subnet to your internal network. Your internal network is where your back-end systems such as database servers should be located. Any machine placed in the DMZ is still at risk, but if an intruder compromises the DMZ, he does not automatically have access to the internal network.

Each access point into the DMZ blocks and filters network traffic to only allow activity to or from certain network addresses, over certain ports, to pass through. Great care should be taken so that interactions with the DMZ do not expose the internal network. The barriers between each segment are controlled and screened by firewalls and routers, and protected by access control lists, strong authentication and encryption. For the ultimate in DMZ security, place each service on its own DMZ segment, configuring firewall policies to meet the needs of each server.

Network layouts
There are two DMZ network layouts we'll look at. The first, called a triple-homed perimeter network, is suitable for low-budget Web sites that do not connect to a critical internal network. The second is a back-to-back perimeter network, which is required for e-commerce and other mission-critical Web sites.

Triple-homed perimeter network
This topology uses a single firewall to separate the Internet, the perimeter network and the corporate intranet. It is also known as a single-screened subnet because the DMZ is bounded by only a single firewall with three network cards: one connected to the Internet, one to the DMZ and one to the corporate intranet (see figure 1 below). The disadvantage of this network layout is that there is a single point of failure. When ports are opened through a perimeter guarded by a single firewall, the perimeter security is unavoidably weakened. If an intruder compromises the firewall in this topology, he has access to both the server in the DMZ and the corporate intranet.


Figure 1: Triple-homed perimeter network.
Note that this topology specifies the use of a secured router between the Internet and the DMZ. Ports on this router should be locked down. Examples of ports that you would typically need open to ensure correct Web server functionality would be port 80 for HTTP and port 443 for HTTPS.

Back-to-back perimeter network
The back-to-back perimeter network topology shown in figure 2 is widely regarded as one of the most secure. The perimeter network is separated from the Internet on one side and from the internal network on the other side by using two firewalls. Each firewall has two network adapters. The external firewall has one network adapter connected to the Internet and the other connected to the perimeter network, while the internal firewall has one network adapter connected to the perimeter network and the other connected to the internal network (see figure 2 below). This provides an added layer of protection. If an intruder from the Internet compromises the perimeter network, he does not automatically gain access to resources in the internal network, as there is another barrier between the intruder and the rest of the network.

Figure 2: A dual screened subnet or back-to-back perimeter network using two firewalls.
Note that there is another secured router separating the network segments that compose the perimeter network. Although locking down this router is not as important as locking down the router connected to the Internet, ensuring that non-essential ports are closed can give additional security.

The outside firewall protects against external attacks and manages all Internet access to the DMZ. The inside firewall manages DMZ access to the internal network. This firewall should have different rules than the firewall facing the Internet, allowing only inbound application-specific service calls to reach specified systems and preventing unsolicited inbound port 80 Web traffic into the internal network. In other words, the firewall should only pass inbound traffic from a server in the DMZ that needs to communicate with one of the internal systems. For example, if a Web server communicates with a database via SQL, open TCP ports in the firewall to pass the SQL queries and responses, and block everything else. Security is further enhanced when different makes of firewalls are used on each side of the DMZ. A hacker is less likely to be able to use the same exploit to defeat both systems.

When segmenting a network for security purposes, always choose physical segmentation. A virtual LAN (VLAN) is a network segment that is logically defined and controlled by a switch that can assign its ports to two or more VLAN segments rather than have all its ports belong to the same physical segment. Although this reduces the cost of purchasing multiple switches, the segmentation is virtual. It can be removed and the security the switch provides can be easily bypassed.

About the Author: Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.

VLAN security
29 Mar 2004 | Tom Lancaster | SearchSecurity.com

This week, I wanted to address VLAN security, which like Ethernet, is a mystery to most people. That may sound like a strange statement, since I'm sure everyone reading this has been using Ethernet for years, but seriously, how many network engineers do you know who could explain Manchester bit encoding or how Fast Link Pulses work? Not very many, of course, and why should they? After all, Ethernet is one of those protocols that "just works." Network administrators don't understand it for the very simple reason that they never have to troubleshoot it.

VLANs are pretty much the same way. Sure, the configuration of a few more advanced topics like VTP and VLAN pruning can give you a mental workout, and of course, nobody likes Spanning-Tree Protocol, but really, when was the last time you really needed to know how your switches implemented VLANs? For the most part, you define a VLAN, and assign ports to it, and define trunk ports and configure which VLANs can cross it... and it just works... simple as that.

But it's precisely this simplicity that can lull you into leaving open a raft of security vulnerabilities.

So as I was checking a few quick facts for this tip, I ran across an @Stake white paper so concise and illuminating, despite being 2 years old, that I decided to just link you to it and offer a quick summary. (http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml)

The reason I like this article is because it explains at a high level, several ways your network can be attacked at Layer 2. Many of these aren't nearly as intuitively obvious as the higher-level attacks we witness daily, so many administrators think that it's impossible to attack VLANs, which is of course, absurd.

So here are a few key points to remember when configuring your network:

VLAN 1 (on Catalyst switches) is the default for both ports and the "Native" VLAN on 802.1Q trunks, which is precisely why you should NEVER use it.

Don't allow dynamic protocols to talk to untrusted devices. Many administrators don't realize there are a lot of these operating around Layer 2, such as VTP, PAgP, CDP, DTP, UDLD and of course STP.

If at all possible, authenticate all hosts and/or limit their connectivity. Port Security, 802.1x and Dynamic VLANs are three methods mentioned in this article you can use.

About the Author: Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSP: Secure PIX and Secure VPN Study Guide published by Sybex.

Popular VLAN attacks and how to avoid them
23 May 2005 | Chris Partsenidis | SearchSecurity.com

Configuring three or more switches to support a VLAN and partition a network is a fairly simple and straightforward process; however, ensuring a VLAN can withstand an attack is a different story! In order to secure a VLAN, you need to know what to protect it from. Here are a few of the most popular attacks against VLANs, ways you can fight them, and in some cases, minimize their effect.

VLAN hopping attacks


The basic VLAN hopping attack is based on the Dynamic Trunking Protocol and, in some cases, the trunking encapsulation protocol (802.1q or ISL). The Dynamic Trunking Protocol is used for negotiating trunking on a link between two switches or devices and the type of trunking encapsulation to be used.

Trunk negotiation can be enabled on a switch interface by entering the following command at the interface level:

Switch(config-if)#switchport mode dynamic

While this feature might ease the process of configuring switches, it hides a serious weakness for your VLAN. A station can easily spoof itself as a switch using the 802.1q encapsulation, thereby creating a trunk link and becoming a member of all VLANs. Thankfully, this vulnerability has been fixed in Cisco's newer IOSes. To avoid possible VLAN hopping attacks, do not use 'dynamic modes' at the interface level and configure the link as a trunk or access type.

Address Resolution Protocol attacks
The Address Resolution Protocol (ARP) attack is popular in the underground world. Available tools can bypass the switch security feature that creates a virtual communication channel between two nodes and prohibits the rest from 'listening' to their conversation.

With ARP attacks, the intruder obtains IP addresses and other statistics about the network he plans to attack, and then uses that information to issue the attack. The intruder floods the network switches with ARP broadcasts, telling the network switches that all, or a range, of IP addresses belong to him, thereby forcing all data packets and conversations to pass through him while he sniffs the data.

You can avoid this problem by using the 'port-security' command available to most high-end Catalyst switches such as the 4000, 4500, 5000 and 6500 series.

Once the port-security feature is enabled on a port, you are able to specify the number of MAC addresses or the specific MAC address allowed to connect through the port. The command required to enable this security feature is:

Switch(config)#set port security port enable

Static ARP should be used for critical routers or hosts such as servers. Lastly, intrusion-detection systems can track and report multiple ARP broadcasts resulting from such attacks.
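The detection side of the ARP advice above, as an added example that is not part of the original tip: a small monitor that reads ARP reply records (the log format and all addresses are constructed for this example), pins critical hosts the way a static ARP entry would, and raises an alert when a pinned binding is contradicted, when a learned IP-to-MAC binding changes, or when one MAC claims more IPs than a threshold.

```python
import re
from collections import defaultdict

# Constructed sample of ARP reply records as a sensor might log them.
# The format is hypothetical, not any product's real log format; the last
# four lines model one MAC claiming the gateway and a range of hosts.
SAMPLE_ARP_LOG = """\
10:00:01 arp reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 arp reply 192.168.1.10 is-at 00:11:22:33:44:0a
10:00:03 arp reply 192.168.1.11 is-at 00:11:22:33:44:0b
10:00:05 arp reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:05 arp reply 192.168.1.10 is-at de:ad:be:ef:00:01
10:00:05 arp reply 192.168.1.11 is-at de:ad:be:ef:00:01
10:00:05 arp reply 192.168.1.12 is-at de:ad:be:ef:00:01
"""

ARP_RE = re.compile(
    r"^(?P<ts>\S+) arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})$"
)

# Equivalent of the static ARP entries the tip recommends for critical hosts
# (here the default gateway; values are constructed).
STATIC_ARP = {"192.168.1.1": "00:11:22:33:44:01"}

# A single adapter legitimately answering for more than this many IPs is
# treated as an ARP flood (threshold is an assumption for the example).
MAX_IPS_PER_MAC = 2


def parse_arp_log(text):
    """Return (timestamp, ip, mac) tuples for every well-formed record."""
    records = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["ip"], m["mac"].lower()))
    return records


def detect_arp_spoofing(records, static_arp=STATIC_ARP,
                        max_ips_per_mac=MAX_IPS_PER_MAC):
    """Walk the records in order and return a list of
    (alert_kind, timestamp, ip, mac) tuples."""
    alerts = []
    seen = {}                    # ip -> MAC first learned for that ip
    claims = defaultdict(set)    # mac -> set of IPs it has claimed
    flooders = set()             # MACs already reported for flooding
    for ts, ip, mac in records:
        pinned = static_arp.get(ip)
        if pinned is not None and mac != pinned:
            # A claim that contradicts a static entry is the strongest signal.
            alerts.append(("static-mismatch", ts, ip, mac))
        elif ip in seen and seen[ip] != mac:
            # A learned binding flipping to a new MAC is suspicious.
            alerts.append(("binding-change", ts, ip, mac))
        seen.setdefault(ip, mac)
        claims[mac].add(ip)
        if len(claims[mac]) > max_ips_per_mac and mac not in flooders:
            # Report the flood once per offending MAC, not once per packet.
            flooders.add(mac)
            alerts.append(("mac-claims-many-ips", ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_log(SAMPLE_ARP_LOG)):
        print(*alert)
```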

VLAN Trunking Protocol attack
The VLAN Trunking Protocol (VTP) is a proprietary Cisco protocol designed to make life easy by automatically propagating VLAN information throughout network switches. Its setup involves a VTP server, effectively a switch, in charge of propagating all VLAN information. All switches, minus the VTP server switch, are configured as client switches that are responsible for listening for announcements regarding any VLAN changes made from the VTP server.

The VTP attack involves a station sending VTP messages through the network, advertising that there are no VLANs on the network. Thus, all client VTP switches erase their valid VLAN information databases.

This may also occur if a switch is plugged into the network that is configured as a VTP server and contains a VTP configuration version higher than the existing VTP server. In this case, all switches overwrite their valid information with that obtained by the 'new' VTP server.

Thankfully, there are ways to protect a VLAN from this situation. Either disable VTP altogether (not advised for a large network with more than five switches) or use MD5 authentication for all VTP messages to ensure no VTP message is processed by the client switches if the password contained in the message is not correct.

The commands used to set the VTP password for your VTP Domain are:

Switch#vlan database
Switch(vlan)#vtp password <password>
Switch(vlan)#apply
Switch(vlan)#exit

About the Author: Chris Partsenidis is the founder and senior editor of www.Firewall.cx, a Web site dedicated to network security and protocol analysis. If you wish to read up more on VLAN technologies and their associated protocols, you can refer to www.Firewall.cx where the topic is extensively covered. Chris has a bachelor's degree in Electrical Technology and holds the following IT certifications: Cisco CCNA, Novell CNA (3,4,5), Linux LCP, D-Link Engineer, Microsoft MCP, CompTIA A+ & Network+. You can contact Chris via www.Firewall.cx.


Firewalls

2006 Network Firewall Products of the Year
SearchSecurity.com

NetScreen-5GT and -5XT
Juniper Networks, www.juniper.net

Juniper Networks clearly knew what it was doing when it acquired NetScreen in 2004. Its NetScreen-5GT and -5XT firewall appliances earned consistent "excellent" and "good" responses across the board, earning the gold medal in the network firewall category for two years running.

This family of network security solutions is ideal for locking down enterprises' remote offices, retail outlets and broadband telecommuter environments. Its integrated security applications, routing protocols and policy-based management features have earned it the top spot among surveyed readers.

The NetScreen-5GT's and -5XT's stateful packet inspection and signature-based deep inspection threat detection, and DDoS protection capabilities, stop network- and application-layer attacks. Their Web filtering options (available from third-party vendor Websense) prevent users from leaking sensitive corporate information, whether deliberately or through spyware/phishing attacks. The firewalls offer up to 25 concurrent VPN tunnels, an unlimited number of trusted IP addresses and up to 4,000 concurrent sessions.

Specifically, the 5GT has embedded network-based AV that scans for viruses in email, Web and file-transfer protocols. Its embedded Trend Micro antivirus engine scans IMAP, SMTP, FTP, POP3 and HTTP mail protocols, and checks against an encyclopedia of more than 80,000 signatures. (It is important to note that the NetScreen-5XT does not support this embedded antivirus gateway scanning.)

The 5GT's and 5XT's embedded IPsec VPN provides Web-based and XAUTH authentication, with third-party support for RADIUS, LDAP and RSA SecurID.

"We originally selected Juniper because we knew the performance was greater than our previous solution. We had no idea we'd be seeing so many other benefits," says Matthew Gruett, Internet systems specialist for TDS Telecom.

Both the 5GT and 5XT support key routing protocols -- including BGP, OSPF and ECMP -- and integrate into the network with ease. Dial-backup and dual Ethernet ports support business-critical systems and provide redundancy. Restricted security zones protect corporate activity and offer a clear separation between authorized and unauthorized business use. The zones also offer delineation between home and office users, allowing employees to access the corporate network through a secure VPN connection (work zone) and maintain their access to the Internet (home zone) through normal connectivity.

In addition, the 5GT Wireless appliance also offers support for a wide set of wireless authentication and privacy protocols for 802.11b/g networks.

Cisco PIX 500 Series Security Appliances
Cisco Systems, www.cisco.com
Firewall and PIX are synonymous, says one user. "It's what I trust between me and the Internet."

FireWall-1
Check Point Software Technologies, www.checkpoint.com
It is no surprise that this granddaddy of firewalls continues to draw great user support, getting especially strong ratings for security.

How to choose a firewall
17 Oct 2005 | Mike Chapple | SearchSecurity.com

There are dozens of firewalls on the market today. Choosing one for your organization can be a daunting task – especially in an industry filled with buzzwords and proprietary trademarks. Let's take a look at the basics of firewall technology and five questions you should ask when choosing a firewall for your organization.

1. Why are you implementing a firewall? Sure, this sounds like a simple question. You're probably thinking to yourself, "Because we need one!" But it's important that you take the time to define the technical objectives that you have for implementing a firewall. These objectives will drive the selection process. You don't want to choose an expensive, feature-rich firewall that's complicated to administer when your technical requirements could be met by a simpler product.

2. How will the firewall fit into your network topology? Will this firewall sit at the perimeter of your corporate network and be directly connected to the Internet, or will it serve to segment a sensitive LAN from the remainder of the organization? How much traffic will it process? How many interfaces will it need to segment your traffic? Performance requirements such as these contribute a significant amount to the total cost of new firewall implementations, making it easy to under- or over-purchase.

3. What type of traffic inspection do you need to perform? This is where the buzzwords start to come into play. Every vendor out there has a different trademark for their traffic-inspection technology, but there are essentially three different options (listed in order of increasing complexity and cost):

• Packet-filtering firewalls use simple rules to evaluate each packet they encounter on its own merits. They maintain no history from packet to packet, and they perform basic packet header inspection. The simplicity of this inspection makes them speed demons. They're the most inexpensive option, but they are also the least flexible and the most vulnerable. There's a good chance you already own equipment capable of performing packet filtering – your routers!

• Stateful-inspection firewalls go a step further. They track the three-way TCP handshake to ensure that packets claiming to belong to an established session (i.e., the SYN flag is not set) correspond to previous activity seen by the firewall. Requests to open the initial connection are subject to the stateful-inspection firewall rulebase.

• Application-proxy firewalls contain the highest level of intelligence. In addition to stateful inspection, they broker the connection between client and server. The client connects to the firewall, which analyzes the request (including application-layer inspection of packet contents). If the firewall rules indicate that the communication should be allowed, the firewall then establishes a connection with the server and continues to act as an intermediary in the communication. When combined with Network Address Translation, both hosts may not even be aware that the other exists – they both believe they are communicating directly with the firewall.
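The difference between the first two options, worked through on the inside-firewall rule from the DMZ tip earlier in this guide (DMZ Web server allowed to reach the internal database over SQL, everything else blocked). This is an added example, not code from either article: a stateless filter that trusts the ACK flag is compared with a stateful model that tracks the three-way handshake per connection. All addresses are constructed and the SQL listener port is an assumed example value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


# Constructed addresses: the DMZ Web server and the internal database server.
WEB = "10.1.1.10"
DB = "10.2.2.20"
SQL_PORT = 1433   # assumed database listener port for the example

# Inside-firewall rulebase: new connections are permitted only from the
# Web server to the database port. Everything else is denied.
NEW_CONNECTION_RULES = [(WEB, DB, SQL_PORT)]


def rule_allows_new(pkt):
    return (pkt.src, pkt.dst, pkt.dport) in NEW_CONNECTION_RULES


def packet_filter(pkt):
    """Stateless filter: a fresh SYN must match a rule; any packet carrying
    ACK is presumed to be return traffic of a session that was already
    allowed (the classic 'established' ACL check), with no memory to verify
    that such a session exists."""
    if pkt.syn and not pkt.ack:
        return rule_allows_new(pkt)
    return pkt.ack


class StatefulFirewall:
    """Tracks each TCP connection through the handshake; non-SYN packets are
    accepted only when they belong to a connection the firewall saw opened."""

    def __init__(self):
        self.table = {}   # (client, cport, server, sport) -> state

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and not pkt.ack:                 # handshake step 1
            if rule_allows_new(pkt):
                self.table[fwd] = "SYN_SENT"
                return True
            return False
        if pkt.syn and pkt.ack:                     # step 2: server reply
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECV"
                return True
            return False
        state = self.table.get(fwd)                 # client-to-server data
        if state == "SYN_RECV" and pkt.ack:         # step 3 completes it
            self.table[fwd] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED":
            return True
        if self.table.get(rev) == "ESTABLISHED":    # server-to-client data
            return True
        return False                                # unsolicited: drop


def run_scenario(decide):
    """Feed one legitimate SQL session plus two unsolicited packets through
    a decision function and return (handshake verdicts, forged ACK verdict,
    unpermitted SYN verdict)."""
    session = [
        Packet(WEB, DB, 40000, SQL_PORT, syn=True),            # SYN
        Packet(DB, WEB, SQL_PORT, 40000, syn=True, ack=True),  # SYN/ACK
        Packet(WEB, DB, 40000, SQL_PORT, ack=True),            # ACK
        Packet(WEB, DB, 40000, SQL_PORT, ack=True),            # SQL query
        Packet(DB, WEB, SQL_PORT, 40000, ack=True),            # SQL response
    ]
    # An ACK-only packet toward an internal host no rule permits: the kind of
    # unsolicited inbound traffic the inside firewall exists to stop.
    forged_ack = Packet(WEB, "10.2.2.30", 40001, 445, ack=True)
    new_syn = Packet(WEB, "10.2.2.30", 40002, 445, syn=True)
    return ([decide(p) for p in session], decide(forged_ack), decide(new_syn))


if __name__ == "__main__":
    print("packet filter:", run_scenario(packet_filter))
    print("stateful     :", run_scenario(StatefulFirewall().decide))
```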

4. Is your organization better suited for an appliance or a software solution? Appliances are typically much easier to install. You normally just plug in the appropriate Ethernet cables, perform basic network configuration and you're ready to configure your firewall rules. Software firewalls, on the other hand, can be tricky to install and require tweaking. They also lack the security that's often built into the hardened operating systems of firewall appliances. What's the tradeoff? You guessed it! Appliances are more expensive.

5. What operating system is best suited for your requirements? Even appliances run an OS and, chances are, you'll need to work with it at some point in your firewall administration career. If you're a Linux jockey, you probably don't want to choose a Windows-based firewall. On the other hand, if you don't know /dev/null from /var/log, you probably want to steer clear of Unix-based solutions.

While I can't recommend a specific firewall to you without knowing your needs, the process of answering these questions can help you solidify your thoughts and put you in the right direction. With these answers in hand, you should be able to intelligently evaluate the cost/benefit tradeoff for the various products available on the market today.
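The difference between the packet-filtering and stateful-inspection firewalls described above, shown as an added Python model (not code from the tip); the address plan, packet format and rulebase are constructed for illustration:

```python
"""Stateless packet filtering vs. stateful inspection.

Added example (not from the tip). Packets are small records; the internal
network is a constructed 10.0.0.0/8, and the rulebase is a constructed one
that allows anything outbound and only port 80 inbound.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # constructed address plan


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    """One rulebase entry: direction plus destination port decide the verdict."""
    inbound: bool           # True: Internet -> internal, False: internal -> Internet
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        inbound = is_internal(p.dst) and not is_internal(p.src)
        return inbound == self.inbound and self.dport in (None, p.dport)


RULEBASE: List[Rule] = [
    Rule(inbound=False, dport=None, action="allow"),  # anything outbound
    Rule(inbound=True, dport=80, action="allow"),     # the public Web server
    Rule(inbound=True, dport=None, action="deny"),    # default deny inbound
]


def rulebase_verdict(p: Packet, rules: List[Rule] = RULEBASE) -> str:
    """First matching rule wins; no match means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def stateless_filter(p: Packet) -> str:
    """Packet filter: no memory between packets. The only way it can admit
    replies to outbound connections is a header check ("established" means
    the ACK flag is set), so it trusts whatever the packet says about itself."""
    if "ACK" in p.flags:
        return "allow"
    return rulebase_verdict(p)


class StatefulFilter:
    """Follows the three-way handshake; a packet claiming to belong to an
    established session is admitted only if the firewall saw it opened."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple, str] = {}  # connection key -> state

    @staticmethod
    def key(p: Packet) -> Tuple:
        # Same key for both directions of one connection.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def filter(self, p: Packet) -> str:
        k = self.key(p)
        state = self.sessions.get(k)
        if p.flags == {"SYN"}:                     # new connection: consult rulebase
            verdict = rulebase_verdict(p)
            if verdict == "allow":
                self.sessions[k] = "SYN_SENT"
            return verdict
        if state is None:
            return "deny"                          # claims a session never seen
        if p.flags == {"SYN", "ACK"} and state == "SYN_SENT":
            self.sessions[k] = "SYN_RECEIVED"
        elif "ACK" in p.flags and state == "SYN_RECEIVED":
            self.sessions[k] = "ESTABLISHED"
        return "allow"


if __name__ == "__main__":
    # An unsolicited ACK-only packet aimed at an internal host: the
    # stateless filter lets it through, the stateful one does not.
    probe = Packet("198.51.100.9", "10.1.1.7", 12345, 445, frozenset({"ACK"}))
    print("stateless:", stateless_filter(probe), "stateful:", StatefulFilter().filter(probe))
```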

About the Author: Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.


Choosing the right firewall topology
17 Oct 2005 | Mike Chapple | SearchSecurity.com

When developing a perimeter protection strategy for an organization, one of the most common questions is "Where should I place firewalls for maximum effectiveness?" In this tip, we'll take a look at the three basic options and analyze the scenarios best suited for each case.

Before we get started, please note that this tip deals with firewall placement only. Anyone building a perimeter protection strategy should plan to implement a defense-in-depth approach that utilizes multiple security devices including firewalls, border routers with packet filtering and intrusion-detection systems.

Option 1: Bastion host

The first and most basic option is the use of a bastion host. In this scenario (shown in figure 1 below), the firewall is placed between the Internet and the protected network. It filters all traffic entering or leaving the network.

Figure 1: Bastion host

The bastion host topology is well suited for relatively simple networks (e.g. those that don't offer any public Internet services.) The key factor to keep in mind is that it offers only a single boundary. Once someone manages to penetrate that boundary, they've gained unrestricted (at least from a perimeter protection perspective) access to the protected network. This may be acceptable if you're merely using the firewall to protect a corporate network that is used mainly for surfing the Internet, but is probably not sufficient if you host a Web site or email server.

Option 2: Screened subnet

The second option, the use of a screened subnet, offers additional advantages over the bastion host approach. This architecture uses a single firewall with three network cards (commonly referred to as a triple homed firewall). An example of this topology is shown in figure 2 below.


Figure 2: Screened subnet

The screened subnet provides a solution that allows organizations to offer services securely to Internet users. Any servers that host public services are placed in the Demilitarized Zone (DMZ), which is separated from both the Internet and the trusted network by the firewall. Therefore, if a malicious user does manage to compromise the firewall, he or she does not have access to the Intranet (providing that the firewall is properly configured).

Option 3: Dual firewalls

The most secure (and most expensive) option is to implement a screened subnet using two firewalls. In this case, the DMZ is placed between the two firewalls, as shown in figure 3 below.

Figure 3: Dual firewalls

The use of two firewalls still allows the organization to offer services to Internet users through the use of a DMZ, but provides an added layer of protection. It's very common for security architects to implement this scheme using firewall technology from two different vendors. This provides an added level of security in the event a malicious individual discovers a software-specific exploitable vulnerability.

Higher-end firewalls allow for some variations on these themes as well. While basic firewall models often have a three-interface limit, higher-end firewalls allow a large number of physical and virtual interfaces. For example, the Sidewinder G2 firewall from Secure Computing allows up to 20 physical interfaces. Additional virtual interfaces may be added through the use of VLAN tagging on the physical interfaces. What does this mean to you? With a greater number of interfaces, you can implement many different security zones on your network. For example, you might have the following interface configuration:

• Zone 1: Internet
• Zone 2: Restricted workstations
• Zone 3: General workstations
• Zone 4: Public DMZ
• Zone 5: Internal DMZ
• Zone 6: Core servers

This type of architecture allows you to take any of the three topologies described above and add a tremendous degree of flexibility.

That's a brief primer on firewall architectures. Now that you're familiar with the basic concepts, you should be able to help select an appropriate architecture for use in various situations.

About the Author: Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

Placing systems in a firewall topology
17 Oct 2005 | Mike Chapple | SearchSecurity.com

In the previous tip we explored the basics of choosing a firewall topology. We covered the differences between bastion hosts, screened subnets and combining multiple firewalls for maximum security. Once you have decided which topology best suits your IT infrastructure, you need to decide where to place individual systems within the chosen topology.

As we discuss this topic, we'll use the concept of security zones to further define our requirements. For our purposes, consider a security zone to be all of the systems connected to a single interface of a firewall – either directly or through network devices other than firewalls.

Bastion host

First, let's look at the simplest case: the bastion host. In this scenario, all traffic entering or leaving the network passes through the firewall and it has only two interfaces: a public interface directly connected to the Internet and a private interface connected to the intranet. This leaves us with two security zones, making it fairly easy to place systems. We simply put all systems that we would like protected in the private zone!


In the case of a bastion host topology, we're assuming that you are not planning to offer any public services to the Internet. If you do need to offer public services (such as DNS, SMTP or HTTP), you should seriously consider the use of an alternate topology. If that is not possible, you have a difficult decision to face: should you place your public servers in the public or private zone? If you place them in the public zone, they don't gain any protection from the firewall and are more vulnerable to attack. On the other hand, placing them in the private zone raises the possibility that other, more sensitive systems may be compromised if the public server falls victim to an attack. You need to carefully weigh the risks and benefits when making this decision.

Figure 1: Bastion host

Screened subnet

The screened subnet scenario, the most commonly deployed firewall topology, is also somewhat straightforward. We add an additional zone -- the screened subnet (or DMZ) -- that contains all hosts offering public services. In this case, the public zone is directly connected to the Internet and contains no hosts controlled by the organization. The private zone contains systems that Internet users have no business accessing, such as user workstations, internal file servers and other nonpublic applications. The DMZ contains all systems that are intended to provide services to the Internet. This zone contains your public Web server, SMTP server, DNS servers and other similar systems. Your IMAP/POP server may or may not reside in this zone, depending upon your security policy.

Figure 2: Screened subnet

Multi-homed firewall

The final scenario, a multi-homed firewall with more than three interfaces, poses the most interesting challenge. In this case, you have more than three zones, so you have the luxury of further subdividing systems. You'll need to make these subdivisions based upon the specific security objectives of your organization. One division you might want to make is to place workstations into different zones to provide isolation for sensitive systems. For example, you might place all systems belonging to accounting into one zone, executive workstations in another zone and other workstations in yet a third zone. You also may wish to subdivide systems offering services to the Internet. For example, systems that provide services to the general public (such as a company Web site) may be placed in a different zone than systems that offer services only to authenticated users (such as a Web mail server).

Figure 3: Multi-homed firewall

In the end, the choices are yours to make. Now that you've read this tip, you should have plenty of ideas running through your mind. Sit down and commit them to paper, discuss the options with your colleagues and develop a system placement strategy suitable for your organization.

About the Author: Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

Auditing firewall activity
17 Oct 2005 | Mike Chapple | SearchSecurity.com

In the first three parts of this series, we explored choosing a firewall platform, choosing an appropriate topology, and placing systems within that topology.

Once you've made it through the challenging phases of firewall selection and architecture design, you're finished setting up a DMZ, right? Your rulebase should remain stable and you'll never have a need to make configuration changes. We can only dream! In the real world of firewall management, we're faced with balancing a continuous stream of change requests and vendor patches against the operational management of our firewalls.


Configurations change quickly and often, making it difficult to keep on top of routine maintenance tasks. In this tip, we explore some ways to leverage the logging capabilities of your firewall to help keep things in order.

Let's take a look at four practical areas where some basic log analysis can provide valuable firewall management data:

1. Monitor rule activity: System administrators tend to be quick on the trigger to ask for new rules, but not quite so eager to let you know when a rule is no longer necessary. Monitoring rule activity can provide some valuable insight to assist you with managing the rulebase. If a rule that was once heavily used suddenly goes quiet, you should investigate whether the rule is still needed. If it's no longer necessary, trim it from your rulebase. Legacy rules have a way of piling up and adding unnecessary complexity. Over the years, I've had a chance to analyze the rulebases of many production firewalls, and I estimate that at least 20% of the average firewall's rulebase is unnecessary. I've seen systems where this ratio is as high as 60%.

2. Traffic flows: Also monitor logs for abnormal traffic patterns. If servers that normally receive a low volume of traffic are suddenly responsible for a significant portion of traffic passing through the firewall (either in total connections or bytes passed), then you have a situation worthy of further investigation. While "flash crowds" are to be expected in some situations (such as a Web server during a period of unusual interest), they are also often signs of misconfigured systems or attacks in progress.

3. Rule violations: Looking at traffic denied by your firewall may lead to interesting findings. This is especially true for traffic that originates from inside your network. The most common cause of this activity is a misconfigured system or a user who isn't aware of traffic restrictions, but analysis of rule violations may also uncover attempts at passing malicious traffic through the device.

4. Denied probes: If you've ever analyzed the log of a firewall that's connected to the Internet, you know that it's futile to investigate probes directed at your network from the Internet. They're far too frequent and often represent dead ends. However, you may not have considered analyzing logs for probes originating from inside the trusted network. These are extremely interesting, as they most likely represent either a compromised internal system seeking to scan Internet hosts or an internal user running a scanning tool – both scenarios that merit attention.

Your firewall audit logs are a veritable goldmine of network security intelligence. Use them to your advantage!
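The four audit areas above, run as added example code (not from the tip) over a constructed log in an assumed generic key=value format; the rule IDs, address plan and thresholds are all assumptions:

```python
"""Basic firewall log analysis for the four audit areas: rule activity,
traffic flows, internal rule violations and internal probes.

Added example. The log format (ISO timestamp followed by key=value pairs) is an
assumed generic one, not any vendor's; addresses and rule IDs are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

INTERNAL = ip_network("10.0.0.0/8")   # constructed address plan
RULEBASE: Set[int] = {1, 2, 3, 4, 5}  # rule IDs defined on the (constructed) firewall

# Constructed sample log: two days of activity.
SAMPLE_LOG = """\
2006-03-01T09:00:00 rule=1 action=ACCEPT src=10.1.1.5 dst=203.0.113.10 dport=80 bytes=900
2006-03-01T09:05:00 rule=2 action=ACCEPT src=198.51.100.7 dst=10.2.0.80 dport=80 bytes=1500
2006-03-01T09:10:00 rule=3 action=ACCEPT src=10.1.1.5 dst=10.2.0.25 dport=25 bytes=4000
2006-03-02T09:00:00 rule=1 action=ACCEPT src=10.1.1.6 dst=203.0.113.11 dport=443 bytes=1200
2006-03-02T09:05:00 rule=2 action=ACCEPT src=198.51.100.8 dst=10.2.0.80 dport=80 bytes=1600
2006-03-02T09:10:00 rule=2 action=ACCEPT src=198.51.100.9 dst=10.2.0.53 dport=53 bytes=64
2006-03-02T09:11:00 rule=5 action=DENY src=10.1.1.9 dst=203.0.113.50 dport=22 bytes=0
2006-03-02T09:12:00 rule=5 action=DENY src=10.1.1.9 dst=203.0.113.51 dport=22 bytes=0
2006-03-02T09:13:00 rule=5 action=DENY src=10.1.1.9 dst=203.0.113.52 dport=22 bytes=0
2006-03-02T09:14:00 rule=5 action=DENY src=10.1.1.9 dst=203.0.113.53 dport=22 bytes=0
2006-03-02T09:15:00 rule=5 action=DENY src=10.1.1.22 dst=203.0.113.60 dport=6667 bytes=0
2006-03-02T09:20:00 rule=2 action=ACCEPT src=198.51.100.3 dst=10.2.0.53 dport=53 bytes=90000
2006-03-02T09:30:00 rule=5 action=DENY src=192.0.2.4 dst=10.2.0.80 dport=23 bytes=0
"""


def parse_log(text: str) -> List[dict]:
    """Turn 'TIMESTAMP k=v k=v ...' lines into dicts with typed fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        e = {"ts": datetime.fromisoformat(ts)}
        e.update(dict(p.split("=", 1) for p in pairs))
        for k in ("rule", "dport", "bytes"):
            e[k] = int(e[k])
        entries.append(e)
    return entries


def _split_periods(entries: List[dict]):
    """Latest calendar day in the log is the current period; the rest is baseline."""
    latest = max(e["ts"].date() for e in entries)
    current = [e for e in entries if e["ts"].date() == latest]
    baseline = [e for e in entries if e["ts"].date() != latest]
    return current, baseline


def rule_activity(entries: List[dict], rulebase: Set[int]) -> Dict[str, Set[int]]:
    """Area 1: rules never hit at all, and rules hit earlier but silent now."""
    current, baseline = _split_periods(entries)
    hit_now = {e["rule"] for e in current}
    hit_before = {e["rule"] for e in baseline}
    return {"never_used": rulebase - hit_now - hit_before,
            "gone_quiet": hit_before - hit_now}


def traffic_flow_anomalies(entries: List[dict], hot=0.5, quiet=0.1) -> Set[str]:
    """Area 2: destinations carrying a large share of accepted bytes in the
    current period that carried little or nothing in the baseline."""
    current, baseline = _split_periods(entries)

    def shares(period: List[dict]) -> Dict[str, float]:
        per_dst: Counter = Counter()
        for e in period:
            if e["action"] == "ACCEPT":
                per_dst[e["dst"]] += e["bytes"]
        total = sum(per_dst.values()) or 1
        return {d: b / total for d, b in per_dst.items()}

    now, before = shares(current), shares(baseline)
    return {d for d, s in now.items() if s >= hot and before.get(d, 0.0) < quiet}


def internal_rule_violations(entries: List[dict]) -> List[tuple]:
    """Area 3: denied traffic that originated inside the trusted network."""
    return sorted({(e["src"], e["dst"], e["dport"]) for e in entries
                   if e["action"] == "DENY" and ip_address(e["src"]) in INTERNAL})


def internal_probes(entries: List[dict], min_targets=3) -> Dict[str, int]:
    """Area 4: internal sources denied to many distinct hosts, i.e. likely scanning."""
    targets = defaultdict(set)
    for src, dst, _ in internal_rule_violations(entries):
        targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("rule activity:", rule_activity(log, RULEBASE))
    print("hot destinations:", traffic_flow_anomalies(log))
    print("internal denies:", internal_rule_violations(log))
    print("internal probes:", internal_probes(log))
```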

About the Author: Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

Activating an XP firewall on a LAN
10 Oct 2005 | ITKnowledge Exchange | SearchSecurity.com

The following question and answer thread was excerpted from ITKnowledge Exchange.

A user identified as stanslad posted the following question:
"We would like to activate an XP firewall in our corporate LAN. However, I've been advised not to do so because activating such a firewall causes complications for LAN-based users, applications and services. What should we do?"

A user identified as hedgehog advised:
"I would enable it first on a small test bed of controlled clients and see how it goes. Keep in mind that, as with most personal firewalls, the WinXP firewall will have some connectivity problems, especially with client-server apps or with those that need to 'ping' the machines to work. You will need to determine which ports/services are in use and open them in the firewalls. If you allow laptops into your corporate LAN, a personal firewall should be mandatory on those machines. While having a personal firewall on a desktop is not as critical, they also contribute to your overall security."

A user identified as csmric advised:
"When I initially deployed SP2 throughout our organization, I enabled an XP firewall and created 'holes' in it as necessary. However, as we proceeded, I found more and more LAN-related problems. The Terminal Server users, the various antispyware and antivirus solutions we employ became too much to keep up with as I opened more and more holes. Since we use a hardware (PIX) firewall and an ISA Server, I decided to disable the XP firewall on all computers. We have used this configuration for 6 months now and haven't experienced any adverse reactions. I would also recommend configuring the laptops so they use the XP firewall. This protects the laptops when the user is not on your LAN."

A user identified as gstornelli advised:
"On small, well-protected networks, I have used group policy to disable the firewall while the workstation is on the network, and enable the firewall while the workstation is off the network. That way you don't have to deal with apps that are only run while in the office, while protecting the notebook users when they're on the road."

A user identified as poppaman2 advised:
"While I agree that a desktop firewall is a good idea, I disagree that the XP SP2 firewall should be deployed. It is an ingress-only firewall and leaves outgoing data untouched. I suggest, depending upon how much security is needed, something a bit more robust, such as Sygate, Tiny, Black Ice or Zone Alarm."


A user identified as amigus advised:
"I disagree with the notion that an ingress-only firewall is not useful or adequate. Egress filtering usually comes with a significant maintenance burden. While egress filtering is very useful (and often recommended) on network firewalls it's not that useful on workstations. In my opinion, there are only two reasons you would want to use egress filtering:

1. You want to limit the communications of user-installed applications.
2. You have spyware problems.

With respect to limiting application network exposure, it's rather difficult because (most of the time) if they can install applications, they can also pass through the firewall using the same privilege they used to install it. With respect to spyware, again, the user probably has too much privilege. With that said, I believe egress filtering is more trouble than it's worth and for what it's worth, it seems Microsoft agrees. If you're serious about security, spend your time making your network work with unprivileged user accounts, rather than wasting your helpdesk resources configuring cranky firewalls. If you really want egress filtering, implement it on your network firewall. And, if you really want to limit the scope of workstation communication, use IPSec."

Traffic flow considerations for the Cisco PIX Firewall
17 Mar 2005 | Tom Lancaster | SearchSecurity.com

In most small environments, firewalls are deployed in simple, common schemes, such as a firewall with three "legs": one for the Internet, one for the intranet and one for a DMZ. Another common scheme is two firewalls in series, where you have the intranet, a firewall, the DMZ, another firewall and finally the Internet. But as time goes by, things seem to become more complex. Some designs can get fairly contorted, putting firewalls in awkward positions that can compromise your security if you're not careful.

In any event, you need to pay attention to how traffic flows through your firewall. And this is particularly true of the Cisco PIX Firewall. While it's one of the most highly regarded firewalls, it does have some quirks that may not be obvious to the casual observer.

Primarily, you should make sure that the security levels on the interfaces reflect the realities of the traffic that flows through your network. This is because of the way the Adaptive Security Algorithm works. For starters, the ASA sets the default permissions. By default traffic is allowed to pass from an interface with a "higher" security level to a "lower" security level (such as from the Inside (100) to Outside (0) interfaces) but not from lower to higher. However, you may be tempted to override those with access-control lists, because, for example, another administrator wants to place a server in a zone where it really doesn't belong, and expects you to secure it anyway. Or maybe you want traffic to go in and out of a zone through the same interface.


So, you can configure the PIX in this manner, and it will block traffic like you configure, but what you need to realize is that you may not be getting the benefit of all the PIX's stateful features, again because of the way the ASA works. Specifically, features like the inspection engines and HTTP(S) and FTP filtering only work in one direction. For example, SMTP inspection is only from lower to higher interfaces, while NetBIOS inspection only applies from higher to lower interfaces. Filtering is only from higher to lower.

Thus, you may be paying for and expecting the robust protection of a top-shelf firewall, but designing yourself into a level of protection not much better than ACLs on a regular router. So as a general rule of thumb, don't put any security device into an unconventional situation without some due diligence.

One last caveat: The details of the behavior of these features may change as new versions of the PIX OS are released, so don't rely on my examples above to guide your design; check it yourself on CCO.
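The direction rules the tip describes (default permission by security level, and one-directional inspection and filtering), as an added Python review model that is not Cisco's code; the interface plan and the service-to-feature mapping are constructed, and the feature directions are only those the tip states:

```python
"""Design-review model of the PIX Adaptive Security Algorithm direction rules.

Added example, not Cisco's code. Interface names/levels and the mapping from
service to feature are constructed; feature directions are the ones stated in
the tip for the PIX OS of the time and may differ on other releases.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed interface plan: name -> security level.
INTERFACES: Dict[str, int] = {"outside": 0, "dmz": 50, "inside": 100}

# Direction (source relative to destination interface) in which each
# stateful feature applies, per the tip.
FEATURE_DIRECTION: Dict[str, str] = {
    "smtp_inspection": "lower_to_higher",
    "netbios_inspection": "higher_to_lower",
    "http_filtering": "higher_to_lower",
    "https_filtering": "higher_to_lower",
    "ftp_filtering": "higher_to_lower",
}

# Which feature a design would rely on for each service (constructed mapping).
SERVICE_FEATURES: Dict[str, List[str]] = {
    "smtp": ["smtp_inspection"],
    "netbios": ["netbios_inspection"],
    "http": ["http_filtering"],
    "https": ["https_filtering"],
    "ftp": ["ftp_filtering"],
}


@dataclass(frozen=True)
class Flow:
    src_if: str
    dst_if: str
    service: str
    acl_permits: bool = False  # True if an ACL was written to allow the flow


def direction(src_if: str, dst_if: str) -> str:
    s, d = INTERFACES[src_if], INTERFACES[dst_if]
    if s == d:
        return "same_level"
    return "higher_to_lower" if s > d else "lower_to_higher"


def permitted_by_default(src_if: str, dst_if: str) -> bool:
    """ASA default: higher -> lower passes; lower -> higher and same level do not."""
    return direction(src_if, dst_if) == "higher_to_lower"


def applicable_features(flow: Flow) -> List[str]:
    """Stateful features that actually apply to this flow's direction."""
    d = direction(flow.src_if, flow.dst_if)
    return [f for f in SERVICE_FEATURES.get(flow.service, [])
            if FEATURE_DIRECTION[f] == d]


def review(flow: Flow) -> List[str]:
    """Findings a design review would raise for one flow (empty = no concern)."""
    findings: List[str] = []
    if flow.src_if == flow.dst_if:
        findings.append("traffic enters and leaves through the same interface")
    by_default = permitted_by_default(flow.src_if, flow.dst_if)
    if not (by_default or flow.acl_permits):
        findings.append("blocked: not permitted by default and no ACL override")
        return findings
    if flow.acl_permits and not by_default:
        findings.append("permitted only by ACL override of the security levels")
    applies = applicable_features(flow)
    for f in SERVICE_FEATURES.get(flow.service, []):
        if f not in applies:
            findings.append(f"{f} does not apply in this direction; protection is ACL-only")
    return findings


if __name__ == "__main__":
    # A server that "really doesn't belong" in the DMZ, reached from inside
    # via an ACL: permitted, but with no applicable HTTP filtering.
    for finding in review(Flow("dmz", "inside", "http", acl_permits=True)):
        print("-", finding)
```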

About the Author: Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSP™: Secure PIX and Secure VPN Study Guide published by Sybex.

Firewall security tips
28 Oct 2004 | Shelley Bard | SearchSecurity.com

When

When vulnerabilities are identified that apply to your system and whenever patches and upgrades are applied. Examine your guidance policies at least annually.

Why

When your organization's networks are connected to the Internet without adequate security measures, you are vulnerable to attack.

Strategy

In the limited space available here, I cannot possibly address how to secure a firewall. Instead, I'll note the considerations that go into doing so and point you to some useful resources. CNSS Instruction No. 4009, revised May 2003, National Information Assurance (IA) Glossary defines a firewall as a "system designed to defend against unauthorized access to or from a private network." I prefer CERT's definition: "A combination of hardware and software used to implement a security policy governing the network traffic between two or more networks, some of which may be under your administrative control (e.g., your organization's networks) and some of which may be out of your control (e.g., the Internet)."


A DMZ (Demilitarized Zone) is a combination of firewalls -- a perimeter network segment logically between internal and external networks. Also called a "screened subnet," its purpose is to enforce the internal network's IA policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding internal networks from outside attacks. In some circles the DMZ is considered a part of the firewall, while other circles consider the DMZ the land of the sacrificial hosts. One way to think of a DMZ is as a group of hosts that are guided by a unique security policy. This policy balances some of the strictest controls against public access and availability requirements.

When putting in a firewall, CERT recommends a four-part approach: prepare, configure, test and deploy. To prepare, design the firewall system and have a written firewall security policy for each one that identifies who is allowed to log in to it, configure and update it. It should also outline the logging and management practices. The next step is critical: configure. Here you will acquire the firewall hardware and software; acquire the documentation, training and support; install the firewall hardware and software; configure IP routing, packet filtering, and logging and alert mechanisms. DISA's Network Infrastructure Security Checklist, Version 5 release 2.2, is a combination of minimum security requirements and best practices designed to ensure a system is locked down as much as possible while still being useful. The Checklist requires, for example, that firewalls placed in the network infrastructure are only those having a Common Criteria (CC) Protection Profile evaluation of EAL4 or greater. Check out the CC Protection Profile evaluation product ratings. The Network Infrastructure Security Checklist discusses, among other things, which features of Cisco's IOS and Juniper's JUNOS systems should be present or absent for a more secure network setup. Next, test the firewall and deploy the system into operation. Considerations to fold into your planning and configuration include proxies, stateful inspection or dynamic packet filtering, network address translation, virtual private networks, IPv6 or other non-IPv4 protocols, network and host intrusion detection and prevention technologies, routing and route management, switching and virtual local area networks, and encryption technologies.

More information

Helpful checklists can be found at the NIST Web page. A nifty feature of this page is a sign-up for email notifications when a checklist or implementation guide has been updated. And William R. Cheswick & Steven M. Bellovin's "Firewalls and Internet Security" will help you appreciate how far we've come and yet how little we've accomplished in firewall technology and practices in 10 years.

About the Author: Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia.


Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Firewall redundancy: Deployment scenarios and benefits
20 Apr 2004 | Mike Chapple | SearchSecurity.com

Many network administrators have considered implementing dual firewalls. It is an expensive option, and the administrator who proposes the idea is likely to encounter a response like "$5,000 for a firewall? Don't we have one of those already?" There are, however, several good reasons to deploy multiple firewalls in your organization. Let's take a look at a few scenarios.

Fault tolerance and load balancing

Many organizations choose to implement dual firewalls in a parallel fashion, as shown in the figure below. When the router is properly configured, this provides the added benefits of fault tolerance and load balancing. Both firewalls should be configured to "fail-safe," that is, in the event of a failure, they should automatically block all traffic. When configured in this fashion, the firewalls provide fault tolerance; when one fails, the other is able to carry the network traffic and keep the failure transparent to users.

The second benefit to this strategy, load balancing, is a performance benefit. The router may be configured to divide traffic between the two firewalls, either on a priority basis or on a fair-share basis. Spreading the traffic out among multiple firewalls in this fashion helps prevent the bottleneck problems that plague many networks.

Enhanced perimeter protection

It's also possible to deploy the two firewalls in a series circuit, as shown in the illustration below. When configured in this fashion, all traffic passing into or out of the network must pass through both firewalls. This setup is sometimes deployed in high-security environments to protect against firewall-specific vulnerabilities. In this case, the two firewalls are from different vendors and may even run on different operating systems.


Protected subnets

The final scenario we'll discuss is shown in the figure below. In this case, secondary firewall(s) are used to protect subnets of the internal network that have greater security requirements than the network as a whole. This type of scenario may be used, for example, to provide an accounting department added protection for sensitive financial data they wish to protect from other internal users.

Overall, the deployment of multiple firewalls offers a variety of benefits, ranging from greater performance to enhanced security. If your security environment warrants this type of scenario and your wallet is big enough, it's definitely an option worth considering.

About the Author: Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of About.com Guide to Databases.


VPNs

Glossary definition: SSL
SearchSecurity.com

Secure Sockets Layer

The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use.

TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.

Glossary definition: IPsec
SearchSecurity.com

IPsec

IPsec (Internet Protocol Security) is a framework for a set of protocols for security at the network or packet processing layer of network communication. Earlier security approaches have inserted security at the application layer of the communications model. IPsec is said to be especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and technologies) and has included support for it in its network routers.

IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol.

Officially spelled IPsec by the IETF, the term often appears as IPSec and IPSEC.

Book chapter: Crypto basics: VPNs
Chey Cobb | John Wiley & Sons | SearchSecurity.com

In this excerpt of Chapter 3 from "Cryptography for Dummies," author Chey Cobb explains how virtual private networks (VPNs) use encryption to secure data in transit.

When businesses communicate over the Internet, there is no protection promised or implied. Everything is done out in the open and can be seen, captured, destroyed or copied by anyone who cares to try. It's like cities, towns and villages connected by roads. You transport whatever is on those roads at your own risk. Businesses began to see the need for a safer alternative as they did business with remote partners and employees in remote locations. Thus, the Virtual Private Network (VPN) was invented.

VPNs use encryption to protect the traffic between any two points. It's like building a tunnel with special access controls between those cities, towns and villages. The tunnels aren't available to everyone, and to the people up above, they are invisible. Before you can enter the tunnel, you must prove your identity, your packages must be of certain types and the delivery address must be verifiable. If that isn't secure enough for you, a VPN also has the ability to disguise the packages through encryption. That way, if someone manages to gain unauthorized access by fooling the access guards or by digging another tunnel that intersects with your tunnel, the intruder won't know which packages to steal because he can't tell one from another.

VPNs have been around for enough years now to consider them a standard security mechanism. On the other hand, the way vendors create their VPN hardware and software is not necessarily interoperable. If you are communicating with someone who doesn't have the same sort of setup, it may take a few days or weeks of juggling cables and commands to get it working correctly. In general, VPNs are considered fairly reliable as far as security mechanisms go. Sure, there are hacks, but you really don't hear about too many of them. Either they are not happening often, or companies are just not telling.

VPNs are capable of encrypting two different ways: transport and tunneling. The transport encryption sets up a secure, encrypted link across the Internet wires, and it encrypts the data (payload) you are sending to the other end. This is the equivalent of the delivery truck carrying a package via the underground passageway. (I'm not using the word tunnel here because I don't want to confuse you!) The encryption is invisible to the user -- other than passwords, passphrases, or a special card to plug into the computer, the user doesn't have to press a button that says "encrypt" or "decrypt." All the data in transit is protected from sight. The only drawback to transport encryption is the fact that the headers on the data are sent in the clear. In effect, that's like disguising the package and then putting a label on it that says what's inside. Maybe not the smartest thing to do considering that intruders may occasionally gain access.

The other form of VPN encryption, tunneling, not only sets up a secure, encrypted link between two points, but it also encrypts the headers of the original data packets, wrapping each one inside a new packet addressed to the tunnel endpoints. That's better. Not only do you have a disguised package, but the address and the contents listed on the package's label are in code so they're not easily recognizable. As I mention earlier, the VPN standards aren't necessarily standard, so you'll have to see what protocols the vendor is using. The vendor will have tons of transfer protocols to choose from, but the tunneling protocols are fairly limited. Just to give you an introduction, here are the tunneling protocols:

• GRE = Generic Routing Encapsulation
• IPsec = Internet Protocol Security
• L2F = Layer 2 Forwarding
• PPTP = Point To Point Tunneling Protocol
• L2TP = Layer 2 Tunneling Protocol (PPTP + L2F)

Note that GRE, L2F and L2TP only encapsulate traffic; they carry no encryption of their own and are paired with IPsec (as in L2TP/IPsec) when confidentiality is required.
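The difference between transport and tunneling described above, and the AH/ESP distinction from the IPsec glossary entry, can be made concrete by looking at what an eavesdropper can actually read. The following is an added example, not code from Chey Cobb's chapter or from the glossary: it builds constructed IPv4 packets carrying AH (IP protocol 51) or ESP (IP protocol 50) in both modes and parses only the fields that travel in the clear. The addresses, SPIs and "ciphertext" bytes are made up for the demonstration, and no real IPsec cryptography is performed; the ESP body and the integrity check values are placeholders.

```python
"""Added example: what an on-path observer can read from IPsec packets.

Constructed IPv4 packets carrying AH (protocol 51) or ESP (protocol 50) in transport
and tunnel mode; only the fields that travel in the clear are parsed. Addresses, SPIs
and the 'ciphertext' are made up and no real IPsec cryptography is performed.
"""
import struct
from dataclasses import dataclass, field

IPPROTO_IPIP = 4    # Next Header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV = b"\x00" * 12  # placeholder 96-bit integrity check value

def _pack_addr(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def _fmt_addr(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, _pack_addr(src), _pack_addr(dst))

def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN header."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)

def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP: SPI and sequence number in the clear, everything after them encrypted."""
    return struct.pack("!II", spi, seq) + ciphertext + ICV

def ah(spi: int, seq: int, next_header: int, protected: bytes) -> bytes:
    """AH: Next Header, Payload Len (AH length in 32-bit words minus 2), reserved, SPI,
    sequence number, ICV, then the protected data, which AH authenticates but does NOT encrypt."""
    payload_len = (12 + len(ICV)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + ICV + protected

@dataclass
class Observation:
    outer_src: str
    outer_dst: str
    service: str
    spi: int
    seq: int
    visible: dict = field(default_factory=dict)

def observe(packet: bytes) -> Observation:
    """Parse what is readable without the SA keys; raise on non-IPsec traffic."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = _fmt_addr(packet[12:16]), _fmt_addr(packet[16:20])
    body = packet[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # ESP's Next Header field lives in the encrypted trailer, so the observer cannot
        # even tell transport from tunnel mode; only the outer addresses and the SPI leak.
        return Observation(src, dst, "ESP", spi, seq, {"encrypted_bytes": len(body) - 8})
    if proto == IPPROTO_AH:
        next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", body[:12])
        icv_len = (payload_len + 2) * 4 - 12
        inner = body[12 + icv_len:]
        visible = {"next_header": next_header}
        if next_header == IPPROTO_IPIP:        # tunnel mode: inner IP header is readable
            visible["inner_src"], visible["inner_dst"] = _fmt_addr(inner[12:16]), _fmt_addr(inner[16:20])
            if inner[9] == IPPROTO_TCP:
                off = (inner[0] & 0x0F) * 4
                visible["ports"] = struct.unpack("!HH", inner[off:off + 4])
        elif next_header == IPPROTO_TCP:       # transport mode: TCP header is readable
            visible["ports"] = struct.unpack("!HH", inner[:4])
        return Observation(src, dst, "AH", spi, seq, visible)
    raise ValueError(f"protocol {proto} is not AH or ESP")

# Constructed sample: host 10.1.1.5 opens TCP/443 to server 10.2.2.7, either directly
# (transport mode) or through gateways 203.0.113.1 and 198.51.100.1 (tunnel mode).
INNER = ipv4_header("10.1.1.5", "10.2.2.7", IPPROTO_TCP, 20) + tcp_header(40000, 443)
CIPHERTEXT = b"\xa5" * 48   # stands in for the encrypted TCP header and data

def esp_transport() -> bytes:
    body = esp(0x1001, 7, CIPHERTEXT)
    return ipv4_header("10.1.1.5", "10.2.2.7", IPPROTO_ESP, len(body)) + body

def esp_tunnel() -> bytes:
    body = esp(0x2002, 7, CIPHERTEXT)   # the whole INNER packet is inside the ciphertext
    return ipv4_header("203.0.113.1", "198.51.100.1", IPPROTO_ESP, len(body)) + body

def ah_transport() -> bytes:
    body = ah(0x3003, 7, IPPROTO_TCP, INNER[20:])
    return ipv4_header("10.1.1.5", "10.2.2.7", IPPROTO_AH, len(body)) + body

def ah_tunnel() -> bytes:
    body = ah(0x4004, 7, IPPROTO_IPIP, INNER)
    return ipv4_header("203.0.113.1", "198.51.100.1", IPPROTO_AH, len(body)) + body

if __name__ == "__main__":
    for name, build in [("ESP transport", esp_transport), ("ESP tunnel", esp_tunnel),
                        ("AH transport", ah_transport), ("AH tunnel", ah_tunnel)]:
        print(f"{name}: {observe(build())}")
```

Running it shows the point of the chapter's "label on the package" analogy: in transport mode the outer header names the real endpoints, and with AH the TCP ports are readable too, because AH authenticates but never encrypts; in tunnel mode the observer sees only the two gateway addresses, and with ESP not even the next-header byte that would reveal which mode is in use.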

If you set up a VPN for your customers, business partners and employees, they can gain some comfort in the fact that their data isn't traveling in the clear. One point to remember, though: Many road warriors have automated the process of logging in to their VPN and have a shortcut on the desktop. On top of that, a laptop is often not protected with proper access controls -- turn it on and it's yours. In this instance, a stolen laptop can easily be used to log on to a VPN, and you'll never know it unless the employee alerts you. In addition to access controls for laptops, you may also want to consider disk encryption to protect the data stored on the laptop. Just something to keep in mind.

VPNs are relatively easy to set up now, and you can usually find experienced staff to install and manage them. As I mention earlier, sometimes it takes a little effort to get two different VPNs talking to one another, but that doesn't last forever. Many vendors are including VPN capabilities in their routers so the system is practically plug and play. Just remember to change the default settings such as the administrator password. VPNs are great at protecting the data in transport, but they do not encrypt the data on your drives -- that data is still in the clear.

SSL VPN: AEP SureWare A-Gate AG-600
23 Aug 2005 | George Wrenn | SearchSecurity.com

AEP SureWare A-Gate AG-600
AEP Systems, www.aepnetworks.com
Price: $8,995/400 users


AEP Systems SureWare A-Gate AG-600 provides SSL VPN remote access for connecting external users to internal systems.

The appliance provides clientless access to HTTP and Windows Terminal Server apps and full access to client-server apps from Windows XP/2000 clients. It has four Ethernet interfaces, features high availability and session-level failover and handles 400 simultaneous connections. Enterprises will appreciate its capacity to cluster up to 16 boxes for supporting thousands of users.

AEP packs strong security in the AG-600, which runs a hardened version of Linux. Booting the box over a serial connection initially blocks access to system resources. You'll need to set a password and options for Web-based administration, remote root logins to the network, SSH, syslog and SNMP to unlock configuration. This is a radical departure from security hardware that, once connected, and without so much as a password, allows anyone to configure network and device settings.

We launched a browser, authenticated and proceeded to solve the obfuscated text riddle, or 'completely automated public Turing test to tell computers and humans apart' (CAPTCHA) utility. CAPTCHA is an image with slightly skewed characters and numbers, designed to block automated login attempts rather than to authenticate the user. You decipher and type a displayed code and enter a user name and password.

Configuration is a comprehensive process using GUI setup tabs, although the interface conspicuously lacks a help menu. We methodically assigned IP addresses to Ethernet interfaces and configured the LAN/WAN interfaces, DNS server, incoming access to port 443 (SSL) and external gateway to route traffic to the Internet.

Setting up the digital certificate that identifies the appliance to users is a breeze. Clicking on the site security tab allows you to create a certificate signing request (CSR). We pasted our CSR into a VeriSign form to access a trial certificate, and, with our new SSL-site identity, we configured the remote access policy. AG-600 supports two Windows authentication options: LDAP for AD domains, and the Windows Server Message Block file sharing protocol (SMB) for old-school domain services. A-Gate also integrates with Sun LDAP and Novell NDS servers. Its RADIUS support hooks into other authentication methods, including CASQUE, Crypt-Card and SecurID. Our configuration using the internal database and Windows SMB domain authentication worked flawlessly.

AG-600 provides two modes of VPN access: A-Gate Anywhere can proxy application traffic via a Java applet, for instance, to Windows Terminal Services; the A-Gate Central is a thin-client SSL VPN that enables access to TCP/UDP applications. Users launch the client by clicking the link on the user A-Gate portal page, which is customizable to reflect the user's branding. Establishing WAN access to these services was an easy configuration of A-Gate's host MySQL database, server names and IP addresses. But, adding the Anywhere Web servers to the remote access configuration, and again in the portal page, was bothersome; an automated mechanism would be easier.


Policy configuration was a challenge. While we easily defined an HTTP global access policy for authenticated users, the GUI made it tough to configure more granular access control rules. It's confusing to decipher how menu branches relate to others in the tree. A more intuitive grid or matrix for defining devices, URL strings as services and authorized users/groups would be simpler.

While AG-600's granular policy and portal elements could use some tweaking, this hardcore appliance provides enviable security defaults and convenient access to sensitive applications.

About the Author: George Wrenn, CISSP ([email protected]), is a technical editor for Information Security and a security director at a financial services firm. He's also a fellow at the Massachusetts Institute of Technology.

Corrent VPN 'connects' with Check Point software
7 Jul 2005 | Mike Chapple | SearchSecurity.com

Corrent's SR110 SSL VPN Web Security Gateway with Check Point Connectra 2.0
Corrent, www.corrent.com
Price: Starts at $11,700 for hardware and software license

Corrent's SR110 SSL VPN Web Security Gateway, an appliance running Check Point Software Technologies' Connectra 2.0 SSL VPN software, offers easy administration, an intuitive client experience and strong security. However, the SR110 is priced in the upper tier of VPN appliances.

The Connectra software provides point-and-click administration through a well-designed Web interface. User authentication may be managed through the internal Connectra user database, but enterprises will prefer to integrate with LDAP, RADIUS and SecurID systems for authentication and authorization. We used Connectra's LDAP interface to perform authentication against Active Directory.

The Web-based process for adding applications is straightforward. For example, to add a Web application, we simply specified the name and location of the application and the desired protection level (a combination of allowable authentication techniques and caching status). The SSL Network Extender ActiveX control, a Connectra Web plug-in, allows the use of any network-based Windows application. It tunnels endpoint traffic over SSL. We used the SR110 to access a Windows Server 2003 file server, an Exchange 2000 Web Outlook server, an IMAP server (using the Connectra integrated client) and several Web-enabled apps.

Clients are presented with the Connectra portal, which provides a consolidated view of authorized apps.


Connectra leverages Check Point's experience in perimeter security by integrating the SmartDefense network and application security controls. Network security controls include protection against DoS attacks (such as Teardrop and LAND), TCP/IP protocol-based attacks and network probes; application controls include inspection of HTTP and FTP traffic. The controls stopped several of our URL-based attacks, as well as a SQL injection attack against a Web-based form.

The wizard-based installation was smooth, taking about an hour from opening the box to establishing client connections. The installation guide provides detailed instructions for a variety of network configurations, including template firewall rules necessary for installing the appliance in a DMZ. The SR110 has six Ethernet ports, two of which support Gigabit Ethernet.

We were disappointed with Connectra's lack of Firefox client browser support, but Web portal access is available through IE, Mozilla, Netscape and Safari. SSL Network Extender functionality is limited to IE on Windows 2000/XP.

The SR110's steep price may discourage some enterprises. The $3,700 cost of Corrent's appliance combined with the $8,000 cost of a 50-user Connectra license from Check Point (which increases to $30,000 for 250 users) makes the price tag soar far above some established competitive products. For example, a Cisco VPN 3005 concentrator (which supports 50 SSL VPN sessions) lists at $2,995, and $35,000 will purchase a Cisco VPN 3060, which supports 500 clientless Web sessions.

Price notwithstanding, an appliance that incorporates ease of use for admins and users and the strong security offered by Connectra merits consideration for secure access to enterprise applications.

About the Author: Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of About.com Guide to Databases.

Quiz: SSL vs. IPsec VPNs
SearchSecurity.com

Test your knowledge of IPsec and SSL VPNs with this quiz to help you determine which technology best suits your organization's needs.

1.) Which type of VPN encryption sets up a secure, encrypted link between two points, but does not encrypt the headers of the data packets?
a. Transport encryption
b. Tunneling encryption


2.) Which of the following is a basic requirement of an SSL VPN?
a. Proxy access and protocol conversion
b. Remote-access orientation
c. Extranet support
d. Highly granular access controls
e. All of the above

3.) In which scenario is an IPsec VPN generally considered a better solution than an SSL VPN for remote access?
a. Telecommuters coming from fixed sites, using managed corporate devices and terminating in a secure, private network on either side.
b. Telecommuters without fixed access who want to come in from a variety of sites.

4.) Which layer of the network does an IPsec VPN operate on?
a. Layer 3
b. Layer 4
c. Layers 4 through 7
d. None of the above

5.) Which of the following operational modes is the simplest and most usable, as well as the most supported by SSL VPNs?
a. Application translation
b. Port forwarding
c. Proxy
d. Network extension

6.) Which of the following describes an IPsec VPN?
a. Requires host-based clients and hardware at a central location. Users have full office functionality, but there's very little granularity in access control.
b. Does not require a client download. Remote connections made via a Web browser or a downloadable Java or ActiveX agent. Role-based access can be assigned for each user, and application and client administration is eliminated.

7.) True or False: SSL VPNs are inherently less secure than IPsec VPNs.
a. True
b. False

8.) Encapsulating Security Payload (ESP) allows for...
a. Authentication of the sender of data
b. Encryption of the data
c. Both authentication of the sender and encryption of the data
d. None of the above

9.) Which of the following features of SSL VPNs help avoid the risk of leaving sensitive information on public PCs used to access a corporate network?
a. Secure logout
b. Credential scrubbing
c. Auto forms completion disabling
d. All of the above

10.) What is the transmission of data through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network?
a. Tunneling
b. Virtual private network
c. Output feedback
d. Promiscuous mode

Answer Key:
1. a. Transport encryption
2. e. All of the above
3. a. Telecommuters coming from fixed sites, using managed corporate devices and terminating in a secure, private network on either side.
4. a. Layer 3
5. c. Proxy
6. a. Requires host-based clients and hardware at a central location. Users have full office functionality, but there's very little granularity in access control.
7. b. False
8. c. Both authentication of the sender and encryption of the data
9. d. All of the above
10. a. Tunneling

Letting telecommuters in -- Your VPN alternatives
1 Oct 2005 | Rebecca Rohan | SearchSecurity.com

There are options other than a traditional VPN for giving telecommuters access to your network and its applications. According to this article from InformIT, if you weigh your access and security requirements against the cost and complexity involved, you might find alternatives to a traditional VPN.

What are the best ways to let telecommuters into your network?

The answer that helps administrators sleep most securely is a fixed Virtual Private Network (VPN). A VPN uses end-to-end encryption to carve out a private tunnel over the public network.

The most secure VPN is the traditional arrangement with the telecommuter coming from a fixed site, ideally using a managed, corporate device and terminating in a secure, private network on either side. Quite a bit of effort can go into setting up this arrangement; you need to see that hardware, software and settings, as well as authentication, are set up perfectly and maintained on both ends, despite user changes to software, firmware and hardware, but the security can be worth the trouble.

Let's throw out some protocols -- literally. There are three or four at this end of the pool. Only one from this group is secure enough to take seriously: IPSec, especially in conjunction with L2TP.

IPSec is the standard to buy; it encrypts at the packet level. PPTP has weak encryption keys, weak password hashing and unauthenticated control traffic. L2TP on its own has no encryption, so its traffic can be read by network sniffers. However, when combined with IPSec for encryption, L2TP becomes unreadable and offers IPSec-authenticated access for multiple protocols. Just be sure the device you buy supports the combined IPSec and L2TP standard (L2TP/IPsec, RFC 3193).

SSL

Maybe you have mobile employees without fixed access who want to come in from a variety of sites. Salespeople are the typical example, as they may need to connect to your network from a hotel room or a customer site.

Things may actually be easier for them, depending on how much trust they request from your network. In recent years, Secure Sockets Layer (SSL) VPN appliances, such as those sold by Aventail and Juniper, have sprung onto the planet and ask nothing of the visitor except an SSL-enabled browser -- no software installation, no matching hardware. Remote users can come into the VPN from anyplace that has an SSL browser or kiosk.

The administrator manages access rights and authentication rites in advance, setting up different rules based on who the user is, how secure a "neighborhood" he's calling from and so on. If he phones into the office from an airport kiosk, the user may not see those medical records he would get if he were calling from an approved device at home -- at least not if the administrator set things up correctly. You don't want the good doctor looking at your record from the airport, because he can forget to log out. "Hey, look at this, man." "Is this thing on?" Talk about letting in the rabble.

And therein lies the first of the security concerns with SSL VPNs. Another concern with SSL VPNs is the recent discovery that local desktop search engines cache and index SSL VPN sessions, even though the VPNs have tools to wipe their own caches. Some SSL VPN vendor tools are available to combat this new threat.

Microsoft Terminal Services

Microsoft Terminal Services lets users work on applications in thin client fashion from a remote location. Terminal Services, part of Windows NT Server 4.0 Terminal Services Edition, Windows 2000 and .NET Server, is a time-honored institution at many shops with ID badges and telecommuters who sport authentication token fobs. They get a new password number each 30 seconds and type it, along with their login, whenever they need to get in. (That's just one way to authenticate, of course.)


When initially released, "Term Server," like its parent Citrix WinFrame from Citrix Systems Inc., became an enticing way for many shops to let employees access applications remotely, and it remains so to this day. With the addition of Citrix' Secure ICA Services' 128-bit, end-to-end encryption (not included), Term Server traffic becomes more secure. You have to think about what happens after that secure log-in.

Remote Control

Perhaps the easiest to set up, lowest-budget solution for telecommuter access is remote control software, such as Symantec's pcAnywhere. These packages allow the remote user to literally control the machine back at the office. VNC is an open source selection that runs on Windows, Mac, Linux and other platforms; it can be more trouble and additional skills are required, but you only pay if it works.

Some remote control software, such as Netopia's Timbuktu Version 7, uses non-standard encryption when sending copies of your screen over the Internet. Currently, Timbuktu uses a proprietary method to scramble bits and randomize parts of the screen. Experts advise against using home-grown encryption, as even well-known methods often fail to pass muster once put under scrutiny and, with a proprietary cipher, you're getting what Gramma called "a pig in a poke." (Netopia says it plans to employ an as-yet unannounced form of standard encryption in its next version of Timbuktu.)

Meanwhile, Altiris Inc.'s Carbon Copy uses MD5 (a 128-bit hash function, not an encryption algorithm) during authentication only, and the MD5 collision weakness that came to light in 2004 shouldn't be a problem for Carbon Copy. However, Carbon Copy's data stream is guarded by a 64-bit proprietary encryption key for each packet sent. Users may define any key for authentication of the data stream -- presumably if they provide the key.

Symantec Corporation just announced pcAnywhere 11.5 with AES encryption (up to 256-bit cipher strength) for both authentication and the data stream. The new version of pcAnywhere also offers host address blocking, 13 different methods of authentication (including RSA SecurID authentication), the ability to specify TCP/IP addresses and subnets that are allowed to connect, and the option to hide pcAnywhere hosts from TCP/IP browse lists.

Check security specs before you buy, because these things change. Go to BugTraq (http://www.securityfocus.com/archive/1) and check the product name (in date order) for security reports.

Also, make sure you can blank the screen in the office so telecommuters don't have an audience watching what they're doing from home.


The inherent capabilities of IPSec selectors and their use in remote-access VPNs
31 Mar 2004 | Lisa Phifer, VP, Core Competence, Inc. | SearchSecurity.com

In a SearchSecurity webcast, speaker Lisa Phifer, vice president and owner of consulting firm Core Competence, addressed technological developments in virtual private networks. Here Lisa answers a user-submitted question that she didn't have time to answer during the broadcast. If you missed our webcast, New Directions in VPNs, or would like to review it, you may listen to the recorded webcast on-demand.

You mentioned during the webcast that IPsec can access the entire network behind the firewall whereas SSL can access only the assigned server. But I noticed that you set that in IPsec by setting the subnet address range rather than the entire network. Am I missing something here?

Good catch. I didn't elaborate on this in the webcast, but there's a difference between the capabilities inherent in IPsec selectors (traffic filters) and the way in which most companies use them. IPsec selectors can be based on entire IP subnets, partial subnets, individual destinations, protocol types and source/destination ports. That means that it's possible to create an IPsec selector that permits encrypted access to just one server and just one application (port) on that server (depending upon product support).

But in practice, most remote-access VPNs are configured with fairly coarse IPsec selectors, allowing access either to an entire subnetwork or (more often) to all destinations (0.0.0.0/0.0.0.0, or 0.0.0.0/0 in CIDR notation). The latter is very common; to avoid split tunneling, all outbound traffic is sent via the IPsec tunnel. Once the traffic reaches the VPN gateway, it is decrypted and forwarded along to the final destination, whether that's inside the private intranet or somewhere on the public Internet. This configuration lets the company monitor, log and filter all user traffic, no matter what the destination -- for example, stripping a malicious attachment at the VPN gateway that the user might otherwise pick up while downloading shareware from a public Web site.

SSL VPNs that act as circuit-layer proxies can be configured in a similar fashion to forward all outbound application traffic across the SSL VPN tunnel. However, many SSL VPN products are configured in a more granular fashion to ignore or drop traffic that lies outside the VPN policy and relay only that application traffic covered by the VPN's policy. SSL VPN products do tend to allow more granularity in filter configuration than even the most granular IPsec selectors -- for example, filtering on individual URLs, Web objects or even application commands. Using this kind of fine granularity can require more complex policy maintenance and so is usually done with group-level policies that apply the same complex filters to a set of users, rather than to individual users.

In short, product capabilities vary, but it's more important to decide the level of policy granularity your business requires, and then make sure the product you pick can support that level of granularity without a lot of administrative overhead.
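The two selector styles Phifer contrasts can be written down as an ordered security policy database and evaluated against sample flows. What follows is an added example, not Phifer's code or any vendor's configuration: a minimal SPD lookup in RFC 4301 terms (PROTECT, BYPASS, DISCARD), with a coarse 0.0.0.0/0 policy that sends everything through the tunnel beside a granular policy that protects a single server and port and lets public Internet traffic leave directly. The addresses, ports and policy entries are constructed for the demonstration.

```python
"""Added example: IPsec selectors as an ordered security policy database (SPD).

Two constructed remote-access policies for the same client: a coarse 0.0.0.0/0
selector that tunnels everything (no split tunneling), and a granular one that
protects only TCP/443 to a single intranet server. Actions follow RFC 4301.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"
ANY = None  # wildcard for protocol or port, like an IPsec selector's "any"


@dataclass(frozen=True)
class Selector:
    """One SPD entry. Fields set to ANY match everything."""
    dst_net: IPv4Network
    proto: Optional[int]      # 6 = TCP, 17 = UDP, ANY = all protocols
    dport: Optional[int]      # destination port, ANY = all ports
    action: str

    def matches(self, dst: IPv4Address, proto: int, dport: int) -> bool:
        return (dst in self.dst_net
                and (self.proto is ANY or self.proto == proto)
                and (self.dport is ANY or self.dport == dport))


def lookup(spd: List[Selector], dst: str, proto: int, dport: int) -> str:
    """The SPD is ordered: the first matching entry decides, so specific rules go first.
    Traffic that matches nothing is discarded; RFC 4301 requires an explicit decision."""
    addr = IPv4Address(dst)
    for sel in spd:
        if sel.matches(addr, proto, dport):
            return sel.action
    return DISCARD


def allows_split_tunneling(spd: List[Selector]) -> bool:
    """True if any destination can leave the host outside the tunnel (a BYPASS rule)."""
    return any(sel.action == BYPASS for sel in spd)


# Coarse policy: everything is tunnelled, so the gateway sees and can filter all traffic.
COARSE_SPD = [
    Selector(IPv4Network("0.0.0.0/0"), ANY, ANY, PROTECT),
]

# Granular policy: only HTTPS to one intranet server is tunnelled; any other intranet
# destination is dropped, and the public Internet is reached directly (split tunneling).
GRANULAR_SPD = [
    Selector(IPv4Network("10.20.30.40/32"), 6, 443, PROTECT),
    Selector(IPv4Network("10.0.0.0/8"), ANY, ANY, DISCARD),
    Selector(IPv4Network("0.0.0.0/0"), ANY, ANY, BYPASS),
]


def compare(dst: str, proto: int, dport: int) -> Tuple[str, str]:
    """Return (coarse_action, granular_action) for one flow."""
    return lookup(COARSE_SPD, dst, proto, dport), lookup(GRANULAR_SPD, dst, proto, dport)


if __name__ == "__main__":
    flows = [("10.20.30.40", 6, 443),   # the permitted intranet application
             ("10.20.30.40", 6, 22),    # SSH to the same server
             ("10.20.99.9", 6, 445),    # SMB to another intranet host
             ("198.51.100.7", 6, 80)]   # a public Web site
    for flow in flows:
        print(flow, compare(*flow))
```

The ordering matters: with the /32 PROTECT entry placed after the /8 DISCARD entry, the granular policy would silently drop the one application it was meant to allow, which is the kind of maintenance error Phifer warns becomes more likely as selectors get finer.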


About the Author: As owner of consulting firm Core Competence, Lisa Phifer advises companies regarding security needs, product assessment and the use of emerging technologies and best practices. She has been involved in the design, implementation and evaluation of security and network management products for more than 20 years.

VPN fast facts: True or false?
1 Aug 03 | Lisa Phifer, VP, Core Competence | SearchSecurity.com

SSL VPNs are inherently less secure than IPSec VPNs. False. While they differ architecturally, both VPNs can be deployed securely -- or poorly. Security builds upon standards and products that implement them, but ultimately depends upon appropriate deployment and sound policy definition.

SSL VPNs can be used anywhere that IPSec VPNs can be used. False. IPSec is generally considered a better solution for site-to-site VPNs, where it better satisfies broad application needs and performance demands. SSL is better suited in scenarios where VPN administrators have no control over client software installation, such as extranet collaboratives or nonwork computers (kiosks and homes).

SSL VPNs are suitable for enterprise-class deployment. True. Some SSL VPN gateways are designed for large-scale deployment. They support high user volume, encryption via hardware acceleration and redundancy through failover and load balancing. Many argue that SSL VPNs are more suitable for large populations because they reduce the cost of software distribution. To meet the needs of different constituencies, many companies will likely end up with both.

IPSec VPNs offer more extensible infrastructure. True. IPSec was designed to secure any IP traffic and is configurable to support any IP application. SSL was designed to secure HTTP and has been successfully extended to secure many other applications. However, extensibility ultimately depends on how an SSL VPN product is designed and performs in production environments.

About the Author: As owner of consulting firm Core Competence, Lisa Phifer advises companies regarding security needs, product assessment and the use of emerging technologies and best practices. She has been involved in the design, implementation and evaluation of security and network management products for more than 20 years.

Client-side security considerations for SSL VPNs
23 Mar 2004 | Lisa Phifer, VP, Core Competence, Inc. | SearchSecurity.com

Companies tired of VPN client software installation and configuration are being increasingly drawn to "clientless" solutions like SSL VPNs. However, using a browser-based VPN to go "clientless" still requires client-side vulnerability analysis and mitigation.


The lure of SSL VPNs

According to Frost and Sullivan, the SSL VPN market exploded in 2002 and is forecast to grow at a compound annual rate of 49% through 2010. The big draw? SSL VPNs leverage browsers present on nearly every desktop and handheld to avoid adding software. Security policy can be largely dictated by the VPN gateway, reducing remote configuration. Circumventing these IT pain points should cut the cost of remote access.

What's more, browser-based VPNs enable remote access from more locations. Travelers can use public PCs at business centers and Internet cafes. Teleworkers can use home PCs without IT oversight. Business partners can use PCs administered by other companies. Permitting remote access from these venues increases convenience, availability and productivity. But, there's a catch: loss of IT control over the hosts used for remote access.

Leave nothing behind

Most public PCs contain traces of past user activity: Outlook inboxes filled with private email, browser caches containing Webmail text and password-laced cookies, and file attachments saved to temp directories. Leaving this sensitive data behind on public PCs poses considerable risk, but relying on users to clean up after themselves is a very bad idea. Many have no idea what they leave behind; even those who know how to wipe their tracks clean make mistakes.

To address this risk, most SSL VPNs take steps to automatically clean up after each remote access session, no matter who owns the remote PC. Features to look for when considering SSL VPN products include:

• Secure logout -- Forced session disconnection and browser window close, typically based on centrally defined inactivity or duration timeouts.

• Credential scrubbing -- Deleting cached credentials at session end or preventing them from being cached on the client in the first place.

• Temp file clean up -- Deleting files created during the session or blocking their creation, including cached pages, offline content and downloaded programs.

• Cookie blocking -- Removing cookies at session end, or better yet, no personally identifiable or reusable information written to cookies during sessions.

• Auto forms completion disabling -- Avoiding client storage of data entered in private Web page forms that might otherwise be visible to subsequent users.

• Personal information profile disabling -- Preventing access to, and use of, user data commonly integrated with browsers, like Outlook Address Book entries.

• Browser history removal -- Stopping VPN URLs from being used as a launch point for common Web server attacks (e.g., password-guessing, DoS floods, script injection).
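Several of the features in this list come down to what a browser-based gateway puts in its HTTP responses, which makes them checkable. The following is an added example, not from Phifer's article or any SSL VPN product: a small audit of a portal response's headers and HTML against the standard mechanisms for cached pages (Cache-Control: no-store, Pragma: no-cache), cookies (no Expires/Max-Age so they die with the browser, plus Secure and HttpOnly) and auto forms completion (autocomplete="off" on the login form or its fields). The header names and HTML attributes are standard; the portal, its cookie name and the two sample responses are constructed for the demonstration.

```python
"""Added example: auditing an SSL VPN portal's HTTP responses for 'leave nothing behind'.

Checks cached-page, cookie and forms-completion controls on constructed responses.
The portal and its responses are hypothetical; the HTTP/HTML mechanisms are standard.
"""
import re
from typing import Dict, List

def _directives(value: str) -> set:
    """Split a comma-separated header value into a lower-cased set of directives."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}

def audit_response(headers: Dict[str, List[str]], body: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed.
    `headers` maps lower-case header names to the list of values seen."""
    findings = []

    # Temp file clean up: forbid the browser (and HTTP/1.0 caches) from storing pages.
    cache_control = _directives(",".join(headers.get("cache-control", [])))
    if "no-store" not in cache_control:
        findings.append("cached pages: Cache-Control lacks no-store")
    if "no-cache" not in _directives(",".join(headers.get("pragma", []))):
        findings.append("cached pages: Pragma: no-cache missing (HTTP/1.0 caches)")

    # Cookie blocking: session cookies only, never sent in clear or exposed to scripts.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        if "expires" in attrs or "max-age" in attrs:
            findings.append(f"cookie {name}: persistent (survives browser close)")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")

    # Auto forms completion disabling: either the form or each text/password field opts out.
    form_off = re.search(r'<form\b[^>]*autocomplete\s*=\s*["\']?off', body, re.I) is not None
    if not form_off:
        for match in re.finditer(r"<input\b[^>]*>", body, re.I):
            tag = match.group(0)
            if (re.search(r'type\s*=\s*["\']?(password|text)', tag, re.I)
                    and not re.search(r'autocomplete\s*=\s*["\']?off', tag, re.I)):
                findings.append(f"forms completion: field without autocomplete=off: {tag}")
    return findings

# Constructed sample responses for a hypothetical portal login page.
WEAK_HEADERS = {
    "cache-control": ["private, max-age=600"],
    "set-cookie": ["portal=abc123; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT"],
}
WEAK_BODY = ('<form action="/login"><input type="text" name="user">'
             '<input type="password" name="pw"></form>')

HARDENED_HEADERS = {
    "cache-control": ["no-store, no-cache, must-revalidate"],
    "pragma": ["no-cache"],
    "set-cookie": ["portal=abc123; Path=/; Secure; HttpOnly"],
}
HARDENED_BODY = ('<form action="/login" autocomplete="off"><input type="text" name="user">'
                 '<input type="password" name="pw"></form>')

if __name__ == "__main__":
    for label, hdrs, body in [("weak", WEAK_HEADERS, WEAK_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)]:
        print(label, audit_response(hdrs, body) or ["ok"])
```

The checks cover only what is visible in a response; secure logout, history removal and the personal-information controls in the list are enforced by the gateway's session handling or by a downloaded agent and have to be tested by exercising a session rather than by inspecting headers.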

Prevent tunnel compromise

Post-session clean up is essential, but it doesn't go far enough. PCs available for public use in cafes, airports and conference centers are readily accessible to strangers 24/7, greatly increasing the risk of compromise. Attackers can install packet-capture tools, keystroke loggers and even desktop session recorders to obtain usernames, passwords and private data. Spyware, remote access Trojans and denial-of-service zombies can be implanted to probe or attack corporate resources during active VPN sessions.

To prevent IPsec/L2TP/PPTP VPN tunnel compromise on company laptops, most companies mandate client-side personal firewalls, antivirus software and up-to-date security patches. These measures are typically part of the "remote access bundle" that IT installs and configures on every host, either directly or by supplying software and instructions to employees. For "clientless" access, this may not be practical or possible.

Some argue that SSL VPNs pose less risk because network VPNs use secure tunnels to connect remote hosts to private networks, while SSL VPNs typically connect individual client applications to private servers. A narrower window of opportunity can eliminate some vulnerabilities -- for example, preventing Trojan access to other systems and ports. However, this really depends upon the product and policy granularity.

To implement more granular policies, look for products that can define access rights based not just on application, but also on individual commands (e.g., permit read but not write or delete) and user/group-specific URLs and objects (e.g., folders, accounts). Granularity is a double-edged sword: Look for incremental or hierarchical grouping features, and design your policies with both maintenance and performance in mind.

Stop problems before they start

A smaller window of opportunity helps, but is that enough? Depending upon your business risk, additional measures may be appropriate to secure your VPN.

• To adjust permissions to reflect threat level, look for products that support policies that differentiate between company-administered hosts and all others. For example, Nokia's Secure Access System can restrict access to applications and features, depending upon the system from which a VPN session is initiated.

• To defeat password compromise by keystroke loggers and session recorders, use one-time passwords or two-factor authentication. Options are more limited on public PCs -- for example, USB tokens or biometric devices require client software -- but other mobile methods are widely supported (e.g., RSA SecurID, S/Key). Keep in mind that a one-time password only stops a captured credential from being reused; malware that is active during the session can still ride the authenticated tunnel, which is what the next item addresses.

• To defeat session data capture and client-side malware, look for VPN products that integrate client-side security checks into access policies. A growing number of VPN products now offer scan-on-connect. Examples include Microsoft Windows Server 2003 Quarantine, CheckPoint's VPN-1 SecureClient (integrated with PestPatrol and others), Cisco's VPN Client (integrated with ZoneLabs' Integrity), Aventail's End Point Control (integrated with Bluefire and others), and Neoteris (integrated with WholeSecurity and others). Scan-on-connect may ensure that desktop security measures are active and up-to-date and can sometimes detect the presence of malware, preventing VPN session establishment by compromised hosts. Although many do require installed client software, some are "clientless" -- for example, Zone Labs' download-on-demand host integrity checker. Bear in mind that a scan run by the endpoint reports on itself: a host that is already compromised can lie, so treat scan-on-connect as a hygiene gate rather than proof of integrity.

These are just some of the steps you can take to address client-side security concerns for network-level and browser-based VPNs. Keep in mind that all VPNs pose some risk; effective VPN deployment requires understanding and managing inherent vulnerabilities. Going "clientless" with an SSL VPN may avoid new client-side software, but it still requires client-side vulnerability analysis and mitigation.

About the Author: As owner of consulting firm Core Competence, Lisa Phifer advises companies regarding security needs, product assessment and the use of emerging technologies and best practices. She has been involved in the design, implementation and evaluation of security and network management products for more than 20 years.


Windows-specific network access control procedures

Book chapter: Access control entries
Paul Cooke | Realtimepublishers.com | SearchWindowsSecurity.com

Access control entries

While the ACL is the overall structure for providing permissions in Windows 2000, it's really the ACEs that carry all the real access control information. Although there are different types of ACE structures, as I mentioned earlier, all ACEs include a SID, an access mask, flags to determine inheritance of the ACE, and the ACE type.

All ACEs are somewhat similar, but Windows 2000 supports six ACE types, as shown in Table 5.4. Of these six ACE types, three are generic and can be used in ACLs for any securable object. The other three are object-specific and can be used only in ACLs for AD objects.

ACE type         Scope            Description
Access-denied    Generic          Denies access to an object in a DACL.
Access-denied    Object-specific  Denies access in a DACL to a property or property set, or limits inheritance to a specified type of child object.
Access-allowed   Generic          Allows access to an object in a DACL.
Access-allowed   Object-specific  Allows access in a DACL to a property or property set, or limits inheritance to a specified type of child object.
System-audit     Generic          Logs attempts to access an object; audit ACEs live in the SACL, not the DACL.
System-audit     Object-specific  Logs attempts, in a SACL, to access a property or property set, or limits inheritance to a specified type of child object.

Table 5.4: The six types of ACEs.

While generic and object-specific ACEs are extremely similar, there are a couple of differences between them. The differences can be categorized primarily by the granularity of access control that they provide for ACE inheritance and object access. Generic ACEs can distinguish between container and non-container objects only when they're inherited, and they can only apply to an entire object. Object-specific ACEs can distinguish between which child objects can inherit them and can be used on a single attribute, or a set of attributes, of an object.

Whether ACEs are generic or object-specific isn't something that you need to concern yourself with every day. Whenever you modify an ACL, Windows 2000 automatically constructs the appropriate ACE and takes care of all the implementation details. However, knowing a little bit about what is going on under the hood is useful.
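One way to look under the hood, as an added example that is not part of the book chapter: the PowerShell function below lists the ACEs of a securable object's DACL (and its SACL when -Audit is given) and labels each one with the Table 5.4 type (allow, deny or audit) and scope (generic or object-specific). It assumes a file-system path or, for object-specific ACEs, an AD: drive path such as the made-up 'AD:\CN=Users,DC=corp,DC=example' (the AD: drive appears once the ActiveDirectory module is loaded); the function name is this editor's choice.

```powershell
function Get-AceSummary {
    # Added example, not from the book chapter. Lists the ACEs of a securable object
    # and classifies each by Table 5.4 type (allow/deny/audit) and scope
    # (generic vs. object-specific). Assumes a file-system path or an AD: drive path.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Audit   # also read the SACL; needs SeSecurityPrivilege (run elevated)
    )

    $acl = if ($Audit) { Get-Acl -Path $Path -Audit } else { Get-Acl -Path $Path }

    $rules = @($acl.Access)                  # DACL entries: access-allowed / access-denied
    if ($Audit) { $rules += @($acl.Audit) }  # SACL entries: system-audit

    foreach ($rule in $rules) {
        # Audit rules come from the SACL; everything else is an allow or deny in the DACL.
        $aceType = if ($rule -is [System.Security.AccessControl.AuditRule]) { 'System-audit' }
                   elseif ($rule.AccessControlType -eq 'Deny')              { 'Access-denied' }
                   else                                                      { 'Access-allowed' }

        # Object-specific ACEs exist only for AD objects: ObjectType names the
        # property or property set the ACE covers, InheritedObjectType the class of
        # child object that may inherit it. Both are empty GUIDs on a generic ACE.
        $objectType = $null; $inheritedObjectType = $null
        if ($rule.GetType().Name -like 'ActiveDirectory*Rule') {
            if ($rule.ObjectType -ne [guid]::Empty)          { $objectType = $rule.ObjectType }
            if ($rule.InheritedObjectType -ne [guid]::Empty) { $inheritedObjectType = $rule.InheritedObjectType }
        }
        $scope = if ($objectType -or $inheritedObjectType) { 'Object-specific' } else { 'Generic' }

        # The access mask is surfaced as a typed enum whose name depends on the object kind.
        $mask = $null
        foreach ($prop in 'FileSystemRights', 'RegistryRights', 'ActiveDirectoryRights') {
            if ($rule.PSObject.Properties[$prop]) { $mask = $rule.$prop; break }
        }

        # The ACE itself stores a SID; PowerShell shows the resolved name, so translate it back.
        $sid = $rule.IdentityReference.Value
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch {}

        [pscustomobject]@{
            Identity            = $rule.IdentityReference.Value
            SID                 = $sid
            AceType             = $aceType
            Scope               = $scope
            AccessMask          = [string]$mask
            Inherited           = $rule.IsInherited
            ObjectType          = $objectType
            InheritedObjectType = $inheritedObjectType
        }
    }
}

# Usage: a file-system DACL, its SACL, then an AD container where object-specific
# ACEs (per-property rights, inheritance limited to one child class) show up.
Get-AceSummary -Path 'C:\Windows\Temp' | Format-Table -AutoSize
Get-AceSummary -Path 'C:\Windows\Temp' -Audit | Where-Object AceType -eq 'System-audit'
Get-AceSummary -Path 'AD:\CN=Users,DC=corp,DC=example' | Where-Object Scope -eq 'Object-specific'
```

On a file or registry key every row comes back Generic, because those object types only have generic ACEs; the AD query is where ObjectType and InheritedObjectType fill in, which is the distinction the chapter describes.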

Book chapter: Six steps for deploying Network Access Quarantine Control
Jonathan Hassell | Apress | SearchWindowsSecurity.com

In this section, you'll look at the actual deployment of NAQC on your network. There are six steps, each outlined in separate subsections ahead.

Creating quarantined resources

The first step is to create resources that you can actually access while the quarantine packet filters are in place for a remote client. Examples of such resources include DNS servers and DHCP servers, so you can retrieve IP address and connection information, and file servers that will download the appropriate software to update out-of-compliance machines. In addition, you can reach Web servers that describe the quarantining process or allow a remote user to contact IT support via email if any problems occur.

There are two ways you can specify and use a quarantined resource. The first is to identify certain servers on your network as quarantine resources without regard to their physical or network location. This allows you to use existing machines to host the quarantined resources, but you also have to create individual packet filters for quarantined sessions for each of these existing machines. For performance and overhead reasons, it's best to limit the number of individual packet filters for a session.

If you decide to go this route, you'll need to enable the packet filters shown in Table 7-1.

Table 7-1. Packet filters for distributed quarantine resources

Traffic type    Source port   Destination port   Alternatives
Notifier        n/a           TCP 7250           None.
DHCP            UDP 68        UDP 67             None.
DNS             n/a           UDP 53             You can also specify the IP address of any DNS server.
WINS            n/a           UDP 137            You can also specify the IP address of any WINS server.
HTTP            n/a           TCP 80             You can also specify the IP address of any Web server.
NetBIOS         n/a           TCP 139            You can also specify the IP address of any file server.
Direct hosting  n/a           TCP 445            You can also specify the IP address of any file server.


You can also configure any other packet filters peculiar to your organization. The other approach is to limit your quarantined resources to a particular IP subnet. This way, you just need one packet filter to quarantine traffic to a remote user, but you have to readdress machines and, in most cases, take them out of their existing service or buy new ones.

When you use this method, the packet filter requirements are much simpler. You simply need to open one for notifier traffic on destination TCP port 7250, and one for DHCP traffic on source UDP port 68 and destination UDP port 67. For all other traffic, you should open the address range of the dedicated quarantine resource subnet. And again, you can also configure any other packet filters peculiar to your organization.

Writing the baseline script

The next step is to actually write a baseline script that will be run on the client. The checks it performs are specific to your organization, but every script must run RQC.EXE if the baseline compliance check was successful, passing the switches and arguments explained in the following list:

• The ConnName argument is the name of the connectoid on the remote machine, which is most often inherited from the dial-in profile variable %DialRasEntry%.

• The TunnelConnName argument is the name of the tunnel connectoid on the remote machine, which is most often inherited from the dial-in profile variable %TunnelRasEntry%.

• The TCPPort argument is, obviously, the port used by the notifier to send a success message. The default is 7250.

• The Domain argument is the Windows security domain name of the remote user, which is most often inherited from the dial-in profile variable %Domain%.

• The Username argument is, as you might guess, the username of the remote user, which is most often inherited from the dial-in profile variable %UserName%.

• The ScriptVersion argument is a text string that contains the script version that will be matched on the RRAS server. You can use any keyboard characters except \0 (the separator RQS uses between allowed version strings) in a consecutive sequence.

Here is a sample batch file script:

    @echo off
    echo Your remote connection is %1
    echo Your tunnel connection is %2
    echo Your Windows domain is %3
    echo Your username is %4

    set MYSTATUS=

    REM Baselining checks begin here

    REM Verify Internet Connection Firewall is live.
    REM Set CHECKFIRE to 1-pass, 2-fail.

    REM Verify virus checker installed and sig file up.
    REM CHECKVIRUS is 1-pass, 2-fail.
    [insert various commands to verify the presence of AV software and sig file]

    REM Pass results to notifier or fail out with message to user.
    if "%CHECKFIRE%" == "2" goto :NONCOMPLIANT
    if "%CHECKVIRUS%" == "2" goto :NONCOMPLIANT

    REM These variables correspond to arguments and switches for RQC.EXE
    REM %1 = %DialRasEntry%
    REM %2 = %TunnelRasEntry%
    REM RQS on backend listens on port 7250
    REM %3 = %Domain%
    REM %4 = %UserName%
    REM The version of the baselining script is "Version1-0"
    rqc.exe %1 %2 7250 %3 %4 Version1-0

    REM Print out the status
    if "%ERRORLEVEL%" == "0" (
        set ERRORMSG=Successful baseline check.
    ) else if "%ERRORLEVEL%" == "1" (
        set ERRORMSG=Can't contact the RRAS server at the corporate network. Contact a system administrator.
    ) else if "%ERRORLEVEL%" == "2" (
        set ERRORMSG=Access is denied. Please install the Connection Manager profile from http://location and attempt a connection again.
    ) else (
        set ERRORMSG=Unknown failure. You will remain in quarantine mode until the session timeout is reached.
    )
    echo %ERRORMSG%
    goto :EOF

    :NONCOMPLIANT
    echo.
    echo Your computer has failed a baseline check for updates on
    echo your machine. It is against corporate policy to allow out of
    echo date machines to access the network remotely. Currently
    echo you must have Internet Connection Firewall enabled and
    echo an updated virus scanning software package with the
    echo latest virus signature files. For information about how to
    echo install or configure these components, surf to
    echo http://location.
    echo You will be permitted to access only that location until
    echo your computer passes the baselining check.

Of course, the batch file is simple. You can make it as complex as you like; you can even compile a special program, because the postconnect script option in CMAK allows you to run an .exe file.
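As an added example, not from the book chapter, here is the same baseline script written in PowerShell, with the two checks the batch file leaves as placeholders actually implemented: the firewall must be enabled on every profile, and antivirus must be running with signatures no older than a limit. It fails closed (a check that cannot run counts as a failure) and calls RQC.EXE only when everything passes. It assumes a client that has the NetSecurity module (Get-NetFirewallProfile) and Microsoft Defender (Get-MpComputerStatus); the three-day signature limit, the script version and the http://location help URL are placeholders carried over from the batch example.

```powershell
# Added example, not from the book chapter: PowerShell baseline script for NAQC.
# Runs the checks the batch file stubs out and calls RQC.EXE only on success.
# Assumes Get-NetFirewallProfile (NetSecurity module) and Get-MpComputerStatus
# (Microsoft Defender) are available on the remote client.
param(
    [Parameter(Mandatory)][string]$ConnName,        # %DialRasEntry%
    [Parameter(Mandatory)][string]$TunnelConnName,  # %TunnelRasEntry%
    [Parameter(Mandatory)][string]$Domain,          # %Domain%
    [Parameter(Mandatory)][string]$UserName,        # %UserName%
    [int]$NotifierPort = 7250,             # must match RQS's Port value and the notifier packet filter
    [string]$ScriptVersion = 'Version1-0', # must be one of the versions in RQS's AllowedSet
    [int]$MaxSignatureAgeDays = 3          # placeholder policy limit
)

function Test-FirewallBaseline {
    # All profiles must be on; a laptop on hotel Wi-Fi is usually on the Public profile.
    $off = Get-NetFirewallProfile -ErrorAction Stop | Where-Object { [string]$_.Enabled -ne 'True' }
    return (@($off).Count -eq 0)
}

function Test-AntivirusBaseline {
    param([int]$MaxAgeDays)
    $s = Get-MpComputerStatus -ErrorAction Stop
    return ($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and
            $s.AntivirusSignatureAge -le $MaxAgeDays)
}

# Fail closed: a check that throws is treated as a failed check.
$failures = @()
try   { if (-not (Test-FirewallBaseline)) { $failures += 'Windows Firewall is off on at least one profile' } }
catch { $failures += "firewall check could not run ($($_.Exception.Message))" }
try   { if (-not (Test-AntivirusBaseline -MaxAgeDays $MaxSignatureAgeDays)) {
            $failures += "antivirus off or signatures older than $MaxSignatureAgeDays days" } }
catch { $failures += "antivirus check could not run ($($_.Exception.Message))" }

if ($failures.Count -gt 0) {
    # Non-compliant: never call RQC.EXE. The client stays behind the quarantine
    # packet filters until MS-Quarantine-Session-Timeout drops the connection.
    Write-Host 'Your computer has failed the baseline check:'
    $failures | ForEach-Object { Write-Host "  - $_" }
    Write-Host 'Until this is fixed you can reach only the quarantine resources (see http://location).'
    exit 1
}

# Compliant: notify RQS on the RRAS server. Argument order is the one the chapter
# documents: ConnName TunnelConnName TCPPort Domain Username ScriptVersion.
$rqc = Join-Path -Path $PSScriptRoot -ChildPath 'rqc.exe'
& $rqc $ConnName $TunnelConnName $NotifierPort $Domain $UserName $ScriptVersion
switch ($LASTEXITCODE) {
    0       { Write-Host 'Successful baseline check; quarantine lifted.' }
    1       { Write-Host "Can't contact the RRAS server at the corporate network. Contact a system administrator." }
    2       { Write-Host 'Access is denied. Reinstall the Connection Manager profile from http://location and reconnect.' }
    default { Write-Host 'Unknown failure. You will remain in quarantine until the session timeout is reached.' }
}
exit $LASTEXITCODE
```

In the CMAK custom action, set Program to Run to powershell.exe, put the script and RQC.EXE on the Additional Files screen, and pass the profile variables in Parameters, for example: -NoProfile -ExecutionPolicy Bypass -File baseline.ps1 "%DialRasEntry%" "%TunnelRasEntry%" "%Domain%" "%UserName%". Whatever the checks do, the client is still grading itself, which is why the quarantine filters and session timeout remain the enforcement you actually rely on.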

Installing the listening components

The Remote Access Quarantine Agent service, known otherwise as RQS.EXE, must be installed on the Server 2003 machines that are accepting incoming calls using RRAS. RQS is found in the Windows Server 2003 Resource Kit Tools download, which you can find on the Microsoft Web site. Once you've run the installer for the tools, select the Command Shell option from the program group on the Start menu, and run RQS_SETUP /INSTALL from that shell. This batch file will copy the appropriate binaries to the System32\RAS folder under your Windows root and modify the service and Registry settings so that the listener starts automatically when the server boots up.

NOTE: To remove RQS.EXE, type RQS_SETUP /REMOVE at a command prompt.

There's a bit of manual intervention required, however. You need to specify the version string for the baseline script. The listener service will match the version reported by the remote computer to the value stored on the RRAS computer so you can make sure that the client is using the latest acceptable version of a script. To make this change manually after you've run RQS_SETUP from the Tools download, do the following:

1. Open the Registry Editor.
2. Navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs key.
3. Right-click in the right pane, and select New > Multi-String Value.
4. Name the value AllowedSet (the same REG_MULTI_SZ value that RQS_SETUP.BAT writes, as shown below).
5. Double-click the new entry, and enter the string that refers to an acceptable version of the script.

Alternatively, you can modify the RQS_SETUP batch file, so this step can be automated for future deployments. Do the following:

1. Open the RQS_SETUP.BAT file in Notepad.
2. Select Find from the Edit menu.
3. In Find What, enter Version1\0, and click OK. The text cursor should be on a line that says: REM REG ADD %ServicePath% /v AllowedSet /t REG_MULTI_SZ /d Version1\0Version1a\0Test.
4. To add just one acceptable version, delete "REM" from the beginning of the line.
5. Now, replace the text "Version1\0Version1a\0Test" with the script version string you want to be passed by RQC.EXE.
6. If you want to add more than one acceptable version, replace the text "Version1\0Version1a\0Test" with the acceptable version strings, each separated by "\0".
7. Save the file, and then exit Notepad.

RQS is set as a dependency of RRAS. However, when RRAS is restarted, RQS doesn't automatically restart, so you'll need to manually restart it if you ever stop RRAS manually.

NOTE
By default, RQS.EXE listens on TCP port 7250. To change the default TCP port, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rqs key, create a new REG_DWORD value called Port, and set it to the desired port. If you do, change the TCPPort argument in the baseline script and the notifier packet filter to match, or compliant clients will never be released from quarantine.

Creating a quarantined connection profile

The next step is to create a quarantined Connection Manager profile, which happens to be a plain-vanilla profile with a few modifications. For one, you need to add a postconnect action so that your baseline script will run and return a success or failure message to the RRAS machine. You also need to add the notifier to the profile.

In this section, I'll assume you're familiar with creating custom connectoids with the Connection Manager Administration Kit (CMAK) wizard, because the whole process is beyond the scope of this chapter and this book. The process begins to differ at the Custom Actions screen (shown in Figure 7-1), so I'll begin this procedural outline there:

1. Navigate to the Custom Actions screen, and fill in subsequent screens as appropriate.

Figure 7-1. The Custom Actions screen of the CMAK wizard

2. Select Post-Connect from the Action type drop-down list, and then click the New button to add an action.
3. The New Custom Action dialog box is displayed, as shown in Figure 7-2.
4. Type a descriptive title for the postconnection action in the Description box. In Program to Run, enter the name of your baseline script. You can also use the Browse button to look for it. Type the command-line switches and their arguments in the Parameters box. Finally, check the two bottom boxes, Include the Custom Action Program with This Service Profile and Program Interacts with the User.
5. Click OK, and you should return to the Custom Actions screen. Click Next.
6. Continue filling in the wizard screens as appropriate, until you come to the Additional Files screen, as depicted in Figure 7-3.


Figure 7-2. The New Custom Action dialog box

Figure 7-3. The CMAK wizard Additional Files screen

7. Click Add, and then enter RQC.EXE in the dialog box. You can use the Browse button to search for it graphically. Once you're finished, click OK.
8. You'll be returned to the Additional Files screen, where you'll see RQC.EXE listed. Click Next.
9. Complete the remainder of the wizard as appropriate.

Distributing the profile to remote users

The profile you created earlier is made into an executable file that can be distributed to your remote users and run on their systems automatically. This creates a profile without any intervention after that. There are several options for actually getting that executable file to your users.

You could transmit the executable file as an attachment to an email message, or better yet, make a link to the executable file hosted on a Web server somewhere. In the email message, you could include instructions to run the file and use those new connectoids for all future remote access. You could also have the executable run as part of a logon or logoff script, but to do that, you'd need to either have your users log on through a dial-up connection, or wait until the mobile users returned to the home network and connected at the corporate campus to the network.

Regardless of which method you choose to initially transmit the profile installer to your users, you should always place the latest version of the profile installer on a quarantined resource somewhere, so that client computers that don't pass your baseline script's compliance checks can surf to a Web site and download the latest version without compromising the integrity of your network further.

Configuring the quarantine policy

The final step in this process is to configure the actual quarantine policy within RRAS. In this section, I'll create a quarantine policy within RRAS that assumes you've posted the profile installer on a Web server that is functioning as a quarantined resource.

NOTE
If RRAS is configured to use the Windows authentication provider, then RRAS uses Active Directory or an NT 4 domain (remember, the RRAS machine needs only to be running Server 2003; it doesn't need to belong to an Active Directory-based domain) to authenticate users and look at their account properties. If RRAS is configured to use RADIUS, then the RADIUS server must be a Server 2003 machine running Internet Authentication Service (IAS). IAS, in turn, also uses Active Directory or an NT domain to authenticate users and look at their account properties.

1. Open the RRAS Manager.
2. In the left pane, right-click Remote Access Policies, and then select New Remote Access Policy from the context menu. Click Next through the introductory pages.
3. The Policy Configuration Method page appears. Enter Quarantined VPN remote access connections for the name of this policy, as shown in Figure 7-4. Click Next when you've finished.


Figure 7-4. The Policy Configuration Method screen

4. The Access Method screen appears. Select VPN, and then click Next.
5. On the User or Group Access screen, select Group, and then click Add.
6. Type in the group names that should be allowed to VPN into your network. If all domain users have this ability, enter Everyone or Authenticated Users. I'll assume there's a group called VPNUsers on this domain that should have access to VPN capabilities. Click OK.
7. You'll be returned to the User or Group Access page, and you'll see the group name you added appear in the list box, as shown in Figure 7-5. Click Next if it looks accurate.

Figure 7-5. The User or Group Access screen


8. The Authentication Methods screen appears. To keep this example simple, use the MS-CHAP v2 authentication protocol, which is selected by default. Click Next.
9. On the Policy Encryption Level screen, make sure the Strongest Encryption setting is the only option checked, as shown in Figure 7-6. Then click Next.

Figure 7-6. The Policy Encryption Level screen

10. Finish out the wizard by clicking Finish.
11. Back in RRAS Manager, right-click the new Quarantined VPN remote-access connections policy, and select Properties from the context menu.
12. Navigate to the Advanced tab, and click Add to include another attribute in the list.
13. The Add Attribute dialog box is displayed, as depicted in Figure 7-7.

Figure 7-7: The Add Attribute dialog box


14. Click MS-Quarantine-Session-Timeout, and then click Add.
15. In the Attribute Information dialog box, type the quarantine session time in the Attribute Value field. Use a sample value of 60, which will be measured in seconds, for this demonstration. Click OK, and then OK again to return to the Advanced tab.
16. Click Add. In the Attribute list, click MS-Quarantine-IPFilter, and then click Add again. You'll see the IP Filter Attribute Information screen, as shown in Figure 7-8.

Figure 7-8. The IP Filter Attribute Information dialog box

17. Click the Input Filters button, which displays the Inbound Filters dialog box.
18. Click New to add the first filter. The Add IP Filter dialog box is displayed. In the Protocol field, select TCP. In the Destination port field, enter 7250. Click OK.
19. Now, go back to the Inbound Filters screen, and select the Permit Only the Packets Listed Below option. Your screen should look like Figure 7-9.

Figure 7-9. The completed Inbound Filters screen


20. Click New and add the input filter for DHCP traffic, and repeat the previous steps. Make sure to include the appropriate port number and type as described earlier in this chapter.
21. Click New and add the input filter for DNS traffic, and repeat the previous steps. Make sure to include the appropriate port number and type as described earlier in this chapter.
22. Click New and add the input filter for WINS traffic, and repeat the previous steps. Make sure to include the appropriate port number and type as described earlier in this chapter.
23. Click New and add an input filter for a quarantine resource, such as a Web server, where your profile installer is located. Specify the appropriate IP address for the resource in the Destination Network part of the Add IP Filter screen, as shown in Figure 7-10.

Figure 7-10. The Add IP Filter box, where you add a quarantined Web resource

24. Finally, click OK on the Inbound Filters dialog box to save the filter list.
25. On the Edit Dial-in Profile dialog box, click OK to save the changes to the profile settings.
26. Then, to save the changes to the policy, click OK once more.

Creating exceptions to the rule

Although it's certainly advantageous to have all users connected through a quarantined session until you can verify their configurations, you may find some logistical or political problems within your organization that prevent you from enforcing this requirement for everyone. If so, the simplest way to excuse a user or group of users from participating in the quarantine is to create an exception security group with Active Directory. The members of this group should be the ones that need not participate in the quarantining procedure.

Using that group, you should create another policy that applies to the exceptions group, which is configured with the same settings as the quarantine remote-access policy you created earlier in the chapter. This time, though, don't add or configure either the MS-Quarantine-IPFilter or the MS-Quarantine-Session-Timeout attributes. Once you've created the policy, move the policy that applies to the exceptions group so that it's evaluated before the policy that quarantines everyone else.

Checklist: Hardening Windows School: Advanced checklist on network access quarantining
14 Jun 2005 | Jonathan Hassell | SearchWindowsSecurity.com

One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep into your network is not through firewall holes or brute-force attacks -- nor is it any means that might occur at your campus or corporate headquarters. It's through mobile users trying to connect to your business network while on the road.

Consider why that is the case: Most remote users are authenticated only on the basis of their identities, and no effort is made to verify that their hardware and software meet certain baseline requirements. It is not uncommon for remote users to fail any or all of the following guidelines:

• The latest service pack and security hotfixes must be installed;
• The company-standard antivirus software must be installed and running with the latest signature files;
• Internet or network routing must be disabled;
• Windows XP Internet Connection Firewall (ICF) (now named Windows Firewall) or any other approved firewall must be installed, enabled and actively protecting ports on the computer.

You would expect business desktops to follow policy, but mobile users have traditionally been forgotten or grudgingly accepted as exceptions to the rule. Therefore, they become an active port for malware to enter and infect your network. That's why I'm going to explain why you need to use a security feature introduced in Windows Server 2003, Network Access Quarantine Control (NAQC), which gives you a chance to vet computers trying to access your network remotely, effectively closing that port.

Sound like a decent idea? Browse through the checklist below to learn more about quarantining.

Hardening Windows School Checklist: Know your network access quarantine options

[ ] Understand how Network Access Quarantine Control (NAQC) works

Here's basically how NAQC works: Under NAQC, when a client establishes a connection to a remote network's endpoint -- a machine running the Routing and Remote Access Service (RRAS) -- the destination Dynamic Host Configuration Protocol (DHCP) server gives the remote, connecting computer an IP address, but an Internet Authentication Service (IAS) server establishes a "quarantine mode." In quarantine mode, a set of packet filters restricts the traffic sent to and received from a remote access client, and a session timer limits the duration of a remote client's connection in quarantine mode before being terminated. Once the remote computer is in quarantine mode, the client computer automatically executes the baseline script. Windows runs the script and, if satisfied with the result, contacts the listening service running on the Windows Server 2003 back-end machine to report it. Quarantine mode is then removed and normal network access is restored. If Windows is not satisfied with the result, the client is eventually disconnected when the session timer reaches the configured limit as described above.

[ ] Decide on your preferred criteria for allowing regular access to your network

What would you like to check when remote users try to connect? Here are some ideas:

• The latest approved operating system service packs installed
• Antivirus software installed, working and updated with the latest signature files
• Firewall protections enabled
• Internet routing disabled

[ ] Begin planning your resource areas for users in quarantine mode

Under NAQC, you can establish a limited set of resources within the quarantine area where users can download information and software to help them rectify any issues that prevent them from accessing the unrestricted network. Consider posting a Web page explaining the quarantine process. Include information on how to get help from the help desk. You might also include a link to the latest service pack, a copy of your corporate antivirus software and individual links to hotfixes that you require. Give your users the power to self-correct their problems while still enhancing security on your network.

[ ] Explore the Routing and Remote Access Service (RRAS) policy functionality

A great guide to RRAS can be found at ServerWatch.com, and Chapter 11 of my book Learning Windows Server 2003 explains how to set up RRAS, and teaches you how to use policies and quarantining.

About the Author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft TechNet magazine. He speaks around the world on topics including networking, security and Windows administration.


Checklist: Harden access control settings
12 Jul 2005 | Roberta Bragg | SearchWindowsSecurity.com

Whether you're protecting sensitive data from malicious outsiders or preventing internal users from accessing systems not assigned to them, you have your work cut out for you when it comes to access control. This collection of checklists written by Roberta Bragg will help you along your way. She details specific steps to take in locking down default Windows access control settings and offers access control best practices.

Checklist 1: Three security mandates for any Windows environment

[ ] Disable or rename the Administrator account

It's important to prevent or restrict access to the local Administrator account. Attackers are well aware of it and its all-powerful presence on the computer. Malicious software is often written to use this account. While the attacker would still have to know or deduce the account's password to use it, he won't have the chance to try if the account is disabled.

Security Option: Use "Accounts: Administrator account status" to disable the Administrator account on Windows XP and Windows Server 2003 computers. On Windows 2000 computers this option is not available. Instead you can thwart attacks by renaming the Administrator account. If an attack involves the use of an account named "Administrator" and no such account exists, then the attack will not work.

Security Option: Use "Accounts: Rename Administrator Account" to rename this account in Windows 2000. However, please keep in mind that internally Windows computers use a unique security ID (SID) -- not a name. If the attacker knows the Administrator account SID, simply renaming the account does nothing. This SID is composed of a unique number (the machine or domain SID) and a standard relative ID (RID), which for the built-in Administrator account is always 500. An attacker or well-crafted malicious program can easily determine the Administrator account SID, unless you change that as well. (A future checklist will tell you how to protect Windows from such attacks.)

Even on computers where you can disable the Administrator account you should rename the account. Another account with administrative privileges can always be used to re-enable the Administrator account.

So what are the problems with disabling or renaming the Administrator account? First, many people will complain that this is security through obscurity. An attacker might be able to deduce the account name or SID, so disabling or renaming the account is not a sure preventative. Second, some people are under the false impression that they must use the Administrator account to administer the computer. If it's disabled, they say, how can they administer the computer? Preventing the use of the Administrator account does not mean you or others can't have administrative rights on the computer. Each user requiring such access can have an account with membership in the Administrators group. Disabling and renaming the account does not prevent administrative access, it just makes it harder for would-be attackers to get in.

• Disable or rename the Guest account

While the Guest account has few privileges, it is included in the Everyone group when permissions are being evaluated -- and the Everyone group can access many systems. The Guest account should be disabled by default. You just have to make sure it stays that way or rename it. Disabling and renaming this account may only remove low access rights, but this is a step that can be done quickly and easily, and doing so will typically cause no problems.

Security Option: Use "Accounts: Rename Guest Account" to rename the account.

• Hide logon names

By default the last account used to log on is displayed on the logon screen after the user has logged off. This allows anyone in close proximity to the machine to read the name, giving him half of the information he needs to access the computer and perhaps the network. He still has to know or deduce the password, but his job is easier than if he had to obtain both the account name and its password.

Security Option: Use the "Interactive: Do not display last user name" option to ensure the previously used logon name is removed from the logon screen.

Once again, some people will say these measures are security by obscurity and offer little value. They'll ask who cares if someone knows Joe User's logon name. They'll also maintain that it's a nuisance for users to enter their account names each time they log on. Baloney! A few keystrokes are all it takes. Requiring users to enter their information each time also ensures that they know their account names. Remember that not every user has limited access. You really don't want others to know the logon account names for administrators or other highly privileged users. Hiding the logon name can help you guard that information.

How to find and set the above Security Options

On a workgroup server or desktop (computers that are not joined in a domain):

1. Start/Administrative Tools/Local Security Policy
2. Navigate to Local Policies/Security Options
3. Scroll down to the appropriate setting.
4. Make the recommended change.

In a domain environment

The first step in making any change to Group Policy in a domain environment is to ensure that the change does not violate official organization security policy. Make sure you clear changes appropriately. In a domain environment, Group Policy management should be assigned to a limited number of administrators. Technical controls should also be in place to enforce this. Use the following steps to stay in compliance:


1. Create or open the Group Policy Object that will apply to computers you want to manage.

2. Navigate to Windows Settings/Security Settings/Local Policies/Security Options.
3. Scroll to the appropriate setting.
4. Make the recommended change.

Checklist 2: Block anonymous access

To deduce the SID of the Administrator account, the attacker obtains the account list, translates the account into a SID, retrieves the computer part of the SID, adds the known Administrator account portion and then uses the deduced SID in a logon attack or to figure out the new name of the Administrator account. To foil this process, use the security options below, which block anonymous access and other types of attacks that use anonymous access.

• Disable the option "Network Access: Allow anonymous SID/name translation."

This option, once disabled, prevents anonymous SID/name translation. Combine this option with the one below to keep an attacker from using an anonymous connection to deduce account names.

• Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts."

When enabled, this option prevents the enumeration of the user account list via an anonymous connection. When both this and the above security options are used, you can keep the changed name of the Administrator account hidden from an attacker using an anonymous connection.

• Enable the option "Network Access: Do not allow anonymous enumeration of SAM accounts/shares."

When enabled, this option also prevents anonymous enumeration of shares. Shares offer opportunities for system connections and data theft. If shares are properly protected by permissions, then anonymous access won't matter. If share permissions are not correct, or when they inadvertently offer access to an anonymous connection, you need to block anonymous connection to stop data theft. This option comes in handy on systems like Windows 2000, which include the anonymous SID in the Everyone group, where the group is given access permissions.

• Disable the option "Network Access: Let Everyone permissions apply to anonymous users."

On Windows XP and Windows Server 2003 systems, anonymous users are excluded from the Everyone group and cannot gain access to resources given to that group. Keep this option disabled to prevent access.

• Enter the names of named pipes if necessary in option "Network Access: Named Pipes that can be accessed anonymously."

Named pipes are another way network connections can be made by client/server programs. In this scenario, one part of a program runs on one computer and another part on another computer. Some legacy programs require anonymous access over these named pipes. If anonymous access is blocked, use this option to allow it where required.

• Enter the names of shares if necessary in the option "Network Access: Shares that can be accessed anonymously."

Here again, some legacy applications may require anonymous access to shares. Instead of allowing anonymous access to all shares, enter the names of shares that require anonymous access.

Checklist 3: How to properly set account lockout options

It seems some tried and tested security recommendations are backfiring. Specifically, let's take for example the usual advice to set account lockout options in a Windows domain.

If you do set account lockout and someone tries to log on to an account using the wrong password, the account will automatically lock after the specified number of tries -- and no one can log on using it.

Setting this option is supposed to provide two advantages:

1. A would-be attacker can't use the account unless he's capable of guessing the password within the number of tries you set.
2. If you have enabled auditing, configured it to record these events and reviewed your logs, you may discover these attempts at compromise.

On the other hand, setting this option may also bring two disadvantages:

1. Legitimate users may fumble-finger attempts at logon and lock themselves out. Does this seem far-fetched? I once did so in front of an audience of 500 people.
2. Automated attacks on accounts can trigger whole-scale lockout of multiple accounts. The password cracking attempt becomes a denial-of-service attack (and some say that may have been the goal).

Still, I believe that properly implemented account lockout options can work to your advantage. Account lockout settings should be set in a Group Policy Object linked to the domain. You'll find them at Windows Settings/Security Settings/Account Policies/Account Lockout Policy. Here's how to use them.

• Set account lockout threshold to 25 invalid logon attempts

After 25 tries the account will be locked out. (Even I don't think I'd enter an incorrect password 25 times!) This should keep the authorized user from locking themselves out just because they are having a brain hiccup. It does give the attacker a little more time to get the password, but unless the password is simple, 25 tries is hardly enough to compromise the account.


• Set account lockout duration to 30 minutes

For Windows Server 2003, this is the default if the threshold is set. The account lockout duration is the length of time that the account will remain locked out before it is reset. It's a good idea to set this feature. The alternative is to require administrators to reset accounts, a time-consuming venture in a large environment -- a real show-stopper should you get massive account lockout due to an automated attack. Yes, you will increase the risk that an attack can succeed. All the attacker has to do is wait out the lockout time and try again. On second thought, make your account lockout duration something other than 30 minutes. Let's foil the would-be attacker reading this document.

• Set the "reset account lockout counter after ..." option to 30 minutes

Windows keeps track of the number of bad password attempts in a lockout counter. This setting returns that total to zero after the number of minutes you prescribe. By providing a time here, the counter won't continue to increase if the time limit is reached. That can also keep the help desk calls down. It also allows an attacker to program around your defense. All she has to do is fly in under your radar (so to speak), sending, for example, 24 tries in 30 minutes, then none for a couple of minutes, then continue the cycle until she succeeds. But she'd have to know your settings, and if you're doing a good job of reviewing your audit logs, you should notice this pattern pretty quickly.

• Set auditing for logon events and monitor logs

Account lockout locks out accounts. That should let you know that something is amiss. However, if you aren't auditing logon events, you're missing many other more subtle attempts at compromise. It may be the only way to nip such an attack in the bud or prevent it from occurring again by helping you discover the source of the attack.

• Protect accounts from automated attacks originating from the Internet

Where would such attacks come from? Intuition says from the Internet. You shouldn't be able to log on from the Internet without some remote-access service such as a VPN. Unless an attacker can establish such an authenticated, authorized connection, he can't run an automated attack from the Internet. Block NetBIOS ports from Internet access and require the use of VPNs, SSL or other secure remote-access processes.

• Protect accounts from automated attacks originating from external users

Protect accounts from automated attacks originating from partners, customers and others whom you may allow access to your networks. Isolate resources you make available to these users. They shouldn't have free access to your entire network.

• Protect accounts from insider attacks

This is the really rough one. Your legitimate users have to be able to authenticate to the domain. How can you protect yourselves from their abuse of this privilege? Every practice that you adopt that limits users' ability to install and run unauthorized software helps you to mitigate this risk.
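The following PowerShell script is an added example, not part of Roberta Bragg's checklist: it shows how the "fly in under your radar" pattern from Checklist 3 can be spotted in failed-logon records by simulating the Windows lockout counter (threshold plus reset window) and flagging accounts that never lock out yet keep accumulating failures. The event records, account names and source addresses are constructed sample data, and the assumed thresholds match the checklist's 25 attempts and 30 minutes.

```powershell
# Added example: detect the low-and-slow logon-failure pattern described in the
# checklist. The lockout counter is simulated the way Windows applies the
# threshold and the reset window, so an account that never trips the threshold
# yet keeps failing across several windows is flagged. The events below are
# constructed sample data standing in for failed-logon audit records.

function Find-LowAndSlowLogonFailures {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # objects with Time, Account, Source
        [int]$Threshold = 25,       # "account lockout threshold"
        [int]$ResetMinutes = 30,    # "reset account lockout counter after"
        [int]$ReviewHours = 24      # look-back for the total-failures check
    )
    $Events | Group-Object -Property Account | ForEach-Object {
        $account = $_.Name
        $failures = @($_.Group | Sort-Object -Property Time)
        $counter = 0; $peak = 0; $lockedOut = $false; $last = $null
        foreach ($f in $failures) {
            # Windows zeroes the counter once ResetMinutes have elapsed since the
            # previous bad attempt and locks the account when it reaches Threshold
            if ($last -and ($f.Time - $last).TotalMinutes -ge $ResetMinutes) { $counter = 0 }
            $counter++
            $last = $f.Time
            if ($counter -gt $peak) { $peak = $counter }
            if ($counter -ge $Threshold) { $lockedOut = $true; $counter = 0 }
        }
        # Failures inside the review window, regardless of how they were spaced
        $since = $failures[-1].Time.AddHours(-$ReviewHours)
        $recent = @($failures | Where-Object { $_.Time -ge $since }).Count
        $verdict = if ($lockedOut) { 'LOCKOUT' }
                   elseif ($recent -ge $Threshold) { 'LOW-AND-SLOW' }
                   else { 'normal' }
        [pscustomobject]@{
            Account     = $account
            Failures    = $recent
            PeakCounter = $peak
            Sources     = ($failures.Source | Sort-Object -Unique) -join ','
            Verdict     = $verdict
        }
    }
}

# Constructed sample: three bursts of 24 bad passwords spaced 40 minutes apart
# never reach a threshold of 25 but add up to 72 failures in the review window;
# a burst of 25 trips the lockout; three failures are ordinary user fumbling.
$t0 = Get-Date '2005-07-12 09:00'
$sample = @()
foreach ($burst in 0..2) {
    foreach ($i in 1..24) {
        $sample += [pscustomobject]@{ Time = $t0.AddMinutes($burst * 40).AddSeconds($i * 10); Account = 'jdoe'; Source = '10.0.0.7' }
    }
}
foreach ($i in 1..25) { $sample += [pscustomobject]@{ Time = $t0.AddSeconds($i); Account = 'svc-backup'; Source = '10.0.0.7' } }
foreach ($i in 1..3)  { $sample += [pscustomobject]@{ Time = $t0.AddMinutes($i); Account = 'asmith'; Source = '10.0.0.12' } }

Find-LowAndSlowLogonFailures -Events $sample | Format-Table -AutoSize
```

To run it against real data, build the $Events objects from the failed-logon entries in the Security log (the audit setting the checklist asks you to enable) with the same three fields.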

Checklist 4: Restrict access to prevent insider hacks

Insiders are often to blame for more computer compromises than outsiders. That means your employees and fellow workers create more havoc for your network than all the malicious people on the Internet. Limit your losses by preventing users from accessing sensitive systems and logging on to machines other than those assigned to them.

WARNING: You can seriously hamper user ability to log on by setting the wrong user rights. Please do the following steps in a test environment.

• Step 1: Keep users out of systems that don't concern them.

You'll want to set file permissions, but before you do, quarantine users so they can only access and log on to a limited number of computers. To do so, open their account property pages in Active Directory Users and Computers, select the Account tab and click the Log On To button. Next click "The following computer" button, enter the name of a computer the user is allowed to access and click the Add button. If users must have access to multiple desktop computers and laptops, simply add those computer names. This works well when multiple people need to use any one of several computers in a lab or department.

If you want to keep an account from logging on at any computer, just enter the name of a non-existent computer. Setting log-on-to computers does not restrict users from accessing data on other computers across the network. To limit network access, configure user rights.

User rights specify what a user can do on a computer. Set them in the default domain controller Group Policy Object (GPO) to limit access on domain controllers, and in GPOs linked to organizational units when you want to impact a subsection of computers joined in the domain. User rights are located in the GPO under Windows Settings --> Security Settings --> Local Policy --> User Rights Assignment.

• Step 2: Restrict rights that directly impact computer access.

User rights configuration is similar to file permission settings; if the right is not granted, the user does not have it. The following rights directly impact access to computers and should be limited.

    • Access this computer from the network

    This right only allows identified user groups access to the computer. By default, the Everyone group has this right, and you may not want that. To restrict this right, add groups that should have the right to access the computer, and then remove the Everyone group. Be careful not to lock out service accounts.

    • Deny access to this computer from the network

    Remember, by default, if a user does not have the right to access the computer, he is denied access implicitly. Use this right sparingly to define those accounts that should never, under any circumstances, access the computer from the network. By default, Windows Server 2003 locks out the support_388945a0 account. You could use this right to prevent the local administrator account from being used on the network.

• Step 3: Harden log on and deny logon rights.

Be careful handling log on and deny logon rights. Each right has an associated counterpart -- a deny user right. Use deny rights sparingly, usually only to manage those accounts that should never have the right. Follow the table below for recommendations.

User right / Meaning / Recommendation

User right: Allow logon locally
Meaning: If a user has this right, he can sit at the console and log on.
Recommendation: Restrict access to all servers by adding groups that represent those authorized to configure or manage the server. Then remove the Users group. Be cautious here. If the machine is a terminal server, locking up local logon is not the choice to make. The SUPPORT_388945a0 account is denied this right.

User right: Allow logon through Terminal Services
Meaning: If this machine is a terminal server, users need this right.
Recommendation: Restrict Terminal Services to those users who are actually authorized to use the servers.

User right: Log on as a batch job
Meaning: Batch jobs are jobs that run in the background. They are often scheduled with the Task Scheduler.
Recommendation: Limit this right only to accounts that might be used to run these types of jobs -- and then only if the accounts need it. Accounts used for SUPPORT_388945a0, local service and Internet Information Services-related (IUSR, IWAM and IIS) WPG (Microsoft Word for Windows vector graphics) are given this right. Don't remove these groups unless the tasks they perform are no longer necessary on these computers.

User right: Log on as a service
Meaning: Services also run in the background.
Recommendation: Limit this right to services that may need it (by default the network service account is given this right). Ordinary users do not need it.
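The following PowerShell script is an added example, not part of Roberta Bragg's checklists: it exports a computer's effective security policy with secedit and reports the Security Options from Checklists 1 and 2 together with the "Access this computer from the network" right from Checklist 4, so the settings can be verified rather than assumed. The INF section and key names that stand for each option are assumptions drawn from the secedit template format; the script only reads and reports.

```powershell
# Added example: audit the effective local security policy against Checklists
# 1, 2 and 4. secedit exports the policy as an INF template; the INF key names
# below are assumed to map to the Security Options named in the checklists.
# Read-only: nothing is changed. Run from an elevated PowerShell prompt.

function Import-SecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'policy-audit.inf'))
    # Effective policy = local settings plus any applied Group Policy
    secedit /export /cfg $Path /quiet | Out-Null
    $policy = @{}
    $section = $null
    foreach ($line in Get-Content -Path $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') {
            $section = $Matches[1]
            $policy[$section] = @{}
        }
        elseif ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
            # [Registry Values] entries are <path>=<type>,<data>; drop the type
            # prefix and surrounding quotes so every value compares as plain text
            $value = $Matches[2] -replace '^\d+,', '' -replace '^"|"$', ''
            $policy[$section][$Matches[1]] = $value
        }
    }
    return $policy
}

function Test-AccessControlPolicy {
    param([hashtable]$Policy = (Import-SecurityPolicy))
    $lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa\'
    $srv = 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\'
    $sys = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\'
    # One entry per checklist item: INF section (S), key (K), pass test (T), description (D)
    $checks = @(
        @{ S = 'System Access';    K = 'EnableAdminAccount';              T = { $args[0] -eq '0' };                    D = '1: Administrator account disabled (XP/2003)' }
        @{ S = 'System Access';    K = 'NewAdministratorName';            T = { $args[0] -ne 'Administrator' };        D = '1: Administrator account renamed' }
        @{ S = 'System Access';    K = 'NewGuestName';                    T = { $args[0] -ne 'Guest' };                D = '1: Guest account renamed' }
        @{ S = 'Registry Values';  K = $sys + 'DontDisplayLastUserName';  T = { $args[0] -eq '1' };                    D = '1: Do not display last user name' }
        @{ S = 'System Access';    K = 'LSAAnonymousNameLookup';          T = { $args[0] -eq '0' };                    D = '2: Anonymous SID/name translation disabled' }
        @{ S = 'Registry Values';  K = $lsa + 'RestrictAnonymousSAM';     T = { $args[0] -eq '1' };                    D = '2: No anonymous enumeration of SAM accounts' }
        @{ S = 'Registry Values';  K = $lsa + 'RestrictAnonymous';        T = { $args[0] -eq '1' };                    D = '2: No anonymous enumeration of SAM accounts/shares' }
        @{ S = 'Registry Values';  K = $lsa + 'EveryoneIncludesAnonymous'; T = { $args[0] -eq '0' };                   D = '2: Everyone permissions do not apply to anonymous' }
        @{ S = 'Registry Values';  K = $srv + 'NullSessionPipes';         T = { [string]::IsNullOrEmpty($args[0]) };   D = '2: No named pipes open to anonymous access' }
        @{ S = 'Registry Values';  K = $srv + 'NullSessionShares';        T = { [string]::IsNullOrEmpty($args[0]) };   D = '2: No shares open to anonymous access' }
        @{ S = 'Privilege Rights'; K = 'SeNetworkLogonRight';             T = { $args[0] -notmatch '\*S-1-1-0(,|$)' }; D = '4: Everyone (S-1-1-0) removed from "Access this computer from the network"' }
    )
    foreach ($c in $checks) {
        $value = $null
        if ($Policy.ContainsKey($c.S)) { $value = $Policy[$c.S][$c.K] }
        # NOT SET: the key is absent from the export (e.g. not supported on this
        # Windows version); REVIEW: present but not at the checklist's setting
        $status = if ($null -eq $value) { 'NOT SET' }
                  elseif (& $c.T $value) { 'OK' }
                  else { 'REVIEW' }
        [pscustomobject]@{ Status = $status; Item = $c.D; Value = $value }
    }
}

Test-AccessControlPolicy | Format-Table -AutoSize
```

A REVIEW on the named-pipes or shares rows lists the names currently open to anonymous connections, which is exactly the list the checklist asks you to reduce to legacy applications that truly need it.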

Checklist 5: Set account options to limit systems access

Password policies aren't the only way to control access to your Windows systems. An account that grants access to your computer systems is a privilege not a right. Not everyone should have an account, nor should employees with accounts have unrestricted access to your systems. You don't make everyone an administrator, right? So why not restrict access using all the tools at your disposal? I don't mean you should invest in chains, whips or restrictive leather gear -- just use native Windows tools like account options to limit system access, as you'll learn in the checklist below. Following the checklist, you'll find steps for actually locating and changing account options in Active Directory.

• Set logon hours

This is the span of time users are authorized to log on. Restricting logon to normal work hours prevents users, or anyone who learns their account and password information, from accessing your network at off hours when few people are around to discover the unauthorized access. Setting logon hours can also hamper unauthorized use of remote access during those hours.

• Set log-on-to machines

Being able to log on from any computer in the domain is a nice convenience, but it's a bit too risqué for me. Selecting specific computers to use for logon may help prevent unauthorized actions that could result in data theft or damage. It is especially important to limit guests, temporary workers, students and contractors.

• Set "Smart card is required for interactive logon" where smart cards are used

If you don't require smart cards for interactive logon, users may forgo their smart card and use a password instead. You don't want this to happen. Smart card technology helps you escape the many weaknesses of password use. If users can choose whether or not to use their smart cards, you've lost that advantage. Also, users won't have to report a lost smart card in order to get a new one; if the wrong person finds an envelope with a smart card inside and the PIN number written on it -- game over.

As a general rule, users should never store PIN numbers with their smart cards, but there is no way to guarantee they won't. If a user reports a missing smart card and must receive a new one to log on, revoke the certificate assigned to the smart card to prevent the use of the lost card.

• Set "Account is sensitive and cannot be delegated," at least for administrator accounts

Account delegation is a useful tool for multi-tiered applications. It enables you to delegate authority for access, and gain tighter control and accountability of that access. However, delegating administrator accounts is not a good idea. Prevent that from happening by checking the "Account is sensitive and cannot be delegated" box.

• Set an account expiration date

Many of you hire part-time help, contractors and other temporary workers. When they (or any regular employees) leave their jobs, are you immediately made aware of the change so you can disable and eventually delete their accounts? Leaving excess accounts enabled on your systems is not a good security move. The compromise and use of these accounts might go unnoticed for a very long time. If all accounts have expiration dates set, temporary workers will need to have it extended in order to work past their length of service. If they leave early, at least the account will be expired. If setting account expiration dates for all employees is difficult to manage, at least set expiration dates for temporary workers.


How to locate and change account options in an Active Directory domain

Open Active Directory Users and Computers, navigate to the container where user accounts are stored (either the Users container or possibly several organizational units depending on your Active Directory design) and double click on the user account. To make changes, click on the check boxes or manipulate other controls. User details on a standalone Windows 2000, Windows XP or Windows Server 2003 computer can be found in the Computer Management\Local Users and Groups\Users container. However, many of the account details described above are not accessible there. To use those that make sense, you'll have to use the Net User command. Net User is also helpful in a domain. Use it to change account options for multiple accounts at one time. Alternatively write a script. Information on doing both can be found at Microsoft's support site and Microsoft TechNet.
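As an added example of the "write a script" route (not part of the original checklist), the PowerShell below applies all five Checklist 5 account options to one domain account with Microsoft's ActiveDirectory module, which post-dates this guide. It builds the logonHours bitmask by hand because that attribute has no dedicated parameter; the account name, workstation names, hours, time zone and expiry date are constructed sample values.

```powershell
# Added example: apply the Checklist 5 account options to one domain account
# with the ActiveDirectory module (a later Microsoft module; the guide itself
# points to Net User or a script). The user, workstation names, hours and
# expiry date are constructed sample values.

Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Builds the 21-byte logonHours attribute: one bit per hour of the week,
    # starting Sunday 00:00 UTC, least significant bit first within each byte.
    param(
        [int[]]$Days = (1..5),     # 0 = Sunday ... 6 = Saturday
        [int]$StartHour = 8,       # first permitted local hour (inclusive)
        [int]$EndHour = 18,        # first local hour no longer permitted
        [int]$UtcOffsetHours = 0   # local zone offset from UTC, e.g. -5 for UTC-5
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Shift the local hour to UTC and wrap within the 168-hour week
            $slot = (($day * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $index = [int][math]::Floor($slot / 8)
            $mask[$index] = $mask[$index] -bor (1 -shl ($slot % 8))
        }
    }
    return ,$mask
}

function Set-RestrictedAccount {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string[]]$Workstations,        # "Log On To" list; omit to leave it unchanged
        [datetime]$ExpiresOn,           # account expiration date
        [switch]$RequireSmartCard,      # "Smart card is required for interactive logon"
        [switch]$NotDelegated,          # "Account is sensitive and cannot be delegated"
        [byte[]]$LogonHours,            # omit to leave logon hours unchanged
        [switch]$WhatIf                 # preview without writing to the directory
    )
    $params = @{ Identity = $Identity; WhatIf = $WhatIf.IsPresent }
    if ($PSBoundParameters.ContainsKey('Workstations')) { $params.LogonWorkstations = $Workstations -join ',' }
    if ($PSBoundParameters.ContainsKey('ExpiresOn'))    { $params.AccountExpirationDate = $ExpiresOn }
    if ($RequireSmartCard) { $params.SmartcardLogonRequired = $true }
    if ($NotDelegated)     { $params.AccountNotDelegated = $true }
    if ($PSBoundParameters.ContainsKey('LogonHours'))   { $params.Replace = @{ logonHours = $LogonHours } }
    Set-ADUser @params
}

# Constructed sample: a contractor limited to two finance workstations, weekdays
# 08:00-18:00 local time in a UTC-5 zone, with the account expiring at the end
# of the engagement and never usable for delegation. Drop -WhatIf to apply.
Set-RestrictedAccount -Identity 'contractor.jdoe' `
    -Workstations 'WS-FIN-01', 'WS-FIN-02' `
    -ExpiresOn (Get-Date '2005-09-30') `
    -LogonHours (New-LogonHoursMask -Days (1..5) -StartHour 8 -EndHour 18 -UtcOffsetHours (-5)) `
    -NotDelegated -WhatIf
```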

Checklist 6: Tighten default settings to prevent unauthorized access

Many people say information security is a journey: No action you take to secure Windows will make much difference if you don't keep doing more and stay one step ahead of your nemesis. Even if you spend lots of money, hire the best people, know security backward and forward, implement Fort-Knox-like physical security and anti-logic-bomb bunker technologies, you're still going to lose. Someone will be one step ahead of you.

Hogfeathers! This kind of attitude will leave you open to attack. Sure as letting a bull loose in a glass shop, it will result in damaged goods -- your network and your computers will be penetrated.

Instead of bemoaning what you don't know, what you can't do and what the enemy knows, get a grip and start hardening systems. Truth be told, doing so, like eating good food and not standing on a hill during a lightning storm, can protect you from an extraordinary percentage of common attacks.

You have to modify Windows system defaults. Defaults are established to help the most people get the most use out of their systems. You should address this issue from the standpoint of what you want your users to be able to do with their systems. If you reduce their possibilities, you also reduce risk.

Start by disabling unnecessary network connections. These network connections are enabled by default. The key word here is not 'disable' -- it's 'unnecessary.' You may need these connections on some systems but you should have a security policy that defines how and when to use these connections and how they may be secured. Meanwhile, take the attitude that all things should be locked down, and loosened only after need versus risk has been evaluated.

• Disable 802.11 wireless network connections

If enabled, 802.11 wireless cards can serve as connection points for attackers even if users don't know that they have wireless capabilities. Even administrators and trained technical users may inadvertently expose their systems to risk by leaving wireless unprotected. If secure wireless networks are implemented and security practices extend to the workstation, then and only then should you enable them.

Before disabling, open the 802.11 network connection property page and use the Advanced tab to firewall the connection. This protects the connection when it is enabled.

• Disable Bluetooth connections

Bluetooth connections are used for short-range wireless synch or to communicate with a range of wireless devices, such as phones and printers. However, many systems do not need this capability, and your security policy may deny it to others. If you have to rely on Bluetooth, you're taking a risk, which each organization must weigh for itself. But by all means, turn off Bluetooth unless you know you absolutely need it for wireless devices to work.

• Disable infrared connections

Infrared technologies allow wireless connectivity primarily for synching with handheld systems, but they may also be used for printing or file transfer. When another infrared system is in range, and its owner wants to transfer a file to your system, a popup asks you if you want the file. It will not distinguish between malware or important files -- that's your job. Files are stored using your privileges. Unchecking the "Allow others to send files to your computer using infrared communications" box in the Wireless Link Control Panel applet prevents accidental transfer.

• Disable FireWire

FireWire -- a fast, short-range network connection often used for connecting audio and video devices -- may be used to network computers together and can be bridged with an Ethernet connection that enables a system with only FireWire access to access your network. FireWire is configured using the 1394 network connection viewable in Network Connections. It is enabled by default. Firewall the connection, and then disable this device.
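The following PowerShell function is an added example, not part of the checklist: it inventories the connection types Checklist 6 names (802.11 wireless, Bluetooth, infrared and 1394/FireWire) with the NetAdapter module, which is newer than the Network Connections applet the checklist uses, and disables those not on a per-machine allow list. The matching patterns and the allow-list entry are assumptions; the function only reports until -Apply is given.

```powershell
# Added example: inventory the connection types named in Checklist 6 (802.11
# wireless, Bluetooth, infrared, 1394/FireWire) with the NetAdapter module
# (Windows 8 / Server 2012 and later) and disable any not on a per-machine
# allow list. Reports only, unless -Apply is given. 'Wi-Fi' is a sample entry.

function Disable-UnnecessaryAdapters {
    param(
        [string[]]$Allowed = @(),   # connection names your security policy approves
        [switch]$Apply              # without it, only report what would change
    )
    # Assumed patterns for each class, matched against the adapter's media type
    # and driver description
    $classes = [ordered]@{
        '802.11 wireless' = 'Native 802\.11|Wireless|Wi-?Fi|WLAN'
        'Bluetooth'       = 'Bluetooth'
        'Infrared'        = 'Infrared|IrDA'
        'FireWire'        = '1394|FireWire'
    }
    foreach ($nic in Get-NetAdapter) {
        $text = "$($nic.PhysicalMediaType) $($nic.InterfaceDescription)"
        $class = $null
        foreach ($entry in $classes.GetEnumerator()) {
            if ($text -match $entry.Value) { $class = $entry.Key; break }
        }
        if (-not $class) { continue }   # wired Ethernet and the like are left alone
        $action = if ($Allowed -contains $nic.Name) { 'keep (allowed)' }
                  elseif ($nic.Status -eq 'Disabled') { 'already disabled' }
                  else { 'disable' }
        if ($action -eq 'disable' -and $Apply) {
            Disable-NetAdapter -Name $nic.Name -Confirm:$false
        }
        [pscustomobject]@{ Name = $nic.Name; Class = $class; Status = $nic.Status; Action = $action }
    }
}

# Preview first; add -Apply once the report matches the security policy
Disable-UnnecessaryAdapters -Allowed 'Wi-Fi' | Format-Table -AutoSize
```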

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.


Security risks associated with granting permissions in Windows XP

I am in the process of a desktop lockdown review for a Windows XP deployment. We need to define the security risks associated with granting permissions to select directories and registry settings for the average user (member of local users). These permissions are required to allow applications to function. I have found whitepapers from Microsoft and CIS that recommend certain permissions, but none explain the impact of not granting those permissions.

QUESTION POSED ON: 05 August 2003
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

The reason for granting permissions on registry keys and so forth is to allow custom groups the ability to run applications. The reason permissions are necessary is that some applications insist on making changes or opening files and keys as if to make changes -- permission usually granted only to administrators. Therefore, many companies have found that they need to make users members of administrative groups just so they can run certain applications. There is far less risk granting selected users permission on selected keys, files, etc., than there is in giving them administrative privileges, and therefore access to many more keys and files, as well as elevated privileges. On the other hand, if you are not using applications that require this level of access, then you should not be granting permissions. You may want to review the situation by using test groups, then try granting and not granting permissions while running applications to determine if there are some you can eliminate. The free utilities regmon and filemon available from Sysinternals can help you determine exactly which items are being accessed.


How to deny access when connecting to a share on a Windows 2003 Server

I have a Windows XP Professional workstation that is trying to connect to a share on a Windows 2003 Server in a workgroup environment. When I try to connect to the share on the server, I get an access denied message. I checked sharing and security permissions for this user, and they are set to full control. Is there anything else I can check to give this user access?

QUESTION POSED ON: 19 July 2004
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Share permissions can be complicated. It sounds like you have checked the first obvious thing. Both the permissions on the share and the security permissions on the folder must be considered before access is granted. The next issue is the user ID. In a Windows workgroup, you must be either using the same user ID and password on both machines, or when configuring the share, do so as another user by entering a password and user ID in the "Connect using a different user name." Here is a list of things to check:


1. Share permissions.

2. Security permissions on the folder that is shared (and permission on any files and subfolders you want to access).

3. Are you using an account and password for the server?

4. Check the local security policy of the server -- user rights. Make sure the user name you are using has the right to connect to the server remotely and is not denied the right to log on to this machine.

5. Check the local security policy of the server -- security options. Accounts limit local account use of blank passwords to console. (Don't change this. If you do, make all accounts use passwords.)

6. Check to see if any changes have been made to security policy.

7. Make sure the local user account on the server is enabled, and not locked out.


How to detect when non-domain laptops are plugged in to Windows Server 2003

We are trying to stop users from plugging in laptops that are not part of the domain for security reasons. Every once in a while we see a crazy workgroup name on the network. My question: Is there any way I can set up some type of alert so when this does happen I will be notified? Thanks.

QUESTION POSED ON: 13 September 2004
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Some network management products may have this facility. There are also some new technologies that might help. They are based on either requiring every computer to be scanned and pass a security review before being able to connect to the network or requiring a set of access control lists on switches and other network devices. Or they are based on preventing unauthenticated computers from accessing network resources.

In the first case, the security review can look for things like computer identity and refuse access to those not authorized. This is similar to the Network Quarantine control process available with Microsoft Windows Server 2003, but for the LAN. The user might plug the computer into a jack, but cannot access anything since the computer cannot pass the security test. This is a new technology that Microsoft is working on. Cisco has a product Secure Access Control Server for Windows that can configure access control lists on firewalls, routers, switches and so on to control access.


In the second case, IPSec policies are used on domain resource computers and require any computer to have its own certificate and authenticate before accessing resources. The user may be able to plug his computer into the network, but any attempt at accessing a network resource will be "access denied" since the computer cannot pass the security test. Desktop systems owned by your company will need appropriate certificates provided, as will servers. Microsoft has a document on how they implemented this solution which is called Domain isolation.


How to set up dual administrative controls for tighter security in Windows 2000

I work in a large corporation as a liaison between finance and IT. We have Active Directory in place worldwide. Corporate documentation on AD consists of mountains of intranet documents on the rollout and objectives, but they never talk about anything other than monitoring performance, replication and otherwise making sure it works from an IT perspective. What I want is a little finance/business-relevant functionality.

We have an application used to conduct very sensitive transactions. It can be set up to use Windows authentication to grant access, assuming that users have been made members of the appropriate global groups that have access to the network/database resources (group membership is controlled exclusively by a group manager within finance in this case). Using the features of Windows authentication is good because it reduces finance's need to know IT and maintain an IT infrastructure. Instead, we can piggyback on IT's engineered solution rather than having to support our own, for which we don't have either the expertise or the budget.

But there is one critical issue for us following our corporate security standards implemented through AD -- a single helpline person has the authority to reset passwords for user IDs. In the worst case, a malicious, knowledgeable helpline person could reset a user's password and then enter our sensitive finance system, posing as an authorized user. Finance can't tolerate a single administrative authority outside our organization with the ability to control access to our system in this manner (our back door). On the other hand, finance is at risk if that authority resides completely within finance, too, because that person would probably possess much more knowledge about our sensitive system and how to violate it.

What we want is dual administrative activities to take place when a user requests their password to be reset -- allow the helpline to reset the user password as per our corporate standard, but require a second, unrelated person to confirm the validity of the action from within finance for users of this particular system. The question is how. If somehow, a network agent were able to monitor members of the global group that grants access to our application and then, if a password change was made to any member, they'd be automatically removed from the global group, which only finance can administer (i.e., add them back to the group), that would be ideal. In that case, a password reset by the helpline would also require finance to restore membership to the group with access to the application (dual administrative control when a password reset takes place).

Is there any way that AD could be configured such that a password reset could trigger removal from certain sensitive network groups that the AD administrator would NOT have control over? This would allow for dual administration and less risk of an internal hacker accessing sensitive network resources. Is there another way that dual administration could be implemented when resetting a user's password? Would group policies help? Should we monitor event logs and send alerts that would run VB scripts to remove the member?

QUESTION POSED ON: 05 June 2003
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Yes, the administrator could reset the user's password. I know of no way to take out-of-the-box AD and make it remove this privilege for the administrator. (There may be some deep and dirty AD config in the ACLs, however, but an admin could change them back.) However, if the administrator does not know the user's password, and uses the reset function, he cannot reset the password back to what the user used. So the user, when she tries to log on next, will not be able to, and will have to contact the help desk to have her password reset. This activity, of course, should be investigated. Yes, users do forget their passwords; but, couple this with a strong audit policy in the event log, and event 627 "A user's password was changed" will be recorded. You can match these with user requests. In addition, you can set up EFS so that an administrator would have to access the files from the user's workstation in order to decrypt them.

When the reset password privilege is delegated to a help desk, even more interesting issues abound. We tend to hire and vet administrators and expect a little more of them, and pay them well. We believe they know the rules, and we watch these privileged persons a little more closely. Help desk personnel are often not paid well, have less education and turnover is rampant. Even if you solve all those issues for the help desk person in your case, you still should work on getting some monitoring (see the audit route above).

And, yes, your solution might work. You could script removal from a group after password reset. You could also make that a requirement, write a password reset script that first removes the user from a group, then resets the password. The help desk uses this instead of Active Directory Users and Computers.

I like the concept, too. It separates duties; that is, the help desk can reset a password if they remove a user from group. Finance can put a user in group. Neither can do both. There would have to be collaboration for a malicious act.


Still, a rogue admin or a help desk person (if the privileges aren't worked out correctly) can access the normal password reset functionality in Active Directory Users and Computers. A number of things can go wrong. Ideally, if files are that sensitive and the risk cannot be tolerated, you need to adopt some other method of authentication like a smart card or biometrics. With Windows 2000, certificate services come free. You would have to purchase the cards and/or readers, but the software is there. You would have to securely implement them; and, no -- once done, you do not have to make every user use a smart card, you can just use it for the finance group and you can require that the smart card, not the password, is used. If a smart card is lost or damaged, a new one can be issued. This can be done in a way in which only the user sees the PIN. Even if the card is lost, it cannot be used without the PIN. After a small number of PIN "guesses," the card self-destructs.

Let me know what you do, and how it works for you. Developing sound and secure business practices from mounds of technical information is not always easy.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.
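As an added illustration of the split described in the answer above (this is not the answer's own code; the original scenario used Windows 2000 and VB scripts), the PowerShell below gives the help desk a reset tool that removes the user from the finance group before touching the password, plus an audit function finance can run to catch resets that bypassed the tool. It assumes the ActiveDirectory module, a constructed group name 'Finance-App-Users', and that resets are logged as event 4724 (the Windows Server 2008 and later counterpart of the event 627 mentioned above).

```powershell
# Added example, not the original answer's code. Assumes the ActiveDirectory
# module (Windows Server 2008 R2 or later) and a constructed group name.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

# Help-desk side: the only password-reset path the help desk is given.
# Group removal happens first; if it fails, the password is never touched,
# so a reset can never leave the user inside the sensitive group.
# Note: AD's "Write Members" permission allows both add and remove, so the
# help desk account should also be watched for group additions (event 4728).
function Invoke-DualControlPasswordReset {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [string]$SensitiveGroup = 'Finance-App-Users'   # constructed name
    )
    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $group = Get-ADGroup -Identity $SensitiveGroup

    if ($user.MemberOf -contains $group.DistinguishedName) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        Write-Verbose "Removed $SamAccountName from $SensitiveGroup; finance must re-add."
    }

    Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword
    # Force a change at next logon so the help desk never holds a lasting password.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
}

# Finance side: detect resets that bypassed the script (for example through
# Active Directory Users and Computers) by reading reset events from a domain
# controller's Security log and checking whether the target is still a member.
# Hits where finance itself re-added the user are expected; review the rest.
function Find-ResetWithoutGroupRemoval {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$SensitiveGroup = 'Finance-App-Users'   # constructed name
    )
    $members = Get-ADGroupMember -Identity $SensitiveGroup -Recursive |
               Select-Object -ExpandProperty SamAccountName

    # 4724 = "An attempt was made to reset an account's password" (2008+);
    # Windows 2000 logs the equivalent as event 627, as the answer notes.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4724; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data   = ([xml]$e.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        $actor  = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
        if ($members -contains $target) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                ResetBy = $actor
                Target  = $target
                Finding = "Password reset but still a member of $SensitiveGroup"
            }
        }
    }
}
```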

How to remove specific permissions from an account operator in Windows 2000

How can I remove the permissions to delete a user account from the account operator in Windows 2000?

QUESTION POSED ON: 02 April 2003
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

There are two ways to approach this problem.

1. To allow account operators to do everything to manage accounts except delete user accounts, you can deny account operators the "Delete all child objects" permission on the users container in Active Directory users and computers. If all user accounts do not reside in this container, you will have to make the same change to all user account containing organizational units (OUs).

2. The second option is to create a custom security group and only give it the permissions over user accounts that you desire. After creating the group, use the delegation of control wizard. When you are done, add members to this group that you wish. Delegation of administrative authority to security groups may be of help.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

How to check which permissions are assigned to a user or group in Windows 2000


I'm using Windows 2000 server and NTFS file system. There have been a lot of permission changes for certain folders and files, so I have lost control of where and which permissions have been changed. It's easy to open folder or file properties and find which permissions are applied to whom, but I would like to get another view; I would like to take a user or group and see where and which permissions on the file system level they have. How do I get that, because tons of files are stored on the server and I cannot check every file properties step-by-step. Thanks, Roberta.

QUESTION POSED ON: 21 May 2003
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

Use the SomarSoft Utility DumpSec, a free utility; see also Hyena, a product by the folks that provide the free one.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

How to set NTFS permissions on Windows 2000 Terminal Services

What is the guideline for setting NTFS permissions on a Windows 2000 Server Terminal Services with Citrix MetaFrame 1.8? I have been told by Microsoft technical support NOT to mess with the group "Everyone," to leave permissions at default and create a new group and restrict NTFS permissions to that group. Does that sound correct? I have been told you cannot set the permissions like you could in NT 4.0 Terminal Server Edition. Is that correct?

QUESTION POSED ON: 23 September 2002
QUESTION ANSWERED BY: Roberta Bragg | SearchWindowsSecurity.com

There appears to be more than one issue here:

1. Since you say you were told to create a new group and restrict NTFS permissions to that group, I'm assuming you want to restrict access by setting deny permissions. If this is so, then yes, create the group and set "deny permissions" for it. You cannot deny access to the Everyone group; if you do so, you will do just that, deny access to everyone.

Since deny access is usually applied first, no amount of "allow access" will override this. Instead, grant "allow access" to those who need access. Those without access will be denied by default. The "deny access" permissions help with more granular access restrictions, but Windows 2000, like NT, does not grant access to anyone implicitly.

2. What access do you wish to adjust? System access? Data file access? As you know, in some areas, the group Everyone is explicitly given access. In many cases you can remove this access, but you must make sure to replace it by giving the SYSTEM and appropriate users access explicitly. You should always use caution when doing this, and do so on test systems. I am unable to find out if Citrix Metaframe also requires explicit access to areas, where it is getting that access because of default group "everyone." If this is so, then if you could determine where that is necessary, then you can make the appropriate adjustments. I suggest you work with your Citrix support to determine if this is possible.

3. Windows 2000 is different than Windows NT 4.0 Terminal Server edition, and that may be the cause of some problems. Permissions set on the system files are not the same. This could be the answer here. You cannot merely set permissions in Windows 2000, as you may have in Windows NT.

4. It's always easier to just leave the defaults. I know of no explicit reason why you cannot make some adjustments to file permissions, but there is no easy answer here. As always, you must determine what access is required before you blithely change access. Depending on where you wish to change permissions, you may need to know the access required by Windows, Citrix Metaframe and user accounts.

About the Author: Roberta Bragg is author of Hardening Windows Systems and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

Limiting user and admin access
03.09.2006 | Wes Noonan | SearchWindowsSecurity.com

Allowing granular access to the many objects on your Windows network to various users can present some problems. In this set of questions and answers, Windows network security expert Wes Noonan shares how to selectively limit object access from users and admins alike.

Q: How can I prevent a domain user or computer from accessing all servers on the network? I only want them to be able to access one server.

A: One effective method of doing this would be to add the user to a group that you create (for example Server A Users) and then remove them from the domain users group. Next, make the group that you created a member of the appropriate local groups on the server to grant them the level of access you desire. For example, if you want them to be just a regular user, you can add the global group to the local "Users" group.

Q: How can I prevent certain users who are domain administrators from logging onto domain controllers?

A: That depends on the kind of user they are. If they are a member of a group that grants them rights on domain controllers (for example, Domain Admins) there really isn't a way to do that. If your domain is small enough, you could specify the list of computers they are allowed to login to, excluding the domain controllers, but I think this would rapidly become unmanageable (every time you add a computer, potentially you need to update the list of computers they can login to) as well as being rendered ineffective if the users in question are domain admins (they can always come in behind you and undo it).

Now, assuming that this is not a domain admin, the ability to logon to a domain controller is defined in the Default Domain Controllers Group Policy. You can view this by right clicking on the Domain Controllers OU in Active Directory Users and Computers and selecting "Properties". Click on the "Group Policy" tab, select the policy and click "Edit". Navigate using the Group Policy Object Editor to the following branch:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

In the right hand window, look for either "Log on locally" or "Allow Logon Locally" (it differs depending on which version of Windows you are using). Double click on the policy and add/remove users from that list accordingly and check the box next to "Define these policy settings:" to define who will be allowed to logon locally. By default, the following accounts/groups can logon locally to domain controllers:

1. Account Operators

2. Administrators

3. Backup Operators

4. Print Operators

5. Server Operators

6. Corresponding Internet Users (IUSR_)

As always, rather than directly editing the Default Domain Controllers Group Policy, you should create a new group policy object with the settings you want. Also, be advised that changing the default settings can cause unexpected and potentially damaging results to your systems.

Q: If you have two domains on your network that are located at the same physical site and you want to implement an account policy that requires passwords of at least eight characters and should meet complexity requirements -- do you apply the account policy setting at the site? What account policies should you use?

A: You would need to apply the account policy separately on each domain. Even though the group policy MMC snap-ins will display the "Password Policy" branch for OUs and sites, you can only define the password policy at the domain level. This is because there can only be a single password policy in a given Active Directory, which effectively means that you can only define it at the domain level. Also, just as a note regarding best practices, rather than modifying the default domain policy, you should go ahead and create an additional group policy object with the password policy settings that you want to apply.


Q: I have an NTFS folder on Windows 2000 Advanced Server. I want to set rights to this folder so that users are not able to delete files or folders, while at the same time they are able to save and make changes in that folder. How can I do this?

A: This can be done by editing the advanced security properties of the folder and files. To do this, right click on the folder in question and select "Properties." Select the Security tab and click "Advanced." Add or edit the appropriate users and specify the following permissions:

Traverse Folder/Execute Data
List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Files/Write Data
Create Folders/Append Data
Write Attributes
Write Extended Attributes
Read Permissions
Change Permissions

You may or may not need all of the above permissions for your specific requirements. The key is to remember to NOT grant the "Delete Subfolders and Files" and "Delete" permissions.

Keep in mind that you may need to remove inheritance to allow you to make the necessary changes.

About the Author: Wesley J. Noonan has been working in the computer industry for over 12 years specializing in Windows-based networks and network infrastructure security design and implementation.
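The no-delete folder described in the last answer above, scripted as an added example (not the answer's own code): it grants the listed permissions minus the two delete rights, breaks inheritance as the answer recommends, and then verifies the result. The share path and group name are constructed; the OWNER RIGHTS entry is an addition that needs Windows Vista/Server 2008 or later.

```powershell
# Added example, not part of the original answer. Identity and path are
# constructed; requires rights to change the folder's DACL.
$FR      = [System.Security.AccessControl.FileSystemRights]
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function Set-NoDeleteFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'CORP\Finance-Users' (constructed)
        [switch]$AllowChangePermissions
    )
    # The answer's permission list minus Delete and Delete Subfolders and Files.
    $rights = $FR::Traverse -bor $FR::ListDirectory -bor
              $FR::ReadAttributes -bor $FR::ReadExtendedAttributes -bor
              $FR::CreateFiles -bor $FR::CreateDirectories -bor
              $FR::WriteAttributes -bor $FR::WriteExtendedAttributes -bor
              $FR::ReadPermissions
    # "Change Permissions" is on the list, but whoever holds it can re-grant
    # Delete to themselves, so it is opt-in here.
    if ($AllowChangePermissions) { $rights = $rights -bor $FR::ChangePermissions }

    $userRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $rights, $Inherit, $NoProp, $Allow)

    # Files a user creates are owned by that user, and an owner can normally
    # rewrite the DACL (and so add Delete). An explicit OWNER RIGHTS entry
    # (well-known SID S-1-3-4) replaces those implicit owner rights with
    # read-only access to the permissions.
    $ownerSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')
    $ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ownerSid, $FR::ReadPermissions, $Inherit, $NoProp, $Allow)

    $acl = Get-Acl -Path $Path
    # Stop inheriting (keeping copies of the inherited entries) so a parent's
    # Modify or Full Control entry cannot hand the identity Delete anyway.
    $acl.SetAccessRuleProtection($true, $true)
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Identity)
    $acl.AddAccessRule($userRule)
    $acl.AddAccessRule($ownerRule)
    Set-Acl -Path $Path -AclObject $acl
}

# Returns $true when no Allow entry for the identity carries either delete right.
function Test-NoDeleteFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    $deleteBits = [int]($FR::Delete -bor $FR::DeleteSubdirectoriesAndFiles)
    $offending = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (([int]$_.FileSystemRights) -band $deleteBits) -ne 0
    }
    return (@($offending).Count -eq 0)
}

# Usage with constructed values:
# Set-NoDeleteFolderAccess  -Path 'D:\Shares\FinanceDrop' -Identity 'CORP\Finance-Users'
# Test-NoDeleteFolderAccess -Path 'D:\Shares\FinanceDrop' -Identity 'CORP\Finance-Users'
```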

Opinion: Network admins need Microsoft-Cisco unity
30 Jul 2004 | Laura E. Hunter | SearchWindowsSecurity.com

You were at the coming out party for Windows Server 2003 in April of 2003, admit it. But did you notice that neat little feature standing alone in the corner because nobody was asking her to dance? Her name was Network Access Quarantine Control, and as new features go, it was amazing how little attention she garnered.

This little toy could look at your incoming remote access clients, check their patch levels, antivirus signatures and other pertinent security details, and then grant or deny access to your internal network based on the client's overall "fitness" level. This was huge, people! OK, so maybe it wasn't all that easy to deploy. All right, I admit it, it was a bear. But it was still a major leap forward in perimeter security for Microsoft products.


The next major advance will arrive in the next release of 2003 -- R2 -- scheduled for release in mid-2005. Currently dubbed "Network Access Protection," this tool improves on NAQC in two significant ways:

• It creates simpler, GUI-based administration and implementation, rather than the extensive scripting needed for NAQC. In addition, Microsoft has promised interoperability with a number of third-party products, including antivirus and existing remote-access technologies.

• It extends the functionality of the protection to all types of connections, both remote access and LAN-based. This part is key because the pervasiveness of "always-on" Internet connectivity, wireless hotspots and smaller Internet-capable devices like cell phones and PDAs has greatly blurred the distinction between what is a locally connected versus a remote-access client. In many ways, the idea of the network perimeter has ceased to be a physical entity like a border router, and has become a much more logical concept.

However, Microsoft's entry into this market seems likely to place it in competition with existing network perimeter security software, most notably Cisco's Network Access Control. Now, I'm a big bad capitalist, and am of the opinion that competition is good for any industry, especially the software business. Competition for customer dollars almost inevitably leads to better products for the money, as different vendors develop more desirable features to "get the contract."

But when security is at stake, interoperability must trump the desire to turn a profit. At the risk of sounding utopian, the idea of a "greater good" needs to extend to the Internet and Internet-connected machines, since their security and well-being affect us all.

At the moment, the Microsoft and Cisco perimeter security products are gearing up to not quite speak to one another. NAP is slated to use PEAP (Protected Extensible Authentication Protocol), whereas Cisco's NAC is only meant to run on Cisco equipment. Given the prominence of both vendors' products in the enterprise network, this could prove problematic.

If the two offerings don't end up working and playing well together, network administrators who rely on both vendors' products will be forced to jury-rig a solution, either by building their own or using a product from a third-party vendor to create interoperability. I don't know about you, but I get nervous whenever I'm forced to use the word "jury-rig" in connection with network security.

Granted, this may be putting the cart before the horse somewhat, since there isn't much in the way of clearly defined standards for secure network access. But a significant positive indicator for the future is Microsoft's support for 802.1x authentication, both in Windows Server 2003 and Longhorn. If current or future iterations of the Microsoft and Cisco perimeter security offerings can be built according to industry standards -- either 802.1x or some future model -- the security of all those who rely on Microsoft and Cisco technology will certainly benefit.


Step-by-Step guide: Network Access Quarantine Control
5 Jan 2006 | Jonathan Hassell | SearchWindowsSecurity.com

One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep onto your network is not through holes in your firewall, or brute-force password attacks, or anything else that might occur at your corporate headquarters or campus. It's through your mobile users, when they try to connect to your business network while on the road. You would expect your business desktops to follow policy, but in the past, mobile users have traditionally been forgotten or grudgingly accepted as exceptions to the rule. However, Windows Server 2003 includes a new feature in its Resource Kit, called Network Access Quarantine Control (NAQC), which allows you to prevent remote users from connecting to your network with machines that aren't up-to-date and secure. NAQC provides a different sort of security and addresses a different, but equally important, sector of communications than VPN or IPSec.

Step 1: Learn how it works

NAQC prevents unhindered, free access to a network from a remote location until after the destination computer has verified that the remote computer's configuration meets certain requirements and standards, as outlined in a script.

To use NAQC, your remote access clients must be running Windows 98 Second Edition, Windows Millennium Edition, Windows 2000, or Windows XP Home or Professional. These versions of Windows support a connectoid, which is simply a dial-up or VPN connection profile located in the Network Connections element in the user interface, containing three essential elements:

• Connection information, such as the remote server IP address, encryption requirements and so on.

• The baselining script, which is a simple batch file or program used to assess the suitability of the client computer (more on this in a bit).

• A notifier component, which talks to the destination network's backend machine and negotiates a lift of the client's quarantine.

These elements are united into one profile using the Connection Manager (CM) Administration Kit (CMAK) in Windows Server 2003. Additionally, you'll need at least one Windows Server 2003 machine on the back end running an approved listening component; for the purposes of this guide, I'll assume you're running the Remote Access Quarantine Agent service (called rqs.exe) from the Windows Server 2003 Resource Kit, because that is the only agent available at press time. Finally, you'll need a NAQC-compliant RADIUS server, such as the Internet Authentication Service in Windows Server 2003, so that network access can be restricted using specific RADIUS attributes assigned during the connection process. Here is a detailed outline of how the connection and quarantining process works, assuming you're using rqc.exe on the client end from the CMAK and rqs.exe on the back end from the Resource Kit:


1. The remote user connects his computer, using the quarantine CM connectoid to the quarantine-enabled connection point, which is a machine running RRAS.

2. The remote user authenticates.

3. RRAS sends a RADIUS Access-Request message to the RADIUS server -- in this case, a Windows Server 2003 machine running IAS.

4. The IAS server verifies the remote user's credentials successfully and checks its remote access policies. The connection attempt matches the configured quarantine policy.

5. The connection is accepted, but with quarantine restrictions in place. The IAS server sends a RADIUS Access-Accept message, including the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes, to RRAS.

6. The remote user completes the remote access connection with the RRAS server, which includes leasing an IP address and establishing other network settings.

7. RRAS configures the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings for the connection, now in quarantine mode. At this point, the remote user can only send traffic that matches the quarantine filters -- all other traffic is filtered -- and can only remain connected for the value, in seconds, of the MS-Quarantine-Session-Timeout attribute before the quarantine baselining script must be run and the result reported back to RRAS.

8. The CMAK profile runs the quarantine script, currently defined as the "post-connect action."

9. The quarantine script runs and verifies that the remote access client computer's configuration meets a baseline. If so, the script runs rqc.exe with its command-line parameters, including a text string representing the version of the quarantine script being used.

10. rqc.exe sends a notification to RRAS, indicating that the script ended successfully.

11. The notification is received by rqs.exe on the back end.

12. The listener component on the RRAS server verifies the script version string in the notification message with those configured in the registry of the RRAS and returns a message indicating that the script version was either valid or invalid.

13. If the script version was acceptable, the rqs.exe calls the MprAdminConnectionRemoveQuarantine API, which indicates to RRAS that it's time to remove the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings from the connection and reconfigure the session for normal network access.

14. Once this is done, the remote user has normal access to the resources on the network.

15. rqs.exe creates an event describing the quarantined connection in the System event log.


Step 2: Create quarantined resources

You need to create resources that actually can be accessed while the quarantine packet filters are in place for a remote client. Examples of such resources include DNS servers and DHCP servers, so that IP address and other connection information such as suffix addresses, DNS server addresses, and the like can be retrieved; fileservers to download appropriate software to update out-of-compliance machines; and Web servers that can describe the quarantining process or allow a remote user to contact IT support via email if any problems occur.

You can specify and use a quarantined resource in two ways. The first is to identify certain servers, which can be spread across your network, as these quarantine resources. This allows you to use an existing machine to host the quarantined resources, but you also have to create individual packet filters for quarantined sessions for each existing machine. For performance and overhead reasons, it's best to limit the number of individual packet filters for a session.

If you decide to go this route, you'll need to enable the packet filters shown in the following table:

Table 1. Packet filters for distributed quarantine resources

Traffic Type         Source Port   Destination Port   Alternatives (instead of specifying port information)
Quarantine Notifier  None          TCP 7250           None
DHCP                 UDP 68        UDP 67             None
DNS                  None          UDP 53             You also can specify the IP address of any DNS server.
WINS                 None          UDP 137            You also can specify the IP address of any WINS server.
HTTP                 None          TCP 80             You also can specify the IP address of any Web server.
NetBIOS              None          TCP 139            You also can specify the IP address of any file server.
Direct Hosting       None          TCP 445            You also can specify the IP address of any file server.

You also can configure any other packet filters that are particular to your organization. The other approach is to limit your quarantined resources to a particular IP subnet. This way, you need just one packet filter to quarantine traffic to a remote user, but you might need to readdress machines and, in most cases, take them out of their existing service or buy new ones.


Using this method, the packet filter requirements are much simpler. You just need to open one for notifier traffic on destination TCP port 7250, one for DHCP traffic on source UDP port 68 and destination UDP port 67, and for all other traffic, the address range of the dedicated quarantine resource subnet. And again, you can configure any other packet filters that are particular to your organization.

Step 3: Write the baselining script

The next step is to write a baselining script that will be run on the client. You can write this script in any scripting environment supported by your Windows clients, or even as a compiled EXE program. This script can check whatever you want -- there is no standard level of baseline, as it's only what you feel comfortable with letting onto your network. You also can use any sort of interaction with any program that your scripting environment will allow. The baseline script is very flexible and can use whatever software resources you have available.

Here is an example batch file script:

```batch
@echo off
echo Your remote connection is %1
echo Your tunnel connection %2
echo Your Windows domain is %3
echo Your username is %4
set MYSTATUS=
REM Baselining checks begin here
REM Verify Internet Connection Firewall is enabled. Set CHECKFIRE to 1-pass, 2-fail.
REM Verify virus checker installed and sig file up. CHECKVIRUS is 1-pass, 2-fail.
REM Pass results to notifier or fail out with message to user.
if "%CHECKFIRE%" == "2" goto :NONCOMPLIANT
if "%CHECKVIRUS%" == "2" goto :NONCOMPLIANT
rqc.exe %1 %2 7250 %3 %4 Version1-0
REM These variables correspond to arguments and switches for RQC.EXE
REM %1 = %DialRasEntry%
REM %2 = %TunnelRasEntry%
REM RQS on backend listens on port 7250
REM %3 = %Domain%
REM %4 = %UserName%
REM The version of the baselining script is "Version1-0"
REM Print out the status
if "%ERRORLEVEL%" == "0" (
    set ERRORMSG=Successful baseline check.
) else if "%ERRORLEVEL%" == "1" (
    set ERRORMSG=Can't contact the RRAS server at the corporate network. Contact a system administrator.
) else if "%ERRORLEVEL%" == "2" (
    set ERRORMSG=Access is denied. Please install the Connection Manager profile from http://location and attempt a connection again.
) else (
    set ERRORMSG=Unknown failure. You will remain in quarantine mode until the session timeout is reached.
)
echo %ERRORMSG%
goto :EOF
:NONCOMPLIANT
echo.
echo Your computer has failed a baseline check for updates on
echo your machine. It is against corporate policy to allow out of
echo date machines to access the network remotely. Currently
echo you must have Internet Connection Firewall enabled and
echo an updated virus scanning software package with the
echo latest virus signature files. For information about how to
echo install or configure these components, surf to
echo http://location.
echo You will be permitted to access only that location until
echo your computer passes the baselining check.
:EOF
```

Of course, this batch file is simple. I've added the necessary comments throughout the script so that you can follow the action. It's important to keep in mind that you can make the script as complex as you want; you even can compile a special program, because the post-connect action option in CMAK allows an .exe file to be run. Keep in mind, too, that the check runs on the client under the user's control: NAQC keeps careless, out-of-date machines out of the network, but it cannot stop a determined user who simply runs rqc.exe by hand with the expected arguments.

The one requirement of every baseline script is that, when the compliance check succeeds, it must run rqc.exe with the following parameters:

rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion

The switches and arguments are explained in the following list:

• The ConnName argument is the name of the connectoid on the remote machine, most often inherited from the dial-in profile variable %DialRasEntry%.

• The TunnelConnName argument is the name of the tunnel connectoid on the remote machine, most often inherited from the dial-in profile variable %TunnelRasEntry%.

• The TCPPort argument is the TCP port on which the RQS listener on the RRAS server accepts the notifier's success message. The default is 7250.

• The Domain argument is the Windows security domain name of the remote user, most often inherited from the dial-in profile variable %Domain%.

• The Username argument is the username of the remote user, most often inherited from the dial-in profile variable %UserName%.


• The ScriptVersion argument is a text string that contains the script version; it is matched against the version string stored on the RRAS server (see Step 4). You can use any keyboard characters except the sequence /0.

Step 4: Install the listening components
The Remote Access Quarantine Agent service, otherwise known as rqs.exe, must be installed on the Windows Server 2003 machines accepting incoming calls using RRAS. RQS is found in the Windows Server 2003 Resource Kit Tools download, which you can find on the Microsoft Web site at http://www.microsoft.com/windowsserver. Once you've run the installer for the tools, select the Command Shell option from the program group on the Start menu, and run RQS_SETUP /INSTALL from that shell. This batch file copies the appropriate binaries to the %SystemRoot%\System32\RAS folder on your system and modifies service and registry settings so that the listener starts automatically when the server boots.

A bit of manual intervention is required, however, to finish the installation: you need to specify the version string for the baselining script. The listener service matches the version reported by the remote computer against the value stored on the RRAS computer to make sure the client is using the latest acceptable version of the script. This is a great way to enforce changes you make to your baseline scripts: if a user isn't running the latest version of the script (and therefore isn't performing the latest checks you require), he won't be released from quarantine.

To make this change manually after you've run RQS_SETUP from the Tools download, follow these steps:

1. Open the Registry Editor.

2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rqs key.

3. Right-click in the right pane, and select New, then String Value.

4. Name the string AllowedValue.

5. Then double-click the new entry, and enter the string that identifies an acceptable version of the script (Version1-0 for the sample script above).

Step 5: Create a quarantined connection profile
The next step is to create a quarantined Connection Manager profile, which is simply a normal profile you might create for any standard dial-up or VPN connection, with only a few modifications. For one, you need to add a post-connect action so that your baselining script runs and returns a success or failure message to the RRAS machine. You also need to add the notifier (rqc.exe) to the profile. Let's look at using the CMAK to create a custom connectoid including the necessary NAQC components.

1. Open the CMAK from the Administrative Tools menu, and then click Next on the introductory screen.


2. Select Create a new service profile, and then click Next.

3. In the Service name box, type a name that you want to use for the connection. This should be something familiar to users, such as "Connect to Corpnet."

4. In the File name box, type a name that you want to use for the service profile. This name is used for the files that CMAK creates while building the service profile. Do not use any of the following characters in the filename:

<SPACE> ! , ; * = / : ? ' " < >

5. Click Next.

6. I'll assume here that you do not have an existing CM profile to merge, so simply click Next to bypass the screen that asks you to merge profile information.

7. If you want to add a line of support information to the logon dialog box, type it in the Support information box -- for example, "For customer support, email [email protected]." This is optional. Click Next when you've finished.

8. Specify whether the service requires a realm name, and then click Next.

9. If you want to configure custom Dial-Up Networking entries, click Add. In the Phone-book Dial-Up Networking entry dialog box, type the phonebook Dial-Up Networking entry that you want. Click Next.

10. Specify whether you want to assign specific DNS or WINS server addresses or a Dial-Up Networking script, and then click OK. Click Next.

11. If you want to add VPN support to the service profile, select the checkbox that enables a VPN for this service profile, and then click Next. Specify the server in the Server address box, specify whether to assign specific DNS or WINS server addresses and whether to use the same user credentials that are used for a dial-up connection, and then click OK. Click Next.

12. (Here is where the quarantine steps begin.) The Custom Actions screen appears.

13. Select Post-Connect from the Action type drop-down box and then click the New button to add an action. The New Custom Action dialog box is displayed.

14. Type a descriptive title for the post-connection action in the Description box. In Program to run, enter the name of your baselining script; you also can use the Browse button to look for it. Type the command-line switches and their arguments in the Parameters box -- for the sample script above, that is %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%, in that order. Finally, check the two bottom boxes, Include the custom action program with this service profile and Program interacts with the user.

15. Click OK, and you should return to the Custom Actions screen. Click Next.

16. Continue filling in the wizard screens as appropriate, until you come to the Additional Files screen.


17. Click Add, and then enter rqc.exe in the dialog presented next. You can use the Browse button to search for it graphically. Once you're finished, click OK.

18. You'll be returned to the Additional Files screen, where you'll see rqc.exe listed. Click Next.

19. Complete the remainder of the wizard as appropriate.

Step 6: Distribute the profile to remote users
The profile you just created is made into an executable file that you can distribute to your remote users so that they can run it on their systems, creating the profile automatically without any further intervention. You have several options for actually getting that executable file to your users.

You can transmit the executable file as an attachment to an email message or, better yet, as a link to the executable file hosted on a web server somewhere. In the email message, you can include instructions to run the file and use the new connectoids for all future remote access. You also can have the executable run as part of a logon or logoff script, but to do that you need either to have your users log on through a dial-up connection, or to wait until the mobile users return to the home network and are connected to the corporate campus network.

Regardless of which method you choose to initially transmit the profile installer to your users, you always should place the latest version of the profile installer on a quarantined resource somewhere, so that client computers that don't pass your baselining script's compliance checks can surf to a web site and download the latest version without further compromising the integrity of your network.

Step 7: Configure the quarantine policy
The final step in this process is to configure the actual quarantine policy within RRAS. In this section, I'll create a quarantine policy within RRAS that assumes you've posted the profile installer on a web server that is functioning as a quarantined resource.

1. Open the RRAS Manager.

2. In the left pane, right-click Remote Access Policies, and then select New Remote Access Policy from the context menu. Click Next through the introductory pages.

3. The Policy Configuration Method page appears. Enter Quarantined VPN remote access connections as the name of this policy. Click Next when you're finished.

4. The Access Method page appears next. Select VPN, and click Next.

5. On the User or Group Access page, select Group, and click Add.

6. Type in the group names that should be allowed to VPN into your network. If all domain users have this ability, enter Everyone or Authenticated Users. I'll assume this domain has a group called VPNUsers that has access to VPN capabilities. Click OK.


7. You'll be returned to the User or Group Access page, and you'll see the group name you added in the list box. Click Next if it looks accurate.

8. The Authentication Methods page appears. To keep this example simple, use the MS-CHAP v2 authentication protocol, which is selected by default. Click Next.

9. On the Policy Encryption Level page, make sure Strongest Encryption is the only option checked. Then click Next.

10. Finish the wizard by clicking Finish.

11. Back in RRAS Manager, right-click the new Quarantined VPN remote access connections policy, and select Properties from the context menu.

12. Navigate to the Advanced tab, and click Add to include another attribute in the list.

13. The Add Attribute dialog box is displayed.

14. Click MS-Quarantine-Session-Timeout, and then click Add.

15. In the Attribute Information dialog box, type the quarantine session time in the Attribute value box. Use a sample value of 60, which is measured in seconds, for the purposes of this demonstration. In production, give the baselining script enough time to finish over a slow link: if the timeout expires before RQS receives the success notification, the connection is dropped. Click OK, and then OK again to return to the Advanced tab.

16. Click Add. In the Attribute list, click MS-Quarantine-IPFilter, and then click Add again. You'll see the IP Filter Attribute Information screen.

17. Click the Input Filters button, which displays the Inbound Filters dialog box.

18. Click New to add the first filter. The Add IP Filter dialog box is displayed. In the Protocol field, select TCP. In the Destination port field, enter 7250. Click OK.

19. Now, back on the Inbound Filters screen, select the Permit only the packets listed below radio button.

20. Click New and add the input filter for DHCP traffic (UDP, destination port 67), repeating the preceding steps. Follow the same directions to allow DNS (UDP and TCP, destination port 53) and WINS (UDP, destination port 137) traffic.

21. Click New and add an input filter for a quarantine resource, such as the web server where your profile installer is located. Specify the appropriate IP address for the resource in the Destination network part of the Add IP Filter screen.

22. Finally, click OK on the Inbound Filters dialog box to save the filter list.

23. On the Edit Dial-in Profile dialog box, click OK to save the changes to the profile settings.

24. Then, to save the changes to the policy, click OK once more.

About the Author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

Lock down user access and privileges
16 Jun 2005 | SearchWindowsSecurity.com

Users should not be Administrators. Malware tends to execute with the privileges of the currently logged-in user. If the user did not have access to key system files and was not authorized to install software, the malware would be stopped dead in its tracks. Unfortunately, in most cases users do have Administrator privileges on their own machines, which means that malware executed under their privileges has carte blanche on the system as well.

Many users, particularly those in the executive suites, jump and holler when talk begins of removing or restricting their access to their own machines. For the sake of security, general access should be limited, but that is a tough, uphill battle which requires the support of senior leadership to have any chance of success.

Permissions basics for Windows 2000
09.18.2002 | Adesh Rampat | SearchWindowsSecurity.com

Plan before you assign permissions

All Windows 2000 administrators want to allow the right people access to the right information. To do that, you must understand the most basic form of security -- permissions.

Most network administrators are already familiar with setting up permissions on files and folders, so this article looks at the major concepts you should consider when applying permissions to files and folders. You need to do proper planning before you actually assign permissions.

One of the benefits of using Windows 2000 over Windows 98 or Me, for workstations as well as servers, is the ability to use file and folder permissions. To enable file and folder permissions, you need to use NTFS: they are not available on FAT. So when you upgrade to Windows 2000, if you are concerned about file and folder security, you must convert that FAT partition to NTFS. This is normally done during the upgrade process.

Use caution when applying the Deny permission, because Deny takes precedence over any Allow permission. All other permissions are cumulative, or additive. For example, if a user has been assigned the "Read" permission to a file, but is also a member of a group that has been assigned the "Write" permission, the user's effective permission to the file is Read plus Write. If, on the other hand, a user has been assigned the "Deny Write" permission, then that user will not be able to write to the file or folder, even if he or she also belongs to a group that has been assigned Full Control.

To properly assign permissions:

1. Calculate what permissions you are going to use for files and folders. Permissions for files and folders are "least restrictive." For example, Paul is a user who has been assigned Read permission to a file. He also is a member of the Shipping group, which was assigned Full Control to the same file. The result is that Paul's permission for the file will be Full Control, because the "least restrictive" permission applies to users, and Full Control is less restrictive than Read.

2. Then perform a separate calculation for shares, again using the "least restrictive" rule. For example, the Shipping folder is now shared. Paul is assigned Change permission. The Shipping group (of which Paul is a member) has been assigned Read permission. Based on the "least restrictive" rule, this user now has Change permission to the shared folder.

Within file permissions, and within share permissions, the results are always additive, or least restrictive.

What would Paul's effective permission be? It is the combined permission for Paul when he accesses files and folders within the shared folder, and it is calculated using the most restrictive rule. Because Paul is accessing the file (for which he has Full Control) through the shared folder (for which he has Change permission), his effective (combined) permission is Change, since this is the more restrictive of the share permission (Change) and the file permission (Full Control). Paul has Full Control for the file and Change permission for the shared folder; therefore Paul's effective permission is Change.
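The three rules just described (Allow entries for a user and all of his groups add up within one ACL, a Deny entry overrides them, and the NTFS result and the share result are intersected when a file is reached through a share) can be written down as a small model. The following is an added example, not code from the article or from Windows: it represents the Windows 2000 permission levels as sets of atomic rights (a simplification of the real NTFS access mask, chosen so that every level the article names expands cleanly), reproduces Paul's case, and goes one step beyond the article by evaluating a Deny entry and the Read-plus-Write case with the same function. The principal and group names are the article's; the atomic right names are this model's own.

```python
"""Effective-permission model for the NTFS and share rules described above (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Atomic rights in the model. This is a simplification of the real NTFS access
# mask, chosen so that every permission level in the article maps to a set of them.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "write", "execute", "delete", "change_permissions", "take_ownership")
ALL: FrozenSet[str] = frozenset({READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# Permission levels as shown in the Windows 2000 Security and Sharing tabs.
NTFS_LEVELS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({READ}),
    "Write": frozenset({WRITE}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Modify": frozenset({READ, WRITE, EXECUTE, DELETE}),
    "Full Control": ALL,
}
SHARE_LEVELS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, WRITE, EXECUTE, DELETE}),
    "Full Control": ALL,
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a user or group, a level name, Allow or Deny."""
    principal: str
    level: str
    allow: bool = True


def acl_rights(acl: Iterable[Ace], levels: Dict[str, FrozenSet[str]],
               user: str, groups: Iterable[str]) -> FrozenSet[str]:
    """Rights a single ACL (NTFS or share) gives `user`.

    Allow entries for the user and for every group the user belongs to are
    added together ("least restrictive"); any Deny entry for the user or a
    group is then subtracted, so Deny always wins.
    """
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(levels[ace.level])
    return frozenset(allowed - denied)


def effective_rights(user: str, groups: Iterable[str], ntfs_acl: Iterable[Ace],
                     share_acl: Optional[Iterable[Ace]] = None) -> FrozenSet[str]:
    """NTFS result alone for local access; intersected with the share result
    ("most restrictive") when the file is reached through a share."""
    groups = list(groups)  # the group list is used twice
    rights = acl_rights(ntfs_acl, NTFS_LEVELS, user, groups)
    if share_acl is not None:
        rights &= acl_rights(share_acl, SHARE_LEVELS, user, groups)
    return rights


def describe(rights: FrozenSet[str], levels: Dict[str, FrozenSet[str]]) -> str:
    """Name of the level whose rights match exactly, else the atomic rights."""
    for name, level_rights in levels.items():
        if level_rights == rights:
            return name
    return "+".join(sorted(rights)) if rights else "No Access"


# The article's example: Paul, a member of the Shipping group.
PAUL_NTFS = [Ace("Paul", "Read"), Ace("Shipping", "Full Control")]
PAUL_SHARE = [Ace("Paul", "Change"), Ace("Shipping", "Read")]


def paul_effective_level() -> str:
    """Paul's effective permission when he opens the file through the share."""
    return describe(effective_rights("Paul", ["Shipping"], PAUL_NTFS, PAUL_SHARE), SHARE_LEVELS)


if __name__ == "__main__":
    print("NTFS alone  :", describe(effective_rights("Paul", ["Shipping"], PAUL_NTFS), NTFS_LEVELS))
    print("Via share   :", paul_effective_level())
    # A Deny Write entry for Paul overrides the group's Full Control.
    denied = [Ace("Paul", "Write", allow=False), Ace("Shipping", "Full Control")]
    print("Deny example:", describe(effective_rights("Paul", ["Shipping"], denied), NTFS_LEVELS))
```

Run as a script it prints Full Control for the file, Change through the share, and everything except write for the Deny case. The same two-stage evaluation is what you should do by hand before granting a share permission: the share ACL can only narrow what NTFS already allows, never widen it.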

About the Author: Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals, and the International Webmasters Association. He has also lectured extensively on a variety of topics.

NTFS default permissions for Windows 2000
11 Feb 2003 | Adesh Rampat | SearchWindowsSecurity.com

We all know, or should, that using NTFS as the file system in Windows 2000 for the workstations in your company is the better security decision, although there may be a slight performance hit when using this file system. When you install or upgrade to Windows 2000, you get the option of using NTFS or keeping the FAT system. An existing FAT partition can be converted to NTFS during Setup (or later with the CONVERT command), or you can do a clean install onto a freshly formatted NTFS volume, which means wiping the computer's drive and restoring all the data in some way. Either way, it's worth it for the security available. But when you do this, there are some default permissions the installer grants, and you need to know what they are and where they're applied.


The NTFS file system has been around since the introduction of Windows NT. As we know, it offers far stronger security features than the standard FAT system.

Administrators should, however, be aware of the various permissions that are used, especially when sharing a drive, so that they can, if necessary, change some of the default settings. Since the list of permissions is lengthy, I have included the following link, which should be used as a guide for administrators and anyone else interested in the various permissions available when sharing a resource.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244600

This link takes you to the Microsoft support site. If it does not open the article directly, type Q244600 (the Knowledge Base article number) in the search box and click Go.

(If you're upgrading to Windows XP, you have the option to convert to NTFS after installation by opening a command window and executing the CONVERT command. For permissions in XP, see http://support.microsoft.com/default.aspx?scid=kb;en-us;290403.)

About the Author: Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals, and the International Webmasters Association. He has also lectured extensively on a variety of topics.

How to implement permissions in Windows 2000/NT
20 Mar 2002 | Adesh Rampat | SearchWindowsSecurity.com

When implementing permissions in Windows NT/2000, the network administrator should ensure that NTFS volumes are being used and not FAT volumes.

A good idea when implementing permissions on folders is to group users who require various forms of permissions and then apply the assigned permissions to the folder through the group. Assigning individual user permissions can create manageability problems, especially on larger networks.

For all new folders that are created, the default permission assigned to the "Everyone" group is Full Control. You may want to change the Everyone group's permission for a folder to Read access; any new subdirectories created after that will inherit the new permission settings.

You should perform periodic checks to ensure that the permissions assigned to the current groups are appropriate.


File-level permission checks should also be conducted periodically to ensure that the group of users, or in some cases a single user, has the appropriate rights assigned.

The network administrator should place program and data files in separate locations. Assigning write access to data files requires special attention: read access is enough for users to copy files from the server to their local hard drives, and write access additionally lets them copy files from their local drives onto the server. If user access rights are set up properly on a Windows 2000 workstation, then users should not be able to copy files from the network server to their local drives. It's also a good idea to set Audit options, especially where you've granted write access to a folder.

There may be instances where users need access to certain sensitive folders in an application, but some users within the group will not require access to that particular folder. In that case, share the folders that contain the sensitive information under a name ending in a dollar sign ($) to hide them from casual browsing. As your Windows help system will tell you, such shares are not visible from My Computer, but can be viewed using the Shared Folders snap-in. Hiding a share is not access control: anyone who knows the name can still connect to it, so the hidden share still needs proper share and NTFS permissions.

About the Author: Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals, and the International Webmasters Association. He has also lectured extensively on a variety of topics.


Network access control policies

Distinguishing a remote access policy from a portable computing protection policy

What is the best way to distinguish a remote access policy from a portable computing protection policy?

QUESTION POSED ON: 4 November 2005
QUESTION ANSWERED BY: Shon Harris | SearchSecurity.com

These two policies have very distinct focuses.

A remote access policy should address the following items and concepts:

► Standardize remote connectivity for:
• Any system type, whether it is company owned or personally owned computers, PDAs, smart phones, laptops, Blackberries, etc.
• User type (employee, vendor, contractors, partners, etc.)
• Connectivity type, as in dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.
► Remote access should only be allowed to carry out company-related functions
► Reduce potential unauthorized use of company resources
► Connectivity and encryption requirements:
• VPN, SSL, SSH and encryption needs for sensitive data
► Employee is responsible for ensuring:
• Family members do not violate any company policies
• Antivirus signatures, hot fixes and patches are up to date
• Personal firewall is installed and properly configured
• Authentication credentials are not shared
• System is not connected to another network that is not owned by the company or employee
• Non-company email accounts are not used
• Non-approved hardware configurations are not used
► Authentication type that is allowed
• Passwords, passphrases, one-time passwords, private key, etc.
► Enforcement
• Disciplinary actions, termination, prosecution

While a portable computing protection policy should address the following items and concepts:

► Standardize connectivity and configurations for:
• Notebook computers, Tablet PCs, Palm Pilots, Microsoft Pocket PCs using Windows CE, text pagers, smart phones, FireWire devices, USB drives, etc.
• User type (employee, vendor, contractors, partners, etc.)
• Connectivity type, as in remote, LAN, WAN, wireless, etc.
► Allowable usage
• Smart phones with cameras may be banned in sensitive areas, for example
► Classified data needs to be encrypted during transfer or synchronization steps
► Roles that are allowed to use certain portable devices:
• Only executives may be able to use and connect Blackberry devices to the network
► Specific types of security software may be required for specific types of devices
• Additional security software may need to be installed and properly configured
► Asset management
• Company owned portable devices must be properly tagged and documented
• User must register device with company before attempting to connect it to the network
► Portable devices should not be left unattended in public areas
► Public network may be set up to allow only Internet accessibility for portable devices
► Prior to transfer of ownership or disposal of portable device, all sensitive data must be properly destroyed
► Access should only be allowed to carry out company related functions
► Reduce potential unauthorized use of company resources
► Connectivity and encryption requirements:
• VPN, SSL, SSH and encryption needs for sensitive data
► Employee is responsible for ensuring:
• Antivirus signatures, hot fixes and patches are up to date, if applicable
• Personal firewall is installed and properly configured, if applicable
• Authentication credentials are not shared
• System is not connected to another network that is not owned by the company or employee
• Non-company email accounts are not used
• Non-approved hardware configurations are not used
► Authentication type that is allowed:
• Passwords, passphrases, one-time passwords, private key, etc.
► Enforcement
• Disciplinary actions, termination, prosecution

About the Author: Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.


Policies for reducing mobile risk
25 Apr 2006 | Lisa Phifer | SearchSecurity.com

Today, many workers are carrying PDAs, smartphones and other mobile computing devices containing at least some business data, such as contact lists, account passwords, confidential emails and file attachments. A 2005 Nokia study found that 21% of US employees carry PDAs and 63% carry mobile phones used for business. While these devices are increasingly well-connected, they are largely unsecured and can pose a significant risk to business networks and data. Reducing that risk starts with establishing an information security policy that deals with both employee-purchased and company-owned mobile devices.

Risky business
When a mobile device is lost or stolen, any business data it contains is jeopardized. Laws such as California SB1386 (and similar laws introduced in 35 states last year) require companies to notify individuals whose private information may have been compromised, and businesses that violate regulatory mandates like HIPAA and GLBA face hefty fines or even jail time. Yet many companies cannot even enumerate the data carried by lost or stolen mobile devices.

A growing number of workers are using PDAs and smartphones to access business networks and applications. In the Nokia study, commonly used mobile applications included email, instant messaging, corporate database access, sales force automation, field service, CRM and ERP/supply chain applications. Companies without mobile-specific applications may still face mobile exposure through traditional applications. For example, many employees synchronize company email onto PDAs or forward messages to smartphones. Therefore, if lost or stolen, these devices can be used to gain unauthorized access to an otherwise private network and the applications on it.

Additionally, many mobile devices now support multiple wireless interfaces, creating new attack vectors. Mobile phones with Bluetooth can be "BlueBugged" (taken over by an attacker to place calls) or "BlueSnarfed" (accessed to retrieve contacts and calendars). Cradled PDAs can become Wi-Fi bridges into corporate networks. When used correctly, wireless interfaces can aid productivity, but safeguards are needed to prevent misuse or attack.

Security policy
To manage these risks, companies need to define which mobile devices are allowed and under what conditions. They should place limits on network and application access, and on business data storage and transfer. Security measures and practices should be required, and processes defined to monitor and enforce compliance.

These decisions should be documented in a mobile device security policy -- a formal statement of the rules by which mobile devices must abide when accessing business systems and data. Such policies may include the following sections:


1. Objective: Identify the company, organizational unit and business purpose of the policy. For example, the intent of the policy may be to prevent disclosure of company-confidential data when transferred to or stored on PDAs and mobile phones, no matter who owns those devices.

2. Ownership and authority: Identify those responsible for policy creation and maintenance (development team), those responsible for policy monitoring and enforcement (compliance team), and those responsible for policy approval and management oversight (the policy's owners).

3. Scope: Identify the users/groups and devices that must adhere to this policy when accessing business networks, services and data. Enumerate the mobile device models and minimum OS versions allowed to access or store business data. Identify the organizational units that are (or are not) permitted to do so. For example, you may forbid business data storage on unapproved devices, or you may require users to register personal devices before using them for business.

4. Risk assessment: Identify the business data and communication covered by this policy -- your company assets that may be placed at risk by mobile devices. For each asset, identify threats and business impacts, taking into consideration both probability and cost. For example, when a mobile device is lost, hardware replacement is probably just a small fraction of the impact. If your risk assessment determines that data carried by a mobile device is more valuable than the device itself, this may lead you to focus on data backup and confidentiality as your top priority.

5. Security measures: Identify recommended and required mobile security measures and practices, including:

• Power-on authentication to control lost/stolen device use
• File/folder encryption to prevent unauthorized data disclosure
• Backup and restore to protect against business data loss or corruption
• Secure communication to stop eavesdropping and backdoor network access
• Mobile firewalls to inhibit wireless-borne attacks against devices
• Mobile antivirus and IDS to detect and prevent device compromise
• Application and interface authorization to control program installation, network use, synchronization and data transfer to/from removable storage

For example, your policy may mandate authentication, specifying the minimum length and complexity for passwords and any applications that are excluded from authentication (e.g., accepting incoming phone calls without entering a password). Your policy may also define a process for mobile password reset that is convenient yet safe for users who cannot easily return to the office.

6. Acceptable usage: Define what users must do to comply with this policy, including procedures required for device registration, security software download and installation, and policy configuration and update. Enumerate best practices that users are required to follow, including banned activities. If users understand what they can and cannot do and why, they will be less frustrated and more likely to comply with stated policy.

For example, you may implement a mobile security system that automaticallydetects any PDA cradled to a corporate desktop. That system may prompt the userfor self-registration and then push security software and policy onto the PDA.Your policy might explain this procedure and require that users cradle anypurchased PDA to their office desktop before using it to store business data. Itmight also describe unauthorized use that will be blocked, like beaming businessdata over Bluetooth or copying data to removable storage.

7. Deployment process: Define how you plan to implement and verify your mobile security policy. It is a good idea to begin with a trial, taking both your mobile security software and defined procedures out for a test drive with a small group of users. Many security policies fail because they prove impractical to deploy or use. Working out these kinks before requiring everyone to follow your policy will increase voluntary compliance and overall effectiveness. Don't forget to include training for administrators and users in your deployment process.

8. Auditing and enforcement: Voluntary compliance is nice, but insufficient for truly managing business risk. Effective policies ensure compliance through monitoring and enforcement. For example, you may adopt a mobile security system that checks for a correctly-configured security agent whenever a PDA or phone is synchronized over-the-air or cradled. Be sure to consider all points of network entry (e.g., email server, VPN gateway, Wi-Fi AP, desktop PC cradle), and define a business process to deal with non-compliance and intrusion. Some mobile security systems can hard-reset devices that have been stolen or appear to be under attack, but your policy should clearly define the conditions under which this potentially destructive step will be invoked.
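The agent check described in item 8, written out as an added example (not code from the article or from any product it mentions): a gateway compares the device agent's self-report against policy before allowing a sync. The field names, thresholds and sample reports are all assumptions constructed for illustration.

```python
"""Posture check for a PDA or phone at a network entry point.

Added example, not from the original article. It models the check in item 8:
when a device syncs (over-the-air or cradled) the gateway compares the
security agent's self-report against policy and either allows the sync or
quarantines the device. All field names, thresholds and sample reports are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MobilePolicy:
    """Minimum posture a device must attest before it may sync."""
    min_pin_length: int = 6
    require_power_on_auth: bool = True
    require_storage_encryption: bool = True
    min_agent_version: tuple = (2, 1)        # oldest agent release still accepted
    max_definition_age_days: int = 7         # AV signatures older than this fail
    banned_interfaces: frozenset = frozenset({"bluetooth_obex"})  # e.g. beaming files


def parse_version(text):
    """'2.1.4' -> (2, 1, 4). Missing or garbage versions rank below everything."""
    try:
        return tuple(int(p) for p in text.split("."))
    except (AttributeError, ValueError):
        return (0,)


def evaluate_posture(report, policy=MobilePolicy()):
    """Return ('allow' | 'quarantine', [reasons]).

    A missing field counts as a failure: an agent that cannot attest a
    control is treated exactly like one reporting the control disabled.
    """
    reasons = []
    if policy.require_power_on_auth and not report.get("power_on_auth"):
        reasons.append("power-on authentication disabled")
    if report.get("pin_length", 0) < policy.min_pin_length:
        reasons.append("PIN shorter than %d characters" % policy.min_pin_length)
    if policy.require_storage_encryption and not report.get("storage_encrypted"):
        reasons.append("file/folder encryption not enabled")
    if parse_version(report.get("agent_version")) < policy.min_agent_version:
        wanted = ".".join(str(n) for n in policy.min_agent_version)
        reasons.append("security agent older than %s" % wanted)
    if report.get("av_definition_age_days", 10 ** 6) > policy.max_definition_age_days:
        reasons.append("antivirus definitions out of date")
    enabled = set(report.get("enabled_interfaces", ()))
    for iface in sorted(enabled & policy.banned_interfaces):
        reasons.append("banned interface enabled: %s" % iface)
    return ("allow" if not reasons else "quarantine", reasons)


# Constructed sample agent reports (not captured from any real device).
COMPLIANT_REPORT = {
    "power_on_auth": True, "pin_length": 8, "storage_encrypted": True,
    "agent_version": "2.1.4", "av_definition_age_days": 2,
    "enabled_interfaces": ["wifi"],
}
STALE_REPORT = {
    "power_on_auth": True, "pin_length": 4, "storage_encrypted": False,
    "agent_version": "1.9", "av_definition_age_days": 30,
    "enabled_interfaces": ["wifi", "bluetooth_obex"],
}

if __name__ == "__main__":
    samples = (("compliant", COMPLIANT_REPORT), ("stale", STALE_REPORT), ("no agent", {}))
    for label, rep in samples:
        decision, why = evaluate_posture(rep)
        print("%-9s -> %s %s" % (label, decision, "; ".join(why)))
```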

About the Author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also the guest instructor for SearchSecurity.com's Wireless Security Lunchtime Learning.

Laptop security policy: Key to avoiding infection
16 Sept 2003 | Ed Tittel | SearchSecurity.com

I'm taking a short emergency break from my ongoing series on security policy document library elements to sound a note of caution regarding the handling of traveling employee laptops.

In the wake of recent discussions with several Fortune 500 companies whose internal networks were safe from the onslaught of Blaster, Welchia, SoBig and others, but some or all of whose traveling sales or technical staff got infected by same, I've started to recognize that security policy for laptops is pretty darn important. Although these companies were able to withstand big impacts from these worms, others weren't so lucky. Entire groups or departments of salespeople or technical staff found themselves essentially disconnected from e-mail and network access for anywhere from a full day to as long as a week, depending on how soon they could get their machines repaired and recovered.

In light of this situation, I can't stress enough how important it is to develop and implement security policy for laptops, and to keep remote and roving workers as safe as those behind corporate firewalls and other infrastructure elements. To that end, I'm going to refer to a recent posting by Microsoft (yes, that paragon of security itself) that actually makes a great starting point for laptop security policy, then add a few additional recommendations.

At www.microsoft.com/security/protect you'll find the following admonitions. "3 steps to ensure your PC is protected:

• Use an Internet firewall
• Get computer updates
• Use up-to-date antivirus software"

If followed, this simple prescription would have protected all of the people whose machines were essentially taken out of service by these worms.

The missing details, of course, require some expansion of this simple but effective list:

• Choosing the right Internet firewall depends on other corporate policies, vendor selection and so forth. In passing, let me mention that an out-of-the-box default install of Norton Internet Security in August produced a machine that showed no vulnerabilities whatsoever (zero!) to security scans from Steve Gibson Research, SecuritySpace.com and even Norton's own more exhaustive Web-based scan.

• Getting updates is not the issue; installing them is what really counts. Companies should either impose the policy of enforced access to automatic update services from vendors, or provide regular image delivery or patching services of some kind to employees to make sure they're running the latest, greatest, and safest OS and application images.

• Picking and using antivirus software likewise depends on other policies and vendor selections and again should be combined with automatic updates and e-mail warnings to download signature files when automatic update intervals don't suffice to maintain proper levels of protection.


• Other elements of security policy, such as remote access mechanisms, VPN use, access controls and privileges, and so forth also need to be consistently enforced to prevent unauthorized access to internal systems and resources.

• Some type of entire drive or directory-based encryption is strongly advised to protect information.

With these simple policy elements in force, laptops needn't pose any more of a threat to security than other systems in use.

About the Author: Ed Tittel is Vice President of Content Services at iLearning, a CapStar company based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.

Work with users to secure new technologies in the enterprise
18 Nov 2005 | Al Berg | SearchSecurity.com

New technologies make my head hurt. My geeky side loves to play with the latest toys and see what they can do. My Infosec Director side (the side that pays the bills) reacts to new technologies like Dracula to a nice garlic sandwich. How can I keep my organization safe without limiting my users to outdated technologies? Here are a few tips and techniques I find helpful.

Stop and take a deep breath

Some security practitioners react to new technologies with panic and the issuance of stern edicts against using USB drives/PDAs/EVDO cards/wireless LANs, etc. Stop and take a deep breath. In most cases, users have a legitimate need to fill. It is your job to find a way for them to fill that need safely, not to keep them from being efficient. Besides, issuing stern edicts typically serves only to increase awareness of the "forbidden" (and thus much more interesting) technology and tends to drive users underground, making your job more difficult and adversarial.

Work with your users, not against them

Make sure that your users feel comfortable talking to you about new technologies. You want them to come and tell you about the neat new gizmo or software they just bought (or better yet, are thinking of buying). They will not do this if they perceive that you are going to arbitrarily stop them from using anything new. A better approach is to sit down with the user, understand what they are trying to accomplish with the new technology, and try and get them to raise the security questions themselves.

For example, when smartphones came on the scene, users fell in love with the ability to stuff their cellphone/PDA with all the important information they need while working outside the office. These little gems quickly became nightmares for security people. By sitting down with users, acknowledging all of the good things about smartphones and maneuvering them into asking about how their customer lists, passwords and other confidential information could be protected, I was able to get them to drive the process of setting security standards for the new devices. The resulting standards combine encryption, password protection and the prompt reporting of device loss and subsequent remote self destruct of data, allowing us all to sleep at night. Because the users felt included in the process of analyzing the problem and coming up with the policies, they were willing to accept the addition of some security measures that create a little bit of inconvenience.

Compare new technologies to old

Another way to deal with new technologies is to compare them with existing technologies. In many cases, from a security point of view, the new gizmo is a lot like some older gizmo, except faster, cheaper and with prettier blinking lights. This makes it easier to explain the security issues to users and can cut down on the need for more and more policies. For example, we are starting to see laptops with built-in broadband-class Internet connections over wireless public networks (like EVDO or WiMax) being offered for sale. Plugging one of these into a corporate network provides an attacker with a "back door," bypassing all of your expensive firewalls. If you think about it, we've had this problem before with dial-up modems. By explaining this new technology to users in comparison to modems, it is easy to make them understand the risks. No new policies are needed to deal with this issue as most companies' modem policies are broad enough to deal with this new form of connectivity. You can allow the use of these connections with the proper firewall measures – just not while connected to the corporate LAN.

Educate users

New technologies should be part of your awareness efforts. If your users are clamoring for the ability to use those cute little USB thumb drives to carry documents and data, you can either disable USB ports and explain why, or you can show your users how to use an encrypted thumb drive to protect data while in transit. Either option may be a legitimate strategy for your organization, or even for a subset of your organization. It depends on what your company does and how sensitive the information is. The point here is that no matter which choice you make, explaining the logic to users is going to be key in getting them to accept and comply with new policies and standards.

Know what's on the horizon

Infosec departments should be looking ahead to find out what new technologies are most likely to pop up in their organizations. Every company seems to have a few early adopters who can be counted on to buy and try every new gadget that hits the market. Make these people your buddies and keep tabs on what new technologies they are looking at and how they are using them. Remember: your mission here is to gather information, not to stamp out new and better ways of doing things.

Become a business enabler

There are going to be times when saying no to a new technology is the right answer. However, if that is the route you are going to take, make sure that you have analyzed the risks and rewards of the new technology thoroughly and that your users understand why they can't use the latest gadget. Offer some alternatives to help users get the functionality they are seeking – safely.

As a group, information security has a bad reputation as being the department that says, "No." We need to work on this and change our role from business obstacles to safe-business enablers. Working with users to introduce new technologies is one way to do this.

About the Author: Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.

The benefits of writing a policy before a new system deployment
15 Sept 2004 | Charles Cresson Wood | SearchSecurity.com

Consider this scenario: A multi-national company is revamping its network defenses on a worldwide basis. It locates the relevant internal information systems specialists around the world and engages them in a dialog on how to increase the organization's network security. The enhanced security they seek includes content filtering, intrusion detection and other capabilities not yet deployed.

The budget for the project does not include sufficient resources to handle organizational issues, such as the establishment of a single manager in charge of network security across the organization. Instead, technical staff specifies, selects and deploys hardware and software, thinking that through these system components information security will be achieved. Staff training, documentation, organizational communications channels and other non-technical factors are postponed until the end of the project, and some are then dropped entirely in order to make a deadline and keep resource consumption down.

Although certain managers receive their bonus for bringing in the project on-time and on-budget, the actual level of security delivered is, as a result, significantly lower than it should be. This is due to a lack of effort to integrate business needs with new security functionality and because the organization's ability to effectively manage these new systems is questionable.

When organizations decide to write a policy after a security system is deployed, they are missing an opportunity to use the policy-writing process as a way to get consensus amongst a variety of different managers about the functionality of these security systems. The very act of writing a policy begs questions such as the impact on the business, the interfaces with related systems, the degree to which there must be end-user involvement and training, as well as the technical capabilities that must be available in order to properly manage the security systems.

When a policy is written before deployment, the policy can direct staff to select hardware and software that genuinely meets collectively-determined business needs. Also, political issues and disagreements about what should be done will be immediately highlighted, and hopefully resolved, all before any money is spent on the involved system. This can help prevent the organization from committing itself to purchasing, leasing, renting or outsourcing certain security capabilities only later to find that these same capabilities are in some way objectionable and inappropriate for the organization in question.

As an example, consider a content management system that can, among other things, examine and log the nature of the Internet material being sent and received by specific workers. If a particular worker is distributing unauthorized copies of copyrighted software, the content management system will note this. At first this sounds good, but the functionality may be a problem for existing privacy policies and laws, depending on the organization and country involved. Before technical staff proceeds to acquire and install such a system, it is important that privacy policies and laws be examined, and that approval is obtained. Then a draft policy about a content management system can be prepared.

In terms of keeping costs down and project timelines short when deploying a significantly modified or new security system, it is best to write policies early. Here are the benefits of doing so:

• Policies help to define the scope of a system, help to clarify the objectives of a system and help to get alignment from all those concerned with the involved system.

• Writing policies prior to deployment forces people to look at issues such as necessary changes in business operations.

• This approach also forces people to communicate their ideas in concrete and explicit terms, particularly when it comes to the business and operational impacts of a new or significantly modified system.

• Writing policies before deployment may also make it clear that project budgets are insufficient, that desired project timelines are overly-optimistic, and/or that technical staff plans are at odds with business reality.

These days most people wouldn't think of building a house without a blueprint and other plans like a permit from a local government authority, but many people still continue to build information systems (which by the way are even more complex) without the benefit of planning documents such as policies.

When you're developing a project plan for the next major security system upgrade, or perhaps the deployment of an entirely new system, be sure to include sufficient time in the early stages of the project to develop policies. Architectures, procedures and configuration standards come later, in part because they are a function of the hardware and software selected. But policies should be vendor neutral and technology agnostic. Policies should talk about necessary control capabilities, affected business processes and required worker interactions with the involved systems. Thus, the overview that policies provide should be one of several early planning tools in every major information security project.

About the Author: Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of the book and CD-ROM entitled Information Security Policies Made Easy.

Managing network policy
22 Jul 2004 | Pete Lindstrom | SearchSecurity.com

Managing the complexities of large, distributed networks is a daunting task, with hundreds, even thousands, of mixed-vendor bridges, switches, routers and gateways. Managing the security settings on these devices from a central console sounds wildly impractical -- the requirements are complex, and there are too many fast-moving parts. But, the demands of global business and regulatory compliance are forcing enterprises to consider management consoles that push granular policy updates to heterogeneous devices. There are several environments in which this functionality is critical:

• Multinational enterprises, which may want to segment their networks to comply with the regulatory requirements of the host nation.

• Manufacturing environments, in which headquarters may need an administrative connection to the plant but the company doesn't want anyone or anything touching the computers running the assembly line.

• HR and finance departments, which share a lot of sensitive information among themselves and little with other employees and customers.

• Business partner connections or newly acquired enterprises, where the "other end" of the network is unknown.

• Enterprises carving out logical networks for users, Web server farms, management backbones, etc., with specific risk thresholds and security requirements.

Managing each set of devices based on particular needs is imperative, but how? Custom scripts can help, and most network vendors have some sort of console; but, for the most part, these devices are operated independently. Network security provisioning solutions provide centralized management of heterogeneous network devices -- routers, switches and even VPNs and firewalls. Aside from stronger configuration control, the solutions also offer SSO for network devices, central logging and, in most cases, network configuration management. Here are a few:

• Gold Wire Technology's Formulator manages ACLs and other configuration parameters and provides infrastructure integrity to network devices, popular firewalls and Linux and Solaris OSes.

• Voyence's VoyenceControl! is a Java application that provides lifecycle change management services. It features support for templates, rollback and workflow.

• Rendition Networks' TrueControl is a Windows 2000 application that manages many network devices, including wireless access points and VPN concentrators.

• Intelliden's R-Series software is a Java application that performs device modeling along with its core network configuration features.

• Solsoft's Policy Server models a network and provides "point-and-click" security design, automatically calculating the ACLs required to allow access from a source endpoint to a server. It pushes out these changes and keeps track of them.

Today's enterprises and their distributed environments are too complex and their requirements too diverse to manage efficiently, but manage them you must. Network security provisioning solutions offer an option that makes sense.

About the Author: Pete Lindstrom, CISSP, is research director at Spire Security.

Top 10 network security tips
22 Nov 2002 | Mark Edmead | SearchSecurity.com

I was asked by a client to develop a "best practices" guide for securing Microsoft IIS 5.0. In my search for supporting reference material, I came across a very informative document called The 60 Minute Network Security Guide on the National Security Agency Web site (www.nsa.gov). The document is only about 40 pages long, but it's packed with valuable pearls of wisdom on how to secure your network enterprise, including specific information for Windows and Unix systems. The document is what is known as a "best practices" guideline for network security. Here's a summary:

1. Make sure you have a security policy in place -- The security policy is the formal statement of rules on how security will be implemented in your organization. A security policy should define the level of security and the roles and responsibilities of users, administrators and managers.

2. Make sure all of your operating systems and applications are patched with the latest service packs and hotfixes -- Keeping your systems patched will close vulnerabilities that can be exploited by hackers.

3. Keep an inventory of your network devices -- Develop and maintain a list of all hardware/software components, and understand which default software installations provide weak security configurations.

4. Scan TCP/UDP services -- Turn off or remove unnecessary services. Unneeded services can be the entry point attackers use to gain control of your system.

5. Establish a strong password policy -- Weak passwords could mean a compromised user account.

6. Don't trust code from non-trusted sources.


7. Block certain e-mail attachment types -- This list includes .bas, .bat, .exe and .vbs.

8. Don't provide more rights to system resources than necessary -- Implement the concept of "least privilege".

9. Perform your own network security testing -- Find the holes before the attackers do!

10. Implement "defense-in-depth" -- Don't rely on just one control or system to provide all the security you need.
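Item 7 is easy to state and easy to get wrong in practice. As an added example (not code from the article or the NSA guide), the filter below enforces the quoted block list (.bas, .bat, .exe, .vbs) after normalising the filename, so that case changes, trailing dots, path prefixes and double extensions do not slip a blocked type through. The sample filenames are constructed.

```python
"""Attachment-type blocking (item 7 of the NSA list).

Added example, not from the article or the NSA guide. The block list is the
one the text quotes (.bas, .bat, .exe, .vbs); the sample filenames are
constructed. Checking every extension segment, not only the last one, is a
conservative choice that also catches disguised names such as 'report.pdf.exe'.
"""
import unicodedata

BLOCKED_EXTENSIONS = frozenset({".bas", ".bat", ".exe", ".vbs"})


def normalize_filename(name):
    """Undo the usual tricks that let a blocked type slip past a naive filter."""
    name = unicodedata.normalize("NFKC", name)          # fullwidth letters -> ASCII
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    return name.strip().rstrip(". ").lower()            # 'Run.EXE . ' -> 'run.exe'


def blocked_reason(filename):
    """Return why the attachment is blocked, or None if it may pass."""
    parts = normalize_filename(filename).split(".")
    for ext in ("." + p for p in parts[1:]):            # parts[0] is the base name
        if ext in BLOCKED_EXTENSIONS:
            return "blocked extension %s in %r" % (ext, filename)
    return None


def filter_attachments(filenames):
    """Split a message's attachments into (allowed, blocked) lists.

    Each blocked entry is a (filename, reason) pair so the reason can be
    logged or returned to the sender.
    """
    allowed, blocked = [], []
    for name in filenames:
        reason = blocked_reason(name)
        if reason:
            blocked.append((name, reason))
        else:
            allowed.append(name)
    return allowed, blocked


# Constructed attachment names for one message (not taken from real mail).
SAMPLE_ATTACHMENTS = [
    "quarterly.pdf",        # passes
    "Invoice.PDF.EXE",      # double extension, mixed case
    "setup.exe.",           # trailing dot
    "notes.txt",            # passes
    "macro.VBS",            # upper case
    "C:\\temp\\run.bat",    # path prefix
]

if __name__ == "__main__":
    ok, stopped = filter_attachments(SAMPLE_ATTACHMENTS)
    print("allowed:", ok)
    for name, why in stopped:
        print("blocked:", name, "-", why)
```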

I recommend downloading this document and reading it from cover to cover. It's packed with excellent tips and techniques to help secure your network environment.

About the Author: Mark Edmead, CISSP, SSCP, TICSA, is president of MTE Software, Inc. (www.mtesoft.com), and has more than 25 years' experience in software development, product development and network systems security.