
Page 1: Securing Organizationapkerr/itis6200_10... · Current Trend: Share, Not Protect •Users want: –To share data with everyone –To access data from anywhere, and quickly –The same

Securing Organization

Page 2

Related Chapters

• Chapter 1: Building a Secure Organization

• Chapter 13: Intranet Security

• Chapter 14: Local Area Network Security

• Chapter 48: Virtual Private Networks

Page 3

BUILDING A SECURE ORGANIZATION

Page 4

Distributed Corporate Network

Page 5

Obstacles to Security

• The more robust the security mechanisms, the more inconvenient the process

• What is the right balance between security and productivity?

– Based on an acceptable level of risk

• Security/inconvenience ↔ insecurity/ease of use

• Example: waiting in a security line at the airport

Page 6

Computers are Powerful and Complex

• Today’s computers

– Store our personal libraries

– Take up little space

– Provide a “user-friendly” face to the world

• We don’t think much about what goes on “behind the scenes”

– Windows Registry, ports, and services

• Accessibility to hard drive data

– Many individuals still believe that a Windows login password protects data on a computer.

• Take the drive out, install it as a slave drive in another computer

Page 7

Most Users Are Unsophisticated

• Today’s “power users”

– Know more than just applications

– But lack basic security concepts

• Attackers look for the path of least resistance

– The average user is a weak link

– Why would an attacker struggle to break through an organization’s defenses when end users are more than willing to provide the keys to bank accounts?

• A security program should be alert to:

– Threats caused by untrained and unwary end users

Page 8

Early Days of No Security

• Early PC development focused on what a computer could “do”

– No thought was given to security

– Emphasis was on building sophistication and capabilities

• As computers became connected, focus was on information sharing, not security

Page 9

Current Trend: Share, Not Protect

• Users want:

– To share data with everyone

– To access data from anywhere, and quickly

– The same capabilities at home and at work

• Data is shared through web applications, social networking, and online data storage

– The ability to easily transfer data outside the control of a company makes securing an organization’s data that much more difficult.

Page 10

Security isn’t about Hardware and Software

• Firewalls, IDSs, antivirus programs, and two-factor authentication products are tools to assist in protecting a network and its data.

– no product or combination of products will create a secure organization by itself.

• All security products are only as secure as the people who configure and maintain them.

Page 11

Bad Guys Are Very Sophisticated

• Security is a process dependent on people

– Requires time, training, and equipment

• The new hacker profile

– Profitable businesses: e.g., Anonymous

– Hierarchical cybercrime organizations

– State-sponsored hacking

• Creating a secure infrastructure is mandatory

Page 12

How Does Management See Security?

• Management sees security as a:

– Drain on the bottom line

– Necessary evil

• How can we convey the need for security?

– Tangible cost savings

– Competitive advantage

– Probable threats

– Required duty of care in protecting assets

– Reduced exposure to lawsuits, fines, bad press

– A nonnegotiable requirement of doing business

Page 13

Ten Steps to Build a Secure Organization

1. Evaluate the Risks and Threats

2. Beware of Common Misconceptions

3. Provide Security Training for IT Staff

4. Think “Outside” of the Box

5. DOXing

6. Train Employees

7. Develop a Culture of Security

8. Monitor Systems

9. Don’t Forget the Basics

10. Patch, Patch, Patch

Page 14

1. Evaluate the Risks and Threats

• Evaluate organization and data threats based on:

– The infrastructure model

– The business itself

– The specific industry

– The rest of the world (global threats)

• Once threats and risks are identified:

– Ignore, accept, transfer or mitigate the risk

• Identify and quantify risk with several available tools (e.g., OCTAVE)

Page 15

2. Beware of Common Misconceptions

• What are some common security misconceptions?

– Our business is simply not a target for malicious activity

– Our organization is immune from employee problems

– A preemployment background check is sufficient

– IT professionals know everything about computers

Page 16

3. Provide Security Training for IT Staff

• Creating a highly skilled security staff is a dynamic process

– New vulnerabilities are constantly discovered

• Some ideas to get and stay trained

– Obtain fundamental background in security

– Use a vendor-neutral certification program

– Keep updated with current trends

– Achieve the Certified Information Systems Security Professional (CISSP) certification

Page 17

4. Think “Outside” of the Box

• Threats to intellectual assets and technical infrastructure

– “Bad guys” inside and outside organizations

• Threats to data dissemination

– Employees that leave an organization

– USB Flash drives

– Other devices connected through USB ports

– Handheld devices

• Track usage (e.g., Registry)

• Establish policies for acceptable device usage

Page 18

Figure 1.2

Check out Harlan Carvey’s RegRipper to learn more about the Registry.

Identifying connected USB devices in the USBStor Registry key

Page 19

5. DOXing

• Involves gathering information from a variety of sources on the Internet

– High-tech dumpster diving

– Initially developed to harass law enforcement

– May fill in a complete (and possibly uncomplimentary) picture of a person or organization

Page 20

6. Train Employees

• The greatest security asset

– Properly trained employees

• Gaining employee support and allegiance

– Make time

– Share rationales behind protocols

– Include some “skin in the game”

– Provide advice for properly securing home computers

• Encourage employees to approach management or security team voluntarily

Page 21

7. Develop a Culture of Security

• Security mechanisms included in operating systems and applications

– Microsoft TechNet Library

– Microsoft Security Compliance Manager

• Correct data leak sources

– USB Flash drives

– Unallocated cluster data recovery (cipher.exe)

– Personal information from Office files

• Operating system mechanisms

– Increase the complexity of passwords

Page 22

Microsoft Security Compliance Manager

Figure 1.3

Identify and utilize built-in security features of the operating system and applications.

Page 23

Figure 1.4

A view of unallocated clusters showing a Google query

Recover data in the unallocated clusters of a computer’s hard drive.

A view of unallocated clusters showing a Google query

Page 24

Figure 1.5

Cipher wiping a folder called Secretstuff

Use the “disk-scrubbing” utility built into Microsoft Windows operating systems.

Page 25

Figure 1.6

Security options for Mac OS X Lion

Mac OS X has some very robust security features, including FileVault, which provides the ability to create an encrypted disk.

Page 26

8. Monitor Systems

• All security products can fail or be compromised

– Never rely on one product or tool

• Identify problem areas

– Enable logging

– Follow security standards for what to log

• Use tools to collect and parse log files

– Example: Kiwi Syslog Server

• Install a packet-capturing tool (e.g., Wireshark)

– Analyze and capture traffic in real time

Page 27

Figure 1.7

Kiwi Syslog Server Email Alert Configuration screen

Logging mechanisms and the ability to track user activities are critical.

Page 28

Figure 1.8

The protocol analyzer Wireshark monitoring a wireless interface

Install a packet-capturing tool on your network so that you can analyze and capture traffic in real time.

Page 29

Monitor Systems (2)

• Hire a third-party to audit security

– Experienced, knowledgeable, and objective

– Up to speed on new vulnerabilities and product updates

– Not encumbered by administrative duties

– Positioned to make recommendations

• Third-party analysis involves a two-pronged approach

– Penetration test

– Audit internal system

Page 30

9. Don’t Forget the Basics

• Fundamental security mechanisms

– Change default account passwords

– Use robust passwords

– Close unnecessary ports

Page 31

Figure 1.10

Sample output from Fport

Identifying open ports is an important security process.

Page 32

10. Patch, Patch, Patch

• Identify and install updates

– Turn on automatic update checking

– Install update when comfortable

• Use administrator accounts for administrative tasks

• Restrict physical access

– Keep critical systems in a secure area

• Don’t forget to manage and protect your paper documents

Page 33

Security Control Assessments

• Security control assessments

– Difficult, challenging, and resource-intensive

• Acceptable outcome requirements

– Appropriate set of expectations before, during, and after the assessment

• Organization and assessors should prepare thoroughly

– Preparatory activities

• Address range of issues relating to cost, schedule, and performance

Page 34

INTRANET SECURITY

Page 35

Intranet

• A network within an organization

– Uses the same technology as the Internet

– May be geographically distributed

– Linked to the Internet via gateways (only)

Page 36

Intranet Security as News in the Media

Page 37

Another Example

Page 38

Page 39

Smartphones and Tablets in the Intranet

• Reasons for smartphone and tablet success

– Functionality and ease of use

• Voice, gesture, touch interfaces

– Customized applications (apps) availability

• Mobile device enterprise integration trends

– Work concept stretching beyond tradition

– Rapid iteration lifecycles

– Low cost allows brand/platform independence

– Successful iPad ready for the enterprise

– Android smartphones with high adoption rates

– Financial services sector activating iPad (iOS)

Page 40

Shift from PCs to Mobile/BYOD

• Balance of security and business concerns

– Tilts towards business considerations

– IT must adapt security measures to conform

• 2011: Apple shipped 172 million devices

• Reasons for shift to mobile devices

– Reinvention of how and where work is conducted

– Mobile intranet apps available

– More functional media usage

• Intranet access now concerned with identity

– Consider private cloud environments

Page 42

Security Considerations

• Risk of size and portability

– Smartphones, because of their size, are easy theft targets

• Risk of access via multiple paradigms

– Mobile devices can access unsafe sites over cellular networks and download malware into storage.

– Controlling security at the perimeter of the network is no longer feasible

• Social media risks

Page 43

How to approach these considerations?

1. Establish a customized corporate usage policy for mobile devices

2. Establish a policy for reporting theft or misplacement

3. Establish a well-tested SSL VPN for remote access

4. Establish inbound and outbound malware scanning

5. Establish WPA2 encryption for Wi-Fi traffic access

6. Establish logging metrics and granular controls

Page 44

How Can VPNs Help?

• Protection of data while in transmission

• Protection of data while at rest (data storage)

• Protection of the mobile device itself (in case it falls into the wrong hands)

• App security

Page 45

Mobile device VPN access to company network using token authentication Courtesy: Apple Inc.

These devices are subject to the same factors as any other device remotely accessing VPNs.

Figure 13.3

Page 46

Plugging the Gaps: NAC and Access Control

• NAC: Network Access Control

• NAC appliance: manage endpoint security

– Ensures minimum security policy compliance

– Example: Microsoft’s MS Network Policy Server

• Access control relationship triad

– Internal users, intranet resources, actions internal users take on resources

– Give users least amount of access

• Use granular classification

• Start with “Deny-All” policy as a baseline

Page 47

Measuring Risk: Audits

• Audits

– Comprehensive intranet security policy cornerstone

– Know the resources being protected

• Tangible or intangible

– Know the relevant threats and vulnerabilities

– Correlate the assets and associated threats and vulnerabilities

– Risk = Value of asset × Threat × Vulnerability

– Prioritizing a list allows the audit procedure to be standardized by risk level

Page 48

Figure 13.4 SQL injection attack. Source: © acunetix.com.

Hackers look for either unhardened server configurations or network switches with default factory passwords left on by mistake.

Page 49

Guardian at the Gate: Authentication and Encryption

• Two-factor authentication strengthening

– Preventing password cracking

• Password length (more than eight characters)

• Use of mixed case

• Use of alphanumeric characters

• Use of special characters

– Windows Active Directory ACL

• Can enforce all four requirements

– Trending toward uncommon passwords

• Joined-together sentences (passphrases)

• Consider third-factor authentication options

Page 50

Wireless Network Security

• Wireless corporate access

– Requires strong encryption: Why?

• Wired Equivalent Privacy (WEP)

– No longer widely used.

• WPA or WPA2 (802.11i)

– Stronger encryption compared to WEP

• Wi-Fi antennas and Wi-Fi access points

– Identify open wireless access points

– Example: Netstumbler

Page 51

Page 52

Page 53

Shielding the Wire: Network Protection

• Primary network barrier

– Rule-based and stateful firewalls

• Intrusion prevention systems (IPSs)

– Inline appliance using heuristic analysis

• Compare IPS and firewall operations

– Location, buffer size, threats blocked, tuning

• Critical data infrastructure design factors

– Resiliency, robustness, and redundancy

– Consider syslog and email notification

Page 54

Weakest Link in Security: User Training

• Security awareness communication

– During new employee orientation

– By ongoing targeted training for users

• Formal security training policy

– Drafted and signed off by management, posted on the intranet, and provided to new recruits

– Contents

• Well-defined scope, roles, and responsibilities

• Applicable federal or industry mandates

– Deliver via PowerPoint seminar method or Flash video format presentation

Page 55

Documenting the Network: Change Management

• Change control

– Controls IT infrastructure configuration

– Deliberate and methodical process

• Documents and authorizes baseline configuration changes

– Guidance provided in ITIL guidebooks

– Most changes require approval

• Change management goal

– Mandate compliance

Page 56

Rehearse the Inevitable: Disaster Recovery

• Successfully recovering from a disaster can mean resuming critical IT support functions for mission-critical business functions.

• Disaster recovery (DR) tasks

– Business impact analysis (BIA)

– Organize and test DR plan

• Use recovery point objective (RPO) and recovery time objective (RTO) metrics

• Other considerations

– Communication channel resumption, budgets

– DR committee functions

– Levels of redundancies and backups

• Consider criticality and time-to-recovery criteria

Page 57

Controlling Hazards: Physical and Environmental Protection

• Common-sense physical access topics

– Disbursal of cards, access-card permissions

– Monitoring physical data transmission (digital video recording)

– Written or PC-based sign-in log usage

– Contractor laptops must be registered and physically checked in and virus scanned.

– Emergency power supply usage

– Provisions for fire detection and firefighting

Page 58

Know Your Users: Personnel Security

• Users working within intranet-related infrastructures have to be known and trusted.

• Assigning personnel to sensitive areas

– Attach security categories and parameters to the positions

• Employee transfer and termination

– Requires reassessment and reassignment of sensitive access tools

– Perform exit interviews

– Terminate system access within one hour

Page 59

Information and System Integrity

• Compare information integrity to system integrity

• Processes to protect information include:

– Antivirus tools

– IPS and IDS tools

– Web-filtering tools

– Email encryption tools

Page 60

Security Assessments

• Advantages

– Uncovers various misconfigured items

– Provides a convenient blueprint for changes

– Provides credibility for budgetary assistance

• Consultants take two to four weeks

– Primarily use open-source vulnerability scanners

• Penetration test result items

– Full-fledged technical report for IT

– High-level executive summary for top management

Page 61

How to Assess Security?

Page 62

Risk Assessments

• Risk is defined as the probability of loss

• Risk management is a way to manage the probability of threats causing an impact

• Risk assessment exercise: measures risk

– Reduces network threats, their probabilities, and their impacts

• Describe intranet risks and threats

• Security threat assessment

– Explores exploitable vulnerabilities and gaps

• Intranet risk assessment

– Identify primarily Web server, database threats

Page 63

LOCAL AREA NETWORK SECURITY

Page 64

Introduction

• As the Internet expanded in its reach across national boundaries and as the number of users increased, potential risk to the network grew exponentially.

• The security policy must be a factor in clients’ level of access to the resources.

• Current network designs implement three levels of trust: most trusted, less trusted, and least trusted.

Page 65

Trust Levels

• Most trusted (intranet)

– These users have to authenticate to a centralized administrator to access the resources on the network.

• Less trusted

– May originate from the intranet as well as from external users who are authenticated to access resources such as email and Web services

• Least trusted (unauthenticated users)

Page 66

Trust Levels (2)

Page 67

Identify Network Threats

• Network security threats can be in one of two categories:

– Disruptive type

• Caused by power failure, virus attack, or any network failure

– Unauthorized access type

Page 68

Establish Network Access Controls

• Hardware or software based controls

– Implemented in a hierarchical structure to reflect network organization

• Network control functions

– Detect an unauthorized access

– Prevent network security from being breached

– Respond to a breach

Page 69

Risk Assessment

• Complete during network initial design phase

– Assess network risk types

• What are some possible risks?

• Develop risk levels to various network threats

– Assess the costs of recovering from attacks

• Cost/benefit analysis

• Return on investment (ROI)

• Total cost of ownership (TCO)

• Design a spreadsheet listing the risks versus the threats
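The risk formula from the "Measuring Risk: Audits" slide (Risk = Value of asset × Threat × Vulnerability) and the cost/benefit spreadsheet described on this slide, carried through as one added example that is not part of the lecture: a small risk register that scores each asset/threat pair, bands the scores into risk levels, picks one of the four treatment options from step 1 (ignore, accept, transfer, mitigate) and prints the prioritized list an audit would walk through. The assets, the 1..5 rating scales, the level thresholds and the cost figures are all constructed assumptions.

```python
"""Risk register built on the slides' formula
    Risk = Value of asset x Threat x Vulnerability
and the four treatment options (ignore, accept, transfer, mitigate).

Added example, not from the lecture. The assets, the 1..5 rating scales,
the level thresholds and the cost figures are all constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    value: int            # asset value, 1 (trivial) .. 5 (mission-critical)
    threat: str
    threat_rating: int    # how likely the threat is, 1 .. 5
    vulnerability: int    # how exposed the asset is to it, 1 .. 5
    expected_loss: float  # estimated cost of recovering from one incident
    control_cost: float   # yearly cost of the mitigating control

    def risk(self) -> int:
        """Risk = Value x Threat x Vulnerability, range 1..125."""
        for name in ("value", "threat_rating", "vulnerability"):
            rating = getattr(self, name)
            if not 1 <= rating <= 5:
                raise ValueError(f"{name} must be 1..5, got {rating}")
        return self.value * self.threat_rating * self.vulnerability


def risk_level(score: int) -> str:
    """Band a 1..125 score; the thresholds are an assumed local convention."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def treatment(exp: Exposure) -> str:
    """Choose ignore / accept / transfer / mitigate from level and cost/benefit."""
    level = risk_level(exp.risk())
    if level == "low":
        return "ignore"
    if level == "medium":
        return "accept"       # record it and revisit at the next audit
    # high or critical: pay for the control only if it costs less than the
    # loss it prevents; otherwise transfer the risk (insurance, outsourcing)
    return "mitigate" if exp.control_cost < exp.expected_loss else "transfer"


def build_register(exposures):
    """Return rows sorted from highest to lowest risk (the audit order)."""
    rows = []
    for exp in exposures:
        score = exp.risk()
        rows.append({
            "asset": exp.asset,
            "threat": exp.threat,
            "score": score,
            "level": risk_level(score),
            "treatment": treatment(exp),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample: five asset/threat pairs on a small corporate LAN
SAMPLE_EXPOSURES = [
    Exposure("Customer database server", 5, "SQL injection via intranet web app", 4, 4, 500_000, 40_000),
    Exposure("DNS server", 4, "Cache poisoning / denial of service", 3, 3, 20_000, 35_000),
    Exposure("Employee laptop (BYOD)", 3, "Theft of unencrypted device", 4, 2, 15_000, 2_000),
    Exposure("Print server", 1, "Default admin password left in place", 3, 5, 1_000, 100),
    Exposure("Guest Wi-Fi access point", 2, "Eavesdropping on guest traffic", 2, 1, 500, 300),
]


def render(rows):
    """Spreadsheet-style text table of the register."""
    head = f"{'Asset':<28}{'Threat':<38}{'Risk':>5}  {'Level':<9}Treatment"
    lines = [head, "-" * len(head)]
    for r in rows:
        lines.append(f"{r['asset']:<28}{r['threat']:<38}{r['score']:>5}  "
                     f"{r['level']:<9}{r['treatment']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_register(SAMPLE_EXPOSURES)))
```

Note how the DNS server scores "high" yet ends up transferred rather than mitigated: the control would cost more than the loss it prevents, which is the cost/benefit check this slide asks for.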

Page 70

Listing Network Resources

• Identify assets (resources) available on the corporate network

• Protect mission-critical components

– Prioritize them (see table next slide)

– Articulate and apply network access control to each component according to its priority

• e.g., threats to the DNS server pose a different set of problems from threats to the database servers

Page 71

Mission-Critical Components

Page 72

Threats

• Distinguish between threats posed by internal and external users

– Internal users are traceable, compared to external users.

• Basic steps

– Identify threats

– Rank threats from most probable to least probable

– Design network security policy to reflect ranking

• What are the most frequent network threats?

72


The Most Frequent Threats to the Network

73


Security Policies

• Fundamental goal: balancing act

– Allow uninterrupted network access for authenticated users

– Deny access to unauthenticated users

• Why is any network only as secure as the last attack that breached its security?

– Battle between the chief information security officer (CISO) and the hacker

• What are the crucial functions of a security policy?

74


Security Policies (2)

• The critical functions of a good security policy are:

– Appoint a security administrator who is conversant with users’ demands and is prepared, on a continual basis, to accommodate the user community’s needs.

– Set up a hierarchical security policy to reflect the corporate structure.

– Define ethical Internet access capabilities.

– Evolve the remote access policy.

– Provide a set of incident-handling procedures.

75


The Incident-Handling Process

• Why is this the most important security policy task?

– Sharing resources; keeping the network available

– A security breach could compromise operations

• Tools available to monitor the network

– Intrusion detection and prevention systems

• Monitor network activities

• Log and report nonconforming activity

– Activate response after logging

• Use tools to trace the source

76


Secure Design Access Controls

• Define the security policy on the perimeter router

– Configure appropriate router parameters

• Configure the external firewall to filter traffic based on the state of the network connection

– Verify packet content against the protocol requested

• Use the demilitarized zone (DMZ) for servers

– Harden the servers

• Configure firewalls around the DMZ

• Install intrusion detection and prevention systems

• Address each network access control point

77


IDS Defined

• Software- and hardware-based IDS

– Listens to all activities taking place

– Programmable from past activities

• Acts as both sniffer and analyzer software

– Captures data packets as defined by TCP/IP

• Intrusion detection outcomes

– False positive, false negative, true positive, true negative

• What variety of functions is performed?

• Snort (NIDS) and GFI LANguard S.E.L.M.

78


IDS Critical Functions

• Can impose a greater degree of flexibility on the security infrastructure of the network

• Monitors the functionality of routers, including firewalls, key servers, and critical switches

• Can help resolve audit trails

• Can trace user activity

• Can report on file integrity checks

• Can detect whether a system has been reconfigured by an attack

• Can recognize a potential attack and generate an alert

• Can make possible security management of a network by nonexpert staff

79


Network-IDS

Figure 14.2 An example of a network-based intrusion detection system.

Network-based IDS (NIDS) sensors scan network packets at the router or host level, auditing data packets and logging any suspicious packets to a log file. The data packets are captured by a sniffer program, which is a part of the IDS software package. The node on which the IDS software is enabled runs in promiscuous mode.

80


A Practical Illustration of NIDS

• An example of a NIDS: Snort

– Signature files used to identify potential attacks

– Rules files trigger alarms and write to alert.ids

– Snort installed on node 192.168.1.22

– Security auditing software Nmap

• Installed on node 192.168.1.20

• Generates ping sweeps, TCP SYN (half-open) scanning, TCP connect() scanning

• Snort used to detect a UDP attack, TCP SYN (half-open) scanning

81


Firewalls

• Enforces an access policy between two networks

• Internal firewalls arose to protect data from unauthorized internal access

– Led to the design of segmented IP networks

• Uses hardware and software technology

• The network security policy implemented in the firewall provides several types of protection

82


Dynamic NAT Configuration

• NAT: Network Address Translation

• First, configure a NAT pool

– Allocate outside addresses to the requesting inside hosts

• Next, define access-list

– Determine inside networks translated by the NAT router

• Finally, correlate the NAT pool and the access list
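As an added illustration (not part of the slides and not any router vendor's code), the Python below models the three steps just listed: a pool of outside addresses, an access list selecting the inside networks, and the translation that correlates the two. The prefixes, pool addresses and hosts are constructed values.

```python
import ipaddress

# Constructed configuration: inside networks the access list permits, and
# the pool of outside (public) addresses available for translation.
INSIDE_ACL = [ipaddress.ip_network("10.0.0.0/24"),
              ipaddress.ip_network("10.0.1.0/24")]
NAT_POOL = [ipaddress.ip_address("203.0.113.10"),
            ipaddress.ip_address("203.0.113.11")]


class DynamicNat:
    """Minimal model of a dynamic NAT router: the access list decides which
    inside hosts may be translated, and the pool supplies outside addresses."""

    def __init__(self, acl, pool):
        self.acl = list(acl)
        self.free = list(pool)   # outside addresses not yet handed out
        self.table = {}          # inside address -> outside address

    def permitted(self, inside):
        """Step 2: the access list determines the inside networks translated."""
        return any(inside in net for net in self.acl)

    def translate(self, inside_str):
        """Step 3: correlate the access list with the pool. Returns the
        outside address used for this inside host, or None when the host is
        not permitted or the pool is exhausted (a router drops such packets
        rather than inventing an address)."""
        inside = ipaddress.ip_address(inside_str)
        if inside in self.table:     # an existing translation is reused
            return str(self.table[inside])
        if not self.permitted(inside):
            return None              # outside the ACL: never translated
        if not self.free:
            return None              # pool exhausted: no translation
        outside = self.free.pop(0)
        self.table[inside] = outside
        return str(outside)

    def release(self, inside_str):
        """Translation timeout: return the outside address to the pool."""
        outside = self.table.pop(ipaddress.ip_address(inside_str), None)
        if outside is not None:
            self.free.append(outside)
        return outside is not None


def demo():
    """Walk a small set of inside hosts through the NAT router."""
    nat = DynamicNat(INSIDE_ACL, NAT_POOL)
    return [nat.translate("10.0.0.5"),     # first pool address
            nat.translate("10.0.1.7"),     # second pool address
            nat.translate("10.0.0.5"),     # reuses the first translation
            nat.translate("172.16.0.9"),   # None: not in the access list
            nat.translate("10.0.0.6")]     # None: pool exhausted
```

The access list is the control that matters here: a host outside the listed networks never receives a public address, however many pool entries are free.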

83


NIDS Complements Firewalls

• Why are firewalls not foolproof barriers?

– Not all threats originate outside the firewall.

– The most trusted users are also the potential intruders.

– Firewalls themselves may be subject to attack.

• If the intruder is internal to the firewall, the firewall will not be able to detect the security breach.

– Hence, a NIDS would play a critical role in monitoring activities on the network and continually looking for possible anomalous patterns of activity.

84


NIDS Complements Firewalls (2)

• NIDS enhances the security infrastructure

– Monitors system activities

– Looks for signs of attack

• Responds to the attack and generates an alarm

• Incident response: an emerging technology

– Combines investigation and diagnosis phases

– Integral part of intrusion detection and prevention technology

• Continuously evolving technologies

– Firewalls, NIDS, intrusion prevention systems

• Securing network systems is an ongoing process in which new threats arise all the time.

85


Monitor and Analyze System Activities

• Low threat: immediate response not critical

– Use interval-oriented data capturing and analysis

– Possibly no full-time network security personnel to respond to notification

• Imminent threat with mission-critical data

– Use real-time data gathering and analysis

– Automate notification

• Analysis levels: signature and statistical

– Examine data packets

– Look for evidence of threat

– Must understand the makeup of a data packet

86


Signature and Statistical Analysis

• Signature analysis

– Known attack patterns stored in a database

• Compare data packet contents against the attack patterns in the database

– Performed by most commercial NIDS products

• Client may add Snort NIDS software patterns

• Statistical analysis

– Identifies deviations from normal patterns

– Uses traffic pattern statistical analysis

– A clever hacker may generate false positives

87


Signature Algorithms

• Signature analysis algorithms

– Pattern matching

• Use a fixed sequence of bytes in a single packet

– Stateful pattern matching

• Match in context within the state of a stream

– Protocol decode-based analysis

• Decode elements as the client or server would

– Heuristic-based analysis

• Example: signature used to detect a port sweep

– Anomaly-based analysis

• Geared to look for network traffic that deviates
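The Python below is an added illustration (not Snort's code and not the slides' own example) of two of the algorithm classes above, serving both this slide and the preceding signature/statistical analysis slide: a single-packet content match restricted to its protocol/port context, and a heuristic that raises a port-sweep alert when one source sends bare SYNs to the same port on many hosts within a short window. The signature database, thresholds and packet capture are constructed for the demonstration.

```python
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float        # capture time in seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str       # TCP flags, e.g. "S" for a bare SYN, "PA" for PSH+ACK
    payload: bytes


# Constructed signature database (illustrative, not Snort's rule set): each
# rule carries the protocol/port context it applies to plus the fixed byte
# sequence to look for in a single packet.
SIGNATURES = [
    {"name": "WEB-MISC /etc/passwd access", "proto": "tcp", "dport": 80,
     "content": b"/etc/passwd"},
    {"name": "DNS zone transfer request", "proto": "tcp", "dport": 53,
     "content": b"\x00\xfc"},   # QTYPE AXFR; constructed pattern
]


def match_signatures(pkt, signatures=SIGNATURES):
    """Pattern matching: a fixed byte sequence in one packet, checked only
    in the protocol/port context the rule was written for."""
    return [s["name"] for s in signatures
            if s["proto"] == pkt.proto and s["dport"] == pkt.dport
            and s["content"] in pkt.payload]


def detect_port_sweeps(packets, min_hosts=5, window=2.0):
    """Heuristic analysis: one source probing the same port on many hosts
    within `window` seconds is a port sweep even though no single packet is
    suspicious by itself. Returns (src, dport, host_count) tuples."""
    probes = defaultdict(list)   # (src, dport) -> [(ts, dst), ...]
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto == "tcp" and p.flags == "S":   # bare SYN: half-open probe
            probes[(p.src, p.dport)].append((p.ts, p.dst))
    alerts = []
    for (src, dport), seen in probes.items():
        for i, (t0, _) in enumerate(seen):
            hosts = {dst for ts, dst in seen[i:] if ts - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, dport, len(hosts)))
                break   # one alert per source/port pair
    return alerts


def analyze(packets):
    """Run both analysis levels over a capture; returns the alert lines in
    the order a sensor would write them to its alert file."""
    alerts = []
    for p in packets:
        for name in match_signatures(p):
            alerts.append(f"SIG {name} {p.src} -> {p.dst}:{p.dport}")
    for src, dport, n in detect_port_sweeps(packets):
        alerts.append(f"SWEEP {src} probed port {dport} on {n} hosts")
    return alerts


# Constructed capture: a SYN sweep of port 22 across six hosts in half a
# second, then one ordinary web request and one carrying the rule content.
SAMPLE_CAPTURE = [
    Packet(i * 0.1, "192.168.1.20", f"192.168.1.{30 + i}", "tcp", 22, "S", b"")
    for i in range(6)
] + [
    Packet(5.0, "192.168.1.40", "192.168.1.22", "tcp", 80, "PA",
           b"GET /index.html HTTP/1.1\r\n"),
    Packet(5.2, "192.168.1.41", "192.168.1.22", "tcp", 80, "PA",
           b"GET /view?file=../../etc/passwd HTTP/1.1\r\n"),
]
```

Note how the port/protocol context in each rule keeps the same bytes on an unrelated port from firing, and how spreading the probes over minutes instead of seconds defeats the simple window heuristic, which is the false-negative trade-off the threshold sets.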

88


Security Countermeasures Checklist

• Countermeasures checklist disadvantages

– Does not guarantee a secure LAN environment

– Cannot prevent all adversary penetrations

• Security comes at a cost

– Expenses related to security equipment

– Inconvenience, maintenance, and operation

• Evaluate the acceptable risk level

– Based on numerous factors

• Incorporate security throughout the entire life cycle

– Security policy enforcement is key

89


VIRTUAL PRIVATE NETWORKS

90


What is a VPN?

• “Fundamentally, a VPN is a set of tools which allow networks at different locations to be securely connected, using a public network as the transport layer.” -James Yonan

• The key to this technology is the ability to route communications over a public network to allow access to office servers, printers, or data warehouses in an inexpensive manner

91


Introduction

• Virtual Private Networks (VPNs) are often set up within organizations

• VPN types

– Connects two separate LANs in different locations

– Remote computer connecting through the Internet to the home network

• Hardware and software costs for VPNs have plummeted in recent years

92


Remote Access VPN

[Figure: remote user with VPN client → VPN gateway → server]

93


Figure 48.1 A high-level view of a VPN

VPNs are used by businesses to allow employees access to their home networks while traveling.

Remote Access VPN

94


Site-to-Site VPN

[Figure: NY Office → VPN gateway ↔ VPN gateway → LA Office]

95


History

• Telephone companies first created VPNs

– AT&T offered Centrex

– Businesses leased lines from the phone company

• Early designs used hub-and-spoke architecture

– Daisy chains were used to cut costs of leased lines

96


Figure 48.3 The hub in the early days.

Hub-and-spoke architecture was a prominent early architecture for VPN systems using leased lines.

History

97


History

Figure 48.4 Example of a daisy-chain VPN implementation.

This structure was employed to reduce the costs associated with utilizing leased lines in a hub-and-spoke architecture.

98


History

• VPNs were invented

– Offered great return on investment

– Cheaper than using leased lines

• IPsec brought encryption to VPNs in 1995

– Initially very expensive and slow

– Processing speeds today have made it available even on small routers

• Other technologies

– Tun (tunnel) and Tap

99


History

• OpenVPN

– One of many open source VPNs in use today

• Secure Socket Layer VPN

– Fast-growing encryption scheme

• Transport Layer Security (TLS)

– Future for standardization

100


Who is in Charge?

• Several organizations publish standards

– Internet Engineering Task Force (IETF)

– Institute of Electrical and Electronics Engineers (IEEE)

– American National Standards Institute (ANSI)

• Private companies work toward new protocols

101


VPN Types

• IPsec

• L2TP (Layer 2 Tunneling Protocol)

• L2TPv3 or higher

• L2F (Layer 2 Forwarding)

• PPTP (Point-to-Point Tunneling Protocol)

• MPLS (Multiprotocol Label Switching)

• MPVPN (Multi Path Virtual Private Network)

• SSH

• SSL-VPN (Secure Socket Layer (SSL) VPN)

102


VPN Types (cont.)

• IPsec

– The majority of the processing work is done by the interconnecting hardware

• L2TP

– Uses the session layer in the OSI model

– Sometimes combined with IPsec because L2TP on its own is a weak protocol

– Server/user setup that can handle many users at one time

103


VPN Types (cont.)

• L2TPv3 or higher

– Advancement of L2TP for large carrier-level information transmissions

– Draft protocol released in 2005

• L2F

– Developed by Cisco Systems

– Protocol allows for virtual dial-up and sharing of modems, ISDN routers, servers, and other hardware

104


Figure 48.8 The operation for tunneling Ethernet using the L2TPv3 protocol.

L2TP is an acronym for Layer 2 Tunneling Protocol.

105


VPN Types (cont.)

• PPTP VPN

– Point-to-point tunneling protocol

– Invented in 1990s by Microsoft, Ascend, 3Com, and other vendors

– Not as secure as IPsec

– Updated in 2003 to strengthen security

106


VPN Types (cont.)

• MPLS

– System for large telephone companies or huge enterprises to get great response times for VPNs

• With huge amounts of data

– Improvement over ATM and Frame Relay

• MPVPN

– Created by Ragula Systems Development Company

– Enhances the quality of service of VPNs

• Can aggregate two lines to create a faster connection

107


VPN Types (cont.)

• SSL-VPN

– Interface that gives users VPN-like services through a Web browser (not a VPN)

– OpenVPN

• Open source, built on OpenSSL

• Compatible on all platforms (Windows, Linux, BSD, MacOS)

• Embodied in firmware, incl. DD-WRT, OpenWRT, …

• openvpn.net

• SSH

– Protocol that allows network traffic to run over a secure channel between devices

– Uses public-key cryptography

108


Authentication Methods

• Usernames and passwords are the most common authentication methods

• Random number generators on tokens are also used for authentication

• Hashing

– Mixing up the characters in an encryption scheme using a computer algorithm

• HMAC (keyed Hash Message Authentication Code)

– Type of encryption that uses an algorithm together with a key

109


Authentication Methods (cont.)

• MD5

– One of the best file integrity checks available today

• SHA-1

– Secure hash algorithm with 160 bits

– Designed by the National Security Agency

– SHA-224 to SHA-512 also exist

• The number refers to the number of bits in the algorithm

110


Symmetric Encryption

• Sender and receiver have the same key

• DES and AES

– Common symmetric encryption standards

• Once AES was released, DES was withdrawn and 3-DES released

– 3-DES repeats DES encryption process two more times

111


Asymmetric Cryptography

• RSA protocol

– Implementation of public/private key cryptography

– Algorithm uses two large random prime numbers

– Can be used for digital document signing

112


Edge Devices

• Additional security measure on the “edge” of a network

– Having two locked doors is better than one.

– Edge devices such as a random number-generating token are used to increase security along with usernames and passwords

• Authentication scheme uses a key fob with a random number generator

– The number changes every 30 to 60 seconds

– Username and passwords must also match for the user to be allowed access

113


Passwords

• Weak passwords

– Words that can be found in the dictionary

– Short combinations of numbers

• Strong passwords

– Use multiple words, mixed spelling, and mixed upper and lower case

– Add numbers in with characters

– Use special characters

– Long password (> 12 characters)

114


Hackers and Crackers

• Methods to secure your network

– Use 256 or 512-bit encryption systems

– Have users change VPN passwords frequently

– Don’t give out your VPN password

– Deactivate accounts that have not been used for 30 days

• Remove stale accounts from the system

115


Mobile VPN

• Host Identity Protocol (HIP)

– Protocol to keep mobile devices connected

• No standard yet

– IETF studying mobile technology and working toward a standard

116


OTHER SECURITY ISSUES

117


Other Security Issues

• Leakage prevention

– Malicious leakage

– Unintentional leakage

• Data retention

– Legal compliance

• Disaster recovery & business continuity

• Insider threat prevention and detection/auditing

• Patch updates

• Hire competent people!!!

118


business.time.com

119


Don't be too greedy! Ref: krebsonsecurity.com, 3/10/2014

"Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans."

120


VPN from SSH Tunneling/Port Forwarding

A Poor-man's VPN


Secure SHell

• Replaces insecure "telnet"

• And does a lot more

122


3 Modes of Port Forwarding

• Local port forwarding

– Forward a local port on the SSH client to a destination via the SSH server

• Remote port forwarding

– Forward a remote port on the SSH server to a destination via the SSH client

• Dynamic port forwarding

– Forward all traffic on the SSH client to various destinations via the SSH server

• Conditions

– The SSH server can be directly accessed by the SSH client

– Port forwarding is enabled on the SSH server

– Destinations are addressable

• By the SSH server for LPF & DPF

• By the SSH client for RPF

– For DPF, each application must be configured to use SOCKS as a proxy

123


Scenario: Firewall Blocks Access to Application Server but Allows Access to SSH Server

[Figure: the remote client's connection to the SSH server is allowed through the firewall; its direct connection to the app server (open port wxyz) is blocked]

124


SSH Local Port Forwarding

ssh johnny@ssh-server -L lport:app-server:rport

Port lport on “localhost” is mapped/forwarded to port rport on app-server.

[Figure: remote client → (allowed) → firewall → SSH server → (forward to rport) → app server; access to the app server is made possible indirectly]

125


Eg 1: Remote Desktop Connection via SSH Tunneling

1. ssh johnny@ssh-server -L 53389:win-server:3389

2. Set “localhost:53389” as “remote computer”

[Figure: remote client → (allowed) → firewall → SSH server → (forward to 3389) → win-server, which accepts the remote desktop connection on port 3389; the connection is made possible indirectly]

126


IPSEC

127


Securing the network layer

• IPsec provides security services at the network/IP layer

• IPsec is currently the only security protocol that secures all Internet traffic at and above the IP layer

[Figure: IPsec tunnel]

128


Communication between layers

[Figure: Host A and Host B each run the full stack (application layer, TCP layer, IP layer, network driver); the two routers between them run only the IP layer and network driver. Each layer hands its payload down: message → TCP payload → IP payload → data link payload, and the routers forward the IP payload inside a new data link payload on each hop.]

129


Application of IPsec: Virtual Private Network (VPN)

[Figure: IPsec VPN (gateway to gateway)]

130


Typical TCP/IP packet

Ethernet header | IP header | TCP header | Data | Ethernet checksum

131


IPv4 Header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------+-------+---------------+-------------------------------+
|version|  IHL  | service type  |         total length          |
+-------+-------+---------------+-----+-------------------------+
|         identification        |flags|     fragment offset     |
+---------------+---------------+-----+-------------------------+
| time to live  |   protocol    |        header checksum        |
+---------------+---------------+-------------------------------+
|                   source address (32 bits)                    |
+---------------------------------------------------------------+
|                 destination address (32 bits)                 |
+-----------------------------------------------+---------------+
|                    options                    |    padding    |
+-----------------------------------------------+---------------+

IHL: Internet Header Length. Total length: length of the datagram.

Red box: AH mutable, i.e., modified by routers and therefore cannot be protected.

Yellow box: modified by routers, but restored before being checked by AH.

The destination address is mutable under the “source routing” option, but predictable, so it is not chosen as mutable in AH.

132


IPv6 Header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------+---------------+---------------------------------------+
|version| traffic class |               flow label              |
+-------+---------------+---------------+---------------+-------+
|        payload length         |  next header  |   hop limit   |
+-------------------------------+---------------+---------------+
|                   source address (128 bits)                   |
+---------------------------------------------------------------+
|                destination address (128 bits)                 |
+---------------------------------------------------------------+

Simplified, but allows extension via the “Next Header” field. Red box: mutable for AH.

133


IPv6 extension headers

• Optional IP information is encoded in separate headers, and placed between the IPv6 header and the upper-layer header.

• There are 6 possible extension headers, appearing in the following order (note the 2 DOHs!)

– Hop-by-Hop Options header

– Destination Options header

– Routing header

– Fragment header

– Authentication header

– Encapsulating Security Payload header

– Destination Options header

134


Data flow & headers

[Figure: Host A (application, TCP, IP, Ethernet driver) sends to Host B through routers that handle only the IP and data link layers. On the way down Host A's stack the headers accumulate: data → TCP H | data → IP H | TCP H | data → ETH H | IP H | TCP H | data; the routers re-frame the IP packet on each hop, and Host B strips the headers in reverse order.]

135


7 groups in IPsec docs

• Architecture

• ESP Protocol

• AH Protocol

• Encryption Algorithm

• Authentication Algorithm

• DOI

• Key Management

136


ESP and AH

• AH provides integrity

• ESP provides integrity in addition to optional encryption

• They are not the same: both provide integrity protection for everything beyond the IP header, but AH also provides integrity protection for some of the fields inside the IP header
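As an added example (not from the slides or from any IPsec implementation), the Python below models the AH integrity check in transport mode with HMAC-SHA-1-96, tying together this slide, the HMAC slide and the IPv4 header slide: the mutable IPv4 fields (service type, flags/fragment offset, TTL, header checksum) are zeroed before the ICV is computed, so a router's TTL decrement still verifies while a rewritten source address or altered payload does not. Key, addresses, SPI and payload are constructed values; ESP's ICV would start at the ESP header and leave the IP header uncovered, which is exactly the difference the slide states.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51      # IP protocol number of the Authentication Header
ICV_LEN = 12       # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement sum over the 16-bit words of the header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload_len, ttl=64, tos=0, ident=0x1234):
    """20-byte IPv4 header without options; next protocol is AH."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                      0x4000, ttl, AH_PROTO, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """What AH signs: fields routers legitimately change in transit are set
    to zero for the ICV; version/IHL, total length, identification,
    protocol and both addresses are covered unchanged."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # service type (DSCP/ECN)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # time to live
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_hdr, payload):
    """ICV = HMAC(mutable-zeroed IP header || AH header with a zeroed ICV
    field || everything after the AH header), truncated to 96 bits."""
    covered = zero_mutable(ip_hdr) + ah_hdr[:12] + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, spi=0x1000, seq=1, next_hdr=6):
    """Transport-mode AH packet: IP header | AH header | original payload."""
    ah_len = 12 + ICV_LEN
    # AH 'payload length' field = AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = build_ipv4(src, dst, ah_len + len(payload))
    icv = ah_icv(key, ip_hdr, ah_fixed + bytes(ICV_LEN), payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah(key, packet) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_hdr, payload = rest[:12 + ICV_LEN], rest[12 + ICV_LEN:]
    received = ah_hdr[12:12 + ICV_LEN]
    return hmac.compare_digest(received, ah_icv(key, ip_hdr, ah_hdr, payload))


def _refresh_checksum(h: bytearray) -> None:
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))


def router_hop(packet):
    """A router in transit decrements TTL and recomputes the checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    _refresh_checksum(h)
    return bytes(h) + packet[20:]


def rewrite_source(packet, new_src):
    """Any rewrite of an address (NAT or spoofing) is covered by the ICV."""
    h = bytearray(packet[:20])
    h[12:16] = socket.inet_aton(new_src)
    _refresh_checksum(h)
    return bytes(h) + packet[20:]
```

This is also why AH and address-rewriting NAT do not coexist: the translated packet is indistinguishable from a forged one at the receiver.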

137


IPsec vs. SSL and others

Application Layer (Appl) | IKE (ISAKMP/Oakley in IPsec), S/MIME, Kerberos, Proxies, SET, PGP
Transport Layer (TCP)    | SSL, TLS, SOCKS
Network Layer (IP)       | AH, ESP (in IPsec), packet filtering, tunneling (L2TP, PPTP, L2F)
Data link Layer (driver) | CHAP (challenge handshake protocol), PAP (password auth. protocol), MS-CHAP

138


Tunneling/Encapsulation

• A technique to wrap a packet in a new one by attaching a new header to the original

• The entire original packet becomes the payload of the new one

• 2 advantages

– To carry traffic from a different network protocol

– To provide total protection of the encapsulated packet, including address information

139


Tunneling (cnt’d)

New IP header | IP header | Payload

(the original IP header and its payload together form the payload of the new IP packet)

Page 141:

2 operation modes of IPsec (both for AH & ESP)

Original IP packet: IP header | TCP header | Data/message

Transport mode protected packet: IP header | IPsec header | TCP header | Data/message

Tunnel mode protected packet: New IP header | IPsec header | IP header | TCP header | Data/message

Page 142:

Use of the modes

• transport mode

– for end to end security

• tunnel mode

– for end to end security, but mainly for gateway to gateway security (a gateway is an intermediate system such as a router or a firewall)

transport mode: host A <== SA ==> host B

tunnel mode: host A --- gateway <== SA ==> gateway --- host B

Page 143:

ESP

• ESP is a protocol header inserted into an IP packet to provide the following services:

– data confidentiality

– limited traffic flow confidentiality

– connectionless data integrity

– data origin authentication

– optionally, anti-replay protection

• modes of operation

– transport mode (inserted between an IP header and an upper layer protocol header such as a TCP or UDP header)

– tunnel mode (encapsulates an entire IP datagram)

Page 144:

ESP protected IP packet

IP header | ESP header | protected data | ESP trailer | ESP Auth.

encrypted: protected data + ESP trailer

authenticated: ESP header + protected data + ESP trailer (covered by ESP Auth.)

Page 145:

ESP Protected data

Transport mode protected data: TCP header | Data/message

Tunnel mode protected data: IP header | TCP header | Data/message

Page 146:

ESP protected IP packet (cnt’d)

IP header | ESP header | protected data | ESP trailer | ESP Auth.

ESP header: SPI (security parameters index) | sequence # | IV (initialization vector)

ESP trailer: pad | pad length | next header

ESP Auth.: authenticator/ICV (integrity check value)

encrypted: protected data + ESP trailer

authenticated: ESP header + protected data + ESP trailer
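Added example (not from these slides): the ESP layout above built and checked in Python. Field sizes follow DES-CBC and HMAC-SHA-96 from the algorithm slide; the cipher is a constructed stand-in so the block runs on the standard library, and the next header value (6 for TCP, 4 for IP-in-IP) is what separates the transport mode and tunnel mode protected data of the previous slide.

```python
import hashlib
import hmac
import os
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number
IV_LEN = BLOCK = 8               # DES-CBC IV and block size (mandatory transform on the slides)
ICV_LEN = 12                     # HMAC-SHA-96 / HMAC-MD5-96 keep 96 bits of the MAC

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Constructed stand-in for DES-CBC (not an IPsec transform) so the block runs on the
    # standard library; it only marks where the encrypted region starts and ends.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]

def esp_encapsulate(spi, seq, next_header, payload, enc_key, auth_key, iv=None):
    """[ESP header][IV][protected data][pad][pad length][next header][ICV]."""
    iv = iv or os.urandom(IV_LEN)
    pad_len = (-(len(payload) + 2)) % BLOCK      # trailer must end on a cipher block boundary
    pad = bytes(range(1, pad_len + 1))           # default padding 1, 2, 3, ...
    plain = payload + pad + bytes([pad_len, next_header])
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, iv, len(plain))))
    body = ESP_HDR.pack(spi, seq) + iv + cipher  # authenticated region: header through trailer
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_icv_ok(pkt, auth_key) -> bool:
    """Integrity check first: a packet with a bad ICV is never decrypted."""
    expect = hmac.new(auth_key, pkt[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(pkt[-ICV_LEN:], expect)

def esp_decapsulate(pkt, enc_key, auth_key):
    """Return (spi, seq, next_header, protected data); raises on a bad ICV."""
    if not esp_icv_ok(pkt, auth_key):
        raise ValueError("ESP ICV mismatch: tampered packet or wrong SA keys")
    spi, seq = ESP_HDR.unpack_from(pkt)
    iv = pkt[ESP_HDR.size:ESP_HDR.size + IV_LEN]
    cipher = pkt[ESP_HDR.size + IV_LEN:-ICV_LEN]
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, iv, len(cipher))))
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:len(plain) - 2 - pad_len]
```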

Page 147:

ESP: integral part of IPv6

IP header | extension headers | ESP header | destination options | protected data | ESP trailer | ESP Auth.

ESP header: SPI (security parameters index) | sequence # | IV (initialization vector)

ESP trailer: pad | pad length | next header

ESP Auth.: authenticator/ICV

encrypted: protected data + ESP trailer

authenticated: ESP header + protected data + ESP trailer

Page 148:

Algorithms for ESP

• encryption

– mandatory: DES-CBC

– optional: CAST, RC5, IDEA, 3DES, AES, …

• authentication

– mandatory: keyed hash

• HMAC-SHA-96, HMAC-MD5-96

– optional: DES-MAC

• (does not have digital signature currently)

Page 149:

AH

• AH is a protocol that provides every service ESP provides except confidentiality, namely:

– connectionless data integrity

– data origin authentication

– optionally, anti-replay protection

• modes of operation

– transport mode (inserted between an IP header and an upper layer protocol header such as a TCP or UDP header)

– tunnel mode (encapsulates an entire IP datagram)

Page 150:

AH authenticated IP packet

IP header | AH header | protected data

AH header: next header | payload length | reserved | SPI (security parameters index) | sequence # | authenticator/ICV

authenticated: the whole packet, IP header included (except mutable fields)
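Added example (not from these slides): the AH layout above in Python, with the ICV computed over the whole packet while the mutable IPv4 fields are zeroed. forward_hop is a constructed router step that shows why the ICV survives a TTL decrement but not a change of the source address.

```python
import hashlib
import hmac
import struct

IPV4 = struct.Struct("!BBHHHBBH4s4s")  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
AH = struct.Struct("!BBHII")           # next header, payload length, reserved, SPI, sequence #
ICV_LEN, AH_PROTO = 12, 51             # HMAC-SHA-96 ICV; IP protocol number of AH

def _zero_mutable(ip_hdr):
    """Fields a router may rewrite in flight are zeroed before hashing; addresses are not."""
    f = list(IPV4.unpack(ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0      # TOS, flags/fragment offset, TTL, header checksum
    return IPV4.pack(*f)

def ah_icv(ip_hdr, ah, upper, auth_key):
    covered = _zero_mutable(ip_hdr) + ah + bytes(ICV_LEN) + upper   # ICV field itself counts as zero
    return hmac.new(auth_key, covered, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(ip_hdr, upper, spi, seq, auth_key):
    """IP header | AH header | ICV | protected data; the original protocol moves into AH's next header."""
    f = list(IPV4.unpack(ip_hdr))
    next_hdr, f[6] = f[6], AH_PROTO
    f[2] = IPV4.size + AH.size + ICV_LEN + len(upper)               # total length grows by the AH
    ip_hdr = IPV4.pack(*f)
    ah = AH.pack(next_hdr, (AH.size + ICV_LEN) // 4 - 2, 0, spi, seq)  # payload length: 32-bit words minus 2
    return ip_hdr + ah + ah_icv(ip_hdr, ah, upper, auth_key) + upper

def ah_verify(pkt, auth_key) -> bool:
    ip_hdr, rest = pkt[:IPV4.size], pkt[IPV4.size:]
    ah, icv, upper = rest[:AH.size], rest[AH.size:AH.size + ICV_LEN], rest[AH.size + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah, upper, auth_key))

def forward_hop(pkt):
    """Constructed router behaviour: decrement TTL and recompute the header checksum."""
    f = list(IPV4.unpack(pkt[:IPV4.size]))
    f[5] -= 1
    f[7] = 0
    s = sum(struct.unpack("!10H", IPV4.pack(*f)))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    f[7] = ~s & 0xFFFF
    return IPV4.pack(*f) + pkt[IPV4.size:]
```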

Page 151:

AH: integral part of IPv6

IP header | ext. headers | AH header | dest. options | protected data

authenticated: the whole packet (except mutable fields)

Page 152:

AH Protected data (same as ESP)

Transport mode protected data: TCP header | Data/message

Tunnel mode protected data: IP header | TCP header | Data/message

Page 153:

Tunnel Mode

A --- Gateway <== encrypted tunnel ==> Gateway --- B

packet inside the tunnel: New IP Header | AH or ESP Header | Orig IP Header | TCP | Data

Page 154:

Algorithms for AH

• authentication

– mandatory: keyed hash

• HMAC-SHA-96, HMAC-MD5-96

– optional: DES-MAC

• no public key based digital signature currently

Page 155:

ESP or AH?

• AH protects the IP header itself, whereas ESP only protects everything beyond the ESP header

• AH friendly to export control?

• AH was designed by the IPv6 people; ESP did not really care about IPv6, it was just made to work

• Modified TF-ESP works with firewalls and NAT (copies ports etc. info in clear text)

• In AH the MAC comes before the data; in ESP the MAC comes after the data (efficiency for data delivery)

Page 156:

IKE

• For AH or ESP to protect IP packets, a Security Association (SA) must first be established between the two communicating parties

• This is done dynamically by using IKE. IKE negotiates SAs on behalf of IPsec and populates entries in the relevant Security Association Database (SADB).

Page 157:

Security association (SA)

• A container to store information on

– all the security parameters required

– Can be viewed as a generalization of shared secret “keys”

– Can also be viewed as a secure channel/connection built on top of the shared keys

• for one-way/unidirectional secure communications between two hosts (except IKE SA)

– (need 2 SAs for two-way communications)

Page 158:

Data in an SA

1. Mode of the authentication alg. for AH, and keys to the alg.

2. Mode of the encryption alg. for ESP, and keys to the alg.

3. Presence & size of crypto synch for the encryption alg.

4. How to authenticate (what protocol, algorithms and keys)

5. How to secure data (what protocol, algorithms and keys )

6. How often to change/refresh keys

7. How to authenticate in ESP (alg. mode., transform, and keys)

8. Lifetimes of keys

9. Lifetime of the SA itself

10. Source address of the SA

Page 159:

2 phases in IKE

• Purpose of Phase 1

– To establish an IKE SA (also called ISAKMP SA) between the 2 IKE peers. This IKE SA is subsequently used in Phase 2 to establish, in a secure way, general purpose SAs for all IPsec security services

• Purpose of Phase 2

– To negotiate & establish, in a quick way, IPsec SAs required for various security services, by the use of the IKE SA established in Phase 1

Page 160:

Modes in IKE

• 2 modes for Phase 1

– Main mode (mandatory)

• Being able to protect identities

– Aggressive mode (optional)

• Using only 3 message flows rather than 6

• 1 mode for Phase 2

– Quick mode

• Other modes

– Informational modes

– New group mode for new Diffie-Hellman groups

Page 161:

Phase 1 main mode (6 messages)

Initiator → Responder: offer proposal with multiple transforms

Responder → Initiator: accept one

Initiator → Responder: DH pub key & additional data

Responder → Initiator: DH pub key plus additional data

Initiator → Responder: ID & authenticator

Responder → Initiator: ID & authenticator

Page 162:

Phase 1 aggressive mode (3 messages)

Initiator → Responder: offer proposal with multiple transforms, DH pub key, ID, additional data

Responder → Initiator: return proposal with a single transform, DH pub key, ID, authentication data, additional data

Initiator → Responder: authentication data

Page 163:

Phase 2 quick mode (3 messages)

Initiator → Responder: ISAKMP header for quick mode, { HASH1, SA with multiple transforms, Nonce_i, DH pub key of initiator (optional, for PFS only), ID_i, ID_r } encrypted under SKEYID_e

Responder → Initiator: ISAKMP header for quick mode, { HASH2, SA with single transform, Nonce_r, DH pub key of responder (optional, for PFS only), ID_i, ID_r } encrypted under SKEYID_e

Initiator → Responder: ISAKMP header for quick mode, { HASH3 } encrypted under SKEYID_e

Note: HASHi acts as an authenticator

Page 164:

Efficiency of IKE

A single IKE SA in Phase 1

Multiple Phase 2 negotiations under that one IKE SA:

– Phase 2 negotiation 1 → IPsec SA bundle (IPsec SA1 … IPsec SAt)

– ……

– Phase 2 negotiation n → IPsec SA bundle (IPsec SA1 … IPsec SAs)

Page 165:

IKE Phase I: Pre-Shared Key

initiator: HASH_I → E (pre-shared secret) → encrypted hash value → Network → D (pre-shared secret) → HASH_I at the responder

responder: HASH_R → E (pre-shared secret) → encrypted hash value → Network → D (pre-shared secret) → HASH_R at the initiator

Page 166:

IKE Phase I: Digital Signature

initiator: sign HASH-I with the initiator private key → signature of HASH-I → Network → responder verifies → OK

responder: sign HASH-R with the responder private key → signature of HASH-R → Network → initiator verifies → OK

Page 167:

IKE Phase I: Public Key Encryption

initiator: encrypt NONCE-I → encrypted NONCE-I → Network → responder decrypts with the responder private key → NONCE-I

responder: encrypt NONCE-R → encrypted NONCE-R → Network → initiator decrypts with the initiator private key → NONCE-R

Page 168:

Transport adjacency

host A --- gate way 1 --- Internet --- gate way 2 --- host B

SA 1 (ESP transport) and SA 2 (AH transport), applied to the same packet between the same two end-points

Page 169:

Iterated tunnelling (1)

host A --- gate way 1 --- Internet --- gate way 2 --- host B

SA 1 (tunnel), SA 2 (tunnel): both end-points for the SAs are the same

Page 170:

Iterated tunnelling (2)

host A --- gate way 1 --- Internet --- gate way 2 --- host B

SA 1 (tunnel), SA 2 (tunnel): one end-point for the SAs is the same

Page 171:

Iterated tunnelling (3)

host A --- gate way 1 --- Internet --- gate way 2 --- host B

SA 1 (tunnel), SA 2 (tunnel): neither end-point for the SAs is the same

Page 172:

Outbound Processing

Outbound packet (on A, to be sent to B):

1. IP Packet → SPD (Policy): Is it for IPsec? If so, which policy entry to select?

2. SA Database: determine the SA and its SPI

3. IPsec processing → SPI & IPsec Packet → send to B

Page 173:

Inbound Processing

Inbound packet (on B, from A):

1. SPI & Packet arrive from A

2. SA Database: use the SPI to index the SAD

3. “un-process” → Original IP Packet

4. SPD (Policy): was the packet properly secured?
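Added example (not from these slides): a Python model of the outbound and inbound paths on the last two slides, with an ordered SPD, a SAD indexed by SPI, and the sliding anti-replay window behind the "optionally, anti-replay protection" service of the ESP and AH slides. Policy entries, addresses and SPI values are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class SA:                      # SAD entry, indexed by SPI (a subset of the "Data in an SA" fields)
    spi: int
    src: str
    dst: str
    protocol: str              # "ESP" or "AH"
    seq: int = 0               # outbound: last sequence number sent
    highest: int = 0           # inbound: highest sequence number accepted so far
    bitmap: int = 0            # inbound: bit i set => sequence number highest - i already seen
    window: int = 64

def spd_lookup(spd, src, dst):
    # SPD entries are ordered (src_net, dst_net, action, protocol); first match wins, no match => discard
    for src_net, dst_net, action, proto in spd:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action, proto
    return "discard", None

def outbound(spd, sad, src, dst):   # outbound on A: is it for IPsec, which entry, which SA/SPI?
    action, proto = spd_lookup(spd, src, dst)
    if action != "protect":
        return action, None, None
    sa = next((s for s in sad.values() if (s.src, s.dst, s.protocol) == (src, dst, proto)), None)
    if sa is None:
        return "negotiate", None, None   # no SA yet: IKE must establish one before sending
    sa.seq += 1                          # a sequence number is never reused within one SA
    return "protect", sa.spi, sa.seq

def replay_check(sa, seq):
    """Sliding-window anti-replay (RFC 2401 Appendix C): accept only new numbers inside the window."""
    if seq == 0 or seq <= sa.highest - sa.window:
        return False                                     # zero is never valid; too old is dropped
    if seq > sa.highest:                                 # window advances: shift the bitmap
        sa.bitmap = ((sa.bitmap << (seq - sa.highest)) | 1) & ((1 << sa.window) - 1)
        sa.highest = seq
        return True
    bit = 1 << (sa.highest - seq)
    if sa.bitmap & bit:
        return False                                     # replayed packet
    sa.bitmap |= bit
    return True

def inbound(spd, sad, spi, src, dst, seq, icv_ok):   # inbound on B: SAD by SPI, un-process, then SPD
    sa = sad.get(spi)
    if sa is None or not icv_ok or not replay_check(sa, seq):
        return "discard"
    action, proto = spd_lookup(spd, src, dst)
    return "accept" if (action, proto) == ("protect", sa.protocol) else "discard"
```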