Code Signing – How it Works

How do you think that users and computers can trust all this random software which appears on large public networks?  I am of course referring to the internet and the requirement most of us have to download and run software or apps on a routine basis.  How can we trust that this is legitimate software and not some shell of a program just designed to infect our PC or steal our data?  After all even if we avoid most software, everyone needs to install driver updates and security patches.

The solution generally involves something called code signing, which allows companies to vouch for the origin and integrity of any file released over the internet. The software is signed using a certificate, and as long as you trust the certificate and its issuer then you should be happy to install the associated software. Code signing is used by most major distributors in order to assure the provenance of software released online.

Code Signing – the Basics
Code signing simply adds a small digital signature to a program, an executable file, an ActiveX control, a DLL (dynamic link library) or even a simple script or Java applet. The crucial fact is that this signature seeks to protect the user of this software in two ways:

  • The digital signature identifies the publisher, ensuring you know exactly who wrote the program before you install it.
  • The digital signature allows you to determine whether the code you are about to install is the same as what was released, and helps to identify what changes, if any, have been made since.
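The two guarantees above, worked through in code. This is an added example, not code from the original post or from any signing tool: a toy signer and verifier in Python that shows why a valid signature identifies the publisher (only the holder of the publisher's private key can make one) and why any change to the file breaks verification. It uses textbook RSA over a SHA-256 digest with no padding so that it runs on the standard library alone; the constants, file contents and key sizes are constructed for the demonstration, and real code signing (Authenticode, PKCS#1 padding, X.509 certificate chains) is what production tooling verifies.

```python
"""Toy code-signing demo: added example, not code from the original page.

It shows the two guarantees described above: only the holder of the publisher's
private key can produce a valid signature (identity), and any change to the
file breaks verification (integrity). Textbook RSA over a SHA-256 digest with no
padding is used so the example runs on the Python standard library alone; real
code signing (Authenticode, PKCS#1 padding, X.509 certificate chains) is what
production tooling verifies, and this toy scheme is for illustration only.
"""
import hashlib
import random

# Constructed sample "releases": the file as published and a modified copy.
PUBLISHED_FILE = b"MZ...pretend-installer-bytes...v1.0"
TAMPERED_FILE = b"MZ...pretend-installer-bytes...v1.0 + injected payload"


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Draw random odd candidates of the requested size until one is prime."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((e, n), (d, n)). Toy key size only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, p * q), (d, p * q)


def sign_file(data, private_key):
    """Publisher side: sign the SHA-256 digest of the release."""
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, d, n)


def verify_file(data, signature, public_key):
    """Installer side: recompute the digest and compare it with the signature."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == digest


def demo():
    """Run the three checks an installer's policy cares about."""
    publisher_pub, publisher_priv = generate_keypair()
    _stranger_pub, stranger_priv = generate_keypair()
    sig = sign_file(PUBLISHED_FILE, publisher_priv)
    return {
        # untouched file, signed by the trusted publisher: install
        "genuine": verify_file(PUBLISHED_FILE, sig, publisher_pub),
        # file changed after signing: the signature no longer matches
        "tampered": verify_file(TAMPERED_FILE, sig, publisher_pub),
        # valid-looking signature, but from a key we do not trust
        "wrong_publisher": verify_file(
            PUBLISHED_FILE, sign_file(PUBLISHED_FILE, stranger_priv), publisher_pub
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The third check is the one installers most often get wrong: a signature that verifies under *some* key proves nothing; it has to verify under a key (or certificate chain) you already trust.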

Obviously if the application is aware of code signing this makes it even simpler to use and more secure. Such programs can be configured to interact with signed and unsigned software differently depending on the circumstances. One simple example of this is the security zones defined in Internet Explorer. They can be configured to control how each application behaves depending on what zone it is in. There can be different rules for ‘signed’ and ‘unsigned’ applications, for instance, with obviously more rights assigned to the ‘signed’ applications.

In secure environments you can assume that any ‘unsigned’ application is potentially dangerous and apply restrictions accordingly. Most web browsers have the ability to determine the difference between these applications and assign security rights depending on the status. It should be noted that these will be applied through any sort of connection or access, even a connection from a live VPN to watch the BBC!

This is not restricted to applications that operate through a browser; you can assign and control the activity of signed and unsigned applications in other areas too. Take device drivers, for instance: it is arguably even more important that these are validated before being installed. You can define specific GPO settings in a Windows environment to control the operation and the installation of a device driver based on this criterion.

As well as installation it can control how Windows interacts with these drivers too, although generally for most networks you should not allow installation of an unsigned driver. This is not always possible though; sometimes applications or specialised hardware will need device drivers where the company hasn’t been able to sign the code satisfactorily. In these instances you should think carefully before installing and consider the source too. For example, if you have downloaded from a reputable site using a high-anonymity proxy to protect your identity then that might be safer than a random download from an insecure site; there is still a risk though.

Preparing PKI in a Windows Active Directory Environment

If you’re installing and implementing internet access for an internal Windows-based network then there are two important factors you should consider. Firstly it’s important to ensure that your perimeter is protected and access is only allowed through a single point. This might seem trivial but it’s actually crucial to ensure that the network can be controlled. Any network which has thousands of individual clients accessing the internet directly and not through a proxy is going to be almost impossible to protect.

The second aspect relates to the overall client and server security: ensure that your Windows environment has Active Directory enabled. This will also allow you to implement the Microsoft Windows PKI. From Windows 2003 onwards this is already included, and PKI is preconfigured in the Windows 2003 schema whether you wish to implement it or not.

If you are considering using Windows PKI then remember that although Active Directory is a prerequisite for a straightforward installation, it does not require a particular domain functional level or even a functioning forest to operate in. In fact the only configuration you require in the later versions of Windows is to change the Cert Publishers group, which is needed in any multi-domain forest. This group is pre-populated as a domain local group in each domain of an Active Directory forest by default.

This is how PKI is implemented: you can allow any enterprise-level certificate authority (CA) the rights to publish certificates to any user object in the current forest or to Contact objects in foreign forests. Remember to enable the relevant permissions by adding the CA’s computer account to each domain’s Cert Publishers group. This is essential, as the scope of this group has changed from a global group to a domain local group, which allows the group to include computer accounts from outside the domain. This means that you can add computers and user groups for external access by including an external gateway. For example, if you wanted to proxy BBC streams and cache them you could include the proxy server in this group in order to minimize authentication traffic.

You are currently unable to deploy Windows Server Enterprise CAs in non-Active Directory environments. This is because the Certificate Authority requires the existence of AD in order to store configuration information and publish certificates. You can install Windows Server PKI in a non-AD environment, however each CA in the PKI hierarchy must then be standalone. This is workable in smaller environments but configuring communications can be a real challenge in large or distributed networks spanning many subnets. Trying to ensure that the right Certificate Authority is assigned across a multinational network is difficult without Active Directory. Remember you may have clients and servers requesting authentication from different networks; in a UK company you might have a client desktop with an Irish IP address seeking authentication from a London-based standalone CA in a different domain.


Securing the Internal Network

Twenty years ago this wasn’t really much of an issue: a simple network, a couple of file servers and, if you were lucky, an email system. Security was never much of an issue, which was just as well because sometimes there wasn’t much you could do anyway. If anyone remembers the forerunner of Microsoft Exchange, the Microsoft Mail post offices were installed in open shares and if you started locking them down everything stopped working. You could make some minor security changes but most of all you had to be careful that you didn’t leave anything sensitive in these open shares.

Of course, Unix, Ultrix and the forerunner of Windows NT all had reasonable levels of security and you could apply decent access controls based on users, groups and domains without too much issue. It was more the applications that were the issue; security in a digital environment was very much in its infancy. Nowadays of course, everyone takes security much more seriously in this age of data protection, hackers, viruses and cyber criminal attacks all over the place. It’s still a nightmare to lock down environments though and that’s primarily due to the internet.

IT departments all over the world love the internet, solving issues and fixing problems is made a hundred times easier with a search engine at hand.  However that’s one side of the coin, the other is the fact that access to the internet makes configuration and security much more important and potentially more challenging.  Imagine every single desktop has the capacity to visit, download and distribute any number of malevolent files.   A potential virus outbreak sits on everybody’s desk and when you look at some of the users you could only be scared.

So what sort of methods do we have to minimize the potential chaos to our internal network? Well, first of all there is something that is not really technology based: a document which details how people must use their computers and especially the internet. Making sure that users are educated about the risks to both the network and their employment status is probably the most important step you can take to reduce risk from outside sources. If they know that they could get fired for downloading or streaming video from sites like the BBC via their company VPN then they’re much less likely to do it.

There’s still a need to implement access control lists and secure resources of course, but user compliance goes a long way. Principles like giving users the least amount of permissions they need make sense in securing resources. You can lock down PCs, browsers and external access through Windows environments and GPOs (Group Policy Objects). Routing all internet access through central points is a sensible option, meaning you can not only control but also monitor internet traffic in both directions. This is also a useful way of applying a second layer of antivirus security, scanning content before it reaches your desktop solutions.

Most secure environments also put in other common sense steps like not allowing users to plug their own hardware into the network. This sounds a trivial matter but a virus-ridden laptop connected to your internal network can effectively bypass your whole security infrastructure. You have no control over what their hardware is used for; they may be downloading torrents and buying alcohol or drugs from the dark web when they get home. Data security can also be improved by ensuring that no-one uses or takes away data on USB sticks and memory cards. There are security settings and applications which can manage these devices quite easily now, including group policy if you’re running a Windows environment and have implemented Active Directory.


Implementing your Internet Security Policy

One of the problems with IT departments is that they can often be a little bit detached from the rest of an organisation. Many are even physically separated, perhaps stuck in a separate building or floor, which only helps increase the isolation. In many ways it’s not a problem; after all, it’s a department which will probably need more space and room for storage of parts, replacements etc. Commonly the IT department will have easy access to server rooms so that they can maintain and support when those remote connections drop.

However one of the issues is that people who work in IT often see the rest of the company through their IT usage and not through their real function. This can be a problem with how people use technology and how it is managed throughout the company.

The classic example is that of internet usage, which over the last decade or so has become one of the main issues to manage in any IT department. First of all there are the technical complexities of allowing company clients to access outside resources. Then there are the potential security risks of viruses, hacking attempts, inappropriate browsing, email security, spam and so on. Access to the internet is now fairly commonplace but it almost always puts a huge strain on both technical and human resources to support.

For example, many users will use the internet just as they do at home: downloading BBC videos like this, visiting shopping sites, hobbies, research and all sorts of things which can impact the local network. It doesn’t take many users streaming video to their PCs to cause a huge slowdown on many normal company networks, which are rarely configured to cope with this sort of traffic. Yet how do you stop them? Many IT departments I have seen over the years simply block access; a few rules in the firewall will stop all access to a particular site. However this is obviously not the way to do this, a technical solution should not be implemented on its own.

A company should have an Internet Usage Policy to cover situations like this. Failing to state clearly what employees can or can’t do online leaves the company and Human Resources department on very thin ice. The user who spends all day streaming from Netflix or visiting porn sites is clearly not doing their job, but it’s difficult to discipline them without clear guidelines in such a policy or in their terms of employment. Having a proper internet policy is much simpler as it can be adapted quickly, can be referenced from other policies and things like employee guidelines. The policy can also be directly linked to technical solutions like a proper access control list.

If guidelines are in place, you mostly won’t have to spend time chasing and blocking video and media sites individually like Netflix or the BBC iPlayer. If employees know that they are not able to use these sites and the reasons behind it, generally the problem is resolved first. There may be issues with more technical users who attempt to circumvent or hide their activities, perhaps using an online IP changer, but these people are easier to deal with if they are directly contravening company policies.


Issues on Blocking VPN Access from Networks

People love using VPNs for a variety of reasons but if you’re the administrator of any network they can be a real problem. Of course, the primary function of a VPN is security and if users simply used the VPN to encrypt and secure their data then that would be fine. However in reality what you’ll really find is users connecting through a VPN in order to bypass blocks or access sites normally restricted by your network rules. Using a VPN service to watch UK TV is a common issue in our US/European network.

The problem is that these sites and activities are blocked for a reason. Having twenty people streaming the latest episode of ‘Strictly’ over the company’s network uses the same bandwidth as about 100 ordinary users simply working. It doesn’t matter that the traffic is being carried over the VPN, it still uses our own bandwidth to deliver it to the client. So it’s hardly surprising that we need to restrict the use of these VPN clients and the issues they cause. Here’s an example of what people can use these VPN services to do and the problems we can have in blocking them.

As you can see in this particular VPN service called Identity Cloaker there are lots of configuration options which can be used to hide the use of the service. Most of the recommended measures rely on blocking the standard footprints of a VPN service, but as you can see when you are able to switch outgoing ports and create a non-standard configuration it becomes much harder.

There is little in the data you can pick up on so those content filters are pretty much useless. The problem here is that most VPNs are encrypted so that even the destination address is encrypted (although obviously not the IP address). It’s simple to block the web based proxies and VPN services simply by restricting access to their URLs but these clients are much more difficult.

As you can see most services usually have the option to switch between hundreds of different IP addresses even doing so automatically. This is another way you can identify a simple proxy or VPN looking for consistent traffic patterns and single IP addresses. Filtering access to a VPN service which automatically switches server and IP address every few minutes is extremely difficult. Unless they do something with a distinct pattern and very heavy usage like anonymous torrenting then any footprint is almost impossible to detect.

Most administrators usually adopt an attitude of blocking the simplest VPN access and leaving it at that. The reality is that a technical user who is using a sophisticated VPN service like Identity Cloaker is going to be very difficult to stop. You should rely on enforcing User policies within the network and stressing the penalties if people are found using such services.

One other method to consider is ensuring that most users are not able to install or configure VPN clients on their local laptops or computers. This can normally be enforced very easily, particularly in Windows environments: simply configure local user policy and apply restrictive Group Policy settings to remove admin access from users. Unfortunately programs like Identity Cloaker also come with a ‘lite’ version which doesn’t need installing and can be run directly from a single executable. It can even be run from a memory stick and still interact with the network stack on the local computer.
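The traffic characteristics the post describes (non-standard outgoing ports, the client rotating between servers every few minutes, sustained heavy volume) are exactly what a network team can look for in flow records even when the payload is encrypted. The following is an added example, not code from the original post or from any product mentioned in it: a small Python script that applies those two heuristics to NetFlow-style records. The flow lines, the addresses and all of the thresholds are constructed for the demonstration and would need tuning against a real network's baseline.

```python
"""Flow-log heuristics for spotting VPN-style tunnels (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style records, one flow per line:
# start end src dst dst_port proto bytes
SAMPLE_FLOWS = """\
2024-01-15T09:00:00 2024-01-15T09:04:58 10.0.0.21 203.0.113.10 8443 tcp 48213000
2024-01-15T09:05:01 2024-01-15T09:09:57 10.0.0.21 203.0.113.44 8443 tcp 51000120
2024-01-15T09:10:02 2024-01-15T09:14:59 10.0.0.21 203.0.113.77 8443 tcp 47550000
2024-01-15T09:15:00 2024-01-15T09:19:55 10.0.0.21 203.0.113.12 8443 tcp 49800000
2024-01-15T09:00:10 2024-01-15T09:00:11 10.0.0.35 198.51.100.5 443 tcp 18500
2024-01-15T09:01:00 2024-01-15T09:01:02 10.0.0.35 198.51.100.9 443 tcp 22000
2024-01-15T09:02:30 2024-01-15T09:02:31 10.0.0.35 198.51.100.5 80 tcp 9000
2024-01-15T09:00:00 2024-01-15T09:45:00 10.0.0.50 198.51.100.200 443 tcp 310000000
"""

WELL_KNOWN_PORTS = {22, 25, 53, 80, 110, 143, 443, 587, 993, 995}
# Thresholds are assumptions chosen for the sample; tune them to your own baseline.
MIN_TUNNEL_SECONDS = 120
MIN_TUNNEL_BYTES = 10_000_000
MIN_ROTATING_DESTINATIONS = 3
LONG_FLOW_SECONDS = 1800
LONG_FLOW_BYTES = 100_000_000
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with a duration in seconds."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, port, proto, nbytes = line.split()
        seconds = (datetime.strptime(end, TIME_FORMAT)
                   - datetime.strptime(start, TIME_FORMAT)).total_seconds()
        flows.append({"src": src, "dst": dst, "port": int(port), "proto": proto,
                      "bytes": int(nbytes), "seconds": seconds})
    return flows


def find_tunnel_candidates(flows):
    """Return {source host: [reasons]} for hosts whose traffic looks like a tunnel."""
    findings = defaultdict(list)

    # Rule 1: sustained, heavy flows from one host to several different servers on
    # the same non-standard port, i.e. a client that keeps switching exit server.
    destinations = defaultdict(set)
    for f in flows:
        if (f["port"] not in WELL_KNOWN_PORTS
                and f["seconds"] >= MIN_TUNNEL_SECONDS
                and f["bytes"] >= MIN_TUNNEL_BYTES):
            destinations[(f["src"], f["port"])].add(f["dst"])
    for (src, port), dsts in destinations.items():
        if len(dsts) >= MIN_ROTATING_DESTINATIONS:
            findings[src].append(
                f"{len(dsts)} rotating destinations on non-standard port {port}")

    # Rule 2: a single very long, very heavy flow to one server, which is what a
    # tunnel (or a long video stream) looks like even when it hides on port 443.
    for f in flows:
        if f["seconds"] >= LONG_FLOW_SECONDS and f["bytes"] >= LONG_FLOW_BYTES:
            findings[f["src"]].append(
                f"long-lived heavy flow to {f['dst']}:{f['port']} "
                f"({f['bytes'] // 1_000_000} MB over {int(f['seconds'] // 60)} min)")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in find_tunnel_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", "; ".join(reasons))
```

Neither rule proves a VPN is in use; they produce a short list of hosts worth a conversation under the usage policy, which is the approach the post itself recommends. The ordinary web browsing host (10.0.0.35) is left alone.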

Network Layer Switches

Network switches play a critical role in the performance of local area networks. They may be used in private networks like the intranet and extranet, segmenting the networks into more manageable sections. The resulting networks are known as HFC, please see the glossary for definitions. Setting up a sizable computer network can be an intimidating undertaking and one needs an in-depth understanding of the role of every networking device to construct an efficient network. Thus, it’s accountable for setting up the essential network for transferring data from one user to another. In truth, it is the largest SDH-based transport network on earth. It establishes a relation to the device by choosing the essential service or application.

Packet routing is an essential task in order to prevent congestion. When a data packet would like to reach a specific destination, it must traverse through these networks. The file transfer protocol supplies a way to move data efficiently from one machine to another. Routing protocols transmit information concerning the network. Most routing protocols do not consist of layer two information that’s necessary to set up a VCC connection. It’s an unreliable, connectionless protocol for applications which do not want TCP’s sequencing or flow control and want to provide their own. In large, complex networks servers need access to this sort of throughput; imagine the strain on something like Netflix IP servers broadcasting video to millions.

Every computer on the internet or a local network is assigned a unique address, commonly called an Internet Protocol address or simply the IP address. It is not just a vast array of computers, connected to each other. You may also browse the internet for articles, discussions and suggestions. Optical communication links and networks are crucial for the internet backbone along with the interconnects utilised in data centres and high-performance computing systems.

While doing this, it must manage problems like network congestion, switching issues, etc. It can help you comprehend the working of a network in an easy and quick way. Many times, once an application would like to communicate with a different application, there must be communication between these associated processes. The working of the web is based on a collection of protocols. To have the ability to get that massive network to work and get our LANs to act jointly there has to be a routing protocol that enables it. It uses TCP at the transport layer again to provide reliability.

If you have a relatively new mobile handset, then it’s most inclined to be equipped with an integrated web browser. It selects device and execute a service discovery to look for available services or applications. Bluetooth devices operate in a variety of about ten meters. It functions as an intermediary between wireless and wired devices which are part of a network. Aside from the computers themselves, there are numerous intermediary devices which make data transfer possible. It can also allow a network to detect, reroute or simply block specific types of transport presumably it is how the BBC has blocked VPNs like this story details.

Window flow control mechanisms weren’t modeled, so as to extend the reach of the study to congestion collapse regions. After you prepare the export feature, NetFlow information is exported whenever a flow expires. The principal use of the router is to ascertain the very best network path in a complicated network. The third main purpose of LAN switches is Layer two loop avoidance. Besides this, the gateway functionality has to be enabled. Each P-NET module also has to have a service channel that may identify unknown participants.

Computer Security: Phishing

Out of all the weapons available to a cyber criminal, phishing is probably one of the most widely used. It is generally described as a random, untargeted attack with the intention of tricking someone into revealing confidential information by replying to an email, clicking a link or filling in a bogus webpage. Most of the popular phishing attacks rely on an element of social engineering. That is, deceiving people into granting access rather than directly hacking into a target system.

Usually the main delivery mechanism is email, and using modern mailing systems attackers can target millions of email addresses at one time. There are many variations of phishing attacks, ranging from installing keyloggers to duplicate websites or similar. The intent is always to steal personal information such as usernames, passwords and account numbers.

It is fairly common for these phishing emails to include attachments or links that can install various types of malware onto the victim’s computer in order to steal their information too.

Quick Summary of Phishing Attacks

There are, as explained, lots of different types of phishing attacks and their popularity changes quite regularly.

Email Phishing – is probably the most well known and centers around mass distributions of emails, they are very random and usually rely on volume to succeed.

Spear Phishing – is a more targeted term for phishing which follows the basic premises. However they are usually more sophisticated and tailored towards a certain type of user or organisation.

Man in the Middle (MiTM) attacks involve the attacker positioning themselves between a legitimate website or company and the end user; the goal is to record any information sent. It’s normally one of the most difficult to operate but also to detect, as the transactions are normally legitimate but simply intercepted.

There are many other methods available to capture information with things like keyloggers and screen capture programs popular too, the ideas are always to simply gain passwords or other personal information.

Some other variants include pharming, which is even less targeted than phishing, simply installing malicious code onto servers or clients to redirect any user to fake websites. There are various methods of doing this, including several involving DNS, such as modifying a user’s hosts file to redirect them without their knowledge. A particularly sinister version of pharming is known as DNS (Domain Name System) poisoning, where users are directed to fraudulent websites without the need to corrupt the personal hosts file. Others use legitimate or at least semi-legitimate services to trick people into using them. One of the more popular methods was to put free proxy servers out on the internet for people to bypass region blocks; these were then used to steal people’s credentials as they were using them. This explains the method of region lock bypass using a proxy to watch the BBC, although the example used in the post was a commercial service.

Malware Phishing – is the process of downloading malware onto a user’s device, either through an attachment in an email, a downloadable web file or by exploiting software vulnerabilities.
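The hosts-file form of pharming mentioned above is one of the few you can check for directly on an endpoint, because the override has to be written to a file you control. Below is an added example, not code from the original post: a Python audit that parses a hosts file and flags any name silently pointed at another machine, while leaving the normal localhost and sinkhole entries alone. The sample hosts file, the domain names, the watchlist of sensitive names and the internal name suffixes are all constructed assumptions.

```python
"""Hosts-file audit for pharming-style overrides (added example, not from the page)."""
import ipaddress

# Constructed sample hosts file; the domain names are placeholders.
SAMPLE_HOSTS = """\
# local entries
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.local
203.0.113.66    www.examplebank.com    # pharming-style override
0.0.0.0         ads.example.net        # ad sinkhole, harmless
198.51.100.20   update.example-software.com
"""

# Names an organisation would treat as sensitive, and the suffixes of its own
# internal names that legitimately live in hosts files. Both are assumptions.
WATCHLIST = {"www.examplebank.com", "login.example.com"}
INTERNAL_SUFFIXES = (".local", ".internal")


def parse_hosts(text):
    """Return (hostname, ip_address) pairs, ignoring comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; skip rather than guess
        for name in parts[1:]:
            entries.append((name.lower(), addr))
    return entries


def audit_hosts(entries, watchlist=WATCHLIST, internal_suffixes=INTERNAL_SUFFIXES):
    """Flag hosts entries that redirect names to other machines."""
    findings = []
    for name, addr in entries:
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost and 0.0.0.0 sinkhole entries are normal
        if name in watchlist:
            findings.append(f"{name} -> {addr}: watchlisted name overridden")
        elif not name.endswith(internal_suffixes):
            findings.append(f"{name} -> {addr}: external name pinned in hosts file")
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(parse_hosts(SAMPLE_HOSTS)):
        print(finding)
```

On a real machine you would feed it the contents of `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` and compare the findings against a known-good baseline; the same parser also works for a DNS-poisoning check if you resolve the watchlisted names and compare the answers with what the hosts file and your own resolver say.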

Further Reading – Security Information and UK VPN trial

What Is VPN?

The remote server would accept the request, then authenticate the client through something like a username and password. The tunnel would then be established and used to transfer data between the client and server.

If you want to emulate a point to point link, the data must be wrapped with a header; this is normally called encapsulation. This header provides the essential routing information which enables the data to traverse the public network and reach its intended endpoint. In order to keep the link private on this open network all the data would normally be encrypted. Without this route information the data would never reach its intended destination. The encryption ensures that all data is kept confidential. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.
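The encapsulation and encryption just described, worked through as an added example that is not part of the original post. It builds a toy tunnel in Python: a private packet (private source, private destination, application data) is wrapped in an outer header carrying the public endpoint addresses, the inner packet is encrypted, and an integrity tag is added so that modification in transit is detected. The keystream is derived from HMAC-SHA256 in counter mode and the tag is a separate HMAC, chosen only so the example runs on the standard library; real VPNs use IPsec, TLS or WireGuard. The addresses, keys and payload are constructed for the demonstration.

```python
"""Toy VPN tunnel showing encapsulation and encryption (added example, not from the page)."""
import hashlib
import hmac
import ipaddress
import os

NONCE_LEN, TAG_LEN, OUTER_HDR_LEN = 8, 32, 16  # outer header: 4-byte src, 4-byte dst, 8-byte nonce


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (standard-library stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def build_inner_packet(src, dst, payload):
    """The private packet: private source, private destination, application data."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


def parse_inner_packet(inner):
    return (str(ipaddress.ip_address(inner[:4])),
            str(ipaddress.ip_address(inner[4:8])),
            inner[8:])


def encapsulate(inner, outer_src, outer_dst, enc_key, mac_key, nonce=None):
    """Wrap the private packet: outer routing header + encrypted inner packet + integrity tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    header = (ipaddress.ip_address(outer_src).packed
              + ipaddress.ip_address(outer_dst).packed + nonce)
    ciphertext = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decapsulate(packet, enc_key, mac_key):
    """Far end of the tunnel: verify the tag first, then decrypt the inner packet."""
    header = packet[:OUTER_HDR_LEN]
    ciphertext, tag = packet[OUTER_HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    nonce = header[8:OUTER_HDR_LEN]
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def observe(packet):
    """What an on-path observer on the public network can read without the keys."""
    return {"outer_src": str(ipaddress.ip_address(packet[:4])),
            "outer_dst": str(ipaddress.ip_address(packet[4:8])),
            "length": len(packet)}


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    inner = build_inner_packet("10.0.0.21", "10.1.0.5", b"GET /payroll HTTP/1.1")
    packet = encapsulate(inner, "198.51.100.7", "203.0.113.9", enc_key, mac_key)
    print("observer sees:", observe(packet))
    print("tunnel endpoint recovers:", parse_inner_packet(decapsulate(packet, enc_key, mac_key)))
```

This is also why the post's later point holds: an administrator watching the public network sees only the outer endpoints, the packet sizes and the timing, which is what the flow heuristics in the VPN-blocking section have to work from.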

One of the most important uses of remote access VPN connections is that they allow workers to connect back to their office or home using the shared infrastructure of a public network such as the internet. At the user’s end, the VPN establishes an invisible connection between the client and the organisation’s servers. There is normally no need to specify any aspects of the shared network as long as it is capable of transporting the traffic; the VPN tunnel controls all other aspects. This does mean it’s very difficult to block these VPN connections, as the BBC is discovering.

These connections are also known as router to router connections, which are established between two fixed points. They are normally set up between distinct offices, again based on the public network of the internet. The link will operate in a similar way to a dedicated wide area network link, but at a fraction of the cost of a dedicated line. Many companies use these increasingly in order to establish fixed connections without the expense of WAN connections. It should be noted that these VPN connections operate over the data link layer of the OSI model.

One of the problems many network administrators find is that users on networks can set up their own VPN connections. These can be very difficult to detect and allow direct tunnels into a corporate network, especially as they are often used for trivial purposes such as obtaining an IP address for Netflix. Needless to say, having users stream encrypted video streams to their desktops is not good for network performance or security.

Remember a site to site connection will establish a link between two distinct private networks. The VPN server will ensure that a reliable route is always available between the two VPN endpoints. One of the routers will take the role of the VPN client, by requesting the connection. The second router, acting as the VPN server, will authenticate and then reciprocate the request in order for the tunnel to be authenticated at each end. In these site to site connections, the packets which are sent across the routers will typically not be created on the routers but by clients connected to these respective devices.


OSI ( Open Systems Interconnection) Model

In the early 1980s the International Organization for Standardization started work on a set of protocols designed to promote open network environments.  These were essential to allow the multi-vendor computer systems to all talk to each other using internationally accepted communication protocols.   These standards and protocols eventually developed into the OSI reference model.

The protocols defined in each layer of the model have different responsibilities but generally these fall into two specific categories.

  • Communicating with the same level protocol layer on another computer.
  • Providing services to one layer above it.

This peer level communication offers a method in which each layer can exchange messages or other forms of data with its counterpart. The model is the same whether you’re routing through a US IP address to Netflix or over a secure communication link to an application server. For instance, the transport layer on the receiving computer is able to send a message requesting a pause to its peer transport layer on the sending computer. It’s able to do this not over a direct connection but by placing a message in the packet, where it is managed by the layer below. All lower layers must provide this service to the layer above them, taking messages and passing them down to the lowest level of the protocol stack. At this point they can be transmitted across the physical link to the remote destination.
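The pause request described above, traced through a miniature three-layer stack. This is an added example, not code from the original post, and the header formats (a link header with frame type and length, a network header with source and destination address, a transport header with message kind and sequence number) are assumptions chosen to keep the demonstration short; they are not any real protocol's layout. The receiving host's transport layer builds the pause message, each lower layer wraps it in its own header, and on the sending host each layer strips only its own header and hands the rest up until the peer transport layer acts on it.

```python
"""Peer-layer messaging through a three-layer stack (added example, not from the page)."""
import struct

LINK_HDR = struct.Struct("!HH")    # frame type, payload length
NET_HDR = struct.Struct("!4s4s")   # source address, destination address
TRANS_HDR = struct.Struct("!BH")   # message kind (0 = data, 1 = pause), sequence number
KIND_DATA, KIND_PAUSE = 0, 1


class Host:
    """One protocol stack. Each layer only reads or writes its own header."""

    def __init__(self, addr):
        self.addr = bytes(addr)
        self.paused = False   # set by the transport layer on a peer's request
        self.trace = []       # (layer, fields) as each layer handles an incoming frame

    # Sending: each layer wraps what the layer above handed it and passes it down.
    def transport_send(self, kind, seq, payload, dst):
        return self.network_send(TRANS_HDR.pack(kind, seq) + payload, dst)

    def network_send(self, segment, dst):
        return self.link_send(NET_HDR.pack(self.addr, dst) + segment)

    def link_send(self, packet):
        return LINK_HDR.pack(0x0800, len(packet)) + packet   # what goes on the wire

    # Receiving: each layer strips only its own header and hands the rest up.
    def link_receive(self, frame):
        ftype, length = LINK_HDR.unpack_from(frame)
        self.trace.append(("link", ftype, length))
        return self.network_receive(frame[LINK_HDR.size:LINK_HDR.size + length])

    def network_receive(self, packet):
        src, dst = NET_HDR.unpack_from(packet)
        self.trace.append(("network", src, dst))
        if dst != self.addr:
            return None   # not addressed to us; a router would forward it instead
        return self.transport_receive(packet[NET_HDR.size:])

    def transport_receive(self, segment):
        kind, seq = TRANS_HDR.unpack_from(segment)
        self.trace.append(("transport", kind, seq))
        if kind == KIND_PAUSE:
            self.paused = True   # the peer transport layer asked us to stop sending
        return segment[TRANS_HDR.size:]


def demo():
    """The receiver's transport layer asks its peer on the sender to pause."""
    sender = Host(b"\x0a\x00\x00\x01")
    receiver = Host(b"\x0a\x00\x00\x02")
    frame = receiver.transport_send(KIND_PAUSE, 7, b"", sender.addr)
    sender.link_receive(frame)
    return sender.paused, [entry[0] for entry in sender.trace]


if __name__ == "__main__":
    print(demo())   # (True, ['link', 'network', 'transport'])
```

The trace shows the point the section makes: the link and network layers on the sender never look at the pause message, they only parse their own headers and pass the remainder up, and the network layer is the one that decides whether the packet is for this host at all.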

It is important to remember that the OSI is merely a reference model, in that it provides a general description of what services should be provided at which layer. The OSI model itself does not specify any particular protocols. In fact you’ll often find the OSI model used to describe all sorts of other protocol suites, including TCP/IP for example. The Internet Protocol is often described as a network layer protocol purely because it performs the same functions that are defined in the network layer of the OSI reference model.

The ISO did create some protocols that followed the OSI model, however these were never widely adopted and you’ll be lucky to find them in use anywhere.  The main reason for this was the popularity of a rival communication suite – TCP/IP.

Further Reading:

BBC Block VPN services – http://www.iplayerabroad.com/2016/07/20/bbc-vpn-block-real/


PPP (Point to Point Protocol)

For those of us who grew up with a selection of cables, leads and analogue modems, PPP was quite a common protocol. It was developed within the internet community to both encapsulate and transmit IP data across all sorts of links, but initially serial point to point ones. The other popular scheme, which to some extent was interchangeable with it, was SLIP (Serial Line Internet Protocol). Although SLIP was the earlier of these two protocols, there is little doubt that PPP was more common, mainly because it offered the ability to carry other protocols. The main advantage of this was the ability to work with IPX, which enabled it to function in Novell networks for example.

PPP is extremely adaptable and allows connections between routers and hosts in any combination. In its earliest guise though it was most commonly used to enable internet connections over telephone dial-up lines. Most modem software would offer the user the choice to connect via either SLIP or PPP, however the latter was normally the default.

Using PPP the home user would dial into a server run by their ISP over the telephone line. After the modem has established the connection, the PPP session would allow user authentication to check the account. This part of the process would also assign an IP address to the user’s computer. This address is essential to communicate across the internet and to access any part of it. In fact all web-based activities, from browsing a page to watching UK TV in the USA, need a valid IP address assigned to your computer or device.

When this exchange has taken place the user’s computer is effectively an extension of the ISP’s IP network in the same way as it might be connected using an ethernet cable plugged into a port.   The serial port and modem have exactly the same functionality as any other network card plugged into the network.

In order to encapsulate higher level protocol data and transmit it, PPP uses a simple framing method. Using this method PPP can support data transmission over a physical cable in asynchronous and synchronous modes. This obviously operates over the physical layer and needs serial communication protocols to transmit too. The data link layer is managed on the same frame structure using HDLC, and PPP uses the Link Control Protocol (LCP) to establish and manage links once they are up. LCP is also responsible for negotiating encapsulation methods and packet sizes, and any compression methods that might be available.

The other important function is of course user authentication, primarily using simple usernames and passwords. LCP is able to accept or reject packets based on any of these criteria and can manage the configuration options. A Network Control Protocol (NCP) is used to further manage the configuration of each network protocol and the data being transferred between the two hosts. Remember there is no client/server model; both ends of the connection are considered equal and the protocol is responsible for managing the connection, not either of the two end points.
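The HDLC-style framing described above, as an added example that is not part of the original post: a Python builder and parser for a PPP frame with the flag, address and control bytes, the protocol field, the 16-bit FCS from RFC 1662 and the byte stuffing that asynchronous (modem) links use so that the flag and escape bytes never appear inside a frame. The protocol numbers 0x0021 (IP) and 0xC021 (LCP) are the standard PPP assignments; the sample information field is constructed.

```python
"""PPP/HDLC-style framing with FCS-16 and byte stuffing (added example, not from the page)."""

FLAG, ESC = 0x7E, 0x7D          # frame delimiter and escape byte (RFC 1662)
ADDRESS, CONTROL = 0xFF, 0x03   # all-stations address, unnumbered information
PROTOCOL_IP, PROTOCOL_LCP = 0x0021, 0xC021
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8


def _make_fcs_table():
    """CRC-16 table for the reflected polynomial 0x8408 (the PPP FCS-16 generator)."""
    table = []
    for byte in range(256):
        value = byte
        for _ in range(8):
            value = (value >> 1) ^ 0x8408 if value & 1 else value >> 1
        table.append(value)
    return table


_FCS_TABLE = _make_fcs_table()


def ppp_fcs16(data, fcs=FCS_INIT):
    """Run the FCS-16 over data; a frame whose FCS is intact yields FCS_GOOD."""
    for byte in data:
        fcs = (fcs >> 8) ^ _FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def _stuff(data):
    """Escape flag, escape and control bytes so they cannot appear inside a frame."""
    out = bytearray()
    for byte in data:
        if byte in (FLAG, ESC) or byte < 0x20:   # default async control-character map
            out += bytes([ESC, byte ^ 0x20])
        else:
            out.append(byte)
    return bytes(out)


def _unstuff(data):
    """Reverse _stuff, rejecting an escape byte with nothing after it."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == ESC:
            if i + 1 >= len(data):
                raise ValueError("dangling escape byte")
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def build_frame(protocol, info):
    """Address + control + protocol + info, then the FCS, then stuffing and flags."""
    body = bytes([ADDRESS, CONTROL]) + protocol.to_bytes(2, "big") + info
    fcs = ppp_fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])   # FCS goes on the wire low byte first
    return bytes([FLAG]) + _stuff(body) + bytes([FLAG])


def parse_frame(frame):
    """Reverse build_frame, rejecting frames whose FCS does not check out."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag bytes")
    body = _unstuff(frame[1:-1])
    if ppp_fcs16(body) != FCS_GOOD:
        raise ValueError("bad FCS: frame corrupted")
    return {"address": body[0], "control": body[1],
            "protocol": int.from_bytes(body[2:4], "big"), "info": body[4:-2]}


if __name__ == "__main__":
    frame = build_frame(PROTOCOL_IP, b"\x45\x00\x00\x7e\x7d\x01")
    print(frame.hex())
    print(parse_frame(frame))
```

Note that the FCS is a corruption check, not an authentication mechanism: it catches line noise, which is what a modem link needed, but anyone who can write to the link can recompute it.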


BBC Blocking VPNs – http://www.iplayerabroad.com/2017/04/07/bbc-iplayer-blocking-vpn-2017/
