Planning your Security Assessment

Starting a full security risk assessment in an organisation of any size can be daunting if you have never done one before. Before you get too involved in complicated charts, diagrams and long drawn-out forms and flowcharts, it is best to take a step back. There is a simple goal here: to assess and address the security risks in your organisation. It is presumably a subject you already have some knowledge of and opinions about, so stay focused and do not turn the exercise into something so complicated that it has little practical use.

Many people, when questioned as part of a risk assessment, will start straight in on the nuts and bolts of the system. They will give opinions on how this or that component is weak, how someone could get access to it and to people's documents, and so on. That is just a technical evaluation of the system, which might or might not be useful. Whether it is useful depends on the answer to one essential question, and the experienced security professional will have asked that question before answering the enquirer. If the system is not being used for its intended purpose that is a separate issue, although it obviously affects security in certain instances.

For example, if company PCs are being used to stream video, or to route to otherwise inappropriate sites in order to watch ITV Stream abroad while at work, this introduces additional risks. Not only could the integrity of the internal network be affected, the connection will also slow down for everyone while large amounts of video cross the network. This behaviour should certainly be flagged if encountered during the assessment, although it is not the primary purpose of the investigation.

The important question is: what do you mean by secure? Security is a relative term; there is no absolute scale of security. The words secure and security only make sense as attributes of something you consider valuable. Something that is somehow at risk needs to be secured. How much security does it need? That depends on its value and on the operational threat. How do you measure the operational threat? Now you are getting into the real questions, which will lead you to an understanding of what you actually mean by secure. Security is used to defend things of value, and measuring and prioritising business risk tells you how much protection each of them needs.

In a business environment, things which have value are usually called assets. If assets are damaged or destroyed, you suffer a business impact. The potential event through which you could suffer that damage or destruction is a threat. To stop threats from crystallising into loss events with a business impact, you put a layer of protection between the threats and your assets. Where the assets are badly protected, you have a vulnerability to the threat. To improve the security and reduce the vulnerability you introduce security controls, which may be technical or procedural.

The process of identifying business assets, recognising the threats, assessing the degree of business impact that could be suffered if the threats were to crystallise, and analysing the vulnerabilities is known as operational risk assessment. Implementing suitable controls to strike a balance between usability, security, cost and other business needs is called operational risk mitigation. Operational risk assessment and operational risk mitigation together make up what can be called operational risk management. Later chapters in this book examine operational risk management and will help you deal with actual incidents, such as people trying to watch the BBC abroad through your internal VPN server! The main thing you need to understand at this stage is that risk management is all about identifying and prioritising the threats through the risk assessment process, and then applying degrees of control in line with those priorities.

Security and Performance – Monitoring User Activity

When analysing your server's overall performance and functionality, one of the key areas to consider is user activity. Looking for unusual user activity is a sensible way to identify potential system problems or security issues. When a server log is full of unusual user activity you can often use that information to track down the underlying problem very quickly; by analysing your system logs you can identify trends in authentication, security problems and application errors.

Monitoring user access to a system, for example, will let you determine usage trends such as utilisation peaks. These can cause all sorts of issues, from authentication problems to very specific application errors. All of this data is stored in different logs depending on which systems you are using; most operating systems record much of it by default.

Using system logs can be difficult, though, because of the huge amount of information in them. It is often hard to determine what is relevant to the health and security of your servers; even benign behaviour can look suspicious to the untrained eye, so it is important to use tools that filter the information into a more readable form.

For example, if you see a particular user having authentication problems every week or so, they are probably just having trouble remembering their password. If you see a user repeatedly failing authentication over a short period of time, that may point to something else: a password-guessing attempt against the account, or a client coming from somewhere it should not. For example, if the user is trying to reach the external network through a German proxy server, authentication will fail because that server is not trusted.

Looking at issues like this can help identify the user activity behind a security breach. Obviously you need to be aware of the current security infrastructure to interpret these logs correctly. Most operating systems, Unix and Windows included, allow you to configure the amount of detail recorded, from brief to verbose.

If you do set logs to record verbose information it is advisable to use a program to help analyse it efficiently. There are many applications that can do this, although some are quite expensive. There are simpler and cheaper options too; for example Microsoft's Log Parser is a free tool which lets you run SQL-like queries against event data in a variety of formats.

Log Parser is particularly useful for analysing security events, which are obviously the key priority for most IT departments in the current climate. Security and user authentication logs are the best way to determine whether unusual activity is happening on your network. For example, anyone using a stealth VPN or IP cloaker like this one will be very difficult to spot by looking at raw data from the wire, but using an external server like that will very likely throw up user authentication errors. Most networks restrict access to predetermined users or IP address ranges, and those errors can flag the behaviour up very quickly.
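
To make the distinction above concrete, here is an added example (not code from the original post) that applies the same reasoning to some constructed sshd-style log lines: it parses the failed logins, flags any user whose failures cluster within a short window rather than trickling in weekly, and notes sources outside the address ranges the network is assumed to trust. The log lines, the year, the 10.0.0.0/8 trusted range and the five-failures-in-ten-minutes threshold are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines, made up for this example and not
# taken from a real host.
SAMPLE_LOG = """\
Mar  3 08:55:10 fs01 sshd[4102]: Failed password for alice from 10.0.3.15 port 51022 ssh2
Mar  3 08:56:40 fs01 sshd[4102]: Accepted password for alice from 10.0.3.15 port 51030 ssh2
Mar 10 09:02:11 fs01 sshd[5210]: Failed password for alice from 10.0.3.15 port 52001 ssh2
Mar 10 09:03:05 fs01 sshd[5210]: Accepted password for alice from 10.0.3.15 port 52004 ssh2
Mar 12 14:00:01 fs01 sshd[6001]: Failed password for bob from 185.23.77.9 port 40001 ssh2
Mar 12 14:00:07 fs01 sshd[6003]: Failed password for bob from 185.23.77.9 port 40002 ssh2
Mar 12 14:00:12 fs01 sshd[6005]: Failed password for bob from 185.23.77.9 port 40003 ssh2
Mar 12 14:00:20 fs01 sshd[6007]: Failed password for bob from 185.23.77.9 port 40004 ssh2
Mar 12 14:00:31 fs01 sshd[6009]: Failed password for bob from 185.23.77.9 port 40005 ssh2
Mar 12 14:01:02 fs01 sshd[6011]: Failed password for invalid user admin from 185.23.77.9 port 40006 ssh2
"""

ASSUMED_YEAR = 2017  # assumption: classic syslog timestamps carry no year

# Assumption: the only networks that should be authenticating to this host.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text):
    """Return (timestamp, user, source address) for every failed login in the text."""
    failures = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = " ".join(m.group("ts").split())  # collapse the space-padded day field
        when = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        failures.append((when, m.group("user"), ipaddress.ip_address(m.group("ip"))))
    return failures


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def analyse(text, window=timedelta(minutes=10), threshold=5):
    """Per user: total failures, whether `threshold` failures fell inside `window`
    (a burst, rather than the occasional forgotten password), and any source
    addresses outside the trusted ranges."""
    by_user = defaultdict(list)
    for when, user, ip in parse_failures(text):
        by_user[user].append((when, ip))

    report = {}
    for user, events in by_user.items():
        times = sorted(when for when, _ in events)
        # Sliding window: a burst exists if the i-th and (i+threshold-1)-th
        # failures are no further apart than the window.
        burst = any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        )
        untrusted = sorted({str(ip) for _, ip in events if not is_trusted(ip)})
        report[user] = {"failures": len(times), "burst": burst, "untrusted_sources": untrusted}
    return report


if __name__ == "__main__":
    for user, finding in analyse(SAMPLE_LOG).items():
        print(user, finding)
```

On the sample, alice's two failures a week apart are reported but not flagged, while bob's five failures in thirty seconds from an address outside 10.0.0.0/8 are flagged both as a burst and as an untrusted source; the `invalid user admin` line is kept as its own entry because a name that does not exist on the host is itself worth seeing.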

Code Signing – How it Works

How can users and computers trust all the random software that appears on large public networks? I am of course referring to the internet and the need most of us have to download and run software or apps on a routine basis. How can we trust that this is legitimate software and not a shell of a program designed to infect our PC or steal our data? Even if we avoid most software, everyone needs to install driver updates and security patches.

The solution generally involves code signing, which lets a company vouch for the origin and content of any file it releases over the internet. The software is signed with a certificate, and as long as you trust the certificate and its issuer you can be reasonably happy to install the associated software. Bear in mind what the signature actually proves: who signed the file and that it has not changed since, not that the code is free of bugs or malice. Code signing is used by most major distributors of software released online.

Code Signing – the Basics
Code signing adds a small digital signature to a program: an executable file, an ActiveX control, a DLL (dynamic link library) or even a simple script or Java applet. The crucial point is that this signature protects the user of the software in two ways:

The digital signature identifies the publisher, so you know exactly who released the program before you install it.

The digital signature lets you determine whether the code you are about to install is the same as what was released, and so detects any change made to it since.

If the application installing or running the code is aware of code signing, this becomes simpler to use and more secure. Such programs can be configured to treat signed and unsigned software differently depending on the circumstances. One simple example is the security zones defined in Internet Explorer: they can be configured to control how content is treated depending on which zone it comes from, with different rules for 'signed' and 'unsigned' code and, naturally, more rights assigned to the 'signed' code.

In secure environments you can assume that any 'unsigned' application is potentially dangerous and apply restrictions accordingly. Most web browsers can tell the difference between the two and assign rights based on that status. These rules apply across any sort of connection or access, even a connection from a live VPN to watch the BBC!

This is not restricted to applications that operate through a browser; you can control the activity of signed and unsigned code in other areas too. Take device drivers, for instance, where it is arguably even more important that the code is validated before being installed. In a Windows environment you can define GPO settings to control the installation and operation of device drivers based on their signing status.

As well as installation this can control how Windows interacts with the drivers, although for most networks you simply should not allow installation of an unsigned driver. This is not always possible; sometimes an application or specialised hardware needs drivers the vendor has not been able to sign satisfactorily. In those instances consider carefully before installing, and consider the source too. A download from a reputable site, even one made through a high-anonymity proxy to protect your identity, is safer than a random download from an insecure site, but there is still a risk.
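
As an added example (not code from the original article, and not how any particular vendor's signing tool is implemented), the following shows the two checks above and the zone policy in working Python. It uses the third-party `cryptography` library, with Ed25519 signatures standing in for the RSA/X.509 certificates that Authenticode and Java signing use, and a plain dictionary of publisher names to public keys standing in for the certificate trust store; it does not check certificate revocation or timestamps. The publisher names and the driver bytes are constructed.

```python
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def make_publisher():
    """Create a publisher's signing key pair: (private key, raw public key bytes).
    In a real deployment the public half is wrapped in an X.509 certificate
    chained to a CA; here the raw key stands in for that certificate."""
    private_key = Ed25519PrivateKey.generate()
    public_bytes = private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return private_key, public_bytes


def sign_artifact(private_key, artifact):
    """Sign the SHA-256 digest of the file; the signature is what a signing tool
    would embed in, or ship beside, the executable."""
    return private_key.sign(hashlib.sha256(artifact).digest())


def verify_artifact(trusted_publishers, claimed_publisher, artifact, signature):
    """Classify an artifact the way a signing-aware installer does.

    trusted_publishers: {publisher name: raw public key bytes}, the local trust store.
    Returns "trusted", "untrusted-publisher", "tampered" or "unsigned".
    """
    if signature is None:
        return "unsigned"
    key_bytes = trusted_publishers.get(claimed_publisher)
    if key_bytes is None:
        return "untrusted-publisher"
    try:
        Ed25519PublicKey.from_public_bytes(key_bytes).verify(
            signature, hashlib.sha256(artifact).digest()
        )
    except InvalidSignature:
        # Either the bytes changed after signing, or the signature was not
        # produced by the key this publisher is trusted with.
        return "tampered"
    return "trusted"


def may_install(status, secure_zone=True):
    """Zone policy in the spirit of browser security zones: a secure zone runs only
    trusted code; a less restricted zone may still run code from an unknown
    publisher after review, but never unsigned or tampered code."""
    if status == "trusted":
        return True
    if status in ("tampered", "unsigned"):
        return False
    return not secure_zone


if __name__ == "__main__":
    priv, pub = make_publisher()
    store = {"Example Drivers Ltd": pub}             # constructed publisher name
    driver = b"MZ\x90\x00 constructed driver image"  # stands in for a real binary
    sig = sign_artifact(priv, driver)
    for publisher, data in [("Example Drivers Ltd", driver),
                            ("Example Drivers Ltd", driver + b"\x00"),
                            ("Unknown Vendor", driver)]:
        status = verify_artifact(store, publisher, data, sig)
        print(f"{publisher:20} {status:20} install={may_install(status)}")
```

The order of the checks matters: the trust store is consulted before the signature is verified, because a valid signature from a key you do not trust tells you nothing about the file, which is exactly why signed malware from a throwaway certificate is still blocked by a policy that keys on the publisher.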

Preparing PKI in a Windows Active Directory Environment

If you are implementing internet access for an internal Windows-based network there are two important factors to consider. Firstly, ensure that your perimeter is protected and that access is only allowed through a single point. This might seem trivial but it is crucial if the network is to be controlled. A network with thousands of individual clients reaching the internet directly, rather than through a proxy, is almost impossible to protect.

The second aspect relates to overall client and server security: ensure that your Windows environment has Active Directory in place. This also lets you implement the Microsoft Windows PKI. From Windows Server 2003 onwards this is included, and the PKI objects are already present in the Windows 2003 schema whether you wish to implement it or not.

If you are considering Windows PKI, remember that although Active Directory is a prerequisite for a straightforward installation, it does not require a particular domain or forest functional level. In fact the only configuration needed in later versions of Windows concerns the Cert Publishers group, which matters in any multi-domain forest. This group is created as a domain local group in each domain of an Active Directory forest by default.

This is how certificate publishing is set up: you can give any enterprise certification authority (CA) the right to publish certificates to any user object in the current forest, or to Contact objects in foreign forests. Remember to grant the relevant permissions by adding the CA's computer account to each domain's Cert Publishers group. This is essential: the scope of this group changed from a global group to a domain local group precisely so that it can include computer accounts from outside the domain. That lets you add computers from other domains, such as an external gateway. For example, if you wanted to proxy and cache BBC streams you could include the proxy server in this group in order to minimise authentication traffic.

You cannot deploy Windows Server Enterprise CAs in a non-Active Directory environment, because an Enterprise CA relies on AD to store its configuration and to publish certificates. You can install Windows Server PKI without AD, but every CA in the hierarchy must then be a standalone CA. This is workable in smaller environments but configuring communications becomes a real challenge in large or distributed networks spanning many subnets. Ensuring that clients reach the right certification authority across a multinational network is difficult without Active Directory. Remember you may have clients and servers requesting certificates from different networks; in a UK company you might have a client desktop with an Irish IP address requesting a certificate from a London-based standalone CA in a different domain.

Securing the Internal Network

Twenty years ago this wasn't really much of an issue: a simple network, a couple of file servers and, if you were lucky, an email system. Security was never much of a concern, which was just as well because sometimes there wasn't much you could do anyway. If anyone remembers the forerunner of Microsoft Exchange, the Microsoft Mail post offices were installed in open shares, and if you started locking them down everything stopped working. You could make some minor security improvements, but mostly you had to be careful what you left in those open shares.

Of course Unix, Ultrix and the forerunners of Windows NT all had reasonable levels of security, and you could apply decent access controls based on users, groups and domains without too much trouble. It was more the applications that were the problem; security in a digital environment was very much in its infancy. Nowadays everyone takes security much more seriously, in this age of data protection, hackers, viruses and cyber-criminal attacks. It is still a nightmare to lock down environments though, and that is primarily due to the internet.

IT departments all over the world love the internet; solving issues and fixing problems is a hundred times easier with a search engine to hand. That is one side of the coin. The other is that internet access makes configuration and security much more important and potentially more challenging. Every single desktop has the capacity to visit, download and distribute any number of malicious files. A potential virus outbreak sits on everybody's desk, and when you look at some of the users you can only be scared.

So what methods do we have to minimise the potential chaos on our internal network? First of all there is something not especially technical: a document that sets out how people must use their computers, and especially the internet. Making sure that users are educated about the risks, both to the network and to their own employment, is probably the most important step you can take to reduce risk from outside sources. If they know they could be fired for downloading or streaming video from sites like the BBC over their company VPN, they are much less likely to do it.

There is still a need to implement access control lists and secure resources, of course, but user compliance goes a long way. Principles like least privilege, giving users only the permissions they need, make sense in securing resources. You can lock down PCs, browsers and external access in a Windows environment through Group Policy Objects (GPOs). Routing all internet access through central points is a sensible option, meaning you can not only control but also monitor internet traffic in both directions. It also provides a second layer of antivirus protection, scanning content before it reaches the desktop products.

Most secure environments also take other common-sense steps, like not allowing users to plug their own hardware into the network. This sounds trivial, but a virus-ridden laptop connected to your internal network can effectively bypass your whole security infrastructure. You have no control over what their hardware is used for; they may be downloading torrents and buying alcohol or drugs on the dark web when they get home. Data security can also be improved by ensuring that no one copies or removes data using USB sticks and memory cards. There are security settings and applications which can manage these devices quite easily now, including Group Policy if you are running a Windows environment with Active Directory.

Issues on Blocking VPN Access from Networks

People love using VPNs for a variety of reasons, but if you administer a network they can be a real problem. The primary function of a VPN is security, and if users simply used one to encrypt and secure their data that would be fine. In reality what you find is users connecting through a VPN to bypass blocks, or to reach sites normally restricted by your network rules. Using a VPN service to watch UK TV is a common issue on our US/European network.

The problem is that these sites and activities are blocked for a reason. Twenty people streaming the latest episode of 'Strictly' over the company network use as much bandwidth as about a hundred ordinary users simply working. It doesn't matter that the traffic is carried inside the VPN; it still uses our own bandwidth to reach the client. So it is hardly surprising that we need to restrict these VPN clients and the problems they cause. Here is an example of what people can use these VPN services to do, and the problems we have in blocking them:

In this particular VPN service, Identity Cloaker, there are lots of configuration options which can be used to hide use of the service. Most of the recommended blocking measures rely on recognising the standard footprint of a VPN service, but once a user can switch outgoing ports and create a non-standard configuration it becomes much harder.

There is little in the data you can pick up on, so content filters are pretty much useless. The real destination of the traffic sits inside the encrypted tunnel; the only address visible on the wire is that of the VPN server, and the only port is whichever one the client chose. Blocking web-based proxies and VPN providers' websites by URL is simple, but these clients are much more difficult.

Most services also have the option to switch between hundreds of different IP addresses, even doing so automatically. A simple proxy or VPN can often be identified by looking for consistent traffic patterns to a single IP address, but filtering a VPN service that automatically switches server and IP address every few minutes is extremely difficult. Unless the user does something with a distinct pattern and very heavy usage, like anonymous torrenting, the footprint is almost impossible to detect.
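
The following is an added example, not from the original post, showing the difference between the easy and the hard case described above. Given constructed flow records (the per-connection summaries a flow exporter or proxy log would produce), it flags hosts talking to the default ports of common VPN protocols, which is the simple case, and then applies the only signal left once a client hides its port and rotates servers: long-lived, high-volume flows, repeated to several different endpoints. The addresses (RFC 5737 documentation ranges), thresholds and host names are assumptions.

```python
from collections import defaultdict, namedtuple

# One summarised connection as a flow exporter or proxy log would report it.
Flow = namedtuple("Flow", "src_host dst_ip proto dst_port nbytes seconds")

# Constructed flow records; not captured traffic.
FLOWS = [
    Flow("pc-017", "203.0.113.10", "udp", 1194, 50_000_000, 1800),   # OpenVPN on its default port
    Flow("pc-022", "198.51.100.7", "tcp", 443, 900_000_000, 2700),   # one long, fat "https" flow...
    Flow("pc-022", "198.51.100.8", "tcp", 443, 850_000_000, 2400),   # ...then the same from another server
    Flow("pc-022", "198.51.100.9", "tcp", 8443, 700_000_000, 2100),  # ...and another, on a different port
    Flow("pc-031", "192.0.2.44", "tcp", 443, 1_200_000, 15),         # ordinary browsing
    Flow("pc-031", "192.0.2.44", "tcp", 443, 2_400_000, 40),
]

# Default ports of common VPN protocols: cheap to block, and the first thing a
# configurable client moves away from.
KNOWN_VPN_PORTS = {
    ("udp", 1194): "OpenVPN", ("tcp", 1194): "OpenVPN",
    ("udp", 500): "IKE", ("udp", 4500): "IPsec NAT-T",
    ("tcp", 1723): "PPTP", ("udp", 1701): "L2TP",
}

# Assumed thresholds: a browsing session rarely keeps one connection open for
# 20 minutes while moving hundreds of megabytes; a video stream inside a tunnel does.
LONG_FLOW_SECONDS = 20 * 60
HEAVY_FLOW_BYTES = 200 * 1024 * 1024


def classify(flows):
    """Return {host: [reasons]} for hosts whose traffic looks like a VPN client."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f.src_host].append(f)

    findings = {}
    for host, hflows in per_host.items():
        reasons = []
        # Easy case: the client still uses a well-known VPN port.
        for f in hflows:
            name = KNOWN_VPN_PORTS.get((f.proto, f.dst_port))
            if name:
                reasons.append(f"known VPN port {f.proto}/{f.dst_port} ({name})")
        # Hard case: nothing distinctive in the headers, only volume and duration.
        heavy = [f for f in hflows if f.nbytes >= HEAVY_FLOW_BYTES and f.seconds >= LONG_FLOW_SECONDS]
        if heavy:
            total_mb = sum(f.nbytes for f in heavy) // (1024 * 1024)
            reasons.append(f"{len(heavy)} long high-volume flow(s), {total_mb} MB")
        # A client that hops servers shows the same heavy pattern to several endpoints.
        if len({f.dst_ip for f in heavy}) >= 2:
            reasons.append("rotates between endpoints with the same heavy pattern")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in classify(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

The volume heuristic is a prompt for a person to look, not a block rule: a legitimate large download or a backup job trips it just as well, which is why the post's advice to pair technical controls with an enforced usage policy is the practical answer.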

Most administrators adopt an attitude of blocking the simplest VPN access and leaving it at that. The reality is that a technical user with a sophisticated VPN service like Identity Cloaker is going to be very difficult to stop. You should rely on enforcing user policies within the network and stressing the penalties if people are found using such services.

One other method to consider is making sure that most users cannot install or configure VPN clients on their own laptops or computers. This is normally easy to enforce, particularly in Windows environments: configure local user policy and apply restrictive Group Policy settings to remove admin rights from users. Unfortunately programs like Identity Cloaker also come in a 'lite' version which doesn't need installing and runs directly from a single executable, even from a memory stick, and still interacts with the network stack on the local computer. Removing admin rights stops installers, not portable binaries; to stop those you need application control that only allows approved executables to run, such as AppLocker or Software Restriction Policies, which can be applied through the same Group Policy.

What Is VPN?

The remote server accepts the request and then authenticates it, through something like a username and password. The tunnel is then established and used to transfer data between client and server.

To emulate a point-to-point link, the data must be wrapped with a header; this is normally called encapsulation. The header provides the routing information that lets the data traverse the public network and reach its intended endpoint; without it the data would never reach its destination. To keep the link private on an open network, the encapsulated data is normally encrypted, which ensures confidentiality: packets intercepted on the shared or public network are indecipherable without the encryption keys. A link in which private data is encapsulated and encrypted in this way is known as a VPN connection.

One of the most important uses of remote access VPN connections is to let workers connect back to their office or home over the shared infrastructure of a public network such as the internet. From the user's point of view the VPN establishes a transparent connection between the client and the organisation's servers. There is normally no need to configure any aspect of the shared network as long as it can carry the traffic; the VPN tunnel handles everything else. This also makes these VPN connections very difficult to block, as the BBC is discovering.

Site-to-site connections, also known as router-to-router connections, are established between two fixed points. They are normally set up between distinct offices, again over the public internet. The link operates much like a dedicated wide area network link, but at a fraction of the cost of a leased line, and many companies use them to establish fixed connections without the expense of WAN circuits. Which layer of the OSI model the tunnel carries depends on the protocol: PPTP and L2TP carry data link layer PPP frames, while IPsec tunnels carry network layer IP packets.

One problem many network administrators find is that users can set up their own VPN connections. These are very difficult to detect and open a direct tunnel through the corporate perimeter, especially as they are often used for trivial purposes such as obtaining an IP address for Netflix. Needless to say, having users stream encrypted video to their desktops is not good for network performance or security.

Remember that a site-to-site connection establishes a link between two distinct private networks, and the VPN server ensures that a reliable route is always available between the two endpoints. One of the routers takes the role of the VPN client by requesting the connection; the other authenticates it and reciprocates, so the tunnel is authenticated at each end. In site-to-site connections the packets sent across the routers are typically not created on the routers themselves but on clients connected to them.

PPP (Point to Point Protocol)

For those of us who grew up with a selection of cables, leads and analogue modems, PPP was a very common protocol. It was developed within the internet community to encapsulate and transmit IP data across all sorts of links, initially serial point-to-point ones. The other popular scheme, and to some extent the two were interchangeable, was SLIP (Serial Line Internet Protocol). Although SLIP came first, PPP became far more common, mainly because it could carry other network protocols as well. The main advantage was the ability to carry IPX, which let it function in Novell networks for example.

PPP is extremely adaptable and allows connections between routers and hosts in any combination. In its earliest guise, though, it was most commonly used for internet connections over dial-up telephone lines. Most modem software offered the user a choice of SLIP or PPP, with the latter normally the default.

Using PPP the home user would dial into a server run by their ISP over the telephone line. After the modem established the connection, the PPP session would authenticate the user to check the account. This part of the process also assigned an IP address to the user's computer, which is essential for communicating across the internet; every web-based activity, from browsing a page to watching UK TV in the USA, needs a valid IP address assigned to your computer or device.

Once this exchange has taken place the user's computer is effectively an extension of the ISP's IP network, just as if it were connected with an Ethernet cable plugged into a port. The serial port and modem have exactly the same role as any other network card plugged into the network.

To encapsulate higher-level protocol data and transmit it, PPP uses a simple framing method. Using this framing PPP can carry data over a physical link in both asynchronous and synchronous modes; it sits above the physical layer and relies on a serial communication mechanism underneath. The data link layer uses an HDLC-like frame structure, and a Link Control Protocol (LCP) establishes and manages the link once frames can be exchanged. LCP also negotiates the encapsulation options, maximum packet sizes and any compression that may be available.

The other important function is of course user authentication, primarily with simple usernames and passwords (PAP, or the challenge-based CHAP). LCP can accept or reject packets based on any of these criteria and manages the configuration options. A Network Control Protocol is then used to configure each network protocol carried over the link and the data transferred between the two hosts. Remember there is no client/server model: both ends of the connection are considered equal, and the protocol itself manages the connection rather than either endpoint.
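
The framing described above, as an added example that is not from the original article: it builds a PPP frame in HDLC-like framing (flag, address 0xFF, control 0x03, protocol field, payload, 16-bit FCS), escapes the bytes that would otherwise be mistaken for framing, and checks a received frame's FCS using the constant 0xF0B8 that a correctly framed frame always yields. The CRC polynomial and constants are those of RFC 1662, the protocol numbers for IP and LCP are the standard assigned values, and the payload is constructed.

```python
# PPP in HDLC-like framing (RFC 1662):
#   7E | FF | 03 | protocol (2 bytes) | information | FCS (2 bytes, low byte first) | 7E
FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03
ESCAPE = 0x7D
PPP_INIT_FCS16 = 0xFFFF   # starting value of the FCS register
PPP_GOOD_FCS16 = 0xF0B8   # value the FCS register holds after a correct frame
PROTO_IP = 0x0021         # standard PPP protocol numbers
PROTO_LCP = 0xC021


def _make_fcs_table():
    """Table for the reflected CRC-16 with polynomial 0x8408 used by PPP."""
    table = []
    for b in range(256):
        v = b
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table


FCS_TABLE = _make_fcs_table()


def fcs16(data, fcs=PPP_INIT_FCS16):
    """Run the FCS register over `data`, starting from `fcs`."""
    for byte in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def escape(body):
    """Byte-stuff the flag, the escape byte and control characters (default ACCM)."""
    out = bytearray()
    for b in body:
        if b in (FLAG, ESCAPE) or b < 0x20:
            out += bytes([ESCAPE, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def unescape(data):
    out = bytearray()
    it = iter(data)
    for b in it:
        if b == ESCAPE:
            try:
                out.append(next(it) ^ 0x20)
            except StopIteration:
                raise ValueError("truncated escape sequence")
        else:
            out.append(b)
    return bytes(out)


def build_frame(protocol, payload):
    """Encapsulate `payload` for the given PPP protocol number into a complete frame."""
    body = bytes([ADDRESS, CONTROL]) + protocol.to_bytes(2, "big") + payload
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])   # FCS is transmitted low byte first
    return bytes([FLAG]) + escape(body) + bytes([FLAG])


def parse_frame(frame):
    """Return (protocol, payload) or raise ValueError for bad framing or a bad FCS."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag bytes")
    body = unescape(frame[1:-1])
    if len(body) < 6 or body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("bad address/control field")
    if fcs16(body) != PPP_GOOD_FCS16:
        raise ValueError("FCS check failed")
    protocol = int.from_bytes(body[2:4], "big")
    return protocol, body[4:-2]


if __name__ == "__main__":
    frame = build_frame(PROTO_IP, b"\x45\x00\x00\x7e\x7d\x11hello")   # constructed payload
    print(frame.hex())
    print(parse_frame(frame))
```

Note that the FCS is computed over the unescaped body and the escaping is applied afterwards, so the receiver must reverse the stuffing before checking the FCS; the 0xF0B8 shortcut works because running the register over the body plus its own (inverted) FCS always lands on that constant, which saves recomputing and comparing the two bytes separately.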

BBC Blocking VPNs – http://www.iplayerabroad.com/2017/04/07/bbc-iplayer-blocking-vpn-2017/

Do I Need a Residential or Datacenter IP Address

For many people there is a strong requirement to mask their true identity and location online. It might be for privacy reasons, perhaps to keep safe, or simply because you don't want anyone logging everything you do online. There are other reasons too: using multiple accounts on websites, IP bans for whatever reason, or simple region locking (no, you can't watch Hulu on your holidays in Europe). The solution now usually revolves around hiding your IP address using a VPN or proxy as a minimum.

Yet the choice doesn't end there. Proxies are pretty much useless now for privacy and security; they are easily detected when you log on and, to be honest, of very little use any more. VPN services are much better, yet even here it is becoming more complicated to access media sites, for example. The problem now is not the technology but the originating IP address. Addresses are classified into two distinct groups, residential and commercial, and most websites can tell them apart.

A residential IP address is one that appears to come from a domestic account assigned by an ISP. It is by far the most discreet address to use if you want to keep completely private. Unfortunately these addresses are difficult to obtain in any numbers and tend to be very expensive. The bottom line is that the majority of people hiding their true IP address, for whatever reason, do it using commercial addresses rather than residential ones.

Most security systems can easily detect whether you are using a commercial or a residential VPN provider; how they use that information is less certain. At the bottom of the pile for security and privacy are datacentre proxy servers, which add no encryption layer and are tagged with commercial IP addresses.

Do I really need a residential VPN IP address? That depends on what you are trying to achieve. For running multiple accounts on things like Craigslist and iTunes, residential is best. If you want to access the US version of Netflix like this, you will definitely need a residential address: Netflix last year filtered out all commercial addresses, which means very few VPNs work any more, and you can't watch Netflix at work either.

If you just want to mask your real IP address then a commercial VPN is normally enough. The security is fine and no one can determine your true location, although they can tell you're not a home user if they check. People who need to switch IPs for multiple accounts, or who use dedicated tools, will probably be best advised to investigate the residential IP options.

Using a Syslog Server

Most networks of any size need some system for storing and managing their log files. Most network devices produce logs, and many of them contain a lot of useful information. Without a way of analysing and reporting on this data, though, logging simply becomes another system administration chore with little or no benefit.

One of the oldest methods of centralising these system messages and logs is a syslog server. Syslog messaging originated on UNIX systems for the logs produced by network devices, applications and operating systems. Most modern network devices can be configured to generate syslog messages which are picked up by a server; the messages are normally transmitted over UDP to a server running a syslog daemon that accepts them. Bear in mind that UDP delivery is unacknowledged and unauthenticated, so messages can be lost or forged silently; where the device supports it, send logs you might rely on in an investigation over TCP or syslog over TLS instead.

Over the years more and more devices have been produced which can support and generate syslog messages. Despite being a fairly old technology, many firms have moved away from specialised products towards simply using a central syslog server to receive, store and archive messages from network devices. These servers can also raise automatic notifications when specific critical events arrive, for example if an important default gateway becomes unresponsive. This means IT support staff can be made aware of potential issues quickly, often before they affect users directly, or at least with minimal downtime.
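
As an added example (not part of the original article), the following parses syslog datagrams in the RFC 3164 format most network devices send, splits the PRI value into facility and severity, and applies the kind of notification rule described above: escalate anything a monitored device reports at error level or worse, and anything at alert or critical severity from any device. The sample messages, the host names and the monitored-host list are constructed for the example; the collector function at the end is included to show where the parsing sits in a real receiver and is not called by the demonstration.

```python
import re
import socket

# RFC 3164 message: "<PRI>Mmm dd hh:mm:ss HOSTNAME content", where PRI = facility*8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# Constructed datagrams in the style of a router's syslog output; not captured traffic.
SAMPLE_MESSAGES = [
    "<187>Mar 14 02:15:03 core-rtr01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>Mar 14 02:15:04 core-rtr01 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.50 started",
    "<185>Mar 14 02:16:00 fw01 %FW-1-POWER: Power supply 2 failed",
    "garbage that is not syslog",
]


def parse_syslog(datagram):
    """Split one datagram into its fields, or return None if it is not RFC 3164 syslog."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facilities run 0..23, so PRI cannot exceed 23*8 + 7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITIES[pri % 8],
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "message": m.group("msg"),
    }


def should_notify(record, monitored_hosts, max_severity=3):
    """Escalate when a monitored device reports at `max_severity` (3 = error) or
    worse, or when any device reports alert or critical."""
    if record is None:
        return False
    if record["host"] in monitored_hosts and record["severity"] <= max_severity:
        return True
    return record["severity"] <= 2


def triage(datagrams, monitored_hosts):
    """Return (host, severity name, message) for every datagram worth a notification."""
    alerts = []
    for d in datagrams:
        rec = parse_syslog(d)
        if should_notify(rec, monitored_hosts):
            alerts.append((rec["host"], rec["severity_name"], rec["message"]))
    return alerts


def serve(monitored_hosts, bind=("0.0.0.0", 514)):
    """Minimal UDP collector: receive datagrams and print what would be escalated.
    Binding port 514 needs root; nothing here authenticates the sender."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, (src, _) = sock.recvfrom(2048)
        rec = parse_syslog(data.decode("utf-8", errors="replace"))
        if should_notify(rec, monitored_hosts):
            print(f"ALERT from {src}: {rec['host']} {rec['severity_name']}: {rec['message']}")


if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES, {"core-rtr01"}):
        print(alert)
```

On the sample, the interface-down message from the monitored core router (PRI 187: local7, error) and the power-supply alert from the firewall (PRI 185: local7, alert) are escalated, the informational message is stored but not escalated, and the non-syslog datagram is dropped rather than crashing the collector.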

Although there are many other methods of sending and receiving system messages across a network, using syslog has several advantages. For a start it works directly with many reporting tools, and almost all network devices support the syslog message format. This matters because as soon as you have multiple logging formats you face the prospect of installing multiple log servers. That creates a hierarchy which is difficult to support, especially for network support staff who need access to all the logs in order to troubleshoot.

For example, if you have a RAS (Remote Access Server) configured to use a different messaging system from the other devices on your network, you could miss vital pieces of information. Problems on such servers can go unnoticed, and important devices can suffer longer periods of downtime. Many remote users rely on having access through a good VPN service when travelling in order to connect back from remote networks.

If you do have devices which don't support the syslog standard and cannot get rid of them, there are other options. Software like Microsoft's Log Parser can convert many formats into messages that a syslog server can understand.

James Hawkings

Author of a Polskie Proxy
