Tag Archive for Security

Keeping The Network Clean

In today’s environment of mobile computing and the increasing integration of consumer electronics with the corporate network, it has become a necessity to plan accordingly in order to mitigate the risk this presents.

Whether it be an iPhone or guest laptop connecting via wireless or using an unused network port, brings new challenges to network administrators who need, not only be aware of what is on their network but also prevent an un-managed device from infecting other devices on the network.

The situation grows in complexity in higher education where the inherent open network environment becomes a juggling act balancing network security and open access. Students do not patch and fail to run current anti-virus.

Network Access Control, which is more commonly referred to by the acronym NAC, is the most hyped term in networking today. It’s also one of the least understood.

Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define & implement a policy that describes how to secure access to a network nodes by devices when they initially attempt to access the network[citation needed]. NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed.

The idea behind Network Access Control (NAC) is to implement a set of pre-admission rules and post-admission controls over where users can go and what they can do. Kind of like an in-versed firewall framework on steroids.

What’s important to understand is the Network Access Control (NAC) is not a device or appliance that is dropped in on the network, but rather a structure that needs to be deployed throughout the enterprise network.

The goals that Network Access Control aims to address can be distilled into three categories.

  1. Identity Management – Which includes device registration, authentication and role based access.
  2. Endpoint Compliance – The ability to prevent devices that lack anti-virus, patches or host prevention software from accessing the corporate network to prevent putting other computers at risk.
  3. Policy Enforcement – Provides the ability to enforce company-specific policies in either block, notify or report mode and integration with other solutions to identify and disable unauthorized activities.

Different vendors take different approaches in order to accomplish these goals, were policies are enforced on a pre-admission vs. a post-admission basis, software clients are installed on the users computer vs. scanning those computers in an effort to gather information to automate decision making at the time the policy is enforced, and finally out-of-band vs. in-line solutions.

In 2005 I started experimenting with Network Access Control technology and came across an open-source solution called NetReg.

NetReg is an in-line, pre-admission, client-less Network Access Control solutions. The system sits between the users and the network. Identity management is accomplished by authenticating the user through a website against an LDAP server and storing in a database the username, the IP address assigned and the devices MAC address.

Endpoint compliance is achieved by 2 dynamic DHCP address pools; one for unregistered (unknown hosts) with non-routable IP addresses (network/Internet blocked) and the second for registered (known hosts) with routable IP addresses (network/Internet accessible). A bogus DNS server prevents users from accessing anything but certain websites where a user can download anti-virus and patches for remediation purposes.

Nessus vulnerability scanning software periodically scans devices to determine if these should be quarantined until they have met the established acceptable use policy. If a computer in the unregistered network is found to be non-compliant, it is notified and only when appropriate action has been taken will the computer be assigned a valid routable IP address. If the computer has already been assigned a valid IP address then it is blocked.

Some of the shortfalls of this approach were the inability to determine which patches were missing and firewalled clients are not checked.

Netreg which was originally developed by Southwestern University at Georgetown branched out into several versions and currently the only one being maintained is by Carnegie Mellon here.

Finally is important to note that there is no silver bullet when it comes to security and there are always ways to get around a system. A thought that came to mind was how these products deal with printers, VoIP phones, gaming consoles, etc, when it comes to registration and how by changing one’s MAC address to mimic a VoIP phone or printer vendor would bypass the authentication.

In researching when writing this blog, I came across another open source solutions started in 2007 called PacketFence which I will take a closer look at.

Major Commercial Solutions:

Open Source Solutions:

Sources:

Wikipedia
Gartner Market Scope for NAC 2008

[ad]

Locking Down The Blackberry Network

Early last year India threatened to discontinue Blackberry service if Research In Motion (RIM), the company behind the Blackberry did not allow the Indian Government to monitor the Blackberry network traffic raising serious security concerns. Here are a few articles from PCWorld, InfoWorld, and CNet.

Now president-elect Barack Obama vows to keep his Blackberry despite hacking fears and concerns by the Secret Service.

This will not only be a headache for the Secret Service but its pretty likely that hacking attempts towards the RIM network will increase exponentially.

Generally people just don’t think about the risk that a smart-phone poses, specially if its connected to a Blackberry Enterprise Server. How could my phone be a risk to anyone? Well a smartphone is not just a phone, but rather a miniature computer that is not just capable of making calls but it also an un-metered gateway into the corporate network.

In order to understand what actions to take to protect a smart-phone, in particular the Blackberry you have to understand how it works and how it interacts with the Blackberry Enterprise Server.

Vulnerabilities:

  • Lack of authentication
  • Lack of encryption
  • Lack of mobile code execution controls
  • Difficult to enforce controls
  • Peripheral devices introduce additional vulnerabilities
  • Infrastructure vulnerabilities service specific operating systems, platforms, applications, etc.
  • Small size is prone to theft and loss
  • All devices may not be corporate owned
  • Multiple configurations of the Blackberry Enterprise Server (BES) architecture
  • Limited centralized update mechanisms
  • Limited IT/CIO Control

Sources of Recommended Controls and Security Guidelines:

  • The Vendor (Microsoft, Treo, RIM, etc.)
  • SANS (www.sans.org)
  • NIST has a great publication
  • Other existing guidelines
  • 3rd Party Solutions often fill the gaps

Once the vulnerabilities have been identified we proceed to implement controls and audits.

Controls:

Controls will include policies, standards, practices, procedures, guidelines, awareness, authentication, encryption, and asset management.

Audits:

Once the scope has been defined, allow to review the implementation of policies between the BES, servers, Blackberry devices, and Blackberry desktop agents. Audits also allow the review of configuration and options to ensure that security is not just available but implemented. Additionally configurations pushed down to end devices need to be audited as well.

The infrastructure design and configuration of network components (firewalls, routers, switches, VLANs, etc.) will need to be audited as they play an intricate part of the overall security of the system.

Risk Assessment:

Although this requires additional resources and expertise, its a must in certain environments like corporate or government. A risk assessment will identity security vulnerabilities and provide a 2nd chance to identify all “assets”.

Once this has been completed, validating the risk by performing an “ethical hack” will remove any uncertainty by proving the vulnerabilities identified actually exist.

Conclusion:

Providing documentation on the findings is vital. The documentation required will contain an executive summary, action items and details for system administrators, and a clear and concise report with both the good and the bad findings.

A couple of things that should not fall through the cracks are ensuring that the corrective actions are implementable within the organization and the next audit scheduled.

Sample Policy:

Sample Blackberry Enterprise Server Policy

[ad]

Security Conferences

It is my intention next year to attend at least a couple of security conferences if not more.

Below is a list of the most established and ones I found attractive.

CSI

The largest information security conference on the East Coast is also the only security conference expressly assembling experts to challenge the status quo.

CSI thinks that we should forget about tweaking the status quo. We’re already well into a post-perimeter world but without a consensus on the strategic plan moving forward. It’s time to grapple with the issues and technologies that can radically alter the way security works-now, and in the months and years ahead.

Site Link

Defcon

It’s the largest underground hacker convention in the world!

When: July 31 – August 2, 2009
Where: Riviera Hotel & Casino in Las Vegas, Nevada, USA
Cost: $100 (USD) NB. It’s cash only. (free if you’re a full badge Black Hat attendee)

Site Link

Black Hat

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow’s information security landscape.

When: Various
Where: Las Vegas, Amsterdam, Tokyo, Washington DC
Cost: Varies

Site Link

SecTor

SecTor brings the world’s brightest (and darkest) minds together to identify, discuss, dissect and debate the latest digital threats facing corporations today. Unique to central Canada, SecTor provides an unmatched opportunity for IT Professionals to collaborate with their peers and learn from their mentors. Held at the Metro Toronto Convention Centre in downtown Toronto, SecTor runs two full days. The event features Keynotes from North America’s most respected and trusted experts. Speakers are true security professionals with depth of understanding on topics that matter. SecTor is a must attend event for every IT Professional.

When: October 5-7, 2009
Where: Toronto, Ontario, Canada
Cost: Early Bird: $499, Standard: $749, Full: $999 (CDN)

Site Link

ShmooCon

ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks, One Track Mind. The next two days, there are three tracks: Break It!, Build It!, and Bring It On!.

When: February 6-8, 2009
Where: Wardman Park Marriott, Washington DC, USA
Cost: From $100-$300

Site Link

Chaos Communication Congress

The Chaos Communication Congress is an international, five-day open-air event for hackers and associated life-forms. The Camp features two conference tracks with interesting lectures, a workshop-track and over 30 villages providing workshops and gettogethers covering a specific topic.

When: December 27th to 30th, 2008
Where: bcc Berliner Congress Center, Berlin, Germany
Cost: 130 € – 1500 €

Site Link

Toorcon

ToorCon is San Diego’s hacker conference bringing together the top security experts to present their new tricks of the trade and have fun in the sunny and beautiful city of San Diego.

When: September 2009
Where: San Diego, California, USA
Cost: From $120-$200

Site Link

HITB Security Conference

The main aim of our conferences is to enable the dissemination, discussion and sharing of network security information. Presented by respected members of both the mainstream network security arena as well as the underground or black hat community, this years conference promises to deliver a look at several new attack methods that have not been seen or discussed in public before.

When: Various
Where: Dubai, Malaysia
Cost: Varies

Site Link

Phreaknic

PhreakNIC is an annual gathering in Nashville, TN, for hackers, makers, security professionals, and general technology enthusiasts. Hours upon hours of both informative and entertaining presentations are given by volunteers and many areas are set up with the intent of encouraging socialization.

When: October 2009
Where: Nashville, Tennessee, USA
Cost: $25

Site Link

SANS

SANS provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and networks against the most dangerous threats – the ones being actively exploited. The courses are full of important and immediately useful techniques that you can put to work as soon as you return to your offices. They were developed through a consensus process involving hundreds of administrators, security managers, and information security professionals, and address both security fundamentals and awareness, and the in-depth technical aspects of the most crucial areas of IT security.

When: Various
Where: Various
Cost: Varies

Site Link

Techno Security Conference

TheTrainingCo. is both new and old. As a corporation, it is the culmination of a dream that we have been sharing with people for the past decade. In that sense, it is new. We officially opened our doors in early 1999.
We are old in that the experiences of our senior staff are almost unmatched in their knowledge of the subjects being addressed at our conferences and speaking engagements. Every bit of that hard earned knowledge came as a result of years of highly specialized work and contact with thousands of people. Our two senior members alone bring more than one half of a century of pioneering efforts in the fields of Techno-Security and Cyber-Crime Prevention.

When: May 31 – June 3, 2009
Where: Myrtle Beach, SC, USA
Cost: $895

Site Link

CEIC Conference

CEIC offers lectures and hands-on labs delivered by industry-leading experts, which gives attendees the opportunity to learn the latest techniques and methodologies in computer forensics, eDiscovery, incident response and enterprise investigations.

When: May 17-20, 2009
Where: Loews Royal Pacific Resort, Universal Orlando, USA
Cost: $895

Site Link

IntrusionWorld Conference

The IntrusionWorld Conference & Expo is the forum for business and corporate executives, Industry, government, legal and academic experts that aim to present the state-of-the-art of the practice, emerging technologies in intrusion prevention. Peer-to-peer groups will help us understand the trends and confront the challenges inherent in today’s intrusion prevention technologies, products, systems implementation and risk management. Field practitioners will exchange best practices and lessons learned. Participants will share ideas and expand business and professional contacts during lunch roundtables, workshops, receptions and other activities.

When: May , 2009
Where: Baltimore, MD, USA
Cost: $875

Site Link

The Last Hope

We all knew these days would come. The Last HOPE is the seventh Hackers On Planet Earth conference.

When: July, 2009
Where: Hotel PennSylvania, New York, USA
Cost: $

Site Link

RSA Security Conference

In information security, you’re trained to expect the unexpected. Changes occur in a nanosecond. Stay on top by staying one step ahead — attend RSA® Conference 2008!
Join us for the most comprehensive forum in information security. Come learn about the latest trends and technologies, get access to new best practices, and gain insight into the practical and pragmatic perspectives on the most business critical issues facing you today.
Connect and collaborate. Build your professional network. And mingle with 17,000 of the industry’s best and brightest.

When: April 20-24, 2009
Where: Moscone Center, San Francisco, California, USA
Cost: From $1495 – $3295

Site Link

Info Security Canada

When it comes to your critical information – it’s not a question of if it’s at risk, it’s a question of when. Stay in front of the fast, ever changing information security curve, at Infosecurity Canada 2008, your first and best line of defense.

When: June, 2009
Where: Toronto, Ontario, Canada
Cost: TBD

Site Link

[ad]

Secure Internet Browsing

Just read an article over at Internet News – Which Top Apps Have the Most Security Holes? and to my surprise Firefox was right up there on first place.

I consider myself a pretty safe Internet surfer, doing the obvious and making sure that I do not visit a website that could put my PC at risk.

A long time ago when I started to use Firefox and became a fan hooked on add-ins and tabbed browsing, I decided to continue to use Internet Explorer exclusively for banking. On the Firefox side I also take preventative measures including a couple of add-ins which I think are critical. The first is Adblock Plus and the second is NoScript.

This practice makes even more sense now, although I constantly make sure that I keep up with security updates.

For enterprises, the fact spells trouble — especially since many of these apps slip in without IT knowing. Additionally, the news comes as businesses face growing security threats, punctuated by a slew of recent data breaches, while also contending sharply reduced spending on IT projects.

What is surprising is that Microsoft showed up at number 10 with only Microsoft Windows Live Messenger. I have to say that Microsoft has done a superb job and mastered patch deployment and as long as you have an Internet connection and automatic updates turned on you’re half way there.

Additional measures I have decided not to take is to privatize my Internet browsing. A couple of popular practices are to tunnel your browsing through your home Internet connection in order to prevent your employer from snooping or blocking web traffic and the other is to anonymize the traffic either by going through a proxy or using a product that will rotate source IP addresses every time a connection is made (onion routing), making it virtually impossible to analyze the traffic.

Unfortunately I believe that once you get online, there is really no way to cover your tracks. There is nothing that isn’t traceable and if someone wants to find you bad enough they will so keep it legal.

[ad]