
VPN Security


This article discusses what a VPN is, why it is necessary, what features a good VPN should have, and how to further lock down your VPN.

What is a VPN? A VPN is a virtual private network: a virtual private communications channel tunneled over the Internet. It is a way to secure communications over the public Internet so that your traffic is not completely exposed and travels over a secure channel. In short, it is a point-to-point connection between a user’s computer and the company’s servers or domain environment.

Why is it necessary? Any corporate network should have a VPN to protect company assets. Remote users can connect virtually from the outside into your corporate network without exposing the company to outside attacks on its network traffic. It is considered a necessity in most corporate network environments.

What are some good features to have?

Support for strong authentication and strong encryption algorithms, integration with anti-virus software and intrusion detection and prevention tools, strong default security for administration and maintenance ports, digital certificate support, logging and auditing support, and the ability to assign addresses to clients on a private network while ensuring all addresses are kept private. A kill switch is also very useful: if the VPN connection is lost, the Internet connection is dropped and the applications in use are shut down as a precaution.

How do you further lock down the VPN? Most Layer 7/next-generation/application-level firewalls such as Palo Alto, Fortinet and Check Point have a built-in VPN solution. The advantage of implementing a firewall-based VPN is that you can force other security features into the solution. For example, you can create a gateway where the user’s remote machine is scanned to see whether it has a software firewall, up-to-date antivirus with recent scans, and up-to-date Windows and Microsoft patches on the operating system; if the machine fails any of these checks it can be blocked from connecting to the VPN tunnel.
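The posture gate just described, as an added example (not code from the original post): the report field names, thresholds and sample hosts are constructed assumptions, not any vendor’s schema. Every failing check is reported, and a missing or unreadable field fails closed.

```python
"""Added example: a posture check of the kind a firewall-based VPN gateway
enforces before admitting a client. Field names, thresholds and the sample
agent reports below are constructed, not a real vendor schema."""
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_AV_SCAN_AGE = timedelta(days=7)
MAX_OS_PATCH_AGE = timedelta(days=35)    # about one monthly patch cycle


def _when(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp from the agent report; None if absent or garbled."""
    try:
        return datetime.fromisoformat(value) if value else None
    except ValueError:
        return None


def evaluate_posture(report: dict, now: datetime) -> tuple:
    """Return (admit, reasons). All failing checks are collected, not just the
    first, so the help desk can fix everything in one pass. A missing or
    unparsable field counts as a failure: the gateway fails closed."""
    reasons = []
    if report.get("host_firewall_enabled") is not True:
        reasons.append("host firewall disabled or unknown")
    if report.get("antivirus_running") is not True:
        reasons.append("antivirus not running or unknown")
    last_scan = _when(report.get("last_av_scan"))
    if last_scan is None or now - last_scan > MAX_AV_SCAN_AGE:
        reasons.append(f"no antivirus scan within {MAX_AV_SCAN_AGE.days} days")
    last_patch = _when(report.get("last_os_patch"))
    if last_patch is None or now - last_patch > MAX_OS_PATCH_AGE:
        reasons.append(f"OS patches older than {MAX_OS_PATCH_AGE.days} days")
    if report.get("pending_critical_updates", 1) > 0:   # unknown => assume pending
        reasons.append("critical OS updates pending")
    return (not reasons, reasons)


def gateway_decision(report: dict, now: datetime) -> str:
    """What the gateway does with the result: connect, or block with the reasons."""
    admit, reasons = evaluate_posture(report, now)
    return "CONNECT" if admit else "BLOCK: " + "; ".join(reasons)


# Constructed sample agent reports and evaluation time.
SAMPLE_NOW = datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)
COMPLIANT_HOST = {
    "host_firewall_enabled": True,
    "antivirus_running": True,
    "last_av_scan": "2024-03-13T22:00:00+00:00",
    "last_os_patch": "2024-03-12T03:00:00+00:00",
    "pending_critical_updates": 0,
}
STALE_HOST = {
    "host_firewall_enabled": True,
    "antivirus_running": True,
    "last_av_scan": "2024-02-01T22:00:00+00:00",    # scan too old
    "last_os_patch": "2024-01-10T03:00:00+00:00",   # two patch cycles behind
    "pending_critical_updates": 3,
}
PARTIAL_REPORT = {"antivirus_running": True}          # agent could not read the rest

if __name__ == "__main__":
    for name, host in [("compliant", COMPLIANT_HOST), ("stale", STALE_HOST),
                       ("partial", PARTIAL_REPORT)]:
        print(name, "->", gateway_decision(host, SAMPLE_NOW))
```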

Another way to improve VPN security is perfect forward secrecy (PFS). With PFS, an attacker who later compromises the long-term secret keys or passwords cannot use them to decrypt recorded historical VPN sessions.

With PFS, each VPN session uses a different encryption key, so in the worst case, where attackers compromise one session key, they cannot decrypt or intercept the other VPN connections/sessions. L2TP over IPsec using IKEv2 for secure key exchange is considered the most secure type of implementation. IKEv2 natively supports PFS.
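To make the PFS property concrete, here is an added example (not from the original post) that contrasts a key exchange without PFS against one with an ephemeral Diffie-Hellman exchange, from the point of view of an eavesdropper who records traffic and later obtains the long-term secret. The 127-bit DH group and the key derivation are toy constructions for illustration; real IKEv2 uses standardized, far larger groups.

```python
"""Added example: why perfect forward secrecy matters. Standard library only;
the DH group below is a toy (constructed for illustration, far too small for
real use) and the key derivation is a simple HMAC-based model."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = 2**127 - 1          # toy Mersenne-prime modulus (illustration only)
G = 3                   # toy generator

LONG_TERM_SECRET = b"constructed-long-term-preshared-key"   # PSK both peers hold


def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte session key from the inputs (length-prefixed, HMAC-SHA256)."""
    mac = hmac.new(b"vpn-session-kdf", digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def session_without_pfs() -> Tuple[bytes, dict]:
    """Session key derived from the long-term secret plus two public nonces.
    Returns (session_key, transcript a passive eavesdropper records)."""
    nonce_i = secrets.token_bytes(16)
    nonce_r = secrets.token_bytes(16)
    key = kdf(LONG_TERM_SECRET, nonce_i, nonce_r)
    return key, {"nonce_i": nonce_i, "nonce_r": nonce_r}


def session_with_pfs() -> Tuple[bytes, dict]:
    """Session key derived from a fresh ephemeral DH exchange. The long-term
    secret only authenticates the public values; the ephemeral private values
    are discarded as soon as the key exists, so nothing stored can recreate it."""
    a = secrets.randbelow(P - 2) + 1           # initiator ephemeral private value
    b = secrets.randbelow(P - 2) + 1           # responder ephemeral private value
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    shared = pow(pub_b, a, P)
    assert shared == pow(pub_a, b, P)          # both sides compute the same secret
    key = kdf(shared.to_bytes(16, "big"))
    auth = hmac.new(LONG_TERM_SECRET, str((pub_a, pub_b)).encode(),
                    hashlib.sha256).hexdigest()
    del a, b, shared                           # ephemeral material erased
    return key, {"pub_a": pub_a, "pub_b": pub_b, "auth": auth}


def attacker_recovers_key(transcript: dict, leaked_secret: bytes) -> Optional[bytes]:
    """An attacker who recorded the transcript and later obtained the long-term
    secret. Without PFS the session key is simply recomputed. With PFS the
    transcript holds only public DH values, so the key cannot be derived
    (it would require solving a discrete logarithm)."""
    if "nonce_i" in transcript:
        return kdf(leaked_secret, transcript["nonce_i"], transcript["nonce_r"])
    return None


if __name__ == "__main__":
    k, t = session_without_pfs()
    print("no PFS, key recovered:", attacker_recovers_key(t, LONG_TERM_SECRET) == k)
    k, t = session_with_pfs()
    print("PFS, key recovered:", attacker_recovers_key(t, LONG_TERM_SECRET) is not None)
```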

Geo Blocking and its benefits


Let’s say your company only does business in Florida or the US; then you may be an ideal candidate for geo-blocking at the firewall level.

How does this work? You would configure the firewall to create a DENY rule/ACL for all non-US countries. You may occasionally have to go in and create an exception for a user, say an executive traveling overseas.

These cases are few, so the temporary rule can be disabled once they are back and their car is parked next to yours in front of the building.

Geo-blocking limits your attack surface immensely, since you are now only dealing with US-based attackers, or those from a limited number of countries. Another advantage of geo-blocking is that a good deal of malicious traffic originates from APAC or Eastern Bloc countries; by stopping it at the gate, it has no chance of doing harm inside.

Geo-blocking works best in combination with strong perimeter security and defense in depth. By itself it is only slightly useful.
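The rule described in this post, modelled in an added example (not from the original post): a default DENY for every country outside the allowed set, plus per-user travel exceptions that expire so the temporary rule cannot quietly become permanent. The country ranges, addresses and user names are constructed sample data, not a real GeoIP feed.

```python
"""Added example: geo-blocking with expiring travel exceptions. GEO_TABLE is a
constructed stand-in for the firewall's GeoIP feed; all addresses are sample data."""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GEO_TABLE = {                                   # constructed: network -> country
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("203.0.113.128/25"): "CA",   # more specific sub-block
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "SG",
}


def country_of(addr: str) -> Optional[str]:
    """Longest-prefix match; None when the address is not in the table at all."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, cc in GEO_TABLE.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


class GeoPolicy:
    """DENY everything not from an allowed country, except explicit, expiring
    per-user travel exceptions."""

    def __init__(self, allowed_countries) -> None:
        self.allowed = set(allowed_countries)
        self.exceptions: List[Tuple[str, str, datetime]] = []   # (user, cc, expires)

    def add_travel_exception(self, user: str, cc: str, now: datetime, days: int) -> None:
        """Temporary rule, e.g. for an executive travelling to country cc."""
        self.exceptions.append((user, cc, now + timedelta(days=days)))

    def purge_expired(self, now: datetime) -> List[Tuple[str, str, datetime]]:
        """Drop and return exceptions whose window has closed (run on a schedule)."""
        expired = [e for e in self.exceptions if e[2] <= now]
        self.exceptions = [e for e in self.exceptions if e[2] > now]
        return expired

    def decide(self, src_ip: str, user: str, now: datetime) -> Tuple[str, str]:
        """Return (action, reason); the reason is what belongs in the firewall log."""
        cc = country_of(src_ip)
        if cc is None:
            return "DENY", f"{src_ip}: no geolocation, failing closed"
        if cc in self.allowed:
            return "ALLOW", f"{src_ip}: country {cc} is allowed"
        for exc_user, exc_cc, expires in self.exceptions:
            if exc_user == user and exc_cc == cc and now < expires:
                return "ALLOW", f"{src_ip}: travel exception for {user} in {cc} until {expires:%Y-%m-%d}"
        return "DENY", f"{src_ip}: country {cc} is geo-blocked"


def run_scenario() -> List[str]:
    """Constructed walk-through: a US user, a German source with and without a
    14-day exception, the same exception used by another user, and after expiry."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    policy = GeoPolicy({"US"})
    actions = [policy.decide("203.0.113.5", "alice", now)[0],        # US: ALLOW
               policy.decide("198.51.100.9", "alice", now)[0]]       # DE: DENY
    policy.add_travel_exception("alice", "DE", now, days=14)
    actions.append(policy.decide("198.51.100.9", "alice", now + timedelta(days=3))[0])  # ALLOW
    actions.append(policy.decide("198.51.100.9", "bob", now + timedelta(days=3))[0])    # DENY
    actions.append(policy.decide("198.51.100.9", "alice", now + timedelta(days=20))[0]) # DENY
    actions.append(policy.decide("10.0.0.5", "alice", now)[0])       # unknown: DENY
    return actions


if __name__ == "__main__":
    print(run_scenario())
```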

What if they do get in? How can we stop the bleeding? Network Segmentation


Network segmentation is highly useful as part of an effective and aggressive defense-in-depth strategy to protect your network. It is based on an idea from military strategy and warfare: in the worst case, where you have a breach, the attackers have very little if any access and you can quickly shut them down.

Think of Russia during World War 2: it was a brutal military strategy but very effective against the Germans. When Germany invaded Russia in the winter of 1941, the Russians in certain areas had burnt down every last building, destroyed all of the animals and plants/trees, dumped all of the water and destroyed the telegraph lines. Not only was that winter brutal, but the attackers had no food, no water, no place to sleep and no lines of communication. It became an empty victory and was an important turning point in the war for the Allies.

Network segmentation works at a similar level: if someone gets in, the security team tries to ensure an empty victory, ideally zero access or very limited access, while the intruders are investigated and kicked out of the network.

Before you can implement network segmentation you need to carefully plan your network architecture to segment groups of users into VLANs. For example, here are some potential VLANs: IT, Engineering, Security, Finance, Accounting, HR, Sales; you can segment by geographic location or office site as well.

Once you have created the VLANs you can further complement this by having the systems team restrict AD access to groups of users. For example, regular users will only have access to certain terminal servers, etc.

This, along with segregation of duties, where the rights of users are highly compartmentalized, especially for privileged accounts, can make your network robust and secure. Your network should be so secure that in the worst case, where an attacker gets in, he never gains access to a privileged account, especially root or Domain/Enterprise Admin, on any system or the network.

Network segmentation/sequestration works if you work it. It also allows for better administration of your assets from a systems and network perspective.


Change Management for the Network Security Team


All mature networks need a regular change management process overseen by a CAB (Change Advisory Board). The Network Security Team is no different.

Any scheduled or even emergency change should be documented and approved by the CAB. In the case of emergency changes or upgrades, the correct procedures need to be followed and all stakeholders advised within a predetermined or reasonable time frame.

For regular scheduled changes the CAB can review the reason for the change, what is changing, who will perform the change, who will be notified, and the rollback procedures, including scripts, all thoroughly documented before implementation. Various security standards such as NIST, COSO and PCI call for regular change management.

The Security Team, as the gatekeeper for many other teams, needs to make sure that it follows its own rules. This can prevent issues in the change implementation, as affected stakeholders from other teams will be able to voice concerns and have their needs addressed before the change occurs.

While not considered “attractive” and perhaps even boring to some, regular change management can greatly enhance the security posture of the Network Security Operations Team and of the company. Documenting, getting the right approvals and following the procedures correctly will make the firm more secure and compliant.

Patching and updating of Network Devices


Most mature security programs monitor the monthly patching of all client hosts and servers. Every single month all machines, whether client or server, whether Windows or Linux, should be fully patched at the OS level. Additionally, applications such as Office, Adobe Flash, Adobe Reader and Java should be patched monthly as well, as historically they have been well-known vectors for malware. This should be followed up by monthly vulnerability scans and follow-up vulnerability remediation scans. For patching there are many good options: WSUS, SCCM, SolarWinds, ManageEngine, Ivanti. For vulnerability scanning the industry standards are Nessus, Qualys and Nexpose.

Patching of security appliances and network devices, however, is a little trickier. The Security Team must use good judgement based on best practices and an intimate knowledge of its own environment when performing or recommending patching. That being said, there are some general guidelines which may be useful. Security appliances and network devices, including firewalls, should be patched immediately for any critical or security vulnerabilities. Most firewalls and AV servers handle the updating of attack signatures and antivirus definitions automatically.

Upgrades to network or security devices should be carefully planned, and you may want to wait one or two versions before updating, unless again the update is critical or fixes a security vulnerability. You should probably never wait six months to patch a system, except in the unlikely event that no vendor patches are available in that time frame; this is very unlikely, as most vendors, from Microsoft to the Linux distributions, release patches monthly, and many security vendors release several patches a year. Sometimes it is hard to keep up, but it is necessary for any security operations team.

Patch, patch, and always patch. This should be the mantra for all mature networks. These patches, though, need to be thoroughly tested and vetted first, especially if they involve a network or security appliance or a server, and in particular SQL. Patches for client machines also need to be tested first.


Many well-known breaches occur because of a failure to patch a known vulnerability. It is a very basic security control included in all standards; whether NIST, ISO, COBIT, COSO, PCI, HIPAA/HITECH, SOX or GLBA, all of them mention regularly updating the systems on your network. Because it is such a basic and powerfully effective control, it is critical that it be implemented in order to improve your security posture.


To keep your network fully protected, don’t ignore or forget to patch the very devices that connect and protect your domain. At the very least you should be aware of what patches are available for all of the machines on your network. Patch, patch and always be patching.

Host Level IDS/IPS Devices


Host-level IDS (Intrusion Detection Systems) or IPS (Intrusion Prevention Systems) are a very powerful way to protect your network.

An IDS or IPS looks at network traffic for irregularities. They can be signature-based, meaning they identify known attack signatures already in the wild, or heuristic/behavior-based. The behavior-based devices produce a great many false positives, while the signature-based ones are almost 100% accurate.

An IPS can block the traffic while an IDS simply alerts on potentially malicious activity, so why not just implement an IPS and both detect and block traffic like a firewall? The reason is that an IPS, in order to work effectively, must be inline, and if it is inspecting traffic deeply this can cause one of two things, or a combination of them: slow traffic, meaning unhappy users, and/or the need for a faster pipe, increasing costs to the business. Also, an IPS, especially if it is heuristic-based, can block legitimate traffic as well, which is not good.

A host-level IPS/IDS typically works by installing an agent on each host to be monitored and looking at the activity of that machine; it can also function based on signatures or behavior patterns. Many small to mid-sized networks have not implemented this due to the high level of false positives from heuristic IPS/IDSs and the potential blocking of network traffic by a host-based IPS.


Also, because it requires an agent installed on the machine, it can lead to performance issues and frustrate users. If you are using a behavior-based IDS/IPS and have not tuned it, you will probably be bombarded with false positives, causing your security team to be unable to respond to most of them and leading to alert fatigue, so that they are not focusing on real threats to the network. You will also have to hire many more engineers for monitoring if you don’t tune these correctly.


Either an IDS or an IPS may work depending on your environment, and one should be an important part of any security program. Most major vendors have good options; the one you choose will depend on your budget and the functionality that you seek.


Network Level IDS/IPS Devices


Network-level and host-level IDS (Intrusion Detection Systems) or IPS (Intrusion Prevention Systems) are a very powerful way to protect your network. Many Layer 7/next-generation/application-level firewalls such as Palo Alto, Fortinet and Check Point can provide deep packet inspection, analyze session-level traffic, filter on applications and work as an IPS/IDS as well.

An IDS or IPS looks at network traffic for irregularities. They can be signature-based, meaning they identify known attack signatures already in the wild, or heuristic/behavior-based. The behavior-based devices produce a great many false positives, while the signature-based ones are almost 100% accurate.

If an IPS can block the traffic while an IDS simply alerts on potentially malicious activity, why not just implement an IPS and both detect and block traffic like a firewall? The reason is that an IPS, in order to work effectively, must be inline, and if it is inspecting traffic deeply this can cause one of two things, or a combination of them: slow traffic, meaning unhappy users, and/or the need for a faster pipe, increasing costs to the business. Also, an IPS, especially if it is heuristic-based, can block legitimate traffic as well, which is not good.

An IDS can use a SPAN (mirror) port on a switch and requires less overhead; also, it will not block legitimate traffic, or any traffic for that matter. If you have a small to mid-sized organization and can aggressively follow up on the alerts from the IDS, this may be a good option.


Either an IDS or an IPS may work depending on your environment, and one should be an important part of any security program. Most major vendors have good options; the one you choose will depend on your budget and the functionality that you seek.


Types of Firewalls


There are three main types of firewalls used on corporate networks: packet-filtering firewalls, application-level firewalls and stateful multilayer inspection firewalls. Circuit-level firewalls also exist, but these are not commonly used; they work at the session layer. Each of these types has certain advantages and disadvantages. Which one you need depends on your specific environment, the type of risk you are comfortable with given your budget and/or business constraints, and the speed your users and business are comfortable with, as implementing a very high-security firewall which does extensive analysis of each incoming and outgoing packet will probably require a much faster pipe, which means additional costs.


Let’s start with packet-filtering firewalls, which are common on very small networks. They filter based on rules or ACLs. These ACLs, or access control lists, are defined based on IP address, protocol type or other characteristics of the TCP/IP packet on ingress to or egress from the Internet. Their main advantage is speed; they carry a very light overhead. The main disadvantage is that they do not support complex rules; also, they only work at the network layer of the OSI model, so they cannot block or allow based on application type.

Application-level firewalls filter based on specific applications. They operate at layer 7 of the OSI model and can work well in many networks. For example, say you wanted to block Facebook or Dropbox: on other types of firewalls this would be difficult, as these applications use many different ports, many of which may not even be documented. Blocking traffic at the application level then becomes useful.

Stateful multilayer inspection firewalls combine the above types of firewalls. They can filter packets based on rules or ACLs or on the type of application, and they can also decide to forward or block packets based on the state of the TCP/IP session. Their major disadvantage is the cost associated with them.
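The practical difference between the packet-filtering and stateful approaches above, shown in an added example (not from the original post) that runs the same constructed traffic through a stateless ACL and a minimal stateful engine. Addresses, ports and the packet sequence are constructed sample data; the inside network is assumed to be 10.0.0.0/8.

```python
"""Added example: packet-filtering ACL vs. stateful inspection on the same
traffic. All addresses, ports and packets are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

INSIDE = ipaddress.ip_network("10.0.0.0/8")     # assumed corporate network


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (from our network) or "in" (from the Internet)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Stateless ACL, evaluated top to bottom: (direction, src_net, sport, dst_net, dport, action).
# To let users reach HTTPS sites, the return path must be opened for *every*
# Internet host sending from port 443, because the filter keeps no memory.
STATELESS_ACL = [
    ("out", "10.0.0.0/8", None, "0.0.0.0/0", 443, "allow"),
    ("in", "0.0.0.0/0", 443, "10.0.0.0/8", None, "allow"),
    (None, "0.0.0.0/0", None, "0.0.0.0/0", None, "deny"),     # explicit default deny
]


def _matches(pkt: Packet, rule) -> bool:
    direction, src_net, sport, dst_net, dport, _ = rule
    return ((direction is None or direction == pkt.direction)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
            and (sport is None or sport == pkt.sport)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
            and (dport is None or dport == pkt.dport))


def stateless_decision(pkt: Packet) -> str:
    """Packet-filtering firewall: every packet is judged on its own header."""
    for rule in STATELESS_ACL:
        if _matches(pkt, rule):
            return rule[-1]
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remembers sessions opened from inside and admits
    inbound packets only when they are replies belonging to one of them."""

    def __init__(self) -> None:
        self.sessions = set()          # (src, sport, dst, dport) opened from inside

    def decision(self, pkt: Packet) -> str:
        if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in INSIDE:
            if pkt.dport == 443:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            return "deny"
        if pkt.direction == "in":
            reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed 4-tuple
            if reply_of in self.sessions and not (pkt.syn and not pkt.ack):
                return "allow"      # a reply, not a fresh connection attempt
        return "deny"


def compare(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Run both firewalls over a sequence; returns (stateless, stateful) per packet."""
    fw = StatefulFirewall()
    return [(stateless_decision(p), fw.decision(p)) for p in packets]


# Constructed traffic: a legitimate HTTPS handshake, then an unsolicited inbound
# packet whose source port happens to be 443, which the ACL cannot tell from a reply.
SAMPLE_TRAFFIC = [
    Packet("out", "10.1.2.3", 51000, "203.0.113.10", 443, syn=True),
    Packet("in", "203.0.113.10", 443, "10.1.2.3", 51000, syn=True, ack=True),
    Packet("in", "198.51.100.7", 443, "10.1.2.3", 445, syn=True),
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE_TRAFFIC, compare(SAMPLE_TRAFFIC)):
        print(pkt.direction, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, verdicts)
```

Only the stateful engine denies the third packet; the stateless ACL has to let it through because its return-path rule matches on the header alone.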


Why Is Perimeter Security so important?


This short article will focus on network and perimeter security and the reason it is so important. First, it is important to emphasize that while network perimeter security is important, defense in depth is necessary to truly secure a network. You don’t want to put all your eggs in one basket. If you think that by having a good firewall you are secure, you should think again, and then hire some experts to help you implement a solid defense-in-depth strategy tailored to your environment.

The first entry point into a network from the OUTSIDE is the firewalls or perimeter defenses. I am emphasizing outside because some studies have shown that up to 80% of breaches involve some insider activity, whether malicious or not: a default password on a router or appliance, a non-complex admin password or a default admin user name are some examples. At the same time, you can’t just leave the gates to the city wide open; you need to block quite a bit of activity if you have even a small to medium-sized organization.

The perimeter is where you would, for example, block incoming traffic such as malformed TCP/IP packets, which could be DDoS patterns, runt or jumbo frames, or other malicious activity that you don’t want coming in.

The more traffic you block the safer you are, with a caveat: if you block everything, people won’t be able to work and the company will be out of business, which means you haven’t done a good job. If you must allow certain traffic, for example web traffic from an APAC or Eastern Bloc country, you can set up compensating controls, such as only allowing it over an authorized VPN connection from a corporate device and a domain user. Additionally, you could set up two-factor or even multi-factor authentication. There are further controls which can be helpful.

The VPN traffic could be restricted to only certain VLANs, not the whole network, so that if the account were compromised the attacker would only have very limited access to the domain. Segregation of duties would also help, especially if this were a privileged account, as a compromise of the account would not yield root or Enterprise Admin access to the entire domain.

The important thing is to block as much as you can while allowing business to flow and keeping the business happy. External traffic should definitely not be allowed to reach an internal server, especially a Domain Controller. This also applies to security appliances and network devices themselves.

You can obviously perform deep packet inspection on all traffic before allowing it in. Certain applications which in the past have proven problematic on corporate networks because they originate phishing traffic or malware, such as Facebook, can also be blocked. If you have a network-level DLP system you can also block Dropbox traffic, but this can very easily be handled by a Layer 7 or application-level firewall as well; however, the DLP is very beneficial as it has increased functionality and is a dedicated appliance.

The perimeter controls what comes into the network and what traffic is allowed out, and as such is a critical piece of the entire defense-in-depth architecture of a solid security program. Perimeter security must be complemented and is not an all-powerful solution in and of itself. Don’t be fooled into thinking that a strong firewall by itself will keep you safe; have a strong firewall and build multiple layers of security, and you will have a strong security posture.

How parents can monitor and protect their children’s online activities


There is an old English saying that an ounce of prevention is worth a pound of cure. Risk avoidance or prevention, protecting your children from harm, is far better than finding out something happened and having to deal with the painful consequences and trauma afterward.

Monitoring your sons’ and daughters’ online activities can prevent most of the harm from beginning in the first place, as can certain preventive technical controls which block some of this activity from occurring. Below are some bullet points on what can be done to monitor and protect your children’s online activities. If you are unsure how to install these technical controls, find a local tech who can help.

1. Never permit your children to use the computer alone, especially in their room; they should be in the living/family room or kitchen, some wide-open space where you and your spouse, if you are together, can monitor their activity. This is especially critical when they are very young.

2. Never allow your children root or administrator access to the computer they use. This will prevent them from downloading and installing files or software that can get them into trouble.

3. Use a good commercial antivirus, not a free product. Many times these free antivirus programs come with adware or tracking cookies that monitor your online activity and then try to sell you stuff, or worse yet malware.

4. Keep the antivirus up to date and run regular automated scans, at least once per week.

5. Most antivirus products come with parental controls; go ahead and configure them.

6. Most browsers also come with parental controls which limit what type of content can be viewed or downloaded online; these should be configured as well.

7. Make sure that you have the username and password for your children’s online accounts and check their chats. You should not question them about every single chat, as they will become anxious and create new accounts that you are unaware of.

Remember, at the end of the day they are children, but if you see something alarming you need to discuss it with them openly. If your spouse is available, both of you should talk and discuss it with your sons and daughters openly.

8. If your children refuse to give you access to their online accounts, make sure that you ground them (no TV, internet, going out, etc.) until they change their mind. Be sure that if you tell them you will do this, you keep your word and ground them; otherwise the next time around you will have little if any credibility with them.

9. Hold them accountable: let them know that you are monitoring their activities, that you are protecting their interests, and that if you see something questionable you will ask them about it.

10. Spend time with them online, watching the news online, etc. Since you and they will be using the computer in an open space, make sure that you talk with them and ask them what they saw that was interesting or new online. What did you learn today? How was your day?

11. Talk to your children and let them know that you genuinely care about them, love them and want to be involved in their lives. Don’t fall into the trap of letting the computer or TV set raise your kids. If you do, you will wake up one day to a big nightmare.

12. Keep your operating system fully patched with the latest updates.

13. Keep all applications, including Office, fully updated.

14. Install a web proxy or web filter on their computer. If you know how to do this, great! If not, again ask a local tech. I realize that this may be beyond the resources of some, but if you follow all the other recommendations above you will be in a strong position to keep your children safe online.

15. Track your child through their phone. Install software to track their online activities and to locate them. Also, I know what I am going to propose next is a little extreme, but children should not have a cell phone until they turn 18. Just avoid the problems altogether.

I realize that this is easier said than done, and that by at least the second year of high school most children will have a cell phone, but it is worth mentioning.

16. Children and social media. Be sure that they understand the risks of posting too much information or private information online. Explain that if they post something too controversial it could hurt their chances of getting into the college of their choice or of finding a job once they graduate.

17. Cyberbullying. Make sure that your sons or daughters realize that they should not bully anyone or allow anyone to bully them. If either of these happens there will be consequences.

18. Social engineering through children. Make sure that your children learn to be discreet and not share personal information about themselves or anyone else, online or offline. A good person is one who can be trusted to hold confidences. Make sure that you teach them to be trustworthy and not to blabber everything online. The internet is not a replacement for a diary or a confession.

19. Are they tracking your children? By monitoring your sons’ or daughters’ online activities you can detect and prevent this from happening in the first place. Remember, an ounce of prevention is worth a pound of cure.
