Security, Security and Security...
Mar1K - 3rd September 2009
This is a thread about security and nothing but security...
This thread deals with security on the clients, servers, switches, routers and so on.
It discusses authentication methods, authorization, intrusion prevention, network monitoring, encryption mechanisms and protocols, remote login, firewalls, etc...
There's no such thing as a 100% SECURE and safe network. I, among many others, learned the hard way (luckily it was a test CRM system and not a live one).
Generally, when we watch Hollywood movies, everyone is able to break the firewall in less than 30 seconds. Fortunately, this is not the case; some hacks take months and months of work, and some might get lucky and have a dumb admin at the other end of the cloud.
Below is a logical diagram of what enterprise security looks like (this is not for a 2-man-band business running a chicken shop, this is enterprise). This is not a design...
1- Your first step is always your firewall, your hardware firewall that is, such as Cisco PIX or ASA. Without going into details about ASA (since I am no expert with ASA): firewalls are used to keep intruders out; most firewalls listen on ports on specific IP addresses. They block or allow incoming or outgoing connections from a source to a destination on a specific port. Of course, there is a big limitation here:
Let us consider the scenario:
Port 80 on your firewall is forwarded to your web server (XYZWEB1), which is running a PHP website on Apache with Linux or Windows. Your web server talks to a MySQL database sitting on the db server (XYZDB1) somewhere on your network, but you have not set up authentication for that MySQL database, or you have left the default username/password access enabled.
In this scenario, the firewall is doing its job by mapping port 80 to the web server on the LAN, but can you tell what can be done to your data if you have not set up proper authentication? An attacker can download your PHP files (which usually have 755 rights), read your PHP code and, using the URL, run any query that he likes.
PS: in this scenario, I am assuming authentication is not set up properly, so your db.php looks like this:
<?php
// Insecure example from the post: the password argument is an empty string, so anyone
// who can read this file can connect to XYZDB1 with the same account.
$variablename = mysql_connect("XYZDB1", "username", "") or die('I cannot connect to the database.');
mysql_select_db("mysqldatabase", $variablename);
?>
Generally the fields are hostname, username, password, such as
mysql_connect ("XYZDB1", "username", "password")
So now you know: firewalls are highly overrated; they are great devices but do not understand the presentation/application layer.
(Depending on the vendor, I believe ASAs from Cisco are now filtering frames for headers, but let's not go there for now.)
2- DMZ… DMZ… oh yeah, again, DMZ… in other terms, break your network into pieces. Never, ever, ever have your users and your servers on the same subnet or DMZ. Why??? When two machines are running on the same DMZ, they talk over the switch “usually”. That means they will not route their traffic over your existing routers, NAC policies will not apply, both machines can see each other, talk to each other, sniff traffic (in certain cases), etc… THIS IS DANGEROUS!
Users should not be able to see db servers, for example; they should be able to talk to their databases through their web servers (running queries from the web platform) unless the business need is otherwise.
Typically, in an enterprise you have the following DMZs:
A- Presentation: the presentation DMZ is the web servers' DMZ. This DMZ contains your bastion servers. Nothing should run other than your “customized” web service. No remote access is allowed to this server unless internally over a VPN tunnel. SSH or RDP should not be allowed whatsoever externally, not even on mapped ports. To change settings, you need to log in to the server console. If the server is remote (at the data center) you will need to create a VPN tunnel so you can be a local user on the network. Plug and Play is a big no-no for presentation servers.
B- Data: the data DMZ is the most critical layer. It should not be accessible to users at all (unless running Crystal Reports). The data DMZ contains your databases (SQL Server, MySQL, Oracle, Ingres, Postgres, etc…). Some databases may also consider encryption or hashing, or even encrypting their entire hard drive (if performance is not an issue and the data is very sensitive). DB servers should be allowed to contact presentation servers with valid/strong authentication.
C- LDAP: this DMZ contains your LDAP (Active Directory, eDirectory, OpenLDAP, etc…). This DMZ is shared with users. LDAP is usually also a DNS server; there is no harm in having both running on the same server as long as it can take it (LDAP boxes are usually idle most of the time; they only process authentication requests and authorization requests, depending on the LDAP architecture, so admins prefer to cut the cost down and use the LDAP servers also as file servers, since they are on the same DMZ as the users' one and that would reduce traffic on the routers).
D- Security: anti-virus management tool (not much to talk about there), VPN box (if not integrated with the firewall), intrusion detection, token server and CA servers (if your routers are able to take the traffic, then you would move the CA server from the LDAP DMZ to the security DMZ, which would make more sense). Most enterprises use tokens nowadays. I will go about this briefly later on. This DMZ is contactable by the LDAP DMZ to relay authentication requests, and occasionally by users to enroll certificates on their machines, to get updates pushed to local users' machines and so on.
3- CA servers… Most enterprises use an internal CA server; you should always have your LDAP authenticating with a certificate. Users should be issued certificates to authenticate against their LDAP accounts. When using a certificate, passwords do not travel across the wire in plain text format; they go encrypted. Nevertheless, the delivery of the certificate itself should be done over the LAN when dealing with very sensitive data or accounts.
Consider this scenario: your company just hired a new CFO and he was issued a new laptop. If your CFO goes onto the CA server website and downloads the certificate, anyone on the LAN with access beyond the router can actually listen to his session from the URL hit till the end of the download and get the CFO's private key. The most efficient method of delivering a certificate or a private key is still the old-fashioned way… manually… stick it on a USB key and install it manually at the targeted machine.
4- Intrusion detection… the big kahuna of real-time security. This should always be on the security DMZ, not outside the firewall, never accessible to users, but within a security DMZ that contains the A-V management tool, the PKI or OTP server, etc…
Intrusion detection works “mostly” on logs; one example is Snort. Snort was mainly developed for Linux (it now supports Windows, but please do not ask me about it as I have not set it up for Windows). Snort does something similar to tail -f /var/log/messages and once it identifies 3 false authentication requests for an SSH session (for example) from an IP address, it automatically bans it. The ban is set on the network layer, meaning the IP address will not be able to access any service running on any server protected by that intrusion detection system.
5- Authentication mechanisms: Kerberos, NTLM, NT authentication are methods of the past… authentication has changed dramatically in the past few years to be much more secure and efficient. The best-known token authentication protocols are OTP and PKI.
OTP: one-time password protocol. Widely used in the banking industry. The most reliable authentication and the oldest of them all. It uses a hardware token (most of the time it's a hardware token, sometimes it's a software token loaded on a phone or sent by SMS) to generate a 4- or 6-digit password that changes every 60 seconds (some vendors like RSA and Vasco have algorithms that change by button press + 60 seconds, which complicates the seed greatly, but let us not worry about that). Most OTP servers use challenge-response with the LDAP to process authentication requests.
PKI: relatively new and very expensive. It uses a USB-based token that can have a built-in certificate (private key). It is used for authentication, signing emails, etc… not popular at all as it is expensive and has lots of glitches, but works well with SSO (single sign-on).
6- Syslog servers: the syslog server is one of the very useful tools to trace back network activity. As its name suggests, the syslog server is a machine that logs everything about everyone :). It gathers logs from all servers, switches, routers and users' machines (if configured to do so). 2 major rules for using a syslog server:
1- Secure its location physically. Tampering with logs is a hacker's delight.
2- USE NTP for all your servers and machines. It will make no sense having a syslog without NTP; imagine tracing a login attempt from a router port at 6:21 pm and figuring out that your server is 7 minutes away (a few hundred log lines away from the original attempt).
A few rules to always be aware of:
1- Security is not always expensive; most of the solutions we deploy in enterprises are open source and actually work pretty well.
2- Security is INVERSELY PROPORTIONAL to performance. The more you tighten up your security, the slower your machines/network will get. Consider the scenario of a simple Cisco 1600 series router: the larger the access list is, the slower the router gets.
3- Encryption is not a toy; if you're not familiar with it, do not do it. I've witnessed so many dramas with people encrypting their entire hard drives and losing their private keys. Before you encrypt, get familiar with your environment and the encryption tool.
4- Access rights and file system privileges are just as important as every other aspect, but it's about midnight and I have to wake up at 5:30, so let's talk about this later lol
I will post later about encryption and protocols... I believe we had a moderator that was interested in encryption, so help is appreciated :)
If you find mistakes, please excuse me, I am sleepy :)
Looking forward to hearing your replies
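
As an added example (not code from this thread), here is the log-based threshold logic that section 4 of the post describes: count failed SSH logins per source IP over a sliding window and flag the address for a network-layer ban after three failures. The hostname, addresses and log lines are constructed for the demo; the script only decides, and pushing the actual drop rule to the firewall or router is left to that layer.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the OpenSSH failure line as it appears in /var/log/messages or auth.log, e.g.
#   Sep  3 18:21:07 xyzweb1 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

THRESHOLD = 3          # failures before a ban, as in the post
WINDOW_SECONDS = 600   # failures older than this no longer count towards the threshold


class FailedLoginBanner:
    """Counts failed SSH logins per source IP and decides when an IP should be banned.

    It only decides: applying the ban (a drop rule on the firewall/router, i.e. the
    network-layer block the post describes) is left to that layer.
    """

    def __init__(self, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS, year=2009):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.year = year                     # syslog timestamps carry no year
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban was decided

    def feed(self, line):
        """Process one log line; returns the IP if this line triggers a ban, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None                      # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in self.banned:
            return None
        ts = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self.banned[ip] = ts
            del self.failures[ip]
            return ip
        return None


def scan(lines, **kwargs):
    """Run the banner over an iterable of log lines; returns the banned IPs in order."""
    banner = FailedLoginBanner(**kwargs)
    bans = []
    for line in lines:
        ip = banner.feed(line.rstrip("\n"))
        if ip:
            bans.append(ip)
    return bans


# Constructed sample: one address fails three times within five seconds, the other
# fails three times but spread over twenty minutes.
SAMPLE_LOG = """\
Sep  3 18:21:07 xyzweb1 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep  3 18:21:09 xyzweb1 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep  3 18:21:10 xyzweb1 sshd[2240]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
Sep  3 18:21:12 xyzweb1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Sep  3 18:21:30 xyzweb1 sshd[2250]: Failed password for deploy from 192.0.2.10 port 40130 ssh2
Sep  3 18:40:00 xyzweb1 sshd[2260]: Failed password for deploy from 192.0.2.10 port 40140 ssh2
Sep  3 18:41:00 xyzweb1 sshd[2261]: Failed password for deploy from 192.0.2.10 port 40141 ssh2
"""

if __name__ == "__main__":
    print("10-minute window:", scan(SAMPLE_LOG.splitlines()))
    print("60-minute window:", scan(SAMPLE_LOG.splitlines(), window_seconds=3600))
```

The window matters as much as the threshold: with the 10-minute default only the fast burst is banned, while the slow attempts from the second address only trip the rule when the window is widened to an hour.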

Salmoun - 3rd September 2009
Mark,
Security is not always about authentication, intrusion detection, firewall, etc. Sometimes it is on the architecture level. For example, your network is very insecure because you have one firewall and one router ---> single point of failure.
In addition, you must not forget DRP (Disaster Recovery Plan) or BCP.
As for the DMZ and the different technologies to be used, each enterprise must take into account its business needs in addition to the regulatory requirements.
For the hacking stuff, believe me that in a couple of days you can enter any network. If you operate from the inside, it could be easier. I work on pen testing missions and normally we succeed in a couple of days.
Finally, physical security is also very important (AC, electricity, etc.). Security is not only limited to IT equipment. Imagine that your data center turned off due to an electricity problem; a firewall cannot help you!
Regards,

Mar1K - 4th September 2009
> Originally Posted by Salmoun
> Mark,
> Security is not always about authentication, intrusion detection, firewall, etc. Sometimes it is on the architecture level. For example, your network is very insecure because you have one firewall and one router ---> single point of failure.
Redundancy is not about security; redundancy is high availability.
> In addition, you must not forget DRP (Disaster Recovery Plan) or BCP.
Backup and DR are not about security, they are about business continuity. As per ISO 9001, I think, and by law, if you are a financial company, you must have a DR plan and test it on a quarterly basis. This is not security, this is your entire business :)
> As for the DMZ and the different technologies to be used, each enterprise must take into account its business needs in addition to the regulatory requirements.
True, but in general you would never mix your environments; this was an idea for new techies, not for experts. I do not suggest more than 4 subnets at any time. Traffic can be a bit** to the routers. Again, it's a business-driven decision, but that is the general rule.
> For the hacking stuff, believe me that in a couple of days you can enter any network. If you operate from the inside, it could be easier. I work on pen testing missions and normally we succeed in a couple of days.
I disagree: users do not have physical access to servers, and shutting down power will take off the entire network (if no redundant power supply is available, such as a backup generator). With a good admin and a good design for the back end, even users from the inside will find a hell of a lot of trouble trying to access restricted company resources.
> Finally, physical security is also very important (AC, electricity, etc.). Security is not only limited to IT equipment. Imagine that your data center turned off due to an electricity problem; a firewall cannot help you!
Again, this is about high availability and not security, a different story there. If the data center loses power, not just the firewall goes down; the entire network goes down and the data center would be liable to pay damages :)
I hope that clears it up

nuclearcat - 4th September 2009
Sorry for the criticism :-) Here I go:
> Originally Posted by Mar1K
> 1- Your first step is always your firewall, your hardware firewall that is, such as Cisco PIX or ASA. Without going into details about ASA (since I am no expert with ASA): firewalls are used to keep intruders out; most firewalls listen on ports on specific IP addresses. They block or allow incoming or outgoing connections from a source to a destination on a specific port. Of course, there is a big limitation here:
There is NO hardware firewall. All of them are SOFTWARE firewalls. It is a common mistake. Many Cisco PIX models contain a Celeron x86 processor inside; the trick is just a nice box and their own software.
> In this scenario, the firewall is doing its job by mapping port 80 to the web server on the LAN, but can you tell what can be done to your data if you have not set up proper authentication? An attacker can download your PHP files (which usually have 755 rights), read your PHP code and, using the URL, run any query that he likes.
On a proper web-server setup, PHP and other scripts are offloaded to a separate server over FastCGI.
> So now you know: firewalls are highly overrated; they are great devices but do not understand the presentation/application layer.
There are L7 firewalls, DPI (deep packet inspection). But this is not the main job for them. Btw, it is faulty to set up MySQL authentication in a critical application over a password. PKI/TLS with a proper cryptoprocessor (smartcard, for example) is the answer to the question.
> 2- DMZ… DMZ… oh yeah, again, DMZ… in other terms, break your network into pieces. Never, ever, ever have your users and your servers on the same subnet or DMZ. Why??? When two machines are running on the same DMZ, they talk over the switch “usually”. That means they will not route their traffic over your existing routers, NAC policies will not apply, both machines can see each other, talk to each other, sniff traffic (in certain cases), etc… THIS IS DANGEROUS!
It is not DMZ. Just set up proper ACLs, port security and other features, and in a proper network, even in one segment, no one can sniff anything. ARP/IP spoofing and other techniques are useful only on non-manageable L2 switches or misconfigured manageable switches.
> Users should not be able to see db servers, for example; they should be able to talk to their databases through their web servers (running queries from the web platform) unless the business need is otherwise.
That's right. But actually it is easy to secure this even from the db server directly. But sure, complete isolation is better.
> A- Presentation: the presentation DMZ is the web servers' DMZ. This DMZ contains your bastion servers. Nothing should run other than your “customized” web service. No remote access is allowed to this server unless internally over a VPN tunnel. SSH or RDP should not be allowed whatsoever externally, not even on mapped ports. To change settings, you need to log in to the server console. If the server is remote (at the data center) you will need to create a VPN tunnel so you can be a local user on the network. Plug and Play is a big no-no for presentation servers.
That's wrong. RDP is not secure, that is right. But SSH by itself can do VPN. With proper smartcard key authentication, security policies, and a TPM module (even if the gateway is hacked, the hacker cannot run unsigned binaries) it is secure enough.
> B- Data: the data DMZ is the most critical layer. It should not be accessible to users at all (unless running Crystal Reports). The data DMZ contains your databases (SQL Server, MySQL, Oracle, Ingres, Postgres, etc…). Some databases may also consider encryption or hashing, or even encrypting their entire hard drive (if performance is not an issue and the data is very sensitive). DB servers should be allowed to contact presentation servers with valid/strong authentication.
Total nonsense. Why have a database if you don't care about performance? Keep it in a plaintext file then. Security can be done at the hardware level in the end (encryption) and performance will not be affected.
> C- LDAP: this DMZ contains your LDAP (Active Directory, eDirectory, OpenLDAP, etc…). This DMZ is shared with users. LDAP is usually also a DNS server; there is no harm in having both running on the same server as long as it can take it (LDAP boxes are usually idle most of the time; they only process authentication requests and authorization requests, depending on the LDAP architecture, so admins prefer to cut the cost down and use the LDAP servers also as file servers, since they are on the same DMZ as the users' one and that would reduce traffic on the routers).
LDAP is the Micro$oftish way of managing user permissions. And not the most secure. Better to call it "identity management DMZ".
> 3- CA servers… Most enterprises use an internal CA server; you should always have your LDAP authenticating with a certificate. Users should be issued certificates to authenticate against their LDAP accounts. When using a certificate, passwords do not travel across the wire in plain text format; they go encrypted. Nevertheless, the delivery of the certificate itself should be done over the LAN when dealing with very sensitive data or accounts.
It is not even like this. With a PKI system you have a password only to get access to your smartcard processor. Then the processor will do the negotiation with the certificate server, and will do both-side authentication. It is a bit complicated to explain here. But no password is involved in this... the password is usually used only for accessing the smartcard. Sometimes the password is replaced by (or supplemented with) biometric information.
> Consider this scenario: your company just hired a new CFO and he was issued a new laptop. If your CFO goes onto the CA server website and downloads the certificate, anyone on the LAN with access beyond the router can actually listen to his session from the URL hit till the end of the download and get the CFO's private key. The most efficient method of delivering a certificate or a private key is still the old-fashioned way… manually… stick it on a USB key and install it manually at the targeted machine.
The proper way is not a USB token; the proper way is a smartcard reader.
> Intrusion detection works “mostly” on logs; one example is Snort. Snort was mainly developed for Linux (it now supports Windows, but please do not ask me about it as I have not set it up for Windows). Snort does something similar to tail -f /var/log/messages and once it identifies 3 false authentication requests for an SSH session (for example) from an IP address, it automatically bans it. The ban is set on the network layer, meaning the IP address will not be able to access any service running on any server protected by that intrusion detection system.
Snort doesn't check logs. Snort checks mainly network traffic, and checks it for specific signatures of exploits, brute-force attempts, etc. It is good to set it up on a mirrored port on the switch.
> 5- Authentication mechanisms: Kerberos, NTLM, NT authentication are methods of the past… authentication has changed dramatically in the past few years to be much more secure and efficient. The best-known token authentication protocols are OTP and PKI.
> OTP: one-time password protocol. Widely used in the banking industry. The most reliable authentication and the oldest of them all. It uses a hardware token (most of the time it's a hardware token, sometimes it's a software token loaded on a phone or sent by SMS) to generate a 4- or 6-digit password that changes every 60 seconds (some vendors like RSA and Vasco have algorithms that change by button press + 60 seconds, which complicates the seed greatly, but let us not worry about that). Most OTP servers use challenge-response with the LDAP to process authentication requests.
OTP is VERY insecure, since it is based on the (recently) flawed MD5.
> PKI: relatively new and very expensive. It uses a USB-based token that can have a built-in certificate (private key). It is used for authentication, signing emails, etc… not popular at all as it is expensive and has lots of glitches, but works well with SSO (single sign-on).
It doesn't have glitches and it is VERY well known. But it is not as easy to set up as simple passwords; it needs hardware and knowledge.
Open your cellular. Your SIM card is in fact a smartcard. You have a satellite "pay" TV card? It is a smartcard also. That's the simplest example.
> 6- Syslog servers: the syslog server is one of the very useful tools to trace back network activity. As its name suggests, the syslog server is a machine that logs everything about everyone :). It gathers logs from all servers, switches, routers and users' machines (if configured to do so). 2 major rules for using a syslog server:
> 1- Secure its location physically. Tampering with logs is a hacker's delight.
> 2- USE NTP for all your servers and machines. It will make no sense having a syslog without NTP; imagine tracing a login attempt from a router port at 6:21 pm and figuring out that your server is 7 minutes away (a few hundred log lines away from the original attempt).
syslog is not secure. It needs some modifications to become secure.

nuclearcat - 4th September 2009
Update: OTP, depending on the type, can be secure, if it doesn't use MD5. But the "most known" OTP is not secure anymore.

Mar1K - 5th September 2009
Thank you for the reply, I will get back on each one.
> Originally Posted by nuclearcat
> Sorry for the criticism :-) Here I go:
> There is NO hardware firewall. All of them are SOFTWARE firewalls. It is a common mistake. Many Cisco PIX models contain a Celeron x86 processor inside; the trick is just a nice box and their own software.
Even Juniper adopts x86 architecture. That does not mean the package is not called a hardware firewall; in other terms, an appliance.
> On a proper web-server setup, PHP and other scripts are offloaded to a separate server over FastCGI.
Not true, you would be executing your scripts off the LAN; it's called a bastion server for a reason.
> There are L7 firewalls, DPI (deep packet inspection). But this is not the main job for them. Btw, it is faulty to set up MySQL authentication in a critical application over a password. PKI/TLS with a proper cryptoprocessor (smartcard, for example) is the answer to the question.
I did not go into details about "smart" firewalls; I did not say that I can't go into details about it.
As for setting up authentication for MySQL, it's true, you can use a certificate if your business requires PKI authentication.
> It is not DMZ. Just set up proper ACLs, port security and other features, and in a proper network, even in one segment, no one can sniff anything. ARP/IP spoofing and other techniques are useful only on non-manageable L2 switches or misconfigured manageable switches.
That was an example and not valid in all cases (sniffing); I have mentioned that it could be a threat. By design and by default, security 101 is breaking your network into more than one DMZ. This makes manageability easier.
> That's right. But actually it is easy to secure this even from the db server directly. But sure, complete isolation is better.
True...
> That's wrong. RDP is not secure, that is right. But SSH by itself can do VPN. With proper smartcard key authentication, security policies, and a TPM module (even if the gateway is hacked, the hacker cannot run unsigned binaries) it is secure enough.
Wrong, wrong and wrong... Even Novell admitted that RDP is much, much better than VNC and SSH. RDP was built on ITU-T. Originally it ran without any encryption whatsoever; now, RDP has been tightened up.
To prove my point, download the latest ISOs for SuSE Linux Enterprise Server 11. Notice the RDP support introduced to SuSE now (by Novell).
> Total nonsense. Why have a database if you don't care about performance? Keep it in a plaintext file then. Security can be done at the hardware level in the end (encryption) and performance will not be affected.
I did not say all databases get entire hard drives encrypted. Let me give you an example. Out of all our customers, 1 financial enterprise "out of about 5000 customers" runs a fully encrypted box. That box holds every single credit purchase for their end users. It's one of the largest banks here and THIS IS A REQUIREMENT.
They are still on Oracle 9i, simply because it is too much of a hassle to upgrade.
Typically, 99% of customers do not require encryption; I hope that clears it up :)
> LDAP is the Micro$oftish way of managing user permissions. And not the most secure. Better to call it "identity management DMZ".
Not true, eDirectory existed ages before Microsoft AD; eDirectory also managed user permissions, but the problem is you have to work everything manually... I hate that :)
Besides, most modern enterprises (out of experience) run AD as their LDAP.
> It is not even like this. With a PKI system you have a password only to get access to your smartcard processor. Then the processor will do the negotiation with the certificate server, and will do both-side authentication. It is a bit complicated to explain here. But no password is involved in this... the password is usually used only for accessing the smartcard. Sometimes the password is replaced by (or supplemented with) biometric information.
With PKI, you do not even need a password; I am ready to go through it in here. I run PKI authentication on my test lab in the office. It depends on how you set it up.
You can use a challenge-response mechanism, you can use TLS or CA + password, or you can use CA authentication alone (that is dangerous also; this depends on the IT team's response if the token gets lost, and so many other factors).
> The proper way is not a USB token; the proper way is a smartcard reader.
????? Get out of the cave, man
> Snort doesn't check logs. Snort checks mainly network traffic, and checks it for specific signatures of exploits, brute-force attempts, etc. It is good to set it up on a mirrored port on the switch.
I am running it
> OTP is VERY insecure, since it is based on the (recently) flawed MD5.
MD5??? With OTP? MD5 is ancient... 3DES, AES is the way to go now...
> It doesn't have glitches and it is VERY well known. But it is not as easy to set up as simple passwords; it needs hardware and knowledge.
> Open your cellular. Your SIM card is in fact a smartcard. You have a satellite "pay" TV card? It is a smartcard also. That's the simplest example.
I know what is a smartcard and what's not...
This statement is vendor related. Take SafeNet as an example: PKI is much easier to set up than OTP; if you go RSA/Vasco, OTP is much easier.
HSBC, National Bank of Australia, Commonwealth Bank, etc... all run OTP authentication. It is the MOST secure protocol at the moment; this is not my statement, this is the vendors'/banking industry leaders'/xyz statement. Card readers are dead; when you say USB is not the way to go, you have to be aware that card readers are actually connected to a USB port lol
> syslog is not secure. It needs some modifications to become secure.
You should be careful about those statements... syslog is not secure? syslog is not a security protocol, it's a logging protocol...
Again, happy to debate any of the above points with you as long as we are talking facts.

nuclearcat - 5th September 2009
> Originally Posted by Mar1K
> Even Juniper adopts x86 architecture. That does not mean the package is not called a hardware firewall; in other terms, an appliance.
Well, then I can also do a "hardware" firewall. Juniper, by the way, has something more "hardware" than PIX, but mostly for routing. Usually it is some ASIC that will do the operations that need very high performance. Some implementations do filtering in ASIC or FPGA.
> Wrong, wrong and wrong... Even Novell admitted that RDP is much, much better than VNC and SSH. RDP was built on ITU-T. Originally it ran without any encryption whatsoever; now, RDP has been tightened up.
> To prove my point, download the latest ISOs for SuSE Linux Enterprise Server 11. Notice the RDP support introduced to SuSE now (by Novell).
RDP is a GUI toy. Till version 6.0 it was subject to MitM attack. And the design didn't have security in mind as the first target. It uses RC4 as encryption, and weaker... RC4 is well known to be weak; look at WEP. After 6.0, as far as I know, they use TLS, but no one knows what ciphers they use. Definitely I won't trust such technology.
SSH can do tunnels, port forwarding, secure file copy, and sure X forwarding for GUI. It can verify calling and called points by public keys, supports smartcards, multiple encryption ciphers. It is more a transport than anything else, and that is what is required on a gateway. Sure, over it you can run RDP also. But you cannot run SSH over RDP (except with a window with PuTTY open :-D ). It is also very suitable for low-speed links.
> Typically, 99% of customers do not require encryption; I hope that clears it up :)
I disagree. Information leaks are critical even for a home user. If there is a seamless way to encrypt data, it should be done. At least put a password on the HDD; it is supported by MOST HDDs, and is enough for simple security breach cases.
> Not true, eDirectory existed ages before Microsoft AD; eDirectory also managed user permissions, but the problem is you have to work everything manually... I hate that :)
> Besides, most modern enterprises (out of experience) run AD as their LDAP.
Well, I had hassle also before AD with LDAP, but I don't like it at all. Most small/middle businesses can use something simpler and easier to maintain.
> With PKI, you do not even need a password; I am ready to go through it in here. I run PKI authentication on my test lab in the office. It depends on how you set it up.
A key/smartcard should always be protected by an upper layer. A smartcard can always be lost.
You can use challenge response mechanism, you can use TLS or CA + password, or you can use CA authentication alone (that is dangerous also, this depends on IT team response if the token gets lost and so many other factors).
| There is revocation list for this. Quote:
????? Get out of the cave man | USB tokens can embed smartcard, and there is USB smartcard readers. But prefferable way attached smartcard reader and user with standard smartcard. Quote:
I am running it | I run it before it was sold even to commercials :-) Quote: |
MD5??? with OTP? MD5 is ancient... 3DES, AES is the way to go now...
| Sadly a lot of software using MD5. Don't mix a things, AES/3DES block encryption ciphers. MD5 is hashing(digest) algo. Sure digests built based on block ciphers, but thats not the same. More reasonable alternative looks like SHA* family. Quote: |
HSBC, National bank of australia, Commonwealth bank, etc... all run OTP authentication. IT is the MOST secure protocol at the moment, this is not my statement, this is vendors/banking industry leaders/xyz statement. Card readers are dead, when you say USB is not the way to go, you have to be aware that card readers are actually connected to a USB port lol
| Credit card was "security by obscurity". They knew that, but they use that for millions, because it is cheap. It is more stupidity of managers(or they have in mind to harm customers?) in banks to continue to use that. I am not sure which card my boss uses, but it is smartcard. From business point of view - if you use OTP, ATM machine needs only software modification to support it. Sometimes it is possible even to run on "old" ATM if OTP done over SMS or etc. If you use smartcard chip - it needs heavy hardware and software modification. Thats why banks prefer OTP. Interfacing and "old" machines... they are still creating workarounds, than proper solution.
Regarding USB, it doesn't matter how it is cardreader connected, RS232, over GPIO, or USB... More important - it is standard. USB tokens often have each one his own drivers and etc. Since i am working on embedded solutions - sometimes it is a hell to support this zoo. Quote: |
You should be careful about those statements... syslog is not secure? syslog is not a security protocol, it's a logging protocol...
| Plaintext udp packets. What can be worse?
No integrity verification, and no verification even about dropped packets, Just break connection with syslog server, do ur nasty things with server, and syslog will not notice that. I had real experience when hackers tried to break communication with syslog server by DDoS on syslog port with spoofed ip of logged server. Logs was filled by garbage messages. | | | | | Registered Member
Online Posts: 1,718 Thanks: 205
Thanked 260 Times in 179 Posts
Last Online: 3 Hours Ago Join Date: Sat Feb 2006 | 
6th September 2009
Quote:
Originally Posted by nuclearcat
Well, then I can also do a "hardware" firewall. Juniper, by the way, has something more "hardware" than PIX, but mostly for routing. Usually it is some ASIC that does the operations that need very high performance. Some implementations do filter in ASIC or FPGA.

I totally agree, everybody can bundle a 1U rack mount appliance and call it a hardware firewall. Cisco's power is not the hardware, never was, never will be; their success was the IOS (although old versions got hacked and whacked lol) until something called Juniper appeared. Heck, put a customized Linux kernel on a 1U DL320 G5, print a tag, and you can call it a Playstation firewall.

Quote:
RDP is a GUI toy. Until version 6.0 it was subject to MITM attacks, and the design didn't have security in mind as its first target. It uses RC4 as encryption, and weaker... RC4 is well known to be weak; look at WEP. After 6.0, as far as I know, they use TLS, but no one knows what ciphers they use. I definitely won't trust such technology.

You're going to get me upset here... HMAC rings a bell? I am a Linux person, but when microshi* does something right, I do not try to bash; I take advantage of it. Don't forget, RDP is not their protocol, it's ITU-T, which was open source and still is.
PS: I said getting better, not that they are the most secure tool. To use Terminal Services, you might wanna consider VPN; again, it's cost vs. security, etc...

Quote:
SSH can do tunnels, port forwarding, secure file copy, and of course X forwarding for GUI. It can verify calling and called points by public keys, supports smartcards and multiple encryption ciphers. It is more of a transport than anything else, and that is what is required on a gateway. Sure, over it you can run RDP also. But you cannot run SSH over RDP (except in a window with PuTTY open :-D). It is also very suitable for low-speed links.

My favorite tool is called NX Machine. I totally agree here, WinSCP is a great tool... all over SSH, I totally agree there, but that does not mean RDP is not secure. It is getting better...

Quote:
I disagree. An information leak is critical even for a home user. If there is a seamless way to encrypt data, it should be done. At least put a password on the HDD; it is supported by MOST HDDs and is enough for simple security breach cases.

Bitlocker? lol (joking). I lost track, where were we? Oh yeah, an information leak is critical for everyone, but does that mean customers require encryption? NO, they want their performance; it's called productivity. They prefer to secure their data with other methods (such as the ones we mentioned before). Very few customers are actually willing to spend on the hardware grunt to get performance with encrypted drives.

Quote:
Well, I had hassle with LDAP before AD too, but I don't like it at all. Most small/middle businesses can use something simpler and easier to maintain.

AD and DNS on a Windows box :( Most small businesses cannot afford the services of a Linux guru. That's the sad cycle.

Quote:
Key/smartcard should always be protected by an upper layer. A smartcard can always be lost.
There is a revocation list for this.

That applies to all token authentication...

Quote:
USB tokens can embed a smartcard, and there are USB smartcard readers. But the preferable way is an attached smartcard reader and users with standard smartcards.

The endless debate about token authentication lol. I am a fan of OTP, though USB PKI devices can hold storage encrypted by a private key loaded on the token itself (that is tamper-proofed, cannot be exported, etc...). PKI embedded in USB (with a driver loaded for anywhere deployment) is the future, but it is far, far away from perfect... actually, it's cr*ppy at the moment lol.

Quote:
I ran it before it was even sold to commercial customers :-)

Good for you... I will post some config "soon"

Quote:
Sadly a lot of software is using MD5. Don't mix things up: AES/3DES are block encryption ciphers. MD5 is a hashing (digest) algorithm. Sure, digests can be built on block ciphers, but that's not the same. A more reasonable alternative looks like the SHA* family.

I am not mixing things; keys are generated with triple DES or AES usually, not MD5, which is very well known and weak.

Quote:
Credit cards were "security by obscurity". They knew that, but they use it for millions, because it is cheap. It is more the stupidity of managers (or do they have in mind to harm customers?) in banks to continue to use that. I am not sure which card my boss uses, but it is a smartcard. From the business point of view, if you use OTP, the ATM machine needs only a software modification to support it. Sometimes it is possible even to run on an "old" ATM if the OTP is done over SMS or similar. If you use a smartcard chip, it needs heavy hardware and software modification. That's why banks prefer OTP. Interfacing and "old" machines... they are still creating workarounds rather than a proper solution.

You got the point wrong, you should re-read what I said before. I was not talking about credit cards, I was talking about a big financial institution protecting their DB. I was talking about their internal infrastructure for internal usage, nothing about public usage.

Quote:
Regarding USB, it doesn't matter how the card reader is connected: RS232, over GPIO, or USB... More important is that it is a standard. USB tokens often each have their own drivers and so on. Since I am working on embedded solutions, sometimes it is hell to support this zoo.

Wow, your infrastructure needs some updating... I hope you're not still using COM ports lol, our machines don't even have that interface loool
It's a jungle out there

Quote:
Plaintext UDP packets. What can be worse?

TLS support rings a bell? syslog-ng rings a bell?

Quote:
No integrity verification, and no verification even about dropped packets. Just break the connection with the syslog server, do your nasty things with the server, and syslog will not notice that. I had real experience when hackers tried to break communication with the syslog server by DDoS on the syslog port with the spoofed IP of the logged server. Logs were filled with garbage messages.

That means you had no monitoring system running; if ipchains or Nagios smells a denial of service, Nagios will ring every bell in the company lol. It will get 10 admins on the network tracing the bastards.
Again, no system is perfect and there's nothing called 100% secure; it's what you make of it, and security is most of the time by obscurity, do you agree there?
6th September 2009
Quote:
Originally Posted by Mar1K
You're going to get me upset here... HMAC rings a bell? I am a Linux person, but when microshi* does something right, I do not try to bash; I take advantage of it. Don't forget, RDP is not their protocol, it's ITU-T, which was open source and still is.

It was developed with the ITU standard in mind. It is not ITU. T.128 is actually very generic and was approved in 1998.
HMAC is not PKI. Just integrity verification... it will do fine if someone tries to join in the middle of a session. But just place another windoze with a similar desktop look at the beginning, which will pass your traffic through and let the hacker see all your passwords that you enter over the keyboard. You will notice too late that you are logging in to the wrong box.
I trust only hosts with keys, and if someone pushes a fake host in the middle, I want to know about that the easy way. SSH alerts about that immediately and by default.

Quote:
PS: I said getting better, not that they are the most secure tool. To use Terminal Services, you might wanna consider VPN; again, it's cost vs. security, etc...

VPN is different also.

Quote:
Bitlocker? lol (joking). I lost track, where were we? Oh yeah, an information leak is critical for everyone, but does that mean customers require encryption? NO, they want their performance; it's called productivity. They prefer to secure their data with other methods (such as the ones we mentioned before). Very few customers are actually willing to spend on the hardware grunt to get performance with encrypted drives.

Check ATA security features for a start. But it is definitely security by obscurity if a good tech with tools comes to that.
Next, there are a few HDDs manufactured with AES encryption embedded.

Quote:
AD and DNS on a Windows box :( Most small businesses cannot afford the services of a Linux guru. That's the sad cycle.

The question is WHY they need AD. A proper system needs a one-time setup, if it is not overcomplicated and is well designed. Maybe if the system has "outside" access it needs security updates, but most of them can be automatic. And maybe a new "branch of system" updates yearly.
About small business and the Linux guru... well, for a pilot test I switched my boss to Ubuntu. He is quite happy, and after a few days of explaining things (adapting to the new mail client etc.) he requests help much less than other people who use Windoze. He just uses his software as it is supposed to be used, and doesn't want to make the computer into something other than a working tool. He is quite happy about it also, that it is much more secure than Windows.

Quote:
Wow, your infrastructure needs some updating... I hope you're not still using COM ports lol, our machines don't even have that interface loool

PCs, no, but a lot of hardware is still OK to use it. RS-485 (sure, it is a different thingy) I am using, for example; most "non-IP" manageable telecom equipment is using it. Almost ALL embedded hardware has a serial console in mind, and most of them don't have USB. Over GPIO you can easily implement RS-232, but not other "fancy and new" protocols.

Quote:
TLS support rings a bell? syslog-ng rings a bell?

TLS is a two-way creature. Syslog should be one way.

Quote:
That means you had no monitoring system running; if ipchains or Nagios smells a denial of service, Nagios will ring every bell in the company lol. It will get 10 admins on the network tracing the bastards.

A well designed attack lasts not more than 10 minutes. Admins need that time to log on to their PCs and finish drinking coffee. If it happens at night, I don't know a person who can wake up (even if he is on duty and awake, night is boring stuff...) and have a fresh mind in less than 10 minutes.

Quote:
Again, no system is perfect and there's nothing called 100% secure; it's what you make of it, and security is most of the time by obscurity, do you agree there?

In reality, when I am in a hurry or limited by the situation, yes.
But some projects were done really well.
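The two syslog-over-UDP failure modes argued over above (a flood of garbage lines under a spoofed source host, and a logged host that simply goes quiet once its path to the collector is cut) can both be caught on the collector side, even before TLS transport is available. The Python below is an added example, not code from this thread or from either poster; the log lines, host names (xyzweb1, xyzdb1) and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic BSD syslog shape: "<PRI>Mmm dd HH:MM:SS host tag: message"
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
YEAR = 2009  # BSD timestamps carry no year; pin one for the constructed sample

# Constructed sample (not a real capture): xyzweb1 logs normally, then 60 junk
# lines arrive in ten seconds claiming to be xyzdb1, and xyzweb1 never logs again.
SAMPLE_LINES = (
    ["<38>Sep  6 22:00:%02d xyzweb1 sshd[123]: Accepted publickey for admin" % s
     for s in range(0, 50, 10)]
    + ["<13>Sep  6 22:00:3%d xyzdb1 kernel: AAAAAAAAAAAAAAAAAAAA" % (i % 10)
       for i in range(60)]
    + ["<38>Sep  6 22:10:00 xyzdb1 mysqld: ready for connections",
       "this line has no syslog header at all"]
)

def parse_line(line, year=YEAR):
    """Return a dict for a well-formed line, or None for garbage."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, stamp, host, msg = m.groups()
    ts = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
    return {"facility": int(pri) // 8, "severity": int(pri) % 8,
            "ts": ts, "host": host, "msg": msg}

def find_floods(events, threshold, window=timedelta(seconds=10)):
    """Hosts emitting more than `threshold` lines inside any sliding `window`;
    the value is the peak count seen for that host."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    flooded = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flooded[host] = max(flooded.get(host, 0), end - start + 1)
    return flooded

def find_silent(events, expected_hosts, now, max_gap=timedelta(minutes=5)):
    """Expected hosts whose newest line is older than `max_gap` at `now`, or
    that never logged at all; the value is the last timestamp seen (or None)."""
    last = {}
    for e in events:
        last[e["host"]] = max(last.get(e["host"], e["ts"]), e["ts"])
    return {h: last.get(h) for h in expected_hosts
            if h not in last or now - last[h] > max_gap}

def analyze(lines, expected_hosts, now, threshold=20):
    # Garbage lines are counted rather than dropped silently: a rising count is itself a signal.
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"unparsable": len(lines) - len(events),
            "floods": find_floods(events, threshold),
            "silent": find_silent(events, expected_hosts, now)}

def demo_report():
    """Both checks over the constructed sample, as of 22:12 that evening."""
    return analyze(SAMPLE_LINES, ["xyzweb1", "xyzdb1"],
                   now=datetime(YEAR, 9, 6, 22, 12))
```

Calling demo_report() flags xyzdb1 as flooding (60 lines in one ten-second window) and xyzweb1 as silent since 22:00:40, with one unparsable line counted; in production the same two checks would run on a timer against the collector's live buffer.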
7th September 2009
Quote:
Originally Posted by nuclearcat
It was developed with the ITU standard in mind. It is not ITU. T.128 is actually very generic and was approved in 1998.
HMAC is not PKI. Just integrity verification... it will do fine if someone tries to join in the middle of a session. But just place another windoze with a similar desktop look at the beginning, which will pass your traffic through and let the hacker see all your passwords that you enter over the keyboard. You will notice too late that you are logging in to the wrong box.
I trust only hosts with keys, and if someone pushes a fake host in the middle, I want to know about that the easy way. SSH alerts about that immediately and by default.

HMAC-based TLS means... Terminal Services uses TLS (SSL) certificates based on HMAC. So there's a certificate encrypting the entire session; a man in the middle would see gibberish.
As for decrypting the session, I don't think so. Here is the RFC for TLS (RFC 2246 - The TLS Protocol Version 1.0): RC4 is an option but not mandatory, 3DES is supported. 3DES is the industry standard now (moving on to AES). Heck, it even supports 3DES40 lol. So generate your own certificate, set your encryption level to high, enjoy a fully secured session and waste your entire bandwidth on one single session.
From another view, I like the approach of trusting your own keys, so why not use PKI-based Terminal Services sessions? Better, why not use PKI tokens or card readers if you want, to authenticate your session or fully encrypt your session? I like this approach.

Quote:
Check ATA security features for a start. But it is definitely security by obscurity if a good tech with tools comes to that.
Next, there are a few HDDs manufactured with AES encryption embedded.

Or you can use 3rd party appliances (fiber attached stuff); what matters is that encryption can be done at the hardware level without leaking the data outside. So we do agree here?

Quote:
The question is WHY they need AD. A proper system needs a one-time setup, if it is not overcomplicated and is well designed. Maybe if the system has "outside" access it needs security updates, but most of them can be automatic.

I will have to admit, it simplifies a lot of IT management issues, especially with the group policy stuff. Don't get me wrong, I hate the idea of having a Windows box in a production environment, but AD as LDAP is not that bad (of course if DNS works, which often it does not lol).

Quote:
About small business and the Linux guru... well, for a pilot test I switched my boss to Ubuntu. He is quite happy, and after a few days of explaining things (adapting to the new mail client etc.) he requests help much less than other people who use Windoze. He just uses his software as it is supposed to be used, and doesn't want to make the computer into something other than a working tool. He is quite happy about it also, that it is much more secure than Windows.

Linux is a great back-end OS, but XP still conquers the user's end, especially in enterprise. It's not about usability, since Linux is becoming user friendly bit by bit; it's about application support.
Can you find a Linux version of IFS? Crystal Reports? MYOB? and a zillion other business applications? The problem is not Linux itself, it's application support. We are running a massive marketing campaign called "Green, the color of success" that should be launched this month (for which I will be on the road in all states), trying to bring customers onto SuSE Linux Enterprise Desktop. Still, I do not see Linux in general conquering more than 10% of the enterprise end user market. It is a fact that we are living with and working on changing. First, we need to change the mentality of the big ISVs (independent software developers) and get them to support Linux; then we will talk about further steps. Trust me, Novell is spending millions on this.

Quote:
PCs, no, but a lot of hardware is still OK to use it. RS-485 (sure, it is a different thingy) I am using, for example; most "non-IP" manageable telecom equipment is using it. Almost ALL embedded hardware has a serial console in mind, and most of them don't have USB. Over GPIO you can easily implement RS-232, but not other "fancy and new" protocols.

Again, I do not wish to drift off topic, but my PABX has a USB interface, man. My phone has one, my router(s), heck, even watches have USB support lol... BUY NEW EQUIPMENT (that is the key word lol)

Quote:
TLS is a two-way creature. Syslog should be one way.

The network layer can take care of that.

Quote:
A well designed attack lasts not more than 10 minutes. Admins need that time to log on to their PCs and finish drinking coffee. If it happens at night, I don't know a person who can wake up (even if he is on duty and awake, night is boring stuff...) and have a fresh mind in less than 10 minutes.

Well designed attacks take months of preparation; every security specialist knows that. By the time you prepare your attack, your victim should be well aware and waiting for the incriminating evidence. If you were not aware, got breached, could not protect your logs and kept traces on your routers, switches, boxes and so on, you deserve to be breached. Am I right?

Quote:
In reality, when I am in a hurry or limited by the situation, yes.
But some projects were done really well.

Read Kevin Mitnick's (the most famous hacker ever) book: The Art of Intrusion. (I am happy to email it to whoever wants to read it.)
If you plan your project, you can do really well, but you can never be 100% secure... Never... The Pentagon learned the hard way... This guy even hacked the White House Apache box lol
Technology does not protect you from "social" engineering. What do you think?