Saturday, May 21, 2011

Secure Key Algorithms

Public-key cryptography

Public-key cryptography refers to a widely used set of methods for transforming a written message into a form that can be read only by the intended recipient. This cryptographics approach involves the use of asymmetric key algorithms — that is, the non-message information (the public key) needed to transform the message to a secure form is different from the information needed to reverse the process (the private key). The person who anticipates receiving messages first creates both a public key and an associated private key, and publishes the public key. When someone wants to send a secure message to the creator of these keys, the sender encrypts it (transforms it to secure form) using the intended recipient's public key; to decrypt the message, the recipient uses the private key.

Thus, unlike symmetric key algorithms, a public key algorithm does not require a secure initial exchange of one or more secret keys between the sender and receiver. The particular algorithm used for encrypting and decrypting was designed in such a way that, while it is easy for the intended recipient to generate the public and private keys and to decrypt the message using the private key, and while it is easy for the sender to encrypt the message using the public key, it is extremely difficult for anyone to figure out the private key based on their knowledge of the public key.

The use of these keys also allows protection of the authenticity of a message by creating a digital signature of a message using the private key, which can be verified using the public key.

Public key cryptography is a fundamental and widely used technology around the world. It is the approach which is employed by many cryptographic algorithms and cryptosystems.

How it works

The distinguishing technique used in public key cryptography is the use of asymmetric key algorithms, where the key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys—a public encryption key and a private decryption key. The publicly available encrypting-key is widely distributed, while the private decrypting-key is known only to the recipient. Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but parameters are chosen so that determining the private key from the public key is prohibitively expensive.

In contrast, symmetric-key algorithms, variations of which have been used for thousands of years, use a single secret key—which must be shared and kept private by both sender and receiver—for both encryption and decryption. To use a symmetric encryption scheme, the sender and receiver must securely share a key in advance.

Because symmetric key algorithms are nearly always much less computationally intensive, it is common to exchange a key using a key-exchange algorithm and transmit data using that key and a symmetric-key algorithms.

Saturday, March 26, 2011

Smart Card Security

Data Integrity

This is the function that verifies the characteristics of a document and a transaction. Characteristics of both are inspected and confirmed for content and correct authorization. Data Integrity is achieved with electronic cryptography that assigns a unique identity to data like a fingerprint. Any attempt to change this identity signals the change and flags any tampering.

Authentication

This inspects, then confirms, the proper identity of people involved in a transaction of data or value. In authentication systems, authentication is measured by assessing the mechanisms strength and how many factors are used to confirm the identity. In a PKI system a Digital Signature verifies data at its origination by producing an identity that can be mutually verified by all parties involved in the transaction. A cryptographic hash algorithm produces a Digital Signature.

Non-Repudiation

This eliminates the possibility of a transaction being repudiated, or invalidated by incorporating a Digital Signature that a third party can verify as correct. Similar in concept to registered mail, the recipient of data re-hashes it, verifies the Digital Signature, and compares the two to see that they match.

Authorization and Delegation

Authorization is the processes of allowing access to specific data within a system. Delegation is the utilization of a third party to manage and certify each of the users of your system. (Certificate Authorities).

http://www.smartcardbasics.com/smart_card_images/panel4_trust_lrg.gif

Auditing and Logging

This is the independent examination and recording of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.

Management

Is the oversight and design of the elements and mechanisms discussed above and below. Card management also requires the management of card issuance, replacement and retirement as well as polices that govern a system.

Cryptography / Confidentiality

Confidentiality is the use of encryption to protect information from unauthorized disclosure. Plain text is turned into cipher text via an algorithm, then decrypted back into plain text using the same method.

Cryptography is the method of converting data from a human readable form to a modified form, and then back to its original readable form, to make unauthorized access difficult. Cryptography is used in the following ways:

  • Ensure data privacy, by encrypting data
  • Ensures data integrity, by recognizing if data has been manipulated in an unauthorized way
  • Ensures data uniqueness by checking that data is "original", and not a "copy" of the "original". The sender attaches a unique identifier to the "original" data. This unique identifier is then checked by the receiver of the data.

The original data may be in a human-readable form, such as a text file, or it may be in a computer-readable form, such as a database, spreadsheet or graphics file. The original data is called unencrypted data or plain text.The modified data is called encrypted data or cipher text. The process of converting the unencrypted data is called encryption. The process of converting encrypted data to unencrypted data is called decryption.

Data Security Mechanisms and their Respective Algorithms


http://www.smartcardbasics.com/smart_card_images/panel7_dsm_lrg.gif

In order to convert the data, you need to have an encryption algorithm and a key. If the same key is used for both encryption and decryption that key is called a secret key and the algorithm is called a symmetric algorithm. The most well-known symmetric algorithm is DES (Data Encryption Standard).

Symmetrical Encryption

The Data Encryption Standard (DES) was invented by the IBM Corporation in the 1970's. During the process of becoming a standard algorithm, it was modified according to recommendations from the National Security Agency (NSA). The algorithm has been studied by cryptographers for nearly 20 years. During this time, no methods have been published that describe a way to break the algorithm, except for brute-force techniques. DES has a 56-bit key, which offers 256 or 7 x 1016 possible variations. There are a very small numbers of weak keys, but it is easy to test for these keys and they are easy to avoid.

Triple-DES is a method of using DES to provide additional security. Triple-DES can be done with two or with three keys. Since the algorithm performs an encrypt-decrypt-encrypt sequence, this is sometimes called the EDE mode. This diagram shows Triple-DES three-key mode used for encryption:

Symmetric Key (3DES) Encryption

If different keys are used for encryption and decryption, the algorithm is called an asymmetric algorithm. The most well-known asymmetric algorithm is RSA, named after its three inventors (Rivest, Shamir, and Adleman). This algorithm uses two keys, called the private key. These keys are mathematically linked. Here is a diagram that illustrates an asymmetric algorithm:

Asymmetric (Public Key) Encryption

Asymmetric algorithms involve extremely complex mathematics typically involving the factoring of large prime numbers. Asymmetric algorithms are typically stronger than a short key length symmetric algorithm. But because of their complexity they are used in signing a message or a certificate. They not ordinarily used for data transmission encryption.

As the card issuer, you must define all of the parameters for card and data security. There are two methods of using cards for data system security, host-based and card-based. The safest systems employ both methodologies.



Host-Based System Security

A host-based system treats a card as a simple data carrier. Because of this, straight memory cards can be used very cost-effectively for many systems. All protection of the data is done from the host computer. The card data may be encrypted but the transmission to the host can be vulnerable to attack. A common method of increasing the security is to write in the clear (not encrypted) a key that usually contains a date and/or time along with a secret reference to a set of keys on the host. Each time the card is re-written the host can write a reference to the keys. This way each transmission is different. But parts of the keys are in the clear for hackers to analyze. This security can be increased by the use of smart memory cards that employ a password mechanism to prevent unauthorized reading of the data. Unfortunately the passwords can be sniffed in the clear. Access is then possible to the main memory. These methodologies are often used when a network can batch up the data regularly and compare values and card usage and generate a problem card list.

Card-Based System Security

These systems are typically microprocessor based cards. A card, or token-based system treats a card as an active computing device. The Interaction between the host and the card can be a series of steps to determine if the card is authorized to be used in the system. The process also checks if the user can be identified, authenticated and if the card will present the appropriate credentials to conduct a transaction. The card itself can also demand the same from the host before proceeding with a transaction. The access to specific information in the card is controlled by (1) the card's internal Operating System and (2) the preset permissions set by the card issuer regarding the files conditions. The card can be in a standard CR80 form factor or be in a USB dongle or it could be a GSM SIM card.

Threats to Cards and Data Security

Effective security system planning takes into account the need for authorized users to access data reasonably easily, while considering the many threats that this access presents to the integrity and safety of the information. There are basic steps to follow to secure all smart card systems, regardless of type or size.

  • Analysis: Types of data to secure; users, points of contact, transmission. Relative risk/impact of data loss
  • Deployment of your proposed system
  • Road Test: Attempt to hack your system; learn about weak spots, etc.
  • Synthesis: Incorporate road test data, re-deploy
  • Auditing: Periodic security monitoring, checks of system, fine-tuning

When analyzing the threats to your data an organization should look closely at two specific areas: Internal attacks and external attacks. The first and most common compromise of data comes from disgruntled employees. Knowing this, a good system manager separates all back-up data and back-up systems into a separately partitioned and secured space. The introduction of viruses and the attempted formatting of network drives is a typical internal attack behavior. By deploying employee cards that log an employee into the system and record the time, date and machine that the employee is on, a company automatically discourages these type of attacks.


http://www.smartcardbasics.com/smart_card_images/threats_lrg.gif


External attacks are typically aimed at the weakest link in a company's security armor. The first place an external hacker looks at is where they can intercept the transmission of your data. In a smart card-enhanced system this starts with the card.

Security Architectures

When designing a system a planner should look at the total cost of ownership this includes:

  • Analysis
  • Installation and Deployment
  • Delegated Services
  • Training
  • Management
  • Audits and Upgrades
  • Infrastructure Costs (Software and Hardware)

Over 99% of all U.S.- based financial networks are secured with a Private Key Infrastructure. This is changing over time, based on the sheer volume of transactions managed daily and the hassles that come with private key management. Private Key-based systems make good sense if your expected user base is less than 500,000 participants.

Public Key Systems are typically cost effective only in large volumes or where the value of data is so high that its worth the higher costs associated with this type of deployment. What most people don t realize is that Public Key systems still rely heavily on Private Key encryption for all transmission of data. The Public Key encryption algorithms are only used for non-repudiation and to secure data integrity. Public Key infrastructures as a rule employ every mechanism of data security in a nested and coordinated fashion to insure the highest level of security available today.

Securing Remote Desktop for Windows XP


Remote Desktop, Unsafely

Many people use the Windows XP Professional remote desktop feature to gain easy access to their home PCs. But opening up a connection to an administrator account on your system is very dangerous. Just by opening the port on my firewall I received several logon attempts, from various countries, within a week. Free tools exist that assist hackers with breaking into Windows Remote Desktop connections. Fortunately there are a few simple steps you can take to protect yourself:

Remote Desktop, Safely

Limit users who can log on remotely

First, only allow certain users remote desktop access. Go to the Control Panel, then system, then the Remote tab.

Screen shot showing remote desktop control panel tab

From there, enable "Allow users to connect remotely to this computer." Then, click "Select Remote Users."

Screen shot showing remote desktop screen

Here, add only the users who you want to be able to log in remotely. If you are super-secure, you can set this to a standard user account, and force yourself to run as a normal user. This is a very difficult way to run Windows since many applications assume the user has Administrator rights, so I leave that decision up to you.

Unfortunately for you, that setting didn't do a thing! You will find that you can still log on as any administrator account. To make things complicated, Microsoft defaults to the least secure setting possible while hiding this fact from the user. You will need to go to another location to change the real list. Click Start - Programs - Administrative Tools - Local Security Policy. If you can't find it, you can also do Start - Run - enter "%SystemRoot%\system32\secpol.msc /s" - Ok.

Screen shot showing local security settings

Under Local Policies - User Rights Assignment, there is a line that says "Allow logon through Terminal Services." And just next to it is "Administrators, Remote Desktop Users." Aha! Too bad it didn't show "Administrators" in the other screen. Double-click this setting and remove "Administrators." If you want an administrator to have access, just add them explicitly through the other screen.

Screen shot showing Terminal Services users

Set an account lockout policy

There are already tools that will use brute-force to guess passwords and log-on remotely. You cannot stop this, but it can be minimized by setting an account lockout policy. If someone tries to guess the password, then after a few guesses they will be locked out for a period of time. This can make hours or days of guessing become centuries. That makes it infeasable to brute-force into your system.

From the same Local Security Policy screen from before, go to Account Policies - Account Lockout Policy.

Screen shot showing a minimal account lockout policy

Account lockout threshhold: This is the number of failed logon attempts before the user is locked-out. Three is usually sufficient to indicate someone is trying to break in.

Reset account lockout counter after: For a typical home system, set this setting to be the same as the Account Lockout Duration below.

Account lockout duration: This is how long the user will be unable to logon after several failed attempts. Even a few minutes will significantly reduce the possibility of a remote brute-force attack. For a home system, any more than a few minutes can be frustrating. You may come home to find your account is locked-out because of some joker guessing passwords. Adjust the setting to your own tolerance. Setting this value to zero means to lock the account until it is manually unlocked.

To manually unlock an account you must logon as another administrator user (preferably one without remote desktop access). Then go to Start - Programs - Administrative Tools - Computer Management - Local Users and Groups. Click on the individual user and uncheck the "account is disabled" check box. You may then log on as that user.

Screen shot showing the 'Account is disabled' checkbox on the user property page

Require Passwords and 128-Bit Encryption

For compatibility with older, weaker, less-secure clients, Windows XP defaults to allowing minimal or no encryption on remote desktop connections. If you are connecting with older software, upgrade it. If you are connecting with the PocketPC Terminal Services Client, then this setting won't work for you since that client does not support high encryption. :-(

Click Start - Run - "%SystemRoot%\system32\gpedit.msc /s" to get to the Group Policy Editor. I don't know how to get there any easier than that, so you might want to add an icon for it to your Administrative Tools.

From here, go to Computer Configuration - Administrative Templates - Windows Components - Terminal Services - Encryption and Security.

Screen shot showing Terminal Services Security settings in the Group Policy

You can change the "Set client connection encryption level" from "Not Configured" to "Enabled" and "High Level" to force the client to use 128-bit security. This protects your passwords as well as anything transmitted during your terminal service session.

Enabling "Always prompt client for password upon connection" prevents the remote user from saving the password on the client computer and avoiding the password prompt. Saving passwords is generally a dangerous setting since the password is now on another computer, and because it allows the user to forget it.

Change the TCP Port

You can move the terminal services port from 3389 to another port by changing the registry key at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

You will then need to specify the port when you connect to your system. Connect with something like "my.computerathome.com:1234" instead of "my.computerathome.com"

IP Address White List

Windows Firewall allows you to limit which IP addresses have access to remote desktop. To do this, open the Control Panel and run Windows Firewall. Select the Exceptions tab and make sure "Remote Desktop" is checked.

Windows Firewall control panel screen shot

Click the "Edit" button and you will see a list of TCP ports. Windows Firewall assumes that Remote Desktop lies on port 3389. If you changed the port number, you will need cancel this screen and instead click "Add Port" and create a entry with the port number you used.

Windows Firewall TCP port screen shot

Click the "Change Scope" button. From this screen, you can limit to the local network, or to a specific set of IP addresses.


Saturday, March 19, 2011

Dual WAN Firewall to Increase Network Security

A peep into Internet World: Security Issues

Corporations of various domains like banking and finance, software engineering, stock market and trading, online shopping, media and entertainment, ecommerce have been computerized and they need Internet connection to control their network.

When a network (let it be LAN, WAN or MAN) is connected to Internet, it is implicit that the system is prone to information theft and security becomes an issue overall. Internet allows internetworking between LANs and WANs enabling remote access and control over the network from remote location. Refer (To see Figure Internet users and Firewall Security) to observe how firewall works in a network.

Internet users and Firewall Security

Anybody can hack your information when the sensitive data traverses across the network, which fuels hacking, cybercrimes and information theft. Data loss is very expensive that it is becoming unbearable to a huge extent at times of business collapse. Preventive measures is on the road to secure information and a new method “Firewall” was established to control network traffic and ‘filtrate’ unauthorized access to interfere into your network. With wan firewall, our hardware drives and files kept away from virus attacks and restrictions for users allowing only authorized users to access and gain control over your network.

Why do we opt for Firewall?

In general, firewall performs ‘filtration’ by eliminating unauthorized entries and avoids virus flow into network as a preventive action. Other options provided for security are:

  • Password encryption
  • Fingerprint identification
  • Digital Signatures
  • PIC (Personal Identification Code)

Firewall in an organization’s WAN setup

Scenario of Single Firewall:

In general, WAN setup in an organization possesses a single firewall to filtrate unauthorized entries by forming two-network structure: external and internal network. Such networks consist three interface layers with respect to ‘De Militarized Zone’ and ISP (Internet Service Provider).

Interface Layers:

  • Layer 1: The external network of the organization connects with ISP on this network layer. (first interface)
  • Layer 2: The internal network forms the next network layer. (second interface)
  • Layer 3: The DMZ zone forms the last network layer forming last network layer.(third interface)

In a communication network, a single firewall handles entire filtration process and controls the Internet traffic between the above-mentioned layers using the implementation of traffic management techniques. Refer (To see Figure Firewall in an organization’s WAN setup) for a firewall implementation in an organization’s network.

With the existence of a single firewall, the entire internet traffic takes place between DMZ, external and internal network making it risky as at any point of time the network fails to function (artificial or manmade activities). This scenario necessitates the need of firewall in multiple WANs.

As a preventive act, experts suggest an alternate approach of implementing ‘double firewall’ or ‘dual firewall’ to segregate Internet traffic between the two network layers towards DMZ zone. This is more secure and reduces ‘traffic overload’ and traffic management is on a better scale.

Dual WAN is enabled by connections from two different ISPs connected to their WAN modems (cable modem or DSL type). With the existence of two or multiple connections user can stay connected to internet and each connection acquires a firewall ensuring reliability and security over data transfer and bandwidth optimization (bandwidth increases with multiple internet connections and dual link internetwork modem to ISP connections via two WAN ports)

Configuration:

Configuration of wan firewall is of two types based on their operations:

  • Front-end firewall: Configuration done in first firewall, termed as ‘primary’ as it is intended to handle traffic for ‘De Militarized Zone’ alone.
  • Back-end firewall: Configuration done in second firewall, termed as ‘secondary’ between DMZ and internal network. Traffic management handled for DMZ and internal network.

On comparison, front-end firewall has to manage heavy traffic (as they are located in such a way they handle traffic for DMZ traffic) than back-end firewall that is self-explanatory. Refer (To see Figure Dual Firewall in WAN setup) for dual firewall in a network setup.

Dual Firewall in WAN setup

Firewall Recommendations:

In a network, it is better to use dual firewalls each from different vendors. This becomes effective only when a hacker tries to shatter the primary firewall, the latter firewall can still proceed to work, as it is a tedious task to get through the second firewall. It is highly ‘dangerous’ to fix double wan firewalls from same vendor.

This is a backup activity to handle disasters and attain business process continuity with wide area network optimization and traffic management techniques by implementing two firewalls in a wide area network setup of an organization at an affordable cost (not expensive as to a loss in a business collapse). This is also termed as ‘firewall failover’ as it acts as a ‘backup factor’ over the collapse of first firewall.

Benefits of Dual WAN Firewall:

  • Business security: Business organizations having dual wan firewall avail full benefits by boost up the security level thereby enhancing the network security by protecting the dual wan network with dual firewall
  • Network Computing: use SPI process (Stateful Packet Inspection) that inspects every packet crossing in its network under its control that safeguards network computations.
  • Network Security: To achieve network security, packet data that traverse across network has to undergo two major transformations: encryption and decryption. At the sender side, packet is encrypted using various algorithms like triple DES (Data Encryption Standard), AES(Advanced Encryption Standard) using a key to encrypt and pass the ciphered data to destination. At the receiver end, decryption takes place with a match key of the source to reveal original data, thus maintaining privacy using authentication process.
  • Dual WAN ports: A dual wide area network gigabit router has six ports of which two WAN ports possess 10/100 megabits per second ISP connections (Mbps) and four LAN ports of gigabit power used to connect as a secondary link to the second ISP connection. Such ports enable dual wan gigabit router to handle ‘internet load balancing’
  • Unified Bandwidth Management: Gigabit power (equals one megabyte of computer information) is suitable for critical networks consuming high bandwidth increasing throughput. UBM is very efficient with FatPipe product ‘QoS’ that guarantees ‘correct bandwidth for mission critical applications’, ‘allocating bandwidth thus reducing bandwidth requirements’ as a whole.
  • Quality of Service: As the name entails, QoS involves analysis of what kind of service received from the internet service provider. In general, QoS provides same level of bandwidth allocation to all applications with no bandwidth priorities, leading to over provisioning thus making it ineffective. FatPipe QoS device allocates highest priority for mission critical applications and proceed with ten priority levels’
  • Traffic Optimization: IP network traffic comes under control by prioritization and bandwidth provisioning that is termed as traffic optimization techniques. IP traffic passing through FatPipe QoS undergoes ten priority levels giving granular control over application and associated bandwidth with traffic load balancing to control, shape and optimize real time traffic and maximize utilization of all wan links.
  • Wide Area Network High Availability: Dual WAN setup ensures high level connectivity to ISP and acts as a load balancer managing IP traffic and bandwidth allocation showing high reliability and efficiency with high grade performance as it the best preventive act for disasters and manmade failures.

Thus with two wide area network firewall, any organization can gain full control and access to Internet meeting daily requirements and transactions done with tight security by blocking hackers entry into a network and curb their access to private business data with permission restriction. A dual wan setup assures you with firewall failover, automatic failover and maintains your network status always ‘UP’!

Today’s business world entirely depends on dual factors that are ‘vital’ for any business. One is technology, which uplifts the trade to a higher range and other is modes of communication for information exchange assisted with data transfer. These serve as crucial factors at any cost, which can very well determine the lifespan of business sector.

Looking deep into the first factor, the organizations’ network should be completely equipped with most appropriate technology (tuning with operational environment) in such a way that their network withstands any disaster making the company prolong on the track of progress amidst tough competitions in market.

Why do organizations need Dual-WAN?

Most of the corporate companies work in multiple locations (let it be local, regional, national and international branches) thus expanding their networks where maintenance of huge networks becomes a massive task to perform. Due to the evolution of Internet in business, communication turned to be simpler and business operations have become trouble-free. Using internet, organizations can form a WAN (Wide Area Network) with shared users irrespective of geographical location. Therefore, business via Internet has become beneficiary on a large scale.

Let us see an example to illustrate the necessity of ‘dual wan’. Assume company X has its LAN interconnected with its scattered branches through Internet or WAN links. This is possible with single ISP (Internet Service Provider) connection, which is a usual scenario.

When the LAN has access to WAN, security over transactions and data protection becomes a question (?) as they are prone to danger due to exposure and anyone can hack the data and information theft can be done on a large scale which may lead to network failure. It is highly unaffordable to bear the loss of communication and information theft.

Is Dual-WAN obligatory?

Sudden crisis arise when network is jammed with IP traffic and users post multiple requests at the same time slice. There is no assurance that the single ISP connection will work always. In such cases ‘Dual WAN’ effectively turns to be the best measure to overcome failures with affordable cost.

As the name implies, Dual-WAN refers to the network encompassing two internet / widea area network connections using one or more routers to work. Dual-WAN links connects your networks via two separate modems or routers (cable modem or DSL modem) for dual ISP connections. Here WAN modem M1 stays in ‘active’ state and WAN modem M2 takes over the operations only when M1 fails. The purpose of Dual WAN is effective and efficient in current scenario and the reason is self-explanatory.

What is so special about two wide area network links?

Two WAN or Internet links related technological complete details are put forth with several striking features of which few require significance to mention:

  • Automatic failover
  • Redundancy with Dual WAN links
  • Virtual Private Network
  • Increased security
  • Load balancing
  • Firewall like functionalities
  • Traffic Optimization & Acceleration
  • Unified Bandwidth Management
  • Business Process Continuity & Disaster Recovery

Web Application Firewall (WAF) Deployments

1. Simple single-homed Profense implementation


Simple single-homed Profense implementation

Figure Simple single-homed Profense implementation

This scenario is the easiest to implement, since Profense can be introduced in the already established network without any major reconfigurations. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) is using a single Ethernet interface.

Profense is placed on the same network (DMZ) with the web systems web1 and web2) it is protecting.

HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.0.2.

The web systems’ default gateway is unaltered and is still the router with IP address 192.168.0.1.

2. Firewalled single-homed Profense implementation

Firewalled single-homed Profense implementation

Figure Firewall’ed single-homed Profense implementation

This scenario requires an extra interface in the firewall since Profense is deployed in a DMZ-segment separated from the segment in which the web servers are placed. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to web systems) is using a single Ethernet interface.

A separate network segment (subnet 2) is configured between Profense and the firewall.

HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.1.10.

Outbound traffic from Profense to web systems is again inspected by the firewall and sent to the web systems on subnet 3.

The web systems’ default gateway is the firewall with IP address 192.168.0.1.

3. Firewalled Profense implementation with a fail-over/backup Profense

Firewalled Profense implementation with a fail-over/backup Profense

Figure Profense implementation with a fail-over/backup Profense

In this scenario Profense is deployed in a high avalibility configuration with an extra Profense (backup) used for fail-over. A dedicated network or crossover cable is used to connect the Profense cluster and a separate interface is used for synchronization of various information between the active and the backup Profense. Inbound and outbound traffic share the same interface.

The two Profense systems share a virtual (VIP) IP address 192.168.1.12.

HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s VIP address 192.168.1.12.

In case the active Profense system fails or looses the connectivity, the backup will take over the VIP and start handling the requests from clients.

The web systems’ default gateway is the firewall with IP address 192.168.0.1.

4. Dual-homed performance optimized Profense implementation


. Dual-homed performance optimized Profense implementation

Figure Dual-homed performance optimized Profense implementation

In this scenario Profense is configured in a dual-homed setup with separation of inbound and outbound web traffic. 2 Ethernet interfaces are utilized. Client requests are terminated in VLAN2 and responses from web systems are terminated in VLAN3. This setup (or similar) potentially provides greater performance (since 2 interfaces are used) and security.

A separate network segment (VLAN2) is configured between Profense and the layer 3 switch.

HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.1.9.

Outbound traffic (downstream) from Profense is sent to web systems via VLAN3.

The layer 3 switch is configured only to allow traffic on the necessary ports (typically 80/tcp for HTTP and 443/tcp for HTTPS to pass from Profense to the web systems.

The web systems’ default gateway is the layer 3 switch with IP address 192.168.0.1.

Firewall Implementation Diagramatically






Firewall in an organization’s WAN setup











Sunday, March 6, 2011

Wireless Intrusion Prevention System

In computing, a wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).

The primary purpose of a WIPS is to prevent unauthorized network access to local area networks and other information assets by wireless devices. These systems are typically implemented as an overlay to an existing Wireless Lans infrastructure, although they may be deployed standalone to enforce no-wireless policies within an organization. Some advanced wireless infrastructure has integrated WIPS capabilities.Large organizations with many employees are particularly vulnerable to security breaches caused by rogue access points. If an employee (trusted entity) in a location brings in an easily available wireless routers, the entire network can be exposed to anyone within range of the signals.

Intrusion detection

A wireless intrusion detection system (WIDS) monitors the for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the radio sprctrum used by Wireless Lan's and immediately alerts a system administrator addess whenever a rogue access point is detected. Conventionally it is achieved by comparing the MAC address of the participating wireless devices. Rogue devices can spoof MAC address of an authorized network device as their own. New research uses fingerprinting approach to weed out devices with spoofed MAC addresses. The idea is to compare the unique signatures exhibited by the signals emitted by each wireless device against the known signatures of pre-authorized, known wireless devices

Intrusion prevention


In addition to intrusion detection, a WIPS also includes features that prevent against the threat automatically. For automatic prevention, it is required that the WIPS is able to accurately detect and automatically classify a threat.

The following types of threats can be prevented by a good WIPS: – WIPS should understand the difference between Rogue AP and External (neighbor’s) AP

  • Mis-configured AP
  • Client Mis-association
  • Unauthorized association
  • Man in the middle attack
  • Ad-hoc Networks
  • Mac-Spoofing
  • Honeypot
  • Denial of Service (DOS) Attack
Implementation

WIPS configurations consist of three components:
  • Sensors — These devices contain antennas and radios that scan the wireless spectrum for packets and are installed throughout areas to be protected
  • Server — The WIPS server centrally analyzes packets captured by sensors
  • Console — The console provides the primary user interface into the system for administration and reporting

A simple intrusion detection system can be a single computer, connected to a wireless signal processing device, and antennas placed throughout the facility. For huge organizations, a Multi Network Controller provides central control of multiple WIPS servers, while for SOHO or SMB customers, all the functionality of WIPS is available in single box.

In a WIPS implementation, users first define the operating wireless policies in the WIPS. The WIPS sensors then analyze the traffic in the air and send this information to WIPS server. The WIPS server correlates the information validates it against the defined policies and classifies if it is a threat. The administrator of the WIPS is then notified of the threat, or, if a policy has been set accordingly, the WIPS takes automatic protection measures.

WIPS is configured as either a network implementation or a hosted implementation.

Network & Host Implementation

In a network WIPS implementation, Server, Sensors and the Console are all placed inside a private network and are not accessible from the internet.Sensors communicate with the Server over a private network using a private port. Since the Server resides on the private network, users can access the Console only from within the private network.A network implementation is suitable for organizations where all locations are within the private network.

n a hosted WIPS implementation, Sensors are installed inside a private network. However, the Server is hosted in secure data center and is accessible on the internet. Users can access the WIPS Console from anywhere on the internet. A hosted WIPS implementation is as secure as a network implementation because the data flow is encrypted between Sensors and Server, as well as between Server and Console. A hosted WIPS implementation requires very little configuration because the Sensors are programmed to automatically look for the Server on the internet over a secure SSL connection.

For a large organization with locations that are not a part of a private network, a hosted WIPS implementation simplifies deployment significantly because Sensors connect to the Server over the internet without requiring any special configuration. Additionally, the Console can be accessed securely from anywhere on the internet.

Hosted WIPS implementations are often offered in an on-demand, subscription-based Software as a service model. Hosted implementations are particularly cost-effective for organizations looking to fulfill only the minimum scanning requirements of PCI DSS.

Why Should I Secure My Wireless Network Using Encryption?

All computer security measures slow down, rather than stop, would be hackers. If a network takes longer to crack, the hope is that the hackers will give up and go elsewhere. Wireless networks without encryption make eavesdropping a cinch.

What Can Be Done to Secure a Wireless Network?

The two primary areas of concern are eavesdropping and unauthorized access. Encryption algorithms such as WEP and WPA protect against eavesdropping by scrambling data sent over the wireless connection so that only network hosts that have the network shared key or certificates can decrypt the information. WEP and WPA also support authentication in that hosts attempting to connect to the wireless network are denied access unless they can provide the network pre-shared key or authorized certificate.

WEP (Wireless Equivalent Privacy) is the oldest of the wireless encryption standards. WEP depends upon a relatively weak security algorithm using RC4 encryption and shared security keys that are trivial to break. Free applications are available for download on the Internet that can crack WEP encryption in minutes (with no advanced computer skills required). WEP should be considered a last resort for wireless security. If your wireless network only supports WEP encryption, upgrade the wireless hardware and software to equipment that supports the stronger encryption algorithms below.

WPA-PSK (WiFi Protected Access with Pre-Shared Key) provides slightly better security than WEP. WPA-PSK also employs a pre-shared key similar to WEP and still uses the RC4 algorithm for encryption. However WPA improves upon WEP through the use of the TKIP algorithm that generates new keys periodically and also detects tampering when packets have been altered. The theory behind WPA security is that if keys used to secure the network are changed often enough, then by the time the key is cracked, the key has already been replaced by a new key, invalidating the cracked key. So is WPA secure? Not really, as I will explain in a moment.

WPA2-PSK improves upon WPA-PSK by employing the AES encryption algorithm rather than relying upon RC4. AES (Advanced Encryption System) uses the Rijndael encryption algorithm that yet to be cracked outside a lab in real-world networks. WPA2-PSK is highly recommended over the aforementioned algorithms simply because it uses AES.

So what’s the catch? A combination of basic Linux skills and 802.11 wireless network protocol knowledge is all that a hacker needs to access to your wireless network without cracking an encryption algorithms. They can overwhelm the wireless AP/router with a flood of packets so that wireless network hosts lose connection to the AP. When the hosts attempt to associate with the AP again, they capture the four packets sent during host authentication and then use downloaded password cracking software to reveal the passphrase.

Countermeasures

First, always use a complex pass phrase. Include upper case and lower case letters, numbers and special characters in the pass phrase.

Next, the pass phrase should be as long as possible. Using the full 63 character space for WPA is best however if you must keep it simple, make sure it is at least 12 or more characters.

The pass phrase should not employ easy to remember mnemonics such as placing the same numbers before and after a word as there are password crackers designed to break such pass phrases.

Enable MAC address filtering and statically assign IP addresses to MAC addresses if your network (like most) uses DHCP to dynamically assign IP addresses. In addition, configure the DHCP scope to include only IP addresses statically assigned to a network host.

Employ IEEE 802.1x and/or directory server authentication in addition to a wireless encryption protocol. Wireless network clients would be required to associate with a wireless AP and then authenticate with the directory servers before access is granted.

Remember that each security measure takes time for would be hackers to crack. If it takes too long, they will move on to the next target.