<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8724977986344259415</id><updated>2011-10-14T22:30:25.258-07:00</updated><category term='Wireless Security'/><category term='Secure Network Devices'/><category term='Secure Key Algorithms'/><category term='Firewalls'/><category term='Data Security'/><category term='Spywares'/><category term='Malwares'/><category term='Encryption'/><category term='Windows Security'/><category term='Smart Card Security'/><title type='text'>Network Security</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>22</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-7342393912384225222</id><published>2011-05-21T01:25:00.000-07:00</published><updated>2011-05-21T01:39:29.874-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Secure Key Algorithms'/><title type='text'>Secure Key Algorithms</title><content type='html'>&lt;h1 style="text-align: center; color: rgb(0, 0, 0); font-weight: bold;" id="firstHeading" class="firstHeading"&gt;&lt;span style="font-size:130%;"&gt;Public-key cryptography&lt;/span&gt;&lt;/h1&gt;&lt;b&gt;Public-key cryptography&lt;/b&gt; refers to a widely used set of methods for transforming a message into a form that can be read only by the intended recipient. This cryptographic approach uses asymmetric key algorithms: the non-message information needed to transform the message into its protected form (the public key) is different from the information needed to reverse the process (the private key). The person who anticipates receiving messages first creates both a public key and an associated private key, and publishes the public key. When someone wants to send a secure message to the creator of these keys, the sender encrypts it using the intended recipient's public key; to decrypt the message, the recipient uses the private key. &lt;p&gt;Thus, unlike &lt;a href="http://bestofnetworksecurity.blogspot.com"&gt;symmetric key algorithms&lt;/a&gt;, a public key algorithm does not require a &lt;span style="text-decoration: underline;"&gt;secure&lt;/span&gt; initial exchange of one or more secret keys between the sender and receiver; it does, however, require that the sender obtain an &lt;i&gt;authentic&lt;/i&gt; copy of the recipient's public key. 
The particular algorithm used for  encrypting and decrypting was designed in such a way that, while it is  easy for the intended recipient to generate the public and private keys  and to decrypt the message using the private key, and while it is easy  for the sender to encrypt the message using the public key, it is  extremely difficult for anyone to figure out the private key based on  their knowledge of the public key.&lt;/p&gt; &lt;p&gt;The use of these keys also allows protection of the authenticity of a message by creating a digital signature of a message using the private key, which can be verified using the public key.&lt;/p&gt; &lt;p&gt;Public key cryptography is a fundamental and widely used technology  around the world. It is the approach which is employed by many  cryptographic algorithms and cryptosystems.&lt;br /&gt;&lt;/p&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold;" class="mw-headline" id="How_it_works"&gt;How it works&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;p&gt;The distinguishing technique used in public key cryptography is the use of asymmetric key algorithms, where the key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys—a &lt;b&gt;public encryption key&lt;/b&gt; and a &lt;b&gt;private decryption key&lt;/b&gt;.  The publicly available encrypting-key is widely distributed, while the  private decrypting-key is known only to the recipient. Messages are  encrypted with the recipient's public key and can &lt;i&gt;only&lt;/i&gt; be  decrypted with the corresponding private key. 
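&lt;/p&gt;&lt;p&gt;A worked example of such a key pair, added here and not part of the original post: textbook RSA in Python with toy-sized primes, covering key generation, encryption and decryption, the hash-then-sign signature described above, and the factoring step an attacker would need in order to recover the private key from the public one. The prime values, sample messages and function names are this example's own choices; real systems use 2048-bit or larger keys, randomized padding and a vetted library rather than code like this.&lt;/p&gt;

```python
"""Textbook RSA on toy primes: key generation, encryption, decryption and a
hash-then-sign signature.  Added illustration, not code from the post.  The
maths is the real thing; the parameters are deliberately tiny so that every
number fits on screen.  Production RSA uses 2048-bit or larger moduli,
randomized padding (OAEP for encryption, PSS for signatures) and a vetted
library, never a hand-rolled loop like this."""
import hashlib
from math import gcd


def generate_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) from two distinct primes p and q.

    n = p*q is published; d is the inverse of e modulo phi(n) = (p-1)(q-1)
    and stays secret.  Anyone who can factor n can recompute phi(n) and d,
    so the whole scheme rests on n being too large to factor.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt_int(public_key, m):
    """c = m^e mod n.  Deterministic: equal plaintexts give equal ciphertexts,
    which is why real RSA wraps m in randomized padding first."""
    n, e = public_key
    if m not in range(n):
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt_int(private_key, c):
    """m = c^d mod n, because c^d = m^(e*d) = m (mod n)."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_bytes(public_key, data):
    """Toy: one RSA operation per byte.  Every byte is far below n, but the
    ciphertext is a simple substitution of the plaintext bytes."""
    return [encrypt_int(public_key, b) for b in data]


def decrypt_bytes(private_key, blocks):
    return bytes(decrypt_int(private_key, c) for c in blocks)


def _digest_mod_n(message, n):
    """SHA-256 of the message reduced mod n (needed only because our toy n is
    smaller than a 256-bit digest)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Hash-then-sign: s = H(m)^d mod n, computed with the private key."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone with the public key recomputes H(m) and checks s^e mod n."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def recover_private_key(public_key):
    """The attacker's job: factor n by trial division and rebuild d.  Instant
    for a toy modulus, hopeless for a 2048-bit one; that gap is the security."""
    n, e = public_key
    f = 2
    while n >= f * f:
        if n % f == 0:
            p, q = f, n // f
            return (n, pow(e, -1, (p - 1) * (q - 1)))
        f += 1
    raise ValueError("n has no small factor; not a toy modulus")


if __name__ == "__main__":
    public, private = generate_keypair(10007, 10009)   # constructed toy primes
    blocks = encrypt_bytes(public, b"meet at noon")
    print("decrypted:", decrypt_bytes(private, blocks))
    sig = sign(private, b"pay Bob 10")
    print("valid signature:  ", verify(public, b"pay Bob 10", sig))
    print("tampered message: ", verify(public, b"pay Bob 1000", sig))
    print("factoring recovers d:", recover_private_key(public) == private)
```

&lt;p&gt;With 10007 and 10009 the modulus is only 100,160,063 and &lt;code&gt;recover_private_key&lt;/code&gt; factors it instantly, which is the point: the scheme is exactly as strong as the difficulty of factoring n, and for a 2048-bit modulus the same trial division would never finish. The &lt;code&gt;pow(e, -1, phi)&lt;/code&gt; call needs Python 3.8 or later.&lt;/p&gt;&lt;p&gt;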
The keys are related mathematically, but parameters are chosen so that determining the private key from the public key is prohibitively expensive.&lt;br /&gt;&lt;/p&gt; &lt;p&gt;In contrast, &lt;a href="http://bestofnetworksecurity.blogspot.com" title="Symmetric-key algorithm"&gt;symmetric-key algorithms&lt;/a&gt;, variations of which have been used for thousands of years, use a &lt;i&gt;single&lt;/i&gt; secret key, which must be shared and kept private by both sender and receiver, for both encryption and decryption. To use a symmetric encryption scheme, the sender and receiver must securely share a key in advance.&lt;/p&gt; &lt;p&gt;Because symmetric key algorithms are nearly always much less computationally intensive, it is common to use the public-key operation only to establish a shared session key (with a key-exchange or key-transport algorithm) and then to encrypt the actual data under that key with a &lt;a href="http://bestofnetworksecurity.blogspot.com/" title="Symmetric-key algorithm"&gt;symmetric-key algorithm&lt;/a&gt;. This combination is usually called hybrid encryption.&lt;/p&gt;&lt;div style="text-align: center;" class="fullImageLink" id="file"&gt;&lt;a href="http://en.wikipedia.org/wiki/File:Public-key-crypto-1.svg"&gt;&lt;img alt="File:Public-key-crypto-1.svg" src="http://upload.wikimedia.org/wikipedia/en/thumb/3/32/Public-key-crypto-1.svg/288px-Public-key-crypto-1.svg.png" width="288" height="288" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/File:Public_key_shared_secret.svg"&gt;&lt;img style="width: 460px; height: 515px;" alt="File:Public key shared secret.svg" src="http://upload.wikimedia.org/wikipedia/commons/thumb/4/4c/Public_key_shared_secret.svg/536px-Public_key_shared_secret.svg.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;h2&gt;&lt;span style="font-size:130%;"&gt;&lt;span class="mw-headline" id="Description"&gt;Description&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;The two main branches of public key cryptography are: &lt;ul&gt;&lt;li&gt;Public key encryption: a message 
encrypted with a recipient's public key cannot be decrypted by anyone except a possessor of the matching private key; presumably, this will be the owner of that key and the person associated with the public key used. This is used for confidentiality.&lt;/li&gt;&lt;li&gt;&lt;a href="http://bestofnetworksecurity.blogspot.com" title="Digital signature"&gt;Digital signatures&lt;/a&gt;: a message signed with a sender's private key can be verified by anyone who has access to the sender's public key. A valid signature proves that the signer had access to the private key (and therefore is likely to be the person associated with the public key used) and that the signed message has not been altered since it was signed. In practice the signature is computed over a cryptographic hash (message digest) of the message rather than over the message itself.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;An analogy to public-key encryption is that of a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot; however, only the person who possesses the key can open the mailbox and read the message.&lt;/p&gt; &lt;p&gt;An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the seal authenticates the sender.&lt;/p&gt; &lt;p&gt;A central problem for use of public-key cryptography is confidence (ideally proof) that a public key is correct, belongs to the person or entity claimed (i.e., is 'authentic'), and has not been tampered with or replaced by a malicious third party. 
The usual approach to this problem is to use a public key infrastructure (PKI), in which one or more third parties, known as certificate authorities, certify ownership of key pairs by issuing signed certificates that bind a public key to an identity.&lt;/p&gt;&lt;h2&gt;&lt;span style="font-size:130%;"&gt;&lt;span class="mw-headline" id="Practical_considerations"&gt;Practical considerations&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/h2&gt;An analogy which can be used to understand the advantages of an asymmetric system is to imagine two people, Alice and Bob, sending a secret message through the public mail. In this example, Alice wants to send a secret message to Bob, and expects a secret reply from Bob. &lt;p&gt;With a symmetric key system, Alice first puts the secret message in a box, and locks the box using a padlock to which she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he uses an identical copy of Alice's key (which he has somehow obtained previously, maybe by a face-to-face meeting) to open the box, and reads the message. Bob can then use the same padlock to send his secret reply.&lt;/p&gt; &lt;p&gt;In an asymmetric key system, Bob and Alice have separate padlocks. First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice's open padlock to lock the box before sending it back to her. The analogy also shows the weakness that remains: a corrupt postal worker who swaps Bob's open padlock for his own can read Alice's message and forward it under Bob's padlock, which is exactly the key-authenticity problem that certificates are meant to solve.&lt;/p&gt; &lt;p&gt;The critical advantage in an asymmetric key system is that Bob and Alice never need to send a copy of their keys to each other. This prevents a third party (perhaps, in the example, a corrupt postal worker) from copying a key while it is in transit and then reading all future messages sent between Alice and Bob. 
So in the public key scenario, Alice and Bob need not trust the postal service as much. In addition, if Bob were careless and allowed someone else to copy &lt;i&gt;his&lt;/i&gt; key, Alice's messages to Bob would be compromised, but Alice's messages to other people would remain secret, since the other people would be providing different padlocks for Alice to use.&lt;/p&gt; &lt;p&gt;In another kind of key exchange, the three-pass protocol, Bob and Alice have separate padlocks. First, Alice puts the secret message in a box, and locks the box using a padlock to which only she has a key. She then sends the box to Bob through regular mail. When Bob receives the box, he adds his own padlock to the box, and sends it back to Alice. When Alice receives the box with the two padlocks, she removes her padlock and sends it back to Bob. When Bob receives the box with only his padlock on it, he can unlock the box with his key and read the message from Alice. Note that in this scheme the order of decryption is the same as the order of encryption (Alice's layer comes off before Bob's, even though it went on first); this is only possible if commutative ciphers are used. A commutative cipher is one in which the order of encryption and decryption is interchangeable, just as the order of multiplication is interchangeable; i.e., &lt;code&gt;A*B*C = A*C*B = C*B*A&lt;/code&gt;. A simple &lt;code&gt;XOR&lt;/code&gt; with the individual keys is such a commutative cipher, but it is useless for this protocol: an eavesdropper who sees all three transmissions can XOR them together and recover the message without any key (practical three-pass schemes such as Shamir's use modular exponentiation instead). For example, let &lt;code&gt;E&lt;sub&gt;1&lt;/sub&gt;()&lt;/code&gt; and &lt;code&gt;E&lt;sub&gt;2&lt;/sub&gt;()&lt;/code&gt; be two encryption functions and let "&lt;code&gt;M&lt;/code&gt;" be the message. Alice encrypts it using &lt;code&gt;E&lt;sub&gt;1&lt;/sub&gt;()&lt;/code&gt; and sends &lt;code&gt;E&lt;sub&gt;1&lt;/sub&gt;(M)&lt;/code&gt; to Bob. Bob then encrypts the message again as &lt;code&gt;E&lt;sub&gt;2&lt;/sub&gt;(E&lt;sub&gt;1&lt;/sub&gt;(M))&lt;/code&gt; and sends it to Alice. 
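&lt;/p&gt;&lt;p&gt;The three-pass exchange described in this paragraph, carried through in code with XOR as the commutative cipher, as an added example that is not part of the original post. The sample message, the use of fresh random keys the same length as the message, and the function names are this example's own choices; the last function plays the eavesdropper and shows why XOR cannot be the cipher here.&lt;/p&gt;

```python
"""Three-pass (double padlock) exchange with XOR as the commutative cipher.
Added illustration, not code from the post.  It shows the commutation that
lets Alice remove her lock before Bob removes his, and then why XOR must
never be used for this: the three wire messages XOR together to the
plaintext, so a passive eavesdropper recovers M without any key."""
import secrets


def xor_bytes(a, b):
    """XOR two equal-length byte strings (a one-time-pad step)."""
    if len(a) != len(b):
        raise ValueError("key and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def three_pass(message, alice_key, bob_key):
    """Run the exchange and return the three messages that cross the wire.

    pass 1  Alice -> Bob    c1 = M ^ Ka            (Alice's padlock on)
    pass 2  Bob -> Alice    c2 = c1 ^ Kb           (Bob's padlock added)
    pass 3  Alice -> Bob    c3 = c2 ^ Ka = M ^ Kb  (Alice's padlock off)
    Bob then computes c3 ^ Kb = M.  Decryption runs in the same order as
    encryption (Alice first), which only works because XOR commutes.
    """
    c1 = xor_bytes(message, alice_key)
    c2 = xor_bytes(c1, bob_key)
    c3 = xor_bytes(c2, alice_key)
    return c1, c2, c3


def bob_unlocks(c3, bob_key):
    """Bob removes the last padlock with his own key."""
    return xor_bytes(c3, bob_key)


def eavesdropper_recovers(c1, c2, c3):
    """The attack: (M^Ka) ^ (M^Ka^Kb) ^ (M^Kb) = M.  Every key cancels."""
    return xor_bytes(xor_bytes(c1, c2), c3)


if __name__ == "__main__":
    secret = b"session key 0x2a"               # constructed sample message
    ka = secrets.token_bytes(len(secret))      # Alice's fresh random key
    kb = secrets.token_bytes(len(secret))      # Bob's fresh random key
    c1, c2, c3 = three_pass(secret, ka, kb)
    print("Bob recovers:         ", bob_unlocks(c3, kb))
    print("eavesdropper recovers:", eavesdropper_recovers(c1, c2, c3))
```

&lt;p&gt;Bob and the eavesdropper end up with the same bytes: the three wire messages are &lt;code&gt;M^Ka&lt;/code&gt;, &lt;code&gt;M^Ka^Kb&lt;/code&gt; and &lt;code&gt;M^Kb&lt;/code&gt;, and their XOR is &lt;code&gt;M&lt;/code&gt;. Each key on its own is a perfect one-time pad, so the failure is in the protocol, not the pad.&lt;/p&gt;&lt;p&gt;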
Now Alice removes her layer by decrypting &lt;code&gt;E&lt;sub&gt;2&lt;/sub&gt;(E&lt;sub&gt;1&lt;/sub&gt;(M))&lt;/code&gt; with the key for &lt;code&gt;E&lt;sub&gt;1&lt;/sub&gt;()&lt;/code&gt;. Because the ciphers commute, she obtains &lt;code&gt;E&lt;sub&gt;2&lt;/sub&gt;(M)&lt;/code&gt;, which she sends back to Bob; he decrypts it with the key for &lt;code&gt;E&lt;sub&gt;2&lt;/sub&gt;()&lt;/code&gt; and gets "&lt;code&gt;M&lt;/code&gt;". Although neither party's key was ever transmitted, the message "&lt;code&gt;M&lt;/code&gt;" may well itself be a key, for example a secret key for a symmetric cipher that Alice and Bob will use for the rest of their conversation. &lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/7342393912384225222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=7342393912384225222' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/7342393912384225222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/7342393912384225222'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2011/05/secure-key-algorithms.html' title='Secure Key Algorithms'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-6907358232783554716</id><published>2011-03-26T18:33:00.000-07:00</published><updated>2011-03-26T18:47:36.461-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Smart Card Security'/><title type='text'>Smart Card Security</title><content type='html'>&lt;h3 id="data-integrity"&gt;Data Integrity&lt;/h3&gt; &lt;p&gt;This is the function that verifies the characteristics of a document and a transaction. Characteristics of both are inspected and confirmed for content and correct authorization. Data integrity is achieved with a cryptographic hash (or a keyed variant, a MAC) that assigns a fixed-length fingerprint to the data. Any change to the data changes the fingerprint, so a mismatch flags tampering.&lt;/p&gt; &lt;h3 id="authentication"&gt;Authentication&lt;/h3&gt; &lt;p&gt;This inspects, then confirms, the proper identity of people involved in a transaction of data or value. In authentication systems, the strength of the mechanism and the number of factors used to confirm the identity determine how much the result can be trusted. In a PKI system a digital signature verifies data at its origination by producing a value that can be verified by all parties involved in the transaction. A digital signature is produced by hashing the data with a cryptographic hash algorithm and then signing that hash with the signer's private key; the hash alone is not a signature, since anyone can recompute it.&lt;/p&gt; &lt;h3 id="non-repudiation"&gt;Non-Repudiation&lt;/h3&gt; &lt;p&gt;This eliminates the possibility of a transaction being repudiated, or invalidated, by incorporating a digital signature that a third party can verify as correct. 
Similar in concept to registered mail, the recipient of the data re-hashes it, verifies the digital signature over that hash with the signer's public key, and so confirms that the two match.&lt;/p&gt; &lt;h3 id="authorization"&gt;Authorization and Delegation&lt;/h3&gt; &lt;p&gt;Authorization is the process of allowing access to specific data within a system. Delegation is the use of a third party, such as a certificate authority, to manage and certify each of the users of your system.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img alt="panel4_trust_lrg.gif" src="http://www.smartcardbasics.com/smart_card_images/panel4_trust_lrg.gif" width="637" height="559" /&gt;&lt;/p&gt;&lt;h3 id="auditing"&gt;Auditing and Logging&lt;/h3&gt; &lt;p&gt;This is the independent examination and recording of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.&lt;/p&gt; &lt;h3 id="management"&gt;Management&lt;/h3&gt; &lt;p&gt;Management is the oversight and design of the elements and mechanisms discussed above and below. Card management also covers card issuance, replacement and retirement, as well as the policies that govern the system.&lt;/p&gt; &lt;h3 id="cryptography"&gt;Cryptography / Confidentiality&lt;/h3&gt; &lt;p&gt;Confidentiality is the use of encryption to protect information from unauthorized disclosure. Plain text is turned into cipher text by an encryption algorithm and a key, and is turned back into plain text by the corresponding decryption algorithm and key.&lt;/p&gt; &lt;p&gt;Cryptography is the method of converting data from a human readable form to a modified form, and then back to its original readable form, to make unauthorized access difficult. 
Cryptography is used in the following ways:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Ensures data privacy, by encrypting data&lt;/li&gt;&lt;li&gt;Ensures data integrity, by recognizing whether data has been manipulated in an unauthorized way&lt;/li&gt;&lt;li&gt;Ensures data uniqueness, by checking that data is "original" and not a "copy" of the "original". The sender attaches a unique identifier (for example a counter or nonce covered by the signature or MAC) to the "original" data, and the receiver checks that it has not been seen before, which defeats replay of a captured transaction.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The original data may be in a human-readable form, such as a text file, or it may be in a computer-readable form, such as a database, spreadsheet or graphics file. The original data is called unencrypted data or plain text. The modified data is called encrypted data or cipher text. The process of converting the unencrypted data is called encryption. The process of converting encrypted data to unencrypted data is called decryption.&lt;/p&gt; &lt;h3 id="data-security"&gt;Data Security Mechanisms and their Respective Algorithms&lt;/h3&gt;&lt;br /&gt;&lt;img alt="panel7_dsm_lrg.gif" src="http://www.smartcardbasics.com/smart_card_images/panel7_dsm_lrg.gif" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;In order to convert the data, you need to have an encryption algorithm and a key. If the same key is used for both encryption and decryption, that key is called a secret key and the algorithm is called a symmetric algorithm. The best-known symmetric algorithm in the smart card world has long been DES (Data Encryption Standard), although its 56-bit key is now far too short and new designs use AES.&lt;/p&gt; &lt;div style="text-align: center;"&gt;&lt;img src="http://www.smartcardbasics.com/smart_card_images/panel7.gif" alt="Symmetrical Encryption" title="Symmetrical Encryption" /&gt; &lt;/div&gt;&lt;p&gt;The Data Encryption Standard (DES) was developed by IBM in the 1970s. 
During the process of becoming a standard algorithm, it was modified according to recommendations from the National Security Agency (NSA). The algorithm has been studied by cryptographers for decades. Shortcut attacks (differential and linear cryptanalysis) have been published, but they need impractical amounts of chosen or known plaintext, so the practical attack remains brute force over the key. DES has a 56-bit key, which offers 2&lt;sup&gt;56&lt;/sup&gt; (about 7.2 x 10&lt;sup&gt;16&lt;/sup&gt;) possible keys, and an exhaustive search of that space was demonstrated with purpose-built hardware in the late 1990s; single DES should therefore be considered broken for new deployments. There are a very small number of weak keys, but it is easy to test for these keys and they are easy to avoid.&lt;/p&gt; &lt;p&gt;Triple-DES is a method of using DES to provide additional security. Triple-DES can be done with two keys (K1, K2, K1) or with three independent keys. Since the algorithm performs an encrypt-decrypt-encrypt sequence, this is sometimes called the EDE mode; using the same key three times reduces it to single DES, which is how compatibility with older systems was preserved. This diagram shows Triple-DES three-key mode used for encryption:&lt;/p&gt; &lt;div style="text-align: center;"&gt;&lt;img src="http://www.smartcardbasics.com/smart_card_images/panel7_3des.gif" alt="Symmetric Key (3DES) Encryption" title="Symmetric Key (3DES) Encryption" /&gt; &lt;/div&gt;&lt;p&gt;If different keys are used for encryption and decryption, the algorithm is called an asymmetric algorithm. The most well-known asymmetric algorithm is RSA, named after its three inventors (Rivest, Shamir, and Adleman). This algorithm uses two keys, called the public key and the private key. These keys are mathematically linked. Here is a diagram that illustrates an asymmetric algorithm:&lt;/p&gt; &lt;div style="text-align: center;"&gt;&lt;img src="http://www.smartcardbasics.com/smart_card_images/panel7a.gif" alt="Asymmetric (Public Key) Encryption" title="Asymmetric (Public Key) Encryption" /&gt; &lt;/div&gt;&lt;p&gt;Asymmetric algorithms rest on hard mathematical problems; for RSA the problem is factoring a large number that is the product of two large primes. Because the key is a structured number rather than a random bit string, an asymmetric key must be much longer than a symmetric key to offer the same resistance to attack: a 2048-bit RSA key is comparable to roughly a 112-bit symmetric key. 
Because they are also far slower than symmetric ciphers, they are used to sign a message or a certificate and to establish or transport a symmetric key; they are not ordinarily used to encrypt the bulk of transmitted data.&lt;/p&gt;&lt;p&gt;As the card issuer, you must define all of the parameters for card and data security. There are two methods of using cards for data system security, host-based and card-based. The safest systems employ both methodologies.&lt;/p&gt; &lt;div style="text-align: center;"&gt;&lt;img src="http://www.smartcardbasics.com/smart_card_images/smart-card-panel-pass.gif" alt="" title="" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;h3 id="host-security"&gt;Host-Based System Security&lt;/h3&gt; &lt;p&gt;A host-based system treats a card as a simple data carrier. Because of this, straight memory cards can be used very cost-effectively for many systems. All protection of the data is done by the host computer. The card data may be encrypted, but the transmission between card and host is exposed to anyone who can tap the reader or the line. A common method of increasing the security is to write in the clear (not encrypted) a key identifier that usually contains a date and/or time along with a reference to a set of keys held on the host. Each time the card is re-written the host can write a new reference, so each transmission is different; but parts of this key material are in the clear for an attacker to analyze. This security can be increased by the use of smart memory cards that employ a password mechanism to prevent unauthorized reading of the data. Unfortunately the password is sent to the card in the clear and can be sniffed, after which the main memory can be read. These methodologies are therefore often used only where a back-end network can batch up the data regularly, compare values and card usage, and generate a problem card list for readers to refuse.&lt;/p&gt; &lt;h3 id="card-security"&gt;Card-Based System Security&lt;/h3&gt; &lt;p&gt;These systems are typically built on microprocessor cards. 
A card- or token-based system treats the card as an active computing device. The interaction between the host and the card can be a series of steps to determine whether the card is authorized to be used in the system. The process also checks whether the user can be identified and authenticated and whether the card will present the appropriate credentials to conduct a transaction. The card itself can also demand the same from the host (mutual authentication) before proceeding with a transaction. Access to specific information in the card is controlled by (1) the card's internal operating system and (2) the access conditions the card issuer has set on each file. The card can be in the standard CR80 form factor, in a USB dongle, or in a GSM SIM.&lt;/p&gt;&lt;h3 id="threats"&gt;Threats to Cards and Data Security&lt;/h3&gt; &lt;p&gt;Effective security system planning takes into account the need for authorized users to access data reasonably easily, while considering the many threats that this access presents to the integrity and safety of the information. There are basic steps to follow to secure all smart card systems, regardless of type or size.&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Analysis: types of data to secure; users, points of contact, transmission; relative risk and impact of data loss&lt;/li&gt;&lt;li&gt;Deployment of your proposed system&lt;/li&gt;&lt;li&gt;Road test: attempt to break into your own system and learn where the weak spots are&lt;/li&gt;&lt;li&gt;Synthesis: incorporate the road-test findings and re-deploy&lt;/li&gt;&lt;li&gt;Auditing: periodic security monitoring, checks of the system, fine-tuning&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;When analyzing the threats to your data an organization should look closely at two specific areas: internal attacks and external attacks. The first and most common compromise of data comes from disgruntled employees. 
Knowing this, a good system manager separates all back-up data and back-up systems into a separately partitioned and secured space. The introduction of viruses and the attempted formatting of network drives are typical internal attack behavior. By deploying employee cards that log an employee into the system and record the time, date and machine that the employee is on, a company creates an audit trail that attributes actions to individuals and so discourages these types of attacks.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img style="width: 799px; height: 394px;" alt="threats_lrg.gif" src="http://www.smartcardbasics.com/smart_card_images/threats_lrg.gif" /&gt;&lt;/p&gt;&lt;p style="text-align: left;"&gt;External attacks are typically aimed at the weakest link in a company's security armor. The first place an external attacker looks is where they can intercept the transmission of your data. In a smart card-enhanced system this starts with the card and the card-to-reader interface.&lt;/p&gt;&lt;h3 id="architectures"&gt;Security Architectures&lt;/h3&gt; &lt;p&gt;When designing a system, a planner should look at the total cost of ownership. This includes:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Analysis&lt;/li&gt;&lt;li&gt;Installation and Deployment&lt;/li&gt;&lt;li&gt;Delegated Services&lt;/li&gt;&lt;li&gt;Training&lt;/li&gt;&lt;li&gt;Management&lt;/li&gt;&lt;li&gt;Audits and Upgrades&lt;/li&gt;&lt;li&gt;Infrastructure Costs (Software and Hardware)&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Over 99% of all U.S.-based financial networks are secured with a private key infrastructure, that is, with symmetric (shared secret) keys. This is changing over time, based on the sheer volume of transactions managed daily and the hassles that come with distributing and rotating shared secret keys. 
Private key-based systems make good sense if your expected user base is less than 500,000 participants.&lt;/p&gt; &lt;p&gt;Public key systems are typically cost effective only in large volumes or where the value of the data is so high that it is worth the higher costs associated with this type of deployment. What most people don't realize is that public key systems still rely heavily on symmetric (private key) encryption for the transmission of data. The public key algorithms are used to establish those symmetric keys and to provide non-repudiation and data integrity through digital signatures; they do not encrypt the bulk traffic themselves. Public key infrastructures as a rule employ every mechanism of data security in a nested and coordinated fashion to ensure the highest level of security available today.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/6907358232783554716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=6907358232783554716' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/6907358232783554716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/6907358232783554716'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2011/03/smart-card-security.html' title='Smart Card Security'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-5725918858081215777</id><published>2011-03-26T18:30:00.000-07:00</published><updated>2011-03-26T18:32:40.303-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Windows Security'/><title type='text'>Securing Remote Desktop for Windows XP</title><content type='html'>&lt;h2 style="text-align: center;"&gt;&lt;span style="font-size:100%;"&gt;Remote Desktop, Unsafely&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;Many people use the Windows XP Professional Remote Desktop feature to gain easy access to their home PCs. But exposing a connection to an administrator account on your system to the Internet is very dangerous. Just by opening the port on my firewall I received several logon attempts, from various countries, within a week. Free tools exist that assist attackers with brute-forcing Windows Remote Desktop logons. Fortunately there are a few simple steps you can take to protect yourself:&lt;/p&gt;&lt;h2 style="text-align: center;"&gt;&lt;span style="font-size:100%;"&gt;Remote Desktop, Safely&lt;/span&gt;&lt;/h2&gt;&lt;h3 style="text-align: center;"&gt;Limit users who can log on remotely&lt;/h3&gt;&lt;p&gt;First, only allow certain users Remote Desktop access. 
Go to the Control Panel, then System, then the Remote tab.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img style="width: 403px; height: 468px;" src="http://www.mobydisk.com/techres/Remote_Desktop_Enable.png" alt="Screen shot showing remote desktop control panel tab" /&gt;&lt;/p&gt;&lt;p&gt;From there, enable "Allow users to connect remotely to this computer." Then click "Select Remote Users."&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img src="http://www.mobydisk.com/techres/Remote_Desktop_Users.png" alt="Screen shot showing remote desktop screen" /&gt;&lt;/p&gt;&lt;p&gt;Here, add only the users who you want to be able to log in remotely. If you want to be especially careful, you can grant this to a standard user account only, and force yourself to run as a normal user. This is a very difficult way to run Windows XP since many applications assume the user has Administrator rights, so I leave that decision up to you.&lt;/p&gt;&lt;p&gt;Unfortunately, that setting alone does not restrict administrators: you will find that you can still log on as any administrator account. The dialog only adds the selected accounts to the Remote Desktop Users group, while the Administrators group holds the remote logon right by default, and the dialog does not show this. You will need to go to another location to change the &lt;em&gt;real&lt;/em&gt; list. Click Start - Programs - Administrative Tools - Local Security Policy. 
If you can't find it, you can also do Start - Run - enter "%SystemRoot%\system32\secpol.msc /s" - Ok.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img style="width: 530px; height: 318px;" src="http://www.mobydisk.com/techres/Remote_Desktop_Users_Allowed1.png" alt="Screen shot showing local security settings" /&gt;&lt;/p&gt;&lt;p style="text-align: center;"&gt;Under Local Policies - User Rights Assignment, there is a line that says "Allow logon through Terminal Services." And just next to it is "Administrators, Remote Desktop Users." Aha! Too bad it didn't show "Administrators" in the other screen. Double-click this setting and remove "Administrators." If you want an administrator to have access, just add them explicitly through the other screen.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img src="http://www.mobydisk.com/techres/Remote_Desktop_Users_Allowed2.png" alt="Screen shot showing Terminal Services users" /&gt;&lt;/p&gt;&lt;h3 style="text-align: center;"&gt;Set an account lockout policy&lt;/h3&gt;&lt;p style="text-align: center;"&gt;There are already tools that will use brute force to guess passwords and log on remotely. You cannot stop this, but it can be minimized by setting an account lockout policy. If someone tries to guess the password, then after a few guesses they will be locked out for a period of time. This can make hours or days of guessing become centuries. 
That makes it infeasible to brute-force into your system.&lt;/p&gt;&lt;p style="text-align: center;"&gt;From the same Local Security Policy screen as before, go to Account Policies - Account Lockout Policy.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img style="width: 597px; height: 288px;" src="http://www.mobydisk.com/techres/Account_Lockout_Policy.png" alt="Screen shot showing a minimal account lockout policy" /&gt;&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;u&gt;&lt;em&gt;Account lockout threshold:&lt;/em&gt;&lt;/u&gt; This is the number of failed logon attempts before the user is locked out. Three is usually sufficient to indicate someone is trying to break in.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;u&gt;&lt;em&gt;Reset account lockout counter after:&lt;/em&gt;&lt;/u&gt; For a typical home system, set this to the same value as the &lt;em&gt;Account Lockout Duration&lt;/em&gt; below.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;em&gt;&lt;u&gt;Account lockout duration:&lt;/u&gt;&lt;/em&gt; This is how long the user will be unable to log on after several failed attempts. Even a few minutes will significantly reduce the possibility of a remote brute-force attack. For a home system, any more than a few minutes can be frustrating. You may come home to find your account is locked out because of some joker guessing passwords. Adjust the setting to your own tolerance. 
Setting this value to zero means to lock the account until it is manually unlocked.&lt;/p&gt;&lt;p style="text-align: center;"&gt;To manually unlock an account you must log on as another administrator user (preferably one without remote desktop access). Then go to Start - Programs - Administrative Tools - Computer Management - Local Users and Groups. Click on the individual user and uncheck the "account is disabled" check box. You may then log on as that user.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img style="width: 589px; height: 416px;" src="http://www.mobydisk.com/techres/Computer_Management_Unlock_User.png" alt="Screen shot showing the 'Account is disabled' checkbox on the user property page" /&gt;&lt;/p&gt;&lt;h3 style="text-align: center;"&gt;Require Passwords and 128-Bit Encryption&lt;/h3&gt;&lt;p style="text-align: center;"&gt;For compatibility with older, weaker, less-secure clients, Windows XP defaults to allowing minimal or no encryption on remote desktop connections. If you are connecting with older software, upgrade it. If you are connecting with the PocketPC Terminal Services Client, then this setting won't work for you since that client does not support high encryption. :-(&lt;/p&gt;&lt;p style="text-align: center;"&gt;Click Start - Run - "%SystemRoot%\system32\gpedit.msc /s" to get to the Group Policy Editor. 
I don't know how to get there any easier than that, so you might      want to add an icon for it to your Administrative Tools.&lt;/p&gt;&lt;div style="text-align: center;"&gt;    &lt;/div&gt;&lt;p style="text-align: center;"&gt;    From here, go to Computer Configuration - Administrative Templates - Windows     Components - Terminal Services - Encryption and Security.    &lt;/p&gt;&lt;div style="text-align: center;"&gt;    &lt;/div&gt;&lt;p style="text-align: center;"&gt;&lt;img style="width: 630px; height: 380px;" src="http://www.mobydisk.com/techres/Terminal_Services_Encryption_And_Security.png" alt="Screen shot showing Terminal Services Security settings in the Group Policy" /&gt;&lt;/p&gt;&lt;div style="text-align: center;"&gt;    &lt;/div&gt;&lt;p style="text-align: center;"&gt;You can change the "Set client connection encryption level" from "Not      Configured" to "Enabled" and "High Level" to force the client to use 128-bit      security. This protects your passwords as well as anything transmitted during      your terminal service session.&lt;/p&gt;&lt;div style="text-align: center;"&gt;    &lt;/div&gt;&lt;p style="text-align: center;"&gt;Enabling "Always prompt client for password upon connection" prevents the remote      user from saving the password on the client computer and avoiding the password      prompt. 
Saving passwords is generally a dangerous setting since the password is now on another computer, and because it allows the user to forget it.&lt;/p&gt;&lt;h3 style="text-align: center;"&gt;Change the TCP Port&lt;/h3&gt;&lt;div style="text-align: center;"&gt;You can move the terminal services port from 3389 to another port by changing the registry key at&lt;/div&gt;&lt;p style="text-align: center;"&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber&lt;/p&gt;&lt;div style="text-align: center;"&gt;You will then need to specify the port when you connect to your system. Connect with something like "my.computerathome.com:1234" instead of "my.computerathome.com".&lt;/div&gt;&lt;h3 style="text-align: center;"&gt;IP Address White List&lt;/h3&gt;&lt;p style="text-align: center;"&gt;Windows Firewall allows you to limit which IP addresses have access to remote desktop. To do this, open the Control Panel and run Windows Firewall. Select the Exceptions tab and make sure "Remote Desktop" is checked.&lt;/p&gt;&lt;div style="text-align: center;"&gt;&lt;img src="http://www.mobydisk.com/techres/windows_firewall.png" alt="Windows Firewall control panel screen shot" width="434" height="518" /&gt;&lt;/div&gt;&lt;p style="text-align: center;"&gt;Click the "Edit" button and you will see a list of TCP ports. Windows Firewall assumes that Remote Desktop lies on port 3389. If you changed the port number, you will need to cancel this screen and instead click "Add Port" and create an entry with the port number you used.
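As an added example (not code from the original post), the following PowerShell audit script reads back each setting the steps above change: the Terminal Services logon right, the account lockout policy, the connection encryption level, the password prompt and the listening port, and reports any that still sit at the risky default. It assumes an elevated PowerShell session on the machine being checked (PowerShell is not built into Windows XP) and that a value missing under the Policies registry key means the corresponding Group Policy setting is 'Not Configured'.

```powershell
# Added audit script, not part of the original post. It reads the settings the
# guide above changes and reports any still at the risky default. Assumptions:
# an elevated PowerShell prompt, the standard Terminal Services registry
# locations, secedit's .inf export format, and that a value missing under the
# Policies key means the Group Policy setting is "Not Configured".

$findings = @()
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($path, $name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
    catch { $null }
}

function Get-InfValue($lines, $name) {
    # Pull "Name = value" out of a secedit export; $null if not present.
    $pattern = '^\s*' + [regex]::Escape($name) + '\s*=\s*(.+?)\s*$'
    foreach ($line in $lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

# Remote Desktop switched off entirely? (fDenyTSConnections = 1 means disabled)
if ((Get-RegValue $tsKey 'fDenyTSConnections') -eq 1) {
    Write-Output 'Remote Desktop is disabled; nothing further to check.'
    return
}

# Listening port: the guide moves it away from 3389.
$port = Get-RegValue $rdpKey 'PortNumber'
if ($port -eq 3389) { $findings += 'RDP still listens on the default port 3389.' }

# Encryption level: 3 = High (128-bit), which the "High Level" policy sets.
# A configured policy value overrides the per-listener value.
$enc = Get-RegValue $polKey 'MinEncryptionLevel'
if ($null -eq $enc) { $enc = Get-RegValue $rdpKey 'MinEncryptionLevel' }
if (-not $enc -or $enc -lt 3) {
    $findings += "Client connection encryption level is '$enc'; expected 3 (High)."
}

# "Always prompt client for password upon connection" (fPromptForPassword = 1).
$prompt = Get-RegValue $polKey 'fPromptForPassword'
if ($null -eq $prompt) { $prompt = Get-RegValue $rdpKey 'fPromptForPassword' }
if ($prompt -ne 1) { $findings += 'Clients may connect with a saved password; prompt is not enforced.' }

# Lockout policy and the Terminal Services logon right come from the local
# security policy, exported with secedit to a temporary .inf file.
$inf = Join-Path $env:TEMP 'rdp-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$cfg = Get-Content $inf
Remove-Item $inf -ErrorAction SilentlyContinue

$badCount = [int](Get-InfValue $cfg 'LockoutBadCount')
if ($badCount -eq 0) {
    $findings += 'No account lockout threshold: unlimited password guesses are allowed.'
} else {
    $duration = Get-InfValue $cfg 'LockoutDuration'
    $reset    = Get-InfValue $cfg 'ResetLockoutCount'
    # The guide recommends that the reset window match the lockout duration.
    if ($duration -ne $reset) {
        $findings += "Lockout duration ($duration) differs from reset window ($reset)."
    }
}

# S-1-5-32-544 is the well-known SID of the local Administrators group.
$right = Get-InfValue $cfg 'SeRemoteInteractiveLogonRight'
if ($right -and $right -match 'S-1-5-32-544') {
    $findings += 'Administrators still hold "Allow logon through Terminal Services".'
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked Remote Desktop settings match the hardening guide.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```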
&lt;/p&gt;&lt;div style="text-align: center;"&gt;&lt;img src="http://www.mobydisk.com/techres/windows_firewall_tcp3389.png" alt="Windows Firewall TCP port screen shot" width="384" height="287" /&gt;&lt;/div&gt;&lt;p style="text-align: center;"&gt;Click the "Change Scope" button. From this screen, you can limit access to the local network, or to a specific set of IP addresses.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-5725918858081215777?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/5725918858081215777/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=5725918858081215777' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/5725918858081215777'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/5725918858081215777'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2011/03/securing-remote-desktop-for-windows-xp.html' title='Securing Remote Desktop for Windows XP'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-928119748385743194</id><published>2011-03-19T17:55:00.000-07:00</published><updated>2011-03-19T18:00:33.853-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Firewalls'/><title type='text'>Dual WAN Firewall to Increase Network Security</title><content type='html'>&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:130%;"&gt;A peep into the Internet World: Security Issues&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;Corporations in domains such as banking and finance, software engineering, stock trading, online shopping, media and entertainment, and e-commerce have been computerized, and they need an Internet connection to operate their networks.&lt;/p&gt;&lt;p&gt;When a network (LAN, WAN or MAN) is connected to the Internet, it is implicitly exposed to information theft, and security becomes an overall concern. The Internet allows internetworking between LANs and WANs, enabling remote access to and control over the network. Refer to the figure "Internet users and Firewall Security" to see how a firewall works in a network.&lt;/p&gt;&lt;h2 style="font-weight: normal; text-align: center;"&gt;&lt;img src="http://dualwan.org/images/internet-users-firewall-sec.jpg" alt="Internet users and Firewall Security" /&gt;&lt;/h2&gt;&lt;p&gt;Anybody can intercept your information when sensitive data traverses the network, which fuels hacking, cybercrime and information theft. Data loss is so expensive that it can become unbearable, to the point of business collapse. Preventive measures were sought to secure information, and the firewall was established as a method to control network traffic and filter out unauthorized access to your network. 
With a WAN firewall, hard drives and files are kept away from virus attacks, and user restrictions allow only authorized users to access and control your network.&lt;/p&gt;&lt;h2 style="font-weight: normal;"&gt;Why do we opt for a Firewall?&lt;/h2&gt;&lt;p&gt;In general, a firewall performs filtering by eliminating unauthorized entries and, as a preventive action, keeps viruses from flowing into the network. Other security options are:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Password encryption&lt;/li&gt;&lt;li&gt;Fingerprint identification&lt;/li&gt;&lt;li&gt;Digital signatures&lt;/li&gt;&lt;li&gt;PIC (Personal Identification Code)&lt;/li&gt;&lt;/ul&gt;&lt;p style="text-align: center;"&gt;&lt;img src="http://dualwan.org/images/firewall-organization-wan-s.jpg" alt="Firewall in an organization’s WAN setup" /&gt;&lt;/p&gt;&lt;h2 style="font-weight: normal;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;Scenario of a Single Firewall:&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;In general, an organization's WAN setup has a single firewall that filters unauthorized entries by forming a two-network structure: an external and an internal network. Together with the demilitarized zone (DMZ) and the ISP (Internet Service Provider) connection, such a setup has three interface layers.&lt;/p&gt;&lt;h3 style="font-weight: normal;"&gt;Interface Layers:&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Layer 1: &lt;/strong&gt;The organization's external network connects to the ISP on this layer (first interface).&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Layer 2: &lt;/strong&gt;The internal network forms the next network layer 
(second interface).&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Layer 3: &lt;/strong&gt;The DMZ forms the last network layer (third interface).&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;In such a network, a single firewall handles the entire filtering process and controls the Internet traffic between the layers above using traffic management techniques. Refer to the figure "Firewall in an organization’s WAN setup" for a firewall implementation in an organization’s network.&lt;/p&gt;&lt;p&gt;With a single firewall, all Internet traffic between the DMZ, the external network and the internal network depends on that one device, which is risky: at any point in time it may fail (through accident or deliberate action) and the network stops functioning. This scenario creates the need for firewalls on multiple WANs.&lt;/p&gt;&lt;p&gt;As a preventive measure, experts suggest an alternative approach: implementing a double or dual firewall to segregate the Internet traffic between the two network layers toward the DMZ. This is more secure, reduces traffic overload, and allows traffic management on a better scale.&lt;/p&gt;&lt;p&gt;Dual WAN is enabled by connections from two different ISPs, each attached to its own WAN modem (cable or DSL). 
With two or more connections the user can stay connected to the Internet, and each connection gets its own firewall, ensuring reliability and security of data transfer as well as bandwidth optimization (bandwidth increases with multiple Internet connections, the two modem-to-ISP links being attached via two WAN ports).&lt;/p&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;Configuration:&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;A WAN firewall configuration is of one of two types, based on its role:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Front-end firewall: &lt;/strong&gt;The first firewall, termed the primary, intended to handle traffic for the DMZ alone.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Back-end firewall: &lt;/strong&gt;The second firewall, termed the secondary, placed between the DMZ and the internal network; it manages traffic for the DMZ and the internal network.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;By comparison, the front-end firewall has to manage heavier traffic than the back-end firewall, since it is positioned to handle all traffic for the DMZ. Refer to the figure "Dual Firewall in WAN setup" for a dual firewall in a network setup.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img src="http://dualwan.org/images/dual-firewall-wan-setup.jpg" alt="Dual Firewall in WAN setup" /&gt;&lt;/p&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;Firewall Recommendations:&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;In a network, it is better to use two firewalls from different vendors. This pays off when an attacker breaks through the primary firewall: the second firewall keeps working, and getting through it is a separate, tedious task. 
It is highly dangerous to deploy both WAN firewalls from the same vendor.&lt;/p&gt;&lt;p&gt;Implementing two firewalls in an organization's wide area network is a backup measure to handle disasters and attain business process continuity, together with WAN optimization and traffic management techniques, at an affordable cost (far less than the loss from a business collapse). This is also termed firewall failover, as the second firewall acts as a backup when the first one collapses.&lt;/p&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;Benefits of a Dual WAN Firewall:&lt;/span&gt;&lt;/h2&gt;&lt;ul start="1" type="1"&gt;&lt;li&gt;&lt;strong&gt;Business security:&lt;/strong&gt; Organizations with a dual WAN firewall gain the full benefit of a higher security level, since the dual WAN network is protected by two firewalls.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Network computing:&lt;/strong&gt; Stateful Packet Inspection (SPI) inspects every packet crossing the network under the firewall's control, safeguarding network computing.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Network security:&lt;/strong&gt; To achieve network security, packet data traversing the network undergoes two major transformations: encryption and decryption. At the sender side, the packet is encrypted with an algorithm such as triple DES (Data Encryption Standard) or AES (Advanced Encryption Standard) using a key, and the ciphertext is passed to the destination. 
At the receiver end, decryption takes place with the matching key to reveal the original data, thus maintaining privacy alongside the authentication process.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Dual WAN ports: &lt;/strong&gt;A dual WAN gigabit router has six ports, of which two WAN ports carry 10/100 megabits per second (Mbps) ISP connections and four gigabit LAN ports can also serve as a secondary link to the second ISP connection. Such ports enable a dual WAN gigabit router to handle Internet load balancing.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Unified Bandwidth Management: &lt;/strong&gt;Gigabit capacity (equals one megabyte of computer information) is suitable for critical networks that consume high bandwidth, increasing throughput. UBM is very efficient with the FatPipe QoS product, which guarantees the correct bandwidth for mission-critical applications and allocates bandwidth so as to reduce overall bandwidth requirements.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Quality of Service: &lt;/strong&gt;As the name implies, QoS involves analysing the kind of service received from the Internet service provider. In general, QoS provides the same level of bandwidth allocation to all applications with no bandwidth priorities, leading to over-provisioning and thus making it ineffective. The FatPipe QoS device allocates the highest priority to mission-critical applications and works with ten priority levels.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Traffic Optimization: &lt;/strong&gt;Bringing IP network traffic under control through prioritization and bandwidth provisioning is termed traffic optimization. 
IP traffic passing through FatPipe QoS is assigned one of ten priority levels, giving granular control over each application and its bandwidth, with traffic load balancing to control, shape and optimize real-time traffic and maximize utilization of all WAN links.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Wide Area Network High Availability: &lt;/strong&gt;A dual WAN setup ensures highly available connectivity to the ISPs and acts as a load balancer managing IP traffic and bandwidth allocation, delivering high reliability, efficiency and performance; it is the best preventive measure against disasters and man-made failures.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Thus, with two WAN firewalls, an organization can keep full control of its Internet access, meeting daily requirements and carrying out transactions with tight security, blocking intruders' entry into the network and curbing their access to private business data through permission restrictions. A dual WAN setup gives you firewall failover and automatic failover, and keeps your network status always up.&lt;/p&gt;&lt;p&gt;Today's business world depends on two factors that are vital for any business. One is technology, which lifts trade to a higher level; the other is the modes of communication used for information exchange and data transfer. These are crucial factors that can well determine the lifespan of a business.&lt;/p&gt;&lt;p&gt;Looking deeper into the first factor, an organization's network should be fully equipped with the most appropriate technology (tuned to its operational environment) so that the network withstands any disaster, keeping the company on the track of progress amid tough market competition. 
&lt;/p&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;Why do organizations need Dual-WAN?&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;Most corporations work in multiple locations (local, regional, national and international branches), expanding their networks to the point where maintaining them becomes a massive task. With the arrival of the Internet in business, communication has become simpler and business operations trouble-free. Using the Internet, organizations can form a WAN (Wide Area Network) with shared users irrespective of geographical location. Business via the Internet has therefore become beneficial on a large scale.&lt;/p&gt;&lt;p&gt;Consider an example illustrating the necessity of dual WAN. Assume company X has its LAN interconnected with its scattered branches through Internet or WAN links. This is possible with a single ISP (Internet Service Provider) connection, which is the usual scenario.&lt;/p&gt;&lt;p&gt;Once the LAN has access to the WAN, the security of transactions and the protection of data become a question, because they are exposed: anyone can intercept the data, information theft can happen on a large scale, and this may lead to network failure. The loss of communication and the theft of information are costs a business cannot afford.&lt;/p&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;Is Dual-WAN obligatory?&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;A sudden crisis arises when the network is jammed with IP traffic and users send multiple requests in the same time slice. There is no assurance that a single ISP connection will always work. 
In such cases dual WAN turns out to be the best measure to overcome failures at an affordable cost.&lt;/p&gt;&lt;p&gt;As the name implies, dual WAN refers to a network encompassing two Internet (wide area network) connections, operated with one or more routers. Dual WAN links connect your network via two separate modems or routers (cable or DSL modems) to two ISP connections. Here WAN modem M1 stays in the active state and WAN modem M2 takes over operations only when M1 fails. Dual WAN is effective and efficient in the current scenario, and the reason is self-explanatory.&lt;/p&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;What is so special about two wide area network links?&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;The technology behind two WAN or Internet links has several striking features, of which the following deserve mention:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Automatic failover&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Redundancy with Dual WAN links&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Virtual Private Network&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Increased security&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Load balancing&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Firewall-like functionalities&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Traffic Optimization &amp;amp; Acceleration&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Unified Bandwidth Management&lt;/strong&gt;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Business Process Continuity &amp;amp; Disaster Recovery&lt;/strong&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-928119748385743194?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://bestofnetworksecurity.blogspot.com/feeds/928119748385743194/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=928119748385743194' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/928119748385743194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/928119748385743194'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2011/03/dual-wan-firewall-to-increase-network.html' title='Dual WAN Firewall to Increase Network Security'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-7454593594756716783</id><published>2011-03-19T17:49:00.000-07:00</published><updated>2011-03-19T17:55:02.166-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Firewalls'/><title type='text'>Web Application Firewall (WAF) Deployments</title><content type='html'>&lt;p&gt;&lt;strong&gt;1. 
Simple single-homed Profense implementation&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;a href="http://2secure.biz/wp-content/uploads/1Simplesingle.jpg"&gt;&lt;img style="width: 416px; height: 294px;" class="size-medium wp-image-2369 aligncenter" title="Simple single-homed Profense implementation " src="http://2secure.biz/wp-content/uploads/1Simplesingle-300x221.jpg" alt="Simple single-homed Profense implementation " /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p style="text-align: center; font-weight: bold;"&gt;Figure: Simple single-homed Profense implementation&lt;/p&gt;&lt;p&gt;This scenario is the easiest to implement, since Profense can be introduced into the already established network without any major reconfiguration. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) uses a single Ethernet interface.&lt;/p&gt;&lt;p&gt;Profense is placed on the same network (DMZ) as the web systems (web1 and web2) it is protecting.&lt;/p&gt;&lt;p&gt;HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the web systems’ DNS settings) to Profense’s IP address 192.168.0.2.&lt;/p&gt;&lt;p&gt;The web systems’ default gateway is unaltered and is still the router with IP address 192.168.0.1.&lt;/p&gt;&lt;strong&gt;2. 
Firewalled single-homed Profense implementation&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;p style="text-align: center;"&gt;&lt;a href="http://2secure.biz/wp-content/uploads/2Firewalledsingle.jpg"&gt;&lt;img style="width: 429px; height: 303px;" class="aligncenter size-medium wp-image-2370" title="Firewalled single-homed Profense implementation " src="http://2secure.biz/wp-content/uploads/2Firewalledsingle-300x242.jpg" alt="Firewalled single-homed Profense implementation " /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p style="text-align: center; font-weight: bold;"&gt;Figure: Firewalled single-homed Profense implementation&lt;/p&gt;&lt;p&gt;This scenario requires an extra interface in the firewall, since Profense is deployed in a DMZ segment separated from the segment in which the web servers are placed. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) uses a single Ethernet interface.&lt;/p&gt;&lt;p&gt;A separate network segment (subnet 2) is configured between Profense and the firewall.&lt;/p&gt;&lt;p&gt;HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the web systems’ DNS settings) to Profense’s IP address 192.168.1.10.&lt;/p&gt;&lt;p&gt;Outbound traffic from Profense to the web systems is again inspected by the firewall and sent to the web systems on subnet 3.&lt;/p&gt;&lt;p&gt;The web systems’ default gateway is the firewall with IP address 192.168.0.1.&lt;/p&gt;&lt;strong&gt;3. 
Firewalled Profense implementation with a fail-over/backup Profense&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;&lt;p style="text-align: center;"&gt;&lt;a href="http://2secure.biz/wp-content/uploads/3Firewalled.jpg"&gt;&lt;img style="width: 417px; height: 309px;" class="aligncenter size-medium wp-image-2371" title="Firewalled Profense implementation with a fail-over/backup Profense " src="http://2secure.biz/wp-content/uploads/3Firewalled-300x249.jpg" alt="Firewalled Profense implementation with a fail-over/backup Profense " /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p style="text-align: center; font-weight: bold;"&gt;Figure: Profense implementation with a fail-over/backup Profense&lt;/p&gt;&lt;p&gt;In this scenario Profense is deployed in a high availability configuration with an extra Profense (backup) used for fail-over. A dedicated network or crossover cable is used to connect the Profense cluster, and a separate interface is used for synchronization of information between the active and the backup Profense. Inbound and outbound traffic share the same interface.&lt;/p&gt;&lt;p&gt;The two Profense systems share a virtual IP address (VIP) 192.168.1.12.&lt;/p&gt;&lt;p&gt;HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the web systems’ DNS settings) to Profense’s VIP address 192.168.1.12.&lt;/p&gt;&lt;p&gt;In case the active Profense system fails or loses connectivity, the backup takes over the VIP and starts handling the requests from clients.&lt;/p&gt;&lt;p&gt;The web systems’ default gateway is the firewall with IP address 192.168.0.1.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;4. 
Dual-homed performance optimized Profense implementation&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;a href="http://2secure.biz/wp-content/uploads/4Dual-homed.jpg"&gt;&lt;img style="width: 424px; height: 282px;" class="aligncenter size-medium wp-image-2372" title="Dual-homed performance optimized Profense implementation " src="http://2secure.biz/wp-content/uploads/4Dual-homed-300x224.jpg" alt="Dual-homed performance optimized Profense implementation " /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p style="text-align: center; font-weight: bold;"&gt;Figure: Dual-homed performance optimized Profense implementation&lt;/p&gt;&lt;p&gt;In this scenario Profense is configured in a dual-homed setup with separation of inbound and outbound web traffic; two Ethernet interfaces are used. Client requests are terminated in VLAN2 and responses from the web systems are terminated in VLAN3. This setup (or a similar one) potentially provides greater performance (since two interfaces are used) and security.&lt;/p&gt;&lt;p&gt;A separate network segment (VLAN2) is configured between Profense and the layer 3 switch.&lt;/p&gt;&lt;p&gt;HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the web systems’ DNS settings) to Profense’s IP address 192.168.1.9.&lt;/p&gt;&lt;p&gt;Outbound (downstream) traffic from Profense is sent to the web systems via VLAN3.&lt;/p&gt;&lt;p&gt;The layer 3 switch is configured to allow only traffic on the necessary ports (typically 80/tcp for HTTP and 443/tcp for HTTPS) to pass from Profense to the web systems.&lt;/p&gt;&lt;p&gt;The web systems’ default gateway is the layer 3 switch with IP address 192.168.0.1.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/8724977986344259415-7454593594756716783?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/7454593594756716783/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=7454593594756716783' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/7454593594756716783'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/7454593594756716783'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2011/03/web-application-firewall-waf.html' title='Web Application Firewall (WAF) Deployments'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-2196953497290247314</id><published>2011-03-19T17:43:00.000-07:00</published><updated>2011-03-19T17:48:56.565-07:00</updated><title type='text'>Firewall Implementation Diagrammatically</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;p&gt;&lt;img style="width: 452px; height: 301px;" src="http://www.xmlblaster.org/firewall.png" border="0" /&gt;&lt;/p&gt;&lt;p&gt;&lt;img style="width: 604px; height: 323px;" src="http://www.cisco.com/en/US/i/200001-300000/220001-230000/227001-228000/227839.jpg" id="wp249589" border="0" /&gt;&lt;/p&gt;&lt;p&gt;&lt;img style="width: 542px; height: 357px;" src="http://dualwan.org/images/firewall-organization-wan-s.jpg" alt="Firewall in an organization’s WAN setup" /&gt;&lt;/p&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/2196953497290247314/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=2196953497290247314' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/2196953497290247314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/2196953497290247314'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2011/03/firewall-implementation-diagramatically.html' title='Firewall Implementation Diagrammatically'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-2870363532872292639</id><published>2011-03-06T02:02:00.000-08:00</published><updated>2011-03-06T02:16:28.035-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Wireless Security'/><title type='text'>Wireless Intrusion Prevention System</title><content type='html'>In computing, a &lt;b&gt;wireless intrusion prevention system&lt;/b&gt; (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points &lt;i&gt;(intrusion detection)&lt;/i&gt;, and can automatically take countermeasures &lt;i&gt;(intrusion prevention)&lt;/i&gt;.&lt;br /&gt;&lt;p&gt;The primary purpose of a WIPS is to prevent unauthorized network access to local area networks and other information assets by wireless devices. These systems are typically implemented as an overlay to an existing wireless LAN infrastructure, although they may be deployed standalone to enforce no-wireless policies within an organization. Some advanced wireless infrastructure has integrated WIPS capabilities. Large organizations with many employees are particularly vulnerable to security breaches caused by rogue access points. 
If an employee (a trusted entity) at a location brings in an easily available wireless router, the entire network can be exposed to anyone within range of its signal.&lt;/p&gt;&lt;p class="MsoNormal" style="text-align: center; margin-top: 0pt; margin-bottom: 0pt;" align="center"&gt;&lt;img src="http://www.tenouk.com/wifisecurityfeatures_files/wirelessecurity002.png" border="0" /&gt;&lt;/p&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline" id="Intrusion_detection"&gt;Intrusion detection&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;A &lt;b&gt;wireless intrusion detection system&lt;/b&gt; (WIDS) monitors the radio spectrum for the presence of unauthorized, rogue access points and for the use of wireless attack tools. The system monitors the radio spectrum used by wireless LANs and immediately alerts a system administrator whenever a rogue access point is detected. Conventionally this is achieved by comparing the MAC addresses of the participating wireless devices with those of authorized devices. Rogue devices can, however, spoof the MAC address of an authorized network device as their own. Newer research uses a fingerprinting approach to weed out devices with spoofed MAC addresses: the unique signatures exhibited by the signals emitted by each wireless device are compared against the known signatures of pre-authorized, known wireless devices.&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline" id="Intrusion_prevention"&gt;Intrusion prevention&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;In addition to intrusion detection, a WIPS also includes features that counter the threat &lt;i&gt;automatically&lt;/i&gt;. 
For automatic prevention, the WIPS must be able to accurately detect and automatically classify a threat. &lt;p&gt;The following types of threats can be prevented by a good WIPS:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Rogue AP (a WIPS should understand the difference between a rogue AP and an external, neighbor’s AP)&lt;/li&gt;&lt;li&gt;Mis-configured AP&lt;/li&gt;&lt;li&gt;Client mis-association&lt;/li&gt;&lt;li&gt;Unauthorized association&lt;/li&gt;&lt;li&gt;Man-in-the-middle attack&lt;/li&gt;&lt;li&gt;Ad-hoc networks&lt;/li&gt;&lt;li&gt;MAC spoofing&lt;/li&gt;&lt;li&gt;Honeypot / &lt;a href="http://en.wikipedia.org/wiki/Evil_twin_%28wireless_networks%29" title="Evil twin (wireless networks)"&gt;evil twin&lt;/a&gt; AP&lt;/li&gt;&lt;li&gt;Denial of Service (DoS) attack&lt;/li&gt;&lt;/ul&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline" id="Implementation"&gt;Implementation&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;WIPS configurations consist of three components: &lt;ul&gt;&lt;li&gt;&lt;b&gt;Sensors&lt;/b&gt; — These devices contain antennas and radios that scan the wireless spectrum for packets and are installed throughout the areas to be protected&lt;/li&gt;&lt;li&gt;&lt;b&gt;Server&lt;/b&gt; — The WIPS server centrally analyzes packets captured by the sensors&lt;/li&gt;&lt;li&gt;&lt;b&gt;Console&lt;/b&gt; — The console provides the primary user interface into the system for administration and reporting&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;A simple intrusion detection system can be a single computer connected to a wireless signal processing device and antennas placed throughout the facility. For very large organizations, a Multi Network Controller provides central control of multiple WIPS servers, while for SOHO or SMB customers all the functionality of a WIPS is available in a single box.&lt;/p&gt; &lt;p&gt;In a WIPS implementation, users first define the operating wireless policies in the WIPS. 
The WIPS sensors then analyze the traffic in the air and send this information to the WIPS server. The WIPS server correlates the information, validates it against the defined policies and classifies whether it is a threat. The administrator of the WIPS is then notified of the threat, or, if a policy has been set accordingly, the WIPS takes automatic protection measures.&lt;/p&gt; &lt;p&gt;A WIPS is configured as either a network implementation or a hosted implementation.&lt;/p&gt;&lt;h2 style="font-weight: bold; font-style: italic;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline" id="Network_Implementation"&gt;Network &amp;amp; Hosted Implementation&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;In a network WIPS implementation, the Server, Sensors and Console are all placed inside a private network and are not accessible from the internet. Sensors communicate with the Server over the private network using a private port. Since the Server resides on the private network, users can access the Console only from within the private network. A network implementation is suitable for organizations where all locations are within the private network.&lt;br /&gt;&lt;br /&gt;In a hosted WIPS implementation, Sensors are installed inside a private network, but the Server is hosted in a secure data center and is accessible on the internet. Users can access the WIPS Console from anywhere on the internet. A hosted WIPS implementation is as secure as a network implementation because the data flow is encrypted between Sensors and Server, as well as between Server and Console. A hosted WIPS implementation requires very little configuration because the Sensors are programmed to automatically look for the Server on the internet over a secure SSL connection. 
&lt;p&gt;For a large organization with locations that are not part of a private network, a hosted WIPS implementation simplifies deployment significantly because Sensors connect to the Server over the internet without requiring any special configuration. Additionally, the Console can be accessed securely from anywhere on the internet.&lt;/p&gt; &lt;p&gt;Hosted WIPS implementations are often offered in an on-demand, subscription-based Software-as-a-Service model. Hosted implementations are particularly cost-effective for organizations looking to fulfill only the minimum scanning requirements of PCI DSS.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/2870363532872292639/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=2870363532872292639' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/2870363532872292639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/2870363532872292639'/><link rel='alternate' type='text/html' 
href='http://bestofnetworksecurity.blogspot.com/2011/03/wireless-intrusion-prevention-system.html' title='Wireless Intrusion Prevention System'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-4902398240342059879</id><published>2011-03-06T01:59:00.001-08:00</published><updated>2011-03-06T02:00:48.843-08:00</updated><title type='text'>Why Should I Secure My Wireless Network Using Encryption?</title><content type='html'>All computer security measures slow down, rather than stop, would-be hackers. If a network takes longer to crack, the hope is that the hackers will give up and go elsewhere. Wireless networks without encryption make eavesdropping a cinch.&lt;div style="overflow: hidden; color: rgb(0, 0, 0); background-color: transparent; text-align: left; text-decoration: none; border: medium none;"&gt;&lt;br /&gt;&lt;h2&gt;What Can Be Done to Secure a Wireless Network?&lt;/h2&gt;&lt;div class="KonaBody"&gt;&lt;p&gt;The two primary areas of concern are eavesdropping and unauthorized access. Encryption algorithms such as WEP and WPA protect against eavesdropping by scrambling data sent over the wireless connection so that only network hosts that have the network shared key or certificates can decrypt the information. WEP and WPA also support authentication in that hosts attempting to connect to the wireless network are denied access unless they can provide the network pre-shared key or an authorized certificate.&lt;/p&gt; &lt;p&gt;WEP (Wired Equivalent Privacy) is the oldest of the wireless encryption standards. WEP depends upon a relatively weak security algorithm using RC4 encryption and shared security keys that are trivial to break. 
Free applications are available for download on the Internet that can crack WEP encryption in minutes (with no advanced computer skills required). WEP should be considered a last resort for wireless security. If your wireless network only supports WEP encryption, upgrade the wireless hardware and software to equipment that supports the stronger encryption algorithms below.&lt;/p&gt; &lt;p&gt;WPA-PSK (WiFi Protected Access with Pre-Shared Key) provides slightly better security than WEP. WPA-PSK also employs a pre-shared key similar to WEP and still uses the RC4 algorithm for encryption. However, WPA improves upon WEP through the use of the TKIP algorithm, which generates new keys periodically and also detects tampering when packets have been altered. The theory behind WPA security is that if the keys used to secure the network are changed often enough, then by the time a key is cracked it has already been replaced by a new key, invalidating the cracked key. So is WPA secure? Not really, as I will explain in a moment.&lt;/p&gt; &lt;p&gt;WPA2-PSK improves upon WPA-PSK by employing the AES encryption algorithm rather than relying upon RC4. AES (Advanced Encryption Standard) uses the Rijndael encryption algorithm, which has yet to be cracked outside a lab in real-world networks. WPA2-PSK is highly recommended over the aforementioned algorithms simply because it uses AES.&lt;/p&gt; &lt;p&gt;So what’s the catch? A combination of basic Linux skills and 802.11 wireless network protocol knowledge is all that a hacker needs to access your wireless network without cracking any encryption algorithm. They can overwhelm the wireless AP/router with a flood of packets so that wireless network hosts lose their connection to the AP. 
When the hosts attempt to associate with the AP again, the attacker captures the four packets sent during host authentication and then uses downloaded password cracking software to reveal the passphrase.&lt;/p&gt;&lt;/div&gt;&lt;h2&gt;Countermeasures&lt;/h2&gt;&lt;div class="KonaBody"&gt;&lt;p&gt;First, always use a complex passphrase. Include upper case and lower case letters, numbers and special characters in the passphrase.&lt;/p&gt;&lt;p&gt;Next, the passphrase should be as long as possible. Using the full 63-character space for WPA is best; however, if you must keep it simple, make sure it is at least 12 characters.&lt;/p&gt;&lt;p&gt;The passphrase should not employ easy-to-remember mnemonics such as placing the same numbers before and after a word, as there are password crackers designed to break such passphrases.&lt;/p&gt;&lt;p&gt;Enable MAC address filtering and statically assign IP addresses to MAC addresses if your network (like most) uses DHCP to dynamically assign IP addresses. In addition, configure the DHCP scope to include only IP addresses statically assigned to a network host.&lt;/p&gt;&lt;p&gt;Employ IEEE 802.1X and/or directory server authentication in addition to a wireless encryption protocol. Wireless network clients would then be required to associate with a wireless AP and authenticate with the directory servers before access is granted.&lt;/p&gt;&lt;p&gt;Remember that each security measure takes time for would-be hackers to crack. 
If it takes too long, they will move on to the next target.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/4902398240342059879/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=4902398240342059879' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/4902398240342059879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/4902398240342059879'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2011/03/why-should-i-secure-my-wireless-network.html' title='Why Should I Secure My Wireless Network Using Encryption?'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-8204127979519590045</id><published>2010-07-19T16:11:00.000-07:00</published><updated>2010-07-19T16:15:30.621-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Secure Network Devices'/><title type='text'>Secure Network Devices</title><content type='html'>It's important to remember that the firewall 
is only one entry point to your network. Modems, if you allow them to answer incoming calls, can provide an easy means for an attacker to sneak &lt;em&gt;around&lt;/em&gt; (rather than &lt;em&gt;through&lt;/em&gt;) your front door (or, firewall). Just as castles weren't built with moats only in the front, your network needs to be protected at all of its entry points. &lt;h2 style="font-weight: bold; font-style: italic;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a name="SECTION00071000000000000000"&gt;Secure Modems; Dial-Back Systems&lt;/a&gt;&lt;/span&gt;&lt;/h2&gt; If modem access is to be provided, this should be guarded carefully. The &lt;em&gt;terminal server&lt;/em&gt;, or network device that provides dial-up access to your network, needs to be actively administered, and its logs need to be examined for strange behavior. Its passwords need to be strong -- not ones that can be guessed. Accounts that aren't actively used should be disabled. In short, it's the easiest way to get into your network from remote: guard it carefully. &lt;p&gt;There are some remote access systems that have the feature of a two-part procedure to establish a connection. The first part is the remote user dialing into the system and providing the correct userid and password. The system will then drop the connection, and call the authenticated user back at a known telephone number. Once the remote user's system answers that call, the connection is established, and the user is on the network. This works well for folks working at home, but can be problematic for users wishing to dial in from hotel rooms and such when on business trips.&lt;/p&gt;&lt;p&gt;Other possibilities include one-time password schemes, where the user enters his userid and is presented with a “challenge,” a string of between six and eight numbers. He types this challenge into a small device that he carries with him that looks like a calculator. 
He then presses enter, and a “response” is displayed on the LCD screen. The user types the response, and if all is correct, the login will proceed. These are useful devices for solving the problem of good passwords without requiring dial-back access. However, they have their own problems, as they require the user to carry them, and they must be tracked, much like building and office keys.&lt;/p&gt;&lt;p&gt;No doubt many other schemes exist. Take a look at your options, and find out how what the vendors have to offer will help you &lt;em&gt;enforce your security policy effectively&lt;/em&gt;.&lt;/p&gt;&lt;h2 style="font-weight: bold; font-style: italic;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a name="SECTION00072000000000000000"&gt;Crypto-Capable Routers&lt;/a&gt;&lt;/span&gt;&lt;/h2&gt; A feature that is being built into some routers is the ability to use session encryption between specified routers. Because traffic traveling across the Internet can be seen by people in the middle who have the resources (and time) to snoop around, these are advantageous for providing connectivity between two sites, such that there can be secure routes. &lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a name="SECTION00073000000000000000"&gt;Virtual Private Networks&lt;/a&gt;&lt;/span&gt;&lt;/h2&gt; Given the ubiquity of the Internet, and the considerable expense in private leased lines, many organizations have been building &lt;em&gt;VPNs&lt;/em&gt; (Virtual Private Networks). Traditionally, for an organization to provide connectivity between a main office and a satellite one, an expensive data line had to be leased in order to provide direct connectivity between the two offices. Now, a solution that is often more economical is to provide both offices connectivity to the Internet. Then, using the Internet as the medium, the two offices can communicate. 
&lt;p&gt;The danger in doing this, of course, is that there is no privacy on this channel, and it's difficult to provide the other office access to “internal” resources without providing those resources to everyone on the Internet.&lt;/p&gt;&lt;p&gt;VPNs provide the ability for two offices to communicate with each other in such a way that it looks like they're directly connected over a private leased line. The session between them, although going over the Internet, is private (because the link is encrypted), and the link is convenient, because each can see the other's internal resources without showing them off to the entire world.&lt;/p&gt;&lt;p&gt;A number of firewall vendors are including the ability to build VPNs in their offerings, either directly with their base product or as an add-on. If you have a need to connect several offices together, this might very well be the best way to do it.&lt;/p&gt;&lt;h2 style="font-weight: bold;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a name="SECTION00080000000000000000"&gt;Conclusions&lt;/a&gt;&lt;/span&gt;&lt;/h2&gt;&lt;p&gt;Security is a very difficult topic. Everyone has a different idea of what “security” is, and what levels of risk are acceptable. The key for building a secure network is to &lt;em&gt;define what security means to your organization&lt;/em&gt;. Once that has been defined, everything that goes on with the network can be evaluated with respect to that policy. Projects and systems can then be broken down into their components, and it becomes much simpler to decide whether what is proposed will conflict with your security policies and practices.&lt;/p&gt;&lt;p&gt;Many people pay great amounts of lip service to security, but do not want to be bothered with it when it gets in their way. 
It's important to build systems and networks in such a way that the user is not constantly reminded of the security system around him. Users who find security policies and systems too restrictive will find ways around them. It's important to get their feedback to understand what can be improved, and it's important to let them know &lt;em&gt;why&lt;/em&gt; what's been done has been done, the sorts of risks that are deemed unacceptable, and what has been done to minimize the organization's exposure to them.&lt;/p&gt;&lt;p&gt;Security is everybody's business, and only with everyone's cooperation, an intelligent policy, and consistent practices will it be achievable.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/8204127979519590045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=8204127979519590045' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/8204127979519590045'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/8204127979519590045'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2010/07/secure-network-devices.html' title='Secure Network Devices'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-524839391332698889</id><published>2010-01-16T16:45:00.000-08:00</published><updated>2010-01-16T16:53:39.104-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Encryption'/><title type='text'>DATA ENCRYPTION</title><content type='html'>&lt;span class="mContent"&gt;&lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;Data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; Encryption is a process in which plaintext &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; is converted into ciphertext so that it cannot be read. More generally known as “&lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;encryption&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;,” this process can be accomplished in a wide variety of ways, and with varying degrees of success. Some of the best &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;encryption&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; can last for centuries, while other types of decryption can be broken in minutes or even seconds by people who are skilled at such tasks. In the digital age, people rely heavily on &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;encryption&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; on a daily basis. 
Chances are high that you have received or sent encrypted &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; at some point today, even if you did not directly perform the &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;encryption&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; or decryption of the &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;.&lt;br /&gt;&lt;/span&gt;&lt;p&gt;n this process, a perfectly ordinary piece of plaintext which can be read by anyone is converted so that it can only be read by someone with a key. One of the simplest forms of &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;encryption&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; is a simple alphabetic substitution, in which the letters of the alphabet are scrambled to create a key. One could decide, for example, to shift the letters of the alphabet by five places so that “E” stands for “A,” “F” for “B” and so forth for a simple key, or the letters could be assigned at random to make a piece of text more difficult to decipher without the key.&lt;/p&gt; &lt;p&gt;An alphabetic substitution is usually fairly easy to break; in fact, many major newspapers have a simple substitution on their puzzles page for people to solve. 
More complex methods of &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;encryption&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; can be used to make a code more challenging to break. With complex codes, people can try to use brute force to crack the &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;encryption&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;, and they may eventually succeed, but it will take a long time. Many methods of &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;encryption&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; focus on keeping the key secure, and allowing the encrypted &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; to be freely seen, under the argument that once encrypted, the &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; is harmless, as long as people cannot obtain the key.&lt;/p&gt; &lt;p&gt;There are a number of reasons to need to encrypt &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;, most of which rely on shielding &lt;span class="yellowFade"&gt;&lt;span&gt;&lt;span style="position: relative;" class="yellowFadeInnerSpan"&gt;data&lt;/span&gt;&lt;/span&gt;&lt;/span&gt; from the eyes of other people. 
Banks, for example, send encrypted data about their clients back and forth, while governments rely on encryption to get messages to overseas embassies. Most email programs encrypt the connection to the mail server (and can apply end-to-end encryption such as PGP or S/MIME) so that messages cannot be read in transit by third parties, as do sites that handle personal information such as addresses and credit card numbers by serving their pages over HTTPS.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;span class="mContent"&gt;&lt;div&gt;&lt;p&gt;Encryption protocols are standardized so that parties who have never met can interoperate; what is specific to a given pair of parties is the key, never the algorithm. Keeping the algorithm itself secret in the hope of making it harder to crack has a poor record, because an unreviewed design tends to contain flaws and the secret rarely stays secret. 
What public-key cryptography changed is key distribution: before it, a key had to be delivered to the other party in advance over some private channel, whereas key-agreement protocols such as Diffie-Hellman and public-key encryption let two parties establish a shared secret key across an open network without ever transmitting that key itself.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img style="width: 595px; height: 444px;" alt="http://www.filibeto.org/sun/lib/nonsun/oracle/10.2.0.1.0/B19306_01/network.102/b14268/images/transdata.gif" src="http://www.filibeto.org/sun/lib/nonsun/oracle/10.2.0.1.0/B19306_01/network.102/b14268/images/transdata.gif" /&gt;&lt;/p&gt;&lt;/div&gt;&lt;/span&gt;&lt;/p&gt;&lt;h1&gt;&lt;span style="font-size:100%;"&gt;&lt;strong&gt;Benefits of Data Encryption&lt;/strong&gt;&lt;/span&gt;&lt;/h1&gt;&lt;p&gt;For large commercial organizations, data security is not only a business choice; in many jurisdictions it is a legal obligation. Losing sensitive data through a natural disaster or physical theft can have severe consequences for a company, possibly crippling the entire organization. Among the many available security mechanisms, data encryption is one of the most effective for protecting the confidentiality of information.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Virtual attack&lt;/strong&gt; - This could be an industry rival that learns to bypass security and gains access to competitive data. 
It could also be a malicious attack that deliberately corrupts data.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Physical attack&lt;/strong&gt; - Perhaps a disgruntled employee is seeking ways to damage the company by stealing files or deliberately destroying data.&lt;/p&gt; &lt;p&gt;Most corporations implement multiple layers of security using network devices such as routers and firewalls. These devices protect essential data by keeping external threats out of the network. Unfortunately, intruders employ numerous attacks specifically targeted at your information. When attackers find a way past your first line of defense, data encryption is what keeps your secrets from being read, provided the keys are not stored on, or already unlocked in, the same compromised system.&lt;/p&gt; &lt;p&gt;Encryption has changed drastically over the years, going from a military tool to widespread public use. Whether hardware- or software-based, it is fast, easy to use and, most importantly, secure when standard algorithms are used correctly. Here are some of the key benefits this solution offers:&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Strength: &lt;/strong&gt;The best data encryption products are built on openly published, publicly reviewed standards rather than proprietary ciphers. Keep in mind that encryption on its own protects secrecy; to detect corruption or tampering you need authenticated encryption or a separate integrity check. Many solutions scale to an entire organization so that it can meet its security policies, and the same algorithms governments rely on are available off the shelf at modest cost.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Flexibility: &lt;/strong&gt;Data encryption can protect your sensitive information whether it is stored on a desktop or laptop computer, a PDA, removable storage media, an email server or the corporate network. This allows you to securely access important data from the office, on the road or at home. If the device is lost or stolen, the information stays protected, provided the device was powered off (a running or sleeping machine still holds the key in memory) and the passphrase is not easily guessed.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Transparency:&lt;/strong&gt; It wouldn't be a good idea to employ any security measure that negatively impacts your business. 
An efficient data encryption solution lets your business run at its normal pace, silently securing crucial data in the background; the best options do their work without the user being aware of them.&lt;/p&gt; &lt;p&gt;Data encryption provides solid protection in the event of a security breach. It does not replace perimeter defenses, but it limits what an attacker gains once they are past them. Every security measure you set in place is important, yet incomplete if the confidential data itself is not protected.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-524839391332698889?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/524839391332698889/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=524839391332698889' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/524839391332698889'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/524839391332698889'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2010/01/data-encryption.html' title='DATA ENCRYPTION'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-4416812382270732865</id><published>2010-01-16T16:31:00.000-08:00</published><updated>2010-01-16T16:43:08.591-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Data Security'/><title type='text'>Data Security:An Overview</title><content type='html'>&lt;h1&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;What is Data Security?&lt;/strong&gt;&lt;/span&gt;&lt;/h1&gt; &lt;p&gt;In simple terms, data security is the practice of keeping data protected from corruption and unauthorized access. Its focus is to ensure privacy while protecting personal or corporate data.&lt;/p&gt;&lt;h3&gt;&lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline" id="Hardware_based_Mechanisms_for_Protecting_Data"&gt;Hardware based Mechanisms for Protecting Data&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;Software-based security solutions encrypt data so that it cannot be read if it is stolen. However, a malicious program or an intruder running with the same privileges as that software may still corrupt the data to make it unrecoverable or unusable, and an encrypted operating system image can likewise be corrupted, making the system unusable. Hardware-based security solutions can enforce read and write restrictions below the operating system and hence offer strong protection against tampering and unauthorized access.&lt;/p&gt; &lt;p&gt;Hardware-based or hardware-assisted security offers an alternative to software-only security. Security tokens such as those using PKCS#11 may be harder to compromise because physical possession is required: access is enabled only while the token is connected and the correct PIN has been entered. However, a dongle that requires no PIN can be used by anyone who gains physical access to it. 
Newer hardware-based technologies aim to close this gap, though no hardware control is foolproof: firmware flaws, physical tampering and mistakes in the surrounding policy remain.&lt;/p&gt; &lt;p&gt;How hardware-based security works: a hardware device lets a user log in, log out and switch between privilege levels through manual actions on the device itself, and uses biometric verification to stop a malicious user from performing those actions. The user's current state is read by controllers in peripheral devices such as hard disks and DVD drives, which refuse any access that the current state does not permit. Hardware-based access control is stronger than protection provided by the operating system alone, because an operating system can be subverted by malware or an intruder, after which the data on a hard disk can be corrupted. With hardware-based protection, software cannot manipulate the user's privilege level, so a hacker or malicious program that has compromised the operating system still cannot reach protected data or perform privileged operations; the hardware also protects the operating system image and file system privileges from tampering. A strongly protected system can therefore be built from hardware-based security combined with sound system administration policies, though it remains only as strong as the hardware implementation and the people who administer it.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img alt="http://bbcomputersinc.com/Lan_diagramta.jpg" src="http://bbcomputersinc.com/Lan_diagramta.jpg" /&gt;&lt;/p&gt;&lt;h2&gt;&lt;span style="font-size:130%;"&gt;&lt;strong&gt;Encryption &lt;/strong&gt;&lt;/span&gt;&lt;/h2&gt; &lt;p&gt;Encryption has become a critical security feature for thriving networks and active home users alike. This security mechanism uses mathematical algorithms to scramble data into unreadable text. 
It can only be decoded, or decrypted, by a party that holds the associated key.&lt;/p&gt; &lt;p&gt;Full-disk encryption (FDE) offers some of the best protection available for data at rest. It encrypts every piece of data on a disk or hard disk drive, so a lost or stolen machine that is powered off yields nothing without the key; once the machine is booted and unlocked, the data is readable and the operating system's own access controls take over. Full-disk encryption is even more robust when hardware components (such as a self-encrypting drive or a trusted platform module holding the key) are used in conjunction with software components. This combination is often referred to as end-based or end-point full-disk encryption.&lt;/p&gt; &lt;h2&gt;&lt;strong&gt;&lt;span style="font-size:130%;"&gt;Strong User Authentication&lt;/span&gt; &lt;/strong&gt;&lt;/h2&gt; &lt;p&gt;Authentication is another part of data security that we encounter in everyday computer use. Just think about when you log into your email or blog account. That login is a form of authentication, and a single sign-on scheme can extend it to applications, files, folders and even an entire computer system. Once logged in, you hold the privileges you were granted until you log out. Some systems will end a session if your machine has been idle for a certain amount of time, requiring you to authenticate again to re-enter.&lt;/p&gt; &lt;p&gt;Strong user authentication keeps the same login flow but requires individuals to present two or more factors of different kinds: something you know (a password), something you have (a one-time password generator or a smart card) or something you are (a fingerprint). Two factors of the same kind, such as two passwords, do not make authentication strong.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Backup Solutions&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Data security wouldn't be complete without a solution to back up your critical information. Though it may appear secure while confined to a machine, there is always a chance that your data can be compromised. You could suddenly be hit with a malware infection where a virus destroys all of your files. Someone could enter your computer and steal data by slipping through a security hole in the operating system. 
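The one-time password named among the factors in the Strong User Authentication section above, as an added example that is not code from the original post: the time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) that a multi-factor login verifies alongside the password. The shared secret used here is the one from the RFC test vectors; the drift window and step size are the common defaults and are assumptions of this example.

```python
"""Added example, not from the original post: generating and verifying a
time-based one-time password (RFC 6238 / RFC 4226) as a second login factor."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30      # common default time step
DIGITS = 6             # common default code length


def secret_from_base32(text):
    """Shared secrets are usually handed to the user's app as base32."""
    return base64.b32decode(text.upper().replace(" ", ""))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=STEP_SECONDS):
    """The code valid during the time step containing `at_time` (epoch seconds)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step)


def verify_totp(secret, submitted, at_time=None, step=STEP_SECONDS, drift_steps=1):
    """Accept the submitted code if it matches the current step or any step
    within +/- drift_steps, comparing in constant time. A real server must
    also remember the step a code was accepted for and refuse that step a
    second time, otherwise a code captured in transit can be replayed."""
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    # Secret from the RFC 4226 / RFC 6238 test vectors ("12345678901234567890").
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code right now:", totp(secret))
    print("RFC 6238 vector at t=59:", totp(secret, 59))   # 287082
    print("accepted one step late:", verify_totp(secret, totp(secret, 59), 89))
```

Verification is the security-relevant half: the drift window is what makes the scheme usable with imperfect clocks, and the single-use rule noted in the docstring is what stops a phished or sniffed code from being reused within that window.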
Perhaps it was an inside job that caused your business to lose those sensitive reports. If all else fails, a reliable backup solution will allow you to restore your data instead of starting completely from scratch. Keep at least one copy offline or otherwise out of reach of the same malware and credentials that could hit the original, and test restores regularly; a backup that has never been restored is a hope, not a control.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-4416812382270732865?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/4416812382270732865/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=4416812382270732865' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/4416812382270732865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/4416812382270732865'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2010/01/what-is-data-security-in-simple-terms.html' title='Data Security:An Overview'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-1451927686326006814</id><published>2009-07-15T23:46:00.000-07:00</published><updated>2009-07-16T00:06:00.956-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Spywares'/><title type='text'>SPYWARE-1</title><content type='html'>&lt;p&gt;&lt;span style="font-size:130%;"&gt;&lt;b&gt;Spyware&lt;/b&gt;&lt;/span&gt; is a type of &lt;span style="font-weight: bold;"&gt;malware&lt;/span&gt; that 
is installed surreptitiously on personal computers to collect information about users, their computer or their browsing habits without their &lt;span style="font-weight: bold;"&gt;informed consent.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;While the term &lt;i&gt;spyware&lt;/i&gt; suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting &lt;span style="font-weight: bold;"&gt;Web Browser&lt;/span&gt; activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connectivity or of the functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term &lt;a href="http://en.wikipedia.org/wiki/Privacy-invasive_software" title="Privacy-invasive software"&gt;privacy-invasive software&lt;/a&gt;.&lt;/p&gt; In response to the emergence of spyware, a small industry has sprung up dealing in &lt;span style="font-weight: bold;"&gt;anti-spyware&lt;/span&gt; software. Running anti-spyware software has become a widely recognized element of computer security practice, especially for computers running &lt;span style="font-weight: bold;"&gt;Microsoft Windows&lt;/span&gt;. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer. 
The US &lt;span style="font-weight: bold;"&gt;Federal Trade Commission&lt;/span&gt; has published a page of advice to consumers about how to lower the risk of spyware infection, including a list of "do's" and "don'ts."&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;&lt;span class="mw-headline"&gt;Examples of spyware&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that, as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by&lt;span style="font-weight: bold;"&gt; Claria&lt;/span&gt; are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.&lt;/p&gt;&lt;ul&gt;&lt;li style="font-weight: bold;"&gt;CoolWebSearch&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;Internet Optimizer&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;HuntBar or Adware.Websearch&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;Movieland&lt;/li&gt;&lt;li style="font-weight: bold;"&gt;Zango&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Zlob Trojan&lt;/span&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold;" class="mw-headline"&gt;Spyware, adware and tracking&lt;/span&gt;&lt;/span&gt; &lt;p&gt;The term &lt;span style="font-weight: bold;"&gt;adware&lt;/span&gt; frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the &lt;span style="font-weight: bold;"&gt;Eudora&lt;/span&gt; mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.&lt;/p&gt; &lt;p&gt;Much adware, however, is spyware in a different sense: it displays advertisements chosen on the basis of what it learns by spying on you. Gator Software from &lt;span style="font-weight: bold;"&gt;Claria Corporation&lt;/span&gt; (formerly GATOR) and Exact Advertising's &lt;span style="font-weight: bold;"&gt;BargainBuddy &lt;/span&gt;are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user receives many &lt;a href="http://en.wikipedia.org/wiki/Pop-up_advertisement" title="Pop-up advertisement" class="mw-redirect"&gt;&lt;span style="font-weight: bold;"&gt;pop-up advertisements&lt;/span&gt;&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Other spyware behavior, such as reporting on websites the user visits, occurs in the background. 
The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the &lt;span style="font-weight: bold;"&gt;Alexa Toolbar&lt;/span&gt;, an Internet Explorer plug-in published by &lt;span style="font-weight: bold;"&gt;Amazon.com&lt;/span&gt;, as spyware, and some anti-spyware programs such as &lt;span style="font-weight: bold;"&gt;Ad-Aware&lt;/span&gt; report it as such. Many of these adware-distributing companies are backed by millions of dollars of adware-generated revenue. Adware and spyware are similar to viruses in that they can be malicious in nature, and people profit from misleading adware: rogue "security" products such as &lt;span style="font-weight: bold;"&gt;Antivirus 2009&lt;/span&gt;, known as &lt;span style="font-weight: bold;"&gt;scareware&lt;/span&gt;, frighten users into paying for protection that does not exist.&lt;/p&gt; &lt;p&gt;Similarly, software bundled with free, advertising-supported programs such as&lt;span style="font-weight: bold;"&gt; P2P&lt;/span&gt; clients acts as spyware (and, if removed, disables the 'parent' program), yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products, whose removal tools may inadvertently disable wanted programs. For example, test results at the time showed that the bundled WhenUSave software was ignored by the popular anti-spyware program Ad-Aware (but removed as spyware by most scanners) because it was part of the popular, though since decommissioned, eDonkey client. 
To address this dilemma, the &lt;span style="font-weight: bold;"&gt;Anti-Spyware Coalition&lt;/span&gt; has been working on building consensus within the anti-spyware industry as to what is and isn't acceptable software behavior.&lt;br /&gt;&lt;/p&gt; &lt;p&gt;&lt;a name="Spyware.2C_virus_and_worm" id="Spyware.2C_virus_and_worm"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="mw-headline"&gt;Spyware, virus and worm&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;Unlike &lt;span style="font-weight: bold;"&gt;viruses&lt;/span&gt; and &lt;span style="font-weight: bold;"&gt;worms&lt;/span&gt;, spyware does not usually self-replicate. Like many recent viruses, however, spyware is designed to exploit infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements, theft of personal information (including financial information such as credit card numbers), monitoring of Web-browsing activity for marketing purposes, and routing of HTTP requests to advertising sites.&lt;/p&gt; &lt;p&gt;Spyware can, however, be dropped as a payload by a worm, so the distinction is about what the program itself does, not about how it arrives.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-1451927686326006814?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/1451927686326006814/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=1451927686326006814' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/1451927686326006814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/1451927686326006814'/><link rel='alternate' 
type='text/html' href='http://bestofnetworksecurity.blogspot.com/2009/07/spyware-1.html' title='SPYWARE-1'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-1355129100502309522</id><published>2009-07-13T03:42:00.000-07:00</published><updated>2009-07-13T03:46:29.087-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Malwares'/><title type='text'>All About Malwares</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="font-weight: bold;"&gt;Types Of Malware&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The term malware covers the whole emerging class of malicious software. Wikipedia has a pretty good definition of malware:&lt;br /&gt;&lt;br /&gt;"&lt;i&gt; Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, and other malicious and unwanted software.&lt;/i&gt;"&lt;br /&gt;&lt;br /&gt;The important thing to know about malware is that financial harm is increasingly the number one objective.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How is malware different from spyware?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Under the hood there is no difference: spyware is one category of malware, although in everyday usage the two terms are often treated as synonyms. 
Malware is intended to harm you (or your computer); it is not a joke written by bored college kids or pranksters.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Purposes of malware are to...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;steal your identity by collecting personal information from your computer&lt;/li&gt;&lt;li&gt;take over your PC and direct it to websites so the malware writer gets paid for advertising&lt;/li&gt;&lt;li&gt;steal your financial web site passwords&lt;/li&gt;&lt;li&gt;gather information about you in order to target you for other scams that involve phone, e-mail or regular mail&lt;/li&gt;&lt;li&gt;take over your PC to use its processing power to attack others or send spam&lt;/li&gt;&lt;li&gt;extort money from you in return for "releasing" your computer back to you&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;Who is sending out malware?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The malware writer is usually a professional software developer with formal education, typically backed by a traditional crime organization and working full time on malware. The most vicious groups operate out of eastern Europe and Africa, where prosecution is unlikely. 
Many people believe that local governments turn a blind eye to the activity and share in the profits.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-1355129100502309522?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/1355129100502309522/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=1355129100502309522' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/1355129100502309522'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/1355129100502309522'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2009/07/all-about-malwarea.html' title='All About Malwares'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-676289262906365344</id><published>2009-07-13T03:40:00.000-07:00</published><updated>2009-07-13T03:41:05.584-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Malwares'/><title type='text'>How does Malware work?</title><content type='html'>&lt;h1 style="margin: 0pt; padding: 1px 10px; text-align: center;"&gt;&lt;span style="font-size:130%;"&gt;How does Malware work?&lt;/span&gt;&lt;/h1&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Malware&lt;/span&gt; can attack in multiple ways. 
The technology (spyware, trojan, rootkit) and the attack vectors (fake software, e-mail attachments, direct hacking) have stayed the same.&lt;br /&gt;&lt;br /&gt;What differs is the intent: malware always has some form of fraud behind its distribution.&lt;br /&gt;&lt;br /&gt;Some examples of how malware works&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Trojan Horse &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You download a cool calculator program and install it. The calculator works fine. A few days later you start having problems with your computer, and when you search the internet you get annoying pop-ups. Then the pop-ups appear at random even when you are not browsing. The pop-up program was most likely hidden inside the calculator installer. The installation may also have implanted itself inside programs that already existed on your computer, which makes it hard to remove.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Rootkit in an e-mail attachment&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Your friend sends you a funny video. When you double-click it you get a security warning, but you want to see it, so you click OK to get past the warning. Nothing seems to happen and you think nothing of it; maybe it was a bad copy.&lt;br /&gt;Later you talk to your friend, who says he never sent you a video. Something did happen in the background when you clicked: malware was installed. There is no way to know the intent behind it. You may not notice anything while your computer is used as a botnet drone to attack web sites or other computers. The warning you clicked through was the one control standing between you and the infection.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Spyware&lt;/span&gt; in a "drive-by download"&lt;br /&gt;&lt;br /&gt;You click on a link in search results and immediately get pop-ups. You close the pages but get strange errors. You think nothing harmful could have come of it; you simply "drove by" the website and didn't install anything. 
However, your computer had a software flaw, in the browser or one of its plug-ins, that let the website install spyware without your permission. You got no warning because the exploit bypassed the browser's prompts altogether. You now have spyware resident on your system. What you type in web forms, login pages and chat, and which sites you visit, can all be sent to the attacker's server.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-676289262906365344?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/676289262906365344/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=676289262906365344' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/676289262906365344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/676289262906365344'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2009/07/how-does-malware-work.html' title='How does Malware work?'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-6082583086269384247</id><published>2008-12-13T05:11:00.000-08:00</published><updated>2008-12-13T05:23:35.431-08:00</updated><title type='text'>Internet Confidentiality &amp; Privacy</title><content type='html'>&lt;span style=";font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;"  &gt;&lt;p&gt;The 
&lt;span style="font-weight: bold;"&gt;Internet&lt;/span&gt; provides little assurance of privacy or confidentiality.                   The use of firewalls, anonymizers, and encryption can help                   mitigate the risks. Major considerations to keep in mind are                   discussed below.&lt;/p&gt;                 &lt;p&gt;&lt;strong&gt;&lt;a name="firewall"&gt;&lt;/a&gt;Silent communications&lt;/strong&gt;. There                   are thousands of rogue actors and infected computers probing                   machines across the Internet at any given second. These bad                   apples are almost certainly trying to get control of your machine                   through any security fault or unpatched module they can find.                   Fortunately, their communications are fairly straightforward                   to trap, since by definition they are unsolicited -- it is                   easy to tell the difference between a packet from a web site                   you just accessed from a probe from some site you never heard                   of before. The technological solution to this threat is called                   a "firewall", a program that monitors all communications                   and traps all illicit packets. Most operating systems now come                   with a firewall preinstalled. However, some, such as the Windows                   firewall, only block suspect incoming communications, leaving                   completely open access to the Internet &lt;em&gt;from&lt;/em&gt; your machine.                   This is a barn-door sized hole that is eagerly used by almost                   every program you have on your computer to contact the home                   company for all sorts of reasons ranging from automatic checking                   for updates to transmission of usage metric data for their                   own proprietary purposes. 
The solution to this is a third party &lt;span style="font-weight: bold;"&gt;firewall&lt;/span&gt; that protects both incoming and outgoing communications. The free version of&lt;span style="font-weight: bold;"&gt; ZoneAlarm&lt;/span&gt; is widely used.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Surfing leaves tracks&lt;/strong&gt;. There is little privacy or confidentiality on the Internet. Web sites can track your surfing on their site by&lt;span style="font-weight: bold;"&gt; IP address&lt;/span&gt; and related system information, including system names and Internet network addresses that often uniquely identify your computer. Search engines generally record your queries together with your computer identification, building up a profile of your interests over time. To minimize these threats, you can change your default browser settings to exclude &lt;span style="font-weight: bold;"&gt;cookies,&lt;/span&gt; since they can be used to build up detailed profiles of your surfing patterns over time (advertising sites with a presence on many sites can even use cookies to track your surfing patterns across different sites). 
You can also use networked or single-point anonymizers&lt;a style="font-style: italic;" href="http://www.livinginternet.com/i/is_anon.htm"&gt;&lt;em&gt;&lt;/em&gt;&lt;/a&gt; to obscure all your computer's local identifying information and obtain the maximum available Internet privacy.&lt;/p&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;span style=";font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;"  &gt;&lt;p&gt;&lt;img style="width: 613px; height: 453px;" alt="http://www.computerservicescanada.ca/images/image008.jpg" src="http://www.computerservicescanada.ca/images/image008.jpg" /&gt;&lt;/p&gt;&lt;/span&gt;&lt;strong&gt;Posting is public&lt;/strong&gt;. When you post anything to a public Internet newsgroup, mailing list, or chat room, you generally give up the rights to the content and any expectation of privacy or confidentiality. In most countries, anything you post to a public space can be saved, archived, duplicated, distributed, and published, even years later, by anyone, in the same way as a photograph taken in a public space like a city park. If you have ever posted anything to the newsgroups, you might find it interesting to &lt;span style="font-weight: bold;"&gt;search&lt;/span&gt; them now for the email address you used at the time, which is one reason you should disguise your &lt;span style="font-weight: bold;"&gt;email address&lt;/span&gt;&lt;a href="http://www.livinginternet.com/e/ew_addr.htm"&gt;&lt;em&gt;&lt;/em&gt;&lt;/a&gt; when posting to Usenet.&lt;/div&gt;&lt;span style=";font-family:Verdana,Arial,Helvetica,sans-serif;font-size:85%;"  &gt; &lt;p&gt;&lt;strong&gt;Personal data is cross-referenced&lt;/strong&gt;. 
If you give a site personal data like an email address, home address, phone number, birth date, or credit card number, be aware that the information can be easily cross-referenced by a range of large service companies to assemble a detailed database of your buying habits, surfing patterns, and interests. And it usually is. If you do give a site personal information, it is a good idea to first read their Internet privacy policy to see how confidential they promise to keep it. &lt;/p&gt; &lt;p&gt;&lt;strong&gt;Tap, tap&lt;/strong&gt;. Without speculating on who or why, Internet communications interception is technically easy to do at any of the perhaps five to twenty-five &lt;span style="font-weight: bold;"&gt;routers&lt;/span&gt; through which your &lt;span style="font-weight: bold;"&gt;packets&lt;/span&gt; are switched on the way to their destination. Software taps are easy to add. Direct physical interception through tapping into copper network cable near a house or in a switching station is straightforward with inexpensive equipment, and enables an eavesdropper to copy all of the traffic that passes over the line. Radio frequency interception of the traffic on copper lines is possible. 
Tapping into a fiber optic line is more difficult, usually requiring a high-angle bend to get a bit of light leakage, but is also technically possible. &lt;span style="font-weight: bold;"&gt;Encryption&lt;/span&gt;&lt;a href="http://www.livinginternet.com/i/is_crypt.htm"&gt;&lt;em&gt;&lt;/em&gt;&lt;/a&gt; is the only sure solution.&lt;/p&gt; &lt;p&gt; &lt;strong&gt;Governments can do anything&lt;/strong&gt;. Many national governments are large enough, with enough resources, that they can and do intercept Internet communications. However, because of the volume of information if for no other reason, you can be reasonably assured that no-one is taking the time to look at your specific Internet packets unless you are connected to an investigation. &lt;/p&gt; &lt;p&gt;The bottom line is that you have little privacy or confidentiality on the Internet, and unless your communications are encrypted and/or anonymized, you should assume they can be read by others. 
At the same time you need to make a realistic threat assessment                   depending on what you are doing -- how much do you (or others)                   really care?&lt;/p&gt;                 &lt;p&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/p&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-6082583086269384247?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/6082583086269384247/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=6082583086269384247' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/6082583086269384247'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/6082583086269384247'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2008/12/internet-confidentiality-privacy.html' title='Internet Confidentiality &amp; Privacy'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-7305879979692158649</id><published>2008-12-02T07:20:00.000-08:00</published><updated>2008-12-02T07:28:11.484-08:00</updated><title type='text'>About Firewalls</title><content type='html'>&lt;b&gt;&lt;span style="font-family:verdana, arial;font-size:100%;"&gt; Introduction to Internet Firewalls&lt;/span&gt; &lt;/b&gt;  &lt;p style="line-height: 
150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; Firewalls are an excellent tool for securing a network. A firewall is system designed to prevent unauthorized access to or from a private network and basically limits access to a network from another network. Firewall that can be implemented in hardware or software, or a combination of both either denies or allows outgoing traffic known as egress filtering or incoming traffic known as ingress filtering.&lt;/span&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt; &lt;/span&gt; &lt;/p&gt;&lt;center&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;&lt;img style="width: 499px; height: 225px;" src="http://www.intelligentedu.com/computer_security_for_everyone/graphics/firewall.gif" alt="" border="1" /&gt;&lt;/span&gt;&lt;/center&gt; &lt;p&gt; &lt;/p&gt;  &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;In an organizational setup, firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. A firewall should be the first line of defense in protecting the availability, integrity, and confidentiality of data in the computing environment. 
While a company may use packet-filtering routers for perimeter defense and host-based firewalls as an additional line of defense, in the home environment the personal firewall plays a key role by defending the network and individual host perimeters.&lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style=""&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Firewall software monitors your computer for suspicious activity while you are online. Inbound intruders are stopped before they can get in, and sensitive information and Trojan horses are stopped before they can get out. Furthermore, a record of the attack is created, including the IP address where the attack came from. This can help the Internet service provider figure out where the attack is coming from so they can track down the hackers. Overall, it is important to be smart about hackers; realizing that you are vulnerable to their attacks is an important first step. Somebody who really wants into your computer may still find a way to do it, but the point here is to make it as difficult as possible for him or her, and to send those who are just looking for an opportunity on to an easier target. &lt;/span&gt;&lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; A firewall is defined as a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software. All messages communicating with the intranet pass through the firewall. 
The firewall inspects and blocks all messages that do not meet the security stipulations.&lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; The fundamental principle is to give the administrator a single point where the preferred policies can be enforced. This single point of control allows the administrator to conceal the characteristics of a private network and protect it.&lt;/span&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt; &lt;b&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;&lt;br /&gt;Uses of a Firewall&lt;/span&gt; &lt;/b&gt;  &lt;/p&gt;&lt;ul type="square"&gt;&lt;li&gt; &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Prevent hackers from logging into machines on the network.&lt;/span&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Provide a single access point from where security and audit can be imposed.&lt;/span&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Act as an effective phone tap and tracing tool.&lt;/span&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Provide an important logging and auditing function.&lt;/span&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Provide information about the nature of traffic and the number of attempts made to break into the network.&lt;/span&gt; &lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;   &lt;p style="line-height: 150%;"&gt;   &lt;b&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Firewall Loopholes&lt;/span&gt;&lt;/b&gt;  &lt;/p&gt;&lt;p 
style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; Firewalls cannot protect from attacks that do not go through the firewall. The prerequisite for a firewall to work is it must be a part of a consistent overall organizational security architecture.&lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; A firewall can't protect the network against a traitor in the network environment. Although an industrial spy might export information through your firewall, the traitor just as likely to export it through a telephone, FAX machine, or floppy disk. Firewalls also cannot protect against social engineering.&lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; Lastly, firewalls cannot protect against tunneling over most application protocols to trojaned or poorly written clients. Tunneling bad things over HTTP, SMTP, and other protocols is widely used.&lt;/span&gt; &lt;/p&gt;  &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt; &lt;/span&gt;&lt;b&gt;&lt;span style="font-family:verdana, arial;font-size:100%;"&gt;Functionality of Firewalls&lt;/span&gt;&lt;/b&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; 1. &lt;i&gt;Packet Filtering&lt;/i&gt;: For each packet received, the packet filters gives permit/denial decision. The filtering rules are based on the packet header information. This information consists of the IP source address, the IP destination address, the encapsulated protocol, the TCP/UDP source port, the TCP/UDP destination port, and the ICMP message type. &lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; 2. 
&lt;i&gt;Application level gateway&lt;/i&gt;: An application level gateway is a proxy that is installed on the gateway for each desired application. It does not allow direct exchange of packets. If a particular application does not have a proxy on the gateway, the service is not forwarded across the firewall. &lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; 3. &lt;i&gt;Circuit level gateway&lt;/i&gt;: A circuit level gateway is a specific function that can be performed by an application level gateway. It does not perform any additional packet processing or filtering. It copies bytes back and forth between the inside and outside connections. It is often used for outgoing connections.&lt;/span&gt; &lt;/p&gt;&lt;p style="line-height: 150%;"&gt;&lt;b&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Basic Types of Firewalls&lt;/span&gt; &lt;/b&gt; &lt;/p&gt;  &lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; There are two types of firewalls:&lt;/span&gt;  &lt;/p&gt;&lt;ul type="square"&gt;&lt;li&gt; &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Network layer&lt;/span&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Application layer&lt;/span&gt; &lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;   &lt;p style="line-height: 150%;"&gt;  &lt;i&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Network layer firewalls&lt;/span&gt;&lt;/i&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; These firewalls use the source and destination addresses and ports in individual IP packets in making their decisions. A simple router is not able to make decisions about the nature and destination of a packet. 
The distinguishing characteristic of network layer firewalls is that they route traffic directly through them. They are very fast and tend to be very transparent to users.&lt;/span&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt; &lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;i&gt;&lt;span style="font-family:verdana, arial;font-size:85%;"&gt;Application layer firewalls&lt;/span&gt;&lt;/i&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; These are hosts running proxy servers. They permit no traffic directly between networks, and perform intricate logging and auditing of traffic passing through them. Modern application layer firewalls are completely transparent.&lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;font-size:85%;"&gt; Network layer firewalls are becoming increasingly conscious of the information going through them. At the same time, application layer firewalls are becoming increasingly transparent. The end result is going to be a fast packet-screening system that logs and audits information as it passes through.&lt;/span&gt;  &lt;/p&gt;&lt;p style="line-height: 150%;"&gt;  &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;b&gt;Personal Firewalls&lt;/b&gt;&lt;/span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div align="left"&gt; &lt;p style="line-height: 150%;"&gt;  &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;Personal firewalls are meant for providing protection to desktop PCs and small networks connected to the Internet. A personal firewall is a software program used to guard and protect a computer or a network while it is connected to the Internet. Generally, home and small networks use personal firewalls because they are relatively inexpensive and are usually easy to install. 
A personal firewall enforces the security policies of a computer or a network by intercepting and examining the data (packets) transported over the network. The security mechanism of a personal firewall works in one of two ways. Either it allows all data packets to enter the network except those meeting specified criteria (the restricted ones), or it denies all data packets from entering except those that are explicitly allowed. Experts recommend the second approach: denying all data packets except the allowed ones is better for the security of a network. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;While simple personal firewall solutions are administered by users themselves, in a small network they are administered by a central security management system to implement a network-wide security policy. The primary aim of a personal firewall is to close any loopholes that remain in a network and in known virus scanners so as to provide full protection to the computers in the network. When a data packet moves out of the network, it carries along with it the IP address of the system/network. Personal firewalls, with the help of NAT (network address translation), substitute a different IP address inside the outgoing Internet data packets so that the original IP address can't be traced. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;center&gt;&lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;img style="width: 445px; height: 319px;" src="http://www.intelligentedu.com/computer_security_for_everyone/graphics/personal%20firewall.gif" alt="" align="" border="1" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/center&gt; &lt;p&gt;&lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;a name="Features and Benefits"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;   &lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;b&gt;&lt;span style="font-size:100%;"&gt;Features and Benefits&lt;/span&gt;&lt;/b&gt; &lt;span style="font-size:85%;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;In recent years, broadband and other faster Internet connections have become widely available, which has led to the need for software firewalls that can be implemented and maintained by average users. Currently, many software vendors are competing for the home and small network market and are trying to package as many features as possible into their products. Below is a list and explanation of some of the main features that personal firewall vendors offer. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Inbound and Outbound Packet Filtering:&lt;/b&gt; Filtering the incoming data packets according to the security policies (created by the user or administrator) is the main function of a firewall. Data packets can be filtered using any of their attributes, such as protocol, source address and port, and destination address and port. Filtering the outgoing packets is an equally important feature of personal firewalls. 
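As an added example (not part of the original post), the following Python model shows the packet filtering described above: rules match on the header fields the post lists (direction, protocol, source and destination address and port, ICMP message type), the first matching rule wins, and the same rule list is evaluated under both a default-allow and a default-deny policy to show why the post recommends denying everything not explicitly allowed. The addresses, ports, rules and packets are constructed sample values; the class and function names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields the post lists as the basis for filtering decisions."""
    direction: str                 # "in" (ingress) or "out" (egress)
    proto: str                     # "tcp", "udp" or "icmp"
    src: str                       # source IP address
    dst: str                       # destination IP address
    sport: Optional[int] = None    # TCP/UDP source port
    dport: Optional[int] = None    # TCP/UDP destination port
    icmp_type: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left at its default matches any value."""
    action: str                    # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"         # CIDR; /0 matches every IPv4 address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction):
            return False
        if self.proto not in ("any", p.proto):
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True

class PacketFilter:
    """First matching rule wins; a packet matching no rule gets the default
    policy. Blocked packets are logged with the fields a firewall log holds."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default
        self.log: List[Dict] = []

    def decide(self, p: Packet) -> str:
        verdict = self.default
        for rule in self.rules:
            if rule.matches(p):
                verdict = rule.action
                break
        if verdict == "deny":
            self.log.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "direction": p.direction, "proto": p.proto,
                "src": p.src, "sport": p.sport,
                "dst": p.dst, "dport": p.dport,
            })
        return verdict

# Constructed policy for a home PC at 192.168.1.10 behind a router at 192.168.1.1:
# only web browsing, DNS to the router and ping replies are explicitly permitted.
HOME_RULES = [
    Rule("allow", "out", "tcp", src="192.168.1.10/32", dport=80),
    Rule("allow", "out", "tcp", src="192.168.1.10/32", dport=443),
    Rule("allow", "out", "udp", src="192.168.1.10/32", dst="192.168.1.1/32", dport=53),
    Rule("allow", "in", "icmp", dst="192.168.1.10/32", icmp_type=0),   # echo reply
]

# Constructed sample traffic: a normal HTTPS request, an unsolicited inbound probe
# to the SMB port, and an outbound connection on a port no approved program uses.
SAMPLE_PACKETS = [
    Packet("out", "tcp", "192.168.1.10", "203.0.113.5", 50000, 443),
    Packet("in", "tcp", "198.51.100.7", "192.168.1.10", 40000, 445),
    Packet("out", "tcp", "192.168.1.10", "198.51.100.9", 50001, 6667),
]

def compare_policies(packets: List[Packet] = SAMPLE_PACKETS) -> Dict:
    """Evaluate the same rule list under both policies the post describes."""
    permissive = PacketFilter(HOME_RULES, default="allow")
    strict = PacketFilter(HOME_RULES, default="deny")
    return {
        "default_allow": [permissive.decide(p) for p in packets],
        "default_deny": [strict.decide(p) for p in packets],
        "blocked_log": strict.log,
    }

if __name__ == "__main__":
    print(compare_policies())
```

With only allow rules written, the default-allow filter passes the probe and the unexpected outbound connection; the default-deny filter blocks both and records them, which is the behaviour the post recommends.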
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Stealth Mode:&lt;/b&gt; Before attempting to penetrate a system protected by a personal firewall, an intruder usually tries to identify the target system and create a footprint of it. They may also scan it for open ports and information such as OS type and application versions. If an intruder is unable to find the system, then he would not be able to penetrate it. Stealth mode does not mean that the machine's IP address is invisible, but it makes the machine's most vulnerable entry points invisible to the tools that intruders use to seek out targets. It essentially blocks any port that is not in use. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Support for Custom Rules:&lt;/b&gt; This feature allows the user to customize the security policy beyond the default values that come with the personal firewall. A user can write a security policy to block data packets by IP address, port number, or protocol, or can define custom ports and protocols to use applications such as video conferencing and Voice over IP. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Ad Blocking:&lt;/b&gt; This feature blocks unwanted advertisements from displaying in the user's Web browser. There are several different types of ads used by Web sites. These include pop-up ads, animated ads, skyscraper ads, and banner ads. Some personal firewalls allow the user to change the filtering rules for the different types of ads. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Content filtering:&lt;/b&gt; Also referred to as "parental control", this feature gives the ability to block Web sites because of their content. Filtering can be based upon a database listing these sites, a user-created list of sites, or a list of keywords found in web pages. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Cookie Control:&lt;/b&gt; A cookie is a small text file that a Web site places on a computer that can contain personal information such as name, address, phone number, password, etc. Cookies can last for the duration of the current Internet session, or they can be persistent and reside on the computer indefinitely. There is also another type of cookie, called a third-party cookie, that can be placed on a computer to record information about the user's Internet surfing habits. The cookie control feature allows the user to block these cookies from being placed on the computer. Some vendors allow the user to distinguish between the types of cookies being blocked. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Mobile Code Protection:&lt;/b&gt; Mobile code is active or executable code that is embedded in Web pages or HTML email, such as Java applets, ActiveX controls, and plug-ins. Mobile code can sometimes be malicious, with the ability to copy files, steal passwords, and wipe out hard drives. This feature blocks the mobile code from executing and gives an alert asking the user whether they want the code to execute. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Intrusion Detection:&lt;/b&gt; From the perspective of a home and small office user, intrusion detection is the process of monitoring the events occurring within the computer system or network and analyzing them for signs of intrusion. If an intruder gets past the firewall, this feature gives an alert to the user that something suspicious is going on. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Intruder Tracking:&lt;/b&gt; When an intrusion threat is detected, this feature identifies the source of the intrusion attempt. Some firewalls even display a map showing the approximate geographic location of the intruder. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Logging:&lt;/b&gt; This feature creates a log file that lists the data packet transmissions that were blocked by the firewall. Information in this log file includes whether the transmission was inbound or outbound, the date and time that the block occurred, source IP address and port number, destination IP address and port number, and transport protocol, such as TCP, UDP, ICMP, or IGMP. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Email Checking:&lt;/b&gt; Email messages can carry attachments containing viruses, worms, and other malicious code. Only certain types of attachments can contain malicious code, and these can be identified by their filename extensions. This feature checks incoming email for attachments with file extensions that could be malicious. 
An alert is usually given and the attachment is quarantined. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;Application Authentication:&lt;/b&gt; A major threat to a computer system is a Trojan horse. It is easy to download malicious software without knowing it. Some Trojan horse applications can take on the same name, size, and directory structure as a program that is permitted to access the Internet. To combat this problem, a hashing algorithm is used to create a digital signature each time a program is executed, which is compared to the previously stored digital signature of that same program. If the digital signatures are not equal, then the user is alerted. Some firewall software even includes the components associated with a program's main executable file, such as DLL files, in the digital signature. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;br /&gt;Internet Connection Sharing (ICS) Support:&lt;/b&gt; Internet Connection Sharing software is used when multiple computers on home and small networks connect to the Internet through one computer, called a gateway, that is connected to the Internet. This feature allows the firewall software to work in conjunction with ICS software to filter data packets flowing through the gateway computer. 
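An added example, not the post's or any vendor's code, of the application authentication check described above: a SHA-256 fingerprint (what the post calls a digital signature) is computed over a program's main executable and its companion DLLs and compared with the fingerprint stored when the program was approved, so a replacement with the same name, size and location is still caught. The file names and contents are constructed in a temporary directory, and the class and function names are this example's own.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def fingerprint(exe_path: str, companions: Iterable[str] = ()) -> str:
    """SHA-256 over the main executable and, in a fixed order, its companion
    files (DLLs), so that swapping any one of them changes the result."""
    h = hashlib.sha256()
    for path in [exe_path, *sorted(companions)]:
        # Mix in the file name so a renamed component is not interchangeable.
        h.update(os.path.basename(path).encode("utf-8") + b"\x00")
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(64 * 1024), b""):
                h.update(chunk)
        h.update(b"\x00")
    return h.hexdigest()


class AppAuthenticator:
    """Keeps the fingerprint of every program permitted to use the Internet and
    re-checks it on each launch. Hypothetical class, not a vendor's API."""

    def __init__(self) -> None:
        self.approved: Dict[str, str] = {}   # program name -> fingerprint

    def approve(self, name: str, exe: str, dlls: Iterable[str] = ()) -> None:
        self.approved[name] = fingerprint(exe, dlls)

    def check(self, name: str, exe: str, dlls: Iterable[str] = ()) -> str:
        if name not in self.approved:
            return "unknown"      # never approved: ask the user
        if fingerprint(exe, dlls) != self.approved[name]:
            return "changed"      # same name and path, different bytes: alert
        return "ok"


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> List[str]:
    """Run the check through three states: approved program unchanged, its DLL
    replaced by a same-size file, and a program that was never approved."""
    auth = AppAuthenticator()
    results = []
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "browser.exe")        # constructed file names
        dll = os.path.join(d, "net.dll")
        _write(exe, b"MZ constructed browser image bytes")
        _write(dll, b"MZ constructed network library v1")
        auth.approve("browser", exe, [dll])
        results.append(auth.check("browser", exe, [dll]))

        # Replace the DLL with different content of exactly the same length:
        # name, size and directory are unchanged, only the bytes differ.
        _write(dll, b"MZ constructed network library v2")
        results.append(auth.check("browser", exe, [dll]))

        # A program with no stored fingerprint is flagged rather than trusted.
        results.append(auth.check("updater", exe, [dll]))
    return results


if __name__ == "__main__":
    print(demo())    # ['ok', 'changed', 'unknown']
```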
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: center;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="font-size:100%;"&gt;&lt;a name="Choosing a firewall for Home and Small Office"&gt;&lt;/a&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;img style="width: 437px; height: 251px;" alt="http://www.stillsolutions.com/uploads/images/firewall1-small.jpg" src="http://www.stillsolutions.com/uploads/images/firewall1-small.jpg" /&gt;&lt;/div&gt;&lt;p style="line-height: 150%;"&gt;&lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="font-size:100%;"&gt; Choosing a Firewall for Home &lt;/span&gt; &lt;/b&gt;&lt;/span&gt; &lt;b&gt;&lt;span style="font-size:100%;"&gt; and Small Office&lt;/span&gt;&lt;/b&gt;&lt;span style="font-size:85%;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p style="line-height: 150%;"&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;There are certain key criteria that should be considered when selecting personal software firewalls for home and small networks. The user should identify the criteria that are important to them and then find a personal firewall product that best meets those criteria. Some of the key criteria are: &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;ul type="square"&gt;&lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt; &lt;li&gt; &lt;p style="margin-top: 8px;"&gt;&lt;i&gt;Effectiveness of security protection&lt;/i&gt; - How well the firewall product protects against intrusion, Trojans, and denial of service, and how well it controls outbound traffic. &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p style="margin-top: 8px;"&gt;&lt;i&gt;Effectiveness of intrusion detection&lt;/i&gt; - How effectively the firewall software alerts the user when the system is being attacked. 
&lt;/p&gt;&lt;/li&gt;&lt;li&gt;       &lt;p style="margin-top: 8px;"&gt;&lt;i&gt;Effectiveness of reaction&lt;/i&gt; - Whether the software can identify the source of an attack (for example the attacking address) and how well it blocks the attack.     &lt;/p&gt;&lt;/li&gt;&lt;li&gt;       &lt;p style="margin-top: 8px;"&gt;&lt;i&gt;Cost&lt;/i&gt; - The price of the firewall and the cost of setting it up, which can be an important criterion for a small organization. &lt;/p&gt;&lt;/li&gt;&lt;/span&gt;&lt;/span&gt;&lt;/ul&gt; &lt;p&gt;&lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;a name="Major Firewall Products"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;span style="font-family:verdana, arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt; &lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-7305879979692158649?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/7305879979692158649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=7305879979692158649' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/7305879979692158649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/7305879979692158649'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2008/12/about-firewalls.html' title='About Firewalls'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-4441293634018314527</id><published>2008-11-28T05:27:00.000-08:00</published><updated>2008-11-28T05:32:51.794-08:00</updated><title type='text'>Basic Of Data And Message Security</title><content type='html'>&lt;h4 class="title"&gt;Server Side Security&lt;/h4&gt;&lt;p&gt;On the server side, transport security is enabled simply by replacing the non-secure socket implementation with the &lt;span class="emphasis"&gt;&lt;em&gt;GSISocket&lt;/em&gt;&lt;/span&gt; implementation. In addition to this change, some code was added to propagate authentication information and message protection settings to the relevant security handlers, in particular the authorization and security policy handlers.&lt;/p&gt;&lt;div class="section" lang="en"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h4 class="title"&gt;&lt;a name="id2531906"&gt;&lt;/a&gt;Client Side Security&lt;/h4&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;On the client side, transport security is similarly enabled by replacing the non-secure socket implementation with the &lt;span class="emphasis"&gt;&lt;em&gt;GSISocket&lt;/em&gt;&lt;/span&gt; implementation and registering a protocol handler for HTTPS that uses the secure socket implementation. In practice this means that any message targeted at an HTTPS endpoint will, regardless of any stub properties, be authenticated and protected. It also means that any message sent to a plain HTTP endpoint will not be secured, again regardless of any stub properties. Stub properties are only used to communicate the desired message protection level, i.e. 
either integrity only or integrity and privacy.&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;img alt="http://wso2.org/files/ws-sec-diff-tls-mls.png" src="http://wso2.org/files/ws-sec-diff-tls-mls.png" /&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="section" lang="en"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h3 class="title"&gt;&lt;a name="id2531932"&gt;&lt;/a&gt; Message Level Security&lt;/h3&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="section" lang="en"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h4 class="title"&gt;&lt;a name="id2531937"&gt;&lt;/a&gt; Server Side Security&lt;/h4&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;This section aims to describe the message flow and processing that occurs for a security-enabled service. The figure below shows the JAX-RPC handlers that are involved in security related message processing on a server.&lt;/p&gt;&lt;div class="mediaobject" align="center"&gt;&lt;img style="width: 481px; height: 342px;" src="http://www.globus.org/toolkit/docs/4.0/security/message/ServerSideSec.jpg" align="middle" /&gt;&lt;/div&gt;&lt;p&gt;GT4 provides two mechanisms, GSI Secure Conversation and GSI Secure Message security, for authentication and secure communication.&lt;/p&gt;&lt;p&gt;In the GSI Secure Conversation approach the client establishes a context with the server before sending any data. This context serves to authenticate the client identity to the server and to establish a shared secret using a collocated GSI Secure Conversation Service. Once the context establishment is complete the client can securely invoke an operation on the service by signing or encrypting outgoing messages using the shared secret captured in the context.&lt;/p&gt;&lt;p&gt;The GSI Secure Message approach differs in that no context is established before invoking an operation. 
The client simply uses existing keying material, such as an X.509 &lt;a href="http://www.globus.org/toolkit/docs/4.0/security/key-index.html#eec"&gt;&lt;em class="glossterm"&gt;certificate&lt;/em&gt;&lt;/a&gt; and its private key, to secure messages and authenticate itself to the service.&lt;/p&gt;&lt;p&gt;Securing messages in the GSI Secure Conversation approach, i.e. with a shared secret and symmetric operations, requires far less computation than the public-key operations the GSI Secure Message approach performs on every message. The client can therefore trade the extra round trips of establishing a context for cheaper message protection once that context exists; for a single invocation, GSI Secure Message avoids that setup cost entirely.&lt;/p&gt;&lt;/div&gt;&lt;div class="section" lang="en"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h4 class="title"&gt;&lt;a name="id2532004"&gt;&lt;/a&gt; Message Processing&lt;/h4&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;When a message arrives from the client the SOAP engine invokes several security related handlers.&lt;/p&gt;&lt;p&gt;The first of these handlers, the WS-Security handler, searches the message for any WS-Security headers. From these headers it extracts any keying material, which can be either in the form of an X509 certificate and associated certificate chain or a reference to a previously established secure conversation session. It also checks any signatures and/or decrypts elements in the SOAP body. The handler then populates a peer JAAS subject object with principals and any associated keying material whose veracity was ascertained during the signature checking or decryption step.&lt;/p&gt;&lt;p&gt;The next handler that gets invoked, the security policy handler, checks that incoming messages fulfill any security requirements the service may have. These requirements are specified, on a per-operation basis, as part of a security descriptor during service deployment. The security policy handler will also identify the correct JAAS subject to associate with the current thread of execution. 
Generally this means choosing between the peer subject populated by the WS-Security handler, the subject associated with the hosting environment and the subject associated with the service itself. The actual association is done by the pivot handler, a non-security handler not shown in the figure that handles the details of delivering the message to the service.&lt;/p&gt;&lt;p&gt;The security policy handler is followed by an authorization handler. This handler verifies that the principal established by the WS-Security handler is authorized to invoke the service. The type of authorization that is performed is specified as part of a deployment descriptor.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Once the message has passed the authorization handler it is finally handed off to the actual service for processing (discounting any non security related handlers, which are outside the scope of this document). Replies from the service back to the client are processed by two outbound handlers: the GSI Secure Conversation message handler and the GSI Secure Message handler. The GSI Secure Conversation message handler deals with encrypting and signing messages using a previously established security context, whereas the GSI Secure Message handler deals with messages by signing or encrypting the messages using X509 certificates. The operations that are actually performed depend on the message properties associated with the message by the inbound handlers, i.e. outbound messages will have the same security attributes as inbound messages. That being said, a service has the option of modifying the message properties if so desired. 
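&lt;br /&gt;&lt;br /&gt;A toy model of the server-side chain just described, added here as an example and not code from the Globus Toolkit: the WS-Security handler verifies either a per-message signature (GSI Secure Message) or an HMAC under a context's shared secret (GSI Secure Conversation) and populates a peer subject; the security policy handler applies a per-operation security descriptor; the authorization handler consults a grid-map style table. Textbook RSA over tiny primes stands in for X.509 certificates, a table of trusted certificates stands in for chain validation, and the operation names, principals and descriptor entries are all constructed. Nothing in the model is encrypted, so an operation whose descriptor demands privacy is rejected by the policy handler even when the message is correctly signed.

```python
"""Added example, not Globus Toolkit code: toy model of the GT4 inbound server
chain in GSI Secure Message and GSI Secure Conversation modes."""
import hashlib
import hmac
import secrets

# Textbook RSA over a ~40-bit modulus stands in for X.509 signing (demo only).
def toy_keypair(p=1000003, q=1000033, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)
_h = lambda data, n: int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def toy_sign(priv, data):
    return pow(_h(data, priv[0]), priv[1], priv[0])
def toy_verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])
class Rejected(Exception):
    pass

# Deployment-time configuration (constructed): trusted certificates (stand-in
# for CA chain validation), per-operation security descriptor, grid-map table.
TRUSTED = {}
SECURITY_DESCRIPTOR = {"getStatus": "integrity", "transfer": "privacy"}
GRIDMAP = {"CN=alice": {"getStatus", "transfer"}}
CONTEXTS = {}   # context id -> (principal, shared secret)

def ws_security_handler(msg):
    # Extract keying material, verify signature or MAC, build the peer subject.
    hdr = msg["security"]
    if hdr["kind"] == "x509":
        principal, pub = hdr["cert"]
        if TRUSTED.get(principal) != pub:
            raise Rejected("untrusted certificate")
        if not toy_verify(pub, msg["body"], hdr["sig"]):
            raise Rejected("bad signature")
    elif hdr["kind"] == "context" and hdr["ref"] in CONTEXTS:
        principal, secret = CONTEXTS[hdr["ref"]]
        expected = hmac.new(secret, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hdr["mac"]):
            raise Rejected("bad MAC")
    else:
        raise Rejected("no usable WS-Security header or unknown context")
    # Both modes here only sign; nothing in this model is encrypted.
    return {"principal": principal, "protection": "integrity", "mode": hdr["kind"]}

def security_policy_handler(msg, subject):
    required = SECURITY_DESCRIPTOR.get(msg["operation"])
    if required is None:
        raise Rejected("operation has no security descriptor entry")
    if required == "privacy" and subject["protection"] != "privacy":
        raise Rejected("operation requires encryption, message was only signed")
def authorization_handler(msg, subject):
    if msg["operation"] not in GRIDMAP.get(subject["principal"], set()):
        raise Rejected("principal not authorized for operation")

def server_dispatch(msg):
    # Run the chain; returns ('ok', principal, mode) or ('rejected', why).
    try:
        subject = ws_security_handler(msg)
        security_policy_handler(msg, subject)
        authorization_handler(msg, subject)
    except Rejected as exc:
        return ("rejected", str(exc))
    return ("ok", subject["principal"], subject["mode"])

# Client side. GSI Secure Message: every message carries a fresh signature.
def secure_message(priv, cert, operation, body):
    sec = {"kind": "x509", "cert": cert, "sig": toy_sign(priv, body)}
    return {"operation": operation, "body": body, "security": sec}

# GSI Secure Conversation: one certificate-authenticated exchange yields a
# shared secret; afterwards each message costs only an HMAC.
def establish_context(priv, cert):
    principal, pub = cert
    nonce = secrets.token_bytes(16)
    if TRUSTED.get(principal) != pub or not toy_verify(pub, nonce, toy_sign(priv, nonce)):
        raise Rejected("context establishment failed")
    ctx_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
    CONTEXTS[ctx_id] = (principal, secret)
    return ctx_id, secret

def secure_conversation(ctx_id, secret, operation, body):
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"operation": operation, "body": body,
            "security": {"kind": "context", "ref": ctx_id, "mac": mac}}

def demo():
    # Constructed run; returns the chain's verdict for each scenario.
    alice_pub, alice_priv = toy_keypair()
    mallory_pub, mallory_priv = toy_keypair(999983, 1000037)
    TRUSTED["CN=alice"] = alice_pub
    alice, body, out = ("CN=alice", alice_pub), b"getStatus request", {}
    out["signed"] = server_dispatch(secure_message(alice_priv, alice, "getStatus", body))
    tampered = dict(secure_message(alice_priv, alice, "getStatus", body), body=b"altered in transit")
    out["tampered"] = server_dispatch(tampered)
    # Mallory presents a certificate naming alice but carrying her own key.
    out["impostor"] = server_dispatch(secure_message(mallory_priv, ("CN=alice", mallory_pub), "getStatus", body))
    ctx_id, secret = establish_context(alice_priv, alice)
    out["context"] = server_dispatch(secure_conversation(ctx_id, secret, "getStatus", body))
    out["policy"] = server_dispatch(secure_conversation(ctx_id, secret, "transfer", body))
    return out
```

Call demo() to see the five verdicts. The order of the handlers matters: the policy and authorization handlers only ever see a principal whose keying material the WS-Security handler has already verified, which is why a forged certificate or a tampered body never reaches the authorization decision. The modular inverse via pow(e, -1, m) needs Python 3.8 or later.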
These two outbound handlers are the same as the client-side outbound handlers described in the following section.&lt;/p&gt;&lt;/div&gt;&lt;div class="section" lang="en"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h4 class="title"&gt;&lt;a name="id2532079"&gt;&lt;/a&gt; Client Side Security&lt;/h4&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;This section describes the security related message processing for Java-based GT4 clients. In contrast to the server side, where security is specified via deployment descriptors, client side security configuration is handled by the application. This means that a client side application has to explicitly pass information to the client side handlers on what type of security to use. This is also true for the case of services acting as clients. The figure below shows the JAX-RPC handlers that are involved in security related message processing on a client.&lt;/p&gt;&lt;div class="mediaobject" align="center"&gt;&lt;img style="width: 466px; height: 286px;" src="http://www.globus.org/toolkit/docs/4.0/security/message/ClientSideSec.jpg" align="middle" /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="section" lang="en"&gt;&lt;div class="titlepage"&gt;&lt;div&gt;&lt;div&gt;&lt;h4 class="title"&gt;&lt;a name="id2532111"&gt;&lt;/a&gt;Message Processing&lt;/h4&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;p&gt;The client side application can specify the use of either the GSI Secure Conversation security approach or the GSI Secure Message security approach. It does this by setting a per-message property that is processed by the client side security handlers.&lt;/p&gt;&lt;p&gt;There are three outbound client side security handlers:&lt;/p&gt;&lt;p&gt;The secure conversation service handler is only operational if GSI Secure Conversation mode is in use. It establishes a security session with a secure conversation service collocated with the service with which the client aims to communicate. 
When the client sends the initial message to the service with a property indicating that session based security is required, this handler intercepts the message and establishes a security session. It will also authorize the service by comparing the service's principal/subject obtained during session establishment with a value provided by the client application. Once the session has been established the handler passes on the original message for further processing.&lt;/p&gt;&lt;p&gt;The next handler in the chain, the secure message handler, is only operational if GSI Secure Message mode is in use. It signs and/or encrypts messages using X.509 credentials.&lt;/p&gt;&lt;p&gt;The third outbound handler is operational only if GSI Secure Conversation mode is in use. It handles signing and/or encryption of messages using a security session established by the first handler.&lt;/p&gt;&lt;p&gt;The client side inbound handler (the WS-Security client handler) deals with verifying and decrypting any signed and/or encrypted incoming messages. 
In the case of GSI Secure Message operation it will also authorize the remote side in a similar fashion to the outbound secure conversation service handler.&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-4441293634018314527?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/4441293634018314527/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=4441293634018314527' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/4441293634018314527'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/4441293634018314527'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2008/11/basic-data-and-message-security.html' title='Basic Of Data And Message Security'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-2405572597837802770</id><published>2008-11-28T05:22:00.000-08:00</published><updated>2008-11-28T05:27:14.499-08:00</updated><title type='text'>Network Design Services</title><content type='html'>&lt;span style="font-weight: bold;" class="heading2"&gt;Introduction&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;A Secure Network Design Service is a clean slate network architecture project 
concentrating on network security. Secure-Bytes technical consultants join the client's architecture team to provide strategic network security recommendations. The engagement addresses network segmentation, firewall selection, access control policies, and the identification and selection of appropriate technology based on business needs. These services address security issues proactively: it is essential to consider secure architecture before implementing a network design, and the engagement is invaluable for designing and implementing a network with a comprehensive security architecture.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;div dragover="true" align="center"&gt;&lt;img style="width: 465px; height: 295px;" dragover="true" src="http://www.secure-bytes.com/images/img_designsvc.gif" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-weight: bold;" class="heading2"&gt;                   Design Services&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; &lt;/span&gt;&lt;br /&gt;                   &lt;br /&gt;Some of the architecture design services offered by Secure Bytes are: &lt;ul&gt;&lt;li&gt;Anti-Virus Protection Architecture Designing   &lt;/li&gt;&lt;li&gt;Business Continuity Architecture Designing   &lt;/li&gt;&lt;li&gt;Directory Services Architecture Designing   &lt;/li&gt;&lt;li&gt;Firewall Architecture Designing Service   &lt;/li&gt;&lt;li&gt;IDS Architecture Designing Service   &lt;/li&gt;&lt;li&gt;Perimeter Defense Designing Service   &lt;/li&gt;&lt;li&gt;Routers Architecture Designing Service   &lt;/li&gt;&lt;li&gt;Secure AID Architecture Designing Service   &lt;/li&gt;&lt;li&gt;VPN Architecture Designing Service   &lt;/li&gt;&lt;li&gt;Wireless Network Architecture Designing Service   &lt;/li&gt;&lt;li&gt;Wired Network Architecture Designing Service   &lt;/li&gt;&lt;li&gt;Remote Access Architecture Designing Service   &lt;/li&gt;&lt;li&gt;Secure E-Commerce Architecture 
Designing Service   &lt;/li&gt;&lt;li&gt;Enterprise Backup Architecture Designing Service&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;p style="font-weight: bold;"&gt; &lt;span class="heading2"&gt;Key Benefits&lt;/span&gt;&lt;/p&gt;                 &lt;p&gt; Secure-Bytes facilitates the organization in the following ways:&lt;/p&gt;                 &lt;ul&gt;&lt;li&gt;Identifying and eliminating risks before problems arise.                   &lt;/li&gt;&lt;li&gt;Identifying potential architecture problem areas and providing recommendations&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-2405572597837802770?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/2405572597837802770/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=2405572597837802770' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/2405572597837802770'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/2405572597837802770'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2008/11/network-design-services.html' title='Network Design Services'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-2547556123500767625</id><published>2008-11-23T03:38:00.000-08:00</published><updated>2008-11-23T03:48:52.190-08:00</updated><title type='text'>Network security</title><content type='html'>&lt;b&gt;Network security&lt;/b&gt; consists of the provisions made in the underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and its network-accessible resources from unauthorized access, and the consistent, continuous monitoring and measurement of their effectiveness (or lack of it).&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;&lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline"&gt;Comparison with computer security&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt; &lt;p&gt;Securing network infrastructure is like defending a country by guarding its possible entry points; computer security is more like protecting a single house against intruders. The former is the more practical way to keep the population behind the boundary out of reach of attacks. Network-level preventive measures secure the access path to the individual computers, the network itself, and thereby protect the computers and the shared resources, such as printers and network-attached storage, that the network connects; attacks can be stopped at their entry points before they spread. Computer security, by contrast, focuses on securing individual hosts, and a compromised host is likely to infect the other hosts on a poorly secured network. 
A computer host's security is also vulnerable to users who hold higher access privileges on that host.&lt;/p&gt;&lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline"&gt;&lt;span style="font-size:130%;"&gt;Attributes of a secure network&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;Network security starts with authenticating the user, commonly with a username and a password (one-factor authentication). Once the user is authenticated, a stateful firewall enforces access policies such as which services network users are allowed to reach. Though effective at preventing unauthorized access, this component does not inspect potentially harmful content such as computer worms transmitted over the network. An intrusion prevention system (IPS) helps detect and block such malware. An IPS also monitors network traffic for suspicious content, volume and anomalies, to protect the network from attacks such as denial of service. Communication between two hosts on the network can be encrypted to maintain privacy. Individual events occurring on the network can be logged for audit purposes and for later higher-level analysis.&lt;br /&gt; Honeypots, essentially decoy network-accessible resources, can be deployed in a network as surveillance and early-warning tools. The techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack to keep track of new exploitation techniques. 
Such analysis can be used to further tighten the security of the actual network being protected by the honeypot. &lt;p style="text-align: center;"&gt;&lt;img style="cursor: -moz-zoom-in; width: 586px; height: 477px;" alt="http://solaranetworks.com/images/solutions/network_security.jpg" src="http://solaranetworks.com/images/solutions/network_security.jpg" /&gt;&lt;/p&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;h2&gt;&lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline"&gt;Security management&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt; &lt;p&gt;Security management for networks differs with the situation. A small home or office may need only basic security, while a large business needs ongoing maintenance and advanced software and hardware to prevent malicious attacks such as hacking and spamming.&lt;/p&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-2547556123500767625?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/2547556123500767625/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=2547556123500767625' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/2547556123500767625'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/2547556123500767625'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2008/11/network-security.html' title='Network security'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-6604862043008341038</id><published>2008-09-07T03:22:00.000-07:00</published><updated>2008-09-07T03:37:14.015-07:00</updated><title type='text'>Data security</title><content type='html'>&lt;b&gt;Data security&lt;/b&gt; is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data.&lt;br /&gt;&lt;h2&gt;&lt;span style="font-size:130%;"&gt;&lt;span class="mw-headline"&gt;Data Security Technologies&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;&lt;span class="mw-headline"&gt;Full Disk Encryption&lt;/span&gt; &lt;p&gt;Full disk encryption is disk encryption technology that encrypts all of the data on a disk or hard disk drive, so that nothing on the drive is readable without the key. It is implemented in either software or hardware. 
Full disk encryption is often abbreviated "FDE", and the combination of hardware and software full disk encryption is often called "end-point full disk encryption" or "end-based full disk encryption".&lt;/p&gt;&lt;h3&gt;&lt;span class="mw-headline"&gt;Strong User Authentication&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;&lt;span style="font-weight: bold;"&gt;Single Sign-On&lt;/span&gt; (SSO) lets a user &lt;span style="font-weight: bold;"&gt;authenticate&lt;/span&gt; once and then use programs, files, folders and computers without being asked to authenticate again. Because one login then unlocks many resources, SSO is typically deployed together with &lt;span style="font-weight: bold;"&gt;strong user authentication&lt;/span&gt;, in which the user presents more than one factor, for example a password plus a smart card, a fingerprint or a one-time password.&lt;br /&gt;&lt;/p&gt; &lt;span style="font-weight: bold;font-size:130%;" &gt;&lt;span class="mw-headline"&gt;International Laws and Standards&lt;/span&gt;&lt;/span&gt; &lt;p&gt;&lt;a name="International_Laws" id="International_Laws"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span style="font-size:100%;"&gt;&lt;span class="mw-headline"&gt;International Laws&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;In the &lt;span style="font-weight: bold;"&gt;UK,&lt;/span&gt; the &lt;span style="font-weight: bold;"&gt;Data Protection Act&lt;/span&gt; is used to ensure that 
personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies. This is particularly important to ensure individuals are treated fairly, for example for credit checking purposes. The Data Protection Act states that only individuals and companies with legitimate and lawful reasons may process personal information, and that it must not be passed on to others without such a reason.&lt;/p&gt; &lt;p&gt;&lt;a name="International_Standards" id="International_Standards"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt; &lt;span class="mw-headline"&gt;International Standards&lt;/span&gt;&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;The International Standard &lt;span style="font-weight: bold;"&gt;ISO/IEC 17799&lt;/span&gt; (since renumbered ISO/IEC 27002) covers data security under the topic of &lt;span style="font-weight: bold;"&gt;information&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;security&lt;/span&gt; and one of its cardinal principles is that all stored information, i.e. 
data, should be owned so that it is clear whose responsibility it is to protect and control access to that data.&lt;/p&gt; &lt;p&gt;The &lt;span style="font-weight: bold;"&gt;Trusted Computing Group&lt;/span&gt; is an organization that helps standardize computing security technologies.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8724977986344259415-6604862043008341038?l=bestofnetworksecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/6604862043008341038/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=6604862043008341038' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/6604862043008341038'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/6604862043008341038'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2008/09/data-security.html' title='Data security'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-7360081866407822201</id><published>2008-07-26T19:06:00.000-07:00</published><updated>2008-09-07T03:22:13.148-07:00</updated><title type='text'>Wireless Security</title><content type='html'>&lt;p&gt;&lt;span style="font-weight: bold;font-size:180%;" &gt;&lt;span style="font-style: italic;"&gt;Wireless security&lt;/span&gt;&lt;/span&gt; is the prevention of unauthorized 
access or damage to computers using &lt;a href="http://en.wikipedia.org/wiki/Wireless" title="Wireless"&gt;wireless&lt;/a&gt; networks.&lt;/p&gt; &lt;p&gt;&lt;a href="http://en.wikipedia.org/wiki/Wireless" title="Wireless"&gt;Wireless&lt;/a&gt; networks are very common, both for organizations and individuals. Many laptop computers have &lt;a href="http://en.wikipedia.org/wiki/Wireless_card" class="mw-redirect" title="Wireless card"&gt;wireless cards&lt;/a&gt; pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking has many security issues.&lt;sup id="cite_ref-0" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Wireless_security#cite_note-0" title=""&gt;[1]&lt;/a&gt;&lt;/sup&gt; &lt;a href="http://en.wikipedia.org/wiki/Black_hat" title="Black hat"&gt;Hackers&lt;/a&gt; have found wireless networks relatively easy to break into, and even use wireless technology to crack into wired networks.&lt;/p&gt; &lt;p&gt;The risks to users of wireless technology have increased as the service has become more popular. There were relatively few dangers when wireless technology was first introduced. Crackers had not yet had time to latch on to the new technology and wireless was not commonly found in the work place. However, there are a great number of security risks associated with the current wireless protocols and &lt;a href="http://en.wikipedia.org/wiki/Encryption" title="Encryption"&gt;encryption&lt;/a&gt; methods, and in the carelessness and ignorance that exists at the user and corporate IT level.&lt;sup id="cite_ref-1" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Wireless_security#cite_note-1" title=""&gt;[2]&lt;/a&gt;&lt;/sup&gt; Cracking methods have become much more sophisticated and innovative with wireless. 
Cracking has also become much easier and more accessible with easy-to-use &lt;a href="http://en.wikipedia.org/wiki/Microsoft_Windows" title="Microsoft Windows"&gt;Windows&lt;/a&gt;-based and &lt;a href="http://en.wikipedia.org/wiki/Linux" title="Linux"&gt;Linux&lt;/a&gt;-based tools being made available on the web at no charge.&lt;/p&gt; &lt;p&gt;Some organizations that have no wireless &lt;a href="http://en.wikipedia.org/wiki/Access_point" class="mw-redirect" title="Access point"&gt;access points&lt;/a&gt; installed do not feel that they need to address wireless security concerns. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that were planned to be purchased in 2005 were equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A cracker could sit out in the parking lot and break in through the wireless card on a laptop and gain access to the wired network.&lt;/p&gt; &lt;p&gt;&lt;a name="Types_of_unauthorized_access" id="Types_of_unauthorized_access"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h2&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span class="mw-headline"&gt;Types of unauthorized access&lt;/span&gt;&lt;/h2&gt; &lt;p&gt;&lt;a name="Accidental_association" id="Accidental_association"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span class="mw-headline"&gt;Accidental association&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;Unauthorized access to company wireless and wired networks can come from a number of different methods and intents. 
One of these methods is referred to as “accidental association”. When a user turns on a computer and it latches on to a wireless access point from a neighboring company’s overlapping network, the user may not even know that this has occurred. However, it is a security breach in that proprietary company information is exposed and now there could exist a link from one company to the other. This is especially true if the laptop is also hooked to a wired network.&lt;/p&gt; &lt;p&gt;&lt;a name="Malicious_association" id="Malicious_association"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span class="mw-headline"&gt;Malicious association&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;A “malicious association” occurs when a cracker actively induces wireless devices to connect to a company network through the cracker’s laptop instead of a company access point (AP). Such laptops are known as “soft APs” and are created when a cracker runs some &lt;a href="http://en.wikipedia.org/wiki/Software" class="mw-redirect" title="Software"&gt;software&lt;/a&gt; that makes his/her wireless network card look like a legitimate access point. Once the cracker has gained access, he/she can steal passwords, launch attacks on the wired network, or plant &lt;a href="http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29" title="Trojan horse (computing)"&gt;trojans&lt;/a&gt;. Since wireless networks operate at Layer 2, Layer 3 protections such as network authentication and &lt;a href="http://en.wikipedia.org/wiki/Virtual_private_networks" class="mw-redirect" title="Virtual private networks"&gt;virtual private networks&lt;/a&gt; (VPNs) offer no barrier. Wireless 802.1X authentication does help with protection but is still vulnerable to cracking. The idea behind this type of attack may not be to break into a &lt;a href="http://en.wikipedia.org/wiki/VPN" class="mw-redirect" title="VPN"&gt;VPN&lt;/a&gt; or other security measures. 
Most likely the cracker is just trying to take over the client at the Layer 2 level.&lt;/p&gt; &lt;p&gt;&lt;a name="Ad-hoc_networks" id="Ad-hoc_networks"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt;&lt;span class="mw-headline"&gt;Ad-hoc networks&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;&lt;a href="http://en.wikipedia.org/wiki/Ad-hoc" class="mw-redirect" title="Ad-hoc"&gt;Ad-hoc&lt;/a&gt; networks can pose a security threat. Ad-hoc networks are defined as &lt;a href="http://en.wikipedia.org/wiki/Peer-to-peer" title="Peer-to-peer"&gt;peer-to-peer&lt;/a&gt; networks between wireless computers that do not have an access point in between them. While these types of networks usually have little protection, encryption methods can be used to provide security.&lt;/p&gt; &lt;p&gt;&lt;a name="Non-traditional_networks" id="Non-traditional_networks"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span class="mw-headline"&gt;Non-traditional networks&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;Non-traditional networks such as personal network &lt;a href="http://en.wikipedia.org/wiki/Bluetooth" title="Bluetooth"&gt;Bluetooth&lt;/a&gt; devices are not safe from cracking and should be regarded as a security risk. Even &lt;a href="http://en.wikipedia.org/wiki/Barcode_reader" title="Barcode reader"&gt;barcode readers&lt;/a&gt;, handheld &lt;a href="http://en.wikipedia.org/wiki/Personal_digital_assistant" title="Personal digital assistant"&gt;PDAs&lt;/a&gt;, and wireless printers and copiers should be secured. 
These non-traditional networks can be easily overlooked by IT personnel who have narrowly focused on laptops and access points.&lt;/p&gt; &lt;p&gt;&lt;a name="Identity_theft_.28MAC_spoofing.29" id="Identity_theft_.28MAC_spoofing.29"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span class="mw-headline"&gt;Identity theft (MAC spoofing)&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;Identity theft (or &lt;a href="http://en.wikipedia.org/wiki/MAC_spoofing" class="mw-redirect" title="MAC spoofing"&gt;MAC spoofing&lt;/a&gt;) occurs when a cracker is able to listen in on network traffic and identify the &lt;a href="http://en.wikipedia.org/wiki/MAC_address" title="MAC address"&gt;MAC address&lt;/a&gt; of a computer with network privileges. Most wireless systems allow some kind of &lt;a href="http://en.wikipedia.org/wiki/MAC_filtering" title="MAC filtering"&gt;MAC filtering&lt;/a&gt; to only allow authorized computers with specific MAC IDs to gain access and utilize the network. However, a number of programs exist that have network “&lt;a href="http://en.wikipedia.org/wiki/Packet_sniffer" title="Packet sniffer"&gt;sniffing&lt;/a&gt;” capabilities. 
Combine these programs with other software that allows a computer to pretend it has any MAC address that the cracker desires,&lt;sup id="cite_ref-2" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Wireless_security#cite_note-2" title=""&gt;[3]&lt;/a&gt;&lt;/sup&gt; and the cracker can easily get around that hurdle.&lt;/p&gt; &lt;p&gt;&lt;a name="Man-in-the-middle_attacks" id="Man-in-the-middle_attacks"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt;&lt;span class="mw-headline"&gt;Man-in-the-middle attacks&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;A &lt;a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack" title="Man-in-the-middle attack"&gt;man-in-the-middle&lt;/a&gt; attacker entices computers to log into a computer which is set up as a soft AP (&lt;a href="http://en.wikipedia.org/wiki/Access_Point" title="Access Point"&gt;Access Point&lt;/a&gt;). Once this is done, the hacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a “de-authentication attack”. This attack forces AP-connected computers to drop their connections and reconnect with the cracker’s soft AP. Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack, which automate multiple steps of the process. What once required some skill can now be done by &lt;a href="http://en.wikipedia.org/wiki/Script_kiddie" title="Script kiddie"&gt;script kiddies&lt;/a&gt;. 
&lt;a href="http://en.wikipedia.org/wiki/Hotspot_%28Wi-Fi%29" title="Hotspot (Wi-Fi)"&gt;Hotspots&lt;/a&gt; are particularly vulnerable to any attack since there is little to no security on these networks.&lt;/p&gt; &lt;p&gt;&lt;a name="Denial_of_service" id="Denial_of_service"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span class="mw-headline"&gt;Denial of service&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;A &lt;a href="http://en.wikipedia.org/wiki/Denial-of-Service_attack" class="mw-redirect" title="Denial-of-Service attack"&gt;Denial-of-Service attack&lt;/a&gt; (DoS) occurs when an attacker continually bombards a targeted AP (&lt;a href="http://en.wikipedia.org/wiki/Access_Point" title="Access Point"&gt;Access Point&lt;/a&gt;) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to not be able to get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the &lt;a href="http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol" title="Extensible Authentication Protocol"&gt;Extensible Authentication Protocol&lt;/a&gt; (EAP).&lt;/p&gt; &lt;p&gt;&lt;a name="Network_injection" id="Network_injection"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt;&lt;span class="mw-headline"&gt;Network injection&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;In a network injection attack, a cracker can make use of access points that are exposed to non-filtered network traffic, specifically broadcasting network traffic such as “&lt;a href="http://en.wikipedia.org/wiki/Spanning_tree_protocol" title="Spanning tree protocol"&gt;Spanning Tree&lt;/a&gt;” (802.1D), &lt;a href="http://en.wikipedia.org/wiki/OSPF" class="mw-redirect" title="OSPF"&gt;OSPF&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/RIP" title="RIP"&gt;RIP&lt;/a&gt;, and &lt;a href="http://en.wikipedia.org/wiki/HSRP" 
class="mw-redirect" title="HSRP"&gt;HSRP&lt;/a&gt;. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.&lt;/p&gt; &lt;p&gt;&lt;a name="Caffe_Latte_attack" id="Caffe_Latte_attack"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt;&lt;span class="mw-headline"&gt;  Caffe Latte attack&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the &lt;a href="http://en.wikipedia.org/wiki/Computer_network" title="Computer network"&gt;network&lt;/a&gt; using this exploit. By using a process that targets the &lt;a href="http://en.wikipedia.org/wiki/Microsoft_Windows" title="Microsoft Windows"&gt;Windows&lt;/a&gt; wireless stack, it is possible to obtain the &lt;a href="http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy" title="Wired Equivalent Privacy"&gt;WEP&lt;/a&gt; key from a remote client.&lt;sup id="cite_ref-3" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Wireless_security#cite_note-3" title=""&gt;[4]&lt;/a&gt;&lt;/sup&gt; By sending a flood of encrypted &lt;a href="http://en.wikipedia.org/wiki/Address_Resolution_Protocol" title="Address Resolution Protocol"&gt;ARP&lt;/a&gt; requests, the assailant takes advantage of the shared key authentication and the message modification flaws in &lt;a href="http://en.wikipedia.org/wiki/802.11" class="mw-redirect" title="802.11"&gt;802.11&lt;/a&gt; WEP. 
The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes.&lt;sup id="cite_ref-4" class="reference"&gt;&lt;a href="http://en.wikipedia.org/wiki/Wireless_security#cite_note-4" title=""&gt;[5]&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt; &lt;p&gt;&lt;a name="Counteracting_risks" id="Counteracting_risks"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h2&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span class="mw-headline"&gt;Counteracting risks&lt;/span&gt;&lt;/h2&gt; &lt;p&gt;Risks from crackers are sure to remain with us for the foreseeable future. The challenge for IT personnel will be to keep one step ahead of crackers. Members of the IT field need to keep learning about the types of attacks and what countermeasures are available.&lt;/p&gt; &lt;p&gt;&lt;a name="Counteracting_security_risks" id="Counteracting_security_risks"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="editsection"&gt;&lt;/span&gt; &lt;span class="mw-headline"&gt;Counteracting security risks&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;There are many technologies available to counteract wireless network intrusion, but currently no method is absolutely secure. 
The best strategy may be to combine a number of security measures.&lt;/p&gt; &lt;p&gt;Possible steps towards securing a wireless network include:&lt;/p&gt; &lt;dl&gt;&lt;dd&gt; &lt;ol&gt;&lt;li&gt;All wireless LAN devices need to be secured&lt;/li&gt;&lt;li&gt;All users of the wireless network need to be educated in wireless network security&lt;/li&gt;&lt;li&gt;All wireless networks need to be actively monitored for weaknesses and breaches&lt;/li&gt;&lt;/ol&gt; &lt;/dd&gt;&lt;/dl&gt; &lt;p&gt;&lt;a name="MAC_ID_filtering" id="MAC_ID_filtering"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="mw-headline"&gt;MAC ID filtering&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;Most wireless access points contain some type of &lt;a href="http://en.wikipedia.org/wiki/MAC_address" title="MAC address"&gt;MAC&lt;/a&gt; ID filtering that allows the administrator to permit access only to computers whose wireless adapters carry certain MAC IDs. This can be helpful; however, it must be remembered that MAC IDs over a network can be faked. Cracking utilities such as SMAC are widely available, and some computer hardware also gives the option in the BIOS to select any desired MAC ID for its built-in network capability.&lt;/p&gt; &lt;p&gt;&lt;a name="Static_IP_addressing" id="Static_IP_addressing"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3&gt;&lt;span class="mw-headline"&gt;Static IP addressing&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;Disabling at least the &lt;a href="http://en.wikipedia.org/wiki/IP_Address" class="mw-redirect" title="IP Address"&gt;IP Address&lt;/a&gt; assignment function of the network's &lt;a href="http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol" title="Dynamic Host Configuration Protocol"&gt;DHCP&lt;/a&gt; server, with the IP addresses of the various network devices then set by hand, will also make it more difficult for a casual or unsophisticated intruder to log onto the network. 
This is especially effective if the subnet size is also reduced from a standard default setting to what is absolutely necessary and if permitted but unused IP addresses are blocked by the access point's firewall. In this case, where no unused IP addresses are available, a new user can log on without detection using &lt;a href="http://en.wikipedia.org/wiki/TCP/IP" class="mw-redirect" title="TCP/IP"&gt;TCP/IP&lt;/a&gt; only if he or she stages a successful &lt;a href="http://en.wikipedia.org/wiki/Man_in_the_middle_attack" class="mw-redirect" title="Man in the middle attack"&gt;Man in the Middle Attack&lt;/a&gt; using appropriate software.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/7360081866407822201/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=7360081866407822201' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/7360081866407822201'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/7360081866407822201'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2008/07/wireless-security-is-prevention-of.html' title='Wireless Security'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8724977986344259415.post-6876206255403178611</id><published>2008-03-23T19:30:00.000-07:00</published><updated>2008-09-07T03:21:00.747-07:00</updated><title type='text'>Introduction Of Various Networks</title><content type='html'>In the last decade, the number of computers in use has exploded. For quite some time now, computers have been a crucial element in how we entertain and educate ourselves, and most importantly, how we do business. It seems obvious in retrospect that a natural result of the explosive growth in computer use would be an even more explosive (although delayed) growth in the desire and need for computers to talk with each other. The growth of this industry has been driven by two separate forces which until recently have had different goals and end products. The first factor has been research interests and laboratories; these groups have always needed to share files, email and other information across wide areas. The research labs developed several protocols and methods for this data transfer, most notably TCP/IP. Business interests are the second factor in network growth. For quite some time, businesses were primarily interested in sharing data within an office or campus environment; this led to the development of various protocols suited specifically to this task.  &lt;p&gt;Within the last five years, businesses have begun to need to share data across wide areas.  This has prompted efforts to convert principally LAN-based protocols into WAN-friendly protocols. The result has spawned an entire industry of consultants who know how to manipulate routers, gateways and networks to force principally broadcast protocols across point-to-point links (two very different methods of transmitting packets across networks). 
Recently (within the last 2 or 3 years) more and more companies have realized that they need to settle on a common networking protocol. Frequently the protocol of choice has been TCP/IP, which is also the primary protocol run on the Internet. The emerging ubiquity of TCP/IP allows companies to interconnect with each other via private networks as well as through public networks.&lt;/p&gt;  &lt;p&gt;This is a very rosy picture: businesses, governments and individuals communicating with each other across the world.  While reality is rapidly approaching this utopian picture, several relatively minor issues have changed status from low priority to extreme importance. Security is probably the most well known of these problems. When businesses send private information across the net, they place a high value on it getting to its destination intact and without being intercepted by someone other than the intended recipient. Individuals sending private communications obviously desire secure communications. Finally, connecting a system to a network can open the system itself up to attacks.  If a system is compromised, the risk of data loss is high.&lt;/p&gt;  &lt;p&gt;It can be useful to break network security into two general classes:  &lt;/p&gt;&lt;ul&gt;&lt;li&gt; methods used to secure data as it transits a network&lt;/li&gt;&lt;li&gt; methods which regulate what packets may transit the network &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;  While both significantly affect the traffic going to and from a site, their objectives are quite different.&lt;/p&gt;    &lt;h2&gt;Transit Security&lt;/h2&gt;  &lt;p&gt;Currently, there are no systems in wide use that will keep data secure as it transits a public network. Several methods are available to encrypt traffic between a few coordinated sites.  Unfortunately, none of the current solutions scale particularly well. 
Two general approaches dominate this area:&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Virtual Private Networks:&lt;/b&gt; This is the concept of creating a private network by using TCP/IP to provide the lower levels of a second TCP/IP stack. This can be a confusing concept, and is best understood by comparing it to the way TCP/IP is normally implemented. In a nutshell, IP traffic is sent across various forms of physical networks. Each system that connects to the physical network implements a standard for sending IP messages across that link. Standards for IP transmission across various types of links exist; the most common are for Ethernet and Point to Point links (PPP and SLIP). Once an IP packet is received, it is passed up to higher layers of the TCP/IP stack as appropriate (UDP, TCP and eventually the application). When a virtual private network is implemented, the lowest levels of the TCP/IP protocol are implemented using an existing TCP/IP connection. There are a number of ways to accomplish this, which trade off abstraction against efficiency. The advantage this gives you in terms of secure data transfer is only a single step further away.  Because a VPN gives you complete control over the physical layer, it is entirely within the network designer's power to encrypt the connection at the physical (virtual) layer. By doing this, all traffic of any sort over the VPN will be encrypted, whether it be at the application layer (such as Mail or News) or at the lowest layers of the stack (IP, ICMP). The primary advantages of VPNs are: they allow private address space (you can have more machines on a network), and they allow the packet encryption/translation overhead to be done on dedicated systems, decreasing the load placed on production machines.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Packet Level Encryption:&lt;/b&gt; Another approach is to encrypt traffic at a higher layer in the TCP/IP stack. 
Several methods exist for the secure authentication and encryption of telnet and rlogin sessions (Kerberos, S/Key and DESlogin) which are examples of encryption at the highest level of the stack (the application layer). The advantages to encrypting traffic at the higher layer are that the processor overhead of dealing with a VPN is eliminated, interoperability with current applications is not affected, and it is much easier to compile a client program that supports application layer encryption than to build a VPN. It is possible to encrypt traffic at essentially any of the layers in the IP stack. Particularly promising is encryption that is done at the TCP level, which provides fairly transparent encryption to most network applications.&lt;/p&gt;  &lt;p&gt;It is important to note that both of these methods can have performance impacts on the hosts that implement the protocols, and on the networks which connect those hosts. The relatively simple act of encapsulating or converting a packet into a new form requires CPU-time and uses additional network capacity. Encryption can be a very CPU-intensive process and encrypted packets may need to be padded to uniform length to guarantee the robustness of some algorithms. Further, both methods have impacts on other areas (security-related and otherwise, such as address allocation, fault tolerance and load balancing) that need to be considered before any choice is made as to which is best for a particular case.&lt;/p&gt;    &lt;h2&gt;Traffic Regulation&lt;/h2&gt;  &lt;p&gt;The most common form of network security on the Internet today is to closely regulate which types of packets can move between networks. If a packet which may do something malicious to a remote host never gets there, the remote host will be unaffected. Traffic regulation provides this screen between hosts and remote sites. This typically happens at three basic areas of the network: routers, firewalls and hosts. 
Each provides similar service at different points in the network.  In fact the line between them is somewhat ill-defined and arbitrary. In this article, I will use the following definitions:&lt;/p&gt;  &lt;blockquote&gt; &lt;b&gt;Router traffic regulation:&lt;/b&gt; Any traffic regulation that occurs on a router or terminal server (hosts whose primary purpose is to forward the packets of other hosts) and is based on packet characteristics. This does not include application gateways but does include address translation.  &lt;p&gt;&lt;b&gt;Firewall traffic regulation:&lt;/b&gt; Traffic regulation or filtering that is performed via application gateways or proxies.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Host traffic regulation:&lt;/b&gt; Traffic regulation that is performed at the destination of a packet. Hosts are playing a smaller and smaller role in traffic regulation with the advent of filtering routers and firewalls.&lt;/p&gt; &lt;/blockquote&gt;   &lt;h3&gt;Filters and access lists&lt;/h3&gt;  &lt;p&gt;Regulating which packets can go between two sites is a fairly simple concept on the surface: it shouldn't be, and isn't, difficult for any router or firewall to decide simply not to forward all packets from a particular site. Unfortunately, the reason most people connect to the Internet is so that they may exchange packets with remote sites. Developing a plan that allows the right packets through at the right time and denies the malicious packets is a thorny task which is far beyond this article's scope. A few basic techniques are worth discussing, however.&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Restricting access in, but not out: Almost all packets (besides those at the lowest levels which deal with network reachability) are sent to destination sockets of either UDP or TCP. Typically, packets from remote hosts will attempt to reach one of what are known as the well known ports. 
These ports are monitored by applications which provide services such as Mail Transfer and Delivery, Usenet News, the time, Domain Name Service, and various login protocols. It is trivial for modern routers or firewalls to allow only these types of packets through to the specific machine that provides a given service. Attempts to send any other type of packet will not be forwarded. This protects the internal hosts, but still allows all packets to get out.  Unfortunately this isn't the panacea that it might seem.&lt;/li&gt;&lt;li&gt;The problem of returning packets: Let's pretend that you don't want to let remote users log into your systems unless they use a secure, encrypting application such as S/Key. However, you are willing to allow your users to attempt to connect to remote sites with telnet or ftp. At first glance, this looks simple: you merely restrict remote connections to one type of packet and allow any type of outgoing connection. Unfortunately, due to the nature of interactive protocols, they must negotiate a unique port number to use once a connection is established. If they didn't, at any given time, there could only be one of each type of interactive session between any given two machines. This results in a dilemma: all of a sudden, a remote site is going to try to send packets destined for a seemingly random port. Normally, these packets would be dropped.  However, modern routers and firewalls now support the ability to dynamically open a small window for these packets to pass through if packets have been recently transmitted from an internal host to the external host on the same port. 
This allows connections that are initiated internally to connect, yet still denies external connection attempts unless they are desired.&lt;/li&gt;&lt;li&gt;Dynamic route filters: A relatively recent technique is the ability to dynamically add entire sets of route filters for a remote site when a particular set of circumstances occur. With these techniques, it is possible to have a router automatically detect suspicious activity (such as ISS or SATAN) and deny a machine or entire site access for a short time. In many cases this will thwart any sort of automated attack on a site.&lt;/li&gt;&lt;/ul&gt;   &lt;p&gt;Filters and access lists are typically placed on all three types of systems, although they are most common on routers.&lt;/p&gt;   &lt;p&gt;&lt;b&gt;Address Translation:&lt;/b&gt; Another advancement has been to have a router modify outgoing packets to contain its own IP number. This prevents an external site from knowing any information about the internal network; it also allows for certain tricks to be played which provide for a tremendous number of additional internal hosts with a small allocated address space. The router maintains a table which maps an external IP number and socket with an internal number and socket. Whenever an internal packet is destined for the outside, it is simply forwarded with the router's IP number in the source field of the IP header. When an external packet arrives, it is analyzed for its destination port and re-mapped before it is sent on to the internal host. The procedure does have its pitfalls; checksums have to be recalculated because they are based in part on IP numbers, and some upper layer protocols encode/depend on the IP number. These protocols will not work through simple address translation routers.&lt;/p&gt;  &lt;p&gt;&lt;b&gt;Application gateways and proxies:&lt;/b&gt; The primary difference between firewalls and routers is that firewalls actually run applications. 
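As an added example (not code from the original article), the toy Python router below models the three router-level mechanisms discussed above in one place: the inbound allow-list that admits only well-known service ports to the machine providing that service, the time-limited window that lets return traffic of internally initiated connections back in, and source address translation with the transport checksum recomputed after the rewrite. All addresses, ports and the 60-second window are constructed sample values.

```python
"""Toy edge router: stateful inbound filtering plus source NAT (added example)."""
from dataclasses import dataclass, replace
import ipaddress
import struct


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    checksum: int = 0


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 style 16-bit ones'-complement checksum over data."""
    if len(data) % 2:
        data = data + b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total // 0x10000:  # fold carries back into the low 16 bits
        total = total // 0x10000 + total % 0x10000
    return 0xFFFF - total  # ones' complement of the folded sum


def transport_checksum(pkt: Packet) -> int:
    """Checksum over a pseudo-header (addresses, ports, length) plus payload.

    Since the addresses are part of the input, rewriting either address
    invalidates the checksum, which is why a translating router recomputes it.
    """
    pseudo = (ipaddress.IPv4Address(pkt.src).packed
              + ipaddress.IPv4Address(pkt.dst).packed
              + struct.pack("!HHH", pkt.sport, pkt.dport, len(pkt.payload)))
    return ones_complement_sum(pseudo + pkt.payload)


class EdgeRouter:
    def __init__(self, public_ip, internal_net, services, window_seconds=60):
        self.public_ip = public_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self.services = services          # {public port: internal server ip}
        self.window = window_seconds      # how long return traffic stays admitted
        self.nat = {}                     # ext port -> (int ip, int port, remote ip, remote port, last seen)
        self.next_port = 40000            # constructed starting point for allocated ports

    def _existing_mapping(self, flow):
        for ext_port, entry in self.nat.items():
            if entry[:4] == flow:
                return ext_port
        return None

    def outbound(self, pkt, now):
        """Internal host to outside: record the flow and rewrite the source."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            return None  # refuse to translate a source that is not ours
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self._existing_mapping(flow)
        if ext_port is None:
            ext_port = self.next_port
            self.next_port += 1
        self.nat[ext_port] = flow + (now,)
        out = replace(pkt, src=self.public_ip, sport=ext_port)
        return replace(out, checksum=transport_checksum(out))

    def inbound(self, pkt, now):
        """Outside to internal: translated packet, or None when dropped."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.services:  # static allow-list for well-known services
            fwd = replace(pkt, dst=self.services[pkt.dport])
            return replace(fwd, checksum=transport_checksum(fwd))
        entry = self.nat.get(pkt.dport)
        if entry is None:
            return None  # no internal host asked for this; unsolicited probe
        int_ip, int_port, remote_ip, remote_port, last_seen = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None  # right port, wrong peer: the window is per flow
        if now - last_seen > self.window:
            del self.nat[pkt.dport]
            return None  # window expired, forget the mapping
        self.nat[pkt.dport] = (int_ip, int_port, remote_ip, remote_port, now)
        back = replace(pkt, dst=int_ip, dport=int_port)
        return replace(back, checksum=transport_checksum(back))


def demo():
    """Walk one internally initiated session and a few inbound packets."""
    r = EdgeRouter("203.0.113.1", "10.0.0.0/24", {25: "10.0.0.5"})
    syn = Packet("10.0.0.7", 51000, "198.51.100.9", 23, b"hello")
    out = r.outbound(syn, now=100)                       # new mapping on port 40000
    again = r.outbound(replace(syn, payload=b"more"), now=105)  # same flow reuses it
    reply = Packet("198.51.100.9", 23, "203.0.113.1", out.sport, b"login:")
    accepted = r.inbound(reply, now=110)                 # inside the window
    probe = Packet("192.0.2.66", 4444, "203.0.113.1", 40001, b"")
    dropped = r.inbound(probe, now=110)                  # nobody asked for this
    mail = Packet("192.0.2.10", 2525, "203.0.113.1", 25, b"HELO")
    forwarded = r.inbound(mail, now=120)                 # allow-listed service
    late = Packet("198.51.100.9", 23, "203.0.113.1", out.sport, b"x")
    expired = r.inbound(late, now=171)                   # 61 s after last activity
    return {"out": out, "again": again, "accepted": accepted,
            "dropped": dropped, "forwarded": forwarded, "expired": expired}
```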
These applications frequently include mail daemons, ftp servers and web servers. Firewalls also usually run what are known as application gateways or proxies. These are best described as programs which understand a protocol's syntax, but do not implement any of the functionality of the protocol. Rather, after verifying that a message from an external site is appropriate, they send the message on to the real daemon which processes the data.  This provides security for those applications that are particularly susceptible to interactive attacks. One advantage of using a firewall for these services is that it makes it very easy to monitor all activity, and very easy to quickly control what gets in and out of a network.&lt;/p&gt;  &lt;h2&gt;Conclusion&lt;/h2&gt;  &lt;p&gt;There are two basic types of network security, transit security and traffic regulation, which when combined can help guarantee that the right information is securely delivered to the right place. It should be apparent that there is also a need for ensuring that the hosts that receive the information will properly process it; this raises the entire specter of host security: a wide area which varies tremendously for each type of system.  With the growth in business use of the Internet, network security is rapidly becoming crucial to the development of the Internet. 
Soon, security will be an integral part of our day to day use of the Internet and other networks.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://bestofnetworksecurity.blogspot.com/feeds/6876206255403178611/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8724977986344259415&amp;postID=6876206255403178611' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/6876206255403178611'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8724977986344259415/posts/default/6876206255403178611'/><link rel='alternate' type='text/html' href='http://bestofnetworksecurity.blogspot.com/2008/03/in-last-decade-number-of-computers-in.html' title='Introduction Of Various Networks'/><author><name>Navneet Jindal</name><uri>http://www.blogger.com/profile/06173598871922345444</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
