Werner Schmidt
Enterprise Networking and Security Expert

Corporate networks more vulnerable than the Titanic

(Figure: single zone network)
During assessment reviews, one of the common architectural design flaws I still see quite a lot of is no network DMZ. The Titanic had 16 watertight compartments and it still sank. We wouldn’t even think of building something as important as a large cruise ship today with a single compartment, and yet I run into corporate networks that do exactly that: corporate networks with one security zone.

Whether it is a port redirect based NAT (VIP in Juniper Networks terms) or a one to one address NAT (MIP in Juniper Networks terms), the effect is the same. Either a single public port or a single public address is allowed to a single target server in the internal network. At first glance this seems innocent; after all, access is only being explicitly given to a single resource, so what can the harm be in that? The problem is that a flow has been allowed from the Untrust (Internet) zone into the Trust (internal) zone. If that server can be breached through a vulnerability, a brute forced password or just a misconfiguration, it can be used as a beachhead to attack and gain access to other systems in the network.

This is referred to as a leapfrog attack (today more often called pivoting or lateral movement). Access is somehow obtained to an externally reachable system, which is then used to leapfrog to other systems that are not externally accessible but are accessible from the breached system. Since the breached system is in the internal network and there is no firewall separating it from other devices there, it can do this relatively unhindered, except for whatever endpoint protection may be in place on every single system in the entire network. Telnet, RDP, HTTP, SSH and other methods can be used to access other internal systems.

DMZ design
Now let’s take a look at a better design using a DMZ (literally a demilitarized zone). In this case we place exposed public assets in a separate security zone from the internal network. Consider anything in the DMZ a sacrificial system. We then strictly control access with the following session flows:
  • Allow Untrust (Internet) to DMZ, per exposed server and service
  • Allow Trust (internal network) to Untrust (Internet)
  • Possibly allow Trust to DMZ (optional restrictions)
Now we are protected from breached servers in the DMZ. While a leapfrog attack can still be used within a zone, it cannot cross into a zone where the policy denies the flow. This is the fundamental benefit of compartmentalizing access with security zones and policies. The one direction to watch is DMZ to Trust: if a DMZ server genuinely needs to reach an internal system (a database or directory server, say), allow exactly that host and service and nothing more, because every DMZ to Trust rule is a path a breached sacrificial system can take back into the internal network.
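To make the difference between the two designs concrete, here is an added example (not code from the original post) that models zone policy as data and computes what an attacker who has already breached one server can reach by leapfrogging. The host names, zones and rules are constructed for illustration; the third run shows what a single "small" DMZ to Trust exception does to the picture.

```python
# Added example (not from the original post): a small model of zone-based
# policy that computes what an attacker who has breached one server can
# reach by leapfrogging. Host names, zones and rules are constructed.
from collections import deque

# Design 1: a single internal zone. A VIP/MIP-style NAT exposes web1 only,
# but web1 sits in Trust alongside everything else.
SINGLE_ZONE_HOSTS = {
    "web1": "trust", "fileserver": "trust", "dc1": "trust", "pc-alice": "trust",
}
SINGLE_ZONE_RULES = [("untrust", "trust", "web1")]

# Design 2: public servers moved to a DMZ; the three flows from the post.
DMZ_HOSTS = {
    "web1": "dmz", "mail1": "dmz",
    "fileserver": "trust", "dc1": "trust", "pc-alice": "trust",
}
DMZ_RULES = [
    ("untrust", "dmz", "web1"),   # Untrust -> DMZ, per exposed host
    ("untrust", "dmz", "mail1"),
    ("trust", "untrust", "any"),  # Trust -> Untrust
    ("trust", "dmz", "any"),      # Trust -> DMZ (optional)
]


def flow_allowed(src, dst, hosts, rules):
    """True if src can open a session to dst.

    Hosts in the same zone are not separated by the firewall at all, so
    that flow is always possible; across zones an explicit
    (from_zone, to_zone, dst_host_or_any) rule is required (default deny).
    """
    src_zone, dst_zone = hosts[src], hosts[dst]
    if src_zone == dst_zone:
        return True
    return any(f == src_zone and t == dst_zone and d in ("any", dst)
               for f, t, d in rules)


def leapfrog(beachhead, hosts, rules):
    """Set of hosts reachable from an already-compromised `beachhead`,
    treating every newly reached host as the next launching point."""
    seen, queue = {beachhead}, deque([beachhead])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst not in seen and flow_allowed(src, dst, hosts, rules):
                seen.add(dst)
                queue.append(dst)
    return seen - {beachhead}


if __name__ == "__main__":
    print("single zone, web1 breached:", sorted(leapfrog("web1", SINGLE_ZONE_HOSTS, SINGLE_ZONE_RULES)))
    print("DMZ design,  web1 breached:", sorted(leapfrog("web1", DMZ_HOSTS, DMZ_RULES)))
    # A "small" exception so DMZ servers can query the domain controller
    # re-opens the path: once dc1 is reached, the whole Trust zone follows.
    leaky = DMZ_RULES + [("dmz", "trust", "dc1")]
    print("DMZ + dmz->dc1 exception:  ", sorted(leapfrog("web1", DMZ_HOSTS, leaky)))
```

With the single zone, a breached web1 reaches every internal host; with the DMZ it reaches only mail1, its DMZ neighbour. The third run is the caveat in practice: one DMZ to Trust rule for dc1 puts the attacker back inside Trust, where nothing separates dc1 from the rest, so such exceptions need to be narrow and paired with further segmentation of the Trust side.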

With zone based firewalls and multiple ports, this is a very easy and highly recommended design change. I recommend multiple DMZs and additional segmentation of networks amongst users and servers. The key concept is containment. Limit the exposure to a cyber threat that enters your network by maximizing segmentation and zoning. Even the smallest Palo Alto Networks firewall (the PA-500) has 8 ports on it. When combined with threat inspection for detecting viruses, spyware and other malware, this becomes a very powerful security gateway.

(Figure: PA-500 firewall)


SSL VPN or IPSec client?

Remote users are a real challenge to embrace and secure within a corporate network. Can we really extend the internal network into an untrusted or unknown personal residence? There are the details of managed or unmanaged devices on a managed or unmanaged network and what that means from a security perspective. Couple that along with the concerns of lost devices and more and more PDAs and other devices like the Apple iPad, and things can be downright confusing and concerning.

Traditional IPSec clients were always the preference for dealing with remote endpoints, which were either desktops or laptops. They were ideal for managed devices across unmanaged networks: the IPSec tunnel encrypts the traffic, so the unmanaged network in between is no longer the concern. For the most part, we were used to having managed devices. IT would install a client, and an authorized and managed device would be given or sent to the end user.

As users changed, we got more laptops into the mix and access would start happening from unmanaged devices and unmanaged networks. Deploying and provisioning IPSec clients became challenging, along with the need to restrict where these untrusted unmanaged devices could go in our networks. SSL VPN became the solution for dealing with these problems.

Now we have a world of personal devices, large amounts of sensitive data on devices that are prone to being stolen, and users who will not accept being limited to corporate supported and approved devices. We need to be able to support a wide variety of platforms so they can connect to our corporate resources, while making sure these often unmanaged personal devices meet our security requirements.

We have to look at the provisioning problem separately from the access problem. The choice is no longer so clear. We need ubiquitous access and we need it to be secure. SSL VPN still offers a lot of choices with granular control, extensive logging and easy provisioning. IPSec clients have also come a long way and we offer two worthy of consideration. We offer Juniper Pulse for a variety of smart phones. It offers cloud based provisioning and several enterprise features for managing the devices while allowing them to connect as secure VPN clients. We also offer an individual or enterprise based IPSec client (more info soon on the web site, contact me) that works with laptops and phones. It can work with existing AD directory infrastructure and offers a centrally managed desktop firewall application to provide granular access for the endpoint, and it runs on corporate managed devices (real or virtual).

The good news is that we’re finally seeing robust solutions to manage the unmanaged endpoints while giving the kind of security oversight that is required. Whether it’s SSL VPN or IPSec VPN clients, we have solutions available today to choose from.

Learning new technology

Our core values in order are:
  • Integrity
  • Knowledge
  • Communication
  • Passion
  • Success

Concerning knowledge, we’re constantly learning new things and improving on what we already know. We’ve become very adept with Palo Alto Networks, which complements our existing knowledge of Juniper Networks. We also added skills with Aerohive Networks in addition to our Aruba Networks wireless skills.

Lately we’ve been working with a virtual appliance of LogLogic that we use internally. LogLogic is a great, simple to use and highly effective log monitoring and management solution. It addresses SIM (security information management) and can uniquely be used to feed other SEMs (security event managers). They also have a SEM component rounding out their SIEM offering, and have database (not just Oracle) auditing solutions. LogLogic has very capable and scalable units, but the entry price point had been prohibitive for some of our customers. We’re very excited and pleased with their new offering of a virtual solution with enterprise capability at a lower entry price point. Whether you need it for compliance reasons, network visibility or forensics, this is a great solution to have. We feel it is the best and simplest to deploy and use.

We continue to expand our knowledge in DDI (DNS, DHCP and IP address management).

In regards to assessments, we have created our own software. Now we use best of breed hardware for collections and then our own software and expertise to analyze and report our findings and recommendations. We’ve made this easy and unobtrusive to deploy while focusing on things that matter. You can read more in our other blog entry.

Altaware Assessment Offering

We have been providing assessment services for a while and gained experience in the process, mainly in terms of what people really need and can make use of. One of the greatest challenges is to be able to deliver a solution that meets our customer’s needs in terms of an assessment. It is like the Goldilocks problem of trying to find something just right.

We’ve created our own integrated combination of best of breed hardware for data collection coupled with our own software, which enables us to better peruse all the data, followed by human review and research to find what’s relevant.

Another challenge of existing tools is they seem to spew a lot of information, but it isn’t really from an IT or business perspective. All the tools just spew lots of reports and charts, but what did it really tell you? When I think assessments, as an IT person, I’m concerned with:
  • What are the real observed threats (malware, viruses, spyware, phone home, etc.) and also what direction is this occurring in? Is it server to client and what about client to server? I don’t need to look at all the noise, I want to hone in on what has a high enough severity and bypassed existing controls. Knowing IP addresses or names is nice, but I’m more interested in what users were affected.
  • I need to understand how the users are consuming business resources and how casual or personal use may be conflicting with real business services that your customers may be trying to access. I’d then like to either eliminate the distractions or at least be able to identify and prioritize them accordingly to make sure there are minimal or no conflicts with key business services.
  • I want to make sure that key information assets are not leaving our digital confines. This doesn’t just mean Email, but means a whole lot of different applications that can be used to violate our systems. Whether it’s for compliance or business concerns, we need to know what can be used to harm and bypass our controls. I need to understand not just what device, but what user account was used. That also includes being more aware of encryption and how it might be used to elude our visibility.

So, that’s how we look at assessments now, at least one of our main offerings. We collect data from one or more points in the network, though typically at a gateway location. We analyze the data with our tools and personal knowledge and then we report on the observations and make recommendations on how to mitigate the risk.

Please drop me a personal note or call and let’s see when we can schedule this for you. It is priced very aggressively compared to other offerings and yields more actionable information versus fluff and reams of reports.

Bruce Lee Style Security

“The highest technique is to have no technique. My technique is a result of your technique; my movement is a result of your movement.”
– Bruce Lee

I find that quote telling for where we ought to be in security now. We still build walls and people learn how to get around the walls. Worse yet, we use brute force to prevent attacks but with DDoS (Distributed Denial of Service) we can’t always build walls strong enough to sustain an attack.

Years ago, I studied some martial arts. It was while my kids were growing up and it looked interesting. I stayed in a while and progressed. At first I was real clumsy, then I started to learn techniques but struggled remembering the sequence. When I eventually left, I was just starting to get to a naturally reactive state. I like this description of cultivation from Bruce Lee.

The Three Stages of Cultivation - The first is the primitive stage. It is a stage of original ignorance in which a person knows nothing about the art of combat. In a fight, he simply blocks and strikes instinctively without a concern for what is right and wrong. Of course, he may not be so-called scientific, but, nevertheless, being himself, his attacks or defenses are fluid. The second stage—the stage of sophistication, or mechanical stage—begins when a person starts his training. He is taught the different ways of blocking, striking, kicking, standing, breathing, and thinking—unquestionably, he has gained the scientific knowledge of combat, but unfortunately his original self and sense of freedom are lost, and his action no longer flows by itself. His mind tends to freeze at different movements for calculations and analysis, and even worse, he might be called “intellectually bound” and maintain himself outside of the actual reality. The third stage—the stage of artlessness, or spontaneous stage—occurs when, after years of serious and hard practice, the student realizes that after all, kung fu is nothing special. And instead of trying to impose on his mind, he adjusts himself to his opponent like water pressing on an earthen wall. It flows through the slightest crack. There is nothing to try to do but try to be purposeless and formless, like water. All of his classical techniques and standard styles are minimized, if not wiped out, and nothingness prevails. He is no longer confined.

As quoted in The Art of Expressing the Human Body (1998) edited by John R. Little, p.108-109

As I look at the security field, I see the same evolution. Not too long ago, security was in the primitive stage and frankly still is in a lot of organizations. With more robust solutions, we’re closer to the stage of mechanical or sophistication stage, but that’s about as far as we are. We need solutions to be more spontaneous and adaptive that yield, redirect and elude the enemy.

We are starting to see that, but only the early stages. Application firewalls are a great example, we offer industry best solutions for web servers and Oracle servers that are in the sophistication stage. We also now carry what I believe is the first example of spontaneous security for public facing web servers that are adept and react differently to threats based upon the perceived skill of the attacker. These tools assess the quality and skills of the opponent through ever greater challenges and elusion. I’m excited, it’s where I think security needs to go and be. If you have a critical web based application that deals with confidential information, fiscal or health related transactions or just needs to remain up and secure to advanced threats, please give me a call so we can demo the latest advancements in this arena. These are offered as virtual appliance solutions.

Pulse Mobile Security Suite

Pulse is an exciting new offering for mobile device security and access.

We all know the struggle of supporting a variety of PDAs and smartphones, especially when they are personal devices. We also have to contend with what to do when these devices are lost or stolen while holding sensitive corporate data in Email or documents.

Pulse tackles this problem by:
- Helping to secure mobile devices from malicious attacks
- Secure remote access for mobile users
- Connect users via secure VPN to your corporate network
- Tight enforcement controls and granular access to enterprise resources
- Mobile platform device software is no cost to users via respective application stores
- Broad platform support: Apple iOS 4.1, Google Android, RIM BlackBerry, Nokia Symbian, Windows Mobile
- Zero touch provisioning of mobile access for new users
- Deprovisioning lost or stolen devices
- Ability to enforce strong authentication

There’s more to the story and I encourage reading the documents below. Bottom line, if you have mobile corporate users and want to better control and secure the devices, this is the solution for you. If you already have SSL VPN and love the granular control, but want to include the mobile devices as clients along with your role based access, then get this solution. Call us for licensing questions in regards to the Juniper Networks SA SSL VPN.

>>> Download Datasheet Junos Pulse Security Suite
>>> Download white paper on securing the Mobile Enterprise

Security - An Application View

Last month I was lamenting that there had to be a better way to take a look at a different security stack model and imagining a security stack with solutions that:
  • Allows a company to whitelist appropriate behavior and applications
  • Determines a threat by sandboxing attachments and checking what the behavior is
  • Determines a web application threat by observing the actions of attackers and assessing their skill and tenacity and counteracting accordingly
  • Use profiling techniques to log individual attackers and threats
  • Log events from above for legal or compliance concerns

I’ll be building upon this discussion next month as well. This month we’ll touch upon whitelisting appropriate behavior and applications. Whitelisting has been around for quite a while and keeps making a comeback. We’re all used to blacklisting, which is a process where we list those things (sites, applications, users, resources, etc.) we wish to blacklist or block. With blacklisting, that which is not blocked is allowed. Whitelisting is a process where allowed things are listed, that which is not on the allowed list just isn’t allowed. This can pertain to web sites, usernames, desktop applications, firewall ports, etc.

For now we’ll focus on the firewall. In the old days, ports used to represent applications. Port 25 (smtp) was Email, port 23 (telnet) was terminal access (mainframes or minicomputers), port 21 (ftp) was file transfer, and so on. Port 80 was just for web browsing. Now, however, something like 80% of all traffic runs over port 80 and its encrypted counterpart, port 443, and a large percentage of it is encrypted. Web browsing is defined as just that, web browsing (think cnn.com, weather.com, wikipedia.com, etc.). It’s where you use a web browser to look at general text and some static pictures to get information. It might be a support site, might be a vendor site, etc. Classical browsing would not include web 2.0 applications. Web 2.0 applications are full fledged applications that happen to run over port 80 (or 443) instead of older ports or client/server protocols. In the past we would run QuickBooks as a local application; now that can be run across the web or in a cloud. SalesForce is the classical example of a web 2.0 application. With web 2.0 applications you can transfer files, listen to audio, watch streaming video, and use proxies or encryption to avoid detection. So we need to focus on the characteristics of what is occurring on ports 80 and 443 (and the other ports still too!) to determine our security posture. These days, entertainment in various forms consumes massive amounts of corporate bandwidth.

Web application characteristics include:
  • Is it capable of being evasive (port hopping, encryption, etc.)?
  • Is it using or able to use excessive bandwidth?
  • Is it prone to misuse?
  • Can it be used to transfer files?
  • Can it tunnel other applications?
  • Is it used by malware?
  • Does it have vulnerabilities?
  • Is it widely used?

We might also want to factor in potential risk by application as well.

Let’s look at some examples of each (all lowercase for simplicity):
  • Evasive - azureus, bittorrent, gnutella, logmein, skype, youtube
  • Excessive bandwidth - bittorrent, emule, ftp, gnutella, google-docs-uploading, kazaa, xunlei, vimeo, youtube
  • Prone to misuse - ftp, gnutella, hamachi, hopster, kazaa, smtp, skype, vnc, webdav
  • Transfers files - bittorrent, ftp, gnutella, google-docs, hamachi, logmein, webdav
  • Tunnels other apps - hopster, irc, kazaa, logmein, socks, vnc
  • Used by malware - bittorrent, hamachi, http-tunnel, skype, vnc, xunlei, youtube
  • Vulnerabilities - Many applications have known vulnerabilities. Short list: ftp, irc, logmein, nntp, vnc, youtube, webdav
  • Widely used - Many applications are used extensively

Try applipedia (http://ww2.paloaltonetworks.com/applipedia/) to explore applications. Following is a page of what that looks like. This is the same application database that Palo Alto Networks firewalls use when setting application use policies:



So, where does this leave us? We should no longer think that opening up just ports 80 and 443 from trust to untrust is adequate. Furthermore, adding URL filtering does very little in terms of application control. URL filtering cannot address P2P (Peer to Peer) application threats at all, because by their nature the other end(s) are unknown: they are other end user desktops, not known URLs, in almost all cases.

Recommendations:
  1. We should whitelist by actual applications
  2. We should whitelist by users and/or groups
  3. We should implement QoS to further protect and prioritize key corporate resources
  4. We should still look for threats on approved applications (we shouldn’t bother scanning disallowed applications)
  5. We still probably want to allow classical web browsing, but should apply URL filtering
  6. We should strongly consider decrypting traffic in certain cases and not decrypting in certain category destinations (e.g. banking, healthcare)
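The whitelist versus blacklist distinction above, and recommendations 1, 2, 4, 5 and 6, come together in a single policy lookup. The following is an added example (not code from the original post and not any vendor's policy engine) that makes the lookup concrete: rules are keyed on the identified application and the user's group, anything unmatched is denied, allowed traffic is scanned, classical browsing gets URL filtering, and encrypted sessions to excluded categories are left alone. The users, groups, application names and URL categories are constructed for illustration.

```python
# Added example (not from the original post, not any vendor's code): a
# positive (whitelist) policy lookup keyed on the identified application and
# the user's group, with default deny, decryption exclusions by URL category,
# and threat scanning only on what is allowed. Users, groups, application
# names and categories are constructed for illustration.
from dataclasses import dataclass

# Constructed directory: user -> groups (what AD group membership would give us).
GROUPS = {
    "alice": {"sales", "all-staff"},
    "bob": {"engineering", "all-staff"},
    "guest": set(),
}

# Ordered allow rules as (application, group). Anything that matches no rule
# is denied; there is no deny list to maintain.
ALLOW_RULES = [
    ("web-browsing", "all-staff"),
    ("ssl", "all-staff"),
    ("google-docs", "all-staff"),
    ("salesforce", "sales"),
    ("ssh", "engineering"),
]

# Recommendation 6: categories we deliberately leave encrypted.
NO_DECRYPT_CATEGORIES = {"financial-services", "health-and-medicine"}


@dataclass
class Flow:
    user: str
    app: str                     # identified from content, not from the port
    port: int
    url_category: str = "unknown"
    encrypted: bool = False


def matching_rule(flow):
    """First allow rule covering this app for a group the user belongs to,
    or None (which the caller treats as default deny)."""
    groups = GROUPS.get(flow.user, set())
    for app, group in ALLOW_RULES:
        if app == flow.app and group in groups:
            return (app, group)
    return None


def decide(flow):
    rule = matching_rule(flow)
    if rule is None:
        return {"action": "deny", "rule": None, "decrypt": False,
                "scan": False, "url_filter": False}
    decrypt = flow.encrypted and flow.url_category not in NO_DECRYPT_CATEGORIES
    return {
        "action": "allow",
        "rule": rule,
        "decrypt": decrypt,
        # Recommendation 4: scan allowed traffic for threats. Traffic we
        # chose not to decrypt cannot be scanned, and that is a known gap.
        "scan": (not flow.encrypted) or decrypt,
        # Recommendation 5: classical browsing still gets URL filtering.
        "url_filter": flow.app == "web-browsing",
    }


if __name__ == "__main__":
    samples = [
        Flow("alice", "bittorrent", 80),                        # port 80 does not help it
        Flow("bob", "salesforce", 443, "business", True),       # wrong group
        Flow("alice", "salesforce", 443, "business", True),     # allowed, decrypted, scanned
        Flow("alice", "ssl", 443, "financial-services", True),  # allowed, left encrypted
        Flow("alice", "web-browsing", 8080, "news"),            # odd port, still browsing
        Flow("guest", "web-browsing", 80, "news"),              # no group, no access
    ]
    for f in samples:
        print(f"{f.user:6} {f.app:13} :{f.port:<5} -> {decide(f)}")
```

Note what the port field never does: it is carried along for logging but plays no part in the decision, which is the whole point of recommendation 1. The one honest weakness the output shows is the banking session: allowed, not decrypted, and therefore not scanned, which is the trade-off recommendation 6 accepts.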

This is just the first touch on a lengthy subject. Future articles will explore deeper how to properly detect malware and protect against it. I’ll also be discussing other approaches to protecting public web servers from outside threats.

The Rule of All

There’s a lot of talk now about application firewalls and it’s all the rage. That’s great. There is a greater awareness now of the real risk of applications masquerading as web browsing. These applications can be evasive, consume enormous amounts of bandwidth and be used to steal information, and that’s just a short list. Because web based applications are so accessible to users, they are routinely used to bypass corporate policies.

However, not all solutions are the same. I get approached quite often by yet another manufacturer claiming to have this functionality. They are not all the same, in fact I still only believe in one solution out there.
See a video of the reporting features that I made.

Let’s take a simple look to help understand the dilemma. Let’s start with WebEx. Is all WebEx traffic the same, and can we classify the application based upon the URL or domain alone? Definitely not; a user might be browsing to www.webex.com to learn about the product and is just using a browser to read information. Let’s now assume a WebEx session has started. Now is it bad? Well, it depends. There could be chat, that chat could include pasted private information, there might be screen sharing, there might even be remote control (keyboard and mouse). The problem with this scenario is that to make proper decisions we need greater granular visibility/control and must deal with the mode shifting. Once there is a mode shift, it’s a different potential threat posture.

YouTube, another great example. Appropriate or not? Could be personal, could be business, might be videos, has many other threats too.

Facebook, the classic example. It could nowadays be a corporate Facebook page being accessed for work reasons, could be just a read only view of a site, someone might be posting information that is sensitive to the company or using work time for personal posts. Facebook chat has numerous risks and is extremely prevalent. Facebook apps include time consuming items such as Farmville and Mafia Wars. These are not turn based games; people can have their virtual characters injured while they are at work and not attending to their game, or not harvesting their crops. These games demand continuous attention. There are now countless games and applications available. Can you really just use URL categorization?

The problem is that a device cannot simply bolt on application visibility. Done as an afterthought it is slow and time consuming. Application identification must be enabled and active all the time and be the first consideration a firewall or security device makes, not a downstream decision, and for performance reasons there should be a single pass over the data.

So, here’s the rule of Alls which I heartily agree with Palo Alto Networks (PAN) on:
  • All App-IDs are always on: Every one of the App-IDs are always enabled. They are not optional, there is no need to enable a series of signatures to look for an application.
  • Always the first action taken: App-ID traffic classification is always the first action taken when traffic hits the Palo Alto Networks next-generation firewall. Like all firewalls, the PAN device uses a default deny all approach. Policies are enabled to begin allowing traffic, at which time, all App-IDs begin to classify traffic without any additional configuration efforts.
  • All of the traffic: App-ID is always classifying all of the traffic – not just a subset of the traffic (like HTTP for IPS signatures). All App-IDs are looking at all of the traffic passing through the device, business applications, consumer applications, network protocols, and everything in between. There is no need to configure App-ID to look at a specific subset of traffic. It automatically looks at all of it. It should be able to decrypt traffic if desired.
  • All ports: App-ID is always looking at every port. Again, there is no need to configure App-ID to look for an application on a non-standard port. It is automatic.
  • All versions, all OSes: App-ID operates at the services layer, monitoring how the application interacts between the client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system agnostic. The result is that a single App-ID for BitTorrent is going to be roughly equal to the many BitTorrent signatures that need to be enabled to try and control this application.
  • All classification techniques: Each App-ID is not just an IPS-like signature. Every App-ID will automatically use up to four different traffic classification mechanisms to determine the exact identity of the application. There is no need to apply specific settings for a specific application, App-ID systematically applies the appropriate mechanism.
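The "all ports" and "always first" rules are easiest to appreciate by watching a port table and a content classifier disagree on the same first packet. Below is an added example (not code from the original post and not Palo Alto Networks' App-ID, which uses several mechanisms beyond the byte signatures shown here) that identifies a handful of applications from the first client bytes of a TCP session without looking at the port, then prints both verdicts side by side. The sample payloads are constructed.

```python
# Added example (not from the original post, not Palo Alto Networks' App-ID):
# identifies an application from the first client bytes of a TCP session,
# ignoring the port, and contrasts that with a port-table lookup. The
# signatures cover a handful of protocols and the payloads are constructed.

PORT_TABLE = {21: "ftp", 22: "ssh", 25: "smtp", 80: "web-browsing", 443: "ssl"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def is_http_request(p):
    first_line = p.split(b"\r\n", 1)[0]
    return p.startswith(HTTP_METHODS) and first_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))


def is_tls_client_hello(p):
    # TLS record: type 0x16 (handshake), version 0x03 0x0X, 2-byte length,
    # then a handshake message of type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


SIGNATURES = [
    ("bittorrent",   lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("ssh",          lambda p: p.startswith((b"SSH-2.0-", b"SSH-1.99-"))),
    ("ssl",          is_tls_client_hello),
    ("web-browsing", is_http_request),
]


def classify_by_port(port):
    return PORT_TABLE.get(port, "unknown-tcp")


def classify_by_content(payload):
    """Run every signature against every flow; the port is not an input."""
    for name, match in SIGNATURES:
        if match(payload):
            return name
    return "unknown-tcp"


def classify(port, payload):
    """Both views side by side so the disagreement is visible."""
    return {"port_says": classify_by_port(port),
            "content_says": classify_by_content(payload)}


# Constructed first-packet payloads.
SAMPLES = {
    "ssh on 443":       (443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "bittorrent on 80": (80, b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-XX0001-" + bytes(12)),
    "http on 8080":     (8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "tls on 443":       (443, bytes.fromhex("160301002c0100002803030000")),
    "opaque on 5555":   (5555, bytes.fromhex("deadbeef00000000")),
}

if __name__ == "__main__":
    for label, (port, payload) in SAMPLES.items():
        print(f"{label:18} {classify(port, payload)}")
```

Two things the output makes plain. First, a port table calls SSH on 443 "ssl" and BitTorrent on 80 "web-browsing", which is exactly the masquerading the post is about; the content classifier is right in both cases because it never consulted the port. Second, the opaque payload comes back "unknown-tcp" from both, and that result should itself be a policy decision (deny or log), not a silent allow. A real classifier also has to handle server-first protocols, re-evaluate after decryption, and track the mode shifts (chat to file transfer to remote control) that the WebEx example describes, none of which a one-packet signature can do.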


Schedule a demo or possible on-site evaluation or application visibility report with us to see the difference that Palo Alto Networks makes.
Watch a brief video I made of a live Palo Alto Networks firewall and how to address the five Ws (Who, What, Where, When and Why).

Security - A better way

Security today is flawed. It’s all based upon “negative” signatures. In other words, signatures of things that are known bad. This has many flaws, not the least of which are:
  • Zero day. How do you know it’s bad until it has already done damage somewhere?
  • Can we really create signatures in a world of large botnets and polymorphic threats?
  • Just because it isn’t recognized as bad, does it mean it’s good?
  • It usually only works for threats from the outside trying to come in. After it’s in already, the approach is meaningless for the most part.
  • Can you really tell “intentions” without observing actions?
  • We ought to really only allow things we want (positive or white list model) and then make sure the allowed applications aren’t misused.

The above is a short list, but lets take a look at a different security stack model. Lets imagine a security stack with solutions that:
  • Allow a company to whitelist appropriate behavior and applications
  • Determines a threat by sandboxing attachments and checking what the behavior is
  • Determines a web application threat by observing the actions of attackers and assessing their skill and tenacity and counteracting accordingly
  • Use profiling techniques to log individual attackers and threats
  • Log events from above for legal or compliance concerns

This is a very different way, far simpler as it turns out. Negative based models fall short, create numerous false positives (barking dogs) and don’t protect against sophisticated cybercrime and corporate espionage. We have to start looking at what threats are actually attempting to do or their actions. It’s the only way to assess their damage potential.
Sandboxing is a way to take files, run them in one or more virtual machines and observe what the file actually attempts to do or not do. For instance, is it attempting to alter the Windows registry? Is it attempting to access files? Is it calling out to the Internet? If it is altering the system, it’s a threat. One caveat: evasive malware may check whether it is running in a sandbox and stay dormant there, so a clean sandbox run is evidence, not proof. Honeypots are ways to detect activity; basically they are like motion detectors. If you detect motion inside a closet that houses your valuables and nobody should be there, there’s a problem. Furthermore, if you give that threat greater and greater challenges and they continue to break through the various more challenging honeypots, you now have a capable and determined threat; action is required and it’s just a matter of time.
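What a behaviour verdict looks like once the sandbox has produced its trace, as an added example (not code from the original post and not any sandbox product): the file is never matched against a signature; instead the ordered list of things it did is checked for persistence via a Run key, for dropping a binary and then executing it (a correlation across two events, not a single match), and for outbound connections. The event schema, registry keys and both traces are constructed for illustration; real sandboxes each have their own output format.

```python
# Added example (not from the original post): a behaviour-based verdict over
# a sandbox execution trace. Instead of matching a signature of the file, we
# look at what the file did: persistence via a Run key, dropping and then
# executing a new binary, and outbound connections. The event format and the
# sample traces are constructed; real sandboxes each have their own schema.

RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".vbs")
PRIVATE_PREFIXES = ("10.", "192.168.", "127.")   # simplified RFC 1918 / loopback check
DOCUMENT_SUFFIXES = (".docx", ".xlsx", ".pdf")


def behaviours(trace):
    """Return the set of named behaviours found in an ordered event list."""
    found = set()
    dropped = set()          # executable paths this sample wrote, lower-cased
    for ev in trace:
        kind = ev["event"]
        if kind == "registry_set" and ev["key"].startswith(RUN_KEYS):
            found.add("persistence:run-key")
        elif kind == "file_write" and ev["path"].lower().endswith(EXEC_SUFFIXES):
            dropped.add(ev["path"].lower())
            found.add("drops-executable")
        elif kind == "process_create" and ev["image"].lower() in dropped:
            found.add("executes-dropped-file")   # correlation: write, then run
        elif kind == "network_connect" and not ev["dst"].startswith(PRIVATE_PREFIXES):
            found.add("outbound-connection")
        elif kind == "file_read" and ev["path"].lower().endswith(DOCUMENT_SUFFIXES):
            found.add("reads-documents")
    return found


def verdict(trace):
    """(label, behaviours). Reading documents and talking to the Internet are
    normal on their own; persistence or running a dropped binary plus a
    call-out is not. A quiet trace is 'benign' only as far as the sandbox
    saw, since evasive samples may stay dormant when they detect a VM."""
    b = behaviours(trace)
    if {"persistence:run-key", "executes-dropped-file"} & b and "outbound-connection" in b:
        return "malicious", b
    if b - {"reads-documents", "outbound-connection"}:
        return "suspicious", b
    return "benign", b


# Constructed trace: a document that drops and runs a binary, persists,
# then calls home (203.0.113.10 is a documentation address).
DROPPER_TRACE = [
    {"event": "file_read", "path": r"C:\Users\u\invoice.docx"},
    {"event": "file_write", "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"event": "process_create", "image": r"c:\users\u\appdata\local\temp\upd.exe"},
    {"event": "registry_set", "key": RUN_KEYS[0] + r"\Updater",
     "value": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"event": "network_connect", "dst": "203.0.113.10", "port": 443},
]
# Constructed trace: an ordinary document viewer session on the LAN.
CLEAN_TRACE = [
    {"event": "file_read", "path": r"C:\Users\u\report.pdf"},
    {"event": "network_connect", "dst": "10.1.2.3", "port": 445},
]

if __name__ == "__main__":
    for name, trace in (("dropper", DROPPER_TRACE), ("clean", CLEAN_TRACE)):
        label, seen = verdict(trace)
        print(f"{name:8} {label:10} {sorted(seen)}")
```

The useful part is the ordering: "executes-dropped-file" only fires when the process image was written earlier in the same trace, which is the kind of question a file hash or byte signature cannot answer. The thresholds are deliberately simple; in practice the behaviour names feed a scoring model and the honeypot escalation the post describes is the same idea applied to an attacker rather than a file.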

At Altaware, we offer all the standard existing infrastructure based solutions, but we also offer solutions for the more discerning and demanding customers that want to go beyond compliance and into the world of true security.

Are we secure?

Data security is an interesting field. It seems like we have all these solutions and yet breaches seem to be occurring at more rampant levels. Simple things like Web 2.0 actually manage to defeat almost all security measures and kids can defeat most corporate systems, so, how secure are we?

Lets look at the typical security stack in a company:
  • Perimeter firewall
  • Some kind of virus/malware solution (desktop or server or Email)
  • IDS / IDP (Intrusion Detection or Prevention Systems)
  • URL filtering or other UTM (Unified Threat Management)
  • Perhaps some logging
  • Perhaps a proxy
  • Perhaps a web application firewall (good possibility it isn’t actively enabled)

It’s really pitiful in some regards. In general, the whole stack seems to work on making us secure by looking for and denying bad stuff. This leads us into a very dangerous assumption: that which is not bad must be good. It’s like a border checkpoint that relies on a manually maintained do not enter (think no fly) list and some self-answered security questions.

The port-based firewall is the worst of them all. It seems to be a fancy bridge/router to connect two Ethernet wires. The security model is essentially self declaration by the packets. For instance, are you web traffic? Yes, I’m port 80. Okay then, come on through; no need to be stopped or inspected. Really, port 80 is just web browsing? Not anymore: it’s file transfers, it’s bandwidth robbing, it’s data leakage, it’s phone home, it’s everything now. Used that way, a firewall is useless; about all it does now is slow down legitimate traffic. It doesn’t address the intent, actions or characteristics of the data. Is the data being used to evade security, to transfer files, to consume excessive bandwidth, to tunnel other applications; is it used by malware; is it prone to vulnerabilities; etc.? We also can’t tell who is using it. We just see IP addresses in ever larger, generally dynamic (DHCP) networks, where we might eventually figure out which device if we look soon enough, while an address lease is still active. However, depending on the device, we still don’t know who the actual user is. So the firewalls tend to not know anything about the actual applications, data, users, characteristics or threats borne in the content, and they slow traffic down. Wonderful.
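The "look soon enough, while the lease is still active" problem is the one thing in this list a log-driven correlation can actually fix, so here is an added example (not code from the original post) of answering "who was on this IP at this time?" from DHCP and logon logs. The DHCPACK lines use ISC dhcpd's real syslog wording; the logon line format, host names, the 2011 year and the 8-hour lease length are constructed assumptions. The sample covers the two cases that matter: a different user logging on to the same device later in the day, and the address being re-leased to another device after expiry.

```python
# Added example (not from the original post): answering "who was on this IP
# at this time?" from DHCP lease and logon logs, the correlation a port-based
# firewall cannot do on its own. DHCPACK lines follow ISC dhcpd's syslog
# format; the logon line format, host names and lease length are constructed.
import re
from datetime import datetime, timedelta

YEAR = 2011                               # syslog lines carry no year (assumed)
LEASE = timedelta(hours=8)                # assumed lease time for this scope

DHCP_LOG = """\
Mar 10 08:55:02 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (pc-alice) via eth0
Mar 10 09:10:44 dhcp1 dhcpd: DHCPACK on 10.1.5.24 to 00:11:22:33:44:66 (pc-bob) via eth0
Mar 10 17:30:09 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 00:11:22:33:44:77 (guest-tablet) via eth0
"""
LOGON_LOG = """\
Mar 10 08:57:31 dc1 logon user=alice host=pc-alice
Mar 10 09:12:02 dc1 logon user=bob host=pc-bob
Mar 10 13:05:15 dc1 logon user=carol host=pc-alice
"""

TS = r"(\w{3} \d{1,2} \d\d:\d\d:\d\d)"
DHCP_RE = re.compile(TS + r" \S+ dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
LOGON_RE = re.compile(TS + r" \S+ logon user=(\S+) host=(\S+)")


def ts(s):
    """Parse a syslog timestamp, supplying the assumed year."""
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")


def parse(log, rx):
    return [m.groups() for m in (rx.match(line) for line in log.splitlines()) if m]


def device_at(ip, when, dhcp_log=DHCP_LOG):
    """Host name holding `ip` at `when`, or None if no lease covers that time.
    The most recent ACK whose lease window contains `when` wins, so an
    address re-issued to another MAC after expiry is attributed correctly."""
    best = None
    for t, lease_ip, mac, host in parse(dhcp_log, DHCP_RE):
        t = ts(t)
        if lease_ip == ip and t <= when < t + LEASE and (best is None or t > best[0]):
            best = (t, host, mac)
    return best[1] if best else None


def user_at(ip, when, dhcp_log=DHCP_LOG, logon_log=LOGON_LOG):
    """Most recent logon, at or before `when`, on the device that held `ip`."""
    host = device_at(ip, when, dhcp_log)
    if host is None:
        return None
    latest = None
    for t, user, logon_host in parse(logon_log, LOGON_RE):
        t = ts(t)
        if logon_host == host and t <= when and (latest is None or t > latest[0]):
            latest = (t, user)
    return latest[1] if latest else None


if __name__ == "__main__":
    for q in ("Mar 10 10:00:00", "Mar 10 14:00:00", "Mar 10 17:45:00", "Mar 11 03:00:00"):
        print(q, "10.1.5.23 ->", device_at("10.1.5.23", ts(q)), user_at("10.1.5.23", ts(q)))
```

At 10:00 the address belongs to pc-alice and alice is logged on; at 14:00 the same device now answers carol, because a device is not a user; at 17:45 the lease has expired and the address has been re-issued to a guest tablet that never authenticated to the domain, so the user is unknown; and on the following morning no lease covers the address at all. Those last two results are the honest answers the post is asking for, and they are only available because the logs were kept and correlated rather than read off the firewall after the fact.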

OK, but we can layer on IDS/IDP, proxies, URL filtering, A/V scanning, DLP and lots of other magic boxes. We create a sprawl of technology and devices to learn and try to correlate. I won’t even get into the management or problematic performance and context awareness. I hate the underlying principle: “It must be good if it isn’t bad.” Wow, that’s messed up! We should be judging good and bad based upon characteristics and actions. It’s not who the user is and their previous reputation, rather, what are they doing now? The problem isn’t just using bad applications or bad sites, it’s also making sure threats don’t exist on approved sites and applications. It’s a mentality from mail servers. We have the approved corporate mail servers, but of course we still have to inspect content for threats. So, what makes much more sense is disallowing applications and sites that are inappropriate and then making sure approved sites, URLs and applications (e.g. Facebook) are not used in inappropriate manners or to propagate threats (e.g. Koobface).

There has to be a better way, I know there is.