WAN Security & VPN
Kaman Ng, TEL660, 19 Jan 2006
Need for Security?
• Online Trading: E*Trade, Schwab, TD Waterhouse, Fidelity, Ameritrade
• Online Banking: Commerce Bank, Citibank, HSBC
• Online Purchases: eBay, BestBuy.com, BarnesandNoble.com
• Online Information: telephone, medical and utility accounts
• Remote Access: home offices, mobile workers, temporary branch offices
Security Threats: Five Types of Risks
• Data exposure in transit and storage
• Application-level attacks
• Mismanagement of encryption techniques
• Inattention to access and identity risks
• Misconfigurations by security administrators
Intrusion Attacks and Viruses
• Intrusion by hackers: unauthorized access into government sites, telcos and large technology corporations
• Email virus: an email attachment that scans the user's address book in order to replicate further and infect other users
• Worm: a small piece of software that uses computer networks and security holes to replicate itself
• Trojan horse: a virus that disguises itself and appears to the user as a normal computer program
• Denial of Service (DoS) attacks: render a computer or network incapable of providing normal service by generating such a high volume of traffic that all network resources are consumed. The main purposes are to cause outages and the corruption or deletion of data.
History of WAN attacks
Around Christmas time in 1987, the first major WAN virus appeared and was immediately dubbed the Christmas virus. The Christmas virus was a REXX (CMS) script that drew a Christmas tree on the user's screen. Meanwhile, it would look in the user's NAMES file and find the addresses of other network users. Once these addresses were found, the virus would send copies of itself to those users. This virus brought VNET, IBM's internal network, to its knees.
History of WAN attacks
Sometime around 6 PM EST on November 2, 1988, the most famous computer worm in history was introduced into the Internet by Robert Morris, the son of a famous computer security analyst working for the NSA. The worm spread like wildfire, infecting hundreds if not thousands of computers in a matter of hours. The only computers that were susceptible were Sun 3 systems and VAXes running BSD 4.3 Unix. Many sites cut themselves off from the network to protect themselves against the worm. Full Internet connectivity was not restored for weeks afterwards.
Internet Intrusions
• Spam: flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. This is a form of electronic junk mail. Most spam is commercial advertising, but some spam is created with the intention of slowing down or causing outages to email systems and servers, or of flooding organizational networks.
• Popups: irritating popup windows with advertisement messages or website redirections. They intrude on your browser session and slow down your Internet access.
• Spyware / Adware: software made by publishers that allows them to snoop on your browsing activity, invade your privacy and track your browsing habits. Your personal information can be sold to other parties without your knowledge or consent. Your default homepage and settings can be hijacked so that you can't change them.
Top Network Security Risks
• Unpatched servers: while most IT departments would claim that they are diligent about applying patches as soon as they are available, this risk has to be taken very seriously, as even large companies (Microsoft, for example) have failed to patch all servers in a timely manner, leading to disruption of internal network traffic by worms like Code Red and its variants.
• Unpatched client software: many common and freely available Internet client applications, in particular Internet Explorer, Outlook Express and Outlook, contain security vulnerabilities that may be exploited by a large number of variations on worm or viral code.
Top Network Security Risks
• Insecure peer-to-peer file sharing: individual users' computers often have file and printer sharing turned on, allowing files to be copied directly between computers within an office or from the Internet. Even when these features are turned off, Internet users share files using peer-to-peer programs such as Kazaa, Morpheus, WinMX and LimeWire.
• Insecure passwords: network IDs and passwords that are not safeguarded, and passwords that lack the symbols, numbers and mixed-case letters of a strong password.
Top Network Security Risks
• Home personal computers: exposing personal information to the Internet; accessing corporate networks from less secure home PCs; mixing personal use with risks to the corporate network.
• Laptops: prone to a lack of security, and targets for theft because of their mobility. The portable nature of laptops leads them to be connected to a multitude of network environments (including clients' networks), and they often require the use of one or more dial-up Internet connections in addition to the connection to the corporate network.
SANS/FBI Top Twenty
• In 2001, the SANS (SysAdmin, Audit, Network, Security) Institute published a list of the top 20 security flaws.
• In Verizon, a tech team was established to scan all networked servers and ensure that they are compliant and pass the SANS audit.
CERT
CERT is the first computer security incident response team. It is an organization devoted to ensuring that appropriate technology and systems management practices are used to resist attacks on networked systems, to limit damage and to ensure continuity of critical services in spite of successful attacks, accidents or failures. CERT is located at the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) operated by Carnegie Mellon University.
CERT Email Alert
CERT NOTIFICATION
The Verizon Security - Computer Intrusion Response Team (CIRT) requests your immediate action on the following security advisory if it adversely affects the network/system you support. Email any questions or concerns to email@example.com.
Please see below for the CIAC BULLETIN Q-090 Vulnerability in Graphics Rendering Engine.
A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. This HIGH-risk vulnerability can be mitigated by downloading and installing the updates listed in Microsoft Security Bulletin MS06-001 (912919). The URL for this bulletin is http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
CIRT Notification
Subject: CIAC BULLETIN Q-090 Vulnerability in Graphics Rendering Engine
The U.S. Department of Energy Computer Incident Advisory Capability
INFORMATION BULLETIN
Vulnerability in Graphics Rendering Engine [Microsoft Security Bulletin MS06-001 (912919)]
January 5, 2006 20:00 GMT, Number Q-090
PROBLEM: A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images.
PLATFORM: Affected Software:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.
DAMAGE: An attacker who successfully exploited this vulnerability could take complete control of an affected system.
SOLUTION: Download and install updates indicated in the Microsoft Bulletin.
CERT Vulnerabilities
Vulnerabilities reported, 1995-1999:
• 1995: 171
• 1996: 345
• 1997: 311
• 1998: 262
• 1999: 417
Vulnerabilities reported, 2000-2005:
• 2000: 1,090
• 2001: 2,437
• 2002: 4,129
• 2003: 3,784
• 2004: 3,780
• 2005: 5,990
Total vulnerabilities reported (1995-2005): 22,716
Corporate Security Solutions and Policies
• Education on protecting computer assets and data assets
• Policies on acceptable use of computer equipment and corporate data
• Policies on remote access
• Policies on information protection
• Policies on perimeter security
• Policies on host/device security
• Policies on user accounts and passwords
Corporate policies aim to be flexible enough to balance the level of productivity and openness against the level of security control. If policies are too restrictive, people either find ways to circumvent them or won't enforce them.
Corporate Solution: ID Security
• Automated enforcement of ID and password policies
• Three failed attempts at logging into the corporate domain lock out the ID. The lockout resets automatically after 15 minutes, with a maximum of three automatic resets; after that, the user is required to call Help Desk Support.
• Domain and system passwords must be changed monthly. They must be more than 6 characters long and consist of at least one number, mixed-case letters and at least one symbol or special character.
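As an added illustration (not Verizon's or the deck's own code), here is a small Python model of the password rule and the lockout cycle stated on this slide; the thresholds are the slide's, while the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional
import string
# Thresholds from the slide (constructed model, not Verizon's actual code).
MAX_FAILURES = 3        # failed logins before the ID is locked out
RESET_AFTER = 15 * 60   # seconds until the lockout resets automatically
MAX_AUTO_RESETS = 3     # beyond this, only Help Desk Support can unlock

def password_is_compliant(pw: str) -> bool:
    """More than 6 characters, at least 1 number, mixed case, at least 1 symbol."""
    return (len(pw) > 6
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))

@dataclass
class DomainAccount:
    failures: int = 0                     # failed attempts since the last reset
    locked_at: Optional[float] = None     # time of the current lockout, if any
    auto_resets: int = 0                  # automatic resets consumed so far
    needs_helpdesk: bool = False          # True once automatic resets are exhausted

    def _auto_reset(self, now: float) -> None:
        # A lockout clears itself after RESET_AFTER and uses up one automatic reset.
        if self.locked_at is not None and now - self.locked_at >= RESET_AFTER:
            self.locked_at, self.failures = None, 0
            self.auto_resets += 1

    def is_locked(self, now: float) -> bool:
        self._auto_reset(now)
        return self.needs_helpdesk or self.locked_at is not None

    def record_failure(self, now: float) -> str:
        """Apply one failed login attempt; returns 'ok', 'locked' or 'helpdesk'."""
        if self.is_locked(now):
            return "helpdesk" if self.needs_helpdesk else "locked"
        self.failures += 1
        if self.failures < MAX_FAILURES:
            return "ok"
        if self.auto_resets >= MAX_AUTO_RESETS:   # automatic resets exhausted
            self.needs_helpdesk = True
            return "helpdesk"
        self.locked_at = now
        return "locked"

    def helpdesk_unlock(self) -> None:
        # Help Desk Support clears the lockout and the automatic-reset count.
        self.failures, self.locked_at = 0, None
        self.auto_resets, self.needs_helpdesk = 0, False
```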
Corporate Solution: the Internet
• Proxy servers monitoring activity and controlling traffic between the corporate network and the Internet
• Use of firewalls and NAT between the corporate network and the Internet
• Operating system policies on Windows XP enforcing restrictions on access to certain Internet sites and on certain browsing functions like file sharing and video/music streaming
• Operating system policies withholding administrator rights on corporate desktops from daily users
• Port restrictions enforced on desktop applications
Corporate Solution: Patch Management
• SANS Top 20 compliance
• CERT and internal CIRT alerts for vulnerability awareness
• Centralized automatic software distribution system: Marimba SWD
• VSA (Verizon Security Agent) on each desktop, laptop and corporate-connected PC
Corporate Solution: Spyware, Viruses, Popups
• Symantec AntiVirus
• Lavasoft Ad-Aware
• Microsoft Security Update Scanner services
Encryption
Computers use cryptography to scramble ordinary text into ciphertext (encryption). It provides:
• Confidentiality: only the intended receiver can read the information
• Integrity: the information cannot be altered in storage or in transit between sender and intended receiver
• Non-repudiation: the sender of information cannot, at a later stage, deny having created or transmitted it
• Authentication: the sender and receiver can confirm each other's identity and the origin/destination of the information
Symmetric Key Encryption
The sender and receiver of a message share a single key to encrypt and decrypt the message.
Private Key Encryption
The sender and receiver use a single secret key that is known only to the two people who exchange messages. The risk is that if the private key is lost, the data is essentially lost too, because it cannot be decrypted.
Public Key Encryption
A public key is used by the sender and a private key is used by the receiver. A digital signature is used to ensure that the original content of the message has not been modified. To decode the message, the receiver must use both the public key and its own private key. Public key encryption also relies on a hash algorithm (for the digital signature). Public keys using 128-bit numbers have 2^128 possible combinations, making them extremely difficult to crack.
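Added example, not from the deck: a toy textbook RSA exchange in Python that puts the slide's pieces together (the sender encrypts with the receiver's public key, the receiver decrypts with its own private key, and a hash-based digital signature checked with the sender's public key catches modification). The tiny primes and the names Alice and Bob are constructed for illustration only.

```python
import hashlib

# Toy textbook RSA with tiny constructed primes, to show the key roles only.
# Real systems use ~2048-bit keys, padding (OAEP/PSS) and a symmetric cipher
# for the bulk data.
def keypair(p: int, q: int, e: int = 17):
    """Return ((n, e) public key, (n, d) private key) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def digest(msg: bytes, n: int) -> int:
    """The slide's hash algorithm: SHA-256 of the message, reduced mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def send(msg: bytes, receiver_pub, sender_priv):
    """Sender: encrypt with the receiver's public key, sign with own private key."""
    n_r, e_r = receiver_pub
    n_s, d_s = sender_priv
    ciphertext = [pow(b, e_r, n_r) for b in msg]    # one RSA block per byte (toy)
    signature = pow(digest(msg, n_s), d_s, n_s)      # only the sender's d can make this
    return ciphertext, signature

def receive(ciphertext, signature, receiver_priv, sender_pub):
    """Receiver: decrypt with own private key, verify with the sender's public key."""
    n_r, d_r = receiver_priv
    n_s, e_s = sender_pub
    msg = bytes(pow(c, d_r, n_r) & 0xFF for c in ciphertext)  # mask keeps garbage in byte range
    intact = pow(signature, e_s, n_s) == digest(msg, n_s)    # integrity + authentication
    return msg, intact

# Constructed demo key pairs: Alice is the sender, Bob the receiver.
ALICE_PUB, ALICE_PRIV = keypair(101, 113)
BOB_PUB, BOB_PRIV = keypair(61, 53)

def roundtrip(msg: bytes, tamper: bool = False):
    """Send msg from Alice to Bob; optionally swap two ciphertext blocks in transit."""
    ct, sig = send(msg, BOB_PUB, ALICE_PRIV)
    if tamper:
        ct[0], ct[1] = ct[1], ct[0]
    return receive(ct, sig, BOB_PRIV, ALICE_PUB)
```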
Virtual Private Networks (VPNs)
• A VPN is a private data network that runs through a public telecommunications network or the Internet.
• Privacy is maintained through the use of a tunneling protocol. The VPN uses a private tunnel, or pathway, through the Internet and into the private corporate network.
• Data is encrypted before it is passed between VPN sites to protect against eavesdropping and tampering with data by hackers and unauthorized personnel.
VPN Equipment
• Security gateways
• Security policy servers
• Certificate Authority servers
• Router
• Firewall, or
• A multi-function device combining these in a router
VPN Protocols
VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network.
• Carrier protocol: the protocol used by the network that the information is traveling over
• Encapsulating protocol: the protocol (PPTP, L2F, L2TP, IPSec, GRE) that is wrapped around the original data
• Passenger protocol: the original data (IPX, NetBEUI, IP) being carried
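Added example, not from the deck: Python that builds and unwraps a GRE tunnel packet to make the three layers concrete, with IPv4 as both the carrier and the passenger protocol and GRE (one of the slide's encapsulating protocols) in between. The addresses and the payload are constructed, and the tunnel exit checks the carrier header before handing the passenger packet on.

```python
import struct
import ipaddress

GRE_PROTO = 47           # IP protocol number carried in the outer (carrier) header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type announcing an IPv4 passenger

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with its checksum filled in."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]

def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: carrier IPv4 header + 4-byte GRE header (no options) + passenger."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    carrier = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(passenger))
    return carrier + gre + passenger

def gre_decapsulate(frame: bytes) -> bytes:
    """Tunnel exit: validate carrier and GRE headers, hand back the passenger packet."""
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("carrier header checksum mismatch")
    if frame[9] != GRE_PROTO:
        raise ValueError("carrier payload is not GRE")
    flags, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    if flags & 0xB000:                 # C, K or S bit set: optional fields not parsed here
        raise ValueError("GRE checksum/key/sequence fields not supported here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return frame[ihl + 4:]

def demo():
    """Constructed packet 10.1.1.5 -> 10.2.2.9 (proto 6) tunnelled between two gateways."""
    tcp_stub = b"\x00" * 20     # constructed placeholder segment, not a real TCP header
    passenger = ipv4_header("10.1.1.5", "10.2.2.9", 6, len(tcp_stub)) + tcp_stub
    frame = gre_encapsulate(passenger, "203.0.113.1", "198.51.100.2")
    return passenger, frame, gre_decapsulate(frame)
```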
VPN: Remote Users
20,000 Verizon corporate users are part-time or full-time remote users. We utilize VPN for security and transparency.
VPN: Remote Users
RSA SecurID card with Nortel VPN Client software
• Six-digit dynamic
• Two-digit unique
Advantages of a Well-Designed VPN
• Extend geographic connectivity
• Improve security
• Reduce operational costs versus a traditional WAN
• Reduce transit time and transportation costs for remote users
• Improve productivity
• Simplify network topology
• Provide global networking opportunities
• Provide telecommuter support
• Provide broadband networking compatibility
• Provide faster ROI (return on investment) than a traditional WAN
Resources and References
• Wide Area Networks (Carol Trivedi)
• www.sans.org (SysAdmin, Audit, Network, Security)
• www.cert.org (CERT Coordination Center)
• www.spam.abuse.net (sponsored by Barracuda Networks)
• www.cisco.com (Cisco Corporation)
• www.rsasecurity.com (RSA Security)
• www.symantec.com (Symantec Corp)
• Verizon Information Technology
• Verizon Enterprise Solutions (Verizon Communications)