bill’s blog

Today, more and more people are using the Internet to conduct business transactions. One thing that is for certain, the Internet is not a private place.

Nefarious individuals can easily read email messages that are sent over the Internet. Additionally, it’s not hard to send an email as someone else and if the receiver of the email is not careful they will assume that it came from the individual whose email address was just spoofed. A second area of concern is the increase of e-commerce web sites. More and more businesses are aware of the consumer spending that happens on the Internet and are setting up websites to cash in on this spending. Any miscreant can set-up a website and abuse consumer trust. How is a consumer to know that they are actually dealing with whom they think they are buying from? Additionally, there is the credit card transaction that is needed for the payment of goods. Most web traffic is sent via clear text. How is my credit card information protected?

Caveat emptor? So how do we safeguard this information? Digital certificates!

Digital certificates ensure three things, one that the entity is really who they say they are, two that the message is kept private through the use of encryption and three that the message has not been tampered with. Digital certificates make use of asymmetrical keys. The security afforded by asymmetric cryptosystems depends on mathematical problems that are difficult to solve, such as factoring large integers into primes (Mactaggart, 2001). Asymmetrical encryption includes a private key and a public key. They are used for the encryption process and they serve a few different roles. First the public key is used to encrypt data that only the corresponding private key can only be decrypted. This process secures the information that is put out on the wire. The private key is used to encrypt data that the owner of the key wishes to share. This process vouches that the information is truly from the individual that sent it. It is for this reason that the appropriate safeguards are put into place to secure the private key. The next thing that is part of a digital certificate is the entity’s information. Entity is used because the information can be an individual, organization or a computer. This is the information that tells the relationship between such things as the user’s name and their email address or a company’s name and where they’re located or a particular computer and it’s associated Fully Qualified Domain Name (FQDN). The last thing that is part of a digital certificate is a trusted third party endorsement. There are various different ways to do this. One of the most common is to use a well-known Certificate Authority (CA) such as Verisign. A CA issues Digital Certificates that contain public key and private key pairs. The CA also attests that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate (Various, 2007).

There are two common uses for digital certificates, one to secure web (or other network) transactions and two to confirm the identity of the entity your dealing with.

SSL or Secure Sockets Layer Certificates serve to combat the problems of sending sensitive data over the Internet. SSL provides your Web site’s users with the assurance of access to a valid, “non-spoofed” site, and it prevents data interception or tampering with sensitive information. Support for SSL is built into all major operating systems, web applications, and server hardware (verisign.com, 2005). This becomes particularly important when dealing with e-commence transaction. Most business transactions on the Internet contain some kind of sensitive information. In the real world things like credit card numbers, social security numbers, bank account numbers are often closely guarded and the individual controls access to this information. As mentioned above the Internet is not private and without encryption your private information can be easily read.

SSL connections make use of both asymmetrical and symmetrical encryption. The first thing that happens in an SSL connection is the client computer makes a network connection with a server that is using SSL certificates. This happens on various different ports depending on which protocol (WEB, POP, SMTP, etc) is being used. The server then passes the client computer its public key. At this step the client needs to determine whether or not to accept this public key. There are various methods to check the validity of the key. It can check that the public key and the server’s FQDM match. It checks to make sure that the key has not been revoke or is expired. It checks the endorsement or issuer of the key and verifies them as a trusted party. Once the trust is established, the client will create a session key. The client takes that key and encrypts it with the server’s public key. It then encrypts that with it’s (the client’s) private key. This is done so that the server knows that the encrypted session key is really coming from the client. The server decrypts the session key and uses the session key to encrypt all data thereafter. The session key is an example of symmetrical encryption, both sides are using the same key to encrypt and decrypt the information.

The use of Digital IDs is designed to combat the misuse of email systems and to assure the email’s recipient that the email is truly from the sender. A Digital ID makes it possible to verify someone’s claim that they have the right to use a given key, helping to prevent people from using phony keys to impersonate other users (nrc.gov, 2000). Digital IDs make use of public/private keys. All for public/private key encryption depends on trust and making sure that the keys are real.

Digital ID’s work by hashing the text message you want to send. The hashed message creates what’s called a Message Digest or MD. The MD is then encrypted with the sender’s private key. This creates what is called a Digital Signature for that message. The recipient of the message then decrypts the digital signature using the sender’s public key. The recipient must also hash the text message to get an MD. The unencrypted MD is compared to the MD that the recipient created and if the two match then the message is known to have come from the sender. The use of Public/Private keys relies of the proper protection of the private key. It is assumed that proper measures have been put into place to protect the private key and that only the owner of the private key has access to it.

So how do we know that the keys we are dealing with are valid and trusted? There are two different ways this is done. One is with the use of PKIs or public key infrastructure systems. A PKI contains the certificate storage facilities of a certificate server, but also provides certificate management facilitates (the ability to issue, revoke, store, retrieve, and trust certificates) (pgpi.org, 1999). Examples of well-known PKIs are Commercial CAs such as Verisign or Geotrust. These organizations are trusted because they perform the due diligence to ensure that the certificate that they issue is indeed being given to the rightful owner. The other way is through a Web of Trust. The WOT is a trust model adapted from the original PGP (Pretty Good Privacy) Web of Trust, whereby people certify one another in order to establish a level of trust among people who have never met (thawte.com, 2004). The WOT relies on other individuals to endorse or verify the validity of other members credentials. With this system you trust a much bigger group.

References

Mactaggart, Murdoch, (2001, March 1). Introduction to cryptography, Part 3: Asymmetric cryptography, Retrieved March 7th from http://www-128.ibm.com/developerworks/library/s-crypt03.html

Unknown, (1999). How PGP Works, Retrieved March 9th from http://www.pgpi.org/doc/pgpintro/#p14

Unknown, (2000). NRC- Introduction to Authentication, Retrieved March 11th from http://www.nrc.gov/site-help/e-submittals/faqs/intro-auth.html

Unknown, (2004, July 14). Protect your E-Mail and Join the thawte Web of Trust, Retrieved March 8th from http://www.thawte.com/wot/index.html

Unknown, (2005, May 24). What Every E-Business Should Know about
SSL Security and Consumer Trust, Retrieved March 8th from http://www.verisign.com/static/017444.pdf

Various, (2007, March 6). Certificate authority, Retrieved March 11th from http://en.wikipedia.org/wiki/Certificate_Authority

DNS cache poisoning is a technique that tricks a DNS server into believing it has received authentic information when, in reality, it has not. Soto understand the effect this has… Think about how many time you use google.com in a given day. Let’s say that the DNS server that provides resolution for you has been compromised so that anytime you use google.com it point your machine to evil-google.com. The site acts just like the real thing except that when you do a look up for an online banking site, it redirects you to evil-banking website. One can see how this would be a problem. To exasperate the problem, DNS information is usually cached based on the records TTL. Depending on how long the TTL is, you could be directed to these evil sites for quite some time.
So what to do if you feel that you’re dealing with bad cached data?

To flush the DNS cache on a Linux box:

Start a terminal session and type /etc/rc.d/init.d/nscd restart

To flush the DNS cache on a Microsoft Windows machine:

Open the Command Prompt and type ipconfig /flushdns

I think that the best part about the Code Red Worm was that the major effects could have been avoided. The Code Red Worm took advantage of a known vulnerability with IIS. The icing on the cake is that a patch that could have prevented the problem was released a month earlier. Many IT sys-admins never bothered to update their machine. One could say that the Code Red Worm is still costing companies money. Eager sys-admins are determined never to let this type of thing happen to them again. They wait for Patch Tuesday to arrive, throw patches at vulnerable machines, only to find the broken pieces that we need to fix Wednesday morning because proper testing was performed in the RUSH to prevent disaster! Checking through one’s error logs still form time to time reveal that this worm is still out there trying to exploit un-patched machines

VPN or Virtual Private Networks provide for the secure transfer of data over insecure networks such as the Internet. VPNs can provide for this by setting up encrypted tunnels using various different encryption algorithms. Using L2TP and PPTP tunneling protocols, the VPN server supports encrypted, authenticated IP connections for Mac, Windows and Linux clients, as well as site-to-site VPN using IP tunneling with IPSec encryption (apple.com, 2007). VPNs are most often used for two specific purposes:

1.To allow site to site communications through encrypted tunnels
2.To allow remote user access to protected networks from insecure networks

Additionally, because VPNs are gateways to protected networks they are often set-up as or used in conjuncture with a Firewall. Firewalls deny or allow certain types of network traffic to pass onto the protected network based on administrator define rules.

Challenges/Decisions in setting up a VPN:

Properly implementing a VPN takes some advanced planning. Picking the right solution is not a trivial matter. Often determining the right solution is based on ease of use, economics, or a specific requirement. VPNs can be either software based or dedicated hardware solutions. Let explore the two.

Software based: Linux-based VPN & IPFW – It is often much cheaper to install than dedicated hardware based solutions however; the learning curve is much higher. Knowledge of how to set up VPNs, NAT, IPFW and the OS itself is required and while the hardware and OS may be cheap, user education is not. Much greater care in needed to configure your devices. However, once configured correctly it can be a much more versatile solution. This solution requires a computer with two NIC cards, and much greater care must be given to configuring the computer.

Hardware based: Sonicwall – Designed from the bottom up with VPNs in mind. Very often hardware-based solutions are point and click. Which if the manufacturer didn’t think things through correctly can lead to insecure situations. The fact that they are dedicated solutions often means they are a lot less flexible. The feature sets cannot be modified until the manufacturer decides to implement requested features. The up side to dedicated solutions is they are designed for one purpose. Modern OS’s are a trade-off. They try to be all things for all users. With dedicated hardware the OS and IP stack is optimized for networking.

One other aspect to keep in mind is how other people will be accessing your VPN from remote locations. Passwords are very often the weakest link. Shoulder surfing and password guessing are often high on the list of ways passwords are compromised. The use of one-time passwords can be used to offset the above. Both CryptoCard and RSA SecureID offer solutions for one-time passwords however they required additional configuration.

Corporate Subnetting & NATs

NAT or Network Address Translation allows for the use of one public IP address to be shared by many internal computers. While this is somewhat simplified it basically means that a company with a large number of computers can hide behind the NAT server. NAT services were not originally designed with security in mind. The greatest benefit of NAT is that it is a practical solution to the impending exhaustion of IPv4 address space (en.wikipedia.org, 2007). The use of private IP addresses allows a network administrator to plan how a network will be laid out rather than being forced to deal with a limited number of IP addresses that an ISP may hand out. There are a number of benefits that NAT provides:

1.Allows for growth (can use any number of subnetted network schemes)
2.Ease of managing your own network (less routing tables to maintain)
3.Security through obscurity (many hosts are hidden behind one IP address)

IPFW – Firewall Policies/Rules

As mentioned earlier, VPNs are often used in conjuncture with a firewall. While the lines are often blurred between the two, they do offer much different services to the network administrator. To protect your network applications, the firewall service scans incoming IP packets and rejects or accepts them based on the set of filters you create (apple.com, 2007). Depending on how sophisticated the device is it will look at which port the packet is destined for, the actual content, and patterns of traffic. Deep packet inspection technology scans against multiple application types and protocols, ensuring your network is protected from both internal and external attacks and application vulnerabilities (sonicwall.com, 2007). Firewalls are devices that are configured to allow or deny traffic IP based traffic onto the network that you are trying to protect. Firewalls work both ways. They can be set to deny traffic out onto the Internet. They can also be set to deny traffic out to the Internet. Many administrators deny all traffic onto the protected network and then only allow certain traffic to enter.

References:

Unknown (2007). SonicWALL, Inc. – Network Protection, Retrieved March 5, 2007 from http://sonicwall.com/us/products/solutions/81.html

Unknown (2007). Apple – Mac OS X Server – Networking and VPN, Retrieved March 5, 2007 from http://www.apple.com/server/macosx/features/networkingvpn.html

Unknown (2007). Apple – Mac OS X Server – Apple – Mac OS X Server – Technical Specifications, Retrieved March 3, 2007 from http://www.apple.com/server/macosx/specs.html

Various (2007, February 26). Network address translation – Wikipedia, the free encyclopedia, Retrieved March 3, 2007 from http://en.wikipedia.org/wiki/Network_address_translation