bill’s blog

Setting up a VPN (or Virtual Private Networking) does not have to be difficult. In fact using Apple’s OSX, it can be down right easy.  VPNs should never be taken lightly. IT is the door to your protected network. If they’re not set up correctly it could leave you and your network assets at risk. There are two main types of VPNs that on can implement on OSX server, PPTP and L2TP. There are pluses and minuses to each and depending on how you/what you’re looking to support will determine which implementation you will use. It’s interesting to note that neither of the two mentioned VPN protocols provide encryption. They are considered tunneling protocols and thus need to rely on other methods to provide the encryption.

PPTP – Is the older of the two most popular tunneling protocols. It relies on either on either MSCHAP-v2 or EAP-TLS for authentication. Additionally, Apple has built in support for both Kerberos authentication and RADIUS. PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt the data that passes through the tunnel. Originally MPPE was only offered with support for a 40bit key. It was later expanded to a 128bit key!

L2TP – Is the newer comer, its latest version (RFC 3931) having been published in 2005. L2TPv3 makes use of IPSec for securing the connection. This is preformed through the use of pre-shared secrets, symmetrical keys or digital certificates. As with any secure connection the hardest part of maintaining the SA is the managing of the keys used. However, once the first connection is made and security confirmed. The passing of pre-shared secrets, keys or digital certificates becomes trivial.

NOTE: It should be noted that that PPTP and L2TP are not the only players in the VPN game. There is two other methods as well, PPP Over SSL and PPP Over SSH.

Configuring your server

Open Server Admin and select the host you wish to administer. Select VPN and click save.

Figure 1. Services Activation Pane

Turn down the triangle to reveal the VPN configuration pane.

Configuring L2TP Settings

It is as this point that you can decide which tunneling protocol you’re going to support. Setting up the server is pretty simple. Select the check box to enable L2TP. You need to allocate an IP range (remember this is still a point to point connection). Under PPP Authentication select if you want to use the built-in Directory Service plug-ins for user ID and password lookups (you can also chose between MS-CHAPv2 or Kerberos) or point the VPN service to look at a RADIUS server for authentication lookups. Lastly, you need to specify whether you want to use a pre-Share secret or a digital certificate for IPSec Authentication.

Figure 2. L2TP Configuration Pane

Configuring PPTP Settings

If you need to support older VPN clients PPTP may be a better choice for you. Many experts still contend the PPTP is vulnerable to compromise but with anything else strong passwords make for strong security. Depending on the client that you need to support you may need to allow 40bit encryption keys. This should be avoided if at all possible as 40 bit keys are easily cracked.

Figure 3. PPTP Configuration Pane

Configuring Client Information Settings

Lastly, you need to “tell” your clients about the network they have just connected to. This could be done on the client side, and may be desirable is some situations. In a lot of ways this is very similar to setting up a DHCP server.

NOTE: If you are running DHCP on the same subnet, make sure that the allocated IP address ranges do not conflict!

Figure 4. Client Information Settings

NOTE: If no information is added to Network Routing Definitions all traffic is routed through the VPN connection. This may not always be desirable. If bandwidth is a concern, define a network that is private and force all non-private traffic over the client’s Internet connection.

Ports on your Firewall

One thing you must make sure to perform before your VPN will work is to open the required ports on your firewall. Both protocols make use of different ports can it can be confusing which ports are actually needed. Not just on the host (if you’re running IPFW on the host) but on the network perimeter. So what ports are used?

500       UDP      ISAKMP/IKE
1701      UDP      L2TP
1723      TCP      PPTP
4500      UDP      IKE NAT Traversal *

* NOTE: Port 4500 is also used for Back to My Mac (MobileMe, Mac OS X 10.5 or later)

In Mac OSX Server 10.3 the VPN service uses the following:

1.    PPTP uses the IP-GRE protocol (IP protocol 47).
2.    L2TP/IPsec uses the IP-ESP protocol (IP protocol 50, ESP).

Resources:
http://manuals.info.apple.com/en_US/Network_Services_Admin_v10.5.pdf
http://support.apple.com/kb/TS1629

Squid is a popular open-source proxy server. Squid is based on the Harvest Cache Daemon developed in the early 1990’s. It was one of two forks from the code-base after the Harvest project ran to completion (squid-cache.org, 2009). The other fork became Netapp’s Netcache. In most organizations it is configured to perform multiple tasks. Squid is a very complex binary. Its configuration file is nearly 3564 lines long. The configuration is well documented making configuration easier to understand. Let’s explore some…

Blocking URLs

It is very common for organizations to want to block whole domains not considered to be in keeping with corporate work policies; examples being youtube.com, myspace.com, facebook.com. Controlling which domains are restricted from within SQUID is done through the use of the ‘http_access’ directive. The directive has two flags. Entries take the form of:

http_access allow|deny aclname

The ACL name directive takes the form of:

acl aclname acltype string1

The next thing we need to discuss is the acltype. This is used to determine where the traffic is coming from OR going to. Some common examples being:

src	source ip-address	(192.168.0.1 or 192.168.0.0/24)
dst	destination ip-address	(192.168.0.1 or 192.168.0.0/24)
myip	ip-address	(single IP address)
arp	mac-address	(00:01:23:45:67:89)
srcdomain	source domain name	.foo.com
dstdomain	destination domain name	.foo.com

Additionally, regular expressions can be used to determine source or destination address or name.

So lets put this into practical use. An organization is looking to block all-content from the above mentioned domains. One could apply the following directive:

acl denied_domains dstdomain .youtube.com .myspace.com .facebook.com
http_access deny denied_domains

Content Filter

Sometimes we’re not sure where undesirable content is coming from, so blocking content based domain doesn’t work. For this we need to block the content based on what the organization feels is inappropriate, examples pornography, firearms, drugs, and hacker sites. In this case there are two different types of content that we may want to block. One is actual file types such as MP3, MPEG, AVI, EXE, etc. The other is actual content contained within the html. Let’s take a look at blocking file types.

We already have a mechanism that will prevent content from being passed to the browser… http_access deny aclname. This time we want squid to look outside of the conf file for its configuration. The reason for this is that the list of files we may want to block can become very long. As a side note, this technique can be used by any directive that could grow very long (such as a listing of blocked domains).

acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
http_access deny blockfiles

Now let’s take a look at the contents of /etc/squid/blocks.files.acl.

Last login: Sat Jan 31 16:49:23 on ttys000
endeavour:~ bheese$
\.[Mm][Pp]3$
\.[Mm][Pp][Ee][Gg]$
\.[Aa][Vv][Ii]$
\.[Ee][Xx][Ee]$

NOTE: The urlpath_regex directive is case sensitive that’s why we use upper and lower case letters to spell out the extension we are looking to block. Additionally, the urlpath_regex will only look for a matching pattern after the protocol and hostname in the URL string.

Actual content filtering is done through various methods. The first is squidguard. Squidguard relies on a very large list of sites that contain inappropriate content. While the list is comprehensive… it is still a list and content can get through your proxy out to general population. The nice thing about squid is its ability to interface with of applications/plug-ins. Danguardian is a true web content filter. It filters using multiple methods. These methods include URL and domain filtering, content phrase filtering, PICS filtering, MIME filtering, file extension filtering, POST limiting (dansguardian.org, 2005). A discussion on Dansguardian is outside the score to this article.

Provide user authentication

With this feature an organization can block individuals from actually getting to the web. There are a number of different methods that can allow a user to log into your proxy server. If your organization is small it might be easier just to create a file with user IDs and password. This is done in exactly the same way as apache (or NCSA authentication) using the htpasswd command. At this point one would then need to modify your squid.conf file to read:

authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd

This line tells squid to use NCSA authentication and that the list of users and password can be found at /usr/local/squid/etc/passwd. Once again you’ll need to set up the ACL and directive:

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

NOTE: This is the first time we’ve used http_access allow flag. Additionally, it should be noted that all users will be prompted for user IDs and passwords. You may want to set up other ACLs that deny users not on your local subnet. This will keep those users from ever getting to the credential fields.

Password files has it downside though. It doesn’t scale very well and one must remember to constantly update the file. In today’s world, user IDs and passwords can and do get compromised all the time and cannot be counted on as being safe. SO, how do we scale squid? Squid has a few options that can be built into its authentication model. SMB with smb_auth can be used BUT you need to have a working SAMBA installation. You could use squid_radius_auth to tie into a RADIUS installation. BUT my favorite is pam_auth. With this installed you can use any back-end authentication model you wish (that is any that can be tied in with PAM). This allows for a wide variety of options including LDAP and Apple’s OpenDirectory. A great how-to can be found at:

http://www.afp548.com/article.php?story=20040903184124948

Squid is a very solid choice for a proxy server… A little time spent learning the syntax of the config file and you’ll be up and protecting your network in short order.

Resources:

Unknown, (2009, January 22), squid: Optimizing Web Delivery, Retrieved on January 31, 2009 from http://www.squid-cache.org/Intro/

Unknown, (2005, December 8), DansGuardian – True Web Content Filtering for All, Retrieved on February 1, 2009 from http://dansguardian.org/?page=introduction

CIA

There are many things in daily life that depend on something to work. A car needs gas. A light bulb needs electricity. And we all need air to breathe. Computers can be simple like a calculator or more complex like the Cray super-computer. Most of our computing needs usually fall somewhere between the two. Most of us rely on the Internet on a daily basis, whether it is for checking the latest sports scores or researching term papers. What most people don’t think about is what’s involved with protecting the resources out on the Internet.

In computing terms CIA stands for:

Confidentiality
Integrity
Availability

These three things make up the basic stepping-stones when it comes to securing data stored on a shared resource (of which the Internet is). Without these three things the Internet would be useless. Let’s take a look for example at an online banking operation. How do these three objects relate to its operation?

Confidentiality is about making sure data is only accessed by individuals that have been granted permission to access it. (Keeping data Private). In the online banking scenario, many banks (and other security minded websites) provide an image that is displayed after you enter your user ID. This image is selected by you when setting up you online account. If you don’t see your image then you might think twice about entering your password. Many phishers are adept at making their sites look authentic. Underpinning the goal of confidentiality are authentication methods like user-IDs and passwords; that uniquely identify a data system’s users (Miami.edu, 2006). Ultimately, one needs to insure that not only are you providing the right credentials to access the data but that the resource is actually ‘who’ you think it is!

One other area that needs to be examined with regard to confidentiality is the use of secure transmissions. HTTP transmits data in clear text. This is problematic in two areas:

1. Passing of your credentials in the clear. This is especially troublesome as any one that can sniff the network could grab those credentials and use it to manipulate your funds.
2. In terms of privacy, if encryption is not used during the transfer of data anyone sniffing the network can look into your private records. Again this is something that is not desirable.

SSL goes a long way to providing this security. SSL (or Secure Socket Layer) enables the data that you pass between the bank and your browser to be encrypted.

It terms of Integrity, this is making sure that the data remains intact and changes to the data can only be made by authorized personnel. There is the notion that an asset should be trusted; that is, there is an expectation that an asset will only be modified in appropriate ways by appropriate people (purdue.edu, 2004). Data is only useful if it can be relied upon as accurate. System administrators need to insure that the data has not been tampered with. Accidental or intentional manipulate of data is a very bad thing. This is where things such as ACLs (or Access Control Lists) and other permission models come into play. ACLs can be used to control access to file-systems or more importantly databases.

In addition to who has access to the data one needs to check that the data that is being captured is accurate. Error checking must be an intracle part of data entry (garbage in… garbage out). Without this functionality, one could easily see a situation where an online banking user could pay a bill with funds that they don’t have (or vice versa… they want to pay a bill and the bank’s data is not currently reflecting yesterday’s deposit). There is another aspect on integrity that needs to be discussed and that is the validity of the data should something actually happen to it. Accidents happen, whether on purpose or not. Ultimately, what is of utmost importance is that the data can be restored back to its trusted state.

Availability is making sure that the data remains accessible. Data is no good if you can’t get at it. This is the first thing that network/system administrators learn. Your servers need to stay up all the time. In the banking industry, because this data needs to be accessed whenever the customer needs access, system administrators need to this in terms of high availability. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades (Wikipedia.org, 2009). In today’s fast paced world of Internet banking, banks without this would soon find that if its customers were unable to get to their money, they would be without customers.

Computer/network security is a moving target. Vectors of attack change on a daily basis. One can only plan their defenses based on the known. What information do we have today? However, using the above-mentioned criteria, network administrators can apply what is known about attacks, and how valuable their data is to properly plan defenses for the future.

Resources:

Purdue University (2004, Feb. 23), RASC: Confidentiality, Integrity and Availability (CIA), retrieved on January 19, 2009 from www.itap.purdue.edu/security/files/documents/RASCCIAv13.pdf

Unknown, (2006, April 24), Confidentiality, Integrity, Availability (CIA), retrieved on January 19, 2009 from http://privacy.med.miami.edu/glossary/xd_confidentiality_integrity_availability.htm

Various, (2009, January 20), Information security, retrieved on January 19, 2009 from, http://en.wikipedia.org/wiki/Information_security#Integrity