Archives for IT security

F-Secure finds a new critical vulnerability in Intel's products #infosec

Finnish F-Secure has found yet another critical vulnerability in Intel's products. This vulnerability has nothing to do with the recently published #Meltdown and #Spectre; it lies in Intel Active Management Technology (AMT).

If an attacker has physical access to the computer, all security mechanisms such as antivirus and disk encryption can be bypassed, and the computer is completely unprotected against the attacker, who can then control it remotely, eavesdrop, copy data and so on.

According to F-Secure, the flaw is also surprisingly easy to exploit, and the consequences can be enormous, since this vulnerability may affect millions of laptops worldwide.

Read more below

https://www.msn.com/en-us/news/technology/finnish-firm-detects-new-intel-security-flaw/ar-AAuBsgI?ocid=News

Mitigation strategies for securing server environments

This is a good start for mitigation planning for various attack scenarios.

I did not compile this list myself; the original can be found here. I might add a few things here, but it is a very good start indeed. Well done.
https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm

This list is a very good starting point for planning for and preventing different types of attacks and for handling security aspects from different angles.

For help with questions like these, feel free to contact me here

backup / restore, Disaster Recovery, IT security, cloud services and Syspeace mitigation strategies

MITIGATION STRATEGIES

Mitigation strategies summary

Mitigation strategies to prevent malware delivery and execution

| Relative security effectiveness rating | Mitigation strategy | Potential user resistance | Upfront cost (staff, equipment, technical complexity) | Ongoing maintenance cost (mainly staff) |
|---|---|---|---|---|
| Essential | Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. | Medium | High | Medium |
| Essential | Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. | Low | High | High |
| Essential | Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. | Medium | Medium | Medium |
| Essential | User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. | Medium | Medium | Medium |
| Excellent | Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes. | Low | High | Medium |
| Excellent | Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. | Medium | Medium | Medium |
| Excellent | Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. | Medium | Medium | Medium |
| Excellent | Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections. | Medium | Medium | Low |
| Excellent | Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). | Low | Low | Low |
| Very good | Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high-availability) data. | Low | Medium | Medium |
| Very good | Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD. | Medium | Medium | Low |
| Very good | Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. | Low | Low | Low |
| Very good | Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices. | High | High | Medium |
| Very good | Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. | Low | Low | Low |
| Good | User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. | Medium | High | Medium |
| Limited | Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. | Low | Low | Low |
| Limited | TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. | Low | Low | Low |

Mitigation strategies to limit the extent of cyber security incidents

| Relative security effectiveness rating | Mitigation strategy | Potential user resistance | Upfront cost (staff, equipment, technical complexity) | Ongoing maintenance cost (mainly staff) |
|---|---|---|---|---|
| Essential | Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. | Medium | High | Medium |
| Essential | Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions. | Low | Medium | Medium |
| Essential | Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository. | Medium | High | Medium |
| Excellent | Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials. | Low | Medium | Low |
| Excellent | Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties. | Low | High | Medium |
| Excellent | Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases. | Medium | Medium | Low |
| Very good | Non-persistent virtualised sandboxed environment, denying access to important (sensitive or high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files. | Medium | Medium | Medium |
| Very good | Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic. | Low | Medium | Medium |
| Very good | Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. | Medium | Medium | Medium |
| Very good | Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. | Medium | Medium | Medium |

Mitigation strategies to detect cyber security incidents and respond

| Relative security effectiveness rating | Mitigation strategy | Potential user resistance | Upfront cost (staff, equipment, technical complexity) | Ongoing maintenance cost (mainly staff) |
|---|---|---|---|---|
| Excellent | Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. | Low | Very high | Very high |
| Very good | Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. | Low | Medium | Medium |
| Very good | Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option. | Low | Medium | Medium |
| Very good | Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. | Low | Very high | Very high |
| Limited | Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. | Low | High | Medium |
| Limited | Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. | Low | High | Medium |

Mitigation strategies to recover data and system availability

| Relative security effectiveness rating | Mitigation strategy | Potential user resistance | Upfront cost (staff, equipment, technical complexity) | Ongoing maintenance cost (mainly staff) |
|---|---|---|---|---|
| Essential | Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. | Low | High | High |
| Very good | Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. | Low | High | Medium |
| Very good | System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. | Low | High | Medium |

Mitigation strategy specific to preventing malicious insiders

| Relative security effectiveness rating | Mitigation strategy | Potential user resistance | Upfront cost (staff, equipment, technical complexity) | Ongoing maintenance cost (mainly staff) |
|---|---|---|---|---|
| Very good | Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties. | High | High | High |
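The "Block spoofed emails" row above recommends publishing a hard-fail SPF record and a DMARC record for the organisation's domain. As an added example, not from the ASD table or any vendor, here is a small offline audit that checks the TXT record strings a domain publishes for exactly that posture. The records are constructed for placeholder domains; the SPF check goes slightly beyond the row by also counting DNS-lookup terms against the RFC 7208 limit of ten, which is a common way for an SPF record to silently stop working.

```python
"""Offline audit of SPF and DMARC TXT record strings.

Added example, not from the ASD table or any vendor: checks a domain's
published records for the posture the table recommends (hard-fail SPF and
a DMARC policy that acts on spoofed mail). Records below are constructed.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> list:
    """Return a list of findings for an SPF record (empty list = passes)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism/modifier name is everything before ':', '/' or '='
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier != "-":
        findings.append(f"'{all_qualifier}all' is a soft fail or weaker; use '-all'")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def audit_dmarc(record: str) -> list:
    """Return a list of findings for a DMARC record (empty list = passes)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'} does not act on spoofed mail; use quarantine or reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


# Constructed records for a placeholder domain: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ~all"
HARD_SPF = "v=spf1 mx ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
HARD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org"

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, audit_spf),
                           ("hard SPF", HARD_SPF, audit_spf),
                           ("weak DMARC", WEAK_DMARC, audit_dmarc),
                           ("hard DMARC", HARD_DMARC, audit_dmarc)):
        print(label, "->", fn(rec) or ["ok"])
```

In practice the record strings come from a TXT lookup of the domain and of `_dmarc.` plus the domain; the audit itself needs no network, so it can run in a configuration pipeline before a DNS change is published.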


For questions or help within these areas, please feel free to contact me here

Sad to see Cyberarms fail


consultant in backup, IT security, cloud services and disaster recovery plans for IT

Today, I had a look at the Cyberarms website since I of course like to see what’s going on out there. I liked some of their ideas and I did see potential in there.

To my surprise they have decided to quit developing Cyberarms and also to completely halt their operations apart from licensing renewals.

Their deficit is 250 000 euro, and of course it saddens me when any business venture fails.
It's never just a job for people in my line of work, and as a business owner I do know what the owners, the CEO and everyone else are going through. It's absolutely horrible, with sleepless nights, a feeling of failure and everything.
Developing a product and a piece of software, especially one built on a new kind of thinking in terms of security, and actually getting system administrators, CEOs, CTOs and so on to realize that it needs to be in place isn't easy, and it's very important to keep track of costs and to know that development is moving forward as expected.
It's not always a good thing to be among the first in your field, especially when trying to make it commercially. Having the right people, business plan and everything else is crucial.

Still, the need for good and stable brute force prevention software for Windows Servers is just as valid and important as ever, if not more so, considering all the private and public cloud solutions that are emerging. For instance, remember that Syspeace was born out of necessity from the cloud service rCloud Office at Red Cloud IT in Sweden.

Cyberarms will release their source code to customers with more than 250 licenses, so there is always the possibility that it will be developed further, but most likely only for in-house use at those customers and for their own needs.
Maintaining a piece of software and continuing to develop it when it was written by someone else can be very time consuming indeed, and as a developer you also need new ideas from the people who had the original idea.
Even though the person with the idea isn't the same one who actually writes the code, that person is still often the one with the vision and ideas for the next level and for what it should actually be.

For obvious reasons I am prone to using Syspeace but it still made me sad to see Cyberarms fail.

In the case of Cyberarms, one of the unfortunate miscalculations was that there was a free version that blocked x amount of attacks per day. The rest weren't blocked.
For some system administrators, that was enough (I don't really see why that would be enough; I mean, let's block these three attacks but let these other 50 keep going... but anyway), so Cyberarms basically gave away semi-full protection and thus did not sell the licenses needed to further develop the product and to keep up marketing, staff and so on.

This was also discussed in the Syspeace team as a possible way to reach out to new customers, but we decided to make it a fully functional trial instead, since we did see the risk that what happened to Cyberarms would happen to Syspeace too, i.e. people only using the free version and being content with the semi-full functionality.

So, as sad as I am to see them go, hopefully this might at least get more users and sysadmins to have a look at Syspeace for Windows Server protection, regardless of whether it's RDP, Citrix, SQL, Exchange OWA or more. If it's reachable, people will try to brute force it.
The problem is there, and now there's one less security software to choose from to protect against it.

Juha Jurvanen

How quickly new servers are found and targeted on the Internet

Just a short post on how quickly servers are found on the Internet and how quickly they are attacked with brute force and dictionary attacks.

On Tuesday morning (this week), a new server was installed for a new customer. The server became accessible to me on Tuesday afternoon.
On Wednesday I did my stuff on it (securing services, setting up backups and so on) and also installed Syspeace (which I always do, by the way, since in my opinion it should be part of every server's baseline security).

At 21:37 the first attack came knocking on the door.

This means that the server had not been accessible for more than 36 hours and was already being targeted by an attacker.

The IP address originated from the US this time, and I disregarded it since the email alert from Syspeace automatically showed me the username, DNS name and country of origin.
Not worth the trouble pursuing in this case. Probably just part of a botnet, but still, it's interesting to see how quickly it actually happens.

If you want to know whether you're being attacked, simply turn on logging on your server and have a look.

by Juha Jurvanen – JufCorp

A post on incident management processes when a possible security breach is reported

Here’s a blog entry on incident management.

At Red Cloud IT, there was an alert from the intrusion prevention system called Syspeace that made me aware that an IP address from an east European country was trying to log in to our systems.

Now, in all honesty, usually we let Syspeace automatically take care of these things when it’s an IP address from outside Sweden.
For instance we rarely follow up anything from countries such as Korea or China if we don’t immediately see that the IP address belongs to a Swedish company or the Swedish Government in which case we try to contact them and alert them of a possible security problem.

If it's one of our competitors we actually also alert them, as a professional courtesy, and this has happened quite a few times so far.

Syspeace saves everything in a local database so we can always go back and report incidents afterwards should we need to investigate something more thoroughly if the attack was from let’s say China or some other country we have no business in.

The thing that made us a bit more interested in this specific intrusion attempt was the DNS domain name reported by Syspeace, ***.*******.** (this is automatically reported in the email reports we get when an intrusion attempt is made, so it was very easy to see that this differed from the usual background noise on the Internet).

A quick look with a web browser pointed us to the homepage of the ******* Parliament, and this is where it started to get really interesting.

I followed up more on the IP address, and the attacking source address appears to be a Microsoft Exchange 2010 Server that handles the mail for the ******* Parliament.
As a service to the IT department handling their IT, I wanted to get in contact with them and point out that they may have been breached, hacked or infected with a virus causing these brute force attempts against our systems. I really don't believe they would have any interest in trying to hack us, so one of the three previous alternatives is more likely.

First I tried to get contact info from the http://***** site but with no luck.
Second, I called the Swedish organization DataInspektionen to see if they knew whom I could talk to but according to them this was a police matter.

I don't want to criticize any authority, but my general feeling is that if we go to the police, report this and they start working on it, it will probably take weeks or months before the information actually reaches the people who are most in need of it, meaning the IT staff at the ****** Parliament.

The reasons why I want them to know this is of course so they can correct it as soon as possible and find out what’s actually happened and do a larger investigation to determine whether any confidential information has been leaked from them.
After all, they are the ******* Parliament so I’d expect they’d want their information secured and I guess it’s also in their job description to keep track of these things.

When I couldn't find the contact info on the Parliament's home page and had decided not to get in touch with the Swedish Police, I came to think of the ****** Embassy in Sweden.

I “Googled” the ******* Embassy and came to a website called http://***** that actually didn't feel very official. It felt more like a travel agency, and after reading it more carefully I found a link stating that the Embassy web address had changed to http://*****/****/sweden. So, I went there and found an email address to use (****.***@***.**).

I sent an email with the following content.

==== Begin mail
Tue 5/7/2013 10:59

Subject: Hi. Possible security breach in your IT systems at ***.***.**.** (****.******.**) [*****]

Please do not disregard this email as SPAM or a hoax and you are more than welcome to contact me to verify this. My contact information is at the end of this email.

My name is Juha Jurvanen and I’m the CTO and partner of a Cloud Computing company in Sweden called Red Cloud IT

We have various security systems in place in order to protect our customers from intrusion attempts, and one of them, called Syspeace, gave us three different warnings about unauthorized intrusion attempts from a server or workstation that appears to belong to the ****** Parliament.
The reason for this email is to make you aware that you may have a server or workstation on the data network belonging to the Parliament, and I believe you will want to look into that since it is most likely infected with a virus that could potentially cause harm or eavesdrop on data traffic, and that would of course be a very serious matter.

Usually, we are under attack from various companies and countries such as Korea or China and we disregard them and simply block them automatically, but in this case I deemed it to be more serious since it could imply you have a security breach in your government's IT systems, and that is of course far more serious than a company being hacked.

Again: Please do not disregard this email as SPAM or a hoax and you are more than welcome to contact me to verify this. My contact information is at the end of this email.

We have all log files saved for future inquiries should you need them for investigation and we are happy to help you in any way we can since we know IT security is a very serious area.

The Red Cloud IT servers attacked so far are (I'm sure you can verify this by examining firewall logs in *******):

**** [DNS Name and IP address of the attacked server]
**** [DNS Name and IP address of the attacked server]
**** [DNS Name and IP address of the attacked server]

Here are the blocked attacks and email alerts from Syspeace

Syspeace Alert from ********, IP ***.***.**.** (****.******.**) [*****] blocked until 2013-05-07 11:03:00
Blocked address ***.***.**.** (****.******.**) [*****] 2013-05-07 11:03:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2013-05-07 09:02:46 *****administrator
2013-05-07 09:02:44 *****administrator
2013-05-07 09:02:42 *****administrator
2013-05-07 09:02:40 *****administrator
2013-05-07 09:02:38 *****administrator

Syspeace Alert from ********, IP ***.***.**.** (****.******.**) [*****] blocked until 2013-05-07 11:34:00
Blocked address ***.***.**.** (****.******.**) [*****] 2013-05-07 11:34:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2013-05-07 09:33:31 *****administrator
2013-05-07 09:33:29 *****administrator
2013-05-07 09:33:28 *****administrator
2013-05-07 09:33:25 *****administrator
2013-05-07 09:33:23 *****administrator

Syspeace Alert from *********, IP ***.***.**.** (****.******.**) [*****] blocked until 2013-05-07 12:28:00
Blocked address ***.***.**.** (****.******.**) [*****] 2013-05-07 12:28:00 Rule used (Winlogon):
Name: Catch All Login
Trigger window: 00:30:00
Occurrences: 5
Lockout time: 02:00:00
Previous observations of this IP address:
2013-05-07 10:27:18 ****administrator
2013-05-07 10:27:17 ****administrator
2013-05-07 10:01:58 ****administrator
2013-05-07 10:01:26 ****administrator
2013-05-07 10:01:23 ****administrator

Med Vänlig hälsning / Regards
Juha Jurvanen
Teknik- & Konsultchef / CTO CIO
Cloud Consultant
Delägare / Partner

* my contact info removed for SPAM reasons*

08-***** http://www.redcloud.se

VISITING ADDRESSES
Järnlundsvägen 31, 120 60 Årsta


This email originates from Red Cloud It AB (swedish company no: 556606-1833) www.redcloud.se. This email and any attachments may contain confidential/intellectual property/copyright information and is only for the use of the addressee(s). You are prohibited from copying, forwarding, disclosing, saving or otherwise using it in any way if you are not the addressee(s) or responsible for delivery. If you receive this email by mistake, please advise the sender and cancel it immediately. Red Cloud may monitor the content of emails within its network to ensure compliance with its policies and procedures. Any email is susceptible to alteration and its integrity cannot be assured. Red Cloud shall not be liable if the message is altered, modified, falsified, or even edited.

============= End of mail

After sending this I thought that I'd also give them a call to verify that it is not a hoax and that it is pretty much for real.
I gave them a phone call and got an answering machine that actually stated another (??) email address (**.*****@telia.com), so I sent the email above to that address as well. Sorry for the mix of English and Swedish, but when mailing them in Sweden, I thought Swedish would be appropriate.

===== Begin mail
Tue 5/7/2013 11:25

Hi.

I tried to reach you earlier by phone and left a message.

The email address you give on the answering machine is not the same as the one I emailed below (the one on your website), so I am emailing you at your @****.*** address as well.

Best regards / Juha Jurvanen www.redcloud.se *****@redcloud.se 08-55 11 8660

After this, it was simply the mail above, so it's basically a forward.

=== End mail

After this I started investigating even more in Syspeace Access Reports Section to see if this IP Address had tried to attack us earlier and, sure enough it had.

=== Begin mail
Tue 5/7/2013 12:02

A closer examination shows that it appears to be an Exchange 2010 server (a mail server, that is) that you reach when you go to that web address.
If it has been hacked, that could mean an outsider has access to all of the Parliament's mail, which ought to be regarded as serious.
It could also be a workstation “behind” it, so it doesn't have to be the server itself, but regardless, this is definitely an incident for the IT security department to look at.

I researched a bit more into how long it has been trying to log in to our systems, and it turns out it started yesterday evening. Here is a summary from one of the servers that was attacked, a report generated in Syspeace

FromIPAddress Date Success Origin Account Extra
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:14 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:15 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:15 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:15 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 01:15 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:24 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:24 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:24 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 04:25 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:03 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:03 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 07:04 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 09:33 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:27 No Windows ****administrator 10 – Remote interactive
***.***.**.** 2013-05-07 10:27 No Windows ****administrator 10 – Remote interactive

=== End mail
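The alerts quoted earlier in this post show the rule Syspeace applied (Catch All Login: trigger window 00:30:00, occurrences 5, lockout 02:00:00), and the report above lists the raw failed logons it was applied to. As an added example, not Syspeace's own code, the block below implements that sliding-window lockout rule over lines in the same layout as the report. The sample is constructed from the report's own timestamps, with the masked source address kept as a literal token; 203.0.113.7 is an assumed second source that stays below the threshold, included to show that the window is tracked per source.

```python
"""Sliding-window lockout rule over failed-logon report lines.

Added example (not Syspeace's own code): models the 'Catch All Login' rule
quoted in the post (5 occurrences within 00:30:00 -> 02:00:00 lockout) over
lines laid out like the Syspeace access report.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample modelled on the report in the post. The masked source
# address is kept as a literal token; 203.0.113.7 (RFC 5737 documentation
# range) is an assumed second source that stays below the threshold.
SAMPLE_REPORT = """\
FromIPAddress Date Success Origin Account Extra
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-06 21:47 No Windows ****administrator 10 - Remote interactive
203.0.113.7 2013-05-07 02:10 No Windows ****administrator 10 - Remote interactive
203.0.113.7 2013-05-07 02:11 No Windows ****administrator 10 - Remote interactive
203.0.113.7 2013-05-07 02:12 Yes Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-07 09:33 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-07 10:01 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-07 10:27 No Windows ****administrator 10 - Remote interactive
***.***.**.** 2013-05-07 10:27 No Windows ****administrator 10 - Remote interactive
"""


@dataclass
class Event:
    ip: str
    when: datetime
    failed: bool
    account: str


@dataclass
class Block:
    ip: str
    account: str
    observations: List[datetime]   # the failures that tripped the rule
    until: datetime                # end of the lockout


def parse_report(text: str) -> List[Event]:
    """Parse report rows; the header row and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 6 or fields[0] == "FromIPAddress":
            continue
        ip, date, time, success, _origin, account = fields[:6]
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        events.append(Event(ip, when, success == "No", account))
    return events


def evaluate(text: str, window=timedelta(minutes=30), occurrences=5,
             lockout=timedelta(hours=2)) -> List[Block]:
    """`occurrences` failures from one source inside `window` trigger a block
    lasting `lockout`; failures during a block are dropped, as the firewall
    rule would drop them."""
    recent = defaultdict(deque)        # per-source timestamps inside the window
    blocked_until = {}                 # per-source end of the current lockout
    blocks = []
    for ev in sorted(parse_report(text), key=lambda e: e.when):
        if not ev.failed:
            continue                   # only failed logons count
        if ev.when < blocked_until.get(ev.ip, ev.when):
            continue                   # still locked out
        q = recent[ev.ip]
        q.append(ev.when)
        while q and ev.when - q[0] > window:
            q.popleft()                # slide the window forward
        if len(q) >= occurrences:
            until = ev.when + lockout
            blocked_until[ev.ip] = until
            blocks.append(Block(ev.ip, ev.account, list(q), until))
            q.clear()                  # start counting afresh after the lockout
    return blocks


if __name__ == "__main__":
    for b in evaluate(SAMPLE_REPORT):
        print(f"{b.ip} ({b.account}) blocked until {b.until:%Y-%m-%d %H:%M} "
              f"after {len(b.observations)} failures, first at {b.observations[0]:%H:%M}")
```

Run against the sample, the second block is tripped by the three 10:01 failures plus two at 10:27, with the 09:33 failure already outside the 30-minute window; that is the same set of five observations the third Syspeace alert in the post reports. The 203.0.113.7 source never reaches five failures and is not blocked.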

That is basically all of the conversation so far with them, meaning I’ve got no acknowledgment from them so far that they have received this from me nor that they want more information if we have (log files and stuff).

The things that puzzle me in a scenario such as this, considering who they actually are (the Parliament of a country, after all), are: how long have they actually had this problem? How are their incident management routines set up? Shouldn't a possible data security breach be quite high up on the list of things to take care of?

We've actually had a few more tries even after I sent these emails and phoned their embassy, so obviously the problem hasn't been sorted out yet.

Now, this doesn’t have to mean that it is their mail server that’s been compromised; it could just as well mean that it’s a workstation on that network, using the IP address of the mail server as default gateway. It’s absolutely impossible for me to find out and it’s only possible to get this info on their side and examine firewall logs and so on.

The point is still that if any company or Government for that matter is alerted they have a possible security breach I would imagine that the routines would be

1. Verify the source of the alert (so it’s not an elaborate attempt to gain access to systems)
2. Start investigating of what has happened, fix the breach and secure relevant data
3. Alert the police and start finding the culprit

If there’s any more development in this, I’ll let you guys know

2013-05-08 I had a check and the attack has stopped. Unfortunately, this doesn't really tell me whether they actually acknowledged my alert or if it is simply that the compromised server or workstation was part of a botnet and has simply given up and moved along in some predefined brute-force list. I've still got no feedback from ******** (yep, I won't state the country here since I do want to visit it someday. It looks beautiful *grin*)

By Juha Jurvanen @ JufCorp

IE not displaying HTTPS sites – page cannot be found 404

Hi.

Not everything in my everyday life is about Syspeace, sometimes I also do consultancy stuff 🙂

Here's a weird thing about IE and certificate management that took me a while to figure out.

A customer of mine suddenly couldn't reach his webmail on his Lotus Domino server. They don't really use it very often, so he didn't really know when it stopped working.

After trying to reach the Lotus Domino webmail both from the internal LAN and from outside the firewall with IE... nope. Nothing happened.

We could see the “This is not a valid certificate” warning, but nothing happened when we clicked “Yes, we know we are cheapskates and it's a self-issued certificate”... ok, it doesn't actually say that, but you know what I mean. When trying to reach it from another IE installation, I just got “The page could not be reached”, like a network error.

Tried the old tricks with adding it to Trusted sites, decreasing security levels and so on.

I tried from Windows 7, Windows Server 2008, 2008 R2 and Vista with IE7, IE8, IE9 and so on.

I tried it with Google Chrome and... everything worked fine. Hmm, the plot thickens.

So, it's an Internet Explorer problem then (and also the built-in browser in at least the Samsung Galaxy SII), I reckoned. Checked all the settings, SSL, TLS and so on, and everything seemed fine. By the way, on the Galaxy SII there was a message about something like a bad POST header.

Then “it hit me... uhmm, like a two ton... heavy thing” (yes, that was a Queensrÿche reference from the album Empire for all you music lovers out there). What about the certificate on the Domino server? Didn't I read something about a security patch for Windows and certificates a while back?

Sure enough, after looking at the certificate (with Google Chrome: the upper left corner, click the certificate and check properties), the certificate was only a 512-bit one, which I think is the highest a Domino self-issued certificate can have.

So. Here’s the link to Microsoft about the issue and a few tips further down on what to do

http://technet.microsoft.com/en-us/security/advisory/2661254

Workarounds / solutions.

If it’s your own website: buy a valid, bona fide certificate (or at least re-issue one) with an RSA key of at least 1024 bits; there is no reason to use anything shorter than 2048 bits today. Or stop using HTTPS (no, please don’t. Once upon a time you wanted it to secure your communications; I’m sure there was a good reason for it, and surely nothing’s changed?)

If it’s not your own website, use Google Chrome or uninstall the Windows patch. I’d go for door number 1, use Google Chrome. Uninstalling the update weakens certificate checking for every site the machine talks to, not just the one with the weak key, and the proper fix is still to get the site owner to re-issue the certificate.

You could also lower the minimum key length in the Windows registry according to this KB (which has the same drawback as uninstalling: it lowers the bar for every certificate that machine validates):

http://support.microsoft.com/kb/2661254
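If you want to check a server before touching the client, the script below (an added example, not from the original post) connects to a TLS server from PowerShell, reads the certificate without trusting it, and reports the RSA key length and whether the 1024-bit minimum from KB2661254 would reject it. The function and parameter names are placeholders, and so is the host name in the usage line.

```powershell
# Added example, not from the original post. Reads a TLS server's certificate
# without trusting it and reports the RSA key length against the 1024-bit
# minimum enforced by KB2661254. Names are placeholders chosen for this example.
function Get-TlsCertificateKeyInfo {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate: we only want to inspect it, and a self-issued
        # Domino certificate would otherwise fail validation before we see it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Returns $null for non-RSA keys (ECDSA etc.)
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keySize = $null
        if ($rsa) { $keySize = $rsa.KeySize }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            KeySize    = $keySize
            # KB2661254 rejects RSA keys shorter than 1024 bits: 1024 passes, 512 does not
            BlockedByKB2661254 = ($null -ne $keySize -and $keySize -lt 1024)
        }
    }
    finally {
        # Closing the client also tears down the SslStream
        $client.Close()
    }
}

# Usage (placeholder host name):
# Get-TlsCertificateKeyInfo -HostName webmail.example.com | Format-List
```

Run it from a machine that still completes the handshake; on a host where the update is installed, AuthenticateAsClient may itself throw for a 512-bit key, and that failure is the same symptom IE shows. The KB linked above describes the `chain\minRSAPubKeyBitLength` setting for certutil if you really need to inspect or change the minimum on a client.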

Cheers and happy weekend to everyone.

 

Juha Jurvanen –

www.jufcorp.com

Securing server environments – part II – Networking

Juha Jurvanen’s thoughts on server security 
Second blog post about securing your server operations. Once again, it’s not the gospel of all security issues, but I guess it’s a start and a possible checklist to use.
Now, if we are more or less satisfied with the physical aspect of the data center, it’s time to start thinking about the network design and firewalls.
Depending on your needs, say if you have various branch offices or if all your servers and users are in the same location, the network design will vary.
First of all, make sure you have a decent firewall. It doesn’t have to be that expensive, and you can even use some free Linux distribution (such as Smoothwall) and set up a small server to act as the firewall. There are people out there stating that with IPv6 maybe firewalls will be unnecessary, but I highly doubt that. I have no idea how they’ve come to that conclusion, so I’ll just leave it at that (IPv6 removes the need for NAT, not the need for a point where policy is enforced). Firewalls will be around for a long time.
Just don’t use an old workstation, because usually you can’t set up RAID 5 on the disk volumes, and you really want that since hard drives will eventually fail on that server too.
You could also run a firewall that boots from a read-only DVD/CD-ROM, which removes the ability of an attacker who has gained control to change the rules persistently (the running system can still be altered in memory until the next reboot). The drawback is that if you want to reconfigure, you need to burn a new disc each time to get the new rules in there.
You also want an extra power supply for redundancy, but that’s about all you need to get a decent firewall up and running.
There are of course quite a few appliances out there with firewalls pre-installed, but that’s basically what they are: small servers with some kind of software to allow or deny network traffic on specific ports.
The actual firewall rules aren’t that complicated to set up and think through. Nowadays the GUI in the firewall software is usually quite self-explanatory, and even if you use the more high-end firewalls such as Clavister or FireWall-1, it doesn’t take that long to understand them.
You decide which hosts (servers) on the inside of the firewall should be reachable from the outside world, and on which ports. Most published services run over TCP, but UDP is far from unused on the Internet: DNS, NTP, VoIP and VPNs such as OpenVPN all rely on it, so your rules need to cover both. The difference between the two is that a TCP connection is set up with a handshake and every segment is acknowledged, so both ends know they are actually talking to each other, while UDP is basically the host sending off a datagram and hoping it reaches its destination, with no acknowledgement from the receiver. That also matters for filtering: a firewall can track the state of a TCP connection precisely, whereas for UDP it has to rely on timeouts to guess which replies belong to which request.
Setting up the firewall rules should consist of a few things. Best practice is usually to have a DMZ (demilitarized zone) where you put the servers that should be reachable from the Internet (commonly mail servers, web servers, VPN (virtual private network) servers and FTP (File Transfer Protocol) servers).
The rules are then set up so that the servers in the DMZ are only allowed to communicate with the servers behind the firewall on the specific ports decided by you, and preferably only in the direction you expect: inside hosts may open connections to the DMZ, while DMZ hosts should need as few connections inward as possible.
Unfortunately, some servers do require quite a few ports to be opened from the DMZ, such as a Microsoft Exchange server that needs to authenticate against the domain controllers and so on.
There’s no law saying you must have a DMZ, but the idea behind it is that if one of the servers in the DMZ is hacked, the attacker wouldn’t reach the other servers. I’m not that convinced really. Once a hacker gains access to any of your servers, I’m fairly convinced that you used the same passwords as on the servers behind the firewall somewhere on that server, thus giving away how to log in to the rest of the system. People are people. The DMZ only buys you something if the hosts in it use credentials that are valid nowhere else and the rules stop them from initiating connections inward.
You just need to try as hard as possible not to have your servers hacked. I’ll get back to that topic further down the line in my little blog series.
So, regardless of whether you decide to use a DMZ or not, you still need backups of your servers, and sometimes putting servers in the DMZ causes a bit of hassle in how to create good backups.
One case I remember was a large Swedish website that took backups of their system to a local hard drive on the server in the DMZ with a script.
Usually, all kinds of scripts and backups need administrative rights, and if you are using scripts, most likely you’ll put the administrator/root password in the script file.
This is what they did and sure enough, someone found the script on the server from the Internet and could gain access to the server simply by using the passwords in the script.
If I recall correctly, the script file was even indexed by Google, so you should be a bit careful with what you allow Google and other search engines to see on your servers. We’ll get back to that also further down the line.
Needless to say, once they were hacked they thought things through a bit more.
I’d say that having a backup server behind the firewall and pulling the backups from the DMZ with some kind of backup agent is a better solution than the DMZ server pushing data to a server behind the firewall: the DMZ host then holds no credentials for anything on the inside, and the firewall rule only needs to allow the inside to open connections outward to the DMZ.
Another solution is to have a look at some kind of online backup solution, thus sending the data outside your data center automatically, such as SunGard’s Vytal Vault, The Online Backup Company or any of the online backup service providers really. Just take your pick.
Just make sure that you use a good encryption password and that the backup service doesn’t require you to run it as a user. It’s better to be able to start it as a local system service that can’t be used for interactive logins. If you have backup software that requires user credentials, create a specific user for it, name it something less obvious than “backup” (an ordinary-looking name such as John Smith, a regular Joe), grant it only the necessary rights, and deny it interactive logon.
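To make the two points above concrete, here is an added example (not from the original post) that puts the pattern from the story, a clear-text administrator password in a backup script, next to a hardened pull-backup job that runs as a dedicated low-privilege account and keeps its credential in a DPAPI-protected file. The paths, share names, account names and function names are placeholders chosen for the illustration.

```powershell
# Added example, not from the original post: the pattern the post warns about
# next to a hardened form. Paths, shares, accounts and function names are
# placeholders chosen for this illustration.

# --- What not to do: the administrator password sits in the script file -----
# Anyone who can read the file (or a search engine that indexed it, as in the
# story above) now has a domain administrator password.
$badUser = 'CORP\Administrator'
$badPass = 'P@ssw0rd!'   # clear-text secret in a script: this is the breach
# net use \\backupsrv\backups /user:$badUser $badPass

# --- Hardened: low-privilege service account, secret stored with DPAPI -----
# Run once, interactively, logged on AS the account the scheduled backup job
# will run as. Export-Clixml protects the SecureString with DPAPI, which binds
# it to that user on that machine: the file is useless if copied elsewhere.
function Save-BackupCredential {
    param([string] $Path = 'C:\Backup\svc-jsmith.cred.xml')
    $cred = Get-Credential -Message 'Low-privilege backup account (not "backup")'
    $cred | Export-Clixml -Path $Path

    # Lock the file down to the owner and SYSTEM, dropping inherited ACEs.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# The backup job itself: the inside pulls from the DMZ host, the script never
# holds a clear-text password, and the DMZ host holds no inside credentials.
function Invoke-PullBackup {
    param(
        [string] $CredentialPath = 'C:\Backup\svc-jsmith.cred.xml',
        [string] $Source         = '\\dmz-web01\backupshare',   # read-only share on the DMZ host
        [string] $Destination    = 'D:\Backups\dmz-web01'
    )
    $cred = Import-Clixml -Path $CredentialPath
    if (-not (Test-Path -Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }

    # Authenticate an SMB session to the share with the stored credential; the
    # temporary drive is removed again whatever happens below.
    New-PSDrive -Name BackupSrc -PSProvider FileSystem -Root $Source -Credential $cred | Out-Null
    try {
        robocopy $Source $Destination /MIR /R:1 /W:1 /NP /LOG+:"$Destination\robocopy.log" | Out-Null
        # robocopy exit codes below 8 mean success (possibly with extra/changed files)
        return ($LASTEXITCODE -lt 8)
    }
    finally {
        Remove-PSDrive -Name BackupSrc -Force
    }
}

# Usage: run Save-BackupCredential once as the service account, then schedule
# Invoke-PullBackup to run as that same account (Register-ScheduledTask with
# -User 'CORP\jsmith'); the share on the DMZ host should be read-only for it.
```

The DPAPI file is only a step up from a plain-text password: it still has to be protected by file permissions and it is readable by anything running as that account on that host, which is why the account gets no rights beyond reading the share and writing the destination folder.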
Have your servers on a backbone network by themselves and your workstations on another, thus giving the servers the network bandwidth they need to communicate with each other without being bothered by unnecessary broadcast traffic from your workstations. A separate VLAN or subnet with a filtering rule between the two also means that a compromised workstation cannot reach every server port directly.
Make sure all the network cards in your servers actually run at full speed. Check what auto-negotiation has produced rather than trusting it blindly, but be careful about forcing speed and duplex: 1000BASE-T requires auto-negotiation, and hard-coding one end while the other still negotiates is a classic cause of duplex mismatches and mysterious packet loss. If you enable jumbo frames (an MTU of around 9000 bytes, not 15000), make sure that both your servers and your switches support the same frame size end to end.
If you have the ability, also consider NIC teaming, i.e. teaming two (or more) network cards. The idea is that you get higher throughput and, should one of the network cards fail, the other ones keep running and providing service to your users. An easy way to create redundancy.
Speaking of redundancy, you should also use a number of switches and, if possible, buy switches with two power supplies and the ability to create redundant networks. You might also want to configure your switch ports for 1 Gbit full duplex with large frames, if supported and matching the server side, and have the switches monitored with SNMP from a specific monitoring server.
Don’t use “public” as an SNMP community, name it something else, and also be sure that SNMP traffic isn’t broadcast all over the place; have it sent to a dedicated monitoring host. SNMP v1 and v2c send the community string in clear text and it is all the authentication there is, so treat it as a password, restrict which addresses may query the switches, and use SNMPv3 with authentication and encryption where the equipment supports it.
Always have at least one spare switch in your data center and, if possible, a spare pre-configured firewall. The more expensive firewalls also have the ability to create failover pairs and so on, but if you’re looking to create a fairly cost-efficient networking environment, you probably won’t have that in your arsenal.
When it comes to the firewall rules, a few tips that might be useful.
Decide which server on the inside should be able to make DNS queries to the outside, have all your workstations use that server as their DNS server, and block outbound port 53 from everything else. The drawback is of course that should that DNS server fail for some reason, no one will be able to reach anything really (run two resolvers if you can), but the upside is that you reduce the traffic through the firewall, gain better performance and far better control of the network traffic for your workstations, and get an easy and cheap way of blocking or redirecting traffic to websites you don’t want them to visit.
In a Windows environment you could also set up a proxy, push the proxy setting out with Group Policy and have all web traffic flow through it, giving excellent control of all traffic. Have a look at this link on how to accomplish that
http://www.tomshardware.co.uk/forum/194827-36-restrict-internet-access-group-policy
Some firewall administrators also block all outbound traffic to the outside world that isn’t explicitly required. This can be an administrative nightmare, but in theory it tightens your security by blocking, for instance, trojans trying to phone home. Nowadays quite a few trojans use standard ports such as 80 and 443, so a pure port-based block gains less than it used to; combined with the proxy above, though, it forces that traffic through a point where it is logged and can be inspected. Of course some trojans would still be blocked, so it can’t hurt, but there is always the risk of more administrative work when something needs to be opened for new software.
Never allow firewall administration from the outside world, and consider only allowing firewall administration from a specific management workstation, or even just locally on the firewall.
Don’t have your firewall answer PING (ICMP echo) from the outside.
If your firewall has settings for blocking port scans, SYN flooding and so on, use them. They are there for a reason.
If you really want to think about network traffic and security, you might even consider setting up a network intrusion detection system such as Snort on the perimeter.
It’s not that difficult really, but it does require some skill and separate hardware, and the downside can be various performance issues.
Here’s a link to a Snort cheat sheet by Tim Kiery at Comparitech that I got as a tip by email the other day.
VPN is still widely used for letting your users connect to your internal resources and, from time to time, it works great. Unfortunately, performance is often an issue, as are DNS handling and sometimes licensing costs. Nowadays there are other kinds of solutions such as SharePoint server, RD Web and cloud solutions that actually (yes, I know, basically I am a Windows guy).
If you still want VPN and want to keep your costs down, you could have a look at OpenVPN for instance. I’ve used it at a few customer sites and it works, and it’s pretty fast really.
Wireless networks and access to networks should also be considered carefully.
  1. A few pointers: use WPA2 (with AES/CCMP) and do not use the EasySetup/WPS features that only require a simple PIN code. WEP is broken outright and WPA with TKIP has known weaknesses. The WPS PIN is 8 digits of which the last is a checksum, and, worse, the protocol confirms the first four digits separately from the rest, so an attacker needs at most about 11,000 guesses rather than 10 million. That’s done in a matter of hours.
  2. Hide the broadcast name. It can still be found, trivially, by anyone passively capturing traffic, and your own clients will probe for the hidden name wherever they go, so treat this as tidiness rather than security.
  3. You should also separate the WiFi access from the rest of the network and not have mobile phones on the same network as servers and workstations.
  4. In 99.9 % of the cases where you allow WiFi access for end users’ mobile phones, it’s to give them the ability to reach Internet services, not to reach anything on your corporate network. If it’s for laptop access, have a separate WiFi network for laptops and one for mobile phones. It’s not that expensive to set up, but it does give your laptop users all the bandwidth for work, not for Spotify.
  5. If you really want to restrict network access, most switches and wireless routers have the ability to set up MAC address filtering, but the downside is of course that it’s an administrative nightmare if you have many devices and users: you’ll have to keep track of every MAC address on your network, which is time-consuming. It raises the bar a little, but a MAC address is trivially copied and spoofed, so don’t mistake it for authentication; if you need that, look at 802.1X.
  6. For external guests you should also have a separate guest network that has no connection to your server network or the workstation network. Remember, even if the salesperson or consultant seems reliable, you have absolutely no way of knowing whether their computer has been infected with a virus or whether they are up to no good.
  7. Don’t have computers in the reception area, such as guest access systems, connected to the corporate network. There is absolutely no need for external visitors to be able to browse your internal network.
  8. If you have any kind of guest access system, make sure it runs in kiosk mode with no way to break out of the application shell you’ve decided on for the guests. Plug all USB ports and any other types of input mechanisms.
  9. Don’t have all of the network sockets patched in just because of laziness. If someone plugs in a laptop or computer that you haven’t been informed about, they shouldn’t be able to start surfing or browsing your network unless you say so. Of course, there are always ways around that, for instance just borrowing the Ethernet cable from that other PC and so on, but it does make it a bit more difficult anyway; port security or 802.1X on the switch closes that hole properly.
  10. Always have good monitoring software running and checking your network for new devices. If you start seeing devices with MAC addresses like 00-00-00-BE-50-00-DE-AD... well, it’s too late, you’re toast. Personally I favor Spiceworks, but there are lots of monitoring solutions out there. Take your pick. Basically, you need to have a clue about what’s going on in your network and, even more so, you need to know why. You need to monitor bandwidth usage and also have monitoring points on your network, both internal and external.
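As an added example of the last point (not from the original post), the script below compares the machines currently visible on the LAN with an approved inventory and reports the strangers. Get-NetNeighbor (Windows 8 / Server 2012 and later) is the live source; the inventory and the sample neighbor table are constructed for the illustration, and the function name is a placeholder.

```powershell
# Added example, not from the original post: report LAN devices whose MAC
# address is not in an approved inventory. The inventory and the sample
# neighbor table are constructed; the function name is a placeholder.
function Get-UnknownNeighbor {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Approved,   # MAC -> description
        [object[]] $Neighbors = $null
    )
    if ($null -eq $Neighbors) {
        # Live ARP/neighbor table of this host (IPv4 only)
        $Neighbors = Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale, Permanent
    }
    foreach ($n in $Neighbors) {
        # Normalise to AA-BB-CC-DD-EE-FF so the lookup does not depend on formatting
        $mac = ([string] $n.LinkLayerAddress -replace '[:.]', '-').ToUpperInvariant()
        # Skip entries that are not real hosts: empty, broadcast, IPv4 multicast
        if (-not $mac -or $mac -eq 'FF-FF-FF-FF-FF-FF' -or $mac -like '01-00-5E-*') { continue }
        if (-not $Approved.ContainsKey($mac)) {
            [pscustomobject]@{
                IPAddress = $n.IPAddress
                MAC       = $mac
                Interface = $n.InterfaceAlias
                State     = $n.State
            }
        }
    }
}

# Approved inventory (constructed): normally kept with the switch/port
# documentation and loaded from a file.
$approved = @{
    '00-15-5D-01-02-03' = 'srv-dc01'
    '00-15-5D-01-02-04' = 'srv-file01'
    'B8-27-EB-AA-BB-CC' = 'printer-3rd-floor'
}

# Constructed neighbor table in the shape Get-NetNeighbor returns, so the
# function can be exercised offline. Only 10.0.0.77 should be reported.
$sample = @(
    [pscustomobject]@{ IPAddress = '10.0.0.10';  LinkLayerAddress = '00-15-5D-01-02-03'; InterfaceAlias = 'Ethernet'; State = 'Reachable' }
    [pscustomobject]@{ IPAddress = '10.0.0.77';  LinkLayerAddress = 'de:ad:be:ef:00:01'; InterfaceAlias = 'Ethernet'; State = 'Stale' }
    [pscustomobject]@{ IPAddress = '10.0.0.255'; LinkLayerAddress = 'FF-FF-FF-FF-FF-FF'; InterfaceAlias = 'Ethernet'; State = 'Permanent' }
)
Get-UnknownNeighbor -Approved $approved -Neighbors $sample | Format-Table -AutoSize

# Live run for a scheduled check; pipe the result to your alerting of choice:
# Get-UnknownNeighbor -Approved $approved
```

A host only sees neighbors on its own subnet, so run this from one machine per VLAN (or feed it the switch’s MAC table instead), and remember that the check tells you a new address appeared, not who it belongs to; that is the “why” the post asks for.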
// Juha “Juffe” Jurvanen
Senior consultant in backup, IT security, server operations and cloud

By Juha Jurvanen @ JufCorp

Securing your server environment – part 1 – Physical environment

Juha Jurvanen’s thoughts on server security 
This blog post is intended only as a basic guide to security. It is not intended to be the gospel of security since, let’s be honest, there is no such thing as absolute security.
As an example, in Sweden there was a case where a computer was locked in a vault, with no network access whatsoever and only a few people had access to it, and still it leaked information to foreign countries. Absolute computer security is a myth. That said, system administrators can still do a lot to make it more difficult to access data and to withstand DDoS attacks on their systems.
Let’s start off with the physical aspects.
Where is your server actually located and who has physical access to it?
Once you gain physical access to a server, there are numerous ways of accessing the data. The root password, the Active Directory Domain Administrator password or the NDS Admin password can easily be reset by booting the server from a USB stick. Have a look at, for instance, Hiren’s Boot CD or Burglar for NDS, or just play around with Google and search for terms such as “reset administrator password”, “decrypt password” and so on. Full-disk encryption with the key protected by a TPM or a boot password is what actually stops this; the boot-media trick only works while the disks are readable offline.
You’ll be amazed when you realize how easy it actually is. Personally, I almost always carry a USB stick with me that enables me to boot up any system and “have my way with it”.
So, we need to secure the server from outside access. The data center must be protected with card keys, cameras and access control. We need to know who is in the data center and why they are there in the first place.
For instance, janitors or cleaning staff tend to have complete access due to what they do. Many companies hire outside help to get these kinds of jobs done.
If I wanted to gain access to a server, I would try to infiltrate one of those subcontractors to get a job as, let’s say, a janitor, try to gain access to the data center somehow and, from there, I could basically do whatever I wanted with the servers.
Maybe my goal wouldn’t be to steal data but to kill the data operations by corrupting the file systems on the servers, switching disks in RAID systems or just putting small holes in all the network cables to cause network errors, triggering an EMP in the data center and so on.
There would be numerous ways to disrupt the data operations once I gained access to the data center or server room.

If I were out to steal data, I would probably not target the servers themselves but instead start looking for backup tapes or backup disks. Far too many companies keep their backups in the same location as the servers themselves, and since the backups usually are not encrypted, I’d go for stealing a complete backup set, go home, scan the tapes to figure out what backup software was used and then do a complete restore of it all.
The backups are most likely to contain the data I’m after, although probably up to 24 hours old, but from them I can gain access to all kinds of information about the operations, crack administrative passwords for the server systems and so on. In the comfort of my own data center, or my couch.

This would require some skill in disaster recovery scenarios and how to get data back from backups, but I’m fairly sure I’m not the only one in the world with expertise in those matters.
Backups are always a weak point from several aspects.
You need to know who has access to them, at all times.
If you are a company that, for instance, has its backups shipped to another location on a daily or weekly basis, you need to know that the people handling them haven’t been compromised. It wouldn’t take long for anyone with the proper skills to clone your tapes or disks en route to their destination, and you would have no way of telling they’d been cloned. In that scenario, all of your critical data would be in the wild without you actually knowing it.
If you are using any kind of online backup service, remember to choose your encryption password wisely and be extremely restrictive with who has it. A lot of backup software does not let you change the encryption password without doing the first backup all over again, thus doubling your usage of space and your costs.
Still, I highly recommend you use an encryption password, for several reasons.
If you don’t use one, it’s just pure laziness and fear of administrative hassle, and that’s not an excuse. The risk of people at your online backup provider being able to access your data is of course also an obvious one. Do you know these people, and how could you be absolutely certain that they aren’t poking around in your data and maybe giving it to your competitors? Encrypting on your side, with a key only you hold, is the one control that does not depend on trusting them.
If you are thinking about online backups there are a few very essential questions you should ask yourself, but we’ll get back to that later in another post.
Do not use the same encryption password as you have for root/Administrator/Admin. That’s just crazy talk. Use a password generator to create a unique password. This is also very much valid for tape backups or backups on NAS/disk. Always encrypt your backups with a password and be very, very restrictive with who has it.
If an employee quits your company or an outside consultant leaves his project and he/she has had knowledge of the password, change it.
If you’re doing a planned disaster recovery test, for instance, change the administrative passwords right after the DR test, so that no one can reuse what they’ve found out during the test.
During the actual DR test, you should be there and be the one who actually types in the encryption password for the backups, not any outside technicians or consultants, not even the online backup service provider or your disaster recovery service provider. You, and you alone, should be the one who has those passwords.
I will return to backup questions and DR plans further down the line in some upcoming blog post.
So, the conclusion is: always know who is near your servers and why, and NEVER let anyone be there alone without supervision. Here are a few more pointers.
  1. Always have your data center locked and secured from unauthorized access. If you have the means, also have it secured against an EMP attack from the outside. Of course, I haven’t even touched the subject, but be sure your data center has all the necessary fire prevention/extinguishing equipment in place, UPS backups and, if possible, also an outside source of power in case the UPS battery runs out. There should also be a system in place for protecting your servers against power spikes. Be sure to know where the water pipes run in the building so you don’t place your servers directly underneath one. Don’t keep cardboard or any other kind of flammable material in the data center; take it with you when you’ve set up a new server or switched disks. Don’t be lazy. The cost of laziness can be extreme.
  2. In the data center, always have your servers locked in cabinets that require keys and an access card to gain physical access to keyboards and the like. Also remember to protect the cabling and the back of the servers! Never leave a server logged on at the console. Be sure to have all cabling to and from the firewall and the Internet connection secured.
  3. If you’re “expecting company”, i.e. external consultants and so on, be sure to think about NOT having network maps, administrative passwords and other information in plain sight for anyone to see. I’ve seen it hundreds of times: the IT department having their entire IT operations and information about their systems on whiteboards or printed on documents next to their workstations.
  4. Sure, it makes their lives easier, but as one might gather, it also makes the life of the attacker easier. Knowledge is a powerful weapon, especially when it comes to data protection.
  5. Don’t have software lying around in the data center with license keys on it. All it takes is a mobile phone for someone to copy your license keys, possibly putting you in the awkward situation of having to explain to Microsoft, for instance, how come your Volume License keys are a bit too easy to find on Piratebay, and putting you at risk of your licenses becoming invalid and bringing your server operations to a halt, or at least a short disruption.
  6. Know where your backups are, at all times. Have them encrypted. If using online backup services, be sure to use an encryption key and, if possible, have restrictions on the online backup service provider’s end on where backups and restores are allowed to and from.
  7. Do not allow mobile phones in the data center, due to the risk of people photographing your equipment or software license keys, or using the phones to copy data via USB cables and the like.
  8. If you are sharing a data center with others, there is no need for you to have your company logo or anything else revealing that the servers are yours. Keep it as anonymous as possible. There is also no need for you to tell anyone where your servers are physically located (although it can be fairly easy for anyone to find out using traceroute and so on).
  9. Be sure to have a Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP) in case your site is compromised or an accident occurs. Also in this case, treat the secondary DR location as mission-critical data.
  10. Once again, do not underestimate the power of social engineering. Although it’s not hacking in the usual sense, it’s merely acting, it can still be as harmful as I’m trying to point out here.
So, there are a few tips anyway, and that’s just the start really. It’s not a complete recipe for securing your physical environment and I’m sure I’ve missed loads of stuff, but it’s a start anyway.
I hope you liked this post and I’d love to hear your thoughts on it, and whether you want me to write a few others on securing your server operations. I was thinking along the lines of brute force protection, change management, 0-day attacks, certificate management, password policies, protecting web servers and so on. You get the picture :-)
// Juha “Juffe” Jurvanen
Senior consultant in backup, IT security, server operations and cloud

Securing server environments – part II – Networking

Juha Jurvanen’s thoughts on server security 

Second blog post about securing your server operations. Once, again, it’s not the gospel of all security issues but I guess it’s a start and possible checklist to use.

Now, if we are more or less satisfied with  the physical aspect of the data center it’s time to start thinking about the network design and firewalls.

Depending on your needs, say if you have various branch offices or if all your server and users are in the same location, the network design will vary.

First of all, make sure you have a decent firewall. It doesn’t have to be that expensive and you can even use some free  Linux distribution (such as Smoothwall) and set up a small server  to act a as the firewall. There are people out there stating that with IPv6 maybe firewalls will be unnecessary  but I highly doubt that. I have no idea how they’ve come to that conclusion so I’ll just leave it at that. Firewall will be around for a long time.

Just don’t use an old workstation because usually , you can’t set up RAD5 functionality on the disk volumes and you really want that because hard drives will eventually fail on that server also.

You could also have a firewall that’s actually installed on a DVD / CD ROM thus disabling the ability for any attacker  that has gained control to be able to modify the rules. The drawback is that if you want to reconfigure, you need to create a new DVDCD each time to have get the new rules in there.

You also want to have an extra power supply for redundancy  but that’s about it what you need to get a decent firewall up & running .

There are of course quite a few appliances out there with firewalls pre installed but that’s what they basically, small server with some kind of software to allow / deny network traffic on specific port.

The actual firewall rules aren’t that complicated to set and think through really, now days the GUI in the firewall software is usually quite self explanatory and even if you use the more high end firewalls such as Clavister or Firewall 1 and so on , it doesn’t take that long to understand them really.

You decide  which hosts (servers) on the inside of the firewall that should be reachable from the outside world basically and on what ports. Usually on TCP since UDP isn’t really used for communications  over the internet.  The difference  between two (TCP versus UDP)  is that a TCP connection is controlled and verified with a acknowledgment that it has reached to intended server that the server and the host/user trying to reach a service is actually communicating while UDP is basically the host/workstation sending off a network packet and hoping for the best that it reaches it’s destination without any response from the intended server.

Setting up the firewall rules should consist of a few things. Best practice is usually to have a DMZ (Demilitarized Zone ) where you basically put your server that should be reachable from the Internet (commonly this is mail servers, web servers, VPN (Virtual Private Network) servers and FTP (File Transfer Protocol) servers.

The rules are the set up so that the server on the DMZ are only allowed to communicate with the servers behind the firewall only the specific ports decided by you.

Unfortunately, some servers do require quite a few ports to be opened from the DMZ such as Microsoft Exchange server that need to validate with the Domain Controllers and stuff. .

There’s no law saying you actually must have a DMZ but the idea behind it is that if one of the servers on the DMZ would be hacked, the attacker wouldn’t reach the other servers . I’m not that convinced really. Once a hacker gains access to any  of your serves, I’m fairly convinced  that you used the same passwords you use on the server behind firewall somewhere in on the server thus giving the information on how to log in to rest of the system. People are people.

You just need to try as hard as possible not to have your servers hacked. I’ll get back to that topic further down the line in my little blog series.

So, regardless of if you decide to use a DMZ or not, you still not have backups of you servers and sometimes, setting servers on the DMZ can cause a bit of hassle on how to create good  backups.

One case I remember was, a large Swedish website that  took backups of their system to a local hard drive on the server on the DMZ with a script.

Usually, all kinds of scripts and backups need to have administrative rights and if your are using a scripts, most likely you’ll put the administrator / root password in the script file.

This is what they did and sure enough, someone found the script on the server from the Internet and they could gain access to the server simply by using the passwords in the script..

If I recall correctly, the script file was even indexed by Google actually so you should actually be a bit careful with what you allow Google and search engines to see on your servers. We’ll get back to that also further down the line.

Needless to say, once they were hacked they thought things through a bit more.

I’d say the having a backup server behind the firewall and pulling the backup from it with some kind of backup agents is a better solution instead of the server sending data to a behind the firewall.

Another  solution  is to have a look at some kind of online backup solution and thus sending the data outside your data center automatically, such as SunGard’s Vytal Vault, The  Online Backup Company or any of the online backup service providers really. Just take your pick

Just make sure that you use a good encryption password and that the backup services don’t require you to run them as a user. It’s better to be able to start the with a local system service that can’t be used for logins. If you have a backup software that requires user credentials, cerate a specific user for them and name the user something not that obvious as for instance “backup” Just create a user such as John Smith , a regular Joe and grant him only the necessary rights.

Have your servers on a backbone network by themselves and your workstations on another, thus giving the servers the network bandwidth they need to communicate with each other without being bothered by unnecessary broadcast traffic from your workstations.

Make sure all of the network cards in your servers are set to use maximum speed. Don't trust auto-negotiation. Configure them explicitly to use for instance 1 Gbit full duplex and to use jumbo frames (15000 packet size; just make sure that both your servers and switches support this).
If you have the ability, also consider NIC teaming, i.e. teaming two (or more) network cards. The idea is that you get higher performance, and should one of the network cards fail, the other ones would still be running and providing service to your users. An easy way to create redundancy.

Speaking of redundancy, you should also use a number of switches and, if possible, buy switches with two power supplies and the ability to create redundant networks. You might also want to configure your switch ports to use 1 Gbit full duplex with jumbo frames, if supported, and have the switches monitored with SNMP by a specific monitoring server.

Don't use "public" as an SNMP community; name it something else, and also make sure that SNMP traffic isn't broadcast all over the place. Have it sent to a dedicated monitoring server. SNMP is not a very secure protocol.
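To check the SNMP points above on a net-snmp style `snmpd.conf`, here is an added example (my own code, not from the original post) that flags the default community names, communities accepted from any source, write communities, and trap destinations that are not your dedicated monitoring server. The sample configuration and the monitoring host 10.0.1.50 are constructed for the example.

```python
"""Audit an snmpd.conf for weak SNMP settings (added example, not from the post).

Directive syntax assumed (net-snmp):
  rocommunity|rwcommunity COMMUNITY [SOURCE ...]   ("default" source = any host)
  trapsink|trap2sink|informsink HOST[:PORT] [COMMUNITY]
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: the first two lines are the weak settings, the next two the
# corrected ones (random community, restricted to the monitoring host), then a
# trap destination nobody recognises.
SAMPLE_SNMPD_CONF = """# constructed snmpd.conf for the example
rocommunity public default
rwcommunity private 10.0.0.0/8
rocommunity Kq7-ro-monitor 10.0.1.50
trapsink 10.0.1.50 Kq7-ro-monitor
trap2sink 192.0.2.77 public
"""


def audit_snmpd(conf_text, monitoring_hosts=frozenset({"10.0.1.50"})):
    """Return a list of (line number, issue) for every weak setting found."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive in ("rocommunity", "rwcommunity"):
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community name '{community}'"))
            if source == "default":
                findings.append((lineno, "community accepted from any source host"))
            if directive == "rwcommunity":
                findings.append((lineno, "write community enabled"))
        elif directive in ("trapsink", "trap2sink", "informsink"):
            host = args[0].split(":")[0] if args else ""
            community = args[1] if len(args) > 1 else ""
            if host not in monitoring_hosts:
                findings.append((lineno, f"traps sent to non-monitoring host {host}"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community name '{community}'"))
    return findings


if __name__ == "__main__":
    for lineno, issue in audit_snmpd(SAMPLE_SNMPD_CONF):
        print(f"line {lineno}: {issue}")
```

A community string is sent in clear text with SNMPv1/v2c, which is why restricting the source host matters as much as the name; if your devices support SNMPv3, its authentication and encryption are the real fix.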

Always have at least one spare switch in your data center and, if possible, a spare, pre-configured firewall. The more expensive firewalls also have the ability to create failovers and such, but if you're looking to create a fairly cost-efficient networking environment, you probably won't have that in your arsenal.

When it comes to the firewall rules, a few tips that might be useful.

Decide for instance which server on the inside should be able to make DNS queries, and have all of your workstations use that server as their DNS server. The drawback is of course that should that DNS server fail for some reason, no one will be able to reach anything, really. The upside is that you reduce the traffic through the firewall and gain better performance and far better control of the network traffic from your workstations, and you get an easy and cheap way of blocking or redirecting workstation traffic to websites you don't want them to visit.

In a Windows environment you could also push a proxy setting through Group Policy and have all traffic flow through the proxy, giving you excellent control of all traffic. Have a look at this link on how to accomplish that:

http://www.tomshardware.co.uk/forum/194827-36-restrict-internet-access-group-policy

Some firewall administrators also block all outbound traffic to the outside world that isn't explicitly required. This can be an administrative nightmare, but in theory it tightens your security by blocking for instance trojans trying to communicate. Nowadays, though, quite a few trojans use standard ports, so I'm not sure one really gains that much with such a configuration. Of course some trojans would be blocked, so it can't hurt, but there is always the risk of more administrative work when something needs to be opened for a new piece of software.
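Whether you route DNS through one internal server or block outbound traffic by default, the firewall log is where you see who ignores the rule. As an added example for both of the points above (my own code, not from the original post), this audits log lines in netfilter `LOG` format against a small egress allow-list and reports workstations that bypass the designated DNS server and any other outbound connection that is not on the list. The addresses (workstations in 10.0.2.0/24, DNS server 10.0.1.10, proxy 10.0.1.20) and the log lines are constructed for the example.

```python
"""Egress audit over firewall log lines (added example, not from the post).

Assumptions, all constructed for the example: workstations live in 10.0.2.0/24,
the designated internal DNS server is 10.0.1.10, the proxy is 10.0.1.20:3128,
and the firewall logs outbound packets in netfilter LOG key=value format.
"""
import ipaddress
import re

KV_RE = re.compile(r"(\w+)=(\S+)")

DNS_SERVER = ipaddress.ip_address("10.0.1.10")
WORKSTATIONS = ipaddress.ip_network("10.0.2.0/24")

# Egress allow-list: (source network, destination host or None for any, protocol, port).
ALLOW = [
    (WORKSTATIONS, DNS_SERVER, "UDP", 53),
    (WORKSTATIONS, DNS_SERVER, "TCP", 53),
    (WORKSTATIONS, ipaddress.ip_address("10.0.1.20"), "TCP", 3128),   # web proxy
    (ipaddress.ip_network("10.0.1.10/32"), None, "UDP", 53),            # DNS server forwards queries out
    (ipaddress.ip_network("10.0.1.10/32"), None, "TCP", 53),
    (ipaddress.ip_network("10.0.1.30/32"), None, "TCP", 443),           # web server fetching updates
]

# Constructed log lines; only the fields used below matter.
SAMPLE_LOG = [
    "Jan 14 10:02:11 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.2.15 DST=10.0.1.10 PROTO=UDP SPT=51234 DPT=53",
    "Jan 14 10:02:12 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.2.15 DST=8.8.8.8 PROTO=UDP SPT=51235 DPT=53",
    "Jan 14 10:02:15 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.2.22 DST=10.0.1.20 PROTO=TCP SPT=49822 DPT=3128",
    "Jan 14 10:02:16 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.2.22 DST=203.0.113.5 PROTO=TCP SPT=49823 DPT=443",
    "Jan 14 10:02:20 fw kernel: FW-OUT: IN=eth2 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.1 PROTO=UDP SPT=40001 DPT=53",
    "Jan 14 10:02:31 fw kernel: FW-OUT: IN=eth2 OUT=eth0 SRC=10.0.1.30 DST=203.0.113.9 PROTO=TCP SPT=50512 DPT=6667",
    "Jan 14 10:02:40 fw kernel: FW-OUT: IN=eth2 OUT=eth0 SRC=10.0.1.30 DST=203.0.113.9 PROTO=ICMP TYPE=8 CODE=0",
]


def parse_log_line(line):
    """Return (src, dst, proto, dport), or None for lines without a port (e.g. ICMP)."""
    fields = dict(KV_RE.findall(line))
    try:
        return (ipaddress.ip_address(fields["SRC"]), ipaddress.ip_address(fields["DST"]),
                fields["PROTO"].upper(), int(fields["DPT"]))
    except (KeyError, ValueError):
        return None


def is_allowed(src, dst, proto, dport, allow=ALLOW):
    """True if some allow-list entry covers this connection."""
    for src_net, dst_host, a_proto, a_port in allow:
        if (src in src_net and (dst_host is None or dst == dst_host)
                and proto == a_proto and dport == a_port):
            return True
    return False


def audit_egress(lines, allow=ALLOW):
    """Return (src, dst, proto, dport, reason) for every logged connection outside the policy."""
    findings = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # ICMP and other port-less traffic is out of scope here
        src, dst, proto, dport = parsed
        if is_allowed(src, dst, proto, dport, allow):
            continue
        if src in WORKSTATIONS and dport == 53 and dst != DNS_SERVER:
            reason = "workstation bypassing the designated DNS server"
        else:
            reason = "outbound connection not on the egress allow-list"
        findings.append((str(src), str(dst), proto, dport, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG):
        print(finding)
```

The same allow-list is what you would turn into the actual firewall rules; running the audit first over a day of logs tells you what will break (and which machine is quietly talking to the outside) before you flip the default to deny.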

Never allow firewall administration from the outside world, and you should even consider only allowing firewall administration from a specific workstation, or even just locally on the firewall.

Don't have your firewall answer ping traffic.

If your firewall has settings for blocking port scans, SYN flooding and so on, use them. They are there for a reason.

If you really want to think about network traffic and security, you might even consider setting up a network intrusion detection system such as Snort. It's not that difficult really, but it does require some skill and separate hardware, and the downside can be various performance issues.

VPN is still widely used for letting your users connect to your internal resources, and from time to time it works great. Unfortunately, performance is often an issue, as is DNS handling and sometimes also licensing costs. Nowadays there are other kinds of solutions, such as SharePoint Server, RD Web and cloud solutions, that actually (yes, I know, basically I am a Windows guy).

If you still want VPN and want to keep your costs down, you could have a look at OpenVPN for instance. I've used it at a few customer sites and it works, and it's pretty fast really.

Wireless networks and network access in general should also be considered carefully. A few pointers:

  1. Use WPA2 and do not use the EasySetup features that only require a simple PIN code. WEP and WPA are too easy to decrypt, and the EasySetup features are basically only 8 numbers that an attacker needs to guess, two of which are just control numbers, so there's actually only a 6-digit code to crack. That's done in only a few hours.
  2. Hide the broadcast name (SSID). It can still be found, but what you can't see is more difficult to find, right?
  3. Separate the WiFi access from the rest of the network as well, and don't have mobile phones on the same network as servers and workstations.
  4. In 99.9 % of the cases where you allow WiFi access for your end users' mobile phones, it's to give them the ability to reach Internet services, not to reach anything on your corporate network. If it's for laptop access, have a separate WiFi network for laptops and one for mobile phones. It's not that expensive to set up, but it does give your laptop users all the bandwidth for work, not for Spotify.
  5. If you really want to restrict network access, most switches and wireless routers have the ability to set up MAC address filtering for access, but the downside is of course that it's an administrative nightmare if you have many devices and users. If you enable those features you'll have to keep track of each MAC address on your network, which can be time consuming. It does tighten your security, of course.
  6. For external guests you should also have a separate guest network that has no connection to your server network or the workstation network. Remember, even if the salesperson or consultant seems reliable, you have absolutely no way of knowing if their computers have been infected with a virus or if they are up to no good.
  7. Don't have computers in the reception, such as guest access systems, connected to the corporate network. There is absolutely no need for external visitors to be able to browse your internal network.
  8. If you have any kind of guest access system, make sure it runs in kiosk mode with no way to break out of the application shell you've decided on for the guests. Plug all USB ports and any other types of input mechanisms.
  9. Don't have all of the network sockets patched in just out of laziness. If someone plugs in a laptop or computer that you haven't been informed about, they shouldn't be able to start surfing or browsing your network unless you say so. Of course, there are always ways around that, for instance just borrowing the Ethernet cable from that other PC and so on, but it does make it a bit more difficult anyway.
  10. Always have good monitoring software running and checking your network for new devices. If you start seeing devices with MAC addresses like 00-00-00-BE-50-00-DE-AD .. well, it's too late. You're toast. Personally I favor Spiceworks, but there are lots of monitoring software solutions out there. Take your pick. Basically, you need to have a clue about what's going on in your network and, even more so, you need to know why. You need to monitor bandwidth usage and also have monitoring points on your network, both from an internal point and from an external one.
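Points 5 and 10 both come down to knowing which MAC addresses belong on your network. As an added example (my own code, not from the original post) of the "new device" check a monitoring tool does for you, here is a comparison of a Windows `arp -a` table against a known-device inventory. It skips broadcast and multicast entries, which are not devices, and separately marks addresses with the locally administered bit set, since phones with MAC randomisation and manually set addresses look like that. The inventory and the ARP output are constructed for the example.

```python
"""Flag unknown devices in a Windows `arp -a` table (added example, not from the post).

The inventory and the sample ARP output are constructed for the example.
"""
import re

# "10.0.2.15   00-1b-21-3c-4d-5e   dynamic" style lines; also accepts colon-separated MACs.
ARP_LINE_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

# Constructed inventory: MAC -> description. Normally this comes from your asset list.
KNOWN_DEVICES = {
    "00:1b:21:3c:4d:5e": "ws-015 (finance)",
    "00:1b:21:3c:4d:5f": "ws-016 (finance)",
    "00:1b:21:3c:4d:60": "printer-2nd-floor",
}

# Constructed `arp -a` output as seen on a Windows workstation on 10.0.2.0/24.
SAMPLE_ARP = """Interface: 10.0.2.1 --- 0x4
  Internet Address      Physical Address      Type
  10.0.2.15             00-1b-21-3c-4d-5e     dynamic
  10.0.2.16             00-1b-21-3c-4d-5f     dynamic
  10.0.2.77             a4-c3-f0-11-22-33     dynamic
  10.0.2.78             da-a1-19-00-11-22     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""


def normalize_mac(mac):
    """Lower-case, colon-separated form so inventory lookups are format-independent."""
    return mac.lower().replace("-", ":")


def is_multicast(mac):
    """Bit 0 of the first octet set: multicast/broadcast, never a single device."""
    return int(mac.split(":")[0], 16) & 0x01 == 0x01


def is_locally_administered(mac):
    """Bit 1 of the first octet set: randomized or manually configured address."""
    return int(mac.split(":")[0], 16) & 0x02 == 0x02


def parse_arp_table(text):
    """Return (ip, normalized mac, type) for every address line in `arp -a` output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE_RE.match(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2)), m.group(3)))
    return entries


def find_unknown_devices(arp_text, known=KNOWN_DEVICES):
    """Return (ip, mac, note) for every entry that is not in the inventory."""
    findings = []
    for ip, mac, _typ in parse_arp_table(arp_text):
        if is_multicast(mac):
            continue  # broadcast / multicast entries are not devices
        if mac in known:
            continue
        note = "unknown device"
        if is_locally_administered(mac):
            note += ", locally administered address (randomized or manually set MAC)"
        findings.append((ip, mac, note))
    return findings


if __name__ == "__main__":
    for finding in find_unknown_devices(SAMPLE_ARP):
        print(finding)
```

An ARP table only shows what one host has talked to recently, so in practice you feed the check from the switches (the forwarding tables, via SNMP to your monitoring server) or from DHCP leases; the comparison itself stays the same. A locally administered address is not proof of anything bad, but it is exactly the kind of entry that a MAC filter (point 5) cannot be trusted with.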

// Juha “Juffe” Jurvanen

http://www.jufcorp.com

Senior consultant in backup, IT security, server operations and cloud