Blogs

Connecting to Cloud Providers High-Level Network Architecture

More than 70 percent of Internet Traffic passes through Data Center Alley in Loudoun County. Ashburn, Virginia has the largest data center footprint in the world. It makes sense to lease or collocate your data center here. Almost all cloud providers (Azure, Amazon AWS, Google, Office 365, etc.) have presence in these data centers. Being collocated locally can take advantage of direct connect services to any of these Cloud providers. Ashburn Consulting can help you design a Hybrid Cloud On Prem Architecture for your future Infrastructure.

AzureCloudConnect

VTC Video Conferencing Rules for Palo Alto Firewall

If you have a Cisco Telepresence VCS Expressway or a legacy Tandberg Border Controller or even an MCU behind a Palo Alto Firewall there are several Application based objects needed to be in your Outbound and Inbound Security policy.

  • rtp-base
  • rtcp
  • h.225
  • h.245
  • h.323
  • sip
  • rtp

Normally the logs will show which ports are being denied by the clean up rule. Depending on the type of Firewall, you might need to create an object with a certain udp range. There are also cases where a VTC endpoint is configured to use static ports that’s out of range from the standard protocols and applications built in. Making VTC sessions work behind a newly deployed Firewall can be challenging at first. Simple trial and error and gathering firewall connection logs is key. I’d be careful allowing a big range of ports though to Inbound Firewall rules.

Security Today

Security Today is extremely complex and yet simple to bypass for a willing mind with enough time and computer power to exploit vulnerabilities that may or may not be accounted for per your internal security or IT operations team.

The multi-layered threat, with many mutations within the attack surface, has increased significantly from the Virus age to nowadays application-focused threats. With this in mind we ought to think that the tools protecting us at the endpoint and through our network security devices should have enhanced accordantly, but they have not. We live in a time where awareness is our best way to prepare for most cyber attacks.

The main players today are no longer interested on simply affecting your infrastructure performance with a DDoS attack for example. Today these are attacks targeted to delay specific areas in your organization with the intent to lower your customer’s confidence in the services provided by slowing down your key production services.  These targets could be  a call center with SaaS based applications or an old, large and fully protected physical infrastructure with security controls and mitigation processes in place.  There is an opportunity to have these controls be more adaptive to the threat and more dynamic in reporting and mitigation controls.

As per our attackers, let us establish that if we understand the principles of the Intrusion Kill Chain, the attackers must be successful on every one of the 7 steps on the Kill Chain, we, as security professionals, need to address just one of these 7 phases, that’s good news but we must be aware of all the threats, and vulnerabilities in order to be successful protecting against one of these phases, and to effectively thwart the attack.  The attacker, however, needing to be successful in every one of them to compromise an organization’s data structure, may loose interested against a well protected organization because of the increase in time and costs for their attack to be profitable.

For years, we thought that a port based, fully stateful, and packet based firewall would protect us against most of these threats, and whatever wouldn’t be caught by them, we could easily find on IPS/IDS devices inline or surrounding our main security points. Using extended log servers with behavioral analyses were a good composition for our defense against the “threat attack-surface”. Much of this approach has changed but some principals continue to be just an item on a checklist necessary to deploy a “secure basis” in several organization’s compartments.

Software attack surface

Increasingly, the software development community understands that more needs to be done to properly develop software that is not only efficient, but is also secure.

More is being invested on new web applications that are mission-critical touching several data compartments, and yet some basic security concepts are not being applied at the development phase of these web applications.

Most of the known attacks these days are using the same old techniques such as URL injection and Cross-Site-Scripting (XSS).

For some poorly developed applications, a non-parameterized query is all that is needed for a successful attack to pass through at least one of the 7 kill chain phases. Many other code vulnerabilities have been cataloged, and a common security guideline exists today for these application developers to follow (OWASP top 10)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

If all corporations and organizations start adopting the OWASP guidelines, they would have increased security awareness and the gain would be to increase the cost of creating or pursuing exploits on these systems.  As we increase the cost to the attackers, we reduce their ability to continue their exploits on our applications.

Penetration tests and application validation procedures are always important, but if developers were more aware of the risks and knowledgeable about the Kill chain, I believe they could embed more security “snippets” to their core code and enforce security postures from within their application.

A good starting point would be if developers would disable the amount of code running in the background during core data access tasks.

Reducing the amount of features enabled to users with high privilege access to core data, and disabling these features completely to users with low privileged credentials could be another good approach. Finally, would be interesting if, as part of a common guideline, developers would limit their own code to access data or perform network tasks if the application is made aware of a vulnerability being exploited on their own system at that specific time, some self security boundaries check from within their applications acknowledging other security devices.

Some developers already use the defense-in-depth architecture model and collaborate with Next-Gen security devices that exchange information via XML or an API capable of providing them (developers and their code) with valuable application analysis during run-time.

Network attack surface

Probably the busiest attack surface, and the most popular, is the network attack vector. Even with all standards and RFCs in place and mitigations to all published CVEs (https://cve.mitre.org/cve/), or endpoint IOC databases (http://www.openioc.org/), there are still a lot going on into a TCP packet that needs to be inspected and sometimes blocked.

We have VPNs, SSH connections, and a series of tunnels such as a point to point (PPtP) that are still not enough to contain the threats encapsulated on a TCP/UDP packet and sent through our networks. Not every user wants to be aware of the attack surface or even security in general. Not all Network Engineers and Security Engineers are willing to keep processes and security controls in check. We have created dual factor authentication, and then we created Single Sign On (SSO) and the combination of the 2 make a very secure and complex password portal.  This helps to increase the password difficult level and there are Domain administrators applying changes every other 6 months but besides all that, some users are careless to eyes dropping, social phishing and other security key capture techniques used by attackers today.

Many organizations do not enforce job (position) rotation, separation of duties (SoD), or mandatory vacations, as they should according to several standards for detective and administrative controls.  These organization’s financial departments are made well known of high costs of these risks, and rather use another administrative security control, they transfer or accept the risk to partially patch the problem.  This approach could be effective when a well-balanced finance and security department are in place, communicate, constantly update the risk environment and exchange security controls updates as needed. But this is not always the case and often leads these organizations to take misguided risks which cannot be transferred (to a insurance company for instance) and have to be absorbed by the corporation.  The company’s reputation should never be an asset never available for gambling and CSOs and CISOs are often misinformed, not on the risks, but on how they are measuring them and how other departments are electing to mitigate or accept risk.  Another detective administrative control that’s not always, or as frequently as it should be applied: The security reviews and audits.

The Network Surface is constantly and dynamically changing.  Security controls and user awareness should be as present as common as Human Resources training in place on all these corporations or organizations today.

Human attack surface

To stress why training and security awareness is important is becoming redundant. This  should be “second nature” to all users and be made paramount to them how important their data, their jobs, and their own physical safety security are. Today, employees on all levels, especially those in high profile organizations, need to be protected from external groups that are aiming at their organizations.  These attackers are investing in diverse network intrusion tactics as well as kidnapping, temporarily hijacking devices, and copying user activity from their devices from their own homes.   This can be done by following an unsuspecting user to their home,  shadowing their network services while in their houses whether wired or wireless.  It is much easier to tap on their cable provider egress than break their SSL key or IPSEC tunnels from the internet.

Many groups copy or tap into user’s home service providers and are able to gather credentials and valuable paths for real data, even if the user does not have high privileged access, to a user connecting to a non-segmented network.  For instance, a Pivot Attack would be easier from the user’s remote location than to infiltrate through the corporation’s secure inbound from the public networks.

Installing software, to later be used as a pivot attack source, into that organization is a common practice, but finding the proper people within the targeted organization is key to follow their email threats and work activity. That is enough to open several doors within the organization that other group members can exploit later with a serious agenda and a profitable contract at hand.

So, back to my initial point, in my opinion, security today is relevant, if we all don’t agree on being aware of the risks we are exposed, or we are involuntarily promoting to our employers, and generally some employees think that “its NOT our business”.   I would say: Think again, maybe it is NOW our business!

The security of your job, and your company’s data, reputation and its clients, is everyone’s responsibility, even (if not mostly) when employees are not at their work place.

 

Next Generation Firewall Overview with Glimpse of Application Identification

“I am not an advocate for frequent changes in laws and constitutions, but laws and institutions must go hand in hand with the progress of the human mind. As that becomes more developed, more enlightened, as new discoveries are made, new truths discovered and manners and opinions change, with the change of circumstances, institutions must advance also to keep pace with the times. We might as well require a man to wear still the coat which fitted him when a boy as a civilized society to remain ever under the regimen of their barbarous ancestors.”

-Excerpted from a letter from Thomas Jefferson , July 12, 1816

Interestingly, Thomas Jefferson’s quote could not be more appropriate when assessing todays state in IT Network Security. When people hear IT Network Security one of the first devices that come to mind is a firewall. Early firewalls started out as not much more than an extended access list. As security requirements grew Stateful packet inspect was introduced by Check Point Software to address several security issues with most notably being certain types of man in the middle attacks (MITM). As stateful inspection began to take off many network engineers found difficulties in implementation among some issues asymmetric routing became an issue that required engineers to control network paths with a fine tooth comb to confirm forward and reverse traffic were taking the same route back and forth or it would be dropped due to stateful inspection. Part of the reason for this introduction was to reduce the capability for a man in the middle attack to be intercepting traffic and sending it back without the end user being aware their network traffic had been compromised.

Fast forward back to the present and Next Generation Firewalls (NGFW) and layer 7 inspection are introducing a new evolution in IT security whose functionality is critical to todays’ IT security landscape. With many vendors introducing their own take on layer 7 inspection the importance of this new upgrade in capabilities is more apparent than ever akin to when stateful packet inspect was originally introduced. Most firewalls previously are port based in the sense that port 80 and 443 may be open outbound to allow web and ssl traffic.

With that knowledge a malicious user could exploit this port based firewall by running any application over these ports even though they were originally designed with the intent for web browsing and ssl traffic. A malicious user could run any application they desired over open ports without any restriction including unwanted chat and bit torrent clients up to and including applications like nmap without the restriction of being blocked by a firewall without another security applicance on the network capable of application inspection.

NGFW’s enable network security engineers to not only restrict ports but also applications and ports, they do this by inspecting IP packets for what data is inside the packet header beyond the traditional source/destination and port. This visibility into traffic is critical to enabling an engineer the capability to not only restrict port but also only allow web-browsing over port 80 or only ssl traffic over 443, and disabling any traffic that does not have web-browsing requests or ssl in the IP headers and blocking a malicious users ability to run other applications like torrents or nmap over that port or even save bandwidth by stopping applications like youtube google-hangouts, facetime, minecraft and other applications that may be unwanted on the network.  In figure 1, in addition to source/destination you see a user viewing youtube over port 443 which is traditionally open, the functionality of this firewall will enable a Network Security Engineer to only allow ssl and web-browsing while blocking youtube. It is important to note that encrypted ssl traffic can be decrypted however that will be touch on in a separate article.

app-id-youtube

This new capacity requires specific configurations to implement correctly. During migrations many engineers lacking knowledge of why some traffic may stop working due to new application layer rules may cause openings in security to increase usability by removing some of the application layer configurations. This trade off is not using this new technology and functionality correctly and is effectively putting a child’s coat on an adult, it does not fit according to how the IT security landscape has evolved. Implementing this technology is critical to providing secure and trusted network traffic transactions and assist in disabling a malicious users ability to abuse legacy firewall functionality.

ICMP Security

This is a draft guide to handling ICMP securely.

Guide Analysis to Handling ICMP protocol

Summary:

This guide is an attempt to help answer common questions related to the handling of ICMP protocol in a secure and effective manner. Comments and feedback is always welcomed. This article is meant to cover the major area in which there may be questions on how to handle ICMP and what specifically should we allow in each particular condition which will also allow for effective risk mitigation. If you need specifics on ICMP codes with in each ICMP type please refer to the reference URLs below.

Major ICMP Protocol Types:

– 0: Echo Reply

– 3: Destination Unreachable

– 4: Source Quench

– 5: Redirect (change a route)

– 8: Echo Request

– 9: Router Advertisement

– 10: Router Solicitation

– 11: Time Exceeded for a Datagram

– 12: Parameter Problem on a Datagram

– 13: Timestamp Request

– 14: Timestamp Reply

– 17: Address Mask Request

– 18: Address Mask Reply

Areas of Affect:

Perimeter

Outbound: Echo Reply (0), Echo Request (8) (For Troubleshooting)

Deny Type: All except (TTL Exceed (11) & (Type 3, Code 4) From Limited External Testing Devices.

Interior (Corporate Network)

Internal Deny:  Should be handled on a case by case basis, however when permissible squelch Redirect (5), Router Advertisement (9), Router Solicitation (10), Timestamp Request (13), Timestamp Reply (14). Address Mask Request (17), and Address Mask Reply (18). The usefulness of the ICMP message types are deprecated by DHCP and NTP.

Internal Allow: Echo Reply (0), Destination Unreachable (3 Code 4), Echo Request (8), Time Exceeded (11)

Remote Access & Site to Site VPN

VPN Allow: Echo Reply (0), Destination Unreachable (3, Code 4), and Echo Request (8).

VPN Deny: Everything Else

Intranet to Intranet / Partner to Partner

Intranet to Intranet Allow:  Echo Reply (0), Destination Unreachable (3 Code 4), Echo Request (8), Time Exceeded (11)

Intranet to Intranet Deny: Everything Else

References:

PMTU

http://www.tcpipguide.com/free/t_IPDatagramSizetheMaximumTransmissionUnitMTUandFrag-4.htm

ICMP

http://www.tcpipguide.com/free/t_ICMPv4TimestampRequestandTimestampReplyMessages-3.htm

University of Syracuse ICMP Lecture Notes

Great SMTP DNS and Troubleshooting tool

mxtoolbox

Go to http://www.mxtoolbox.com

This test will list MX records for a domain in priority order. The MX lookup is done directly against the domain’s authoritative name server, so changes to MX Records should show up instantly. You can click Diagnostics , which will connect to the mail server, verify reverse DNS records, perform a simple Open Relay check and measure response time performance. You may also check each MX record (IP Address) against 147 DNS based blacklists . (Commonly called RBLs, DNSBLs)

ABOUT BLACKLIST CHECK

This test will check a mail server IP address against 147 DNS based email blacklists. (Commonly called Realtime blacklist, DNSBL or RBL).  If your mail server has been blacklisted, some email you send may not be delivered.  Email blacklists are a common way of reducing spam. If you don’t know your mail server’s address, start with a MX Lookup.   Or, just send an email to ping@mxtoolbox.com

ABOUT SMTP DIAGNOSTICS

This test will connect to a mail server via SMTP, perform a simple Open Relay Test and verify the server has a reverse DNS (PTR) record.  It will also measure the response times for the mail server.  If you don’t know your mail server’s address, start with a MX Lookup.

ABOUT EMAIL HEADERS and Analyzer

This tool will make email headers human readable by parsing them according to RFC 822.  Email headers are present on every email you receive via the Internet and can provide valuable diagnostic information like hop delays, anti-spam results and more. If you need help getting copies of your email headers, just read this tutorial.

ABOUT SPF RECORDS

Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses or subnets that are authorized to send email on their behalf.  The goal is to reduce the amount of spam and fraud by making it much harder for malicious senders to disguise their identity.

ABOUT DNS LOOKUP

This test will list DNS records for a domain in priority order. The DNS lookup is done directly against the domain’s authoritative name server, so changes to DNS Records should show up instantly. By default, the DNS lookup tool will return an IP address if you give it a name (e.g. www.example.com) If you give it an IP address it will return a hostname based on the reverse DNS lookup.

INC 5000 list of fast growing Companies

[frame style=”modern” image_path=”http://www.simplesignal.com/blog/images/2013/08/inc-5000.jpg” link_to_page=”” target=”” float=”” lightbox=”#” lightbox_group=”” size=”three_col_large”]

Ashburn Consulting has made the Inc. 5000 list of the fast growing companies in the nation!  This is a tremendous accomplishment and I couldn’t be any more proud of each and every one of you that has made this a reality!  We thank all of our dedicated and talented employees for their commitment to excellence to make AC what it has become today!   Grateful, Jim Burris

http://www.inc.com/profile/ashburn-consulting