05/14/02 RMIUG Meeting Minutes - Network Security in an Unsafe World

Minutes of the May 14th 2002 Meeting of the Rocky Mountain Internet Users Group (RMIUG)

The meeting started at 7:00 pm sharp and about 90 people were in attendance. Dan gave a word of thanks to our new minutes sponsor, ONEWARE (http://www.ONEWARE.com) -- a Colorado-based software company who provides semi-custom web-based applications and is sponsoring the RMIUG meeting minutes.

Dan also thanked MicroStaff (www.microstaff.com) for the ongoing sponsorship of food and beverages. MicroStaff provides Creative and Technical Talent for Web, Interactive Media, Marketing Communications and Software Development projects.

Announcements from the audience: Barry Gingrich announced an Internship Fair on Tuesday, June 4th, see http://www.denverjobsearch.com/internship for details.

Meeting attendees expressed interest in possibly having a RMIUG BBQ some time this summer.

Dan introduced the speakers for tonight's talk: Network Security in an Unsafe World

Trent Hein (trent@atrust.com) and Ned McClain (ned@atrust.com), founders of Applied Trust Engineering, gave a presentation entitled Beyond the Firewall: Completing the Security Model. (the presentation is available on their website)

Trent: What else do you need to be concerned about besides firewalls? (and ....)

Why (do you need to be concerned) now? - Worldwide explosion of internet = produced hackers - Down market business trend = produced more hackers - Strong companies will survive and security is required for strength - Public awareness for security and privacy issues has reached a threshold level

What is security? (besides a firewall) - Vigilance - - Knowledge

Risk management (involves ...) - Methodology and policies - Applied science/forensics - Architecture - Implementation - Operations

Myths of Security:

Myth: We aren't a likely target - we're small, etc. Fact: The statistics do not support this. 90 % of survey respondents reported a breach in the last 12 months.

Myth: 70% of attacks involve insiders. Fact: This is not true today. Only 33% of hackers/attackers are insiders.

Myth: Our company is secure because we have a firewall. Fact: 95% of survey respondents had commercial firewalls in place.

Myth: We have not been broken into, so we are secure. Fact: Most break-ins go undetected for more than six months. People often panic when they first discover it, and think it just happened, but the particular machine had probably been that way for months.

Security = Rodents (analogy for illustration)

Rules for Rodents

1) do not leave food lying around 2) plug holes they use to get in 3) do not provide places that make good mouse nests 4) set traps 5) check traps daily 6) do not use buy and kill poison 7) get a cat!

These Rules can also be applied to Data Network Security

1) do not provide online access to interesting files - i.e., like storing credit card numbers in .txt files on your server. 2) close holes that can be used to gain access - applies to home users, DSL users, etc. Remote access is fine, but not leaving the hole OPEN continuously. 3) don't provide nests for hackers to establish a base, i.e, don't leave open file shares. 4) set traps to detect intrusion - but not so many that you spend 8 hours a day going through log files. 5) monitor the reports that your tools are generating. Don't waste them 6) teach yourself about security. 7) vigilantly look for unusual activity - i.e, is traffic slow today? Why might that be?

Security Guide for busy people:

- make sure you have a packet filtering firewall - educate EVERYONE about security (all users) - not safe to send email in plain text -- it should be encrypted, unless it is something that could be published on the front page. -keep/maintain an incident handling guide

Packet filtering - Essential everywhere. Examples - Checkpoint, PIX, Watchguard

Home users should have a firewall these days. -Zone alarm - personal software firewall. Looks at all packets and applies a specific set of rules. -Personal hardware firewalls - DSL or cable modem - Dlink Linksys (comp USA) Configurable DSL router

User education is very important:

-All users need to be aware of the potential security risk. At home, make sure everyone knows to watch for signs of trouble. -DO NOT give out passwords! -Avoid downloading unverified software. -Corporate users need to be educated, too .... -Information sensitivity - what IS and is not sensitive. What should be encrypted?

Incident handling -Remote access policies and procedures -System hygiene -Encryption usage

Back ups -Regular offline back ups should be mandatory. Online backups like RAID do not provide you with the ability to roll back time required for security forensics -Full system backups must be made and verified at least every 30 days - store in vault. -Most organizations and households do not conform to this, and thus are unprepared for incident management.

If an incident occurs, perform a backup, because ..... It protects user data It captures disk firesystem

Regular back ups establish a baseline for recovering services, and if regular back ups become normal activity, it will not tip the intruder off that someone is onto them.

Ned: What makes a secure firewall?

- At a minimum, a source and destination address and port. - But allowing PC anywhere, for example, does not take into account specific blocking except for certain - IP addresses. So IP addresses should be selectively allowed. Many firewalls do not get that specific.

What ELSE can you do (to be secure)?

- Turn off services that you do not absolutely need - Firewalls can be set up to block only certain (IP) addresses and allow everything else, or vice versa, depending on the particular firewall. - Services ON should be restricted to a minimum required access set. - IP address limitations can be set up at the firewall level or also at the application level - (should have several layers). - Can use audit services that are accessible with a tool like nmap (it tries to connect to a series of ports and then reports on services passing through those ports)

Point - re: question asked by attendee - you need to get permission to use any such tool, from your system administrator or whomever, if you are going to use something like that, because it is like trying doors to see if unlocked. Especially if you want to test across the internet and not just on an intranet.

Patches (for security breaches):

-develop and document a patching strategy for your organization -Monitor vendor released patches regularly . Discussion of unicode bug - it has been fixed, but firewalls no good at detecting that. Important to patch servers INSIDE your network, as well as on the outside. So patching the users system is important. -Microsoft not the only one who has released patches with problems - Sun has also. So do you install patches immediately or wait? Do you use a production environment clone to test? Whatever you decide for your organization, but the point is to have a plan. -Ensure priority of patching activity is higher than for routine operations. Management may not appreciate the importance of this in the organization, and it needs to become part of the corporate culture.

Scanning for unpatched vulnerabilities:

Tool - nessus and hfnetcheck - tells you what patches you do not have installed. Every platform has a tool. Nessus checks database of known vulnerabilities. Nessus is free, can be downloaded. Is probably being used by hackers. Very common for these inbound scans to be happening all the time (nessus scans)

Use Encryption on insecure networks-- Unencrypted (information) is vulnerable: (examples) -POP or iMAP email -Non SSL web page logins (anyone with MS Outlook needs to beware of this issue) -Unprotected email and attachments -Chat/IM messages Be aware of insecure networks in addition to the internet, such as: -Public networks (library, Universities) -Wireless networks Use standardized, encryption technologies: -IPSSec -SSL TLS to protect web sessions -MS Outlook encryption or PGP for protecting email messages and attachments

Myth: an ethernet switch will keep packet detection from outside ports. Not true. If administering through a router on a network, use Cisco SSH or something similar.

Incident handling - be prepared! Recovery requires a documented handling plan. This plan defines how to: -Communicate inside and outside the organization -Handle evidence and documentation -Confirm the nature and level of threat -Respond to varying levels/types of threats -Perform system and data backups and recoveries -Use tools to gather digital forensic evidence -Follow up on an incident

Incident handling ledger - Purpose: so the engineer can follow proper procedure/evidence handling, So there is a decision making tool for handling incidents in real time

If you DON'T have an incident handling plan ..... a potential incident is difficult to confirm. Acting on a false positive is worse than taking the time to confirm. Can cause panic, service interruptions. If you have a plan, you have a baseline, and confirmation is much easier.

Deep Thoughts .... -Must have multi-layered defense -Cannot buy one product and be done

Most Fortune 500 companies spent less on security than on coffee.

Dan then introduced Robert Gray (bob@boulderlabs.com), founder of Boulder Labs, and David Clements (David.Clements@Colorado.EDU), partner at Boulder Labs, who gave a presentation on the security of wireless networks.

Robert Gray: Speaking on Wireless NW security with field report from Boulder!

They were shocked at how bad things are. Nothing wrong with wireless, but understand what you are getting into. (this talk is on their website as a PP presentation):

http://www.boulderlabs.com

Message - wireless networks are pervasive, everywhere. It is one thing to acknowledge that you are vulnerable - but just understand that if you or yourco is hacked into, your time or your companys time may be wasted. Center for astrophysics was down for two weeks. The term net citizen is starting to make sense re: individual responsibility.

Wireless cards - 50 or 60 bucks - put one in a laptop and off you go. Does not need a directional antenna. Just turn on public domain tools, and you will see and be on wireless networks. If you put a directional antenna on one, you can range well beyond a couple hundred feet.

Threats - Launching viruses wirelessly as you drive by - a stretch - but still possible.

System administrators are now are looking for unauthorized wireless networks. Winworks have access points, but somebody can be in the parking lot and pick it up. Apple Air ports can literally disable or make obsolete a firewall by coming in the easy way.

Wireless cards - most popular is 802.11b (aka WiFi) -two kinds of attacks occur: -- Active == actively sending packets, testing, probing. Passive == somebody is just listening nearby with a directional antenna. And you have no idea whom.

With a wireless card, he can pick up somebody 10 miles away by line of sight. The manufacturers of the cards and access points have developed WEP -Wired Equivalence Privacy. But flawed due to mistakes inimplementation, because they were not security folks. Lynxis and SMC can crack 40 bit or 104 bit key encryption in about 30 seconds.

Message - 40 bit encryption does not do you much good. 104 bit key encryption not easily cracked, in contrast, but it still can be. To use these, just pretend there are 8 to 20 hops along the way, and use precautions accordingly, then you will be fine. So lay your security on top of it, that is key.

(list of types of WEP attacks)

WEP security goals - -Confidentiality -Access control -Data integrity - can packets be trusted, altered ? But they do not work. Cannot trust them, must take extra precautions in order to prevent wireless hacking.

David Clements:

What has Wireless community done to catalog hacking?

Wardriving Tools -Stumbling tools: -Netstumbler.com - -Dstumbler (BSD)

Capture and Crack utilities -Airsnort (linux) -Bsd - airtools (BSD) (see Powerpoint at Boulder Labs website for URLS)

Interesting observation - only 30 - 40 % of wireless networks they detected are even bothering to turn ON encryption.

The tools have recently reached the maturity /simplicity level where almost anyone can use them.

Bob Gray (again):

How can you use wireless in a secure fashion?

-Treat 802.11b as external (i.e, outside the firewall) -802.1x -Cisco, Agere have complete solutions -Secure services - layer your own security on top = SSL, SSH, IMAP/S -IPSEC (secure IP protocol) -Use 104-bit keys and change them frequently - i.e., at least buy the 104 bit gold cards and change keys frequently.

________________________________ After the talks, the speakers sat as a panel to take questions from attendees:

Q - how do you develop a simple contingency plan ? A - Google, (search) incident handling - (look for templates, many out there).

Q - if all servers on one LAN? A - need individual internal intrusion detection. There are lots of intrusion detection systems. But the internal systems are very popular. Need to centralize logging, and you need to look at the log files. On almost a daily basis. Which is easier with high tech firewalls than with network intrusion systems.

Q - what types of regular maintenance should you do at home? A - Packet filtering firewall- need it. Determine what the trade off is - you can reinstall if you do regular backups at home. Patching, have a basic firewall, and watching for unusual behavior. Also watch the MAC address.

Q - on push towards net citizenship; when do you think it will happen? A - not soon enough. Vendors are currently NOT responsible, for problems with their software - unlike a drug company! Vendors will probably be accountable first, then perhaps users will become more so.

Q - nmap scan - what are they? Did not recognize - ? A - Unix, Solaris, etc ....Can run a lot off them right off the shelf. But some (especially Windows desktops) you cannot turn them off and have your machine work normally, so the only answer is to have a firewall.

Q - what about http protocol tools? Do they have value for home users? A - Yes - Microsoft Security Advisor, and others (Shields up, for one).

Q - do you tell them (wireless companies) that they are wide open? A - We have not done that to companies ... but we have received responses from people in Boulder. Some are upset, and some are open and looking for input or help.

Q - cell phones - WAP - how secure? A - Not sure. But in GENERAL, people not doing stock stuff using WAP yet because not secure enough for basic retail.

Q - security of VLANs? A - Depends on how configured. Cisco VLAN is considered by some to be as secure as actual hardware LAN. (point added: it also depends on exactly what you mean by VLAN, it can mean slightly different things depending on context).

Q - is there a lot of bleed over from [router] switch to switch? A - Yes, even with Cisco. Arp flooding - firewall vendors - when it fails, it stops traffic.

Q - back up software - is any of it cross platform? A - Not really. Or not for under 6 digits. [Reference to Amanda as not having full system back up].

Q - what about poorly developed applications? A - Products to detect application intrusions are only recently being developed. [SQL tool given as example]. Security ROI /development of good practices from the start is becoming more prevalent.

Q - Have MS products improved in security? A - no.

Q - for large wireless networks, does CDMA help obscure the signals/traffic? A - Not really.

Q - Guesstimate on 802.11I arrival? A - no bidirectional authentication is available yet. Cicso stuff does have bidirectional authentication and seems to have solved WEP deficiencies.

Q - what type of skill level of threat (in hackers) is happening now, and where will it go? A - go to CGI and download report - but the low level of skill [of hackers] is shocking. There are 50,000 infected code red computers TODAY. And this has been known for months. In the computer world it only takes the time to hack that it takes to download.

Q - for Ned and Trent - what is the customer mix? A - less than 20% of clients come to them in a panic. But there are a lot who mess around with Norton [antivirus software], etc., and not DO anything, so never see them. They do not approach it pro-actively.

___________________

RMIUG minutes submitted by Elizabeth Cline, Cline Enterprises, (phdski@aol.com). Elizabeth is a former research scientist with fifteen years experience in technical writing. She is currently seeking work writing, editing, or developing online help systems in Information Technology or academia.

RMIUG (http://www.rmiug.org/) appreciates the sponsorship of MicroStaff (http://www.microstaff.com) and ONEWARE (http://www.ONEWARE.com)