RMIUG Meeting Minutes - Network Security
in an Unsafe World
Minutes of the May 14th 2002 Meeting of
the Rocky Mountain Internet Users Group
The meeting started at 7:00 pm sharp and
about 90 people were in attendance. Dan
gave a word of thanks to our new minutes
sponsor, ONEWARE (http://www.ONEWARE.com)
-- a Colorado-based software company who
provides semi-custom web-based applications
and is sponsoring the RMIUG meeting minutes.
Dan also thanked MicroStaff (www.microstaff.com)
for the ongoing sponsorship of food and
beverages. MicroStaff provides Creative
and Technical Talent for Web, Interactive
Media, Marketing Communications and Software
Announcements from the audience: Barry
Gingrich announced an Internship Fair on
Tuesday, June 4th, see http://www.denverjobsearch.com/internship
Meeting attendees expressed interest in
possibly having a RMIUG BBQ some time this
Dan introduced the speakers for tonight's
talk: Network Security in an Unsafe World
Trent Hein (firstname.lastname@example.org)
and Ned McClain (email@example.com),
founders of Applied Trust Engineering, gave
a presentation entitled Beyond the Firewall:
Completing the Security Model. (the presentation
is available on their website)
Trent: What else do you need to be concerned
about besides firewalls? (and ....)
Why (do you need to be concerned) now?
- Worldwide explosion of internet = produced
hackers - Down market business trend = produced
more hackers - Strong companies will survive
and security is required for strength -
Public awareness for security and privacy
issues has reached a threshold level
What is security? (besides a firewall)
- Vigilance - - Knowledge
Risk management (involves ...) - Methodology
and policies - Applied science/forensics
- Architecture - Implementation - Operations
Myths of Security:
Myth: We aren't a likely target - we're
small, etc. Fact: The statistics do not
support this. 90 % of survey respondents
reported a breach in the last 12 months.
Myth: 70% of attacks involve insiders.
Fact: This is not true today. Only 33% of
hackers/attackers are insiders.
Myth: Our company is secure because we
have a firewall. Fact: 95% of survey respondents
had commercial firewalls in place.
Myth: We have not been broken into, so
we are secure. Fact: Most break-ins go undetected
for more than six months. People often panic
when they first discover it, and think it
just happened, but the particular machine
had probably been that way for months.
Security = Rodents (analogy for illustration)
Rules for Rodents
1) do not leave food lying around 2) plug
holes they use to get in 3) do not provide
places that make good mouse nests 4) set
traps 5) check traps daily 6) do not use
buy and kill poison 7) get a cat!
These Rules can also be applied to Data
1) do not provide online access to interesting
files - i.e., like storing credit card numbers
in .txt files on your server. 2) close holes
that can be used to gain access - applies
to home users, DSL users, etc. Remote access
is fine, but not leaving the hole OPEN continuously.
3) don't provide nests for hackers to establish
a base, i.e, don't leave open file shares.
4) set traps to detect intrusion - but not
so many that you spend 8 hours a day going
through log files. 5) monitor the reports
that your tools are generating. Don't waste
them 6) teach yourself about security. 7)
vigilantly look for unusual activity - i.e,
is traffic slow today? Why might that be?
Security Guide for busy people:
- make sure you have a packet filtering
firewall - educate EVERYONE about security
(all users) - not safe to send email in
plain text -- it should be encrypted, unless
it is something that could be published
on the front page. -keep/maintain an incident
Packet filtering - Essential everywhere.
Examples - Checkpoint, PIX, Watchguard
Home users should have a firewall these
days. -Zone alarm - personal software firewall.
Looks at all packets and applies a specific
set of rules. -Personal hardware firewalls
- DSL or cable modem - Dlink Linksys (comp
USA) Configurable DSL router
User education is very important:
-All users need to be aware of the potential
security risk. At home, make sure everyone
knows to watch for signs of trouble. -DO
NOT give out passwords! -Avoid downloading
unverified software. -Corporate users need
to be educated, too .... -Information sensitivity
- what IS and is not sensitive. What should
Incident handling -Remote access policies
and procedures -System hygiene -Encryption
Back ups -Regular offline back ups should
be mandatory. Online backups like RAID do
not provide you with the ability to roll
back time required for security forensics
-Full system backups must be made and verified
at least every 30 days - store in vault.
-Most organizations and households do not
conform to this, and thus are unprepared
for incident management.
If an incident occurs, perform a backup,
because ..... It protects user data It captures
Regular back ups establish a baseline
for recovering services, and if regular
back ups become normal activity, it will
not tip the intruder off that someone is
Ned: What makes a secure firewall?
- At a minimum, a source and destination
address and port. - But allowing PC anywhere,
for example, does not take into account
specific blocking except for certain - IP
addresses. So IP addresses should be selectively
allowed. Many firewalls do not get that
What ELSE can you do (to be secure)?
- Turn off services that you do not absolutely
need - Firewalls can be set up to block
only certain (IP) addresses and allow everything
else, or vice versa, depending on the particular
firewall. - Services ON should be restricted
to a minimum required access set. - IP address
limitations can be set up at the firewall
level or also at the application level -
(should have several layers). - Can use
audit services that are accessible with
a tool like nmap (it tries to connect to
a series of ports and then reports on services
passing through those ports)
Point - re: question asked by attendee
- you need to get permission to use any
such tool, from your system administrator
or whomever, if you are going to use something
like that, because it is like trying doors
to see if unlocked. Especially if you want
to test across the internet and not just
on an intranet.
Patches (for security breaches):
-develop and document a patching strategy
for your organization -Monitor vendor released
patches regularly . Discussion of unicode
bug - it has been fixed, but firewalls no
good at detecting that. Important to patch
servers INSIDE your network, as well as
on the outside. So patching the users system
is important. -Microsoft not the only one
who has released patches with problems -
Sun has also. So do you install patches
immediately or wait? Do you use a production
environment clone to test? Whatever you
decide for your organization, but the point
is to have a plan. -Ensure priority of patching
activity is higher than for routine operations.
Management may not appreciate the importance
of this in the organization, and it needs
to become part of the corporate culture.
Scanning for unpatched vulnerabilities:
Tool - nessus and hfnetcheck - tells you
what patches you do not have installed.
Every platform has a tool. Nessus checks
database of known vulnerabilities. Nessus
is free, can be downloaded. Is probably
being used by hackers. Very common for these
inbound scans to be happening all the time
Use Encryption on insecure networks--
Unencrypted (information) is vulnerable:
(examples) -POP or iMAP email -Non SSL web
page logins (anyone with MS Outlook needs
to beware of this issue) -Unprotected email
and attachments -Chat/IM messages Be aware
of insecure networks in addition to the
internet, such as: -Public networks (library,
Universities) -Wireless networks Use standardized,
encryption technologies: -IPSSec -SSL TLS
to protect web sessions -MS Outlook encryption
or PGP for protecting email messages and
Myth: an ethernet switch will keep packet
detection from outside ports. Not true.
If administering through a router on a network,
use Cisco SSH or something similar.
Incident handling - be prepared! Recovery
requires a documented handling plan. This
plan defines how to: -Communicate inside
and outside the organization -Handle evidence
and documentation -Confirm the nature and
level of threat -Respond to varying levels/types
of threats -Perform system and data backups
and recoveries -Use tools to gather digital
forensic evidence -Follow up on an incident
Incident handling ledger - Purpose: so
the engineer can follow proper procedure/evidence
handling, So there is a decision making
tool for handling incidents in real time
If you DON'T have an incident handling
plan ..... a potential incident is difficult
to confirm. Acting on a false positive is
worse than taking the time to confirm. Can
cause panic, service interruptions. If you
have a plan, you have a baseline, and confirmation
is much easier.
Deep Thoughts .... -Must have multi-layered
defense -Cannot buy one product and be done
Most Fortune 500 companies spent less
on security than on coffee.
Dan then introduced Robert Gray (firstname.lastname@example.org),
founder of Boulder Labs, and David Clements
partner at Boulder Labs, who gave a presentation
on the security of wireless networks.
Robert Gray: Speaking on Wireless NW security
with field report from Boulder!
They were shocked at how bad things are.
Nothing wrong with wireless, but understand
what you are getting into. (this talk is
on their website as a PP presentation):
Message - wireless networks are pervasive,
everywhere. It is one thing to acknowledge
that you are vulnerable - but just understand
that if you or yourco is hacked into, your
time or your companys time may be wasted.
Center for astrophysics was down for two
weeks. The term net citizen is starting
to make sense re: individual responsibility.
Wireless cards - 50 or 60 bucks - put
one in a laptop and off you go. Does not
need a directional antenna. Just turn on
public domain tools, and you will see and
be on wireless networks. If you put a directional
antenna on one, you can range well beyond
a couple hundred feet.
Threats - Launching viruses wirelessly
as you drive by - a stretch - but still
System administrators are now are looking
for unauthorized wireless networks. Winworks
have access points, but somebody can be
in the parking lot and pick it up. Apple
Air ports can literally disable or make
obsolete a firewall by coming in the easy
Wireless cards - most popular is 802.11b
(aka WiFi) -two kinds of attacks occur:
-- Active == actively sending packets, testing,
probing. Passive == somebody is just listening
nearby with a directional antenna. And you
have no idea whom.
With a wireless card, he can pick up somebody
10 miles away by line of sight. The manufacturers
of the cards and access points have developed
WEP -Wired Equivalence Privacy. But flawed
due to mistakes inimplementation, because
they were not security folks. Lynxis and
SMC can crack 40 bit or 104 bit key encryption
in about 30 seconds.
Message - 40 bit encryption does not do
you much good. 104 bit key encryption not
easily cracked, in contrast, but it still
can be. To use these, just pretend there
are 8 to 20 hops along the way, and use
precautions accordingly, then you will be
fine. So lay your security on top of it,
that is key.
(list of types of WEP attacks)
WEP security goals - -Confidentiality
-Access control -Data integrity - can packets
be trusted, altered ? But they do not work.
Cannot trust them, must take extra precautions
in order to prevent wireless hacking.
What has Wireless community done to catalog
Wardriving Tools -Stumbling tools: -Netstumbler.com
- -Dstumbler (BSD)
Capture and Crack utilities -Airsnort
(linux) -Bsd - airtools (BSD) (see Powerpoint
at Boulder Labs website for URLS)
Interesting observation - only 30 - 40
% of wireless networks they detected are
even bothering to turn ON encryption.
The tools have recently reached the maturity
/simplicity level where almost anyone can
Bob Gray (again):
How can you use wireless in a secure fashion?
-Treat 802.11b as external (i.e, outside
the firewall) -802.1x -Cisco, Agere have
complete solutions -Secure services - layer
your own security on top = SSL, SSH, IMAP/S
-IPSEC (secure IP protocol) -Use 104-bit
keys and change them frequently - i.e.,
at least buy the 104 bit gold cards and
change keys frequently.
the talks, the speakers sat as a panel to
take questions from attendees:
Q - how do you develop a simple contingency
plan ? A - Google, (search) incident handling
- (look for templates, many out there).
Q - if all servers on one LAN? A - need
individual internal intrusion detection.
There are lots of intrusion detection systems.
But the internal systems are very popular.
Need to centralize logging, and you need
to look at the log files. On almost a daily
basis. Which is easier with high tech firewalls
than with network intrusion systems.
Q - what types of regular maintenance
should you do at home? A - Packet filtering
firewall- need it. Determine what the trade
off is - you can reinstall if you do regular
backups at home. Patching, have a basic
firewall, and watching for unusual behavior.
Also watch the MAC address.
Q - on push towards net citizenship; when
do you think it will happen? A - not soon
enough. Vendors are currently NOT responsible,
for problems with their software - unlike
a drug company! Vendors will probably be
accountable first, then perhaps users will
become more so.
Q - nmap scan - what are they? Did not
recognize - ? A - Unix, Solaris, etc ....Can
run a lot off them right off the shelf.
But some (especially Windows desktops) you
cannot turn them off and have your machine
work normally, so the only answer is to
have a firewall.
Q - what about http protocol tools? Do
they have value for home users? A - Yes
- Microsoft Security Advisor, and others
(Shields up, for one).
Q - do you tell them (wireless companies)
that they are wide open? A - We have not
done that to companies ... but we have received
responses from people in Boulder. Some are
upset, and some are open and looking for
input or help.
Q - cell phones - WAP - how secure? A
- Not sure. But in GENERAL, people not doing
stock stuff using WAP yet because not secure
enough for basic retail.
Q - security of VLANs? A - Depends on
how configured. Cisco VLAN is considered
by some to be as secure as actual hardware
LAN. (point added: it also depends on exactly
what you mean by VLAN, it can mean slightly
different things depending on context).
Q - is there a lot of bleed over from
[router] switch to switch? A - Yes, even
with Cisco. Arp flooding - firewall vendors
- when it fails, it stops traffic.
Q - back up software - is any of it cross
platform? A - Not really. Or not for under
6 digits. [Reference to Amanda as not having
full system back up].
Q - what about poorly developed applications?
A - Products to detect application intrusions
are only recently being developed. [SQL
tool given as example]. Security ROI /development
of good practices from the start is becoming
Q - Have MS products improved in security?
A - no.
Q - for large wireless networks, does
CDMA help obscure the signals/traffic? A
- Not really.
Q - Guesstimate on 802.11I arrival? A
- no bidirectional authentication is available
yet. Cicso stuff does have bidirectional
authentication and seems to have solved
Q - what type of skill level of threat
(in hackers) is happening now, and where
will it go? A - go to CGI and download report
- but the low level of skill [of hackers]
is shocking. There are 50,000 infected code
red computers TODAY. And this has been known
for months. In the computer world it only
takes the time to hack that it takes to
Q - for Ned and Trent - what is the customer
mix? A - less than 20% of clients come to
them in a panic. But there are a lot who
mess around with Norton [antivirus software],
etc., and not DO anything, so never see
them. They do not approach it pro-actively.
RMIUG minutes submitted by Elizabeth Cline,
Cline Enterprises, (email@example.com).
Elizabeth is a former research scientist
with fifteen years experience in technical
writing. She is currently seeking work writing,
editing, or developing online help systems
in Information Technology or academia.
appreciates the sponsorship of MicroStaff
and ONEWARE (http://www.ONEWARE.com)