Dr. Tom Shinder’s Blog

Archive: January 2008

Should You Honor Your Users’ Trust?

Users, whether they be your corporate users, or users who connect from the Internet to resources you host, put their trust in you. This is especially true when it comes to secure connections. When your users see that little lock in their browser window, they come to expect that the connection from their computer to your computer is secured by SSL. Don’t you, as a network admin interested in security, expect the same thing?

I know that I do.

Now, imagine that this trust is broken. The user who believes that his connection to your server is secure does not, in fact, have a secure connection to your server. Instead, that user is actually connecting to your server through a reverse proxy device that terminates the connection before it reaches your Web server, and then forwards that connection in an unencrypted form to your Web server. In this scenario, the connection is trusted (secure) to the reverse proxy server, but then is untrusted between your reverse proxy server and your Web server.

Why would anyone put together such a solution? In fact, this is a very common setup for secure Web sites accessible over the Internet. This practice is often referred to as “SSL Offloading”. By terminating the secure SSL sessions at the reverse proxy server, they offload the SSL processor overhead from the Web server to the Web proxy, making more processor cycles available to the Web server for providing the information requested by the users.

While SSL offloading sounds nice (at least to the Web server administrator and the person who pays for the Web server hardware), doesn’t it violate the trust your users put in you? Doesn’t it violate the trust that your users have that their connections are secure from end to end?

It sure does. Your users trust that the connection is secure from end to end, period. When they see the little lock icon in the browser window, they assume an end to end encrypted session. There are no warnings in the browser window saying “you have a secure connection to the server’s Web proxy server, but after that, you’re going to have to trust that your information is no longer secured by SSL and hope that the network between the Web proxy server and the Web server you thought you were securely connecting to is free from intruders”.

Of course, no one puts that kind of information on their Web pages. But what would happen if a customer’s information is stolen while it is in transit on the unsecured connection between the reverse proxy and the destination Web server? How would you explain that to the court? Do you think the judge would accept your explanation that you didn’t want to scale up your processor or didn’t want to buy an SSL offload card?

For these reasons of trust and liability, I recommend that you never use SSL offloading. The only exception is if you decide to use some type of crossover cable between your reverse Web proxy and the destination Web server, or if you choose to use IPsec between the reverse proxy and Web server. But if you’re going to use IPsec, why not avoid the complexities of IPsec and just let the SSL connection go from end to end? Most sophisticated Web proxy servers will terminate the SSL connection and reinitiate it (like the ISA Firewall’s Web proxy Filter capabilities). So just use SSL all the way, from end to end.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to 
http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

OpenDNS as a Poor Man’s Web Filter

Web Filters are expensive, as anyone who’s ever purchased a Web Filtering solution knows. One way to filter dangerous sites might be to use a DNS service that helps with blocking some of the more egregious sites. This solution is provided by www.opendns.com. They provide a free service where you use their DNS servers instead of your ISP’s. They then send you to a safe Web page when you or your users attempt to connect to phishing, adult, anonymous proxy and other dangerous sites.

The good news about this solution is that it’s free. No, it’s definitely not an enterprise solution and there can be some problems with using it (such as when you’re a VPN client and need DNS services), but for small businesses and individuals, this could be an ideal solution to filtering out a lot of the dangerous sites out there on the Internet.

Implementing this is easy. Configure the DNS resolvers on your network to use the OpenDNS DNS servers as their forwarders.

For more information about OpenDNS, check out:

www.opendns.com

Sorry for the short post tonight, time got ahead of me. I promise a more interesting and insightful posting tomorrow :)

Thanks!

Tom

Server Core Management a Potential Security Issue

You’re more likely to do something right when it’s easy to do. When you were in school (or if you’re in school now), which tests do you make fewer mistakes on? The easy tests or the hard tests? When setting the time on a device, when are you more likely to make a mistake? When you’re setting the time on your watch or on your VCR? When income taxes are prepared, where are more mistakes made? On a 1040EZ or on the pages and pages of a Schedule C filing?

Easy leads to fewer mistakes. And the more transparent and understandable a process is, the less likely it will be that you’ll make a mistake. Even hardware device makers, who used to depend on command line management only, realized that there were serious configuration errors made on their network gear because of the complexity and lack of transparency provided by the command line interface. Now these network gear makers include a graphical user interface to reduce the number of configuration errors inherent in command line management.

Indeed, it’s a well-known fact in the firewall world that the vast majority of security breaches due to firewall issues are not from any inherent weaknesses in the firewall itself, but from misconfiguration of the firewall. And the more difficult it is to configure the firewall, the more likely it will be that mistakes will be made, and sometimes those mistakes can have disastrous effects on network security.

Enter now Windows Server 2008 Core. Server Core is an installation option that allows you to install Windows Server 2008 with a minimal number of binaries required to get the operating system running. Because only a minimal number of binaries are included in the operating system installation, Server Core can host only a subset of the 17 Server Roles available in Windows Server 2008. There is no graphical interface for managing the Server Core operating system. You must use a local command prompt or RDP into a command prompt environment. For server roles that you install on Server Core, there is the option of remote management through an MMC console.

If you have a chance, try the Server Core installation option. Now try to do very basic configurations like assigning IP addressing information, changing the name of the server, setting the time zone and the date and time, and joining a domain. Then try to add Server Roles and Role services and then try to add some Server features such as BitLocker. You won’t be able to do it. However, you can refer to this guidance: http://technet2.microsoft.com/windowsserver2008/en...r=true

Now try setting up Server Core by using that guidance. Make it a real installation, complete with real server roles, like File Server with DFS and failover clustering. Now with that experience, try installing Server Core again and install another Server role, such as a DHCP and DNS server, but without looking at the guidance. Remember to configure the Windows Firewall for remote management. You didn’t remember all the commands? OK, give it another try while looking. Now try again without looking. Did you get it right? Odds are, probably not.

Server Core is advertised as more secure because of the smaller attack surface. I can’t argue with that. They also advertise it as easier to manage. That is something only a marketing guy who needs a vacation could come up with. What they were trying to say is that Server Core doesn’t need so many updates, since much of the functionality of Windows Server 2008 isn’t available in Server Core, so you don’t need to update binaries that aren’t there. But saying it’s easier to manage could only come from someone who hasn’t tried to manage Server Core.

The question is — will the security advantage of a smaller attack surface outweigh the security risks of a complex and non-transparent configuration and management environment? Will Server Core run into the same issues that hardware firewall vendors ran into with the security breaches related to misconfiguration due to complexity and lack of transparency? No one knows yet, as Windows Server 2008 hasn’t yet been released. One might draw parallels with the Unix environment — where misconfiguration due to CLI management is a very common occurrence. What’s disturbing is that Unix administrators are highly skilled with the command line and have worked with it exclusively for many years. What will be the effects of putting Windows administrators in such an unfriendly and unforgiving environment?

I suggest you keep a close eye on security reports on Server Core installations being compromised due to misconfiguration in the year following Windows Server 2008’s release. Doing it wrong with Server Core is easy — one typo, one wrong command, and the difficulty in reviewing your configuration may well conspire against the advantages of the lower attack surface.

That’s it for today :)

HTH,

Tom

The Myth of the "Trusted Network"

I was talking to a friend who uses a non-ISA Firewall to protect his network and he was talking about some of the configuration settings on his firewall. He said he was having problems with configuring traffic going through the “trusted” network interface. Just to confirm, I asked him what a “trusted network” was, and he said without hesitation that it was the internal network, in contrast to the Internet, which is an untrusted network.

This got me to thinking how slow change comes in our business. In the 1990s, there was a concept of the untrusted Internet and the trusted internal network. You didn’t trust the Internet because there were millions of people out there just waiting to hack into your network. In contrast, you could trust the internal network, because it was assumed that there weren’t any malicious users or software running on your well managed corporate network. In fact, many firewalls were designed with this concept in mind and didn’t apply stateful packet and application layer inspection on the “trusted” interface.

With 20/20 hindsight, it’s hard to explain why we were so naive about network security in the 1990s. Why would we believe that we could trust the users on our network? Why would we make the assumption that we could trust all the software running on our network? Was this a leftover from the days of non-Internet connected networks, where “sneaker net” and simple LAN-only networking was all that was available? Was it because viruses were rare, and network worms almost non-existent?

Whatever the reason, it’s clear that in the 21st century, the concept of the trusted network needs to be disposed of. There are no trusted networks. There may be variable levels of distrust for one network compared to another, but no network can be trusted. There is too much connectivity between all networks, due to the Internet, to ever consider a network to be a trusted network.

Why is it important to do away with the concept of a trusted network? Because if you believe your network is trusted, you won’t suspect that any potential attackers exist on that network. A good security posture to take is to assume that an attacker is already on your network, and work from there.

What’s one of the most important things you can do in order to deal with the risks of your untrusted corporate network? Encryption. One of the most dangerous aspects of the belief in trusted networks is the assumption that data moving over the wire is secure from interception. If you believe that there are no trusted networks, you’ll realize that the data moving over the wire can be intercepted, read, replayed and used against you in an attack.

So what can you do? The answer is actually quite simple. You can use IPsec with ESP AES encryption to secure all data moving over the network. Or, at least use IPsec with ESP AES encryption for all communications between clients and servers that contain sensitive information. It’s quite easy to set up IPsec policies of this kind using Windows Vista and Windows Server 2008 - the nightmare of the Windows 2000/2003 IPsec policy wizard is (almost) gone and IPsec policies are no-brainers to set up now.

IPsec is good for securing traffic that moves between clients and servers on your network, but what about protecting information that moves between your network and the Internet? In that case, you’ll have to either secure the session stream using SSL/TLS technologies (such as HTTPS, SMTPS, POP3S, IMAP4S, etc), or encrypt the data in the application stream (S/MIME for email, encrypted archives, Rights Management, password-protected, encrypted office docs using AES256-bit encryption, etc).

Bottom line: Don’t assume that you can trust your network. Assume that you can’t trust your network and take steps to encrypt as much as possible of the data that runs over your network.

For more information about IPSec, check out:

http://technet.microsoft.com/en-us/network/bb531150.aspx

http://www.microsoft.com/technet/community/columns...4.mspx

http://www.microsoft.com/technet/community/columns...5.mspx

HTH,

Tom

The Not So Secret Security Risks of RDP (Presentation Virtualization)

Microsoft is getting big into the virtualization game. While most Microsoft network admins are aware of Virtual Server 2005 R2 and Virtual PC, Microsoft has several other virtualization products that are currently available or in the works. However, before getting to Microsoft’s virtualization offerings, it’s worth thinking about the types of virtualization products that are available.

Most of us think of virtualization as operating system virtualization. Examples of products that provide operating system virtualization are Virtual Server 2005 R2, Virtual PC, VMware workstation and server (including ESX server) and the upcoming Hyper-V, which will be server virtualization included in Windows Server 2008.

But there are other types of virtualization. These are:

  • Presentation Virtualization
  • Application Virtualization

Presentation virtualization is where a desktop environment running on one machine is presented to another machine. Remote Desktop and Terminal Services are examples of presentation virtualization. Application virtualization is where individual applications actually run on another computer and are streamed to another computer. Examples of application virtualization include Microsoft SoftGrid and Windows Server 2008 Terminal Services RemoteApp.

Application virtualization is an important security advance. Why? Because of the risks of full presentation virtualization. Think about it. When you allow remote access to a full Remote Desktop or Terminal Services session, you’re allowing access to a full featured desktop platform and everything that a full desktop platform can do. What if an intruder is able to gain access to a FULL DESKTOP environment and take advantage of everything that a full desktop environment can do? It would be a security nightmare. Think of how easy it would be for an attacker to gain whatever information he wanted if he had full control of a desktop within your network.

Now you might say “well, we require authentication and authorization and users aren’t allowed to run as admin”. That’s true, but think about how easy it is to get user passwords or smart cards. Theft takes care of the smart card problem, and social engineering can take care of both the smart card and PIN or password issue. Once the attacker gains access to these credentials, it’s party time for the attacker, and it’s your network hosting the attacker’s party.

This is why I never allow full presentation virtualization (Remote Desktop or Terminal Server) to average users. They don’t need it, so they don’t get it. However, they do need access to data. How do you provide this access? Use a VPN server with strong firewall access controls (like what you can do with an ISA Firewall VPN server) or use an SSL VPN gateway, like the Microsoft IAG.

Or — use the upcoming Windows Server 2008 Terminal Server RemoteApps or SoftGrid. Both of these provide users access to applications they need to do their work, and can also provide them with access to the information they need to use with those applications. Remember, the Holy Grail is least privilege. If users need remote access to applications, then give them access to the applications. But don’t give them any more than that.

HTH,

Tom

The Security Nightmare of Small Business VPNs

I was having lunch with an old friend of mine who does a lot of small and micro-business work. He was telling me about several real estate offices who recently discovered the magic of Virtual Private Networking. Seems that once the employees of these real estate offices learned that they could get files from home over the VPN connection, they rarely come into work. This isn’t such a bad thing, as most of the agents were much more productive working from home, as this made it easier for them to be on the road with clients.

Working with VPNs is nothing new to me. As a network security guy, I’ve been using VPN technology since I got into the business in the early 1990s. Given my great familiarity with VPNs, I asked my friend what he was doing to secure the network from the VPN users. What types of access controls was he placing on the VPN connections to protect the network from the unmanaged clients connecting to the real estate office’s network?

My friend was sort of surprised to hear this. He figured that VPNs were security technologies, so there was really nothing else that needed to be done. ACK! I explained to him that while VPNs provide privacy, they don’t do a whole lot for security. I explained to him that VPN connections are especially dangerous because users are using their own computers, such as home computers that teenagers and other security risks use, and that any security issues on these VPN client computers can be easily spread to the real estate offices’ networks.

He wanted to know what he could do. The first and most important thing is to use a VPN server that allows you to control what users can access when connected to the network. What is it they need to do when they connect? Read pages on an internal Web server? Get files from a specific network share? RDP into their own computers? Determine what the users need and give them permission to only access the information they need. This is known as the principle of least privilege.

The second thing he needs to do is use a mechanism that tests the client computer’s health before that computer is allowed to connect. Does the VPN client computer have the Windows Firewall enabled? Does the VPN client computer have the most recent security updates installed? Does the VPN client computer have AV and AS software installed, and if so, does the AV and AS software have its latest updates installed? By requiring the VPN client machines to have minimum security configurations installed and enabled, you can go a long way toward protecting the office network against the spread of virus and worm infections from unmanaged VPN client computers.

So how do you do this with Microsoft technologies? The ISA Firewall is also a VPN server. You can easily configure least privilege using an ISA Firewall VPN server. In addition, the ISA Firewall performs stateful packet and application layer inspection for further security. The ISA Firewall also includes a remote access quarantine function that allows you to block connections from machines that don’t meet your client health requirements.

In the future, you can replace the ISA Firewall’s remote access quarantine function with Network Access Protection. NAP is a more sophisticated method of controlling access for non-compliant computers. NAP requires a Windows Server 2008 infrastructure and Windows XP SP3 or Windows Vista clients.

The take home message for small businesses is that you need to enforce some control over the connections made by VPN clients. The security problems these home workers have on their own home computers will soon be yours if you don’t make sure to enforce least privilege and enforce system health requirements before allowing VPN clients to connect.

HTH,

Tom

BitLocker Security - A Double Edged Sword

I was talking to my wife, Deb Shinder (security MVP) about Vista security and asked her about a rumor regarding “back doors” in Vista’s BitLocker whole volume encryption feature. She told me that this is only a reckless rumor that has no basis in fact. There are no back doors in Vista’s BitLocker disk encryption feature. None, not any.

Well, that seems like good news to me. If I lose my laptop, I can rest assured that no scumbag is going to be able to access my email or the super secret PowerPoint presentations I create for large companies and governments. There is no back door and it doesn’t matter that the bad guys have physical access to the disk.

How can this be a bad thing? For my own data, it’s not a bad thing. But technology doesn’t know who’s a good guy and who’s a bad guy. What if some terrorist had valuable information on his hard disk that could allow law enforcement to stop a major attack, but that information was protected by BitLocker? Law enforcement might see rumors on the Web that there was a back door and ask Microsoft for the keys. They’ll be sad to find that there is no back door and that there’s no way they’ll be able to get the information they need without the cooperation of the criminal.

Does that mean that Microsoft should not release BitLocker? Of course not. There are already many disk encryption products on the market today that you can buy from third parties. Microsoft isn’t doing anything new here, except that they’re including it with some versions of the Vista operating system. I’ve heard some people in the law enforcement community say that MS should not release BitLocker to the general community.

Of course, I think they’re wrong. However, keep in mind that if you don’t provide law enforcement with your keys when asked, that may be just enough to give them probable cause to arrest you, even if you didn’t do anything wrong. And if you’re at a border, keep in mind that you don’t have any Constitutional Rights (if you’re a US citizen) against unreasonable Search and Seizure. No, it’s not a Patriot Act thing — it’s always been that way.

If you want to know more about BitLocker, check out http://technet.microsoft.com/en-us/windowsvista/aa...5.aspx

BTW — the RTM version of BitLocker allows you to only encrypt the Vista boot volume. When Vista SP1 is installed, you’ll be able to encrypt any volume. When Windows Server 2008 is released, you’ll be able to encrypt any volume using BitLocker.

HTH,

Tom

No Security through Obscurity — Don’t Turn Off SSID Broadcasting

Yesterday I talked about the myth of the “software firewall” and how the term “software firewall” is misused to communicate what is actually known as a host-based firewall. The term “software firewall” is a network newbie term, and relates to misconceptions and lack of understanding of how things work. Of course, if you’re a reader of this security blog, you now know that all firewalls run on software and that they are correctly categorized as network and host-based firewalls.

That discussion made me think of another common network newbie error — again an error made because popular radio and print “computer writers” advocate it — disabling SSID broadcasting for wireless access points.

Did you know that turning off SSID broadcasting is actually in violation of the design specifications for IEEE 802.11? That’s right. You’re actually breaking the rules of the 802.11abgn protocols when you turn it off.

OK, suppose you don’t care if you’re breaking the rules of the protocol. The fact is that you’re not really protecting yourself by disabling SSID broadcasting. The reason for this is that, even though you may enable encryption on your wireless connections to the WAP, there are still unencrypted frames transmitted that include the WAP’s SSID. Any half-talented hacker can install a network sniffer that can read these unencrypted frames and find out the SSID of your WAP.

Along the same lines, forget about MAC address control. It never ceases to amaze me how often people advocate MAC address control, whether it’s for firewall access or WAP access. It’s very easy to change the MAC address of a computer. And the same hacker with the sniffer that finds out the SSID of your WAP will also be able to find out the MAC addresses of the machines that are connecting to your WAP.
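To see why neither measure hides anything, here is an added example (not part of the original post) in Python that parses 802.11 management frames and shows the SSID and station MAC address sitting in cleartext even when the beacon hides the SSID. The frames, the addresses and the SSID `corp-wlan` are constructed sample data, and the frames are assumed to carry no radiotap header or FCS.

```python
"""Added example: cleartext SSID and MAC fields in 802.11 management frames."""
import struct

HEADER_LEN = 24          # frame control, duration, 3 addresses, sequence control
SSID_ELEMENT_ID = 0
# Management subtypes that carry an SSID element -> (name, length of the
# fixed fields that precede the tagged elements in the frame body).
SUBTYPES = {
    0: ("assoc-req", 4),     # capability + listen interval
    2: ("reassoc-req", 10),  # capability + listen interval + current AP
    4: ("probe-req", 0),
    5: ("probe-resp", 12),   # timestamp + beacon interval + capability
    8: ("beacon", 12),
}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Return subtype, source, BSSID and SSID of a management frame.

    Returns None for frames that are too short or are not one of SUBTYPES.
    "ssid" is None when the element is missing, empty or null-padded,
    which is what an access point with SSID broadcast disabled sends.
    """
    if len(frame) < HEADER_LEN:
        return None
    frame_type, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if frame_type != 0 or subtype not in SUBTYPES:
        return None
    name, fixed_len = SUBTYPES[subtype]
    info = {"subtype": name, "source": fmt_mac(frame[10:16]),
            "bssid": fmt_mac(frame[16:22]), "ssid": None}
    pos = HEADER_LEN + fixed_len
    while pos + 2 <= len(frame):              # walk id/length/value elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            break                             # truncated element
        if elem_id == SSID_ELEMENT_ID:
            if any(value):
                info["ssid"] = value.decode("utf-8", "replace")
            break
        pos += 2 + elem_len
    return info


def summarize(frames):
    """Map each BSSID to the SSID and station addresses seen in cleartext."""
    seen = {}
    for raw in frames:
        info = parse_mgmt_frame(raw)
        if info is None:
            continue
        entry = seen.setdefault(info["bssid"], {"ssid": None, "stations": set()})
        if info["ssid"]:
            entry["ssid"] = info["ssid"]
        if info["source"] != info["bssid"]:
            entry["stations"].add(info["source"])
    return seen


def build_frame(subtype, dst, src, bssid, ssid):
    """Build a constructed management frame (no radiotap header, no FCS)."""
    header = struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"
    fixed = bytes(SUBTYPES[subtype][1])
    ssid_elem = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_elem = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates
    return header + fixed + ssid_elem + rates_elem


# Constructed sample data: locally administered addresses, made-up SSID.
AP = bytes.fromhex("020000000001")
STATION = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_frame(8, BROADCAST, AP, AP, b""),            # beacon, SSID hidden
    build_frame(8, BROADCAST, AP, AP, b"\x00" * 9),    # beacon, null-padded SSID
    build_frame(0, AP, STATION, AP, b"corp-wlan"),     # association request
    build_frame(5, STATION, AP, AP, b"corp-wlan"),     # probe response
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        print(parse_mgmt_frame(raw))
    print(summarize(SAMPLE_FRAMES))
```

Both beacons report no SSID, yet the association request and probe response from the same BSSID name the network and the connecting station, which is why only authentication and encryption count as access control.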

Whether it’s a WAP or a Firewall, the only way to secure access is to use authentication and a strong encryption protocol. That’s where WPA2 comes in. Windows XP, Windows Vista, Windows 2003 and Windows 2008 all support WPA2. You can use WPA2 with a long pre-shared key (WPA2-PSK) or you can use certificate authentication if you have a RADIUS server in place.

For a very nice discussion of these issues, check out http://technet.microsoft.com/en-us/library/bb726942.aspx

HTH,

Tom

Correctly Defining Firewall Types

I was reading a thread on a well known Windows mailing list and found that people were having a hard time communicating about firewalls, since some of the people participating in the conversation were using incorrect firewall terminology.

The problem was that one of the newbs was asking about a “software” firewall and wanted to know what was the best “software” firewall. The problem with this question is that all firewalls are software firewalls. Without software, the hardware doesn’t know what to do and thus doesn’t work. So, in reality, all firewalls are software firewalls.

Some people refer to firewalls that have no hard disk as “hardware” firewalls, but even that definition is starting to wear thin. Many firewalls that were formerly considered to be “hardware” firewalls now have hard disks or solid state memory to hold their software. The term hardware firewall seems to be migrating toward something that is closer to “appliance” firewall, where the firewall appliance is actually a single purpose device, with an operating system that is dedicated to support that firewall server that runs on the core operating system.

A more accurate way to categorize firewalls is to classify them as Network Firewalls or Host Firewalls.

Network Firewalls are designed to control network traffic for multiple hosts. Network Firewalls are inline devices that allow, deny, log and report on the traffic moving through them. Some Network Firewalls have their major strengths as sophisticated routers with some security built in (such as the Cisco PIX or ASA) and some Network Firewalls focus more on security than on sophisticated routing capabilities (such as the Microsoft ISA Firewall).

Host based firewalls are firewalls that are installed on the host operating system and are designed to protect the host that the host based firewall is installed on. The Windows XP and Windows Vista firewalls are examples of host based firewalls. Some popular radio hosts make the mistake of calling host based firewalls “software” firewalls, and this has caused a lot of network newbies problems if or when they enter the world of corporate IT.

HTH,

Tom

Volume 1 of COBIT Focus Newsletter Now Online

If you spend much time with regulatory compliance projects (and who isn’t these days?), you’ve likely run into the COBIT guidelines. If not, COBIT stands for Control Objectives for Information and related Technologies. The guidelines, processes and procedures outlined by the COBIT framework are the core of almost all regulatory compliance assessments. While not a Microsoft publication and not focused on Microsoft infrastructures, you’ll find that Microsoft’s catalog of security and management products will enable you to meet your IT governance goals set forth by COBIT.

The COBIT Focus newsletter includes a number of excellent articles by experts in the COBIT framework. Some of the articles in the Vol. 1 2008 newsletter include:

  • New Publication From ITGI: IT Control Objectives for Basel II, by Urs Fischer
  • Make “MyCOBIT” Your COBIT, by Steve Reznik
  • COBIT Education Takes Off, by Brian Childers
  • COBIT: The Metaframework for Compliance, by Buck Kulkarni
  • COBIT and IT Governance Case Study: Jefferson Wells Ensures Effective IT Control for Sarbanes-Oxley Review
  • Extending COBIT for IT Innovation Governance, by Eva Šimková
  • Mapping ITIL v3 to COBIT, by Jimmy Heschl
  • ISACA South Africa Chapter Holds COBIT Event Alongside Annual Conference

Download the newsletter for free at www.isaca.org/cobitnewsletter

HTH,

Tom
