How to address Master Data Management (MDM) challenges for security management?

October 16th, 2011

Master data management (MDM) has been very challenging for enterprises, especially for large organizations that have many existing data warehouses, data marts, and operational data stores, along with constant integration or divestiture of businesses, applications, and network environments.  Without an effective MDM solution, the same data may be collected in different formats and in different ways from different systems, and later distributed to many different operational units. This complicates data inconsistency and reconciliation across the variety of systems that use the data, and leads to inconsistent management reporting and decision-making.

MDM enables the whole organization to identify reliable data sources, collect and store data consistently, and distribute and share master data with integrity across enterprise systems.  For enterprise security management, the most important aspects include asset management, vulnerability management, configuration management, identity and authentication management, and information governance, among others.  Effective MDM requires an enterprise architecture that enables and enforces consistent data for all enterprise applications and environments.  It requires a logical data model that is defined and maintained throughout the information life cycle, with every change distributed consistently.  Logical data models need to define data dimensions, and each dimension defines its required attributes with consistent data definitions.  For distribution, systems can expose a SOAP web service or a REST SOA interface through an enterprise service bus (ESB) for real-time data distribution, but in many cases a data dump is used instead because of its simplicity.

Asset inventory should include a static asset inventory system that serves as the standard control list, and dynamic asset discovery to find discrepancies with the live environment and rogue devices.  Since inventory tools may collect only certain data fields in vendor-specific formats, it is preferable to normalize the data using the NIST Common Platform Enumeration (CPE) for system and application representation, or at least to normalize the application name, product name, OS and application version, and patch notation.  The same concept applies to business, organization, location, and people contact information.  Note that hosts may be multi-homed: one host may have multiple interfaces and potentially multiple DNS hostnames if they are registered in DNS.  This requires one more layer of modeling for multi-homed network devices.  A well-maintained DNS system will also help identify a single host behind multiple interface IPs.  Countermeasure modeling is an important aspect of vulnerability and risk management, as it helps prioritize risk remediation effort and reduces unnecessary resource-intensive patching so that the true risk can be remediated first.
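The normalization and multi-homed host modeling described above, as an added example that is not code from the original post. It takes constructed records from two hypothetical inventory tools with different field layouts, maps their free-form OS strings to a simplified CPE 2.3 formatted string (the vendor/product table is an assumption, not the official NVD dictionary), collapses interface records onto one host entry using an assumed DNS naming convention of "<host>-<interface>.<domain>", and flags hosts whose interfaces disagree on platform so they can be reconciled:

```python
import re
from collections import defaultdict

# Constructed sample records from two hypothetical inventory tools with
# different, vendor-specific field layouts (not real tool output).
TOOL_A_RECORDS = [
    {"hostname": "WEB01.corp.example", "ip": "10.1.1.10", "os": "Red Hat Enterprise Linux 6.1"},
    {"hostname": "web01-bk.corp.example", "ip": "10.2.1.10", "os": "RHEL 6.1"},
]
TOOL_B_RECORDS = [
    {"fqdn": "db01.corp.example", "addr": "10.1.1.20",
     "platform": "Microsoft Windows Server 2008 R2 SP1"},
    {"fqdn": "db01-mgmt.corp.example", "addr": "10.9.1.20",
     "platform": "Microsoft Windows Server 2008 R2"},
]
# Field maps translate each tool's column names to the master schema.
TOOL_A_FIELDS = {"hostname": "hostname", "ip": "ip", "os": "os"}
TOOL_B_FIELDS = {"hostname": "fqdn", "ip": "addr", "os": "platform"}

# Vendor-specific OS strings -> (vendor, product) for a simplified CPE 2.3
# formatted string. This table is an assumption for the example, not the
# official NVD CPE dictionary.
OS_PATTERNS = [
    (re.compile(r"^(?:red hat enterprise linux|rhel)\s*(?P<ver>[\d.]+)", re.I),
     ("redhat", "enterprise_linux")),
    (re.compile(r"^microsoft windows server (?P<ver>\d{4}(?: r2)?)(?:\s+sp(?P<sp>\d+))?", re.I),
     ("microsoft", "windows_server")),
]

def to_cpe(os_string):
    """Map a free-form OS string to a CPE 2.3 formatted string, or None."""
    for pattern, (vendor, product) in OS_PATTERNS:
        m = pattern.match(os_string.strip())
        if m:
            version = m.group("ver").lower().replace(" ", "_")
            update = "sp" + m.group("sp") if m.groupdict().get("sp") else "*"
            return f"cpe:2.3:o:{vendor}:{product}:{version}:{update}:*:*:*:*:*:*"
    return None

def normalize(record, fields):
    """Translate one tool record into the master schema."""
    return {
        "hostname": record[fields["hostname"]].lower(),
        "ip": record[fields["ip"]],
        "cpe": to_cpe(record[fields["os"]]),
    }

# Assumed DNS naming convention: an interface name "<host>-<ifname>.<domain>"
# collapses to the host name "<host>.<domain>".
IFACE_NAME = re.compile(r"^(?P<host>[a-z0-9]+)-[a-z0-9]+(?P<domain>\..+)$")

def canonical_host(hostname):
    m = IFACE_NAME.match(hostname)
    return m.group("host") + m.group("domain") if m else hostname

def build_master_inventory(records):
    """Group interface records under one entry per (possibly multi-homed) host."""
    hosts = defaultdict(lambda: {"interfaces": [], "cpes": set()})
    for rec in records:
        host = hosts[canonical_host(rec["hostname"])]
        host["interfaces"].append((rec["hostname"], rec["ip"]))
        if rec["cpe"]:
            host["cpes"].add(rec["cpe"])
    return dict(hosts)

def find_conflicts(master):
    """Hosts whose interfaces disagree on platform need reconciliation."""
    return sorted(name for name, h in master.items() if len(h["cpes"]) > 1)

def run():
    records = [normalize(r, TOOL_A_FIELDS) for r in TOOL_A_RECORDS]
    records += [normalize(r, TOOL_B_FIELDS) for r in TOOL_B_RECORDS]
    master = build_master_inventory(records)
    return master, find_conflicts(master)

if __name__ == "__main__":
    inventory, conflicts = run()
    for name, host in inventory.items():
        print(name, host["interfaces"], sorted(host["cpes"]))
    print("needs reconciliation:", conflicts)
```

Records whose OS string matches no pattern get a CPE of None; in practice those are the records to route back to the source system owner rather than silently load into the master set.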

Logical data model design tools help with the modeling process; the best-known products are Sybase PowerDesigner, CA data modeler, and E/R data architect.  I personally found PowerDesigner and E/R data architect easier to use, and the E/R data architect license cost is the lowest.  The normalized data can be stored in an Oracle database, which provides multi-dimensional online analytical processing (OLAP) capability.

In all, effective MDM starts with an understanding of corporate master data requirements and modeling, followed by effective system architecture, tools, and processes for DNS management, inventory collection, data transformation and normalization, interoperable schemas, and data redistribution.  Ensuring consistency and correlation among corporate data vaults (warehouses, marts, stores) using standards is key to the reusability of those master data sets, so that any new operational process or system can aggregate the necessary data sets and meaningfully correlate them for a specific purpose.  For this purpose, the NIST Security Content Automation Protocol (SCAP) should be adopted by vendors and industries so that security data can be standardized and made interoperable among external feeds and internal systems.

Understand enterprise threat environment for hacking prevention

August 1st, 2011

In the past few months, there have been quite a few hacking reports hitting the headlines, notably the defacement of the CIA web page, the hacking of the Sony PlayStation Network, and News of the World's phone hacking, among others. No wonder it is said that hacking is now a "business", in most cases carried out by organized hacker groups like LulzSec or Anonymous.  With the disclosure of the widely reported hacking of uranium enrichment control systems using the well-designed and well-implemented "Stuxnet" malware, there is good evidence that information system hacking has now officially been confirmed as a weapon of warfare, just like a nuclear bomb or a cruise missile.

With the globally connected Internet, hacking threats could potentially come from any corner of the earth and strike at any moment without being noticed, with hackers active 24×7 around the globe. How can an enterprise defend against these almost invisible threats?

To address enterprise information security and prevent hacking and intrusion, there have been many discussions of setting up layered defense, including perimeter ACLs, firewalls, IDS, IPS, proxies, anti-virus, and anti-malware.  These are all good and necessary measures to thwart hacking and intrusion, but it is puzzling that so many successful hacks are still reported, with potentially many more still ongoing silently.

I think one reason that hacking is able to succeed is at least partially the failure of quality assurance in the software engineering industry.  Besides social engineering attacks, hackers typically take advantage of vulnerabilities in operating systems, applications, or protocols.  Those vulnerabilities typically come from inherent weaknesses of programming languages, architecture design, or application implementation by programmers who do not have sufficient security skill or sufficient time to implement security measures.  Even today, the priority of many vendors is still getting the product to market quickly to win the competition, and for many small startups, getting to market quicker is vital to their survival.  After all, the first 'A' of security is "availability", isn't it?

To ensure enterprises have secure operating systems and applications to run in their environments, the software industry (including in-house development) needs to adopt consistent security assurance before releasing a product.  It should include using well-tested security components like OWASP ESAPI, and adopting open common standards such as those recommended by MITRE, for example CPE and CCE, among others.  Running OS processes in separate memory spaces will prevent the propagation of malware, as realized by Juniper JUNOS, Palo Alto PAN-OS, and Apple iOS.

Given that security is always an evolving process, enterprises need a good understanding of both external threats and internal defenses.  External threats include organized hacking groups, their operations and activities, and most importantly the tools and techniques they could leverage.  While it is not possible to know or prevent all external threats, given the original design purpose of the Internet (connecting the whole world), an enterprise should be able to examine its attack surface for possible attack vectors.  Internet-facing points (ISP-facing routers and the DMZ), B2B entry points, VPN gateways, and wireless access points are especially important.  Properly designed routing architecture, router ACLs, firewall rules, and application-layer prevention help prevent external attacks.  Application-layer detection and prevention is so far the most difficult, due to the numerous attack patterns and OS/application vulnerabilities; identifying attacks among the tons of daily data is still a challenge.  However, if an enterprise has an up-to-date systems inventory, centralized configuration control, and an effective vulnerability tracking and patching system, defending against external threats becomes easier.  Even better, if information system vendors adopt open standards for software development, security assurance, XML-based configuration, vulnerability assessment (OVAL), and automated patching, I'm sure it will significantly reduce the window of exposure to external threats.

Most commonly used Netscreen firewall commands

June 26th, 2011

Netscreen firewalls are very popular firewalls with many features, but they lack the automatic command completion found in JUNOS.  Below is a reference card of the most commonly used commands, which will be handy when working with Netscreen firewalls.

Common usage | Command | Comment
Show what commands are available at the current path (level) | ? | This is your best friend if you want to find what commands are available to you
Show the complete system configuration | get config | This is all you need for reviewing the configuration
Show system OS version, interfaces, manager-ips | get system |
Show all zones | get zone |
Show configured firewall rules | get policy |
Show the traffic log, including denied traffic | get log traffic | You can find denial logs here
Show currently active sessions | get session |
Show BGP config | get vrouter trust-vr protocol bgp config |
Show BGP neighbors | get vrouter trust-vr protocol bgp neig |
Enable BGP | set vrouter trust-vr protocol bgp enable | To disable, use "unset"
Update or restore the system configuration from a TFTP server | save config from tftp <ip> <config.file> to flash |
Patch the kernel from a TFTP server | save software from tftp <ip> image to flash |
Back up the configuration to a TFTP server | save config from flash to tftp <ip> <backupfilename> | Handy for restoring the configuration
Back up the system image remotely | save software from flash to tftp <ip> <backupimagefilename> |
Make the firewall manageable by NSM | set nsmgmt server primary <nsm_ip> (or secondary) | This sets up NSM manageability for the firewall
Show NSM manageability info | get nsmgmt |
Set up a read-only user | set admin user <userid> password <pwd> priv read-only |
Find out CPU usage | get performance cpu |
Find out memory usage | get memory |
Show various counters | get count statistics, get count flow, get count policy, get count screen |
Show cluster (NSRP) setup info | get nsrp |

How to set up debugging?
  debug bgp
  debug flow basic
  get ffilter
  set ffilter src-ip <sip> dst-ip <dip> ip-prot 6
  undebug all
  unset ffilter

This useful debug option shows the policy processing sequence and indicates possible issues such as missing routes or missing rules. Don't forget to unset the filters and the debug flag.

How to set up a traffic snoop?
  snoop info
  snoop filter ip ?
  clear db
  snoop
  get db str
  snoop off

This provides snoop/tcpdump-like traffic capture for packet analysis.  Do not forget to delete the filters when done.

What security lessons can we learn from RSA SecurID hacking?

May 26th, 2011

A month after RSA was hacked, the world is still in disbelief that one of the oldest and most trusted security companies has been hacked. Some RSA SecurID customers have switched to a different authentication solution out of concern about the breach, and the remaining customers are still worried about what further breaches could result from the RSA hacking.

So, as hackers took away RSA data in this security incident, what lessons can RSA and other companies take away from it?

Lesson 1: Identify, encrypt, and protect valuable information assets
Always know what you need to protect, and always prepare for the worst for the valuable assets.

Even though EMC RSA has not disclosed the complete list of lost data, RSA SecurID seed records were reportedly stolen, apparently not encrypted and usable by the hackers for token prediction. If these sensitive records had been encrypted and protected with an appropriate level of security, such as dual control and authentication, it would not have caused as much outcry for an encryption company like RSA.

Lesson 2: Employee training and awareness of email security and phishing
The RSA hacking was the result of spear-phishing: employees were sent emails at their company email addresses and tricked into opening an attached spreadsheet containing a zero-day exploit that installed a backdoor. It is well known that email is a primary phishing vector. Even though it is sometimes legitimate to provide a company email address to business partners, employees should be trained and aware that company email addresses are valuable information that needs to be protected from unauthorized use or misuse, which includes not providing company email addresses on social web sites or to unsolicited parties. If the hackers had not been able to send emails to company addresses, the hacking might not have been as easy.

Needless to say, employee awareness of various phishing schemes and social engineering is also necessary.

Lesson 3: Ensure the effectiveness of firewall and perimeter protection
In the RSA hacking, the backdoor (a Poison Ivy variant) was installed on the compromised PC and reached out from the inside to the outside (outbound) for command and control, rather than being operated from the outside (inbound). The attacker was then able to use FTP to transfer password-protected RAR files from the RSA file server to an outside staging server at a hosting provider.

It is apparent that RSA may not have had a firewall in place, or that the firewall rules were not implemented properly to prevent unauthorized outbound connections. This shows how important it is to review the configuration and rules of perimeter devices (firewalls and/or routers and/or IDS) for effective protection.

Lesson 4: DLP needs to be in place and effective
Data should have been protected with a proper DLP mechanism at the perimeter to prevent FTP or HTTP uploads from internal hosts to external hosts, or at least to alert on abnormal transfers.
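The outbound-transfer monitoring that Lessons 3 and 4 call for, as an added example that is not code from the original post. It runs over constructed, simplified session-log lines (timestamp, source, destination, destination port, bytes sent; not a real vendor log format) and raises an alert for any FTP session from an internal address to an external one, plus a separate alert when the bytes sent on one internal-to-external flow exceed a constructed threshold. The RFC 1918 ranges, the watched ports and the threshold are assumptions for the example:

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Services on which bulk uploads to the outside are not expected from internal hosts.
WATCHED_PORTS = {21: "ftp", 80: "http", 443: "https"}
# Constructed threshold: bytes sent per (src, dst, port) flow above which we alert.
UPLOAD_THRESHOLD = 50 * 1024 * 1024

# Constructed, simplified session-log lines (not real vendor output):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_sent>"
SAMPLE_LOG = """\
2011-03-01T10:00:01 10.20.30.40 10.20.30.5 445 120000
2011-03-01T10:05:12 10.20.30.40 203.0.113.7 21 734003200
2011-03-01T10:06:40 10.20.30.41 198.51.100.9 443 4096
2011-03-01T10:07:03 10.20.30.40 203.0.113.7 21 1048576
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    ts, src, dst, port, sent = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "sent": int(sent)}

def aggregate_outbound(log_text):
    """Sum bytes sent per internal->external flow on the watched ports."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (is_internal(rec["src"]) and not is_internal(rec["dst"])
                and rec["port"] in WATCHED_PORTS):
            totals[(rec["src"], rec["dst"], rec["port"])] += rec["sent"]
    return totals

def detect(log_text):
    """Return alerts for outbound FTP and for oversized outbound transfers."""
    alerts = []
    for (src, dst, port), sent in sorted(aggregate_outbound(log_text).items()):
        service = WATCHED_PORTS[port]
        if service == "ftp":
            # Outbound FTP from internal hosts should not occur at all under an
            # egress policy that only allows proxied web traffic.
            alerts.append({"rule": "outbound-ftp", "src": src, "dst": dst, "bytes": sent})
        if sent > UPLOAD_THRESHOLD:
            alerts.append({"rule": "large-upload", "src": src, "dst": dst,
                           "service": service, "bytes": sent})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two rules are deliberately separate: the first is a policy violation regardless of volume (the egress rule base should block it outright), while the second is the "abnormal transfer" signal that a DLP or SIEM correlation would key on even over an allowed service such as HTTPS.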

Lesson 5: Malware detection and employee awareness
It is apparent that RSA failed to detect the malware in the email attachment, and the employee was not aware of the risk of opening an unrecognized external email attachment. With the prevalence of malware in many hacking incidents, malware detection and prevention needs to be in place, and employees need to be educated to avoid becoming victims of malware. Research on potential malware polymorphism or variants could give a company an advantage in defending against malware beyond known exploits.

With all that said, despite all the security hardware, software, and training in place, there is always a chance that a hacker can cause a breach somehow, so effective intrusion detection and monitoring is required. It is not clear how RSA detected this APT-type SecurID hacking, but network IDS or host IDS will help security analysts identify breaches. A SEMS or SIEM will provide easier correlation among different systems if the relevant events are captured and aggregated into it. Hopefully someday RSA will tell the story of how the hacking was detected and prove to the world the value of security devices and software, so that companies will continue to buy EMC/RSA security products with some faith in the security of a company that was once well respected.

Choose the Next-Generation Enterprise Network Firewalls

April 10th, 2011

Network firewalls have been an indispensable layer of defense against external attacks and a regulatory requirement for many companies. With many competing vendors on the market, "next-generation firewall" has become a buzzword in a red-hot war for market share. But what exactly does next-generation firewall mean for customers? And are you choosing the future winner who will survive the war, so that you do not have to migrate to another vendor later?

Checkpoint may have been the first to officially use "NG" as a product name; it used NGX (Next-Generation Extension) for a recent product line. After the popular Netscreen firewall platform was acquired by Juniper, as a strategy of integrating the Netscreen firewall engine into the JUNOS routing platform, Nir Zuk founded Palo Alto to start another line of firewall products with an architecture similar to the Netscreen firewall engine, and has been intensively marketing Palo Alto as the next-generation firewall.

To win the next-generation firewall campaign, Nir had a very interesting debate with Mike Rothman recently. Nir defined the next-generation firewall as an application-aware network firewall that can recognize application-specific traffic and perform deep application-layer (layer 7) inspection for policy control and anti-virus purposes, while Mike challenged some aspects of it regarding hardware capacity and configuration issues.

No matter what next-generation firewall the vendors are selling, it is very important for customers to do comparative testing and gain hands-on experience in the following key areas before a long-term firewall deployment.

1. Firewall policy implementation and maintenance requirement

The most resource-intensive effort in enterprise firewall support is policy implementation and rule life-cycle maintenance, due to the sheer number of firewall rules and the changing nature of the network environment. Firewall rules should be easy to define and understand, with central management capability. The Checkpoint management suite and client GUI is still the best GUI on the market so far; unfortunately, CLI users will be disappointed that Checkpoint does not support command-line loading of policy rules, which I sometimes find very inconvenient for rule processing.

2. Consider migration requirement and cost for the legacy firewalls

As firewall technologies evolve, it is not uncommon for companies to move from one firewall platform to another. One thing that does need to be checked is that the firewall software supports sufficient features for rule migration if you have legacy firewalls. For example, if Netscreen supports nested subgroups but another platform does not yet support this feature, it may be better to wait until the same feature is available on the other platform. You cannot imagine what a nuisance this kind of not-so-obvious limitation can cause for firewall policy rule conversion and maintenance; more importantly, it causes confusion for the original rule business owners and the technical staff supporting the original rules.

3. Choose between zone-based and non-zone-based firewalls

Some firewalls, like Checkpoint, are not zone-based, because a firewall rule does not require an interface to be assigned to a security zone for rule construction. On the other hand, Juniper and Palo Alto are based on a similar firewall engine architecture that requires a zone to be defined as one dimension of the firewall rule. This extra dimension can cause differences that you never expect in a dynamic routing environment. For example, Checkpoint rules are only concerned with the source, destination, and port triplet; routing for the related IPs is not checked unless anti-spoofing is turned on. For Juniper and Palo Alto, traffic for the related IPs has to arrive from the specified interface zones. If routing changes direction for any reason, the rules will no longer match, which is different behavior from Checkpoint, so it is important to evaluate the company's routing environment before deploying zone-based firewalls.
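The behavioral difference described above, as an added example that is not code from the original post and not any vendor's matching engine. It models three simplified matching styles side by side: a plain source/destination/port triplet match, the same match with an anti-spoofing check (the source must arrive on the interface the routing table would use to reach it), and a zone-based match where the from-zone is the zone of the ingress interface. The interface-to-zone table, the rule and the two routing tables are constructed for the example; a route change that moves one subnet behind a different interface shows which styles keep matching:

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    src: str          # source network
    dst: str          # destination network
    port: int
    from_zone: str    # used only by the zone-based engine
    to_zone: str
    action: str

@dataclass
class Packet:
    src: str
    dst: str
    port: int
    ingress_if: str   # interface the packet actually arrived on

# Constructed interface-to-zone table (assumption for this example).
ZONES = {"eth1": "trust", "eth2": "dmz", "eth3": "untrust"}

def longest_match(routes, ip):
    """Return the egress interface for ip by longest-prefix match, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def _addresses_match(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and pkt.port == rule.port)

def match_triplet(rules, pkt):
    """Non-zone-based: only source, destination and port are consulted."""
    for rule in rules:
        if _addresses_match(rule, pkt):
            return rule.action
    return "deny"

def match_triplet_antispoof(rules, pkt, routes):
    """Triplet match plus anti-spoofing: the source must arrive on the
    interface the routing table would use to reach it."""
    if longest_match(routes, pkt.src) != pkt.ingress_if:
        return "deny"
    return match_triplet(rules, pkt)

def match_zone_based(rules, pkt, routes):
    """Zone-based: the ingress interface's zone and the egress zone derived
    from routing are extra rule dimensions."""
    from_zone = ZONES[pkt.ingress_if]
    to_zone = ZONES[longest_match(routes, pkt.dst)]
    for rule in rules:
        if rule.from_zone == from_zone and rule.to_zone == to_zone and _addresses_match(rule, pkt):
            return rule.action
    return "deny"

RULES = [Rule("10.1.0.0/16", "203.0.113.10/32", 443, "trust", "untrust", "allow")]
# Before: the whole 10.1.0.0/16 sits behind eth1 (trust).
ROUTES_BEFORE = {"10.1.0.0/16": "eth1", "0.0.0.0/0": "eth3"}
# After: a more specific route moves 10.1.5.0/24 behind eth2 (dmz).
ROUTES_AFTER = {"10.1.0.0/16": "eth1", "10.1.5.0/24": "eth2", "0.0.0.0/0": "eth3"}

def compare(routes, ingress_if):
    pkt = Packet("10.1.5.20", "203.0.113.10", 443, ingress_if)
    return {"triplet": match_triplet(RULES, pkt),
            "triplet+antispoof": match_triplet_antispoof(RULES, pkt, routes),
            "zone-based": match_zone_based(RULES, pkt, routes)}

if __name__ == "__main__":
    print("before route change:", compare(ROUTES_BEFORE, "eth1"))
    print("after route change: ", compare(ROUTES_AFTER, "eth2"))
```

After the route change the triplet engines still allow the flow (anti-spoofing is satisfied because the packet arrives where the new route says it should), while the zone-based engine denies it because the from-zone is now dmz rather than trust. That is the situation to test for, with the real routing tables, before committing to a zone-based platform.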

4. Firewall deployment effort and system upgrade

Checkpoint appears to require more steps and effort to deploy and support its current firewall product line (I cannot speak about its newest products), while Juniper and Netscreen are more streamlined in terms of deployment and software upgrades.

5. Firewall vendor future development strategy and sustainability

Be sure which direction firewall vendors are taking their firewall products; you do not want to deploy something that will reach end-of-service or end-of-life and have to migrate to another product or vendor. Also be aware of the technical support arrangement and the typical software upgrade release cycle.

Because all layers of traffic data (including the application layer) can be inspected by the firewall, it is always feasible to integrate defense mechanisms such as anti-virus, anti-malware, routing ACLs, web defense, application vulnerability detection, and even IDS/IPS into the firewall appliance. Many vendors have tried this one way or another, notably Checkpoint's SmartDefense and Web Intelligence, Juniper's intention to collapse routing into the firewall, and Palo Alto's single-pass detection of viruses with application-aware policy control. The question is not whether they can do it, but how well they do it for the added defense features as a firewall platform. That is apparently related to the vendor's vision of the next generation of Internet threats from evolving technologies such as Web 2.0, mobile computing, and cloud computing, and their capability to implement the software on scalable hardware.

It is never easy to evaluate and choose a truly next-generation enterprise firewall because of constantly evolving technology, the threat environment, and unique company requirements. However, comparative testing of multiple vendor products for the required functionality, and matching the vendors' future development strategy with the company's future plans, will reduce the risk of choosing a product that ends up a loser in the war of next-generation firewalls, and improve the ROI of the firewall deployment and maintenance.

How to integrate security into SDLC?

February 18th, 2011

With the recent headlines of the hacking of Facebook owner Mark Zuckerberg's Facebook account and the NASDAQ breach, we are reminded of the ultimate importance of information security, especially web application security. In today's web-centric world, pretty much every company has branded web sites on the Internet. Internet web sites provide great benefit to end users and customers, but at the same time open the door to hackers and other malicious users. Hackers know that firewalls are open to web traffic and that this is a quick and easy tunnel to corporate web servers, databases, and even internal systems and applications; according to the most recent report by Verizon and the US Secret Service, that makes attacks on web applications account for more than half of all attacks.
To avoid embarrassment and financial loss, every company nowadays puts tremendous effort and budget into securing applications, especially web applications. One of the most frequent questions is how (web) application security can be improved from the start of the SDLC. With years of experience designing and implementing applications in half a dozen programming languages, and experience in vulnerability analysis and intrusion detection, I cannot agree more that security has to be integrated into all phases of the application development life cycle (SDLC), as listed below. We will delve into how security measures can be accomplished in each phase.

- Security Requirement Collection
- Security Architecture Design and modeling
- Security Implementation
- Security Testing
- Deployment and Operation

Security Requirement Collection
In this phase, controls have to be designed for the most common vulnerabilities and attacks, such as an input validation mechanism, exception and error handling, an AAA mechanism including password strength and protection in transit and at rest, and session management. It is important to consider things like the classification of data in transit and at rest, and then decide the required encryption strength. Defense against buffer overflow and DoS is a must, as they are the most common attacks on C/C++-based applications. Availability is also important, so that the application is resilient to attacks such as DDoS or unexpected component failure. For web applications, it should be standard to prevent attacks such as SQL injection, cross-site scripting, and cross-frame hijacking. One can refer to the more complete lists of vulnerabilities on the OWASP and SANS web sites, among others.

Security Architecture Design and Modeling
A secure application should have security architecture built in rather than patched in afterwards. One that has only business logic in mind is most likely subject to security issues and attacks. The security of an application lies in its designed security architecture. Security has to be integrated into the application's business logic, data flow, and use cases. An object-oriented design (OOD) tool using the Unified Modeling Language (UML) will help identify, model, and document the security measures required based on the business requirements.
Note that for the best security, besides the application itself, the network deployment and related database components also need to be in the most secure posture, even though they are typically handled in a different context by different teams.
The increased adoption of cloud computing has presented some challenges to application security, as it is not as clear-cut as the traditional layered application architecture with distinct front-end, application server, and database tiers. As design has evolved toward service-oriented and software-as-a-service (SaaS) architectures, this will be the subject of a separate discussion on cloud security.

Security Implementation
The implementation phase is typically where application vulnerabilities get introduced. It could be a logic implementation error, such as not catching all error conditions or not handling all use cases; or it could be a simple mistake such as forgetting to close open connections when a session closes. The most dangerous case may be a programmer who has insufficient security knowledge and is unwilling to implement additional code for security, cutting corners to just get the business logic implemented.
For the implementation, it is very important to choose the right programming language. Programming languages have evolved a lot over the past twenty years. At my high school, it was procedural "Basic" (the grandpa of Visual Basic), then came "Fortran" and "C/C++". After that came object-oriented languages such as object-oriented C++ and visual programming.
Needless to say, procedural C programs are the most likely to be exploited, as they can directly address memory, and it is very difficult for the programmer alone to prevent the loopholes. I confess that I did crash machines a few times with my buggy procedural C/C++ programs in my early period of C/C++ programming. With the ability to manipulate memory addresses (stack and heap pointers), C/C++ has been the popular language for producing exploits and hacking tools.
After some time of procedural C/C++ programming, I came across object-oriented design and programming with C++. I was so much into it, as it is so elegant and easier to debug and extend with objects than with procedures. As Java picked up steam in the mid-1990s, it was a no-brainer that Java is the best choice for security, as it has common objects, memory protection, design patterns, and a security framework built into the language itself. Why should one prefer to write C/C++ code and re-invent the wheel unless one needs the performance or address manipulation of C/C++?
That means: Go, Java, Go! (not 'Diego'!)
Given the security features provided by Java, there are still more security needs to be implemented in the application. Java has buffer-overflow defense built in; however, input validation and logic still need to be implemented properly. The client-server application model is still the most popular design, and it is best to validate on both the client side and the server side, because client-side validation can be circumvented easily, especially with web browser hacking. In my implementation, I have the XSS JavaScript and SQL injection defense code built into a library. In most cases, building a white list for the input is more secure than a black list, as a black list may not be complete.
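The white-list versus black-list point above, as an added example that is not code from the original post and not the author's library (the post's own code is in Java; Python is used here for a self-contained, runnable illustration). A black-list filter that strips two well-known bad fragments is shown beside an allow-list validator that accepts only a narrow username grammar (an assumption for the example), followed by a server-side lookup that validates first and then uses a parameterized query, and an output-encoding helper for HTML contexts. The in-memory users table is constructed:

```python
import html
import re
import sqlite3

# Black-list approach: strip known-bad fragments. Incomplete by construction,
# which is exactly the weakness the post points out.
DENY_PATTERNS = [
    re.compile(r"<script\b.*?>.*?</script>", re.I | re.S),
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
]

def denylist_filter(value):
    """Remove the fragments we happen to know about; everything else passes."""
    for pattern in DENY_PATTERNS:
        value = pattern.sub("", value)
    return value

# White-list approach: define exactly what a valid value looks like and reject
# everything else. The grammar (lowercase letter, then 2-15 of [a-z0-9_]) is an
# assumption for this example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")

def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user_id(conn, username):
    """Server-side validation first, then a parameterized query so the value
    is never interpreted as SQL even if the grammar is loosened later."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allow-list")
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None

def render_greeting(name):
    """Output encoding for HTML contexts complements input validation."""
    return "<p>Hello, " + html.escape(name) + "</p>"

if __name__ == "__main__":
    sample = '<img src=x onerror=alert(1)>'
    print("black-list kept:", denylist_filter(sample) == sample)
    print("allow-list accepts:", is_valid_username(sample))
    print(find_user_id(make_db(), "alice"))
```

The black list passes the `<img ...>` sample untouched because it only knows about `<script>` tags, while the allow list rejects it without needing to know anything about attack syntax at all; that independence from the attacker's vocabulary is why the allow list is the safer default.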

Security Testing
In this phase, it is time to put every previous design and implementation under examination, testing the business logic as well as security and vulnerabilities. For security, vulnerability scanning and penetration testing can be performed with automated tools or manually. Code review is the best way to find a backdoor planted by a programmer (intentionally or just for self-convenience).

Deployment and Operation
After applications are ready for production, they are deployed into operational mode. At this phase, another layer of security relies on the security awareness of the operations staff. Despite the strictest password protection in the application, operations staff could be tricked into leaking confidential information through social engineering or impersonation. At this stage, operational security needs to be implemented.
Another risk at this phase is that the application is used in an unintended way and that use case is not handled or is handled improperly. This is typically hard to detect by vulnerability scanning, as there is no way to tell all the potential uses of the application beforehand. It has to rely on the design and proper logic implementation to catch all exceptions. However, with security considered and integrated into the SDLC, one can expect the chance of this type of vulnerability to be slim.
In this phase, it is also important to harden the components supporting the application, such as the OS, web server, database servers, and networking components. As the saying goes, security is only as good as the weakest link. It is a good time to examine the overall security posture of the application with external hacking tests, fail-safe testing, availability testing, and disaster recovery.

Checkpoint SPLAT firewall routing software limitations

January 15th, 2011

Checkpoint is a well-known vendor of enterprise firewalls, and one of its popular firewall platforms is the SecurePlatform firewall appliance. The last I was told was that this Linux-based firewall appliance will be the only platform that Checkpoint will support, and Solaris-based firewalls will be discontinued. If that is indeed the case, I'd hope Checkpoint strengthens its SecurePlatform development, as I know of at least two routing software limitations that will handicap its deployment, and what concerns me is that these limitations appear not to be documented anywhere, so customers mostly discover them only when devices are being deployed.

SecurePlatform firewall appliances have built-in routing software called the Advanced Routing Suite. It is based on the open source gated software and customized by Checkpoint. Generally I have had a pleasant experience with this routing software. However, I discovered the following two limitations that surprised me.

First, this Advanced Routing Suite can only support up to 25 BGP peers. That is the total number of peers you can have across all peering Autonomous Systems (AS). Beyond that, loading the BGP configuration produces an error message and only 25 BGP peerings are loaded, so you have to check which peers got loaded. The limitation appears to be hard-coded in the software. This limitation may not be critical for most enterprise environments, but you can bet there are some environments where this won't fly.

The way to overcome the 25 BGP peer limitation is to put some peers into a peer-group; however, that is where the second software limitation kicks in. The SecurePlatform routing peer-group does not support the "soft-reconfiguration inbound" configuration, which is so important in a dynamic BGP routing environment. The software does not even warn when this configuration is applied; it simply drops it silently. You do not notice it has been dropped unless you verify the loaded routing configuration. I tried to confirm whether this setting is the default, but it proved that it is not. Checkpoint has admitted that a REF needs to be opened to address this.

Overall I think SecurePlatform has quite a few good features as an enterprise firewall appliance; however, if these two limitations are not addressed, it will need to be carefully validated and tested when deployed in a very large BGP routing infrastructure.




How to troubleshoot connection issue on a Checkpoint firewall?

November 13th, 2010

Firewalls have been widely deployed by companies to protect the perimeter with business partners and the Internet, including VPN. A firewall denies all connections unless explicitly allowed by the business, for the best security.

It’s not unusual that a business connection stops working after firewall rules are implemented on the firewall, which causes financial loss and frustration to the business, up to the point that some people even question the benefits of the firewall.

With business transactions being interrupted, it is important to be able to troubleshoot the connection issue methodically and systematically to ensure timely resolution. The outcome of the troubleshooting is either proving the firewall is not guilty as charged, or acknowledging guilt and rectifying the issue accordingly.

This post focuses on troubleshooting on the Checkpoint platform, based on my years of hands-on experience. Troubleshooting on other firewall platforms will follow in other posts, but the concepts should be the same.

Below are the steps that I typically use to troubleshoot connectivity issues on the Checkpoint platform:

1. Collect device info for the impacted business hosts

First and most important, it’s critical to get the complete list of IPs for the impacted business hosts. This can typically be provided by the business; however, there are the following caveats to watch out for:

  • Hosts may be multi-homed and have multiple interfaces, so what the business gives may be just one IP of several interfaces, and that IP may not be the one registered in the firewall rules, so ensure you get all interface IPs for the host.
  • A Checkpoint host object is object-oriented, meaning that each host object has one IP explicitly registered and visible, but there may be other IPs registered in the topology property of the host object, and those IPs are not easily visible unless you click on the “Topology” tab for the host object. When searching the rules, ensure you search for all the business host interface IPs.
  • Sometimes the business can only provide the IPs that they think are in scope, but due to a unique network or application design, it could be other related device IPs that are having the issue; this is typically the case when connections are proxied or NAT is involved. It is helpful to have the business provide information about how the connections are set up, to direct the troubleshooting in the right direction.

2. Verify the routing path for the business connection

After the business-side IP information is collected, the next step is to find out if the firewall has any probability of being guilty, i.e., whether a firewall is in the routing path of the connection, and if there is a firewall in the path, which firewall to investigate (note that companies typically have many firewalls and complex routing).

This can typically be done using the “traceroute” tool from the source host. The actual command differs by OS: on Unix it is “traceroute”, on Windows it is “tracert”. There are the following caveats to watch out for with traceroute:

  • Traceroute needs to be allowed by the firewalls and routers in the path. If the host is not traceable, or traceroute is blocked by in-path firewalls and routers, the output will display “request timed out” messages. In such cases, if there is no network topology diagram available, one has to jump to the last responding hop and continue the traceroute from there until all hops are mapped out.
  • There may be a firewall behind a firewall for some connections, so ensure you find out how many firewalls are involved in the issue.

Once the firewalls in the routing path are identified, traceroute should be attempted from the firewall to the business hosts to ensure there is no asymmetric routing going on, as the firewall may drop the connection due to its SmartDefense settings.

3. Verify the business host and application are up and reachable

When people complain about a firewall issue, it is sometimes in fact that the host or application is not up, or is not reachable due to a routing issue. Checking that the host and application are up may save quite some time working on the firewall. If ping and traceroute are allowed outbound, pinging and tracerouting the host will help speed up identifying the root cause.

4. Check the drop logs to see if the traffic is denied

If the host and application are up, routing appears to be working, and the firewalls are confirmed to be in the routing path, the next step is to focus on the firewall rules. Checking the firewall logs is typically the most effective way to find out where the problem is. As Checkpoint can store firewall logs locally, or forward them to SmartTracker or any other remote host, it is critical to know where the firewall rule logs are stored. Checking the logging property of the firewall object will identify where the logs SHOULD be. Note that sometimes the logs are stored locally due to a connection issue to the remote log server, even though the firewall is set to forward them. If the logs are not seen on the server where they should be, check the logging connections on the firewall: Checkpoint uses TCP port 257 for logging, so check whether a connection on this port is established from the firewall.

The luckiest scenario is that the connection is logged, and the log indicates whether the connections are dropped or allowed. If the connections are allowed as indicated by the logs, it can safely be said that the problem likely lies outside the firewall; otherwise, the drop log should provide the necessary info to add the correct rules for the connection. For example, the business may have provided the wrong IP or the wrong service ports, or additional IPs and ports are needed in the rules.

If you are under the gun to find out right now whether the firewall is guilty or not, as a last resort, temporarily add an allow-all rule at the top of the firewall rules and ask the business to test. If the business still complains, you know the problem is somewhere else (warning: remove the allow-all rule quickly after the test).

5. Additional troubleshooting tools

The procedure above should have resolved typical firewall connection issues; however, in some cases the problem may require digging into how the firewall daemon is behaving on the firewall. This will require resorting to debug tools such as tcpdump to check the traffic packets. Checkpoint also provides a utility called “fw monitor” and many debug options. Since these tools deserve their own lengthy explanation, I will cover them in different posts.
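To make steps 1 and 4 concrete, here is an added Python example (not code from the original post, and not a Check Point tool) that triages a constructed set of firewall log lines against all interface IPs of a multi-homed host, reports the rule numbers that dropped the connection, and checks a netstat-style listing for the established TCP port 257 logging session mentioned above. The log line format, the IP addresses, the rule numbers and the netstat lines are all constructed for illustration; a real Check Point log export has a different field layout, so the regular expression would need to be adapted to it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Constructed, simplified log line format used for this example only
# (the real Check Point log export has a different field layout):
#   "<date> <time> <accept|drop|reject> src=<ip> dst=<ip> proto=<p> dport=<n> rule=<n>"
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>accept|drop|reject) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) rule=(?P<rule>\d+)$"
)

LOG_PORT = 257  # TCP port the firewall uses to ship logs to the log server


@dataclass(frozen=True)
class LogEntry:
    action: str
    src: str
    dst: str
    proto: str
    dport: int
    rule: int


def parse_log(lines: Iterable[str]) -> list[LogEntry]:
    """Parse log lines; lines that do not match the format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        entries.append(LogEntry(m["action"], m["src"], m["dst"], m["proto"],
                                int(m["dport"]), int(m["rule"])))
    return entries


def entries_for_host(entries: Iterable[LogEntry], host_ips: set[str]) -> list[LogEntry]:
    """Keep entries touching ANY interface IP of the host (step 1 caveat: multi-homed hosts)."""
    return [e for e in entries if e.src in host_ips or e.dst in host_ips]


def triage(entries: Iterable[LogEntry], host_ips: set[str], dport: int) -> str:
    """Classify the connection as 'not logged', 'allowed' or 'dropped'."""
    hits = [e for e in entries_for_host(entries, host_ips) if e.dport == dport]
    if not hits:
        return "not logged"   # check the other log location, or the rule does not log
    if all(e.action == "accept" for e in hits):
        return "allowed"      # firewall passed it: the problem likely lies elsewhere
    return "dropped"          # a rule matched and denied it


def blocking_rules(entries: Iterable[LogEntry], host_ips: set[str], dport: int) -> set[int]:
    """Rule numbers that dropped or rejected the connection, to review in the rulebase."""
    return {e.rule for e in entries_for_host(entries, host_ips)
            if e.dport == dport and e.action != "accept"}


def log_channel_established(netstat_lines: Iterable[str], log_server_ip: str) -> bool:
    """True if a netstat -an style listing shows an ESTABLISHED TCP session to the log server on port 257."""
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        remote, state = fields[4], fields[5]
        if remote == f"{log_server_ip}:{LOG_PORT}" and state == "ESTABLISHED":
            return True
    return False


# Constructed sample data: the business reported only 10.20.30.5, but the host is
# multi-homed and its second interface 192.168.7.5 is the one hitting the firewall.
HOST_IPS = {"10.20.30.5", "192.168.7.5"}
SAMPLE_LOG = [
    "2010-11-13 09:00:01 accept src=10.20.30.5 dst=172.16.0.10 proto=tcp dport=443 rule=12",
    "2010-11-13 09:00:02 drop src=192.168.7.5 dst=172.16.0.10 proto=tcp dport=1521 rule=99",
    "2010-11-13 09:00:03 accept src=10.9.9.9 dst=172.16.0.10 proto=tcp dport=1521 rule=7",
    "this line is not a firewall log record",
]
NETSTAT_SAMPLE = [
    "tcp 0 0 10.1.1.1:40123 10.1.1.2:257 ESTABLISHED",
    "tcp 0 0 10.1.1.1:22 10.5.5.5:51000 ESTABLISHED",
]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Searching only the IP the business gave finds nothing for port 1521 ...
    print(triage(entries, {"10.20.30.5"}, 1521))        # not logged
    # ... searching all interface IPs shows the drop and the rule to review.
    print(triage(entries, HOST_IPS, 1521), blocking_rules(entries, HOST_IPS, 1521))  # dropped {99}
    print(log_channel_established(NETSTAT_SAMPLE, "10.1.1.2"))  # True
```

The point of the sample data is the first caveat of step 1: searching the logs with only the one IP the business supplied returns nothing, while searching with every interface IP of the host turns up the drop and the rule number to review. The `log_channel_established` check is the quick test for the "logs are not where they should be" case: if no ESTABLISHED session to the log server on port 257 is found, look for the logs stored locally on the firewall first.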




Thoughts on Verizon 2010 Data Breach Investigations Report

August 1st, 2010

On July 28th, 2010, the Verizon Investigative Response Team (Verizon IR) and the United States Secret Service (USSS) released the 64-page “Verizon 2010 Data Breach Investigations Report”. After reading the report, I feel that this is a very informative report, and would like to highlight and comment on a few top findings that are of special interest to me. Obviously my comments only represent my own opinion, based on my personal experience in the infosec field, and could be biased.

Here are my highlights and comments on the report.

1. Data collection and aggregation

According to the report, the data used is aggregated from Verizon’s 2004-2009 paid forensic investigations of confirmed breaches, and 2008-2009 USSS cases involving confirmed organizational data breaches. While the report provides valuable insight into the data breach landscape of recent years, it would be even better for the report to aggregate USSS cases over the same 2004-2009 period so that the report is more reflective of the five-year data breach landscape, or, if only using 2008-2009 data, the report would be more accurate for the one-year span. Nevertheless, the report is still an excellent mining of aggregated data through the collaboration of both organizations.

2. Top findings on the attack vectors

The report finds that 70% of data breaches resulted from external agents, and 48% from insiders. One interesting point to note is that insider attacks have increased by 26%. The significant increase in inside threat indicates that internal control should get more attention, due to the enormous inside information that an insider can obtain and use for an attack. Internal information assets and employees are supposed to be “trustworthy” and any suspicious act can easily be “justified”, making internal control and monitoring more challenging than for external systems or people.

3. Top findings on how the breach happened

The report finds that 48% of data breaches involved privilege misuse (+26%), and 40% resulted from hacking (-24%). The use of stolen credentials was the number one hacking type in both the Verizon and USSS datasets. Next come backdoor exploitation and SQL injection. Recall that in the 2005-2006 Wal-Mart breach, attackers used stolen ex-employee VPN login credentials to get access, and not only one ID but one ID after another, indicating that the company’s access control policy was not in place or not executed well enough. As an analyst who has supported various authentication systems, database systems and applications, I would say access control and authorization are simple in principle but difficult to implement and maintain, especially for big companies. The issue is not that people do not know how authentication or authorization works, but that a company may have many different systems, different organizations, and different levels of access requirement; not only is it difficult to design and implement a fit-all solution, but even after the solution is in place, as time goes on the requirements change while the design is difficult to change, and as a result authentication IDs may stay forever, and authorization could be beyond what is needed and not updated or deleted in time. Once attackers have some way of knowing about these IDs, it is an easy game for them. The report highlighted the importance of proper maintenance of authentication systems and access control. User credentials and authorization are always the first door to secure for any information asset.

Not surprisingly, the report also finds that web application hacking and database server attacks have the highest percentage of breaches and percentage of records in terms of attack pathway. Due to the universal accessibility of web applications and their connection to the backend database, it remains critical to secure web applications and databases and to implement monitoring to contain web attacks and database hacking such as SQL injection.

4. How the breach is detected

The report finds that 61% were discovered by a third party, that 86% of victims had evidence of the breach in their log files, and that 96% of breaches were avoidable through simple or intermediate controls. This may indicate that for the entities involved in the data breaches, the effectiveness of breach monitoring and detection still has yet to be improved, maybe by allocating more resources, enhancing employee event analysis skills, and improving the monitoring processes.

5. Two interesting points from the report

I found two points from the report especially interesting. One is that the report finds that “encryption is useless”, because “Attackers are adept at maneuvering around a strong control (like encryption) to exploit other points of weakness”. I’m not into this finding, because even though, given enough skill and time, any encryption system can be broken into, encryption nevertheless remains one layer of defense in protecting valuable assets. In some cases a hacker may get around the encryption, but in most cases it is still an effective countermeasure against attackers, especially for hacking that relies on sniffing the data. Like what happened in the WWII novel “Top Secret”, encryption may not be strong enough forever, but the time to break the system is sometimes more critical than the encryption itself, and the time to get around the encryption depends on the links outside the encryption itself. A breach through other weak links has no correlation with the effectiveness of the encryption. It simply means that a breach can happen through non-encrypted links.

Another interesting point is that cyber gangs have been increasingly using digital currency. Since money is simply a token of exchange, I’m impressed by the creativity of the hacking community. After all, they need to find an innovative way to make a living too.

6. Summary

Overall I find the Verizon 2010 data breach report excellent; it has highlighted the importance of protecting user credentials and controlling access privileges, and of protecting web applications and databases. It emphasized the importance of effective monitoring, log analysis and PCI compliance, and makes a good point about filtering outbound traffic for data protection.

With all the numbers and points in the report, prevention of data breaches still relies on the overall company security posture. As always, security is as strong as the weakest link. To me, the strongest and weakest link is the people who protect the information assets. People can use or misuse technology, and can develop a robust process or fail to follow the best process. The security of information assets is ultimately dependent on the skill and ability of the team on the job to implement technology and process, and to diligently follow through on the processes. The best employees are always the best security for the company.

p.s.

For readers who have not had a chance to read the report, the original full report is available at the link below:
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf



Enterprise Infrastructure Defense In Depth

April 17th, 2010

With the evolution of TCP/IP internetworking, enterprise infrastructure is connected to the Internet cloud more than ever, which enables tremendous business opportunities and data communication for the enterprise, but at the same time also exposes the enterprise to various threats and attacks. To protect enterprise infrastructure from known and zero-day attacks, designing and implementing a defense in depth strategy is very important.

To defend in depth, enterprise infrastructure can be subjectively segregated into two zones: the perimeter zone and the internal networks/systems. An enterprise typically deploys DMZ Internet web servers, external routers, firewalls, proxies, and Internet DNS servers in the perimeter zone, and the perimeter zone is typically the attack point for external threats and attacks. The defense of the critical perimeter should include routing security, which covers well-designed ACLs, routing redundancy, and routing design. Firewall/proxy/DNS servers need to be hardened with system security principles to prevent attacks like DDoS and DNS poisoning.

To most enterprises, large or small, web application security is probably the most critical aspect, as web applications are the most convenient and easiest attack target. HTTP is open through the firewall and there are many known vulnerabilities for pretty much all web servers. The most common attacks include SQL injection, cross-site scripting (XSS), and buffer overflow. OWASP (http://www.owasp.org) is a good resource for web application security.

Equally important for perimeter security, VPN security and the wireless perimeter are often overlooked. In today’s mobile world, companies deploy more and more VPN solutions and wireless networks. If not properly secured, enterprise infrastructure could easily be attacked through a VPN client and VPN tunnel, or through wireless hotspots. Because of the distributed and mobile nature of VPN and wireless devices, protecting the VPN and wireless perimeter from attacks makes it even more important to have a defense strategy in place before deploying them.

Even with perimeter defense in place, internal networks and systems still need to be properly secured so that penetration of the perimeter won’t leave the enterprise’s critical internal infrastructure wide open to the attacker. This requires implementing system security, application security, and database security for all internal infrastructure components. Insider threat is one particular vector to consider for internal security, especially upon an impending layoff, firing, or spin-off. Appropriate access control, authorization, and audit logging are necessities as part of the defense.

Defense in depth depends not only on physically segregating the infrastructure into the zones above for protection, but also logically on integrating security into network design, application design and secure coding, database design, and continuous system hardening. Besides defense through technology, employee security awareness training and bulletproof operational procedures should be included as part of defense in depth, along with processes for security monitoring and breach detection.