February 2007 - Posts

Microsoft SSL VPN is here

Not so long ago, when I was asking Microsofties when they were going to release an SSL VPN solution, they asked me back: we support a lot of functionality over the Web, as well as standards-based VPN, so why do you need an SSL VPN?

That was a good question of theirs, and it had a two-part answer: not everything is a part of the Microsoft ecosystem, and SSL VPN is the flavour of the day. Apparently, Microsoft listened: they bought Whale Communications, an SSL VPN company.

Enter Microsoft's Intelligent Application Gateway 2007, the SSL VPN solution from Microsoft. SSL VPN is a highly competitive market, with Check Point, F5 and Juniper being the major established players. I think all of them acquired their SSL VPN technologies too!

The product is a part of the Microsoft Forefront Edge Security and Access family. It's getting really confusing, as so many different solutions are branded Forefront. I'd prefer Microsoft Antivirus, Antivirus for Servers, Enterprise Firewall, SSL VPN and so on. Something descriptive, to the point.

I'll be dissecting IAG really soon. Stay tuned for updates.

Posted by Slav | with no comments

What's proper strong authentication?

Everybody knows the answer: strong authentication involves more than one factor, usually something you know and something you have. Yet it doesn't cease to amaze me how wild the interpretations of strong authentication get.

Strong authentication is authentication where the multiple factors are interdependent, and where at least one of the factors can neither be issued without the full knowledge of the system administrators nor (easily) cloned.

Take a GSM mobile telephone. The telephone's SIM, when protected with a PIN, is strong authentication: no one can easily clone the SIM. However, the telephone number assigned to that subscriber via the SIM isn't: it is quite easy to misrepresent the source phone number when placing calls (there are DIY solutions, process exploits, and services; the same applies to SMS). A Java applet that is loaded onto the phone and requires a password to run is not strong either - it can be copied.

I would discard biometrics, for one cannot replace those authentication factors easily. Plus, one's fingerprints, voice or DNA aren't kept strictly private. Cloning is always an option - some fingerprint scanners, including one marketed by Microsoft, happily accept artificial fingers made of lollies.

Smart cards are, by far, the best strong authentication solution. The technology has been available in Windows since 1999, and is quite mature by now. There are no excuses for living with passwords, especially when you see passwords as a risk.

Posted by Slav | with no comments

A vision for IPv6 enterprise

Without much fanfare, stock exchange opening bells and stuff like that, the IPv6 protocol stack made it to all major computing platforms. In Windows XP Service Pack 1, a fully supported IPv6 stack replaced the previous experimental version (which is also available for Windows 2000); it was also integrated into Windows Server 2003 and is available for Windows CE. IPv6 is available (and probably supported) in recent versions of Red Hat Enterprise Linux (kernel 2.6-based), and has been in Solaris for a long while. Cisco IOS and other operating systems running on network equipment also support IPv6. The protocol has arrived.

Here's what the IPv6 enterprise will look like:

  • Enterprise firewalls - gone. They are dinosaurs right now, and it's long past the ice age;
  • Enterprise access/VPN gateways - gone. Enterprises will utilise assigned, Internet-addressable address space;
  • Access to the enterprise servers will be controlled using the IPsec host authentication mechanism. Public services won't require authentication, whereas internal services will require both user (traditional) and system (IPsec AH) authentication;
  • Computers will use keys stored in the TPM (Trusted Platform Module) to authenticate against corporate IPv6 infrastructure services;
  • Network QoS (Quality of Service) won't happen... again. In the past there were too many issues integrating transport-layer QoS protocols with applications up the OSI stack, and increased bandwidth was always the answer. That won't change, and QoS will remain limited at most.

Pretty cool, huh? 

When enterprises will move to IPv6 en masse is anyone's guess. I think the change will come from telcos providing services to consumers - the whole world is a potential customer, and the telcos are already facing limitations in both the address space available (including private) and gateway capacity between their private and public networks. IPv6 will solve both issues. Switching enterprises across requires retiring support for IPv4...

Some IPv6 resources:

  1. http://microsoft.com/ipv6
  2. http://www.ipv6style.jp - Japanese are heaps ahead with this
  3. http://www.ipv6.org.au - I finance this with my taxes... Which makes it personal!
Posted by Slav | with no comments

Good principles for sysadmins and solution architects

Solaris™ Administration Best Practices by Peter Baer Galvin is an old gem. Here's the list:

  • Keep an Eye Peeled and a Wall at Your Back
  • Communicate with Users
  • Help Users Fix It Themselves
  • Use Available Information
  • Know When to Use Strategy and When to Use Tactics
  • All Projects Take Twice as Long as They Should
  • It’s Not Done Until It’s Tested
  • It’s Not Done Until It’s Documented
  • Never Change Anything on Fridays
  • Audit Before Edit
  • Use Defaults Whenever Possible
  • Always Be Able to Undo What You Are About to Do
  • Do Not Spoil Management
  • If You Haven’t Seen It Work, It Probably Doesn’t
  • If You’re Fighting Fires, Find the Sources
  • If You Don’t Understand It, Don’t Play with It on Production Systems
  • If It Can Be Accidentally Used, and Can Produce Bad Consequences, Protect It
  • Ockham’s Razor Is Very Sharp Indeed
  • The Last Change Is the Most Suspicious
  • When in Doubt, Reboot
  • If It Ain’t Broke, Don’t Fix It
  • Save Early and Often
  • Dedicate a System Disk
  • Have a Plan
  • Cables and Connectors Can Go Bad
  • Mind the Power
  • Try Before You Buy
  • Don’t Panic and Have Fun

It so happens that the practices can be equally applied to Windows system administration and to creating solution architectures, including security solutions.

I don't agree with one of the pearls of wisdom included in the writeup - this one:

The question you ask as a sys admin is not “Are you paranoid?”; it’s “Are you paranoid enough?”

Last time I checked, paranoia was some sort of mental illness. Being paranoid isn't good for you. Paranoia results in a malformed perception largely replacing reality in someone's mind.

And I'd add another rule: Always question "Best Practices".

Posted by Slav | 1 comment(s)

Resist googlisation!

I don't use Google Search. That's because I see a dangerous thing going on: the googlisation of everything. Too often people say "just google for it", referring to the way to get facts, without realising that Web search is only going to return the most popular, most often cited source. Which is not necessarily truthful. The same applies to Wikipedia.

Critical perception of information is crucial for an intelligent person. For that reason, getting facts by just googling them is not acceptable - it is only good for getting some information for consideration. There are too many questions whose answers cannot be found on the Internet. There are too many for which wrong answers are mostly given on Web sites. If Google is to be taken as a source of truth, that would be misleading in many cases - especially when it comes to complex problems. In Ukraine, higher education is plagued by the google-and-paste (or worse, copy-and-paste - from ready-to-reuse sources like referat.ru, a Muscovite McEducation site) way of writing theses.

And some competition in the search space is also required. I'm not looking forward to seeing an advertising agency replace libraries.

Is it googlisation or googlization? I don't give a damn. Resist it.

Posted by Slav | with no comments

The most secure modern OS, Part I

It's in wide use, it's mature yet modern (a new version was released just recently), and it's the most secure consumer OS out there. It's a Microsoft product.

The OS in question is Windows Mobile. Formerly known as Windows CE, it became the nameless power behind the Windows-powered Pocket PC and is now available on a mobile telephone near you. Still not without identity issues - there is the Phone edition and there is Smartphone. Windows Mobile rocks. It's not the only OS that rocks - thus Part I.

My Windows Mobile device contains a copy of my mailbox, address book and some files, giving me the option to synchronise using a cradle USB connection, Bluetooth, Wi-Fi and mobile phone networks. A variety of applications is available, both productivity and leisure. And I can browse the Web from, like, anywhere - without annoying Flash banners. And I'm in full control of the device - as the administrator (or the runlevel 1-like root, if you wish).

I have seen numerous suggestions that I should run a firewall and antivirus on the device. That's laughable. I don't do that on my PC, but in this case those won't make much difference for Mr. Average User - apart from perhaps shortening the device battery life and adjusting the content of his wallet by a few bucks (annually, in the case of Symantec). A market for the useless software is built on a years-old fear of an imminent worm outbreak. And still, we have just a handful of proof-of-concept viruses for the platform (none dangerous or self-distributing), and no prominent incidents involving Windows Mobile.

It is a big mistake to judge something only by its past, but in this case something makes me more confident: SANS, a security education organisation, joins desperate vendors in spreading FUD:

IT managers are being warned of the threats that are likely to keep them awake nights in 2007, with laptop security, VoIP and the contentious issue of mobile phone viruses all featuring on one organisation's 'hit-list'.

It is a contentious non-issue, together with VoIP. I despise FUD. Therefore I proudly proclaim Windows Mobile the most secure OS, and forecast another virusless year for the platform.

P.S. If only they had data encryption for Windows Mobile...

Posted by Slav | 1 comment(s)

Life without firewall and antivirus

I don't run firewall or antivirus software on my personal computer. And the operating system there isn't Mac OS. And I work logged on as the Administrator.

The reason is simple. I want to know if the intruders out there will outsmart me - by coming up with a new kind of remote exploit (I don't run unnecessary services on the Internet interfaces); by making me double-click on an email attachment; or by making me go to a Web site that has a picture containing a binary virus payload. Or maybe they will come up with a totally new technique (like I did with exploiting implicit trust using a wireless access point)? I do my housekeeping: apply updates, disable unnecessary services and configure others securely, and only access trusted content. I think I'm up to the challenge.

I don't suggest that anyone follow my example. In fact, I recommend using both firewall and antivirus/antispyware software. But I think that traditional network-based, remote exploit type attacks will die off, and traditional viruses soon after.

Posted by Slav | with no comments

Kashrut, Sarbanes and Oxley

This is about interpretations, and how they transform law into something unrecognisable.

The first example is kashrut, the orthodox Jewish diet. Its origins can be traced mostly to the eleventh chapter of the third book of the Bible (or Torah, if you like) - Leviticus:

And the LORD spake unto Moses and to Aaron, saying unto them, Speak unto the children of Israel, saying, These are the beasts which ye shall eat among all the beasts that are on the earth...

(the full text is here)

A couple of thousand years later, we find the concise set of rules transformed into something very complicated, apparently bloated and sometimes conflicting. The main thing is - if you want to sell kosher food, you cannot just claim that the food is kosher. There is no self-assessment. You must hire someone from a Kashrut authority to supervise your processes and certify your compliance. To something that is vaguely based on the initial law.

A more recent but very similar example is An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes, commonly referred to as the Sarbanes-Oxley Act (or just SOX). It is the US Congress' response to a series of corporate scandals, including the burst of the telecom bubble (read Om Malik's excellent book "Broadbandits" about it) and the Enron demise.

The act is about implementing audit and security controls so that corporate executives won't tamper with financial results in order to inflate the share price and such. Yes, it includes something about information security - so vague that I can easily post the entire Section 404 here:

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall -
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

That's it. Much shorter than Leviticus Chapter 11. Do you see anything about firewalls, intrusion detection and prevention systems, antivirus software and email journaling? Me neither. The law requires a verifiable set of controls around financial information (which is reasonable); the controls aren't defined (which is bad); and it's up to the auditors to define what's required.

Boom! The Big Five accounting firms (okay, they're the Big Four - Andersen became a scapegoat) all of a sudden have a lot of new business to do. That is, they interpret the law at their will, and they charge a fee to check compliance with what is largely a result of their own imagination. In just five years, SOX resulted in the creation of a new Kashrut system.

Probably I should give examples of SOX stupidity. The most fascinating one, if true, is this: based on SOX, the IT auditors require all routers to be tested under high load for a fortnight before connecting them to production. I cannot name the source, nor the auditors, here - I just heard it through the grapevine. But for some reason I tend to believe it.

CEOs, CFOs and CIOs hardly ever touch routers or administer servers. In all cases of corporate fraud they were using other means to defraud the investors.

Compliance is only good if it brings benefits. More secure infrastructure is usually more stable, because it must be well-managed to stay secure. But it's very easy (and tempting, to some) to go overboard with compliance. If you attend a presentation of a new product, and you hear "SOX" or "HIPAA" in the first five minutes - walk away.

Posted by Slav | with no comments

Enterprise firewalls are a thing of the past

Do you have an enterprise firewall? Here's a rule set for you to try:

  • Source: ANY
  • Destination: ANY
  • Protocol: ANY
  • Action: ALLOW

Yes, I'm asking you to allow everything across the firewall. Horrors!

But wait a minute. Most modern networks, large or small, do not use public IP address space, so John Citizen cannot connect directly to the systems on the network at will. Are outbound connections a significant threat? I don't think so. There are so many ways for users (and malware) to send information out using already available connectivity devices and infrastructure - trying to keep it under tight control will cost a lot and won't stop a determined malicious insider (or a clever trojan).

If there is any tangible risk resulting from applying the abovementioned firewall rule set, then you have a big problem - insecure infrastructure. And you don't solve it with a device that may be located on another continent.

So it's time to stop paying for those stateful inspection appliances, as well as their support and maintenance. Time to openly oppose the best practices and regulatory compliance requirements that often make organisations use multiple layers of enterprise firewalls. Get back to basics: secure your applications.

I was looking for the old thread on the Death of the DMZ - found it on Susan Bradley's blog (where else?). Time to bring it up again. And to acknowledge the reality - it's not just the DMZ that belongs to the past; it's the brandmauer.

Posted by Slav | 6 comment(s)

Notes about Active Directory integration using LDAP

I'd like to share a few notes about integration with Active Directory using LDAP:

  • LDAP is a directory access protocol; use it for authorisation, not as an authentication protocol. Think about users who are not using passwords but smart cards or RSA SecurID one-time passwords for authentication. Even if there aren't any today, there might be in the future - therefore make sure the authentication system is effectively separated from the authorisation subsystem;
  • For example, if your Web application requires a client certificate to connect, use PKI trust and don't try to match the user's certificate against their userCertificate attribute in AD (which is for S/MIME);
  • Make sure that after authentication a unique attribute is used for directory lookups. Note that commonName is unique only within its container and sAMAccountName only within a domain; userPrincipalName is unique across the forest, and objectGUID is the immutable identifier to store if you need a persistent reference to the account;
  • Do not ever use organisational units (that is, location in the directory tree) for granting access. Use groups and group membership instead;
  • Make sure that you check that the user account isn't locked out or disabled. The Microsoft KB article How to query Active Directory by using a bitwise filter describes the LDAP query format for that (the LDAP_MATCHING_RULE_BIT_AND rule, OID 1.2.840.113556.1.4.803). UF_ACCOUNTDISABLE (0x2) is the bit to look for in userAccountControl; the UF_LOCKOUT bit (0x10) is not maintained in that attribute by Active Directory, so check the lockoutTime attribute against the domain lockout duration (or read the computed msDS-User-Account-Control-Computed attribute) instead.

Don't oversecure LDAP. It's the enterprise address book - think of Yellow Pages when you design security solutions using LDAP.
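The notes above, put together as an added example (this is not code from the original post): an RFC 4515-escaped lookup filter by UPN that lets the server drop disabled accounts with the bitwise matching rule, a lockout check driven by lockoutTime rather than the UF_LOCKOUT bit, and authorisation by group membership rather than OU. It does not talk to a directory; SAMPLE_ENTRIES is a constructed stand-in for LDAP search results, the 30-minute lockout duration is an assumed domain policy value, and the group DN is made up.

```python
"""Active Directory user lookup over LDAP: safe filter construction plus
interpretation of userAccountControl, lockoutTime and memberOf.

Added example, not code from the original post. SAMPLE_ENTRIES is constructed
data standing in for LDAP search results; the lockout duration and group DN
are assumptions.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (ADS_USER_FLAG enumeration).
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010  # AD does not set this in userAccountControl; see is_locked_out()
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_PER_SECOND = 10_000_000  # FILETIME counts 100-nanosecond intervals


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value. Without it, a name typed at a
    logon form such as '*' or 'x)(objectClass=*' rewrites the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def user_lookup_filter(upn: str) -> str:
    """Match one user by UPN (unique across the forest) and let the server
    exclude disabled accounts via the bitwise AND matching rule."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userPrincipalName={escape_filter_value(upn)})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


def is_locked_out(lockout_time: int, lockout_duration_s: int, now: int) -> bool:
    """lockoutTime is 0 if the account was never locked or an admin unlocked it;
    otherwise the lock lapses after the domain's lockoutDuration. The UF_LOCKOUT
    bit is only reported via msDS-User-Account-Control-Computed, so this
    attribute, not the bit, is the reliable test. All times are FILETIME ints."""
    if lockout_time == 0:
        return False
    return now < lockout_time + lockout_duration_s * FILETIME_PER_SECOND


def account_state(entry: dict, lockout_duration_s: int, now: int) -> str:
    uac = int(entry["userAccountControl"])
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    if is_locked_out(int(entry.get("lockoutTime", 0)), lockout_duration_s, now):
        return "locked out"
    return "ok"


def is_member(entry: dict, group_dn: str) -> bool:
    """Authorise on group membership, never on where the object sits in the tree."""
    return group_dn.lower() in (g.lower() for g in entry.get("memberOf", []))


# Constructed sample data standing in for what an LDAP search would return.
SAMPLE_NOW = datetime_to_filetime(datetime(2007, 2, 1, 9, 0, tzinfo=timezone.utc))
SAMPLE_LOCKOUT_DURATION_S = 30 * 60  # assumed domain policy: 30 minutes
APP_GROUP = "CN=Payroll Users,OU=Groups,DC=example,DC=com"  # assumed group DN
SAMPLE_ENTRIES = {
    "jdoe@example.com": {"userAccountControl": 512, "lockoutTime": 0,
                         "memberOf": [APP_GROUP, "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "old@example.com": {"userAccountControl": 514, "lockoutTime": 0, "memberOf": [APP_GROUP]},
    "bob@example.com": {"userAccountControl": 512,
                        "lockoutTime": SAMPLE_NOW - 5 * 60 * FILETIME_PER_SECOND,  # locked 5 min ago
                        "memberOf": [APP_GROUP]},
    "guest@example.com": {"userAccountControl": 512, "lockoutTime": 0, "memberOf": []},
}


def authorise(upn: str, entries=SAMPLE_ENTRIES, now=SAMPLE_NOW,
              lockout_duration_s=SAMPLE_LOCKOUT_DURATION_S) -> str:
    """Decision for a user who has already authenticated elsewhere (smart card,
    one-time password); the directory is consulted only for authorisation."""
    entry = entries.get(upn)  # a real deployment would search with user_lookup_filter(upn)
    if entry is None:
        return "no such user"
    state = account_state(entry, lockout_duration_s, now)
    if state != "ok":
        return state
    return "allowed" if is_member(entry, APP_GROUP) else "not in group"


if __name__ == "__main__":
    print(user_lookup_filter("x)(objectClass=*"))
    for sample_upn in SAMPLE_ENTRIES:
        print(f"{sample_upn}: {authorise(sample_upn)}")
```

The filter keeps the disabled-account test server-side, while the lockout test has to happen client-side because lockoutTime is a timestamp, not a flag; passing a later `now` to `authorise()` shows the lock lapsing on its own once the domain's lockout duration has passed.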

Posted by Slav | with no comments

Endpoint security: not there yet

While the security industry comes up with more and more solutions enabling endpoint security (Cisco NAC, Check Point Integrity etc.), I remain sceptical about the whole thing.

There are a couple of reasons for that:

  • Strong authentication for users and systems is seldom used - so the fundamentals are missing;
  • Client system health and compliance checks run on the client - so the client is trusted for granting itself access, in a way;
  • I haven't seen a solution that reliably prevents a connected client from being turned into a network bridge/gateway;
  • Switching and routing infrastructure is completely and entirely trusted;
  • Solutions that are on the market don't feature great multiplatform support - support for your Windows Mobile, Symbian and Mac OS X systems is rather limited at best.

There's one simple question that I like to ask my colleagues - at any point in time, can you tell me how many systems are connected to your IP network? (I define a system as an instance of any operating system with an IP stack.) No one from an enterprise-scale environment can. And if you are to implement an endpoint security solution, just ask yourself if you're going to have the answer as a result of that. If not, then you're going to have unknown endpoints - which, in my opinion, kills the idea.

Posted by Slav | 3 comment(s)

What scares Cisco Security CTO?

Vista is out, to everybody's love or hate. And some people are scared. Bob Gleichauf, the chief technology officer in Cisco Systems' security technology group, is one of them:

Parts of Vista scare me. Anything with that level of systems complexity will have new threats, as well as bringing new solutions. It's always a struggle in security, trying to build for what you don't know.
...
Vista will solve a lot of problems. But for every action, there's a reaction and unforeseen side-effects and mutations. Networks can become more brittle unintentionally.

It strikes me that in the above passage you really can replace Vista with any modern and reasonably complex system (Linux, Lexus LS 460L, you name it) - and it won't change much. Mr Gleichauf is scared of new technologies.

FUD is bad business. But apparently Cisco is betting on it. They should go back to switching and routing.

Posted by Slav | 3 comment(s)

A story of Beauty and the Beast

The independent blogger Richard Stiennon writes in his blog on ZDNet:

Windows is inherently harder to secure than Linux. There I said it. The simple truth.

The revelation that occurred to Mr. Stiennon is actually based on two pictures:

[Two images: the system-call map of Apache, and the system-call map of IIS]

These are maps of the system calls of Apache on Linux and IIS on Windows, provided by Sana Security.

To me, the only conclusion I can come to based on the pictures is that they look different. I tried to zoom in, and I encourage you to do the same to make sure we don't miss any significant detail that Mr. Stiennon is providing us with.

But let's assume that IIS on Windows makes more API calls. What does it mean for security? Not much, I'd say. Simpler systems sometimes have fundamental shortcomings that make them insecure. Think of MS-DOS v Linux.

And one other thing. The diagrams remind me of certain organisational hierarchies - namely, Windows development organisation and a Linux distro workshop.

Posted by Slav | 2 comment(s)

Do you still need PSTN?

Why are old technologies bad for security? Because they aren't flexible enough. Almost everyone is using Internet banking and takes SSL encryption of the session for granted. But most banks also offer telephone banking, where you manage your account over a telephone line. Usually you enter your account number (or its equivalent) and PIN, and then you can transfer money etc. Phone line wiretapping is a trivial thing - I've done that back in school. Phone banking is inherently insecure in that regard.

Now, a business story. Telstra is Australia's almost-monopoly telco. Think of AT&T not broken up, or Ukrtelecom. In early 2006, Telstra's then-new CEO Sol Trujillo was worried about something:

PSTN decline had accelerated slightly faster than expected.

Later that year, he was more optimistic:

The shift in revenue from traditional higher margin products and services to new and emerging products and services with lower margins has continued. However, we are tackling this hard and have slowed the PSTN decline by integrating services, bundling initiatives and customer winback programs.

And most recently Mr. Trujillo sounds upbeat:

We have slowed the PSTN decline.

Apparently, PSTN decline is an ongoing thing, and Telstra is trying to slow it - successfully, according to Mr. Trujillo. I wonder if the intention is to stop customer migration to new technologies and eventually start growing the PSTN customer base.

This is exactly what I don't need. All the goodness of new telecoms aside, when new technologies become secure, legacy technologies are targeted by criminals. Enable strong authentication for Internet banking - and check fraud will grow (and yes, we don't need the whole check payments thing today). Besides, many people are concerned about governments eavesdropping on citizens' phone calls - but your neighbour can do the same, because the technology allows them to.

Meanwhile, I cannot get rid of my PSTN service. And there are people who don't want me to.

Posted by Slav | with no comments

More Secure SSL? Not Really.

What is the issue with SSL? It turns out that, despite all the good intentions in the past, one can get a web server certificate while remaining pretty much anonymous. So you go to a Web site (like https://example.com), see a padlock and consider the connection secure. It is indeed secure from a confidentiality and integrity point of view, but should you trust the Web server?

Apparently not. Which is why commercial CAs and Microsoft came up with something called Extended Validation SSL certificates. Read about it here (Microsoft) and here (Verisign). The difference between what we mostly see today and what's proposed is more thorough verification of the applicant (for example, scrutiny of the incorporation papers), and a green-coloured address bar in Internet Explorer (Customer Confidence in the Green Address Bar - Verisign).

Extended Validation SSL certificates are a bad idea, and they will fail to achieve new levels of security. Here's why:

  • EV SSL certificates are very expensive (outrageously expensive, in Verisign's case) - prohibitive to small and medium businesses;
  • So most Web sites will continue to use traditional SSL certificates and will be no less trusted;
  • Because, for some reason, customers like me don't establish trust based on the fact that a certificate is issued by a CA that happens to come pre-installed in my browser's trust list;
  • Historically, the idea of a commercial CA first, and then the idea of certificate classes (Class 3 is better than Class 1), were designed to create trust based on technical means - and that didn't work, thus the requirement for EV certificates.

In fact, DNS, Web search and social networks remain the most reliable sources of Web trust.

Oh, and there's one other thing. Reading through the Verisign EV SSL brochure, one might ask - why are they still pushing SGC certificates? SGC, or Server Gated Cryptography, was invented as a workaround for the US cryptography export restrictions that were effectively lifted almost 10 years ago. There's nobody who's still using browsers that support SGC but don't support full strong encryption.

And another question is - how in the world can a particular SSL certificate "enable" strong encryption? I thought that the SSL certificate is used for RSA key exchange, but the length of the stream encryption key (128-bit RC4, or a 256-bit AES symmetric key, and the likes) is not dependent on the length of the certificate key (like a 1024-bit RSA key). "128-bit SSL Certificates" doesn't make much sense to me. Where am I mistaken?

Posted by Slav | 1 comment(s)

Something to Start With

Hello and welcome to my weblog.

I'm so 20th century - still using NNTP newsgroups, writing this from a Windows 2000 computer, listening to Faith No More and playing Doom. I think it's time for a change. So I'm becoming a blogger.

In this weblog I'll be writing about information security, technology, politics and business. All four are closely interconnected, so I decided not to limit myself to professional topics only - even though I'm using msmvps.org. We'll see how it goes.

Peace.

Posted by Slav | 1 comment(s)