Agenda
- Background
- VPN Solution and Process
- Database Architecture
- Areas of Concern
- Security Challenges
Background
- We were hired by Apex Trucking Company to create a new, enhanced cryptographic security architecture for the company.
- Apex moves materials for clients throughout North America and Europe.
- Apex has its HQ in New York, with at least one marketing group in each of Mexico, Germany and Canada, and three in the US.
Background
- Current security consists of one firewall and a web server that is directly connected to the Internet.
- All computers run Windows NT.
- The databases currently use MySQL.
- Passwords are the only security control; Apex does not currently use any encryption.
Current Architecture
Our Proposal
We Chose to Include:
- Virtual Private Network (VPN)
- Secure Socket Layer (SSL)
VPN Basics
- VPN stands for virtual private network.
- Although the users of a VPN are on a public network, they are given the level of security typically reserved for a private network.
- With a VPN, communication passes through an encrypted tunnel across the Internet.
- A firewall is used to implement the VPN.
Pfleeger, C.P. & Pfleeger, S.L. (2007). Security in Computing. Boston, MA: Pearson Education, Inc.
Firewall Basics
- Firewalls are access control devices that sit between the private and public components of the network and manage the traffic between them.
- When a user requests access to the private network, the firewall sends the user's authentication data to a server.
- The server confirms (or denies) that the user has access and then grants the appropriate security privileges.
Pfleeger, C.P. & Pfleeger, S.L. (2007). Security in Computing. Boston, MA: Pearson Education, Inc.
SSL Basics
- Secures messages that are sent over the Internet.
- Uses a layer between the TCP and IP layers.
- SSL uses public- and private-key encryption.
- A Java-based firewall can provide the service; it downloads itself onto users' computers.
- Clients can log on from anywhere as long as they know their credentials and the URL of the Web SSL VPN concentrator.
Bedel, C. (2010). The Benefits and Different Types of SSL VPNs. Retrieved from: http://searchenterprisewan.techtarget.com/tutorial/The-benefits-and-different-types-of-SSL-VPNs
SSL Basics
- The end user can securely access multiple network services through the portal.
- The site is called a portal because it gives access to many resources through one page.
- The user only needs to complete an authentication method to access the Web page.
Bedel, C. (2010). The Benefits and Different Types of SSL VPNs. Retrieved from: http://searchenterprisewan.techtarget.com/tutorial/The-benefits-and-different-types-of-SSL-VPNs
- We are going to configure SSL VPN access for employees.
- We will allow customers to log in securely at the web server so they can track their orders.
- The following slides discuss how this will be configured and how it will work (see diagram).
Proposed Architecture
Customer Access
1. Customers go to the Apex Trucking website, http://www.apextrucking.com
2. Click on the Track Order tab
3. Clicking the tab takes the customer to https://apextrucking.com/tracking
4. Customers log in with the username and password credentials they created when first ordering (required to open an account with the company)
5. This takes them to the tracking website running the Drupal CMS (Content Management System)
6. After they complete their session, they simply log out.
Technical Configuration
- Windows 2008 Server runs both the HR and Marketing servers.
- The Windows 2008 built-in firewall is used as the VPN concentrator: Routing and Remote Access Server (RRAS).
- Passwords are stored on the systems using SHA-1 hashing, with BitLocker on Server 2008; Windows NT machines will use TrueCrypt.
- There are three servers in the LAN: an HR Server 2008, a Marketing Server 2008, and a Database Server running MySQL that answers queries from the web server in the DMZ (which runs Windows 2008 and Drupal).
- Drupal runs on the web server in the DMZ; it is a free, open source product.
- NOTE: Using the Windows 2008 built-in VPN is free; no additional licensing is necessary.
- Windows 2008 can be configured as a Certificate Authority (CA) for creating digital certificates.
Technical Configuration
- To use the Windows VPN, a VPN group is created by default and users are added to it as VPN access is requested. Once logged in to the VPN, users have access to their respective department, i.e. HR or Marketing.
- Windows Server 2008 supports a new VPN protocol, Secure Socket Tunneling Protocol (SSTP). SSTP uses SSL-encrypted HTTP connections to establish a VPN connection to the VPN gateway.
- SSTP is secure because user credentials are not sent until after a secure SSL tunnel has been established with the VPN gateway.
- SSTP is also known as Point-to-Point Protocol (PPP) over SSL, so PPP and Extensible Authentication Protocol (EAP) authentication mechanisms can be used to make the SSTP connection more secure.
- All customer data will be stored in the MySQL database.
Database Architecture
Introduction
This section describes the database architecture and how we will address the confidentiality, integrity and availability of the valuable and sensitive data stored in the database. Our marketing groups in Europe, Mexico and Canada need management access to the data, over an Internet connection, to enter new shipments and change orders before they ship.
The MySQL Server 5.5.18 access control system works through a series of so-called grant tables, which make it possible to define access levels for each user at the database, table or column level. While these tables allow administrators to set blanket permissions for a user or a set of tables using wildcards, doing so is inherently dangerous because an attacker could use a single compromised account to gain access to other parts of the system. For this reason, we will be precise when assigning privileges to the HR and marketing teams and always ensure that users have only as much access as they need to perform their tasks. The SUPER privilege will not be assigned to individual users, as it allows a user to manipulate basic server configuration and access all databases.
All users' home directories will be secured with directory permissions of 600, so that the owner is the only one who can read and write the directory. This ensures that per-user configuration files are not viewable by other users on the system and are stored in non-public locations.
The HR and marketing teams will manage data and display reports through an Internet connection to the MySQL server. We will ensure that our client-server architecture is secure when sensitive data is transmitted over the network. If client-server transactions take place in plaintext, an attacker can "sniff" the data packets being transmitted and gain access to sensitive information. To mitigate this risk, SSL will be enabled in the MySQL configuration, and we will use a 128-bit SSL VPN to create a secure encrypted "tunnel" for all of our sensitive data to pass through. Additionally, SHA-1 will be used for hashing. Encrypting the client-server connection in this manner makes it extremely hard for unauthorized users to read the data going back and forth.
Data at rest within the database will be encrypted using MySQL's built-in Rijndael AES (Advanced Encryption Standard) 128-bit encryption, an encryption standard certified by the federal government's National Institute of Standards and Technology (NIST). Encryption keys are never stored on any of the servers within our security perimeter, further protecting the integrity of the data. Backup tapes, a common security vulnerability, will only contain encrypted data.
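The three database controls described above (precise grants with no wildcards and no SUPER, SSL-only client connections, and AES-128 for data at rest) as one worked MySQL 5.5 script. This is an added example, not part of the Apex proposal; it assumes a database named apex, hypothetical office address ranges and placeholder passwords, and that the server was started with the ssl-ca, ssl-cert and ssl-key options so that REQUIRE SSL can be enforced.

```sql
-- Added example (not from the Apex proposal). Assumes database "apex",
-- hypothetical office address ranges and placeholder passwords.
CREATE DATABASE IF NOT EXISTS apex;
CREATE TABLE apex.shipments (
  id INT PRIMARY KEY, customer_id INT, origin VARCHAR(64),
  destination VARCHAR(64), status VARCHAR(32)) ENGINE=InnoDB;
CREATE TABLE apex.customers (
  id INT PRIMARY KEY, name VARCHAR(100),
  tax_id VARBINARY(64)) ENGINE=InnoDB;  -- VARBINARY: AES_ENCRYPT() output is binary

-- The pattern the text warns against: a wildcard grant turns one compromised
-- marketing account into an administrator of every database. Never run this:
-- GRANT ALL PRIVILEGES ON *.* TO 'marketing'@'%' IDENTIFIED BY 'x' WITH GRANT OPTION;

-- Least privilege per team: the Germany marketing office (hypothetical range
-- 10.30.0.0/24) may only read and edit shipments, and only over an SSL session.
CREATE USER 'mkt_de'@'10.30.0.%' IDENTIFIED BY 'CHANGE-ME-placeholder';
GRANT SELECT, INSERT, UPDATE ON apex.shipments TO 'mkt_de'@'10.30.0.%' REQUIRE SSL;
GRANT SELECT (id, name) ON apex.customers TO 'mkt_de'@'10.30.0.%';  -- column-level only

-- The Drupal tracking site in the DMZ (hypothetical host 172.16.1.10)
-- only needs to look up a shipment's status.
CREATE USER 'drupal_web'@'172.16.1.10' IDENTIFIED BY 'CHANGE-ME-placeholder';
GRANT SELECT (id, customer_id, status) ON apex.shipments
  TO 'drupal_web'@'172.16.1.10' REQUIRE SSL;

-- Checks: confirm the grants are as narrow as intended, that no application
-- account holds SUPER, and that each one is marked ssl_type = 'ANY'.
SHOW GRANTS FOR 'mkt_de'@'10.30.0.%';
SELECT User, Host, ssl_type, Super_priv FROM mysql.user WHERE User <> 'root';

-- Data at rest: AES_ENCRYPT() is AES-128 and takes the key as an argument, so
-- the application supplies it with each statement and no table holds it.
-- Caveat: the general query log records statement text verbatim, so this key
-- lands in that log; guard the log as tightly as the key. (Turning logging off
-- per session with sql_log_off needs SUPER, which these accounts must not have.)
INSERT INTO apex.customers (id, name, tax_id)
  VALUES (1001, 'Example Freight GmbH',
          AES_ENCRYPT('DE123456789', 'app-supplied-key-placeholder'));
SELECT name, AES_DECRYPT(tax_id, 'app-supplied-key-placeholder') AS tax_id
  FROM apex.customers WHERE id = 1001;
```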
We will keep track of and analyze all log files to understand the source of activity (i.e. client connections, queries and server errors). Of these, the most important is the general query log, which records each client connection and disconnection with a timestamp, and also records each query executed by a client.
Areas of Concern
Source: csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf
Implementation/Management
- Pilot version of the VPN to address possible problems before deployment and to set up policies that work with organizational needs
- Ensure availability, scalability, and functionality of the VPN
- Monitor Access Control Lists
- Provide training and information to both users and technical staff
- Manage the VPN by reviewing logs and performing audits
- Keep the software up to date; apply patches in a testing environment first
Source: csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf
Future Considerations
- Adding an appliance SSL VPN, such as a Juniper or Cisco device, as opposed to a software VPN: more costly, but comes preconfigured
- Placing the VPN device behind the firewall within the internal network, so that information passing from the SSL VPN to the internal network stays behind the firewall
- Upgrading equipment while maintaining functionality and interoperability
Security Challenges
- Impact of Implementing SSL VPN Solution
- Mitigation of Impact
- Cryptography Restrictions
- Considerations for New Policies/Changes
- Process/Procedures for Implementation
Policy Changes
Considerations
[Diagram: considerations for each component: DATABASE (MySQL), HR, Marketing, Windows NT]
Mitigation of Impact
[Diagram: mitigation measures (decryption, authentication, policy, virus scan, resource access, encryption, audit, logs, databases) applied to remote users at the Mexico, Canada and Germany offices]
International Laws
Cryptography Restrictions
- Canada*: None
- Mexico*: None
- Germany*: Actively supports the spread of secure encryption
- Require use of a specific security layer for remote (RDP) connections
- Always prompt for password upon connection
- Do not allow passwords to be saved
- Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
Policy Changes #2
Policy Changes #3
Phased Approach
Trade Analysis
VPN ALTERNATIVES
SSL-VPN connections have an exploitable flaw that enables man-in-the-middle attacks to succeed and expose data to unauthorized users. Intrusion Detection Systems and enterprise antivirus systems cannot monitor VPN connections because of the encryption and because most network topologies treat a VPN connection as trusted. Virtual Desktop Interfaces address the security concerns of SSL-VPN connections. However, given the restriction that there will be no technical refresh of capital equipment, this solution would not work efficiently.
AES is a symmetric key algorithm that encrypts and decrypts data in 128-bit blocks. It is a common misperception that 256-bit AES is more secure than 128-bit. According to Federal Information Processing Standard (FIPS) Publication 197, all three key sizes [128, 192 and 256] are considered adequate for Federal Government applications up through Classified Secret (~2031). Whatever breakthrough cracks AES-128 will also crack AES-256.
It would take 77 quintillion years to crack AES-128 with every computer in the world co-processing. Thus, AES-128 is adequate.
SHA-1 VS MD5
Two separate messages can be found to use the same hash every operations, far fewer than the predicted operations. MD5 is weaker, with a similar collision occurring every operations.
The weakness matters because a good hash is expected to be collision-free.
Securing the architecture with HMAC-SHA-1, which is not susceptible to this exploit, involves additional hardware costs, leaving SHA-1 as the most cost-effective solution.
MySQL is a fast and free relational database program, whereas ORACLE is expensive with yearly licensing fees. MySQL has the ability to authenticate based on location. While ORACLE offers role-based policies, the network infrastructure is segregated into different groups, which makes MySQL the better choice for this solution.
Windows 7 VS Windows NT
If it weren't for the hardware upgrade restrictions, the team would have chosen Windows 7 as the workstation operating system.
- Windows NT has been end of life since Dec 31, 2004.
- Windows NT is susceptible to elevation of user privileges through a debugging component.
- Windows NT is susceptible to a Virtual DOS Machine exploit that gives access to the kernel.
While Windows 7 has the same Virtual DOS exploit, it is preventable with firewall protection.
Conclusion
Any questions?