
Educate. Innovate. Inspire.

CRYPTO SECURITY ARCHITECTURE PROPOSAL FOR APEX TRUCKING


DECEMBER 7, 2011

PRESENTED BY TEAM TWO


BRIGGS ROLFSRUD, GENERAL MANAGER
NISCHIT VAIDYA, SYSTEMS ENGINEER
LYNELL DENNIS, DATABASE MANAGER
RAMARCUS BAYLOR, NETWORK MANAGER
NADINE GRAHAM, INFORMATION SECURITY MANAGER
ANTHONY MAIDA, SR. SYSTEMS ENGINEER

Agenda
- Background
- VPN Solution and Process
- Database Architecture
- Areas of Concern
- Security Challenges

Background

BRIGGS ROLFSRUD GENERAL MANAGER

Background

- We were hired by Apex Trucking Company to create a new, enhanced crypto security architecture for the company
- Apex moves materials for clients throughout North America and Europe
- Apex has its HQ in New York, with at least one marketing group each in Mexico, Germany and Canada, and three in the US

Background

- Current security consists of one firewall and a web server that is directly connected to the Internet
- All computers run Windows NT
- The databases currently use MySQL
- Passwords are the only security control; Apex does not currently use any encryption

Current Architecture

Our Mission is to Protect


Internal data
- Future marketing plans
- Financial data
- Employee records
- Customer records
- Customer shipping dates

External data
- Tracking number
- Location of shipment
- Size of shipment
- Value of shipment
- ETA of shipment
- Customer contact information

Our Proposal

We Chose to Include:
- Virtual Private Network (VPN)
- Secure Socket Layer (SSL)

VPN Basics
- VPN stands for virtual private network
- Though the users of a VPN are on a public network, they are given a level of security typically reserved for a private network
- With a VPN, communication passes through an encrypted tunnel across the Internet
- A VPN terminates on a gateway at the edge of the private network; this is commonly a firewall or a dedicated VPN concentrator (in this proposal, the Windows Server 2008 firewall/RRAS role)

Pfleeger, C.P. & Pfleeger, S.L. (2007). Security in Computing. Boston, MA: Pearson Education, Inc.

Firewall Basics
- Firewalls are access control devices that sit between the private and public components of the network
- A firewall manages traffic between these two network components
- When a user requests access to the private network, the firewall (or VPN gateway) forwards the user's authentication data to an authentication server
- The server confirms (or denies) that the user has access and returns the appropriate security privileges, which the gateway then enforces for that session

Pfleeger, C.P. & Pfleeger, S.L. (2007). Security in Computing. Boston, MA: Pearson Education, Inc.

SSL Basics
- Secures messages that are sent over the Internet
- Operates as a layer between the application protocol (e.g. HTTP) and TCP; it sits above TCP, not between TCP and IP
- SSL uses public-key cryptography to authenticate the server (and optionally the client) and to agree a symmetric session key that encrypts the traffic
- With an SSL VPN, the gateway can deliver a small Java-based client that downloads itself onto the user's computer, so no pre-installed VPN client is required
- Clients can log on from anywhere as long as they know their credentials and the URL of the Web SSL VPN concentrator

Bedel, C. (2010). The Benefits and Different Types of SSL VPNs. Retrieved from: http://searchenterprisewan.techtarget.com/tutorial/The-benefits-and-different-types-of-SSL-VPNs

SSL Basics
- The end user can securely access multiple network services through the portal
- The site is called a portal because it gives access to many resources through one page
- The user only needs to complete an authentication method to get access to the web page

Bedel, C. (2010). The Benefits and Different Types of SSL VPNs. Retrieved from: http://searchenterprisewan.techtarget.com/tutorial/The-benefits-and-different-types-of-SSL-VPNs

VPN Solution and Process

NISCHIT VAIDYA SYSTEMS ENGINEER


Proposed New Crypto-System


- Configure a Virtual Private Network (VPN) architecture
- This enhances security by providing encryption and secure transfer through a secure tunnel
- A VPN authenticated by passwords alone is exposed to credential theft and impersonation; the proposed mitigation is a Public Key Infrastructure (PKI) with digital certificates and signing (non-repudiation). Replay of captured tunnel traffic is prevented by the sequence numbers built into the SSL/TLS record layer, so replay protection comes from the protocol rather than from the PKI
- Digital certificates will be issued by the Windows Server 2008 Certificate Authority

How will employees and customers use the new crypto-system

- We are going to configure SSL VPN access for employees
- We will allow customers to log in securely at the web server so they can track their orders
- The following slides describe how this will be configured and how it works (see diagram)

Proposed Architecture

Black = current traffic
Red = VPN (added crypto solution)



Employee VPN (SSL) Access


1. Employees will use the VPN client on their Windows NT desktop
2. Type in the URL of the web server: https://apextrucking-emp.com
3. Log in with username/password (no new credentials; the same ones they use for their company desktops, if provided)
4. After logging in, based on job role (Marketing, HR), they get access to the Apex Trucking network. Users will Remote Desktop into the HR or Marketing server respectively and, if possible, into their company desktops
5. The VPN will use AES-128 for encryption and SHA-1, in its keyed form HMAC-SHA-1, for message integrity

Customer Access
1. Customers will go to the Apex Trucking website http://www.apextrucking.com
2. Click on the Track Order tab
3. Clicking the tab takes the customer to https://apextrucking.com/tracking
4. Customers log in with the username and password credentials created when first ordering (required to open an account with the company)
5. This takes them to the tracking website running the Drupal CMS (Content Management System)
6. After they complete their session, they simply log out

Technical Configuration
- Running Windows Server 2008 for both the HR and Marketing servers
- Using the Windows Server 2008 built-in firewall and Routing and Remote Access Service (RRAS) as the VPN concentrator
- Passwords are stored on systems using SHA-1 hashing. Caveat: an unsalted, single-pass SHA-1 digest is fast to attack with precomputed tables, so wherever the application controls password storage a salted, iterated construction such as PBKDF2 should be used instead
- Disk encryption: BitLocker on Server 2008; Windows NT workstations will use TrueCrypt
- There are 3 servers in the LAN: HR Server 2008, Marketing Server 2008, and a database server running MySQL, which answers queries from the web server in the DMZ (Server 2008 running Drupal)
- Drupal runs on the web server in the DMZ; it is a free, open-source product
- NOTE: Using the Windows 2008 built-in VPN is free; no additional licensing is necessary
- Windows Server 2008 can be configured as a Certificate Authority (CA) for creating digital certificates

Technical Configuration
- In order to use the Windows VPN, a VPN group is created by default and users are added as VPN access is requested. Once logged into the VPN, users have access only to their respective department, i.e. HR or Marketing
- Windows Server 2008 supports a new VPN protocol, Secure Socket Tunneling Protocol (SSTP). SSTP uses an SSL-encrypted HTTP connection (TCP 443) to establish a VPN connection to the VPN gateway
- SSTP is secure because user credentials are not sent until after the SSL tunnel to the VPN gateway is established
- SSTP is also known as Point-to-Point Protocol (PPP) over SSL, so PPP and Extensible Authentication Protocol (EAP) authentication mechanisms can be used to make the SSTP connection more secure
- All customer data will be stored in the MySQL database

Database Architecture

LYNELL DENNIS DATABASE MANAGER


Introduction
This section describes the database architecture and how we will address the confidentiality, integrity and availability of the valuable and sensitive data stored in the database. Our marketing groups in Europe, Mexico and Canada need management access to the data, over an Internet connection, to enter new shipments and change orders before they ship.

Remove wildcards in the grant tables

The MySQL Server (version 5.5.18) access control system works through a series of so-called grant tables, which make it possible to define access levels for each user at the database, table or column level. While these tables allow administrators to set blanket permissions for a user or a set of tables using wildcards, doing so is inherently dangerous, because an attacker could use a single compromised account to gain access to other parts of the system. For this reason, we will be precise when assigning privileges to the HR and marketing teams and always ensure that users have only as much access as they need to perform their tasks. SUPER privileges will not be assigned to individual users; that privilege allows a user to manipulate basic server configuration and to access all databases.
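As an added example (not part of the Apex proposal), the following script audits the output of MySQL's SHOW GRANTS for exactly the problems described above: any-host accounts ('%'), wildcard scopes (*.* or db.*), ALL PRIVILEGES, SUPER and GRANT OPTION. The grant lines, account names, hosts and table names are constructed for illustration.

```python
"""Audit MySQL SHOW GRANTS output for over-broad privileges (added example).

Each grant line is parsed into privileges, scope, user and host, then checked
against the least-privilege rules from the proposal. A helper builds a precise
replacement GRANT for an account that was flagged.
"""
import re

# Constructed sample of `SHOW GRANTS FOR ...` output, one grant per line.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'marketing'@'%' WITH GRANT OPTION",
    "GRANT SUPER ON *.* TO 'reports'@'10.1.2.%'",
    "GRANT SELECT, INSERT, UPDATE ON `apex`.`shipments` TO 'mx_marketing'@'203.0.113.10'",
    "GRANT SELECT ON `apex`.`employees` TO 'hr'@'10.1.3.0/255.255.255.0'",
]

GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?P<rest>.*)$"
)


def parse_grant(line):
    """Split one SHOW GRANTS line into its parts."""
    m = GRANT_RE.match(line)
    if not m:
        raise ValueError("unrecognised grant: " + line)
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    return {
        "privs": privs,
        "scope": m.group("scope"),
        "user": m.group("user"),
        "host": m.group("host"),
        "grant_option": "WITH GRANT OPTION" in m.group("rest"),
    }


def audit_grant(grant):
    """Return the findings for one parsed grant; an empty list means it is precise."""
    findings = []
    if grant["host"] in ("%", ""):
        findings.append("any-host account")
    scope = grant["scope"]
    if scope == "*.*":
        findings.append("global scope")
    elif scope.endswith(".*"):
        findings.append("whole-database scope")
    if "ALL PRIVILEGES" in grant["privs"] or "ALL" in grant["privs"]:
        findings.append("ALL PRIVILEGES")
    if "SUPER" in grant["privs"]:
        findings.append("SUPER")
    if grant["grant_option"]:
        findings.append("GRANT OPTION")
    return findings


def audit(lines):
    """Map each grant line to its list of findings."""
    return {line: audit_grant(parse_grant(line)) for line in lines}


def least_privilege_grant(user, host, db, table, privs):
    """Build the precise replacement: named privileges, one table, one client host."""
    return "GRANT %s ON `%s`.`%s` TO '%s'@'%s'" % (", ".join(privs), db, table, user, host)


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_GRANTS).items():
        print("%-8s %s" % ("FLAGGED" if findings else "ok", line))
        for f in findings:
            print("         - " + f)
    print(least_privilege_grant("marketing", "10.1.2.15", "apex", "shipments",
                                ["SELECT", "INSERT", "UPDATE"]))
```

Run it against real output by piping `mysql -e "SHOW GRANTS FOR 'marketing'@'%'"` lines into `audit`; the replacement grant should be applied only after the wildcard one is revoked with REVOKE ALL PRIVILEGES, GRANT OPTION.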

Require the use of secure passwords


User accounts are only as secure as the passwords used to protect them. For this reason, the very first thing we will do when installing the MySQL server is to assign a password to the MySQL root account (empty by default). Every user who is part of the HR and marketing teams will have a password. Complexity rules will be set up so that users do not choose easily guessed passwords such as birthdays, usernames or dictionary words.
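The proposal elsewhere stores passwords as SHA-1 hashes. This added example (not code from the Apex proposal) shows why a plain SHA-1 digest is weak, how a salted, iterated PBKDF2-HMAC-SHA1 fixes it, and a small check for the complexity rule above. The wordlist, passwords and iteration count are constructed assumptions.

```python
"""Password storage: unsalted SHA-1 versus salted, iterated PBKDF2 (added example).

An attacker who steals unsalted SHA-1 hashes reverses every common password
with one precomputed table and can see which accounts share a password.
A per-user salt forces fresh work per account, and iteration makes each
guess expensive.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: tune so one verification costs ~100 ms on the server

# Constructed attacker wordlist; real ones hold millions of entries.
WORDLIST = ["password", "Password1", "apex2011", "trucking", "letmein"]


def sha1_store(password):
    """What the proposal describes: a bare SHA-1 digest of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_lookup_attack(stored_hex, wordlist):
    """One table, built once, cracks every account using a listed password."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(stored_hex)


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash; the stored string carries its own parameters."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha1$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_verify(password, stored):
    _alg, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate.hex(), digest_hex)


def pbkdf2_lookup_attack(stored, wordlist):
    """No precomputation helps: the attacker must redo the full PBKDF2 work per guess, per account."""
    for w in wordlist:
        if pbkdf2_verify(w, stored):
            return w
    return None


def password_acceptable(password, username, wordlist):
    """Complexity rule from the proposal: minimum length, no username, no dictionary word."""
    low = password.lower()
    return (len(password) >= 12
            and username.lower() not in low
            and not any(w.lower() == low for w in wordlist))


if __name__ == "__main__":
    print("sha1 cracked:", sha1_lookup_attack(sha1_store("Password1"), WORDLIST))
    print("same password, same sha1:", sha1_store("Password1") == sha1_store("Password1"))
    a, b = pbkdf2_store("Password1"), pbkdf2_store("Password1")
    print("same password, different pbkdf2 records:", a != b)
    print("pbkdf2 cracked (slowly, per account):", pbkdf2_lookup_attack(a, WORDLIST))
```

The salt does not stop a dictionary attack against a weak password; it removes the attacker's ability to amortise work across accounts and to spot shared passwords, which is why the complexity rule and the slow hash are needed together.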

Check the permissions of configuration files

All users' home directories will be secured with directory permissions of 700, and per-user configuration files (such as .my.cnf, which may hold credentials) with 600, so that the owner is the only one who can read or write them. This ensures that per-user configuration files are not viewable by other users on the system and are stored in non-public locations.

Encrypt client-server transmissions

The HR and marketing teams will manage data and display reports through an Internet connection to the MySQL server. We will ensure that our client-server architecture is secure when sensitive data is transmitted over the network. If client-server transactions take place in plaintext, it is possible for an attacker to "sniff" the data packets being transmitted and thus gain access to sensitive information. To mitigate this risk, SSL will be enabled in the MySQL configuration (with the team accounts created using REQUIRE SSL, so that plaintext connections are refused), and we will use the 128-bit SSL VPN to create a secure encrypted "tunnel" for all of our sensitive data to pass through. Message integrity within the SSL connection is provided by HMAC-SHA-1. Encrypting our client-server connection in this manner makes it extremely hard for unauthorized users to read the data going back and forth.

Encrypting Data at Rest

Data at rest within the database will be encrypted using MySQL's built-in AES (Advanced Encryption Standard, Rijndael) functions with 128-bit keys, a standard certified by the federal government's National Institute of Standards and Technology (NIST). Encryption keys are never stored on any of the servers within our security perimeter; they are supplied to the application at runtime, so a copy of the database files alone does not expose the data. Backup tapes, a common security vulnerability, will only contain encrypted data. Caveat: the AES_ENCRYPT function in MySQL 5.5 uses ECB mode, so identical plaintext values produce identical ciphertext; fields where equality of values must also be hidden should be encrypted by the application with a randomized mode.

Actively monitor the MySQL access log

We will collect and analyze all log files to understand the source of activity (client connections, queries and server errors). Of these, the most important is the general query log, which records each client connection and disconnection with a timestamp, together with every statement executed by each client. Because it records statement text, the general log can contain sensitive values and must be protected like the data itself; its volume also means it should be rotated and shipped to a separate log host rather than left on the database server.
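As an added example (not part of the Apex proposal), the following detection logic parses MySQL 5.5 general query log lines (timestamp, thread id, command, argument) and raises alerts for failed logins, connections from outside the office networks, and a department account querying tables outside its role. The log lines, network ranges, account names and table names are constructed assumptions.

```python
"""Detection logic over MySQL general query log lines (added example).

Connect events carry user@host; Query events carry the statement text and are
attributed to the user via the thread id. Three rules are applied:
failed_login, foreign_host, out_of_role_table.
"""
import ipaddress
import re

# Assumed office networks and role-to-table mapping.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "203.0.113.0/24")]
ROLE_TABLES = {
    "marketing": {"shipments", "customers", "orders"},
    "hr": {"employees", "payroll"},
}

# Constructed sample in the 5.5 general log file format.
SAMPLE_LOG = """\
111207 10:15:02\t    3 Connect\tmarketing@10.1.2.15 on apex
111207 10:15:02\t    3 Query\tSELECT * FROM shipments WHERE tracking_no='AX123'
111207 10:15:05\t    3 Query\tSELECT ssn, salary FROM employees
111207 10:15:09\t    4 Connect\tAccess denied for user 'root'@'198.51.100.7' (using password: YES)
111207 10:15:11\t    5 Connect\thr@198.51.100.7 on apex
111207 10:15:12\t    3 Quit\t
"""

LINE_RE = re.compile(r"^(\d{6} [\d:]{8})\t\s*(\d+) (\w+)\t(.*)$")
CONNECT_RE = re.compile(r"^(\w+)@([\d.]+) on ")
DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+`?(\w+)`?", re.I)


def parse(log_text):
    """Turn log text into a list of event dicts; continuation lines extend the previous query."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "thread": m.group(2),
                           "cmd": m.group(3), "arg": m.group(4)})
        elif events and line.strip():
            events[-1]["arg"] += " " + line.strip()
    return events


def detect(events):
    """Return (rule, user, detail) tuples for every suspicious event."""
    alerts = []
    thread_user = {}
    for e in events:
        if e["cmd"] == "Connect":
            denied = DENIED_RE.search(e["arg"])
            if denied:
                alerts.append(("failed_login", denied.group(1), denied.group(2)))
                continue
            c = CONNECT_RE.match(e["arg"])
            if c:
                user, host = c.groups()
                thread_user[e["thread"]] = user
                if not any(ipaddress.ip_address(host) in net for net in ALLOWED_NETS):
                    alerts.append(("foreign_host", user, host))
        elif e["cmd"] == "Query":
            user = thread_user.get(e["thread"], "?")
            allowed = ROLE_TABLES.get(user)
            for table in TABLE_RE.findall(e["arg"]):
                if allowed is not None and table.lower() not in allowed:
                    alerts.append(("out_of_role_table", user, table.lower()))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The out_of_role_table rule only catches what the grant tables should already prevent; keeping it in the log review is the check that the grants are actually as precise as intended.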

Areas of Concern

RAMARCUS BAYLOR NETWORK MANAGER


General SSL VPN Concerns


- Interoperability: support for varying devices, applications, operating systems and locations; client/server application support
- Endpoint security: unmanaged clients are less likely to have antivirus and personal firewalls enabled
- Clientless operation: remote clients only require a web browser

Source: csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf


Advantages/Disadvantages of our Design


Advantages
- Initial configuration is easy and cost-efficient (packaged deal)
- No additional device to manage
- No special firewall rules are needed to allow traffic through the SSL VPN

Disadvantages
- Only allows the functionality of Windows Server 2008
- The firewall is directly accessible by external users (TCP 443)
- If the firewall is compromised, so is the SSL VPN

Implementation/Management
- Pilot the VPN to address possible problems before deployment and to set up policies that work with organization needs
- Ensure availability, scalability and functionality of the VPN
- Monitor access control lists
- Provide training and information to both users and technical staff
- Manage the VPN by reviewing logs and performing audits
- Keep the software up to date; apply patches in a testing environment first
Source: csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf

Future Considerations
- Adding an appliance SSL VPN, such as a Juniper or Cisco device, as opposed to a software VPN: more costly, but comes preconfigured
- Placing the VPN device behind the firewall within the internal network, so that information passing from the SSL VPN to the internal network stays behind the firewall
- Upgrading equipment while maintaining functionality and interoperability

Security Challenges

NADINE GRAHAM INFORMATION SECURITY MANAGER


Security Challenges

- Current Security Features
- Impact of Implementing SSL VPN Solution
- Mitigation of Impact
- Cryptography Restrictions
- Considerations for New Policies/Changes
- Process/Procedures for Implementation
- Consideration for International Laws
- Policy Changes

Current Security Features #1

Impact of Implementing SSL VPN Solution: considerations
- Current physical/logical infrastructure
- Application and interoperability
- International systems

[Diagram: APEX current architecture, no encryption. Offices: Mexico, New York, Canada, Germany. Firewall/web server (DMZ); database (MySQL); HR and Marketing servers; Windows NT workstations.]

Current Security Features #2

Impact of Implementing SSL VPN Solution: mitigation of impact
- Version control on all applications
- Other security enhancements
- Policy changes


[Diagram: proposed logical infrastructure with SSL VPN. Remote users from the Mexico, Canada and Germany offices connect to the SSL VPN gateway, which performs decryption, authentication (against Active Directory), policy enforcement, virus scan, resource access and encryption; audit, policy and logs are applied to access to the databases.]

International Laws

Considerations for international laws regarding cryptography restrictions.

Domestic laws and regulations on cryptography*:
- Canada: none
- Mexico: none
- Germany: actively supports the spread of secure encryption

*Taken from a 2003 survey of international laws regarding cryptography.

New Policy Changes #1

Considerations for New Policy Changes


- Current group/administrative policies are weak
- Add new group policies (server):
  - Require use of a specific security layer for remote (RDP) connections
  - Always prompt for password upon connection
  - Do not allow passwords to be saved
  - Specify SHA-1 thumbprints of certificates representing trusted .rdp publishers

Policy Changes #2

Considerations for New Policy Changes

Add new administrative policies (users):
- Access control
- Firewall
- Password
- Cryptography

Policy Changes #3

Process/Procedures for Implementation

Phased approach:
- Access control
- Endpoint security
- Authentication methods
- Architecture
- Cryptography
- Policy

Prototype model (develop/test), then maintenance (patching, policy changes, etc.)

Trade Analysis

ANTHONY MAIDA SR. SYSTEMS ENGINEER


VPN ALTERNATIVES

- SSL VPN connections have been affected by exploitable protocol flaws that allow man-in-the-middle attacks to succeed and expose data to unauthorized users; keeping the gateway patched and having clients validate the gateway certificate are essential
- Intrusion Detection Systems and enterprise antivirus cannot inspect traffic inside a VPN tunnel, because it is encrypted and because most network topologies treat a VPN connection as trusted; inspection therefore has to happen at the gateway after decryption or on the endpoint
- Virtual Desktop Infrastructure (VDI) addresses these security concerns of SSL VPN connections by keeping data in the data center. However, with the restriction of no technical refresh of capital equipment, this solution would not work efficiently

AES ENCRYPTION BIT SIZE

AES is a symmetric key algorithm that encrypts and decrypts data in 128-bit blocks with a 128-, 192- or 256-bit key. It is a common misperception that AES-128 is too weak for practical use: Federal Information Processing Standard (FIPS) Publication 197 approves all three key sizes, and US national security guidance accepts AES-128 for information classified up to Secret (projected to remain adequate to about 2031). An analytic breakthrough against the AES design would very likely affect all key sizes, so AES-256 is not a safeguard against an unknown flaw; its only extra benefit is brute-force margin, which AES-128 already has beyond any foreseeable computing power.

AES ENCRYPTION BIT SIZE

By one estimate, it would take 77 quintillion years to brute-force AES-128 with every computer in the world working together. AES-128 is therefore adequate for this design.

SHA-1 VS MD5

SHA-1 weaknesses were first exposed at the RSA Conference in 2005.

Two separate messages with the same SHA-1 hash can be found in far fewer operations than a brute-force birthday search would predict. MD5 is weaker still, with collisions found in far fewer operations again.

This matters because a good hash is expected to be collision-resistant; the attacks affect uses that depend on collision resistance, such as digital signatures over attacker-supplied content.

The VPN and database transport do not use bare SHA-1: the SSL/TLS cipher suites use HMAC-SHA-1 for record integrity, and HMAC is not broken by these collision attacks. HMAC is a software construction present in every TLS stack and standard library, so it involves no additional hardware cost, leaving SHA-1 (as HMAC-SHA-1) the most cost-effective choice for message integrity here. Plain SHA-1 should not be relied on for new digital signatures or for password storage.
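As an added example (not part of the Apex proposal) for this slide and for the client-server transmission slide in the database section, the following shows HMAC-SHA-1 as used for message integrity: a keyed tag detects tampering and cannot be forged without the key, whereas a bare SHA-1 checksum can simply be recomputed by the attacker. It is ordinary standard-library code, which is the point about hardware cost. The key and the tracking record are constructed.

```python
"""HMAC-SHA-1 message integrity versus a bare SHA-1 checksum (added example).

The TLS record layer protects each record with an HMAC under a key derived
in the handshake; collision attacks on SHA-1 do not let an attacker forge
such a tag. A hash without a key gives no protection against modification.
"""
import hashlib
import hmac
import os


def tag(key, message):
    """Authentication tag for a record, as the TLS cipher suites compute it."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify(key, message, mac):
    # constant-time compare; a plain == would leak how much of the tag matched
    return hmac.compare_digest(tag(key, message), mac)


def unkeyed_checksum_ok(message, digest):
    """What a bare SHA-1 'integrity check' would do: anyone can recompute it."""
    return hashlib.sha1(message).digest() == digest


def tamper_demo():
    """Return the outcome of each check for a genuine and a modified tracking record."""
    key = os.urandom(20)                       # session key, assumed shared by both ends
    record = b"tracking=AX123;dest=Hamburg;value=48000"   # constructed
    mac = tag(key, record)
    forged = record.replace(b"48000", b"480")  # attacker lowers the declared value
    return {
        "genuine": verify(key, record, mac),
        "tampered": verify(key, forged, mac),
        # without the key the attacker cannot produce a tag the receiver accepts
        "forged_with_wrong_key": verify(key, forged, tag(os.urandom(20), forged)),
        # with an unkeyed checksum the attacker just recomputes it over the forged record
        "unkeyed_checksum_fooled": unkeyed_checksum_ok(forged, hashlib.sha1(forged).digest()),
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print("%-24s %s" % (name, outcome))
```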

MySQL vs. ORACLE

MySQL is a fast and free relational database, whereas Oracle is expensive, with yearly licensing fees. MySQL accounts are defined as user@host, so access can be restricted by the client's network location. Oracle offers role-based policies, but because the Apex network infrastructure is already segregated into groups by location, MySQL's host-based accounts are the better fit for this solution.

Windows 7 VS Windows NT

If it were not for the hardware upgrade restrictions, the team would have chosen Windows 7 as the workstation operating system.

- Windows NT reached end of life on December 31, 2004, and receives no security patches
- Windows NT is susceptible to elevation of user privileges through a debugging component
- Windows NT is susceptible to a Virtual DOS Machine (VDM) exploit that gives access to the kernel

Windows 7 (32-bit) was affected by the same VDM flaw, but as a supported system it received a vendor patch, and the NTVDM subsystem can be disabled by policy. Note that this is a local privilege escalation: a firewall does not prevent it on either system, so the unpatched NT workstations remain exposed once an attacker gets any code running on them.

Conclusion

Any questions?
