
BitLocker with TPM in 10 Steps.

Starting with Windows Vista, Microsoft applied its Security Development Lifecycle from start to finish. By introducing these software development practices, Microsoft built better software using secure design, threat modeling, secure coding, security testing, and best practices around privacy. One of the many features introduced was BitLocker Drive Encryption. It encrypts the full contents of a volume and is designed to work with a Trusted Platform Module (TPM) security device. By encrypting the drive contents you add an additional layer of protection that helps defend against evil maid attacks, offline attacks and disclosure of data when a laptop is lost or stolen.

Windows 7 brought more enhancements to this technology that will drive its adoption: it is more user friendly, supports BitLocker To Go (which protects removable media) and reduces the administration overhead, e.g. it no longer requires an administrator to lay out the hard drive partitions in a special way (now you know why a Windows 7 installation shows a 100MB NTFS volume: it lets the BIOS locate and run the Bootmgr).

BitLocker can work with or without a TPM. A TPM is a tamper-resistant security chip on the system board that holds the encryption keys and checks the integrity of the boot sequence; it allows the most secure BitLocker implementation. BitLocker needs a TPM chip of version 1.2 or higher, enabled in the BIOS. Without a TPM, BitLocker can store its keys on a USB drive that is used during the boot sequence. BitLocker encrypts the contents of the hard drive using AES128-CBC (by default) or AES256-CBC, with a Microsoft-specific extension called a diffuser. To run BitLocker you need Windows 7 Enterprise or Ultimate edition. When configuring BitLocker you have a number of options:

  • TPM only: No authentication is required during the boot sequence, but it protects against offline attacks and is the most transparent method for the user.
  • TPM with PIN: Adds a “what you know” factor to the boot process; the user is prompted for a PIN.
  • TPM with USB: Adds a “what you have” factor to the boot process; the user needs to insert the USB pen that contains the key.
  • TPM with USB and PIN: The most secure mode, using a two-factor boot process, but the most costly in terms of support, e.g. when a user loses the USB pen or forgets the PIN.
  • Without TPM: Does not provide pre-boot integrity protection and uses a USB pen to store the key.

How to enable BitLocker with TPM in 10 steps

  1. Determine if your computer has support for TPM 1.2.
  2. Enable TPM in the BIOS settings.
  3. On Windows launch the TPM management console (tpm.msc).
  4. Initialize it and create an owner password.
  5. Save and print the password.
  6. Define Group Policy settings to ensure a TPM is used with BitLocker and define the authentication method.
  7. Turn on BitLocker on the desired hard drive.
  8. Define the authentication method.
  9. Save and print the recovery key.
  10. Encrypt the drive.

Let’s review each of these steps in more detail.

Step 1: To determine whether your computer has TPM support, check your computer model’s documentation or the BIOS directly. In my case I had a second-hand Dell Latitude E6400 laptop with TPM capabilities.

Step 2: I went into the BIOS and enabled the TPM Security option.


Step 3: I booted Windows and opened the TPM management console by running tpm.msc.


Step 4: In the TPM management console, click Initialize. This starts the process where you either create a password manually or have one generated. In this case I chose to create the TPM password automatically.


Step 5: Save the password file to a USB drive (file.tpm) and print the password for recovery purposes. Please keep this file in a secure location away from your computer’s local hard drive.


Step 6: On Windows, run gpedit.msc to open the Local Group Policy Editor. Provide administrator credentials if you have UAC configured. Navigate to Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives, and open Require Additional Authentication at Startup. Enable this setting and, under Options, verify that Allow BitLocker Without a Compatible TPM is unchecked. I left the remaining settings at their defaults, but this is where you can configure two-factor authentication for the boot process.


Step 7: Select the drive you want to encrypt, right-click it and select Turn On BitLocker.


Step 8: The options you defined in the group policy are offered here so you can choose the authentication method; in this case I selected TPM with PIN.


Step 9: Save the recovery key to a USB pen and print it for recovery purposes. The recovery key is used to recover the data on a BitLocker-protected drive.


Step 10: Finally, encrypt the drive and select the “Run BitLocker system check” option in order to ensure the recovery key can be used.


When you reboot your computer you will be prompted with the Windows BitLocker Drive Encryption PIN entry screen, where you need to supply the PIN in order to start the operating system.

In terms of management, the BitLocker settings can be configured and checked using the manage-bde.exe command. For systems where Windows is part of a domain, the key for each machine can be backed up as part of an escrow service. This way business owners such as legal teams can gain access to the machine if the user loses the USB key or PIN, or when access is needed because of an insider threat. Another method is to use a data recovery agent (DRA), a certificate that can be used to unlock the encrypted volumes. Furthermore, there are several group policy settings that can be configured.
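As an added example (not code from the original post), the following PowerShell function audits a machine against the configuration built in the ten steps above: TPM present, enabled and owned (steps 1 to 5), the step 6 policy requiring a TPM, and the OS volume protected by a TPM+PIN protector plus a recovery protector (steps 7 to 10). It uses the Win32_Tpm and Win32_EncryptableVolume WMI classes and the FVE policy registry key that the administrative template writes; it assumes an elevated prompt on Windows 7 or later.

```powershell
function Get-BitLockerPosture {
    param([string] $Volume = 'C:')
    $r = @{}
    # Steps 1-5: TPM present, enabled in the BIOS, activated and owned (owner password set)
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent = [bool]$tpm
    if ($tpm) {
        $r.TpmSpecVersion = $tpm.SpecVersion            # e.g. "1.2, 2, 3" on a TPM 1.2 part
        $r.TpmEnabled     = [bool]$tpm.IsEnabled().IsEnabled
        $r.TpmActivated   = [bool]$tpm.IsActivated().IsActivated
        $r.TpmOwned       = [bool]$tpm.IsOwned().IsOwned
    }
    # Step 6: "Require additional authentication at startup" is stored under the FVE policy key;
    # EnableBDEWithNoTPM=1 corresponds to the "Allow BitLocker without a compatible TPM" checkbox
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $r.PolicyRequiresTpm = ([int]$pol.UseAdvancedStartup -eq 1) -and ([int]$pol.EnableBDEWithNoTPM -ne 1)
    # Steps 7-10: protection state of the volume and which key protectors exist on it
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Volume'" -ErrorAction SilentlyContinue
    if (-not $vol) { throw "Volume $Volume is not a BitLocker-capable volume" }
    $r.ProtectionOn = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)   # 0 = off, 1 = on, 2 = unknown
    $names = @{ 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TpmAndPin';
                5='TpmAndStartupKey'; 6='TpmAndPinAndStartupKey'; 7='PublicKey'; 8='Passphrase' }
    $types = @()
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {   # 0 = all protector types
        $types += $names[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
    }
    $r.KeyProtectors = $types
    $r.HasTpmPin     = ($types -contains 'TpmAndPin')                                          # step 8 choice
    $r.HasRecovery   = ($types -contains 'NumericalPassword') -or ($types -contains 'ExternalKey') # step 9
    $r.Pass = $r.TpmPresent -and $r.TpmEnabled -and $r.TpmOwned -and $r.PolicyRequiresTpm -and
              $r.ProtectionOn -and $r.HasTpmPin -and $r.HasRecovery
    New-Object PSObject -Property $r
}

Get-BitLockerPosture -Volume 'C:' | Format-List
```

A machine that followed the post exactly reports Pass = True; a False with PolicyRequiresTpm = False or HasTpmPin = False points at the step that was skipped.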

The recovery process is also easy, provided you have the USB drive or the printed recovery keys. Note that if the system detects changes during boot, such as a different hard drive or a BIOS change/upgrade, you may be asked for the recovery key because the boot process has been altered. Besides full volume encryption, BitLocker To Go is also a great method to encrypt removable hard disks and thumb drives.

As you can see, it is extremely easy to add an additional layer of protection to your system. If you have a Windows 7 Enterprise or Ultimate license, this is a great feature to keep the family photos and your wife’s cooking trade secrets from falling into the wrong hands.


SMTP Gateway placement

Where and how should I place my SMTP gateway in the security infrastructure?

I saw this question going around on one of the mailing lists I am subscribed to and would like to share some thoughts about it. This is old-school stuff, since our IT security perimeters are being diluted from a well-defined structure into unclear points by the new mobility, apps and cloud ecosystem. Every day new threats exploit the borderless network, and mobile platforms are a prime target. However, companies still need the old and traditional security perimeter, and it is always good to refresh the old network security infrastructure architecture and concepts. In addition, SMTP is a popular vehicle for malware infection and distribution.

To answer this question: there is no right or wrong answer, since it all depends on your organization’s size and risk appetite. Designing a specific network security solution for a business of any size is an engineering and creative task. However, there are plenty of industry guidelines and best practices that you should follow in order to have a layered security approach, with defense in depth using redundant and overlapping security controls that mitigate or reduce the risk. Let’s review three technical suggestions for deploying your perimeter SMTP gateway.

Single-arm deployment: You can have a single-arm configuration on your perimeter firewall. This is a simple solution and makes routing and switching easy. In this DMZ you position your SMTP appliance, normally one of the many SMTP gateway products out there such as Trend Micro IMSS, IronPort ESA or eSafe Gateway. This appliance will normally do anti-virus and anti-spam filtering (both ingress and egress). With this solution you have a single physical network interface and run all services on it: the SMTP traffic to the Internet and to the internal MTA such as Microsoft Exchange, plus all the management protocols, such as HTTPS and SSH for the management interface, SNMP for monitoring, syslog for logging and others like LDAP. This solution is very simple, with almost no complexity and low maintenance costs. It does not need any special routing or switching and is easy to troubleshoot. However, your security posture won’t be the best and you won’t have segregation of data, which means management and production/data traffic run on the same interface. You also need to consider that running all these protocols on one interface may consume a significant amount of the physical interface’s bandwidth.

Two-arm deployment: With this configuration you have one interface connected to the outside, typically the external firewall, and one interface connected to the inside, typically the internal firewall (it is also possible to build a two-arm solution with a single firewall). The appliance needs two physical interfaces, each in a different subnet. Normally you call the external interface the frontend and the internal interface the backend. Management traffic is only accessible through the backend interface.

Three-arm deployment: If you must have management traffic separated from data/production traffic, this is the best solution. Of course, your security infrastructure framework should already support this kind of model in order to have proper routing and switching. This setup requires three physical interfaces, each in a different subnet. Normally the management interface sits in the same subnet as the management interfaces of the other security appliances. With this solution you have great control and flexibility over the data and management traffic, which means better security. At the expense of routing and switching complexity you gain flexibility and control over the traffic, but this solution is normally harder to troubleshoot.

Those three models are the ones typically seen in enterprises, from small and medium businesses to large corporations.

In addition to the positioning, you should also have defense in depth for the SMTP protocol. This means you should consider different layers of AV/anti-spam inspection: normally you have inspection at the gateway level, then at the MTA level and finally at the client level. You can further complement these levels with a layer 2 inspection gateway before or after your SMTP gateway. Do not forget to have an IDS inspecting SMTP along the traffic path as part of a robust network defense. Furthermore, you also need to address the DNS requirements for SMTP to work properly: apart from the MX and A records needed for SMTP delivery, you may need PTR records, SPF and others properly registered.
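As an added example (not from the original post), this PowerShell function checks the DNS records just listed for a domain: that an SPF record is published, that every MX host has an A record, that each gateway address has a PTR naming the MX host (forward-confirmed reverse DNS), and that the SPF record authorises that address. The resolver is injectable so the check runs offline against a constructed sample zone; the default wraps Resolve-DnsName (Windows 8 / Server 2012 and later), and all names and addresses in the sample are made up.

```powershell
function Test-SmtpDns {
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,
        # Resolver takes (name, record type) and returns objects shaped like Resolve-DnsName output
        [scriptblock] $Resolve = { param($n, $t) Resolve-DnsName -Name $n -Type $t -ErrorAction SilentlyContinue }
    )
    $findings = @()
    # SPF is a TXT record at the zone apex that begins with v=spf1
    $spf = @(& $Resolve $Domain 'TXT' | ForEach-Object { -join $_.Strings } | Where-Object { $_ -match '^v=spf1' })
    if ($spf.Count -eq 0) { $findings += "no SPF record published for $Domain" }
    $mx = @(& $Resolve $Domain 'MX')
    if ($mx.Count -eq 0) { $findings += "no MX record for $Domain" }
    foreach ($m in $mx) {
        $mxHost = $m.NameExchange.TrimEnd('.')
        $a = @(& $Resolve $mxHost 'A' | Where-Object { $_.Type -eq 'A' })
        if ($a.Count -eq 0) { $findings += "MX host $mxHost has no A record"; continue }
        foreach ($rec in $a) {
            $ip = $rec.IPAddress
            # Forward-confirmed reverse DNS: the PTR for the gateway address must name the MX host
            $ptr = @(& $Resolve $ip 'PTR' | ForEach-Object { $_.NameHost.TrimEnd('.') })
            if ($ptr -notcontains $mxHost) { $findings += "PTR for $ip ($($ptr -join ',')) does not match $mxHost" }
            # SPF must authorise the gateway address through an mx, a:<host> or ip4:<addr> mechanism
            $okPattern = '\smx(\s|$)|\sa:' + [regex]::Escape($mxHost) + '|\sip4:' + [regex]::Escape($ip)
            if ($spf.Count -gt 0 -and $spf[0] -notmatch $okPattern) {
                $findings += "SPF '$($spf[0])' does not authorise MX address $ip"
            }
        }
    }
    New-Object PSObject -Property @{ Domain = $Domain; Spf = $spf; Findings = $findings; Pass = ($findings.Count -eq 0) }
}

# Constructed sample zone (documentation addresses, not real infrastructure) so the check
# can be exercised without network access; expected result: Pass = True
$zone = @{
    'example.test|TXT'    = @(New-Object PSObject -Property @{ Strings = @('v=spf1 mx -all') })
    'example.test|MX'     = @(New-Object PSObject -Property @{ NameExchange = 'mail.example.test'; Preference = 10 })
    'mail.example.test|A' = @(New-Object PSObject -Property @{ Type = 'A'; IPAddress = '192.0.2.25' })
    '192.0.2.25|PTR'      = @(New-Object PSObject -Property @{ NameHost = 'mail.example.test' })
}
$offline = { param($n, $t) $zone["$n|$t"] }.GetNewClosure()
Test-SmtpDns -Domain 'example.test' -Resolve $offline | Format-List

# Against live DNS, simply omit -Resolve:  Test-SmtpDns -Domain 'yourdomain.example'
```

Removing the PTR entry from the sample zone, or changing the SPF record to `v=spf1 -all`, produces a finding for the gateway address, which is what the receiving side's checks will complain about in production.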

PS: If time permits I will add some diagrams to illustrate each of the deployment models.
