Virtual Systems, Real Security Holes

As businesses seek new ways to cut costs, IT departments are often placed on the hot seat, and that has fueled interest in virtualization. For example, VMworld 2010, held in San Francisco recently, drew more than 17,000 attendees and saw more than 145,000 virtual machines deployed.

However, as businesses rush to virtualize, they too often tend to sweep security under the carpet, figuring they'll deal with that problem later.

A survey conducted jointly by Altor Networks and Juniper Networks at VMworld 2010 found that the cost-cutting mindset is pushing organizations toward virtualization at the expense of security and risk mitigation.

"There's a constant pressure on IT to utilize hardware resources more fully," Bill Roth, chief marketing officer at LogLogic, told TechNewsWorld.

The Good, the Bad and the Mixed Up

The survey conducted by Altor and Juniper found that IT is conflicted as it struggles to meet needs that may sometimes be diametrically opposed.

"The business benefits of embracing virtualization may be too great, and so enterprises may use some legacy security mechanisms that are already in place and put in the virtualization security after the fact," Johnnie Konstantas, chief marketing officer at Altor Networks, told TechNewsWorld. "So, while they're aware of the security risk, they are prepared to deal with it after the fact."

Some enterprises do take a phased approach to virtualization rollouts, Konstantas pointed out. However, large enterprises that either have a lab where they can test for disaster recovery or are under regulatory pressures often tend to roll out security after they've virtualized their systems, she said.

Groping Through the Fog

The notion of planning out a network and laying out security considerations first has been well established in IT, so why is it that many enterprises don't follow this procedure?

"Traditionally, IT has two big problems -- it's asked to do more with less every year, and it's asked to do it faster," LogLogic's Roth pointed out. He was head of new product development for GSI Commerce, an e-commerce provider that handles Toys 'R' Us and the NFL among other major clients, and "those were the restrictions we were under," Roth said.

Meanwhile, IT often lacks a sufficiently deep understanding of what's going on in the virtual environment.

"We have a virtual appliance that delivers log management," Roth said. "What we don't understand when we get into a cloud or are being run under the aegis of VMware (NYSE: VMW) Cloud Director is, what are the security issues between the virtual machines?"

For example, a virtual machine (VM) running office apps may be housed on the same physical server as a VM that requires strong security. That inadequate understanding can lead to complications: placing VMs with different security requirements side by side can lead to security problems, because an improperly secured VM may be used by hackers as a springboard to infect other VMs running on the same physical server.

Expect the Unexpected

Much of the time the problem is that IT staffers are treading new ground when they virtualize, so they don't know what to expect.

"For example, when I create a virtual machine or install a virtual environment like VMware Workstation on my desktop, it creates two more network interfaces that we may not know we have to monitor," LogLogic's Roth said. "So virtualization is wonderful, but it doesn't always deliver exactly what we expect. As you get to the next evolution of computing platforms, there's always some unintended consequences, and the unintended consequences of virtualization are where the security problems lie."

Perhaps the best way to cope with that type of uncertainty is to take it in stride and work out ways of dealing with it that don't require users to make too many changes in the way they work.

For example, about 70 percent of people mix workloads and plan to continue doing so, Altor's Konstantas pointed out. A solution that goes along with this tendency may work better than one that doesn't.

"Our view of the world is that this is going to happen, and you should be able to shrink-wrap every virtual machine in layered security and a firewall, and do that in a way that the security follows the machine around," Konstantas said. "Then you won't have to worry about mixing workloads."

Possible Solutions for Security

One of the main barriers to implementing security in the virtualized environment is the lack of proper tools. Major vendors such as Computer Associates and HP (NYSE: HPQ) have extended their security products to cover the virtual environment, but virtualization experts contend this isn't enough because the virtual world has a different set of requirements from the physical.

"The rate of change in the virtualized environment is much higher than in the physical environment," Altor's Konstantas said. "For example, 55 percent of the respondents to our survey at VMworld 2010 said they experienced change several times a day in which they added to, deleted or changed the content of a virtual machine."

New tools and approaches designed specifically for the virtual environment are emerging.

Altor is one of the vendors offering new tools. Its products automate the process of monitoring VMs and alerting security when something goes wrong. They also look deep into a VM, enabling IT to implement very detailed policies governing VMs.

"Making granular policies for each and every virtual machine isn't possible with current offerings because they don't have the visibility inside the VM host that our tools do," Konstantas said.

LogLogic, which offers log management, has worked with VMware to create logs for the latter's Cloud Director product that users can conduct forensics and security analysis on.

Trend Micro (Nasdaq: TMIC) recently announced an agentless antimalware module for VMware virtual environments. This is in its Deep Security 7.5 product.

Agentless security ensures that, when you pull up a VM you've parked, it automatically is provisioned with the right level of security. Antimalware apps that use agents don't let you do that because the agent stores the level of security that was appropriate when the VM was parked, and that may be out of date when you call up the VM again.

Another problem agentless security resolves is the occurrence of brownouts. These happen when security operations running concurrently on several VMs on one physical server compete for that server's resources.

However, products alone aren't enough.

"The best security plans focus on three things -- people, process and products," LogLogic's Roth said. "You've got to hire good people and know your people; you need the right products; and you have to implement proper processes."


Wireless Security For Linksys WRT54G Router Setup

Keep unwanted neighbors and nearby laptop users from stealing access to your Internet connection. You can never be certain of what wifi thieves are doing under your account. Even if their activity is not questionable, they are still taking up your resources without permission.

Here are the step-by-step instructions to secure wifi on your Linksys WRT54G wireless access point to prevent intruders:
  1. Log in to your router by opening your web browser and going to http://192.168.1.1 - this is the address to access your router. If this is your first time logging in, leave the username field blank and enter 'admin' (without the quote marks of course) as the password.
  2. The first thing to do is back up your current configuration. This way if you set something incorrectly you can always revert back to the original setup. Click the "Administration" tab.
  3. Click "Config Management"
  4. Click the "Backup" button. Choose a location to save your configuration where you will remember.
  5. Click the "Wireless" tab.
  6. Where it says "Wireless Network Name (SSID)" enter a unique SSID name for your wifi to be identified when your laptop scans for access points.
  7. Where it says "Wireless SSID Broadcast:" tick the box that says "Enable".
  8. Leave the other fields as they are.
  9. Click the "Save Settings" button and wait for the confirmation page.
  10. Click the "Continue" button.
  11. Click "Wireless Security"
  12. For this example we will use WPA2 Personal encryption. Before you proceed make sure the wireless software your laptop uses has support for this type.
  13. Where it says "Security Mode:" select "WPA2 Personal"
  14. Where it says "WPA Algorithms:" select TKIP+AES
  15. Where it says "WPA Shared Key:" enter anything you wish here. The longer the key the harder it is to hack. Combining numbers and letters and avoiding using dictionary words is the best practice. Write down or save this in a safe place.
  16. Where it says "Group Key Renewal:" enter '3600' (without the quote marks of course).
  17. Click the "Save Settings" button and wait for the confirmation page.
  18. Click the "Continue" button.


Cisco RVS4000 4-port Gigabit Security Router - VPN


Secure and Speedy Network Access

The Cisco RVS4000 Gigabit Security Router delivers secure, high-speed network access with switching capabilities to help staff in small businesses safely connect to required resources. IPsec VPN capabilities allow employees working remotely to access files and email as securely as if they were in the office.

Fast Gigabit speeds, internally and externally, allow your employees to send and receive large files quickly and easily. Strong security features include a proven firewall with an intrusion prevention system (IPS) that scans deep—detecting and blocking most worms, Trojan horses, and denial-of-service attacks. An optional security service helps block malicious websites and control web access to protect a small business and its employees.

Features of the RVS4000 Gigabit Security Router include:
  • High-speed connectivity, internally and externally
  • Full VPN capabilities for up to 5 remote workers
  • Advanced security, including intrusion prevention, keeps the network safe
  • Simple, browser-based configuration
  • Limited lifetime warranty
  • Support for Small Business QuickVPN software


Basic Cisco Router Security

This document describes some basic security tips for Cisco routers. The tips are based on my experiences regarding routers during the time I was employed by Philips Communication and Processing Services, Origin IT and Atos Origin.
These tips are basic tips to harden your network devices, but they are not the ultimate set of things to do. Keeping in mind how an IP network works and keeping your skills up to date with general networking and security mailing lists is a must.

Network layout

For this document we have the following layout of the network:



The following assumptions regarding network design are made:
  • There is a difference in the IP space for the network and for the user LANs. This makes it possible to distinguish traffic from user LANs from traffic within the network.
  • Despite the fact that there is a firewall in the picture, this document only describes security on the routers. It's there only to complete the picture.
  • The IP space of the network management LAN is dedicated to network management systems. No other systems are there.
  • User LANs are not allowed to access the network infrastructure. If people on a user LAN want to access the network, they have to hop via the network management LAN.
    User LANs      IP subnet                            Comment
    On router-A    130.140.254.0/24                     Network Management LAN
    On router-B    130.140.2.0/24                       Firewall LAN
    On router-C    130.140.1.0/24 and 130.140.5.0/24    Via a router of the user
    On router-D    -                                    Link to public internet
  • The network management LAN has a rich set of features. This includes, but will not be limited to, a TACACS+ server, an NTP server, a syslog server and an SNMP server.
  • The routers use an external authentication mechanism, such as TACACS+.
  • Each router has a loopback interface.
    Device name    Loopback IP address
    router-A       10.254.254.1
    router-B       10.254.254.2
    router-C       10.254.254.4
    router-D       10.254.254.5

Initial router configuration

There are a couple of things which are assumed to have happened:
  • The routers have hostnames
    router(config)#hostname router-A
    
  • The routers have loopback interfaces.
    The loopback interface will be used as the source address for all outgoing IP traffic and as the interface to connect to the router. As long as one of the physical interfaces is up, the loopback interface will be reachable.
    router-A(config)#interface loopback0
    router-A(config-if)#ip address <Loopback IP address> 255.255.255.255
    
  • All the routers should have their clocks right. Without this, it is not possible to do fast and proper debugging and analysis.
    router-A(config)#clock timezone UTC 0
    router-A(config)#service timestamps log datetime show-timezone
    router-A(config)#service timestamps debug datetime show-timezone
    

Access security

This part describes security for accessing the router via normal telnet. Authentication is done via TACACS+. The router should use it for both login and enable authentication. If no connection can be made to the authentication server, it should fall back on the enable password.
router-A(config)#aaa new-model
router-A(config)#aaa authentication login default tacacs+ enable
router-A(config)#aaa authentication enable default tacacs+ enable
router-A(config)#tacacs-server host <ip address of TACACS+ server>
router-A(config)#ip tacacs source-interface loopback0
Now an enable password should be defined. Cisco routers have three types of password encryption:
  • Type 0: no encryption. All your passwords are plain text.
  • Type 7: password is encrypted, but can be decrypted.
  • Type 5: password is stored as an MD5 hash; it cannot be decrypted.
router-A(config)#service password-encryption
router-A(config)#enable secret <password>
Only TCP connections coming from the network management LAN are allowed to access the routers.
router-A(config)#no access-list 1
router-A(config)#access-list 1 permit <subnet address of network management LAN> <wildcard mask>
Next it's finally time to enable the possibilities to log in. No passwords will be specified on the lines because that is configured with the aaa statements. A 30-minute time-out shall be standard on all console and virtual terminal lines.
router-A(config)#line console 0
router-A(config-line)#exec-timeout 30 0
router-A(config-line)#line aux 0
router-A(config-line)#no exec
router-A(config-line)#transport input all
router-A(config-line)#line vty 0 4
router-A(config-line)#access-class 1 in
router-A(config-line)#exec-timeout 30 0
In the past, it was possible to access the router via the chargen or echo ports. These services are not needed and should be disabled:
router-A(config)#no service udp-small-servers
router-A(config)#no service tcp-small-servers

SNMP security

SNMP is used to retrieve data from remote machines. This should only be allowed from machines on the network management LAN. If you want to allow non-network-management hosts to have SNMP access to a router, put them in a different access-list and give them a unique community string.
router-A(config)#no access-list 3
router-A(config)#access-list 3 permit <subnet address of network management LAN> <wildcard mask>
router-A(config)#no access-list 4
router-A(config)#access-list 4 deny any
Let the router send its SNMP information to the SNMP server, which is on the network management LAN. If there is an unauthorized attempt to access the router via SNMP, let it send a warning to the SNMP server. Limit the machines which can perform SNMP queries to the machines on the network management LAN. Also disable the possibility to do a system shutdown via SNMP.
router-A(config)#snmp-server community <community-string> RW 3
router-A(config)#snmp-server community <community-string> RO 4
router-A(config)#snmp-server host <ip address of SNMP server> <community-string>
router-A(config)#snmp-server trap-source loopback0
router-A(config)#snmp-server enable traps snmp authentication
router-A(config)#no snmp-server system-shutdown
router-A(config)#snmp-server tftp-server-list 3

Routing Process security

The routing process is the most important part of your network: if it is screwed up, your network doesn't function. It also gives a lot of information away if people have access to the routing tables.
If a routing-neighbour gets lost, it should be logged in the syslog:
router-A(config)#router eigrp 12
router-A(config-router)#eigrp log-neighbor-changes
All interfaces which are not connected to another router managed by you should be turned off for routing.
router-A(config)#router eigrp 12
router-A(config-router)#passive-interface loopback0
router-A(config-router)#passive-interface ethernet0
Also, don't accept any routing information from routers not belonging to you. If you want to route to other routers on the user LANs, managed by you or not, use static routes that point to that router and let a default gateway on those routers point back to your router.
router-C(config)#ip route 130.140.5.0 255.255.255.0 130.140.1.2
router-C(config)#router eigrp 12
router-C(config-router)#redistribute static
user-router(config)#ip route 0.0.0.0 0.0.0.0 130.140.1.1

Logging security

The logging done by the routers can be sent to a central host. If you enable this, make sure the syslog daemon on that host allows syslog messages from remote machines.
router-A(config)#logging buffered
router-A(config)#logging console debugging
router-A(config)#logging trap informational
router-A(config)#logging source-interface loopback0
router-A(config)#logging <ip address of syslog server>

NTP security

Knowledge of the correct time is very important for debugging, general logging and analysing problems. Therefore all routers should take their time from a single source and accept no time information from any other source. It is also possible to configure routers to act as NTP servers, either for other routers or for hosts on the user LAN.
router-A(config)#no access-list 5
router-A(config)#access-list 5 permit <ip address of NTP server>
router-A(config)#no access-list 6
router-A(config)#access-list 6 deny any
router-A(config)#ntp access-group peer 5
router-A(config)#ntp access-group serve 6
router-A(config)#ntp source loopback 0
router-A(config)#ntp server <ip address of NTP server>

User LAN Interface security

The user LAN interfaces are where traffic to and from the users enters and leaves, and thus the place that will receive bogus and illegal packets first. There are a couple of things to take care of:
  • Do not advertise yourself towards the user LAN as a router:
    router-A(config)#interface ethernet0
    router-A(config-if)#no cdp enable
    
  • Do not forward IP packets with source-routing header options enabled:
    router-A(config)#no ip source-route
    
  • Do not answer to ARP requests for hosts which are not on the user LAN:
    router-A(config)#interface ethernet0
    router-A(config-if)#no ip proxy-arp
    
  • Only allow packets which are expected to come from the user LAN and are meant for other user LANs. That means, don't forward packets to network devices:
    router-A(config)#ip access-list extended outgoing_e0
    router-A(config-ext-nacl)#deny ip any <ip space of network> <wildcard mask>
    router-A(config-ext-nacl)#permit ip <subnet address of user LAN> <wildcard mask> any
    router-A(config-ext-nacl)#deny ip any any
    router-A(config)#interface ethernet0
    router-A(config-if)#ip access-group outgoing_e0 in
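The outgoing_e0 filter evaluated in Python, as an added example that is not part of the original guide: it applies IOS wildcard-mask matching to a few constructed flows and also shows what the same three entries do when a subnet mask is typed where IOS expects a wildcard mask. The infrastructure prefix 10.254.254.0/24 and the host addresses are assumptions.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' in IOS: base 0.0.0.0, every bit don't-care

# Assumed for illustration: the guide's loopbacks live in 10.254.254.0/24 and
# router-C's user LANs are 130.140.1.0/24 and 130.140.5.0/24.
NETWORK_SPACE = "10.254.254.0"
USER_LAN = "130.140.1.0"

def subnet_to_wildcard(mask):
    """The wildcard form of a subnet mask is its bitwise inverse (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def wildcard_matches(addr, base, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'do not care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def evaluate_acl(acl, src, dst):
    """Return the action of the first matching entry; no match means the implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_matches(src, s_base, s_wc) and wildcard_matches(dst, d_base, d_wc):
            return action
    return "deny"

# outgoing_e0 as the guide intends, with proper wildcard masks:
#   deny   ip any <network space> <wildcard>
#   permit ip <user LAN> <wildcard> any
#   deny   ip any any
OUTGOING_E0 = [
    ("deny", *ANY, NETWORK_SPACE, subnet_to_wildcard("255.255.255.0")),
    ("permit", USER_LAN, subnet_to_wildcard("255.255.255.0"), *ANY),
    ("deny", *ANY, *ANY),
]

# The same three entries with a subnet mask typed where IOS expects a wildcard mask.
OUTGOING_E0_MISTYPED = [
    ("deny", *ANY, NETWORK_SPACE, "255.255.255.0"),
    ("permit", USER_LAN, "255.255.255.0", *ANY),
    ("deny", *ANY, *ANY),
]

# Constructed sample flows arriving on ethernet0: (source, destination, description).
FLOWS = [
    ("130.140.1.50", "130.140.5.10", "user host to another user LAN"),
    ("130.140.1.50", "10.254.254.1", "user host to a router loopback"),
    ("192.0.2.7", "130.140.5.10", "source not on this user LAN"),
    ("192.0.2.0", "10.254.254.1", "off-LAN source ending in .0 to a loopback"),
]

if __name__ == "__main__":
    for src, dst, label in FLOWS:
        print("%-42s correct=%-6s mistyped=%s" % (label, evaluate_acl(OUTGOING_E0, src, dst),
                                                  evaluate_acl(OUTGOING_E0_MISTYPED, src, dst)))
```

With the mistyped masks only the last octet is compared, so legitimate user traffic is dropped while an off-LAN source ending in .0 is let through to the infrastructure space.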