Securing Desktop Access to Host Systems – Protecting Critical Data
Eric Raisters
Security Technical Lead
WRQ, Inc.
ericr@wrq.com
What’s the problem?
• 70 - 80% of security breaches come from inside the firewall (FBI and CSI surveys as recent as 2000)
• New regulations (e.g. HIPAA) require confidential data to be transmitted securely.
• Popularity of the Internet increases risk.
  – B2B/Web services
  – Working from home
Assumptions
• Securing the desktop is a whole topic on its own.
• Both desktop and host systems have a base level of security.
• The network between them is not secure.
• This is geared towards desktops running Windows, but could equally apply to other desktops.
Proprietary Products - Pluses
• Harder to attack if the algorithm is not known; the attacker must first reverse-engineer it (a delay rather than a cryptographic strength, since the algorithm is recoverable from the shipped client)
• Usually better administration utilities, services, and documentation
Open Source/Standard - Pluses
• Lots of eyes and hands working on it
• Not dependent on the trustworthiness of a few programmers or one company
• Algorithms are published and have been publicly analyzed for cryptographic soundness
The Three A’s of Network Security
• Authentication
  – proving who you are
  – getting proof back (mutual authentication)
• Authorization
  – proving what resources you may use
• Audit
  – logging who has done what
  – primarily a server-side responsibility
• [Administration]
How Do We Securely Communicate?
[Diagram: PC, firewall and host, with question marks on the connection between them.]
Historically - Clear Text “Security Through Obscurity”
[Diagram: PC, firewall and host; the user name, password and data cross the network in clear text, readable by anyone on the path.]
Middleware Model (Proxy)
[Diagram: the PC talks to a proxy server at the firewall over an encrypted connection carrying name, password and data; the proxy server forwards the same name, password and data to the host in clear text.]
Encrypted Tunnels Model (Direct)
[Diagram: PC, firewall and host; name, password and data are encrypted end to end between the PC and the host, through the firewall.]
VPN (via IPSec) Basics
[Diagram: VPN client and VPN server.]
1. Use IKE to negotiate the Phase 1 SA
2. Negotiate the Phase 2 SAs (one inbound and one outbound SA per peer)
3. The sender encrypts packets with its outbound SA
4. The receiver decrypts packets using its inbound SA and passes them to the application
5. Return traffic is encrypted using the other peer’s outbound SA
6. and decrypted using the matching inbound SA before being passed to the application
SOCKS Clients - Features
• Standard protocol developed by NEC (SOCKS version 5 is RFC 1928)
  – The application client makes a request to SOCKS to communicate with the application server.
  – On behalf of the application client, SOCKS establishes a proxy circuit to the application server, then relays the application data between the client and the server.
• Designed for carrying TCP-based client/server applications through a firewall (version 5 adds a UDP relay)
• Version 5 provides secure authentication and encryption with GSSAPI
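The exchange described on this slide, as an added example that is not part of the original deck or any WRQ or NEC code: the SOCKS5 client and the proxy are both modelled in one process from the RFC 1928 message layouts. It uses the RFC 1929 username/password method because that keeps the example self-contained; note that this method sends the password to the proxy in the clear, which is why the slide points at the GSSAPI method for secure authentication. The account, the permitted destination and the proxy-side address are constructed for the example.

```python
"""SOCKS5 CONNECT (RFC 1928) with username/password sub-negotiation (RFC 1929),
client and proxy both modelled in-process. Constructed example; not WRQ or NEC code."""
import hmac, socket, struct

VER, CMD_CONNECT = 0x05, 0x01
NO_AUTH, GSSAPI, USERPASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
              7: "command not supported", 8: "address type not supported"}
# Constructed proxy policy: one account, one permitted destination (Telnet on the host).
USERS = {"alice": "correct horse"}
ALLOWED = {("host.example.internal", 23)}

def _parse_addr(buf, i):
    """Decode ATYP | ADDR | PORT at buf[i]; return (host, port, next_index)."""
    if buf[i] == ATYP_IPV4:
        host, i = socket.inet_ntoa(buf[i + 1:i + 5]), i + 5
    elif buf[i] == ATYP_DOMAIN:
        n = buf[i + 1]
        host, i = buf[i + 2:i + 2 + n].decode("idna"), i + 2 + n
    else:
        raise ValueError("unsupported ATYP %d" % buf[i])   # IPv6 (ATYP 4) left out here
    if len(buf) < i + 2:
        raise ValueError("truncated address")
    return host, struct.unpack("!H", buf[i:i + 2])[0], i + 2

def client_greeting(methods):
    """VER | NMETHODS | METHODS"""
    return bytes([VER, len(methods)]) + bytes(methods)

def client_connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. A literal IPv4 address goes as
    ATYP 1; anything else is sent as a domain name so the proxy resolves it."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data):
    """Return (REP, BND.ADDR, BND.PORT); reject anything malformed."""
    if len(data) < 4 or data[0] != VER or data[2] != 0x00:
        raise ValueError("not a SOCKS5 reply")
    host, port, end = _parse_addr(data, 3)
    if end != len(data):
        raise ValueError("trailing bytes in reply")
    return data[1], host, port

def _reply(rep, host="0.0.0.0", port=0):
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(host) + struct.pack("!H", port)

def server_select_method(greeting):
    """Proxy policy: insist on username/password; a client offering only NO_AUTH is refused."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    return bytes([VER, USERPASS if USERPASS in greeting[2:] else NO_ACCEPTABLE])

def server_check_userpass(msg):
    """RFC 1929: 0x01 | ULEN | UNAME | PLEN | PASSWD  ->  0x01 | STATUS (0 = success)."""
    try:
        ulen, uname = msg[1], msg[2:2 + msg[1]].decode()
        plen, passwd = msg[2 + ulen], msg[3 + ulen:3 + ulen + msg[2 + ulen]].decode()
        well_formed = msg[0] == 0x01 and len(msg) == 3 + ulen + plen
    except (IndexError, UnicodeDecodeError):
        well_formed = False
    ok = well_formed and hmac.compare_digest(USERS.get(uname, "").encode(), passwd.encode())
    return bytes([0x01, 0x00 if ok else 0x01])

def server_handle_connect(req):
    """Parse CONNECT, apply the ruleset, build the reply. A real proxy would now open the
    target connection and relay bytes; BND.ADDR/BND.PORT here are constructed."""
    if len(req) < 4 or req[0] != VER:
        return _reply(1)
    if req[1] != CMD_CONNECT:
        return _reply(7)
    try:
        host, port, end = _parse_addr(req, 3)
    except (ValueError, OSError, IndexError):
        return _reply(8)
    if end != len(req):
        return _reply(1)
    return _reply(0, "10.0.0.5", 40001) if (host, port) in ALLOWED else _reply(2)

def run_exchange(host, port, username, password):
    """Drive the whole conversation and return the outcome as a client would report it."""
    selection = server_select_method(client_greeting([NO_AUTH, USERPASS]))
    if selection[1] == NO_ACCEPTABLE:
        return "no acceptable authentication method"
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        return "credentials too long"
    if server_check_userpass(bytes([0x01, len(u)]) + u + bytes([len(p)]) + p)[1] != 0x00:
        return "authentication failed"
    rep, _, _ = parse_reply(server_handle_connect(client_connect_request(host, port)))
    return REPLY_TEXT.get(rep, "reply code %d" % rep)
```

The proxy refuses a client that offers only NO_AUTH, checks every length field before trusting it, and applies its ruleset (reply code 2) after authentication; that ordering is what lets the proxy log who asked for which destination, which is the audit point from the Three A’s slide.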
SOCKS Client - Pluses
• Standards-based protocol
• Facilitates firewall traversal
• Widely available in client programs
• Can be used regardless of the protocol the application uses
• Imposes little overhead on network communications
SOCKS Client - Minuses
• May require identd running on client PC (requires the use of DNS server or relay)
• Requires that applications be modified to become “SOCKSified”
• Additional server to administer that may be separate from network servers
SSL / TLS / OpenSSL
• SSL (Secure Sockets Layer) v3.x
  – proprietary protocol originally developed by Netscape for Web (HTTP) security
  – the de facto security standard for the Web
• TLS (Transport Layer Security) v1.0
  – standards-based successor that uses publicly specified algorithms
  – published by the IETF as RFC 2246 (1999)
SSL / TLS - Features
• Uses public key cryptography and X.509 certificates to authenticate
• Negotiates session keys for symmetric encryption
• Cipher suites at the time included 56-bit DES, 128-bit RC4 and 168-bit 3DES (all since deprecated; current TLS uses AES or ChaCha20)
• Provides data integrity and encryption
SSL / TLS Basics
[Diagram: SSL/TLS client, SSL/TLS server or gateway, Telnet server.]
1. Establish secure tunnel (client to server or gateway)
2. Authenticate server
3. Authenticate client (optional)
4. Encrypted session between the client and the server or gateway
5. Unencrypted session between the gateway and the Telnet server (gateway case only)
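The client side of steps 1 to 3 as a configuration, added here as an example and not taken from the deck or from any WRQ product: a hardened Python `ssl` context for a Telnet- or FTP-over-TLS client next to the slide-era configuration it replaces, with an audit function that names the weaknesses. The cipher string excludes the DES, RC4 and 3DES suites listed on the previous slide; the certificate and key paths are parameters you supply, not files that exist on this page.

```python
"""Hardened TLS client context for a host-access client (Telnet or FTP over TLS),
beside the permissive configuration it replaces. Added example, standard library only."""
import ssl

# Algorithm names from the slide that no current client should negotiate.
LEGACY_CIPHER_TAGS = ("DES", "RC4", "MD5", "NULL")


def make_client_context(cafile=None, client_cert=None, client_key=None):
    """Steps 1-3 of the slide: server authentication is mandatory (CA check plus
    hostname match against the certificate's SAN); client authentication is
    enabled only when a certificate and key are supplied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Ephemeral key exchange with AEAD suites only; DES, 3DES and RC4 are out.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DES:!3DES:!RC4")
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # private CA that issued the host's cert
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def legacy_context():
    """What many slide-era clients did: accept any server certificate and skip the
    hostname check. Built only so audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def has_legacy_cipher(ctx):
    return any(tag in c["name"] for c in ctx.get_ciphers() for tag in LEGACY_CIPHER_TAGS)


def audit_context(ctx):
    """Findings a reviewer would raise about a client context; empty means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: any server or interposed proxy is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any valid certificate is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if has_legacy_cipher(ctx):
        findings.append("legacy cipher (DES/3DES/RC4/MD5) enabled")
    return findings
```

Step 5 on the slide is the part no client setting can fix: when a TLS gateway terminates the tunnel, the hop from the gateway to the Telnet server is clear text again, so either the gateway sits on the same trusted segment as the host or the host itself terminates TLS.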
SSL / TLS - Pluses
• Proven technology for securing the Web
• IETF standardization of TLS for Telnet and FTP is in progress (IBM is pushing it)
• OpenSSL available for UNIX/Linux
SSL / TLS - Minuses
• Open standard may not interoperate with proprietary SSL — different key negotiation and encryption algorithms
• Certificates difficult to administer
• Not many choices for Telnet or FTP server vendors (primarily IBM big iron)
• Possible trademark and royalty issues
Kerberos
• Created at MIT in the early 1980s
• Current open-standard version is 5 (RFC 1510)
• Used for authentication, data integrity, and encryption
• Implemented in Windows 2000 and XP via the Security Support Provider Interface (SSPI)
Kerberos - Features
• Secure authentication
  – Password never travels over the network
  – Memory-only credentials caches
• Data stream protections
  – Detection of data stream modification
  – 56-bit DES or 168-bit 3DES encryption
  – Telnet, FTP, rlogin, rcp, rsh protocols
Kerberos Basics
[Diagram: Kerberos client, domain controller / KDC, Telnet, FTP, etc. server.]
1. Request TGT (client to KDC)
2. Return TGT
3. Using TGT, request ST (service ticket)
4. Return ST
5. Present ST to the Telnet, FTP, etc. server
6. Encrypted session
Kerberos - Pluses
• Mature, open standard whose protocol has held up to years of public scrutiny
• Minimal administration and server overhead
• Programmatic access - GSSAPI
• Widely available for UNIX/Linux, Windows, Unisys, OpenVMS
• No patent or royalty encumbrances
Kerberos - Minuses
• The KDC(s) must be secured
• Prone to offline dictionary attacks on the AS reply that carries the TGT (it is encrypted under the user’s password-derived key); brute force attacks feasible on 56-bit DES keys
• Significant cost of implementation
  – Requires applications be “kerberized”
  – Administrators require specialized training
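Added example for two points made on the Kerberos slides: the feature that the password never travels over the network, and the minus above that the AS reply can be attacked offline. It is a model of the AS exchange written for this page, not the real protocol and not WRQ code: PBKDF2 stands in for the string2key function, an HMAC-SHA256 stream with a tag stands in for the Kerberos enctype, and the realm, principal, password and wordlist are constructed. It also shows how pre-authentication (an encrypted timestamp in the request) changes who can obtain the guessable reply.

```python
"""Model of the Kerberos AS exchange (steps 1 and 2 of the slide): the
password never leaves the client, the AS reply is guessable offline when
the KDC hands it out without pre-authentication, and pre-authentication
closes that path. Constructed example, not the real protocol or WRQ code:
PBKDF2 stands in for string2key, an HMAC-SHA256 stream for the enctype."""
import hashlib, hmac, os, time

PREAUTH_SKEW = 300  # seconds of clock skew a KDC tolerates

def string2key(password, realm, principal):
    """Long-term key from password and salt (conventionally realm + principal).
    RFC 3962 defaults to 4096 PBKDF2 iterations; 1000 keeps the demo fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (realm + principal).encode(), 1000)

def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + bytes([i]), "sha256").digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Stand-in authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Plaintext, or None when the tag does not verify (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    def __init__(self, realm, require_preauth):
        self.realm, self.require_preauth = realm, require_preauth
        self.db = {}                   # principal -> long-term key; the password is never stored
        self.tgs_key = os.urandom(32)  # the TGT is sealed under this; opaque to clients

    def add_principal(self, name, password):
        self.db[name] = string2key(password, self.realm, name)

    def as_exchange(self, principal, preauth=None):
        """AS-REQ in, (TGT, enc-part) out. enc-part is sealed under the user's
        long-term key with a known layout, which is what makes it testable offline."""
        key = self.db.get(principal)
        if key is None:
            raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        if self.require_preauth:  # PA-ENC-TIMESTAMP: prove the key before getting anything
            ts = None if preauth is None else unseal(key, preauth)
            if ts is None or abs(time.time() - int(ts.decode())) > PREAUTH_SKEW:
                raise PermissionError("KDC_ERR_PREAUTH_REQUIRED")
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, principal.encode() + b"|" + session_key)
        return tgt, seal(key, b"ASREP|" + session_key)

def client_login(kdc, principal, password, use_preauth):
    """Client side of steps 1 and 2. The key is derived locally; only sealed
    material crosses the 'network' (here, the method call)."""
    key = string2key(password, kdc.realm, principal)
    preauth = seal(key, str(int(time.time())).encode()) if use_preauth else None
    tgt, enc_part = kdc.as_exchange(principal, preauth)
    pt = unseal(key, enc_part)
    if pt is None:
        raise PermissionError("wrong password: cannot open AS-REP")
    return tgt, pt.split(b"|", 1)[1]   # memory-only credentials cache: TGT + session key

def offline_guess(enc_part, realm, principal, wordlist):
    """Attacker holding a captured AS-REP: derive a key per candidate and try it.
    No KDC round trips, so no lockout and no audit trail (the third A)."""
    for cand in wordlist:
        pt = unseal(string2key(cand, realm, principal), enc_part)
        if pt is not None and pt.startswith(b"ASREP|"):
            return cand
    return None

def demo(wordlist=("password", "letmein", "winter2001")):
    """End-to-end run: (password recovered offline, unauthenticated AS-REQ
    refused when pre-auth is required, pre-auth login still works)."""
    open_kdc = KDC("EXAMPLE.COM", require_preauth=False)
    open_kdc.add_principal("alice", "winter2001")
    _, captured = open_kdc.as_exchange("alice")  # anyone may ask for alice's AS-REP
    guessed = offline_guess(captured, "EXAMPLE.COM", "alice", wordlist)
    strict_kdc = KDC("EXAMPLE.COM", require_preauth=True)
    strict_kdc.add_principal("alice", "winter2001")
    try:
        strict_kdc.as_exchange("alice")
        refused = False
    except PermissionError:
        refused = True
    _, session_key = client_login(strict_kdc, "alice", "winter2001", use_preauth=True)
    return guessed, refused, len(session_key) == 32
```

Pre-authentication only removes the path where anyone can ask the KDC for a user’s AS-REP without knowing the password. A sniffer on the network still captures both the encrypted timestamp and the reply and can guess offline, which is why the slide’s warning about 56-bit keys translates into strong enctypes and strong passwords rather than into pre-authentication alone.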
Secure Shell (SSH)
• Provides strong authentication - password, public key, Kerberos
• SSH-1 (deprecated) and SSH-2
• Replaces Telnet, rlogin, rsh, and rcp
• Secure forwarding of TCP connections, including the X11 protocol
• FTP replacement sftp in SSH-2
Secure Shell - Features
• 56-bit DES, 168-bit 3DES, 128-bit Arcfour, 128-bit CAST, Blowfish (keys up to 448 bits) and AES algorithms up to 256 bits
• OpenSSL libraries used for SSH-1 compatibility
Secure Shell Basics
[Diagram: Secure Shell client and Secure Shell server, each on its own OS TCP stack.]
1. Establish secure tunnel
2. Authenticate server
3. Authenticate client
4. Encrypted session
5. Arbitrary TCP port forwarding between the two TCP stacks through the tunnel
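Step 2, server authentication, as an added example that is not from the deck or from OpenSSH: a known_hosts check in Python that pins the host key on first contact, matches hashed hostnames, honours @revoked lines and refuses a changed key. The host key blobs, salt and known_hosts lines are constructed for the example; real blobs are SSH wire-format public keys, but only the blob’s identity matters for pinning, so the hash of a string serves here.

```python
"""SSH server authentication (step 2 of the slide) as a known_hosts check:
pin the host key on first contact, then refuse a changed key. Constructed
example, not OpenSSH code; the "host keys" below are fixed blobs, not real keys."""
import base64
import hashlib
import hmac


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(hostname, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), "sha1").digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _host_matches(hosts_field, hostname):
    if hosts_field.startswith("|1|"):
        salt = base64.b64decode(hosts_field.split("|")[2])
        return hmac.compare_digest(hashed_hostname(hostname, salt), hosts_field)
    return hostname in hosts_field.split(",")


def parse_known_hosts(text):
    """Yield (marker, hosts_field, key_type, key_blob); marker is '' or e.g. '@revoked'."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = parts.pop(0) if parts[0].startswith("@") else ""
        if len(parts) < 3:
            continue                      # malformed line: ignore rather than trust
        yield marker, parts[0], parts[1], base64.b64decode(parts[2])


def check_host_key(known_hosts, hostname, key_type, key_blob):
    """TRUSTED: pinned key matches. REVOKED: key explicitly revoked.
    MISMATCH: a different key of the same type is pinned for this host; treat it
    as a possible man in the middle and abort before step 3 sends credentials.
    UNKNOWN: first contact; confirm fingerprint() out of band before accepting."""
    seen_same_type = False
    for marker, hosts, ktype, blob in parse_known_hosts(known_hosts):
        if not _host_matches(hosts, hostname):
            continue
        if marker == "@revoked":
            if hmac.compare_digest(blob, key_blob):
                return "REVOKED"
            continue
        if marker or ktype != key_type:
            continue                      # @cert-authority lines are out of scope here
        seen_same_type = True
        if hmac.compare_digest(blob, key_blob):
            return "TRUSTED"
    return "MISMATCH" if seen_same_type else "UNKNOWN"


# Constructed sample data for the check above.
HOST_KEY_A = hashlib.sha256(b"constructed host key A").digest()
HOST_KEY_B = hashlib.sha256(b"constructed host key B").digest()
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "host.example.internal,10.0.0.5 ssh-ed25519 " + base64.b64encode(HOST_KEY_A).decode(),
    hashed_hostname("db.example.internal", SALT) + " ssh-ed25519 " + base64.b64encode(HOST_KEY_B).decode(),
    "@revoked old.example.internal ssh-ed25519 " + base64.b64encode(HOST_KEY_B).decode(),
])
```

The MISMATCH case is the one worth wiring into monitoring: a changed host key on a production host is either an unannounced rebuild or an interception, and the client must stop before step 3 sends a password.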
Secure Shell - Pluses
• Internet draft (IETF secsh working group); open standard with open-source implementations
• Only one firewall port open
• No patent or royalty encumbrances
• Protocol-independent
• Available on UNIX/Linux, OpenVMS, Windows
Secure Shell - Minuses
• Administration problems
  – User public keys difficult to manage in a timely manner if using public key authentication
  – Specialized administration required if using Kerberos
• Requires regular security updates as bugs and holes are identified and fixed in the open-source implementation.
Security Availability
[Table; cell values are not recoverable from this transcript. Columns: SOCKS, VPN, SSL/TLS, Kerberos, Secure Shell. Rows: UNIX/Linux, OpenVMS, MPE, Mainframes, Unisys, Windows. An asterisk (*) marks “only through middleware servers”.]
Questions?
Thank you!