
NetConnect Blog - Your Resource For IT Tips, Tricks and News

Shellshock: It Has Nothing to Do with Ninja Turtles

Posted by Brian Johnson on Oct 17, 2014 4:13:04 PM

I’m probably starting to show my age, but when I hear the word “Shellshock” the first thing I think of is the old Teenage Mutant Ninja Turtles cartoons. But unfortunately, the Shellshock we are talking about has nothing to do with pizza-loving reptiles, and everything to do with a gaping security hole affecting many of your Internet-connected devices. Here’s what Shellshock (a.k.a. the “Bash bug”) is all about and why you should care:

What is it?

There are a few terms and technologies contributing to the Shellshock nickname. First up is Bash, which is a command-line interface used in Mac, Linux, and many other operating systems and devices. This interface, often referred to as accessing the “shell,” can be used to enter commands to perform various actions on a system, such as editing files, running tools, or initiating a restart or shutdown. 

The heart of the Shellshock problem is that when these Bash commands are tweaked for potentially malicious purposes, really really really bad stuff can happen all across the Internet. 

I don’t run Macs or Linux – so can I stop reading now?

No – please don’t! This still matters to you. You may not directly run these operating systems on the machines you use every day, but Linux is everywhere. It could be found on video cameras, routers and other devices on your home or work network, and is prevalent on thousands and thousands of Web servers scattered across the Internet. 

To understand the seriousness of this issue, we have to get a little nerdy first and look at an example Bash command:

/bin/eject

This simple command, when executed on some Linux servers, will eject the CD drive. No harm done there, right? 

Ok, but what if I could somehow modify that command and, from my comfy office in Waconia, use it to make a server across the Internet eject its CD drive? Wouldn’t that be cool? Well, if my target server was vulnerable to Shellshock, I could do exactly that with this command:

 curl -H "User-Agent: () { :; }; /bin/eject" http://www.example.com/

Again, this looks like a bunch of gibberish, right? But when we break it down, here’s essentially what this command is doing: first, it is asking www.example.com to display its Web content, much like it would if you visited www.example.com in a Web browser. Next, as my computer and the Web site send data back and forth to complete this connection, my computer sends the characters () { :; }; followed by /bin/eject. And here’s the bug: the server should treat the /bin/eject command as something to ignore or discard, but it runs it instead. Voilà! The CD tray pops open!

I don’t run a Web server either – why am I still reading?

In the example above I used a command which caused a Web server to eject its CD tray. Just a silly trick to show friends at parties, right? But use your imagination and think of some of the more sinister things I could do with this Shellshock vulnerability. Maybe I could figure out a way to make thousands of these servers attack your corporate network. Or I could craft a command to make the server send me sensitive information it has stored about you, such as your name, address, phone number, password, purchase history, credit card information…the possibilities are endless!

And keep in mind, this vulnerability does not require any advanced skills on my part. I do not have to steal any usernames or passwords of people who administer these servers, download any special software or take a master’s class in hacking. Nope, just a quick Google search and about 10 minutes of my time would be all I needed to start launching attacks on vulnerable servers and potentially do damage to your networks, accounts and sensitive information. And that is why you should be concerned with Shellshock.

So what can I do about it?

If you are running Macs in your environments, check the support article Apple has published about the Bash bug, and download/install the appropriate patch.

On Linux systems, you can usually do a quick Google search for the type of Linux you run and the word “Shellshock” to find articles and instructions containing a fix. For instance, I run Ubuntu, and by searching for Ubuntu Shellshock I was treated to this nice article which walks me through patching the bug.

Don’t stop here. In your home or corporate network, you need to check other devices that may be vulnerable, such as video cameras, routers and backup devices. Tripwire offers a free tool to scan up to 100 internal IP addresses. Depending on what devices are identified as being vulnerable, head to that vendor’s Web site and search for any knowledge base articles or updates that might be available.

If you are concerned about Shellshock on your servers that are accessible via the Internet, this tool can help you test them.
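
If you run a Web server yourself, you can also look through its access log for requests shaped like the curl example above. The sketch below is an added example, not part of the original post: it assumes the Apache/nginx "combined" log format, and the log lines, IP addresses and function names in it are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Bash only treats an environment value as a function definition when the
# value *begins* with "() {", so the check is anchored to the start of the
# header value. Optional whitespace is tolerated to catch sloppy probes.
HEADER_MARKER = re.compile(r"^\s*\(\s*\)\s*\{")

# Fallback for lines that do not parse: a quoted field that opens with the marker.
RAW_MARKER = re.compile(r'"\s*\(\s*\)\s*\{')

# "combined" log format (assumed): ip ident user [time] "request" status size
# "referer" "user-agent". Quotes inside a field are logged as \" by Apache.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
    r' "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)


class Hit(NamedTuple):
    line_no: int
    ip: str
    timestamp: str
    status: str
    field: str   # which logged header carried the marker
    value: str


def find_probes(lines) -> List[Hit]:
    """Return one Hit per logged header that starts with a Bash function marker.

    The combined format records only Referer and User-Agent. A probe sent in
    another header (Cookie, for instance) will not show up here, so an empty
    result is not proof that nobody tried.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            # Do not silently skip malformed lines; flag them for manual review.
            if RAW_MARKER.search(line):
                hits.append(Hit(n, "?", "?", "?", "unparsed", line.strip()))
            continue
        for field in ("referer", "agent"):
            value = m.group(field)
            if HEADER_MARKER.search(value):
                hits.append(Hit(n, m.group("ip"), m.group("ts"),
                                m.group("status"), field, value))
    return hits


# Constructed sample log (documentation-range IP addresses).
SAMPLE_LOG = [
    # 1: ordinary browser request
    '198.51.100.7 - - [17/Oct/2014:16:01:12 -0500] "GET / HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"',
    # 2: the request from the post, marker in User-Agent
    '203.0.113.45 - - [17/Oct/2014:16:02:40 -0500] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :; }; /bin/eject"',
    # 3: same idea, marker in Referer instead
    '203.0.113.45 - - [17/Oct/2014:16:02:41 -0500] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "() { :;}; /bin/eject" "curl/7.38.0"',
    # 4: benign, "() {" appears mid-value and is not a function definition
    '198.51.100.9 - - [17/Oct/2014:16:03:05 -0500] "GET /help HTTP/1.1" 200 88 '
    '"http://www.example.com/help?topic=init() { }" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.ip} [{hit.timestamp}] "
              f"status={hit.status} {hit.field}={hit.value!r}")
```

A hit only shows that someone sent the request. Whether the server was actually vulnerable depends on whether it was patched at the time, so treat hits against unpatched machines as worth a closer look.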

Conclusion

Shellshock is a big deal – some experts say even bigger than Heartbleed. But as you can see above, Shellshock is not a real simple vulnerability to explain. I have had several conversations with clients who misunderstand it as “I don’t run Macs or Linux, so I don’t need to care.” Hopefully I was able to show you that is simply not the case, and you can help your fellow friends/family/coworkers better understand the bug when the opportunity arises. 

If you have any questions about Shellshock or perhaps want your network scanned for the vulnerability, we welcome the chance to talk to you. Contact NetWork Center, Inc. or FRSecure for any questions. 

This blog post is written by our guest blogger Brian Johnson, Information Security Analyst with our partner in information security, FRSecure

Topics: Technology Solutions, Network Security, Security, Security Technologies, IT Solutions

Your Information, Their Cloud

Posted by Tyler Voegele on Sep 18, 2014 3:30:00 PM

By now, you've probably heard a lot about the cloud and how most of our private data is soon going to be stored there. Be forewarned, 'the cloud' will be used many times in the following article. If you aren't sure exactly what 'the cloud' is yet, let me explain it to you simply. When we talk about 'the cloud' it really is just a collection of servers that store data somewhere that is not residing in your physical location. That's it. Nothing fancy floating up there in the sky, other than actual real clouds. The number of people entering information into the cloud increases each year by a fascinating amount. Everything we do might soon be stored in servers around the US or even other parts of the world. Some of our mobile devices already automatically sync our data to cloud services such as Apple's iCloud. Our PCs and documents are now also making the move to cloud services and why wouldn't they? It is an easy, no-hassle way to store our information safely and securely, or so we think.

We trust our personal and work data completely with companies providing these cloud solutions, but just how secure are these companies keeping our personal information? You've most likely heard of numerous security breaches with multiple companies which almost seems like a common occurrence. Data privacy legislation proceeds in a tempo that is unable to keep up with the speed of our technological process. You'll find it hard to get any universal rules or laws that could be applicable to any cloud services legally binding companies to uphold standards to protect us. So, what must we accept if we are going to store our data in the cloud?   

1. Passwords can be hacked. This probably isn't news to you. Security professionals have been shaking their proverbial finger at us for a long time. People who want to obtain our information will use dictionary and brute force attacks to hack our passwords. You will have to think of a strong password that can easily beat these attacks but also keep you sane from having to remember a 25 character mess. (More on this below.)

2. Data can be captured en route. Fortunately, most cloud services encrypt data while it's going to and from their site, making it impossible to read even if someone were to obtain the files while in transit. Still, if you are using a cloud service on the web, make sure that you have "https" instead of "http" in front of the URL in your browser's address bar. Secure HTTP or HTTPS ensures you that the site you are currently using should be sending files...you guessed it, securely.

3. Data breaches can happen. The data breach at Target, resulting in the loss of personal and credit card information of up to 110 million individuals, was a recent theft that took place during the normal processing and storage of data. People can sometimes get access to data, and what we store in the cloud is susceptible to whatever security practices companies currently have in place.  

4. Data loss can also happen. A data breach is the result of a malicious and probably intrusive action, and data loss may occur when disk drives die without the company having created a backup or having reliable redundancy. Small amounts of data were lost for some Amazon Web Service customers who suffered "a re-mirroring storm" due to human operator error in April 2011, showing that data loss could occur un-intentionally or intentionally in the event of a malicious attack.  

5. Denial of Services can stop you from obtaining your data. The assault by hundreds of thousands or millions of automated requests for service has to be detected and screened out before it ties up operations, but attackers have improvised increasingly sophisticated and distributed ways of conducting the assault, making it harder to detect which parts of the incoming traffic are the bad traffic versus legitimate users. This leaves you without access to your data and sometimes they shut down the service for an unknown amount of time to fix the problem.  

6. There could be malicious insiders. With the Edward Snowden case and NSA revelations in the headlines, malicious insiders might seem to be a common threat. If one exists inside a large cloud organization, the hazards are magnified. We must rely on the company to have practices in place to protect us, or have encrypted data to protect us from theft.    


We can break these problems down into 3 simple questions. Is my data securely stored? Is my data safe from outside intruders/attacks, and also protected from other tenants in the cloud service? Is my data protected from the cloud provider themselves or government officials trying to collect corporate server data? These are very important questions to ask our providers. The real question is, how can we protect ourselves from what almost seems like an inevitable breach in our personal data we store in the cloud?  

1. Read up about where you are storing your information. Every cloud provider has different guidelines and security about how they store your data. You wouldn't want your important or sensitive data stored in someone’s garage server would you?  They should even state whether or not they comply with government gathering data. Most big companies are cracking down on security measures and offer many ways to protect you such as two-factor authentication. I always recommend the extra step in enabling two-factor authentication. It may seem like a hassle, but if security is important to you then this step is a must.  

2. You need to get serious about passwords. Yes, yes, you've heard it one thousand-trillion-infinity times, but it's still a problem! The reason people lose sensitive and important data is almost always related in some way with weak passwords. Even worse, many people use the same password for multiple accounts making them even more vulnerable with cloud services. My favorite XKCD comic shows us how we've been creating our passwords all wrong. Creating a long password such as "correcthorsebatterystaple" is very easy to remember, but for a PC to guess it is very difficult. Obviously, simplicity is what we are going for, (Which is why most of us use the same "strong" password for many accounts.) so try to correlate your passwords with your service. You want to create a password in Google Drive cloud storage for your accounting documents? What about, "storagedocumentsaccountingworkgoogle." See? Easy as pie.


3. Encrypt your data before sending it to the cloud. Encryption is, so far, the best way we can protect our data. Encrypting our data before we send it to our cloud storage is often the safest solution in many of the cases we made above. This way if someone was to obtain the data they would not be able to read the contents.  

4. Use an encrypted cloud service. This may not always be an option and there aren't many options as of late. The cloud provider in some way should provide local encryption and decryption of your files in addition to storing and backing them up. This means that the service takes care of both encrypting files on your computer and storing them safely in their cloud infrastructure. This way not only would intruders not have access to data, but also neither would the service providers or administrators.

The bottom line is we need to think about where we are storing our data and how comfortable we are with storing it in sometimes less than reputable places. Whether we like it or not data is slowly migrating to cloud infrastructure in many businesses, but we also have a choice to choose what we do to protect ourselves and our data.   

Are you a candidate for cloud services? Are you currently using cloud services? How safe is your data? Contact NetWork Center, Inc. to talk to one of our engineers about your cloud services.


Topics: NetWork Center Inc., Data Backup, Protection, Cloud computing, Security Technologies, IT Consulting

Securing Your Website with SSL

Posted by Joe Dunnigan on Sep 12, 2014 3:15:00 PM

With the ever-increasing risk of privacy concerns and data breaches, it is important to know what steps can be taken to mitigate these risks. One area that can be addressed to increase security and decrease exposure to attacks is securing a website with SSL. Not only will this strengthen and encrypt communications between the user and the site they are visiting, but it will also increase visibility of the website, and show users that their actions on the site will remain private and secure.

Traditionally, a website would employ SSL (https) security only in areas of the site where the potential for sensitive user information was being transferred. This may include user login forms, shopping carts and checkout, or application forms that include sensitive information such as a social security number. Increasingly today we are finding that organizations recommend and sometimes require that SSL be present on the entire website to ensure that all communications between the client and the website are secured. If you are responsible for a small to mid-sized bank, you may have already received information from your security auditors recommending site-wide SSL be employed on your website. Even if all of your online banking processes are handled by a third party and not run directly through your website, you should still expect to see this recommendation show up on your next audit.

Another area that is seeing the increased need for SSL security on websites is the widespread availability and ease of use of content management systems such as Drupal and Wordpress (http://info.netcenter.net/Blog/bid/335313/Why-CMS-is-Important-for-Your-Business). These systems provide an easy-to-use backend for managing your website content and configuration. Typically you access the CMS by going to a login page on your website, entering your credentials, which then grants access to administration areas and content editing features. When logging in or performing content changes, having the communications between your web browser and the website backend encrypted helps ensure that your website stays safe from unauthorized access.

Upgrading your site to use Always-On SSL is not a difficult process, but may involve additional costs and considerations. SSL certificates must be purchased, typically on a 1-3 year basis, and can expire if they are not renewed. Also, you may have to upgrade your website hosting plan, depending on what plan you currently have. Most providers should be able to assist with this transition and keep your site going while the upgrade happens.

Always-On SSL not only offers security benefits and the added sense of security for your users, but may also help your search rank. Recently, Google announced that they are giving an SEO rank boost to sites secured with HTTPS everywhere or Always-On SSL (AOSSL) (https://blog.digicert.com/google-gives-ssl-secured-sites-search-ranking-boost/). When Google crawls your site and sees that all pages are encrypted with HTTPS, your search rank is automatically increased. This has the potential to move your site up in search results, increasing exposure to potential customers. Right now this is a lightweight signal, but over time it will continue to be more important for ranking search results.

If you've considered adding SSL to your site in the past, or are currently using SSL for only certain areas on your site, there are more reasons now to consider adding Always-On SSL. You'll give your customers an added sense of security, and might even drive more traffic with better search rank. Contact NetWork Center, Inc. to find out how to secure your website using SSL security.


Topics: Technology Solutions, NetWork Center Inc., Security, Protection, Security Technologies, IT Solutions

Convenience & Security: You Can't Have it All

Posted by Tyler Voegele on Mar 21, 2014 3:30:00 PM

In today's world almost everything is done through the Internet, which means that our security is more at risk than ever. Identity theft, corporate espionage, and financial loss are just the tip of the iceberg when it comes to thinking about security. Many people and companies try to balance the need for online security and convenience to access what they need. In a perfect world, we would be able to have both, but usually when you have the most convenient approach, security is at risk and vice versa. If businesses take the safest approach they take the stance of "locking it down." This is when users have access to little to nothing without administrative privileges. It makes it easy for management purposes and is by far the safest, but at some cost of user productivity.

Implementing security practices in the business environment requires a lot of careful consideration for how the business functions and accesses information currently. If you take the "locking it down" approach, then you may stifle the productivity of end users, but not properly practicing security measures could leave you wide open to attacks.

To have a proper, secure system in place there needs to be a number of technologies used to provide a certain amount of system hardening to successfully secure information. Most companies already have the hardware and software to accomplish the most needed security measures, but they need to configure them properly to use them. Passwords, user accounts, e-mails, network access, file shares, and wireless access are a few things that should be taken into account when incorporating security measures. 

When talking about convenience vs. security, usually a hot topic is passwords and how they should be handled. We can relate this to a house. It would be convenient if there was no door and you could walk in, but you also want privacy and to prevent strangers from entering, so you have a door. Of course, other people can also open the door, so you have to go further and put a lock on it. Now you have a secure home, but you have to unlock and then open the door to enter your home. This seems like an acceptable balance between convenience and security, but how do we reflect this balance in our digital life? Strong passwords can cause problems among users, but simple passwords provide easy access for unwanted people.

If you do implement security practices and measures you have to make sure users find practicality with it. If something is inconvenient, it is human nature to find a way around it or stop doing what is required altogether. How can you achieve a balance of security and functionality with ease of access? The first step is to understand your users' needs, internal policies, and how the business runs as a whole. Throwing hardware and software into an environment will not make it more secure unless there is an understanding of how the business accesses day to day information. Protective measures require you to always be changing, but if you take a comprehensive look at how the network runs, you can reduce the work you will have to do.

The next step for implementing a more secure and convenient network is implementing changes slowly. Introduce new security changes and policies slowly to users so they can continue to work as efficiently as possible. Explaining the benefits rather than inconveniences and administering them slowly makes more sense for everyone when implementing. Looking at what really matters and putting effort into securing parts rather than the whole network will ease the process.

In conclusion, you should look at securing the data where it is rather than securing the data in transit. Also think about requiring strong passwords that can be easily remembered and have to be changed every few months. Educating users can be one of the best investments for a company as well. If users know what to do and what to look for, risks can be mitigated. If you work toward better practices and take a full overview of your network, you'll find a successful marriage between the most secure environment and most convenient for everyone's benefit.

If you have questions or concerns about your security practices you can contact our experienced staff at Network Center, Inc. today!


Topics: Technology Solutions, Security, Security Technologies

Getting Granular with Security Policies and Procedures

Posted by Jeff Bolstad on Nov 1, 2013 5:28:00 PM

In our previous post, Tyler gave a great overview of different aspects of IT Security, and mentioned a top-down approach. Let’s look at IT Security as starting at the broadest point: security implementations that have a single point but affect the entire network. We then move to devices and practices that affect the entire organization but have multiple points of implementation, and finally narrow it down further to items that affect specific items, whether it is a unique group within the company, or specialized hardware and software.

A great place to start when reducing a network’s vulnerability is securing it against outside threats. There are a multitude of options that add a layer of protection. These options include hardware appliances such as firewalls, intrusion prevention systems, mail filters, and web filters. Some options can also be offered as part of a cloud-based solution. This is especially true of the last two items listed, but this also entails relinquishing a certain amount of control over these systems.

Moving down the list of possible security measures, there are a number of options that can be implemented and managed from a single point, but have multiple points of failure. Included in this group are more familiar methods like anti-virus and anti-malware products, user training, and application and operating system patches. I say multiple points of failure because protection can fail based on the individuals or machines. Anti-virus is one of the most common options mentioned when it comes to protecting a network, but it cannot protect a network alone. Proper configuration can go a long way in mitigating damage.

An increasingly prevalent area of security concern is managing mobile devices. This becomes especially true as more users are allowed to bring personal devices into the workplace. This introduces concerns of lost or stolen devices, company data being exposed over an unsecured network, ownership of information, whose responsibility it is to support those devices, and separation of home/work functions on these devices. End user device policies help address a number of these issues, and services such as MAAS 360 allow for greater control and security over both corporate devices and those provided by the end user. Another option for mobile devices, predominantly laptops and tablets, is a VPN connection back to the corporate network. These machines can also benefit from measures such as whole disk encryption and TPM. These are all great possibilities for improving security, but are ineffective if employees don’t take the proper precautions as well.

Employees can make or break security as easily as anything. Proper training will mitigate a vast amount of problems you can encounter, provided employees adhere to the new policies. This includes proper procedures for securing unattended devices, procedures for reporting lost/stolen devices, and acceptable use of company resources. Having to spend five minutes talking to a user about an email attachment they’re unsure of beats two hours of cleaning up an infected machine, or worse an infected server.

Luckily, through the use of administrator defined policies, choices can be taken out of the hands of end users, preventing files in certain locations or with certain extensions from being executed, limiting access to potentially damaging websites, and limiting access to company data, among other options.

Remaining security measures should ideally fall solely to IT. These include user account security, server and application hardening and patching, and keeping third party applications properly patched. This can be achieved on a machine by machine basis or through the use of products such as WSUS and Shavlik. Additionally, once these policies are in place, regular monitoring and review of policies should take place.

You can of course drill down into more and more specific security measures, but this must be balanced against the resources needed to implement them. Not all of these options are feasible for all organizations, but through identifying those with the greatest benefits, security can be vastly improved for a corporate environment. A regular review of your security measures will allow your security to evolve as the threats faced do.

If you have any questions about network security, please contact NetWork Center, Inc.


Topics: Technology Solutions, Security, Protection, Security Technologies, Firewall

Getting Serious About IT Security

Posted by Tyler Voegele on Oct 25, 2013 5:15:00 PM

We can all agree that the Internet, PCs, mobile devices, servers, and other equipment are essential to everyday business, and without them we would not be able to complete our work. Also, everyone knows by now the impact and multitude of viruses, malware infections, and even hackers that can affect our businesses. It's no secret how much money can be spent on these problems to try to properly resolve them, so why don't we give it as much attention as any other area? We need to be more proactive in our view towards security. More often than not, the only time we think about security is when it is already too late.

Let’s take a look at some statistics to make more sense of how breaches are effected today:

Source: http://www.verizonenterprise.com/DBIR/2013/

What are your biggest concerns with IT security? Preventing data loss? Preventing outages? Keeping security up-to-date? To better understand, you have to determine where your valued assets lie, or maybe you want to focus more on certain parts of your business structure. I like to think of security in three separate layers. It may be an oversimplification, but it's easier to understand where you should focus time and energy when starting to get serious about security. One of the first road blocks many people come to find when beginning to secure the entirety of their network is where exactly to start.

1. External Network/Edge Devices
2. Core Network/Server Structure
3. Endpoint Devices/BYOD 

As I mentioned, this is a very broad view into your network, and at some point we have to look at cost of dealing with security breaches and spending money to be more secure. Let’s say you want to go with the top-down approach. It is a more comprehensive strategy towards IT security and is definitely not the only way it can be done. I’ve outlined some key steps that I think are very important and the components that are involved in each step.

1.       Create Security Policies and Procedures

This is by far one of the most important and hardest steps you will do. You should create an overall security policy document, BYOD security policy, and determine an action plan for an overall security audit, and also establish a risk management framework and determine the level of risk the business is willing to tolerate. After developing these policies you have to train the staff to adhere to them. Training staff is equally as important as sticking to a training schedule. These documents should always be continuously updated to make sure you can adapt to future security needs. After completing documentation and an action plan you’ll be better equipped at knowing where to spend time, focus resources, and tackle the big projects. Preparation and adaptiveness are the keys to security success.

2.       Inventory Equipment and Data

Finding old, outdated, or decommissioned equipment and replacing or removing it is important to keeping vulnerability out of the business. Eliminating unnecessary or old data, starting to keep track of what you have, and whether or not it is secure is important to keeping data loss to a minimum. Creating an inventory of what equipment is in the network and asset tagging equipment helps logging and maintenance, which is the last step.

3.       Fix Security Holes and Update Equipment

Run tests to see where the security flaws in your network are. Having external auditors run tests both internally and externally is a good idea. Updating software, firmware, operating systems, and antivirus are usually a top priority. Applying security patches when needed and creating secure configurations throughout the network is also important. Create a maintenance window for getting all equipment and devices up to date. Protect your network against external and internal attacks. Manage the network perimeter of devices at all locations. Create filters for unwanted access both internally and externally.

 4.       Harden Network Security

You’ve probably already documented the policies for most of this step. They may include locking down the operating system and software you run. Creating Group Policies for workstations, servers, and users might also be part of  your policies and is also important. Locking down firewalls and other network equipment is probably one of the most important steps to hardening your security. Why? At least 92% of attacks originate from the external facing part of your network. Put in place policies to disable features that allow users to either remove, disable, or inhibit the functions of a firewall and virus protection suite. Managing user privileges, management processes, and limiting the number of privileged accounts is important. Preventing data loss by creating secure backups is a must to save you in case of critical failures.

 5.       Protecting Mobile Users and Endpoint Devices

Securing users that authenticate from the external world is a must. PCs and other media used to access internal resources need to be as secure as the servers themselves. Manage risks related to the use, processing, storage, and transmission of information or data. Data needs to be kept safe so that it is not lost or stolen. Apply a security baseline to all devices. Protect the data in transit as well as outside the network. Those who log into the business through mobile means must have guidelines and restrictions in place to prevent any possible data loss.

 6.       Stabilize and Monitor

Establishing a monitoring strategy is important to maintaining support for the policies you’ve created and preventing further exploits that could arise. Continuously monitor the network and analyze logs for unusual activity that could indicate an attack. This is where having an IDS or IPS helps immensely. Without de-emphasizing prevention, focus on better and faster detection through a mix of people, processes, and technology. Attentively monitoring users can make the difference in pinpointing harmful activity, whether it is intentional or unintentional. Further educate the users of the business to keep policies in check and to make sure they are understood.

There is no way to absolutely prevent everything from happening. We can only strengthen our ability to try and detect, prevent, and fix threats that can slip through our defenses. Attackers don’t rely on a single tactic to breach your defenses and neither should you. Remember, there is no “one-size fits all” strategy and many of the things I am suggesting are a great start to a security plan you can implement.

Keep an eye out for the next security blog posts defining more detailed approaches to the top-down approach I explained in this post.

Questions? Comments? We’d love to hear from you! Leave a comment or email us with your questions and we will gladly respond!


Wireless Data Security: How to Keep Your Wireless Devices Safe

Posted by Tyler Voegele on Oct 4, 2013 4:00:00 PM

Since most of our work is done through wireless technologies like laptops, desktops, tablets, or other mobile devices, they need to be secured just as we take precautions with wired networks. Basic security includes the use of Service Set Identifiers (SSIDs), open or shared-key authentication and optional MAC address authentication. Each of these features has some level of access control and privacy, but they can be compromised by attackers as well.

Basic Security

SSID is a common network name for the Wireless Local Area Network (WLAN). By default, most access points broadcast the configured SSID in their beacons. Even if the broadcasting of the SSID is turned off, an attacker can detect the SSID by monitoring the network. The first step you should always take, whether it is a home or business wireless setup, is to configure the SSID and hide it from broadcasting. When wireless technologies were first developed, the need for security led to the Wired Equivalent Privacy (WEP) protocol. This was the original encryption protocol developed for wireless networks. WEP encryption can use a pre-shared key to connect to your network. Due to security flaws in this encryption and how easily it can be cracked, it is recommended to use a different encryption. Some WLAN access points support authentication based on the physical address, or MAC address, of the client’s network interface card (NIC). When configured, an access point will only allow client access if the client's MAC address matches an address configured in the authentication table. MAC authentication can also be compromised, as addresses can be mimicked, or spoofed, to gain access to the network.

Advanced Security

The more secure options include WPAv1 and WPA2. The WPAv1 (Wi-Fi Protected Access) security method, sometimes called WPA-personal, uses MIC (message integrity check) to ensure the integrity of messages, and TKIP (Temporal Key Integrity Protocol) to enhance data encryption. TKIP uses the RC4 cipher with 128-bit keys for encryption and 64-bit keys for authentication. By encrypting data with a key that can be used only by the authorized users, TKIP helps to ensure that only they can connect to the WLAN. TKIP encryption can generate up to 280 trillion possible keys for a given data packet.

The WPA2 security method uses the more secure Advanced Encryption Standard (AES) cipher instead of the RC4 cipher used by WPA and WEP. Unlike WEP, which uses a key stream acting across a plaintext data input stream for encryption, AES encrypts bits in blocks of plaintext that are independently calculated. The AES standard specifies a block size of 128 bits with three possible key lengths: 128, 192 and 256 bits. Using older technologies makes it that much easier for attackers to gain access to the network and the data inside. Security algorithms such as WEP and WPAv1 can be cracked with readily available tools on the web.

Steps toward Better WLAN Security

So how do you best secure your wireless networks? The following suggestions can be the starting steps to helping you form a layer of security for your WLAN:

Unique SSIDs and SSID Broadcast

Changing the SSID name may not seem important, but it helps prevent attackers from scanning for standard SSID names that vendors have for basic setup. A simple measure can also be taken to attempt to secure a wireless network by hiding the SSID from broadcasting to devices with wireless capabilities. This provides little protection against attackers but can avert casual intrusion methods.

Complex Passwords

Attackers can use cloud computing resources to test millions of passwords in minutes, so a wireless password should be of considerable length and include special characters to make it harder for attackers to gain access. The more complex the password becomes, the harder it is for attackers to crack it.
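The two suggestions above (a unique SSID and a long, complex password) both feed the WPA2-PSK key derivation, which uses the SSID as the salt. The following is an added example, not part of the original post; the function names, SSIDs and passphrases are constructed for illustration.

```python
import hashlib
import math
import string

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace_bits(passphrase: str) -> float:
    """Upper bound on search space in bits, assuming characters are chosen
    at random from the character classes the passphrase actually uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    phrase = "Long-passphrase with 5 words!"
    for ssid in ("linksys", "Office-4th-Floor-7F3A"):
        # Same passphrase, different SSID: the derived key differs, so a key
        # worked out for a vendor-default name does not apply to a unique one.
        print(f"{ssid:24} {wpa2_pmk(phrase, ssid).hex()[:16]}...")
    for candidate in ("password", "Passw0rd!", phrase):
        print(f"{candidate!r:32} <= {keyspace_bits(candidate):5.1f} bits")
```

The bit count is an upper bound only: a dictionary word such as "password" is far weaker than its length and character set suggest.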

Authentication Strategy

You want to use the most secure and up-to-date authentication methods available such as WPA2. To prevent something like MAC address spoofing, you can set up MAC filtering to only allow authorized computers with the addresses you provide. If you are using WPA2-PSK you are using one of the most secure authentication methods available, but if you share the Pre-Shared Key with everyone, they may share it with others causing a security risk. Remember that any user, once authenticated, can see any of your network traffic. If an employee leaves the company, they may retain your network key—allowing them to later decrypt your traffic or access the network. For larger organizations it may be feasible to consider using a certificate-based authentication mechanism or server based authentication so that each user has their own managed credentials.

Manage Visitors and Restrict Traffic

If you are a business that needs to provide guest access, consider offering a separate network with restrictions on what guests can access. A hotspot registration portal can be an easy way to restrict access without a lot of administrative effort. Wireless solutions should enable you to easily deploy such networks, allowing visitors access only to the Internet and keeping them away from corporate services. There are also ways to separate their network traffic from your corporate network by creating a VLAN (virtual LAN) when they are authenticated.

It should never be assumed that wireless networks are 100% secure. Those in regulated industries should consider additional monitoring techniques through IDS/IPS, NAC (Network Access Control) and log reviewing to ensure added layers of security and intrusion detection.

If you would like to know more about wireless and wireless security, contact your network security specialists at Network Center, Inc. today!


Better Endpoint Protection: Hardware Firewall Security

Posted by Tyler Voegele on Aug 26, 2013 11:15:00 AM

Every business needs a firewall or some form of protection from external threats. Firewalls can protect from external, malicious users, network infections, and packet flooding attacks from reaching the internal resources of your network. They can also prevent your users from connecting to things that may harm the network.

With all kinds of hardware security technology out there, it can be a little challenging to choose which device is right for you. When thinking about upgrading or strengthening your security at the Internet facing part of your network, there are several things to take into consideration.

Firewall Types

There are three types of firewalls: stateless packet filtering, stateful packet filtering, and application-layer firewalls. Each of these provides filtering at different levels within a network. Packet filtering firewalls pass only the packets that your firewall policy allows. Every packet has information contained inside, such as its source, destination, port ranges, etc. Each packet passing through is inspected and the firewall then decides to pass it or not. Packet filtering can be divided into two kinds: stateless and stateful.

Stateless:

If the information about the passing packets is not remembered by the firewall, then this type of filtering is called stateless packet filtering. Every packet that passes through this type of firewall is handled on an individual basis by the set of rules that were set up manually. Previously forwarded packets belonging to a connection have no bearing on the filter’s decision to forward or drop the packet.

Stateful:

If the firewall remembers the information about the previously passed packets, then that type of filtering is stateful packet filtering. The packet filtering firewalls inspect these TCP or UDP packet streams to allow or deny them. Stateful packet filtering firewalls also monitor the state of a connection and gather the information about it. With this intelligence, the firewall can not only make decisions based on the defined rules but also make decisions from prior packets that have passed through it.
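To make the difference concrete, here is an added example (not part of the original post) that runs the same constructed traffic through a stateless rule set and a minimal connection-tracking filter. The addresses, ports, rule set and class names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."            # constructed internal address prefix
WEB_PORTS = (80, 443)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # TCP flags: S=SYN, A=ACK, R=RST

def is_inside(ip):
    return ip.startswith(INSIDE)

def stateless_allow(p):
    """Judges every packet alone, using only its own header fields."""
    if is_inside(p.src) and p.dport in WEB_PORTS:
        return True           # outbound web traffic
    # A reply can only be recognised by how it looks: from a web port, ACK set.
    return is_inside(p.dst) and p.sport in WEB_PORTS and "A" in p.flags

class StatefulFilter:
    """Remembers connections opened from inside and admits only their replies."""
    def __init__(self):
        self.conns = set()    # (inside ip, inside port, outside ip, outside port)

    def allow(self, p):
        outbound = is_inside(p.src) and p.dport in WEB_PORTS
        key = ((p.src, p.sport, p.dst, p.dport) if outbound
               else (p.dst, p.dport, p.src, p.sport))
        if outbound and p.flags == "S":
            self.conns.add(key)          # new connection: start tracking
        allowed = key in self.conns
        if "R" in p.flags:
            self.conns.discard(key)      # reset: forget the connection
        return allowed

TRAFFIC = [                   # constructed sample packets
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S"),   # client opens connection
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA"),  # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.9", 3389, "A"),     # unsolicited, only looks like a reply
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "R"),   # client resets connection
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "A"),   # late packet after the reset
]

def compare(packets):
    """Returns (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRAFFIC, compare(TRAFFIC)):
        print(verdicts, pkt)
```

The stateless rules pass all five packets, while the stateful filter drops the unsolicited packet and the one arriving after the reset, because neither belongs to a connection it is tracking.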


Application-Layer

Application-layer firewalls, or proxy firewalls, do not just look at the packet headers; they also look at the actual data that is being transported at the application layer. They know how certain protocols work, such as HTTP and FTP. Since they are application-aware and inspect the contents of the traffic, you are able to block specific content such as websites, viruses, or software. They can also check whether the data in the packet is valid for the specific protocol, and if it is not, the packet can be dropped.


Other Considerations

The first thing to ask yourself when you are deciding on a firewall is what you are trying to accomplish. Whether you want a firewall that handles stateful packet inspection, or a firewall with extra features such as IDS and IPS built in, there are options for them all. You will want to clearly identify what is important to you and figure out where the bulk of your security needs lie. With so many different options for firewall technologies, there are also a lot of features to think about. Below are just a few features that are worth considering:

  • Monitoring and Reporting
  • Spam Filtering
  • High Availability
  • URL Screening
  • Anti-Virus
  • Bandwidth Sizing
  • Layered Security
  • Remote Connections
  • Physical Interfaces
  • Intrusion Detection
  • Intrusion Prevention
  • Web Caching

When you compare the costs of different firewalls, you also need to take into account any of the extra costs associated with the features that you will want to implement. If you choose a firewall with specific features and capabilities, there can sometimes be an extra fee in licensing.

If you're in the market for a new firewall, take some time to identify the needs you are looking for. Firewalls are still one of the best ways to protect yourself from any threats to your network, and with so many options you can do almost anything. If you have any questions or want to know more about firewall security, please contact NetWork Center, Inc. 
