RSSAll Entries Tagged With: "internet"

Security Architecture Cheat Sheet for Internet Applications

From Lenny Zeltser: author bio details at the end of the post.


This cheat sheet offers tips for the initial design and review of an Internet application’s security architecture.

  1. Business Requirements
  2. Infrastructure Requirements
  3. Application Requirements
  4. Security Program Requirements



To print, use the two-page PDF version; you can also edit the Word version for you own needs.

#1: Business Requirements

Business Model

What is the application’s primary business purpose?

How will the application make money?

What are the planned business milestones for developing or improving the application?

How is the application marketed?

What key benefits does the application offer its users?

What business continuity provisions have been defined for the application?

What geographic areas does the application service?

Data Essentials

What data does the application receive, produce, and process?

How can the data be classified into categories according to its sensitivity?

How might an attacker benefit from capturing or modifying the data?

What data backup and retention requirements have been defined for the application?

End-Users

Who are the application’s end-users?

How do the end-users interact with the application?

What security expectations do the end-users have?

Partners

Which third-parties supply data to the application?

Which third-parties receive data from the applications?

Which third-parties process the application’s data?

What mechanisms are used to share data with third-parties besides the application itself?

What security requirements do the partners impose?

Administrators

Who has administrative capabilities in the application?

What administrative capabilities does the application offer?

Regulations

In what industries does the application operate?

What security-related regulations apply?

What auditing and compliance regulations apply?

#2: Infrastructure Requirements

Network

What details regarding routing, switching, firewalling, and load-balancing have been defined?

What network design supports the application?

What core network devices support the application?

What network performance requirements exist?

What private and public network links support the application?

Systems

What operating systems support the application?

What hardware requirements have been defined?

What details regarding required OS components and lock-down needs have been defined?

Infrastructure Monitoring

What network and system performance monitoring requirements have been defined?

What mechanisms exist to detect malicious code or compromised application components?

What network and system security monitoring requirements have been defined?

Virtualization and Externalization

What aspects of the application lend themselves to virtualization?

What virtualization requirements have been defined for the application?

What aspects of the product may or may not be hosted via the cloud computing model?

#3: Application Requirements

Environment

What frameworks and programming languages have been used to create the application?

What process, code, or infrastructure dependencies have been defined for the application?

What databases and application servers support the application?

Data Processing

What data entry paths does the application support?

What data output paths does the application support?

How does data flow across the application’s internal components?

What data input validation requirements have been defined?

What data does the application store and how?

What data is or may need to be encrypted and what key management requirements have been defined?

What capabilities exist to detect the leakage of sensitive data?

What encryption requirements have been defined for data in transit over WAN and LAN links?

Access

What user privilege levels does the application support?

What user identification and authentication requirements have been defined?

What user authorization requirements have been defined?

What session management requirements have been defined?

What access requirements have been defined for URI and Service calls?

What user access restrictions have been defined?

How are user identities maintained throughout transaction calls?

Application Monitoring

What application auditing requirements have been defined?

What application performance monitoring requirements have been defined?

What application security monitoring requirements have been defined?

What application error handling and logging requirements have been defined?

How are audit and debug logs accessed, stored, and secured?

Application Design

What application design review practices have been defined and executed?

How is intermediate or in-process data stored in the application components’ memory and in cache?

How many logical tiers group the application’s components?

What staging, testing, and Quality Assurance requirements have been defined?

#4: Security Program Requirements

Operations

What is the process for identifying and addressing vulnerabilities in the application?

What is the process for identifying and addressing vulnerabilities in network and system components?

What access to system and network administrators have to the application’s sensitive data?

What security incident requirements have been defined?

How do administrators access production infrastructure to manage it?

What physical controls restrict access to the application’s components and data?

What is the process for granting access to the environment hosting the application?

Change Management

How are changes to the code controlled?

How are changes to the infrastructure controlled?

How is code deployed to production?

What mechanisms exist to detect violations of change management practices?

Software Development

What data is available to developers for testing?

How do developers assist with troubleshooting and debugging the application?

What requirements have been defined for controlling access to the applications source code?

What secure coding processes have been established?

Corporate

What corporate security program requirements have been defined?

What security training do developers and administrators undergo?

Which personnel oversees security processes and requirements related to the application?

What employee initiation and termination procedures have been defined?

What application requirements impose the need to enforce the principle of separation of duties?

What controls exist to protect a compromised in the corporate environment from affecting production?

What security governance requirements have been defined?

Additional Resources

OWASP Guide to Building Secure Web Applications

ISO 27002 Standard: Code of Practice for Information Security Management

BITS Standards for Vendor Assessments

Security Guidance for Critical Areas of Focus in Cloud Computing

Payment Card Industry (PCI) Data Security Standard (DSS)

How to Write an Information Security Policy

IT Infrastructure Threat Modeling Guide

Post-Scriptum

This cheat sheet is distributed according to the Creative Commons v3 “Attribution” License. File version 1.2.

About the Author: Lenny Zeltser leads the security consulting practice at Savvis. His team provides security assessments, design, and operational assistance for business-critical IT infrastructure. Lenny also teaches malware analysis at SANS Institute, explores security topics at conferences and in articles, and volunteers as an incident handler at the Internet Storm Center.

admin | Jun 22, 2009 | Comments 0
Read More

Maximum Risk to Maximum Security

From http://blog.sebastien.raveau.name/

(Sorry for the delay; doing now what I should have done a long time ago: split my article in two parts, as it is the second part that really keeps me back… What do you want? Being a perfectionist I can’t publish a “From Maximum Risk To Maximum Security” article until I have everything covered :P)

What I describe here should be very useful to you if you can find yourself in at least one of the following situations:

  • you can use an Internet access but it lacks security (e.g. free WiFi hotspots, campus Internet, etc)
  • you want to demonstrate ineffective firewalling during a pentest
  • you subscribed to a 2-years contract for “unlimited mobile Internet access” – so unlimited their marketing department even named it “Illimythics 3G+” in my case – asked every rep you could if it would indeed correspond to your needs, and while none of them seemed to know what SSH is, they all blatantly assured you that it was possible… until you realized, too late, that it is in fact HTTP-only
  • you feel ripped-off by a hotel reservation that you chose specifically because it advertised Wi-Fi access for customers, but once there you realize they charge extra for it.

All in all, this comes down to a simple problem: how to get a full & secure Internet access in (almost) every case?

To address this problem, we’ll rely on what I call a “stepping stone”, i.e. a computer reachable by all means, preferably 24/7, with a private full Internet access and to which we will tunnel our Internet traffic by whatever mean we have available at some point.

Now, being able to reach your stepping stone depends on what kind of traffic you are allowed on the connection you try to reach it from… Let’s enumerate them from best case to worst case in terms of usability:

1. IPSec traffic directly to the stepping stone

I cite IPSec first because it is THE standard for secure Virtual Private Network-ing and therefore available on all operating systems. However, you will only be able to use it if there is no firewall or if the firewall doesn’t filter it (cf. paragraph on IPv6 below), and if behind a NAT router, if you’re the sole IPSec user or if the router supports NAT-T.

2. any kind of traffic directly to at least one UDP port on the stepping stone

In this case the best is to use OpenVPN; if you know the port number in advance all you have to do is configure OpenVPN to bind on this port, otherwise you can redirect traffic arriving on other UDP ports to OpenVPN with Netfilter:

iptables -t nat -A PREROUTING -i eth0 -p udp -j REDIRECT --to-port 1194
I made my OpenVPN reachable on all UDP ports because every now and then I am surprised to see some exotic UDP port allowed through a firewall, no idea why… HD Moore wrote a very useful script to test that.

3. any kind of traffic directly to at least one TCP port on the stepping stone

Here you can use OpenVPN like above (but two separate configuration files are needed in order to get it to listen both to UDP and TCP) or OpenSSH tunneling.

I put TCP under UDP because TCP over TCP is considered a bad idea so OpenVPN over TCP or OpenSSH with its new VPN capability (ssh -w) won’t work as well as OpenVPN over UDP.

Personally I chose OpenVPN on TCP too because:

  • using OpenSSH to tunnel to a HTTP proxy (like Squid) on the stepping stone is definitely quick to setup (ssh -L 3128:127.0.0.1:3128, and adjust HTTP proxy parameters in your browser, instant messaging client, etc accordingly), or to act itself as a SOCKS proxy (ssh -D 1080) which is even quicker if your applications support SOCKS proxying (all browsers do), but that requires having a highly-privileged daemon facing the Internet for little reason
  • it sure is nice to be able to administer your stepping stone remotely with OpenSSH, but you can always do that once you’re connected with OpenVPN

And, same as above, if you know the port number in advance all you have to do is configure OpenVPN to bind on this port, otherwise you can redirect traffic arriving on other TCP ports to OpenVPN with Netfilter:

iptables -t nat -A PREROUTING -i eth0 -p tcp -j REDIRECT --to-port 1194
Like with UDP, you never know what crazy TCP port a firewall might allow. I once found a firewall that would allow me nothing but emailing the whole Internet (TCP port 25) : what the f… oh well.

4. IPv6 traffic directly to the stepping stone

While not answering the communications confidentialy aspect by itself (but it goes along with IPSec pretty well), if you’re lucky enough to have IPv6 support on both sides and if the firewall administrators were as clueless as to have a default allow policy (yes… they’re many) and as not to take IPv6 into account (usually that goes together), IPv6 is a firewall traversal mean deserving to be mentioned.

5. any kind of traffic or just SSL traffic to at least one TCP port (typically 443, the HTTPS port) on the stepping stone via a HTTP or SOCKS proxy

Many people use OpenSSH tunneling with connect.c to get through such proxies; it is indeed convenient but once again, I’m not comfortable with the security implications. Fortunately, OpenVPN supports HTTP and SOCKS proxying out of the box. You can make OpenVPN reachable on TCP port 443 and other ports like explained above.

Note: some mobile Internet operators filter access to their proxy based on the User-Agent string of the web browser shipped with your smartphone; copy it to OpenVPN via the “http-proxy-option AGENT” parameter and off you go!

6. ICMP (like ping) traffic directly to the stepping stone

If for example you are able to ping 4.2.2.2 (one of the easiest publicly pingable IP address to remember), chances are you can use PingTunnel to connect to a TCP port on your stepping stone, and from there access the whole Internet securely by using OpenVPN or OpenSSH… There are issues with some NAT routers, so you might want to try “unprivileged mode” in PingTunnel, not for security reasons (I heavily patched PingTunnel to make it super tight; you’ll see in next blog post) but because it then uses real ICMP Echo requests and replies (to the cost of throughput), which get through the NAT routers that don’t like how PingTunnel normally operates.

Also, a firewall not allowing ICMP Echo doesn’t mean it won’t allow ICMP messages of other types… Come to think about it, I’ll have to add this feature too to PingTunnel.


7. recursing DNS requests to the stepping stone via some DNS server

Now, about DNS tunneling: I put it among the last in this list because it provides less throughput than the previous solutions and really, from a protocol engineering point of view, it’s ugly… Then again, it’s AWESOME because it works almost everywhere!

In order to use it, you will need a domain name (or a subdomain at DNSTunnel.de, kindly offered by Julius Plenz) and one of the following: NSTX, Iodine, OzymanDNS, Heyoka

Research is still active on the subject of DNS tunneling, this is why there are many tools already and more coming up. NSTX is the historical one, Iodine offers better throughput than NSTX and is available for most operating systems. OzymanDNS and Heyoka are less than a year old and still a bit proof-of-concept-ish but nonetheless interesting: the former is Dan Kaminsky’s attempt, and the latter has the highest ambition.

Personally I’m more than happy with Iodine.


8. HTTP traffic to TCP port 80 on the stepping stone through a (transparent) HTTP proxy

As the name suggests, transparent proxies transparently redirect your connections to the Internet on TCP port 80 to a local HTTP proxy; it may look like you are simply allowed TCP port 80 to the Internet, but try sending anything else than HTTP on this port, it won’t work. Good thing to know though: even if the transparent HTTP proxy doesn’t let you through for some reason, you will most likely be able to do DNS tunneling (see above) as letting the clients perform their own DNS requests is mandatory in transparent HTTP proxy setups.

Now, allowing HTTP but not HTTPS is utterly suspicious, besides breaking many web authentication procedures. Fortunately it is very rare, but in case you end up in this situation, HTTPTunnel is the way out: it will give you the possibility to connect to another TCP port on your stepping stone (and thus reach OpenVPN or OpenSSH) while making your traffic look like HTTP.

Note: User-Agent filtering can happen in this case too, see paragraph on HTTP and SOCKS proxies for solution.


9. other means of relaying data to and from the stepping stone via some reachable server

Apparently my friend Mubix has a super-secret project coming on that… in addition to having a Hak5 episode on tunneling SSH over DNS :)

As you can see, if you want to maximize your chances to reach your stepping stone and thus get a full & secure Internet access, you basically have to make it face the Internet with all TCP ports open, all UDP ports open and even ICMP tied to a daemon… While I generally disagree with the people who say a computer with 10 ports open is more insecure than a computer with 4 ports open, I have to concede that we are kind of daring the devil here…

And that is why in the other half of this article (which I’ll hopefully manage to find the time to finish within the week) I will explain how to achieve maximum security!

admin | Jun 06, 2009 | Comments 0
Read More