Review of the pentesting course at cybrary.it

Cybrary.it provides free online training courses in a number of fields, security among them. I have just been through the Penetration Testing and Ethical Hacking course and thought I would write a few notes on it.

The course is taught by Leo Dreiger, who seems pretty knowledgeable. It includes 19 modules, some of which have more content than others. The sessions I most enjoyed were the whiteboard sessions, where Leo talks through the specific subject. He does this quite well and offers some good advice along the way.

As for the particular tool demonstrations, I do not find them as interesting, especially the ones that highlight vulnerabilities in Windows 2000 Advanced Server. I can understand the concept of demo environments, but Windows 2000 seems a bit too outdated to be of interest. Also, modules like Denial of Service seem to me a little out of scope. I would find it very odd if I were to perform a denial of service attack as part of a pentesting assignment. Knowing about denial of service is good, but running LOIC in a demo is perhaps not what I expected to find in a course about penetration testing.

There are two tools that to me are the bread and butter of penetration testing, Metasploit and SET. Neither of these tools is demonstrated in this course. They seem to be featured in other courses on Cybrary.it, but I found it a bit disappointing nevertheless.

I guess it really boils down to what you expect to see in any course. For me there were both pros and cons, but that is how it usually is with any form of training.

Overall though, the course is free, as are all courses on Cybrary.it, so I would still recommend that anyone visit their site and see for themselves. I think the idea behind Cybrary.it, providing free IT training, is great and benefits all. So, I will stick around and check out other courses, and I suggest you give it a try if you feel you need some training yourself.

Is the packet filtering firewall dead?

Does a packet filtering firewall really add to your security? In my last post I wrote about UTM and NGFW devices; in this post I will look a bit deeper into NGFW devices and explain why I believe that a packet filtering firewall has serious limitations.

When I look into firewalls, and especially their throughput figures, I am quite amazed that quite a few vendors show the throughput of their NGFW (Next Generation Firewall) when it is used as a packet filtering firewall. To exemplify this, look at this particular firewall series from FortiNet, the 1000 series.

The FortiGate 1500D has a maximum throughput of 80 Gbps when used as a packet filtering firewall. Scroll right in the datasheet until you find the figure for AV (proxy) throughput: 4.3 Gbps. That is roughly 18 times lower, and it is something to be aware of, because the headline figure says nothing about how the box performs once inspection is actually turned on. If you are one of those people who says that AV is not part of a NGFW, I say different, as almost all NGFW devices on the market can be used as UTM devices. It is a choice you make as a customer when you buy your device: a NGFW or UTM bundle to go along with it, or simply using it as a packet filter.

FortiNet is not in any way unique in this respect. A lot of companies do the same, presenting their NGFW devices so that the throughput figure you see first is the one for packet filtering mode.

Packet filtering has been around for some 25 years and has served us well, but its time is perhaps coming to an end. Instead of filtering on ports, we want to filter on applications. Certain applications are very hard to filter out with a packet filter, as they are designed to use any open and available port to communicate; Skype is an example. Another reason for wanting application filtering is easier management: it is quite simply a lot easier to understand. Instead of knowing the port, you know your applications. It also adds to security because policy can follow the user, thanks to a feature of many NGFW devices called identity awareness. Identity awareness lets the firewall know which user is doing what on your network, and that can be very helpful. By combining the two, a firewall can track which user is using which application, and the administrator can create policies controlling which users may use which applications. Where on the network the user is becomes less important; what the user is able to do on the network is what matters.

It is impossible to do this with a packet filtering firewall; it is not designed for it. It has no application control and no identity awareness. Another very important aspect is that virtually all modern operating systems have built-in support for at least packet filtering firewall functionality. Linux iptables is a great packet filtering firewall, as is the Windows firewall, which even has limited application and identity awareness support. The only reason for deploying a packet filter on your network instead of letting the local operating system do the filtering is to stop unwanted traffic further out in your network, and that can be done with the ACL functions of your routers and switches. With a packet filtering firewall, the security on your host really becomes all the security you can rely on. Say for instance that you have a public website, so your firewall has a rule that allows all external networks to access your web server on port 80. The firewall in this instance does not add to your security posture, as it does not inspect the traffic on port 80 bound for your web server; it has no application control and no IPS. Anything an attacker sends to port 80, whether a valid HTTP request carrying a SQL injection payload or something that is not HTTP at all, passes the packet filter just the same. In this case your web server gets no help from your firewall to fend off attacks. A NGFW with proper controls adds to your web server's security posture by making sure that the traffic to your web server is actually web traffic and nothing else, and by checking its IPS signatures for things like SQL injection attempts. Bear in mind that a signature-based IPS only catches what it has a signature for, so it complements hardening the web application rather than replacing it.

Another thing I see with packet filter firewalls is those long lists of policies stating that this machine can talk to that machine using TCP over port 80, but one thing is often missing: a description explaining the reason for the rule. Over time, as rules get added, chaos emerges. A NGFW can suffer from this as well, but the impact is lower, since an application policy is at least a bit self-explanatory: you can see which application it applies to.

The packet filtering firewall may or may not be dead, but if you are in the process of buying a new firewall, you should consider the facts and think about what you really want to protect and how you wish to go about it. Deploying a fancy new packet filtering firewall may not protect you as much as you would like.

Network Protection in Depth

Every company has some sort of network protection, from something as simple as a router ACL to the most advanced NGFW or UTM device on the market. The question is what a company really needs to stay ahead of the game today, and that is what I am going to discuss a bit in this post.

Network security needs one thing to be truly effective: the traffic must somehow pass through it. The only exception is an IDS running in monitor mode, which simply sniffs network traffic from a SPAN port or a tap and does not require the traffic to pass through the device. There are other monitoring systems that provide additional insight into what is happening on the network, and most of these also rely on passive monitoring.

Packet filters, Next Generation Firewalls (NGFW), IPS (Intrusion Prevention Systems) and UTM (Unified Threat Management) devices all require the traffic to pass through them to be of any value. NGFW and UTM are often compared and they do share capabilities, but the NGFW, as I see it, is merely an extension of the packet filtering ability of a traditional firewall, adding things like application control (an HTTP proxy, for example) and IPS functionality. UTM on the other hand tries to do everything the NGFW does but also adds URL filtering, spam blocking, antivirus and other features. Quite simply, the UTM promises to be all the security you need in a single box. Whether this is true or not depends entirely on your company's requirements.

Personally I do not believe that a UTM or NGFW solves every security problem in your company, but it can certainly boost your security posture if implemented correctly, or put you at serious risk if implemented incorrectly.

First and foremost, you have to know your network to implement a network security solution correctly. If you do not know your network, make sure you learn and understand it before you do anything else. Once you have the full network picture in front of you, you can start looking into all these amazing appliances on the market and see which appliance goes where in your network topology. You also need to decide which features a network security appliance should have: what matters most to you? What are your security requirements, what do you really want to protect, and from what? Simply buying a NGFW or a UTM and slamming it into your network with the default settings is not going to help you very much.

You must also understand one thing: even the most advanced NGFW or UTM on the market today does not protect you 100%. This is not a statement I make up; it is a documented fact. NSS Labs, which tests these types of devices very thoroughly, rated no device in its last NGFW test (done in 2014) as able to block all types of attacks. This is something you need to be aware of, so that you do not rely solely on a NGFW or UTM to handle all security threats. The SVM (Security Value Map) from NSS Labs below shows this; it covers NGFW devices, not UTM devices. The graphic belongs to NSS Labs and is available free of charge. The full report, however, is not free.

[Figure: NSS Labs 2014 NGFW Security Value Map (image WG-FW-NSS-map)]

As you can see, no device is 100% effective. If you are wondering why Palo Alto Networks rated so low, you can read the full story in the NSS Labs blog post.

Therefore, these types of devices may add to your company's security, but as I mentioned earlier, only if implemented correctly and, just as importantly, used and managed correctly. If you are to invest large sums of money in these devices, do make sure that your firewall administrators know how to manage them and utilise their full potential. There are a lot of stories about improperly configured firewalls floating around; do not become one of them. As these devices gain more and more capabilities, training must keep up. These are not simple packet filters anymore, looking only at source, destination, port and protocol; they can do a lot more. If you have one of these devices and still treat it like an old packet filter firewall, then you are missing something.

So, now you know you have to know your network topology very well, know what security requirements you have, know what capabilities and limitations these devices have, and invest in proper training for your firewall administrators. Is that all, then? No, not by a long shot.

NGFW and UTM devices are simply one more tool in your security toolbox, and they address one specific thing: traffic travelling from one network to another. Unless you route all your traffic through them, these devices do not protect you at all from attacks within the same network segment. If they cannot see the traffic, they cannot do anything about it. This is a very common problem in many companies: a very hard perimeter but very soft networks on the inside. It is like an egg, a hard shell, but once that is cracked, everything is accessible.

This is where additional network security resources come into play. If you are running a mixed IT environment, you probably have a selection of network security features available on your hosts, and I would like to focus on two of them: the built-in firewall of Linux, iptables, and the Windows host firewall. Both of these firewalls can actually do quite a lot, and they should be used to further harden your network security posture.

iptables is getting additional support for more advanced features such as security zones through the firewalld project from Fedora, which is now also part of RHEL 7. iptables is stateful, which means it keeps track of connections, so it can distinguish between new and existing connections and tell which side initiated the communication. By using iptables to lock down the network presence of your Linux hosts you add to the overall network security posture. IPsec is also available for Linux: the FreeS/WAN project was the original implementation, and although that project itself ended in 2004 it lives on in its successors Libreswan and strongSwan, which are what you would deploy today. By combining iptables and IPsec, you can make it a lot harder for an attacker to gain an effective foothold in your company network.

The Windows host firewall, on the other hand, is also a great tool which should be used. Firewall rules can be managed using Group Policy (yes, I know it becomes hard to manage when the number of policies grows, so without endorsing it, take a quick look at Addlevel Isolation Management for a better view of central Windows Firewall management). The Windows firewall is also stateful, it has IPsec support, and it has the ability to accept or deny connections based on who is making them. As an example, you can have a firewall rule which allows all members of a certain group to use RDP to access your server network, but nobody else. If you also use IPsec, you can enforce strong authentication of both the computer making the connection and the user before the connection is allowed; in fact a rule that restricts by remote user or remote computer only matches connections that IPsec has authenticated, which is why the two go together. The Windows firewall has many great features, which makes me a bit surprised that so few are actually using them.
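As an added example (my own code, not from the post and not from Addlevel), here is the rule described above expressed with the NetSecurity cmdlets and written into a Group Policy object, so it is managed centrally as the post suggests. The domain corp.example.com (NetBIOS name CORP), the group "Server Admins", the GPO name "Server Network Firewall" and the server subnet 10.10.20.0/24 are assumptions; substitute your own.

```powershell
# Added example: identity-aware RDP rule plus the IPsec rule it depends on.
# Assumed names: domain corp.example.com (NetBIOS CORP), group "Server Admins",
# GPO "Server Network Firewall" linked to the server OU, servers in 10.10.20.0/24.
# Run from an elevated PowerShell on a domain-joined admin host with RSAT installed.
$Domain      = 'CORP'
$GroupName   = 'Server Admins'
$PolicyStore = 'corp.example.com\Server Network Firewall'   # domain\GPO display name
$ServerNet   = '10.10.20.0/24'

# Resolve the group to its SID and build the SDDL the firewall expects:
# owner Local System, one ACE granting CC (connect) to the group.
$sid  = ([System.Security.Principal.NTAccount]"$Domain\$GroupName").Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:LSD:(A;;CC;;;$sid)"

# 1. IPsec: inbound RDP must be authenticated with the computer's Kerberos
#    identity in phase 1 and the user's Kerberos identity in phase 2.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$userKerb    = New-NetIPsecAuthProposal -User -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
              -Proposal $machineKerb -PolicyStore $PolicyStore
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos' `
              -Proposal $userKerb -PolicyStore $PolicyStore

New-NetIPsecRule -DisplayName 'Require IPsec for inbound RDP' `
    -Protocol TCP -LocalPort 3389 -LocalAddress $ServerNet `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.InstanceID -Phase2AuthSet $phase2.InstanceID `
    -PolicyStore $PolicyStore

# 2. Firewall: allow RDP only on IPsec-authenticated connections whose user is a
#    member of the group. -RemoteUser is only honoured when -Authentication is
#    Required (or NoEncap), which is why step 1 is not optional.
New-NetFirewallRule -DisplayName 'RDP from Server Admins only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Profile Domain -Authentication Required -RemoteUser $sddl `
    -PolicyStore $PolicyStore

# 3. Check: the security filter should show the SDDL and the authentication
#    requirement. Any other enabled allow rule for TCP/3389 in the same store
#    (the built-in "Remote Desktop" rules, for instance) would still let
#    unauthenticated users in, so list those as well and disable them.
Get-NetFirewallRule -DisplayName 'RDP from Server Admins only' -PolicyStore $PolicyStore |
    Get-NetFirewallSecurityFilter
Get-NetFirewallPortFilter -PolicyStore $PolicyStore |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Profile
```

The order of the two rules matters for understanding, not for enforcement: the Windows firewall allows a connection if any enabled allow rule matches it, so a broader RDP rule left enabled quietly defeats the group restriction. The clients also need a matching IPsec rule (the same phase 1 and phase 2 sets with -OutboundSecurity Request) in the GPO that applies to them, otherwise their RDP attempts are dropped rather than authenticated.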

Another piece of the puzzle is knowing what is going on in your network. There are several ways to do this, but what is most important is that your security team really understands how the data can be used. Visualisation of network data often makes it easier to track what is happening than a log file with a lot of text in it.

After all, it is you who has the responsibility to understand how well your network is defended, so knowledge is the last key to it all. Without knowing, you cannot react, and you certainly cannot predict what you might need to do before something happens. You need to know your network, do correct network security implementations, monitor them and evaluate them, and over time, do it all over again. Security is never a one-time deal; remember that.

Of course there are a lot of other things that relate to security which are not network based, but I will focus on those in another post.

Tired of users who spreads malware using USB devices?

Then perhaps you should get them a USB device that will teach them a serious lesson. No, I am just kidding; let me explain.

A Russian security researcher nicknamed Dark Purple seems to be building a killer USB device, or rather a computer-frying USB device. It is an interesting way to use a USB device, that's for sure. You can read more about it here. It is not for sale, at least not yet, but it is quite fascinating to read about.

If you wish to employ slightly less drastic counter-measures, there are some.

  • Use Active Directory Group Policy to simply deny the use of USB devices

I know, it sounds impossible, but it is not. It all depends on whether you want to take on the administrative burden of managing exceptions or not. Yes, in a large organisation it will most likely be quite impossible. Even so, it is worth knowing that Active Directory Group Policy can mitigate the threat from USB devices.

  • Malware Protection Engines

Same as the above, actually: they rely on the class ID and serial numbers of the USB devices to decide whether to allow or deny access. The same administrative burden awaits.

I am not even going to suggest superglue in the USB ports, since it is almost never an option. Instead, the most important things you can do about USB devices are training and NOT allowing your users to do their day-to-day work with local admin privileges. Then make sure you disable AutoRun and, if possible, never allow code execution from removable devices. Stick with those and the USB threat is at least mitigated. Unfortunately, the USB threat is here to stay and will remain a threat to most organisations for a long time.
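As an added example (my own code, not from the post), here are the two Windows policy settings recommended above, disabling AutoRun and denying execution from removable disks, plus the blanket "deny all removable storage" value from the first bullet. The script writes the policy registry values directly, which is what you would do on a standalone host or a lab box; on domain members the same values are what the Group Policy settings "Turn off AutoPlay" and "Removable Disks: Deny execute access" write, so set them through a GPO there. The function names are my own.

```powershell
# Added example: AutoRun off, no code execution from removable disks, optional
# blanket deny. Writes the local policy keys; run from an elevated prompt.

# Device setup class GUID the RemovableStorage policy template uses for
# "Removable Disks" (USB sticks and external drives). CD/DVD and WPD devices
# (phones, cameras) have their own class GUIDs and are not covered here.
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$StorageRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$StoragePolicy  = Join-Path $StorageRoot $RemovableDisks

function Set-RemovableMediaHardening {
    param([switch]$DenyAll)   # "All Removable Storage classes: Deny all access"

    # 0xFF in NoDriveTypeAutoRun disables AutoRun for every drive type.
    New-Item -Path $ExplorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF

    # Deny_Execute stops programs being launched from removable disks while
    # leaving read and write access alone, so ordinary file exchange still works.
    New-Item -Path $StoragePolicy -Force | Out-Null
    Set-ItemProperty -Path $StoragePolicy -Name Deny_Execute -Type DWord -Value 1

    if ($DenyAll) {
        # The heavy option: no removable storage of any class at all.
        Set-ItemProperty -Path $StorageRoot -Name Deny_All -Type DWord -Value 1
    }
}

function Test-RemovableMediaHardening {
    # Reads the values back; a missing value comes out as $null and fails its check.
    $autorun = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $execute = (Get-ItemProperty -Path $StoragePolicy  -Name Deny_Execute      -ErrorAction SilentlyContinue).Deny_Execute
    $denyAll = (Get-ItemProperty -Path $StorageRoot    -Name Deny_All          -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        AutoRunDisabled     = ($autorun -eq 0xFF)
        RemovableExecDenied = ($execute -eq 1)
        AllRemovableDenied  = ($denyAll -eq 1)
    }
}

Set-RemovableMediaHardening          # add -DenyAll to block removable storage entirely
Test-RemovableMediaHardening
```

Deny_Execute only affects the Removable Disks class, so it is the setting that fits the post's advice of blocking code while still letting people move files; Deny_All is the administrative-burden option from the first bullet. Neither replaces the two things the post puts first, training and taking local admin away from users, and the settings take effect at the next policy refresh rather than immediately.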

Gemalto and the NSA

Gemalto has presented their findings regarding the allegations about being hacked by the NSA and GCHQ. They do admit that it is probably true that they were indeed hacked, but that the encryption keys were not compromised. Only the office network is supposed to have been compromised, and that is not where the encryption keys are stored. If they were, it would seriously surprise me. As these encryption keys are vital for securing our cellular communications, I trust that they are stored safely. In this case it is quite hard to really argue about what is safe or not, as the NSA and GCHQ are often described as having endless means of attacking anyone and anything.

The report from Kaspersky on the Equation Group leaves no doubt that the NSA has advanced capabilities. A company like Gemalto also has advanced capabilities and is probably well aware that intelligence agencies are very much interested in what they do. Therefore it is not unlikely that they had taken steps to secure their encryption keys even from such adversaries. They describe their network as a cross between an orange and an onion, which is quite familiar to me. When dealing with critical infrastructure, different security zones are needed. Connecting such networks directly to the Internet is not something such a security model would allow.

The NSA and GCHQ, on the other hand, want to be able to intercept and store any type of communication we use, whether by phone, email or the web. The use of encryption is a huge disadvantage for them, so of course getting the encryption keys from a company like Gemalto would be a huge win.

In this case I do not think they got what they were looking for, but I am quite sure that they will try again. In their effort to protect us (at least that's what they say), they are pushing for a ban on encryption or for backdoors to be implemented in the algorithms used. This is not something we can allow, as history has shown us many times that everyone has the right to privacy. It is one of the basic fundamentals of our modern society and a principle we must fight to protect. As I have written before, even if you have got nothing to hide today, who knows what tomorrow says about you and your ideas?