Monday, December 1, 2003

Internet Security

Internet Security

The World Wide Web has become a center for e-business, communication, entertainment and information.  Anywhere money is made, you will find a crook that will try to steal it.  How do you keep your information safe?  How do you secure the privacy of business or personal information, and your identity?  This paper will explore three levels necessary to provide security and privacy of information on the Internet: information protection in transit, certified identity, and a secure point of access.

Information protection - Encryption

Cryptography is essential for the secure exchange of information across intranets, extranets, and the Internet. From a business point of view, the security functions enabled by cryptography are authentication, which assures the recipient of a message that the originator is who he or she claims to be; confidentiality.  Cryptography protects users by providing functionality for the encryption of data and authentication of other users. This technology lets the receiver of an electronic message verify the sender, ensures that a message can be read only by the intended person, and assures the recipient that a message has not be altered in transit.  which ensures that a message can be read only by the intended recipient; and integrity. From a technical point of view, cryptography is the science of protecting data by mathematically transforming it into an unreadable format.
Encryption is that process of transforming data to secure the communication of data, in this instance over the Internet.  There are three main classes of encryption: symmetric-key encryption, public-key encryption, and hash algorithm encryption.
Symmetric-key encryption uses a single key to encrypt the data at the source, and also decrypt the data at the destination.  This key is called a secret key or a symmetric key because both the sender and recipient possess an identical key.  Symmetric-key encryption is efficient for large amounts of data, and its effectiveness is dependent on the complexity of the encryption algorithm and the length of the key.
Public-key encryption uses two separate keys that are mathematically related, a public and a private key.  The public key can be published openly but the related private key remains protected.  Data encrypted with the public key can only be decrypted with the private key, and vice-versa.  Public-key cryptography uses very complex and slow algorithms, and so is used primarily for short critical transmissions.
It is common to use public-key cryptography to transmit a symmetric-key, and then complete a data transmission using the symmetric-key encryption.
One-way hash encryption is the conversion of a piece of data of any length into a non-reversible fixed-length number by applying a one-way mathematical function called a hash algorithm to the data. The length of the resulting hash value is large enough to make the chances of finding two pieces of data with the same hash value insignificant. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, there is an extremely high probability that the message was transmitted intact.
But simply protecting the data you transmit is not always enough.  Sending credit card information over the Internet requires not only that the number is protected from interception, but also that the sender and receiver are actually who they say they are.

Certifying Identity – Digital Signatures

When a message is sent or received, the recipient may desire to verify that the message has not been altered in transit.  Also, the recipient may wish to be certain of the originator's identity.  Both of these services can be provided by the use of a Digital Signature. A digital signature is an electronic analogue of a written signature in that the digital signature can be used in proving to the recipient or a third party that the originator in fact, signed the message. Digital signatures may also be generated for stored data and programs so that the integrity of the data and programs may be verified at any later time.
Signature verification makes use of a public signature key, and each user possesses a private and public key pair. Thus anyone can verify the signature of a user by employing that user's public key, but only the possessor of the user’s private key can perform signature generation.
Digital signatures are created using a combination of a public-key encryption techniques and the Digital Signature Algorithm (DSA), standardized by the Federal board of Information Processing Standards.   A hash function is used in the signature generation process to obtain a condensed version of data, called a message digest. The message digest is then input to the DSA to generate the digital signature. The digital signature is sent to the intended verifier along with the signed data (often called the message). The verifier of the message and signature verifies the signature by using the sender's public key.

Secure Point of Access – Internet Client and Operating System

Finally, guaranteeing that your information is encrypted properly, and the identities of the source and destination are certified requires a point of access to the system that is not itself vulnerable.  The Internet is literally a network of computer clients, which are physical computers running some form of Internet protocol from its operating system.  If the operating system is vulnerable, any external security measures also become vulnerable.  Here is an example of how operating system security is implemented in Windows 2000, a prominent business-client operating system. 
  • Central administration. Security requires simplicity. As networks become larger and more complex, more powerful security management tools are required. The Active Directory service in Windows 2000 simplifies security management. Administrators can manage user accounts and access rights from a central location, and delegate security administration tasks.
  • Flexible deployment. Security requires flexibility. In the past, companies could make assumptions about their network users because all users were employees. As companies extend business to the Internet, they can no longer make assumptions about the identity, integrity and desktop platform of their end users. For this reason, Windows 2000 facilitates interoperable, flexible authentication mechanisms that verify identity and securely map external users to the company's internal systems.
  • Consistent enforcement. Security requires consistency. A single, consistent model for enforcement of security is crucial. Once a user's identity has been verified, it is important that access to resources be configured and enforced in one manner to simplify management and increase security. Multiple security models often lead to redundant and complex management, increasing the possibility of administration errors and security holes. Windows 2000 employs a single, consistent access control model that is integrated with the Internet-standard Kerberos network authentication protocol.
Secure Internet-enabled Business
  • E-commerce. Companies doing business on the Internet must be concerned with proving the identity of customers. Windows 2000 provides a fully-featured public key infrastructure including a certification authority for issuing x.509 certificates and validating identity. Secure Socket Layer/Transport Layer Security (SSL/TLS) protocols confirm the user's identity and protect data on the wire across the Internet.
  • Extranets. Support for open PKI standards and secure protocols, such as IPSec, L2TP, SSL/TLS, and S/MIME enables you to extend your network to suppliers and partners more quickly, while protecting against impostors, data theft, or malicious hackers.

Protect Mobile Users and New Devices
  • Mobile users. By design, laptops and many new devices are portable and lend themselves to theft. Often these machines hold important company data and represent a security risk if stolen. Windows 2000 offers Encrypted File System functionality that obscures data on the hard drive to render it useless to anyone without access to the encryption or recovery key.
  • Home office. Telecommuting is becoming a common part of business life. Here security on the wire becomes crucial as companies are using public infrastructure to transport company data. Windows 2000 offers an extensive virtual private network (VPN) solution with integrated tunneling and encryption technologies including IPSEC, L2TP, PKI and PPTP.

Conclusion

Internet security requires three levels of protection: first, your data must be encrypted to assure that it cannot be intercepted and modified between the desired sender and receiver; second, certifying identities guarantees that your information sent and received is being transmitted with the correct person; and third, the client you access the Internet from must be secure to protect the information used over the Internet when it resides on your machine, and to protect the encryption keys and identity certificates used to authorize its transmission.
By using these techniques, it is possible to secure the sharing of information over the Internet to the degree that the work required by a malicious party to get around the security would far outweigh the benefits.

Works Consulted:
1. Windows 2000 Home page
2. Microsoft Software Developers Network (MSDN)
2. Digital Signature Standard - Federal Information Processing Standards

Wednesday, January 1, 2003

common port and services block list

ProtocolPortService nameComment
TCP21FTPIf you use FTP, incoming only
TCP25SMTPBlock incoming or route directly to your email server
TCP/UDP53DNSBlock incoming or route to your DNS Server
TCP/UDP67, 68DHCPBlock incoming and outgoing
TCP/UDP69TFTPHighly recommended for internal use only. * **
TCP80WWW, HTTPBlock incoming or route to your web server
TCP/UDP88Kerberos
TCP135RPC/DCE Endpoint mapperHighly recommended for internal use only. * **
UDP137NetBIOS Name ServiceHighly recommended for internal use only. * **
UDP138NetBIOS Datagram ServiceHighly recommended for internal use only. * **
TCP139NetBIOS Session ServiceHighly recommended for internal use only. * **
TCP/UDP389LDAP
TCP443HTTP over SSL/TLSBlock this unless your web server is running SSL certs
TCP/UDP445Microsoft SMB/CIFSADMINISTRATION PORT! BLOCK THIS!
TCP/UDP464Kerberos lpasswd
UDP500Internet Key Exchange, IKE (IPSec)Block this unless using VPN from outside.
TCP593HTTP RPC Endpoint mapper**
TCP636LDAP over SSL/TLS
TCP/UDP1433,
1434
MS SQL Serverhosts data and local server scans
TCP3268AD Global CatalogADMINISTRATION PORT! BLOCK THIS!
TCP3269AD Global Catalog over SSLADMINISTRATION PORT! BLOCK THIS!
TCP3389Windows Terminal ServerHighly recommended for internal use only. *
TCP/UDP17027AdBotsBlock outgoing on this port
TCP/UDP31337(trojan)commonly used trojan/backdoor port, such as Back Orifice
TCP31789,
31790
(trojan)Commonly used RAT trojan ports, block incoming and outgoing.
* "Internal use only" services were originally never intended for use over the internet, and therefore are highly unsecure.
** indicates these ports are used by MS Blaster and similar worms.