Tuesday, March 10, 2009

Secure Connectivity from Hostile/Untrusted Networks

Some of my friends and I were discussing how we 'securely' connect to the Internet, in particular to our banking sites or email accounts, while at security events or in other venues where malicious users might be present. I use the word 'securely' loosely here, since my view is that even if you go to great effort to make your connectivity secure and impervious to eavesdroppers, true security is close to impossible unless you have a machine that is entirely disconnected from the world, which makes it pretty much useless. Some machines and networks do fit this bill, as far as being essentially 'disconnected' goes; think of some government SCADA networks. For the most part, though, this isn't the modus operandi for a typical user.

The following is a list of some of the methods we use to connect. Some might be considered better than others.

Best Methods In My Opinion:

Wireless Broadband
Local Proxying of all traffic to a remote destination - via SSH tunnel
Using an IPSec and/or SSL VPN solution - to connect to the home office, or the business

Bad Method which many people use (again, this is in my opinion):

Using the hotel's network (or substitute any free Wi-Fi network, such as the one at the airport or your local Starbucks) to connect directly to your banking sites

Now, to be honest, I've used pretty much all of these methods at one time or another, except wireless broadband (although I have been looking into this service for some time), to phone home or connect to my banking site while on the road. As time has progressed, I've evolved toward using more secure methods to make these connections. So you're asking, what do I currently use? Right now I am using NoMachine (NX) <http://www.nomachine.com/>. I'll go over some of the cool features NX offers, as well as what I have set up in my work environment to enable this secure connectivity.

NX allows a client to run an SSH-tunneled X11 session to the NX server. NX uses SSH public-key encryption and 128-bit volatile random cookie generation for the secure connection (Reference: http://www.nomachine.com/). The NX architecture consists of three components:

1. NX Server (This is the machine you will be connecting to, either to launch specific applications from it or just to browse the web securely through it.)
2. NX Node (This package needs to be installed on the server.)
3. NX Client (This is the client software that needs to be installed on the machine you will be connecting from.)

The free edition allows 2 users to be connected to your server concurrently. This is sufficient for my needs, but may not suit yours. NX does offer paid editions that allow an organization to increase the number of users who can connect to a server concurrently; see the following for more information: http://www.nomachine.com/features.php. For those looking for more information on the technology, I strongly encourage you to read the documentation provided on the site. I'm not going to delve into all the specifics, but will give the reader a very general overview of how I use it when I am on the road.

My NX Server at home is running CentOS 5.2 (http://centos.org/). The NX Client software was installed on a Windows XP host and a Linux (Fedora 10) host; I brought a dual-boot system to the conference. On the server, I changed the port SSH listens on (via the sshd.conf file) to 45220. You can continue to use the default port, but I chose a port that, in my experience, is not scanned by script kiddies as often as the popular well-known ports (1024 and below). Both local client firewalls were configured with rules to allow only DHCP traffic (UDP 67 and 68), limited web traffic (TCP 80/443) and DNS (UDP/TCP 53), in order to reach the hotel's portal page, plus one last rule allowing connectivity to my remote firewall, which forwards the TCP 45220 traffic to my NX server. Since I have been fiddling with a Juniper SSG5 at home, I had it on the perimeter with a dedicated DMZ configured where the NX server sits. I've included a little Visio document showing how this layout looks:
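As an added illustration (not the author's own configuration), here is an iptables script implementing the client-side egress policy just described: DHCP, DNS and limited web for the hotel portal, plus the single SSH/NX port to the home firewall, with everything else logged and dropped. The home firewall address 192.0.2.10 is an assumed placeholder, and the script only prints the rules by default (set IPT=iptables and run as root to apply them).

```shell
#!/bin/sh
# Added example: egress-only firewall for the travelling laptop described above.
# Not the author's configuration. REMOTE_FW is a placeholder (TEST-NET-1 address);
# NX_PORT is the SSH/NX port from the post. By default the rules are only printed;
# run with IPT=iptables as root to actually apply them.
REMOTE_FW="${REMOTE_FW:-192.0.2.10}"
NX_PORT="${NX_PORT:-45220}"
IPT="${IPT:-echo iptables}"

build_rules() {
    # Start clean with a default-deny policy in every direction.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback is needed for the local NX client and resolver.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Only replies to connections this host initiated may come back in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP client exchange (UDP 68 -> 67 out, 67 -> 68 back in).
    $IPT -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    # DNS over UDP and TCP.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
    # Limited web access, just enough to get through the hotel's portal page.
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # The single hole for the SSH/NX tunnel to the home firewall.
    $IPT -A OUTPUT -p tcp -d "$REMOTE_FW" --dport "$NX_PORT" -j ACCEPT
    # Everything else is logged, then falls through to the DROP policy.
    $IPT -A OUTPUT -j LOG --log-prefix "egress-drop: "
    $IPT -A INPUT -j LOG --log-prefix "ingress-drop: "
}

# Sanity-check the generated rule set: succeeds only if the NX hole is present
# and exactly the expected six outbound ACCEPT rules exist (lo, DHCP, DNS x2,
# web, NX), so a stray edit cannot silently widen the policy.
check_rules() {
    rules=$(build_rules)
    echo "$rules" | grep -q -- "-d $REMOTE_FW --dport $NX_PORT -j ACCEPT" || return 1
    n=$(echo "$rules" | grep -c -- "-A OUTPUT .* -j ACCEPT")
    [ "$n" -eq 6 ]
}

build_rules
```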

Network Diagram:


Closing Notes:

There are a few different methods someone can use to 'securely' connect to resources that are considered sensitive in nature. I've been at conferences where many of the folks I've spoken with are using their regular corporate laptop in class for the labs. Of course, I am strongly against this (data loss comes to mind here), and would beseech each of you to talk to your own corporate resources in order to get a lab laptop for class, or better yet, buy your own cheap laptop online; you can easily find a used one for under 400 bucks. Upon receiving the laptop, image it, launch your packet capture tool when you connect to the hostile network, save the captures to a portable thumb drive, and re-image it when you get home. I know there are other methods available, and I welcome feedback on this, so please send us any comments and/or questions you may have.

Hope you enjoyed...

Topics for follow up: IPTables configuration on Linux Machines.

~Matt
