4.3 Implement secure communication channels according to design
- Voice
- Multimedia collaboration
- Remote access
- Data communications
- Virtualized networks
- Third-party connectivity
Voice
There are three ways to delivery voice (phone calls).
- POTS (Plain Old Telephone System). POTS has no security. Anybody can take a buttset and tap your phone call, if they have access to the physical wiring at any point in the circuit (between your phone and the other party’s phone).
We can’t do anything to secure POTS. That includes using POTS with normal analog phones, PRI, cell phones, VoIP phones that use POTS for trunking (such as Cisco, Mitel, Polycom), and Digital phones that use POTS for trunking (such as Nortel, Panasonic, NEC, etc.). We might call the digital phone system a PBX, or Private Branch Exchange.
But if both parties have a secure phone with encryption/decryption capabilities, then they can have a secure conversation over an unsecure POTS line.
The older phones include RCA STU-III phones. Encryption keys for these phones have not been produced since 2009.
The current protocol for securing voice communications is called the Secure Communications Interoperability Protocol or SCIP. We can secure any type of communication over POTS, radio, satellite, VoIP, or cell phone as long as the medium has a bandwidth of at least 2400 Hz. The way it works- Each party must have a communication device with encryption/decryption capabilities.
- The parties connect over a medium (VoIP, POTS, cellular, etc.)
- A key exchange happens over the medium.
- The parties negotiate (agree on) a voice encoding protocol
- The voice call is encrypted and transmitted over the medium. AES is a common method of encryption.
- Each party must have a communication device with encryption/decryption capabilities.
- SIP (Session Initiation Protocol). SIP is a protocol for transporting calls over the internet. SIP works with VoIP phones (phones that connect to an ethernet network). Encryption protocols for SIP exist but they don’t work or don’t work well.
The only way to secure a SIP call is if we have end to end encryption between the two SIP endpoints (phones). This could work if we are making SIP calls between two phones in the same company on the same physical network, or on the same WAN or VPN.
If we don’t have the ability to secure the underlying network, General Dynamics makes the Sectéra vIPer Universal Secure Phone, which allows us to make secure phones over VoIP and Analog networks.
- Applications such as Skype, Teams, WhatsApp, Signal, etc.. These applications provide communication over the internet with end-to-end encryption built in. But note the following
- If you use a Skype or Teams app to call a landline phone or other POTS/PSTN number, then there will be no encryption on the PSTN side.
- There is no proof that Skype, Teams, WhatsApp, etc. are actually secure because nobody has been able to validate the source code or examine the servers that run these applications. There may be back doors in the applications and they are certainly suitable to man in the middle attacks.
- Signal and Telegram are apps that are recognized to have good end-to-end security at the time of writing, but there is no guarantee that a backdoor does not exist.
- There might be a backdoor on your phone or computer that can spy on all of your communications, even if the communication app is secure.
- If you use a Skype or Teams app to call a landline phone or other POTS/PSTN number, then there will be no encryption on the PSTN side.
Remote Access
How do we provide external users with secure access to our network? There are many ways to access a corporate network remotely
- VPN – we will discuss VPNs in depth
- Modem – a user can dial in to a modem that is connected directly to a server or router. Some internet service providers still use dial up modems to connect directly, so that they can configure and reboot equipment remotely. Modems are less common now.
- Remote Desktop Protocol with RDP Gateway – RDP allows us to remotely log in to a single computer or server and control its screen. Some applications do not work over RDP. RDP is a common protocol for when an external user needs to connect specifically to one device.
- Remote software like TeamViewer, VNC, LogMeIn – Remote software allows you to connect to a single computer or server. You must install the remote software on each remote device that you want to control. You then must install the client on your computer and connect to any device needed. Remote software offered by third parties may present security risks. They also cost money and are difficult for administrators to control.
- Cloud-based system like Amazon Workspaces – these systems are somewhat like Remote Desktop Protocol. You must download and install a proprietary client application.
- Service Specific – user can connect to specific services such as e-mail, accounting application, etc. Citrix is an application that can allow us to connect to specific services only. It uses containerization as discussed earlier.
- Remote Control – we can fully control the computer, so our monitor and keyboard are acting like they are directly connected. This can be achieved through a remote KVM switch (over ethernet). The KVM is a box that connects to the USB and video ports of a server (or multiple servers). We then remotely connect to the KVM box.
- Screen Scraper – we can remote in to the computer via Remote Desktop. Some applications will not operate over Remote Desktop due to licensing restrictions. We should use a Remote Control when Remote Desktop does not work.
The most common way is through a VPN.
A VPN is a Virtual Private Network. It allows a remote user (working from home, a hotel, a hotspot, etc.) to connect to a corporate network through a tunnel. Essentially, the traffic from the user’s computer is packaged and sent through a tunnel to the corporate network. If the user attempts to access a website, that request is sent to the corporate network. The corporate network sends the traffic to the website. It takes the traffic that it received from the website and sends it back to the user through the VPN. Therefore, traffic received from the user appears to be coming from the corporate network, regardless of the user’s location.
A VPN “tricks” the user’s computer into thinking that it is on the corporate network so that the user can access resources such as internal applications, shared drives, and printers.
A VPN concentrator is a device that collects and manages VPN connections from multiple users and passes their traffic to the LAN. It could be hardware-based or software-based. The VPN concentrator functionality can be incorporated into another network device such as a router.
VPN functionality is incorporated into devices such as
- Cisco Routers
- Cisco ASAs
- Fortigates
- Sonicwalls
- Cisco Meraki Routers
Remote users can use software to establish VPNs (such as Windows VPN or Cisco AnyConnect) or can install hardware-based VPN appliances such as Meraki Z3.
Features of the VPN can include
- Remote Access vs. Site-to-Site. A Remote Access VPN allows users to connect back to a corporate network, typically through their computer. A Site-to-Site VPN allows two offices to connect to each other and pretend like they are part of the same physical network. A Site-to-Site VPN typically applies to the site’s router and not to individual devices on the network.
- The performance on a VPN is affected by the quality of the user’s internet connection, by the quality of the corporate network’s internet connection, by the number of active users, and by the type of resources being accessed.
- When there are multiple sites that need to be connected, a site-to-site VPN should be replaced by a WAN. A WAN is more expensive but offers better performance.
- The performance on a VPN is affected by the quality of the user’s internet connection, by the quality of the corporate network’s internet connection, by the number of active users, and by the type of resources being accessed.
- IPSec. IPSec is a set of protocols that allow hosts to exchange packets securely. IPSec has several modes of operation, including
- Tunnel Mode. The Tunnel Mode encrypts the source, destination, and contents of every packet. Essentially, it establishes a secure tunnel between two network devices where data can travel securely. The devices that are establishing the tunnel are not necessarily the devices that are creating the traffic. For example, a router is sending traffic on behalf of a server inside the network. An outsider will not be able to examine the source, destination, or contents of any traffic.
- Transport Mode. The Transport Mode only encrypts the contents of the packet. It does not encrypt the source or destination. An outsider will be able to examine the source and destination. Transport Mode is established by the two network devices who are communicating, and not by the routers on the edges of the network.
- SA. An SA, or Security Association is an algorithm and key that are used to encrypt traffic in an IPSec tunnel. Each direction of communication requires a separate SA. Therefore, most IPSec tunnels will require two SAs.
- There are four methods of connecting a tunnel. Consider that two computers (each inside a separate network and behind a router) would like to communicate securely across the internet. How can an IPSec tunnel be established?
- Machine-to-Machine. Two computers (or smartphones) establish a tunnel and communicate. This is not practical because each computer will expend a substantial amount of computing power encrypting and decrypting the IPSec traffic.
- Router-to-Router. It is assumed that the connection between the computer and the router (on the internal network) is secure. The routers establish an IPSec tunnel. The computers no longer encrypt traffic between themselves and the routers. The routers encrypt all traffic between themselves.
- Machine-to-Machine and Router-to-Router. This combines the previous two scenarios. Each machine establishes an IPSec tunnel with the router on its network, and the routers establish an IPSec tunnel between themselves.
- Remote User. A remote user connects to a router through an IPSec tunnel, and then establishes a secondary IPSec tunnel to connect to a device deeper in the network.
- Machine-to-Machine. Two computers (or smartphones) establish a tunnel and communicate. This is not practical because each computer will expend a substantial amount of computing power encrypting and decrypting the IPSec traffic.
- Tunnel Mode Encryption. The tunnel mode is the method for encrypting the traffic. Consider that two routers have created an IPSec tunnel and that behind each router is a computer that wants to communicate. What is the order of operations?
- The computer generates some data and places it in a packet.
- The computer puts the address of the remote computer in the header of the packet (or the address of the network that it is sending it to, when the network employs NAT – more on this later).
- The computer sends the packet to the router
- The router encrypts this packet, including the headers
- The router encapsulates this packet inside a larger packet and adds the recipient’s router address to the header
- The router sends the packet to the destination router
- The destination router removes the outer header, decrypts the packet, and forwards it to the computer inside its network
- Neither computer is aware of the existence of the IPSec tunnel
- The computer generates some data and places it in a packet.
- Tunnel encryption works through the following security protocols
- AH. Authentication Header. When AH is used, the original IP header (created by the computer that generated the data) is visible to outsiders, but the contents are protected. AH protects the integrity of the data. That is, the recipient can be sure that the sender listed on the packet is in fact the true sender.
- ESP. Encapsulating Security Payload. ESP encrypts the contents of the data, but it does not guarantee integrity.
- It is recommended to use both AH and ESP, thereby providing privacy and integrity.
- AH. Authentication Header. When AH is used, the original IP header (created by the computer that generated the data) is visible to outsiders, but the contents are protected. AH protects the integrity of the data. That is, the recipient can be sure that the sender listed on the packet is in fact the true sender.
- IPSec algorithms
- IPSec is a framework for exchanging data, but the contents of the framework vary from vendor to vendor and network to network. Just like there can be many different models of vehicles on a road, all following the same traffic rules, there can be many different types of algorithms to exchange data within a tunnel.
- Many different encryption algorithms can be used. This flexibility allows an algorithm to be replaced when it is discovered to be weak.
- Methods include
- Diffie-Hellman key exchange with public key signing
- MD5 and SHA-1 hashing algorithms to ensure data integrity
- Diffie-Hellman key exchange with public key signing
- IPSec is a framework for exchanging data, but the contents of the framework vary from vendor to vendor and network to network. Just like there can be many different models of vehicles on a road, all following the same traffic rules, there can be many different types of algorithms to exchange data within a tunnel.
- IPv4 vs IPv6. IPSec is integrated into all IPv6 packets by default, but not IPv4 packets. When IPv4 was designed, security was not a primary consideration. As the internet grew, the design of IPv6 required security to be integrated into all communications. A device can use IPv6 and not activate the IPSec feature however.
- Tunnel Mode. The Tunnel Mode encrypts the source, destination, and contents of every packet. Essentially, it establishes a secure tunnel between two network devices where data can travel securely. The devices that are establishing the tunnel are not necessarily the devices that are creating the traffic. For example, a router is sending traffic on behalf of a server inside the network. An outsider will not be able to examine the source, destination, or contents of any traffic.
- L2TP (Layer Two Tunneling Protocol)
- L2TP was a tunneling protocol that was developed in 2000.
- L2TP does not provide encryption but the tunnel can be carried by the IPSec protocol, which operates on Layer Three.
- Effectively, the two parties use L2TP to create a VPN tunnel between themselves. This tunnel is used to pass data.
- Then the two parties use IPSec to agree on an encryption scheme and encrypt the data that they send over the L2TP tunnel.
- L2TP was a tunneling protocol that was developed in 2000.
- Split Tunnel vs. Full Tunnel
- In a Full Tunnel VPN, all traffic is routed through the VPN, but in a Split Tunnel VPN, only specific traffic is routed through the VPN.
- The advantage of a split tunnel is that it reduces bottlenecks. Consider a corporate user working from home. The user needs to access network resources such as a shared drive and corporate finance applications. This traffic must go over the VPN. The user is also watching YouTube videos. There is no reason to route YouTube videos over the corporate network (requiring encryption on both sides). YouTube traffic can travel over the user’s home internet connection.
- In a Full Tunnel VPN, all traffic is routed through the VPN, but in a Split Tunnel VPN, only specific traffic is routed through the VPN.
- TLS. In addition to providing internet security, Transport Layer Security is an alternative to IPSec VPN. A TLS VPN is useful when the network uses NAT.
- Always-On VPN. An Always-On VPN is just like it sounds. It is a VPN that is always on. Typically, an Always-On VPN is part of a hardware appliance, but it could also be software-based. When the VPN detects an active internet connection, it automatically attempts to re-establish the VPN.
For security purposes, an Always-On VPN can block traffic from travelling over the internet when the VPN gets disconnected. This would prevent a user from inadvertently disclosing his true location. - HTML5. An HTML5 VPN is a new concept. Since HTML5 supports cryptography, we can build a VPN application that runs through a web browser. That means that we can build an internal web application, and have external users connect to it through a VPN login without having to install any software or making configuration changes to their computer. All they require is a web browser.
Of course, there are limits on what a web-based application can do.
When a user logs in to a VPN, we must validate his username/password. We should also use multi-factor authentication (via a certificate or a token).
The best setup for remote access
- Create a VPN for remote users
- Enforce authentication through RADIUS or another secure system. Authentication should be tied to the user’s internal account or profile.
- Enforce two-factor authentication
- Set clear permissions for each user based on their role
- Log all access attempts
- When a user is connected to the VPN, they can access other internal resources as normal (for example, using RDP to connect to a server or using a web browser to access an internal application). Do not expose internal resources directly to the internet and allow users to connect to them directly.
One other tool we can use is geofencing. Geofencing allows us to block a device from accessing a network unless it is in a specific location. For example, we can design a laptop or tablet that shuts down or locks when it leaves the building or when it is disconnected from the corporate wireless network.
Email Security – some of the following protocols may be in use in your organization. They should be configured to be as secure as possible.
- SMTP – SMTP is the protocol that allows your email client to send emails. SMTP should be configured to use TLS. The SMTP protocol itself does not have any security, but the client and server create a tunnel that secures the SMTP commands.
- POP – POP is an outdated protocol that allows your email client to retrieve e-mails from a server. When an email is retrieved by the email client, it is deleted from the server. It can also be configured to wrap the communication in TLS.
- IMAP – IMAP is a protocol that replaced POP. In addition to being able to retrieve emails from a server, it can also sync the contents of the email client with the email server. It should be configured to use TLS.
- An Open Relay SMTP means that anybody who can reach the server can send messages through that server. This is opposed to an SMTP server that authenticated each sender. An Open Relay is bad because unauthorized parties can send messages through our server. That means that people can send out SPAM using our server. If enough SPAM messages are sent, people will block our servers and then legitimate e-mails won’t be received.
- SaaS E-mail. We can use Google Apps or Microsoft Office 365 to send and receive e-mails. We don’t have to worry about configuring the e-mail server or the hardware. The SaaS provider does all the work. But we need to make sure that the basic configuration is correct. A security threat on the SaaS server can be worse than one on a local server because we may not have access to investigate or resolve it.
- We want the following in our e-mail configuration
- Non-repudiation – that means we can always verify that the person who claimed to send the e-mail is the person who sent it
- Restrict messages to intended recipients
- Ensure message integrity – that means that we can always verify that the message that was received is exactly like the message that was sent
- Be able to authenticate senders who send us messages – this is not always possible because other senders may not configure their e-mail clients.
- Confirm that messages we send are delivered – this is not always possible. The receiving server must be configured to acknowledge receipt. Some e-mail servers do not do this either accidentally or intentionally.
- Non-repudiation – that means we can always verify that the person who claimed to send the e-mail is the person who sent it
- We might have some of the following
- Acceptable Use Policy – this provides a set of rules for what each user can or cannot do while on the server, and the consequences for violating this policy. It could include not sending SPAM or offensive material.
- Privacy – we might have rules restricting the type of information that cannot be sent via e-mail. For example, we might not want to share sensitive or personally identifying information. This rule can be enforced with a data leak prevention device.
- E-mail retention – How long do we keep an e-mail after it has been sent or received? We might keep it until the user deletes it, or we might have a policy in place to retain the email for longer. Some laws require organizations to keep e-mail for up to seven years.
- Acceptable Use Policy – this provides a set of rules for what each user can or cannot do while on the server, and the consequences for violating this policy. It could include not sending SPAM or offensive material.
- Security
- What are some of the risks?
- SMTP, POP, and IMAP use plain text to send and receive email and are not secure out of the box.
- People use email to send SPAM, viruses, trojans, and ransomware
- It is easy to spoof the sender address on an e-mail
- We have no way to check if the message was modified on the way between the sender and recipient. An email may pass through many third-party servers before it recaches its final destination.
- We can DoS somebody by sending them many messages. The messages will fill up the inbox on their server and they won’t be able to receive any new messages.
- SMTP, POP, and IMAP use plain text to send and receive email and are not secure out of the box.
- What are some of the risks?
- How can we protect against these risks?
- S/MIME – Secure Multipurpose Internet Mail Extensions
- We can use an X.509 certificate to authenticate senders
- A sender uses the certificate to digitally sign each message. The recipient receives the message and verifies that the signature is valid.
- S/MIME uses PKCS – Public Key Cryptography Standard
- A digitally signed message has integrity, sender authentication, and nonrepudiation
- An enveloped message has integrity, sender authentication, and confidentiality
- A digitally signed and enveloped message has integrity, sender authentication, confidentiality, and nonrepudiation. That means we can verify that the message that we received is exactly the same as the message that was sent, that the person who signed the message is actually the person who sent it, that no unauthorized people read the message, and that sender will be unable to deny that they didn’t send it.
- We can use an X.509 certificate to authenticate senders
- MIME Object Security Services (MOSS)
- MOSS provides authentication, confidentiality, integrity, nonrepudiation
- MOSS uses Message Digest 2 (MD2) and MD5
- MOSS provides authentication, confidentiality, integrity, nonrepudiation
- Privacy Enhanced Mail (PEM)
- Encryption with authentication, integrity, confidentiality, and nonrepudiation
- Encryption with authentication, integrity, confidentiality, and nonrepudiation
- DomainKeys Identified Mail (DKIM)
- The sending organization creates a digital signature and uploads the public key to their DNS server
- Each time they send a message, they sign it with the private key
- Recipients of the message compare the signature against the public key on the DNS server. If it matches, they know that the message originated from a server controlled by the owner of that domain (i.e. the from address was not spoofed)
- The sending organization creates a digital signature and uploads the public key to their DNS server
- Pretty Good Privacy (PGP)
- PGP is a framework for using public key cryptography to encrypt email messages
- PGP is a framework for using public key cryptography to encrypt email messages
- Opportunistic TLS for SMTP
- This allows us to send encrypted messages when the receiving mail server accepts encryption
- It uses SMTP over TLS
- Each time we send a message, our mail server contacts the receiving mail server and determines if encryption is supported. If it is, an encrypted connection is set up, and the message is sent securely. If not, then the message is sent in plaintext.
- This allows us to send encrypted messages when the receiving mail server accepts encryption
- Sender Policy Framework (SPF)
- This system checks every message to ensure that came from a host that is authorized to send the messages
- When we receive a message, the e-mail server verifies that the IP address of the server that sent the message is actually the IP address corresponding to the domain of the sender. The server does this by looking up the DNS records.
- This system checks every message to ensure that came from a host that is authorized to send the messages
- Blocking attachments
- Attachments are a common source of malware, especially ransomware
- We need to find a balance because some users need attachments
- We can use an antivirus program, but it might not detect the newest viruses
- The key is to block certain types of attachments (macro enabled Office documents, executables, etc.) for all users. A user who has a specific business case can request that attachments are enabled from some trusted recipients.
- Attachments are a common source of malware, especially ransomware
- Blacklist
- A blacklist is a list of senders that we do not want to receive mail from.
- The server automatically discards any mail from a sender on a blacklist.
- A blacklist is a list of senders that we do not want to receive mail from.
- Whitelist
- A whitelist is a list of senders that we do want to receive mail from.
- The server automatically discards any mail from a sender that is not on the whitelist.
- A whitelist is a list of senders that we do want to receive mail from.
- Reputation Filtering
- Gives us a grade for each e-mail or host so we know if it is likely to be SPAM
- An algorithm can analyse many different aspects of the message such as its sender, whether it is on a whitelist/blacklist, the time of day it was sent, any attachments, the contents, etc. It then derives a numerical score corresponding to the sender’s overall reputation.
- The server is configured to reject any messages with a score below a certain value.
- The reputation filtering can be calculated for each message or for each sender. The sender’s reputation can increase or decrease over time depending on the types of messages that are sent.
- Gives us a grade for each e-mail or host so we know if it is likely to be SPAM
- Challenge/Response
- In cases with high volume of SPAM, we would send the sender a response to prove that they are actually human.
- Human senders will accept the challenge and reply but spammers won’t.
- This is not common
- If they confirm that they are human, we can add their IP address to a whitelist so that they do not have to go through the authentication procedure for each message.
- In cases with high volume of SPAM, we would send the sender a response to prove that they are actually human.
- Fax
- People steal faxes. If you receive a fax, but you are not at the machine, it might sit in the output tray and somebody else can steal it or copy it without you knowing.
- Faxes are sent over plaintext and anybody who intercepts the phone line can see the fax message
- It is better to send fax via e-mail and secure the e-mail
- People steal faxes. If you receive a fax, but you are not at the machine, it might sit in the output tray and somebody else can steal it or copy it without you knowing.
- S/MIME – Secure Multipurpose Internet Mail Extensions