Monthly Archives: October 2009

Auditable internet perimeter using bastion hosts.

What a mouthful: Auditable Internet Perimeter using bastion hosts! Some time ago I published a technical recipe on securing web-based applications using open source tools. Here, then, is another recipe, this time for auditing external users and their actions almost completely.

Although my claim is that too much security is a bad thing, there are situations where one has to be paranoid. Take for example the access of remote, sometimes even intercontinental, support engineers who get to work on your digital assets. How can one be sure that these unknown, self-proclaimed support engineers are not of the slacking kind, or even worse of the malicious kind? One must be able to review their work and act upon that knowledge.

First of all you will need a firewall. No really, you do; although firewalling is not enough, it is a necessity of modern business. Let’s assume for starters that you configure your firewall for remote VPN access for your teleworkers and remote support engineers. Once you give access to remote users, auditing firewall logs becomes as useful as counting grains of sand: time consuming and worthless. So configure your firewall to allow the remote users access only to your bastion servers.

I use two sets of bastion hosts: Unix, based on Linux, and Windows, based on, you guessed it, Windows™. On Linux I do not use the stock SSH server but a hacked version of it. It saves all of a user’s terminal interaction to a file, and you can replay or text-search the log. The patches are on my site for version 4.7p1. For previous versions of sshd look under kdvelectronics. Gotchas: to build sshd with my patches you first have to build the ssh client, then the server. Also remember to include the UsePrivilegeSeparation no directive in sshd.conf.
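As an added example (my own, not the author’s patched sshd, whose log format this post does not document), here is a small reviewer script for the “text-search the log” step: it takes recorded bastion sessions, strips terminal escape sequences and backspaces, pulls out the commands typed at the prompt, and flags the ones a reviewer would want to see first. The session layout, sample sessions, hostnames and the rule set are all assumptions made for the example.

```python
import re

# Constructed sample sessions (not real recordings). Assumed layout: a header line
# "SESSION user=<name> from=<ip>", then the raw terminal stream with its ANSI
# colour escapes and backspaces exactly as the terminal received them.
SAMPLE_LOGS = {
    "sess-001.log": (
        "SESSION user=vendor1 from=203.0.113.10\n"
        "vendor1@bastion:~$ ls -l /var/log\n"
        "vendor1@bastion:~$ \x1b[32msudo\x1b[0m cat /etc/shadow\n"
        "vendor1@bastion:~$ ca\x08\x08scp dump.tgz ext.example.net:/tmp\n"
    ),
    "sess-002.log": (
        "SESSION user=vendor2 from=203.0.113.11\n"
        "vendor2@bastion:~$ tail -n 50 /var/log/app.log\n"
    ),
}

ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")               # CSI colour/cursor sequences
PROMPT_RE = re.compile(r"^[\w.-]+@[\w.-]+:[^$#]*[$#] (.+)$")  # user@host:dir$ command
HEADER_RE = re.compile(r"^SESSION user=(\S+) from=(\S+)$")

# What a reviewer of a support engineer's session wants surfaced first (assumed set).
RULES = {
    "privilege escalation": re.compile(r"^(sudo|su)\b"),
    "credential store access": re.compile(r"/etc/(shadow|sudoers)\b"),
    "outbound file transfer": re.compile(r"^(scp|rsync|sftp)\b"),
}

def clean_terminal(raw: str) -> str:
    """Strip escape sequences and apply backspaces so text reads as the user saw it."""
    out: list[str] = []
    for ch in ANSI_RE.sub("", raw):
        if ch == "\x08" and out and out[-1] != "\n":
            out.pop()  # backspace erases the previous visible character
        elif ch != "\x08":
            out.append(ch)
    return "".join(out)

def extract_commands(cleaned: str) -> list[str]:
    """Commands typed at a shell prompt, in order; program output lines are skipped."""
    return [m.group(1).strip() for line in cleaned.splitlines()
            if (m := PROMPT_RE.match(line))]

def audit_session(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (user, [(rule name, command), ...]) for one recorded session."""
    header, _, body = raw.partition("\n")
    m = HEADER_RE.match(header)
    findings = [(name, cmd) for cmd in extract_commands(clean_terminal(body))
                for name, rule in RULES.items() if rule.search(cmd)]
    return (m.group(1) if m else "unknown"), findings
```

Run `audit_session` over each recorded file and keep the output with the session; a session that comes back with no findings still has its full transcript for replay.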

Let’s do Windows now. First you will need a Windows based terminal server with enough licenses, you dig? Then grab and install Rautor, by yours truly, and lastly include the rautor executable in your AD Group Policy’s logon script. Presto: screen dumper, keyboard logger and screen scraper in one shot, with a playback application that also works for Remote Desktop connections! It is a bit more difficult to locate / text-search under the Windows environment, but at least you will have something to start with.

Now for the dessert. To properly maintain a secure perimeter one needs a unified password management system. Active Directory is very useful in that affair; couple it with winbindd on Unix and all your remote and local users operate under a common access mechanism. Still not satisfied? Still want the whole cake? SSHD with my hacks can be compiled under Cygwin on Windows, so you can roll out a single bastion host under a single security policy, fully auditable and relatively secure.

Oh, did I mention the cost? The Windows licenses plus consulting time. Somebody please do a bit of market research for an equivalent solution, if it exists, and let me know. Thanks to everyone.


Too much security is a bad thing

As far as most corporations around my neighborhood are concerned, the role of IT security is to keep the authorities at bay, so that business can go on as usual. Intelligently run businesses realize that they need security to safeguard what I consider their most valuable asset in the modern service economy: their data.

So a security officer is always being torn between the need for productivity, the need to assuage the authorities AND the necessity to safeguard the corporate infrastructure. Which leads me to “Too much security is a bad thing”.

If one designs systems and services so that they are “absolutely” secure, then it will come to pass that not even their designer can use them. Once upon a time I worked someplace where we created a login/access system that required three different sets of passwords and three different hops through an equal number of firewalls to get to the target machines. It was, and still is, very secure on paper, but it made our life so difficult that we scripted automated login systems to bypass all that cruft. Not to mention that uploading or moving files was a nightmare of chasing spaghetti SSH connections, and we had to maintain three different firewall technologies.

Too much security annuls itself. It forces people into such stress that they find ways around it. A moderate, well designed IT security model where certain liberties are given, yet monitored, is a much better alternative. But that is for another technical recipe, on properly setting up an auditable bastion perimeter for data centers.