VPN Haus recently talked to Rob Shein, a Washington, DC-based IT security expert. Shein gives us his perspective on managing IT security for organizations.
VPN Haus: Let’s start basic. How do you prevent users from tampering with policy settings?
Rob Shein: Most technical solutions with policies that can be defined at a central management point also have the ability to lock them down, so that only administrators can change them. If you’re using a product that doesn’t have centralized policy management…replace it.
VPN Haus: That’s a good point. Let’s talk more about why centralized management is so crucial for IT management.
Shein: Centralized management is crucial for IT management for a number of reasons. The first is simply a question of scale; without a central point for control over functionality, the cost of operating an IT environment will grow horrendously as the environment grows in size. Imagine configuring Cisco switches by having to keep track of separate logins and passwords for each one, as well as documenting each one’s configuration using Notepad. Just keeping things operating would be a nightmare.
Then, add to that the challenge of ensuring that system drift doesn’t occur, ensuring that systems are configured and operating as they should be; this challenge has a real monetary impact on it when compliance comes into play, and audits need to be performed. Both the cost of the audit and the risk of being found in noncompliance go up. Last of all, there is the increased effort and risk of changing an environment, either as part of an integration project or addressing a security risk across the enterprise.
VPN Haus: With the remote access landscape changing so rapidly, sometimes IT administrators have to make quick changes “on the fly.” What should they take into account when doing this?
Shein: IT administrators should never make changes “on the fly,” but should work with change control. The larger the environment, the more important this becomes, as there are more and more dependencies and less obvious ramifications from certain kinds of change. The wireless landscape may change quickly, but the actual installed base of technologies in any enterprise doesn’t change at the same rate.
Ready or Not, IPv6 Security Threats are Coming
Posted: August 17, 2010 by vpnhaus in Industry Commentary. Tags: VPN, IPv6, Defcon
First, let’s cover the security baked into the IPv6 protocol stack. In simple terms, the major difference is that the IPv6 node requirements (RFC 4294) mandate that every node implement IPsec (RFC 4301), something that is available for IPv4 but optional there. Note that this is a requirement to implement IPsec, not to use it: an IPv6 host still has to be configured and keyed before any of its traffic is protected, so “built in” does not mean “on by default”. The large address space also makes brute-force address scanning impractical (a single /64 subnet holds 2^64 addresses), although port scanning a host whose address is already known is as easy as it is in IPv4; Samuel Sotillo works through the math in his East Carolina University paper. Changes to the authentication header, encapsulating security payload, transport and tunnel modes, protocol negotiation and key exchange, and neighbor discovery and address auto-configuration further improve security.
Defcon speaker Sam Bowne warns the industry that adoption will likely cause “severe security headaches” because IT professionals haven’t really dug into the issue yet, as IPv6 is not widely deployed today. What is happening today is a slow rollout, a dual-stack environment in which v4 and v6 are commingling, creating two infrastructures to secure instead of one. Bowne stressed during his presentation that it is extremely important for white-hat hackers to dig in and identify these threats. Sotillo identifies a few areas worthy of inspection, including header manipulation issues such as spoofing, and flooding issues such as Smurf-type attacks on multicast traffic. Jake Kouns and Daniel Minoli dive into these issues in detail in their 2008 book, Security in an IPv6 Environment.
Interestingly enough, much of the advice given as far back as 2005 has still not been widely adopted. For example, Mike Chapple, CISSP, offered five tips that networking pros should pay attention to, including education on configuration, the risks of the new tunneling protocols, and the complexity created by address auto-configuration. Yet most professionals are still unfamiliar with IPv6, according to a recent article by Robert Westervelt of SearchSecurity.com.
Buffer overflows and ordinary implementation bugs will be an issue during the IPv6 transition as well. Joe Klein, Defcon attendee and subject matter expert with the North American IPv6 Task Force, states that it will take years for the bugs and flaws to be worked out, but that this will happen as IPv6 gains wide acceptance. One flaw that is specific to IPv6 and causes chaos in networks is the routing-header amplification attack. The Type 0 Routing Header (RH0) lets the sender list the intermediate hops a packet must visit; by listing the same two routers over and over, an attacker can make a single packet bounce between them many times, multiplying the traffic on that link. RH0 was deprecated for exactly this reason in RFC 5095 (2007), but older stacks still process it. A related problem is the ping-pong effect on point-to-point links numbered with a /64: a packet addressed to an unused address in that subnet is forwarded by each end of the link to the other, and bounces back and forth until its hop limit expires, flooding the link with useless traffic (RFC 6164 recommends /127 prefixes on such links for this reason). In a podcast with TechRepublic’s Michael Kassner, Klein gives a good overview of some of the other issues that is worth a listen.
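The RH0 amplification pattern above is easiest to understand from the bytes. The following is an added example, not code from the original post or from any of the people it quotes: it builds two IPv6 packets in memory (a plain ICMPv6 echo and one carrying a Type 0 Routing Header that lists two routers repeatedly), walks the extension-header chain the way a filter would, and applies the RFC 5095 rule that an RH0 with Segments Left greater than zero is to be discarded. All addresses are from the 2001:db8::/32 documentation prefix, the sample packets are constructed rather than captured, and their ICMPv6 checksums are left at zero, so nothing here touches the network.

```python
"""Walk an IPv6 extension-header chain and flag a Type 0 Routing Header (RH0).

Added illustration of the RH0 amplification attack; not code from the original
post. Packets are constructed in memory (ICMPv6 checksums left at zero).
"""
import struct
from ipaddress import IPv6Address

# IANA protocol numbers for the extension headers we walk, and for ICMPv6.
HOPOPT, ROUTING, FRAGMENT, ICMPV6, DSTOPTS = 0, 43, 44, 58, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header (version 6, zero traffic class / flow label) + payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                      IPv6Address(src).packed, IPv6Address(dst).packed)
    return hdr + payload


def build_rh0(next_header, hops, segments_left=None):
    """Type 0 Routing Header listing `hops` as the route the packet must take.

    Hdr Ext Len counts 8-octet units after the first 8 octets; each 16-byte address
    is 2 units. Segments Left defaults to "all hops still to be visited".
    """
    segs = len(hops) if segments_left is None else segments_left
    hdr = struct.pack("!BBBBI", next_header, 2 * len(hops), 0, segs, 0)
    return hdr + b"".join(IPv6Address(h).packed for h in hops)


def walk_headers(pkt):
    """Return (findings, upper_layer_protocol) for a raw IPv6 packet.

    An RH0 yields {"kind": "rh0", "segments_left": n, "hops": [...], "repeats": bool};
    a chain that runs past the end of the packet yields {"kind": "truncated"} and
    protocol None, so a filter can refuse to guess.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    findings, nh, off = [], pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            findings.append({"kind": "truncated"})
            return findings, None
        # The Fragment header is fixed at 8 octets; the others carry Hdr Ext Len.
        length = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + length > len(pkt):
            findings.append({"kind": "truncated"})
            return findings, None
        if nh == ROUTING and pkt[off + 2] == 0:          # Routing Type 0
            ext_len, segs_left = pkt[off + 1], pkt[off + 3]
            hops = [str(IPv6Address(pkt[off + 8 + 16 * i: off + 24 + 16 * i]))
                    for i in range(ext_len // 2)]
            findings.append({"kind": "rh0", "segments_left": segs_left, "hops": hops,
                             "repeats": len(set(hops)) < len(hops)})
        nh, off = pkt[off], off + length                 # follow Next Header
    return findings, nh


def should_drop(pkt):
    """RFC 5095: discard a packet carrying an RH0 with Segments Left > 0.
    With Segments Left == 0 the header is inert and the packet is processed normally."""
    findings, _ = walk_headers(pkt)
    return any(f["kind"] == "rh0" and f["segments_left"] > 0 for f in findings)


# Constructed samples (not captures). ICMPv6 echo request, checksum left at 0.
ECHO = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1) + b"ping"
BENIGN = build_ipv6("2001:db8::10", "2001:db8::20", ICMPV6, ECHO)

# A Destination Options header (one PadN option) placed before the RH0, so the
# walker has to follow the chain rather than look only at the first Next Header.
DSTOPTS_HDR = struct.pack("!BB", ROUTING, 0) + b"\x01\x04\x00\x00\x00\x00"
# The amplification pattern: with RH0 the header's destination is the first hop,
# the final destination is the last listed address, and the two routers in
# between are listed over and over so one packet crosses their link eight times.
LOOPING_RH0 = build_rh0(ICMPV6, ["2001:db8::2", "2001:db8::1"] * 4 + ["2001:db8::20"])
AMPLIFIED = build_ipv6("2001:db8::bad", "2001:db8::1", DSTOPTS,
                       DSTOPTS_HDR + LOOPING_RH0 + ECHO)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("rh0", AMPLIFIED)):
        findings, proto = walk_headers(pkt)
        print(name, "proto", proto, "DROP" if should_drop(pkt) else "pass", findings)
```

Modern stacks already ignore RH0 as RFC 5095 requires, but the practical check at a network edge is the same one the walker performs: follow the whole extension-header chain and drop RH0 before it reaches anything older. On a Linux forwarding host that is a one-line rule in the existing `rt` match, for example `ip6tables -A FORWARD -m rt --rt-type 0 -j DROP`; the walker's "truncated" result is the case such rules need to treat as suspicious rather than pass.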
IPv6 is a new protocol, not a simple patch slapped onto existing IPv4 technology. Every device in the path has to handle it natively: VPN gateways, routers, intrusion detection and prevention systems, firewalls and network access control (NAC) solutions. In a dual-stack network a control that only inspects IPv4 leaves the IPv6 half of the same link unfiltered; work-around solutions create gaps, and gaps are what attackers exploit.