Archive for November, 2011

Onto the next post in our series debunking SSL myths. Today’s myth: Java Authentication and Authorization Services (JAAS) framework handles all protocols and mechanisms in a secure manner.

The Internet resources and SOA Web pages are Web applications. As such, they make use of the JAAS framework, which is a user-centric authentication and authorization collection of Eclipse plug-ins to manage authentication and authorization within an application built on the Rich Client Platform framework. The plug-ins provide an implementation of the JAAS API and can be extended by developers to support their own security needs.

The code snippet below shows how easy it is to disable every authorization check in a system implementing

public pointcut hackJAAS();
: call( * AccessController.checkPermission(..) );
void around() : hackJAAS()
//Do nothing. No proceed-call.

The reason this is such an easy task is that JAAS is a standardized framework. To perform an authorization check, a user must call AccessController.checkPermission. Yet, everyone knows this—both lawful programmers and hackers. That means that if an application uses JAAS, a hacker automatically know which code they need to disable. The hacker doesn’t need to see the source code, nor do they need to see any kind of documentation. The Norwegian Information Security Laboratory does an excellent job of explaining the technical details of this vulnerability, if you’d like more information.

For now – another myth busted.

Editor’s Note: This is part 2 in a series, “FDE and VPN: Don’t Throw out the Security Baby with the Legacy Bathwater.” For part one, click here.

What’s the alternative to VPN? For adequate security, Welch seems to be relying on HTTPS (hypertext transfer protocol secure). HTTPS combines conventional Web HTTP with security protocol SSL/TLS (secure-sockets layer/transport-layer security). HTTPS is built into every modern Web browser, and generally is easy for end-users. HTTPS, however, has its limitations. It can put more of a burden on administrators and is only for applications that exist as Web applications running through an HTTPS server.

After a couple of decades of experience and refinement, that’s the fundamental trade-off for VPNs. There’s a significant, if well-quantified, initial cost to establish the VPN between the home network and the first remote location. With that first connection in place, though, the remote location can network just as though “at home” with a minimal impact on performance. The slowdowns which plagued the first generation of VPNs have nearly disappeared.

In isolation, a VPN-free solution for one particular access is probably easier to set up, on both the server- and client-sides. In the absence of a VPN, though, each additional application might require an HTTPS redirect, a slight firewall reconfiguration, an additional or reconfigured server-side SSL certificate, and perhaps expanded licensing (many software licenses categorize a remote work location as an additional “site”).

Room for both

It’s easy to conclude, then, that there’s need for networking toolkits to include both VPN and VPN-free choices. Younger and smaller organizations might need to support only a small number of applications for remote use, and those might be available as Web applications which lend themselves to SSL-based access. Larger organizations, and particularly those with deeper histories, are likely to rely on a wider range of networked applications. VPN is less expensive and less complicated than the combination of separate analyses and configurations that would be required to get all of those different applications working properly. Also, SSL-based solutions have a somewhat spottier history of exploits; security experts like Tom Henderson, Managing Director of Extreme Labs, make the point that “TLS 1.0 was bad, and it’s still around.”

Welch might well be right — perhaps he’s in a situation where the advantages of a VPN matter little. That certainly doesn’t mean it’s time to live without VPNs in all the other networking roles, where they are the best solution available.

What We’re Reading, Week of 11/14

Posted: November 18, 2011 in Highlights

Dark Reading, Survey: Half of Firewall Rules Improperly Configured
PC World, Lock Down Your Wi-Fi Network: 8 Tips for Small Businesses
InformationWeek, The iPhone 4S: Ready for Business
Infosec Island, Ten Tips to Stay Safe on Cyber Monday

By Cameron Laird

In “Die, VPN! We’re all ‘telecommuters’ now–and IT must adjust,” John C. Welch accurately describes much of the changing landscape through which corporate computing is traveling now:

  • Work is as likely to take place outside the office as in;
  • Work in some domains has become as likely to take place on an employee’s device as one owned by the corporation;
  • A large percentage of all work can be done through the Web; and
  • “Endpoint” (in)security is nothing short of horrifying: the data equivalents of bars of gold are regularly walked unescorted through neighborhoods so bad they can’t help but end up in the wrong hands.

The situation is unsustainable; what should be done?

Welch’s conclusion: adopt full-disk encryption (FDE)–and ditch VPNs. His arguments for FDE have merit. The ones against VPN? Well, I expect to use VPNs for a long time into the future, and you should, too. Here’s why:

What is VPN?

First, let’s review the basics: information technology (IT) departments are responsible for computing operations. Computers have, in general, the capacity to make general-purpose calculations. This means both that IT is called on to perform a wide, wide range of tasks–everything from routing telephone connections in a call center, to control of machine actions in a steel plant, to running accounting programs in a hair salon–and also that there is inevitably more than one technique to complete each task or fulfill each requirement.

Even the simplest analysis of the “remote problem” exhibits these characteristics. Let’s begin with Welch’s starting point: much of the work of the future will be done outside the conventional workplace, and therefore outside the usual control policies traditional IT establishes. Everyone agrees that the fundamental data of the workplace deserves protection — whether the business deals in customer names and addresses, proprietary product recipes, or factory inventories and outputs — these details must be kept private. For an IT department, data appear in two states, “in transit,” as it travels from central organization repositories to the hardware of an individual remote worker; and “at rest”, which, for this purpose, means stored on the hardware of an individual remote worker. Welch’s FDE prescriptions address “at rest” or “endpoint” vulnerabilities, with the assumption that any local copy–any file or document or report–of data on a remote machine is necessarily encrypted. In turn, to view company data, an unauthorized person would need not only physical possession of the remote machine, but also a key to unlock the latter’s storage encryption.

Data “in transit” requires a mechanism that enables protection while traveling. With computers, there are many different ways to protect data in transit. In broad terms, though, a VPN  encapsulates everything that passes back and forth from a remote worker in a single consistent way. With a VPN in place, the higher-level applications that are meaningful to an end-user, including software for project management, office productivity, multimedia chat, project collaboration, file access, enterprise resource planning (ERP), and so on, all have the impression that the remote worker is using a computer networked within the home network of the organization. The VPN takes responsibility for translating every data transmission so that what appears to be a message sent to or received from a local computer is actually a corresponding encrypted message to or from a remote location.

Cameron Laird is an award-winning author and developer for Phaseit, where his recent work has concentrated on back-end programming for secure Web applications.

By Sylvia Rosen

Imagine, you’re at the train station on your way to an important meeting. While you’re waiting, you’re drafting an urgent email. Just before you hit the send button, your wireless connection is lost – and with it, you lose your VPN connection and the link to your office email. Frustrated, you log back in, crossing your fingers that your email saved. Of course, it didn’t. Twenty minutes – and lots of good ideas — down the drain.

Sound familiar? Too many VPN solutions aren’t enabled to handle connection outages or changes, resulting in wasted productivity, and even worse, lost data.  This hassle is eliminated with VPNs that support roaming among different types of networks — allowing users to focus on business instead of worrying about their connection. VPNs with seamless roaming automatically switch to the best available network and ensure that users never have to re-authenticate.

Seamless Roaming

Seamless roaming enables smooth transitions between networks, making it ideal for traveling professionals who are always on the go. VPNs that enable seamless roaming secure your data, even in the event of a wireless outage or switching between networks, like Wi-Fi and 3G.

“If all your traffic goes to the VPN while you are connected to it, then everything is secure; nobody can really attack your machine,” explains Rainer Enders, the CTO Americas for NCP engineering. “When the VPN drops, you go back to regular ‘connecting mode’ through the Internet. If your VPN doesn’t enable seamless roaming, you now have a connecting path that is an insecure tunnel, which is why your connection to your corporate server will likely give way.”

Seamless roaming VPN, however, changes this. With seamless roaming, IT administrators can now ensure that each piece of equipment can connect securely and stay connected securely. Stay tuned for more on this.

Sylvia Rosen writes articles on a variety of telecom topics, including VoIP Phone Systems and Call Center Services.