1. Improving Web Application Security by Implementing Database Security

    Fri 18 May 2012

    Security is about defense-in-depth. It boggles my mind why it is so difficult to implement defense-in-depth security in web applications. 99.9% of applications use a single database account with root-like privileges. That is easiest for the developer of course, and the database is treated as just a data store. It is not understood for what it really is: your database is the only and last defensive layer you have before the attacker compromises your data. Use it well.

    For example, you can use your database to protect you against high-impact attacks such as SQL-injection.

    I created a presentation about this topic a while ago. You can download it here:

    http://mini.louwrentius.com/static/files/designingsecureapplications.pdf

    A short summary of the points made:

    • Truly understand your application and its requirements.
    • Do not create a monolithic application, create separate applications. For example, at least separate front office and back office.
    • Run those applications under different operating system users or ideally on different servers, residing in different network segments.
    • It suddenly makes sense to put your database server in a separate secure network segment as opposed to running it on the same box as the application server.
    • Do not use a single database account with root-like privileges.
    • Create separate database accounts for separate application components. Only assign those privileges required for that application. White-list privileges within the database. This is key.
    • Understand that end-user authentication does not require 'select username,password from user'-style privileges!
    • Use stored procedures and functions wisely. By only providing access to functions, views and stored procedures, while preventing access to tables, you can significantly reduce the impact of SQL-injection or other application level security breaches.
    • In any case, understand that an attacker can never obtain more database privileges than the database account used. Even if the entire application server is compromised. This is especially important for your internet-facing applications.
    • Use your database as an extra layer of defense.
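    The setup the list above describes, written out for PostgreSQL as an added example (this is not code from the presentation or the original post): the front-office component gets a database account that can do nothing except call one authentication function, while the tables themselves are owned by a role the application never logs in as. The role, schema, table and function names (app_owner, app_frontoffice, app_backoffice, app.users, app.check_login) are assumptions made for the example.

```sql
-- Added example, not from the original post. Names are assumptions.
-- Requires the pgcrypto extension for crypt(); installed in schema public.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- The weak setup the post warns against: one root-like account for everything.
-- CREATE ROLE app LOGIN SUPERUSER PASSWORD 'secret';   -- do not do this

-- Owner role: never used by the application, only owns the objects.
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

CREATE TABLE app.users (
    id            serial  PRIMARY KEY,
    username      text    NOT NULL UNIQUE,
    password_hash text    NOT NULL,        -- salted hash from crypt(), never the password
    is_admin      boolean NOT NULL DEFAULT false
);
ALTER TABLE app.users OWNER TO app_owner;

-- Nobody gets table access by default; privileges are white-listed per role.
REVOKE ALL ON SCHEMA app FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA app FROM PUBLIC;

-- Front-office account: the internet-facing web application logs in as this.
CREATE ROLE app_frontoffice LOGIN PASSWORD 'change-me';
GRANT USAGE ON SCHEMA app TO app_frontoffice;

-- SECURITY DEFINER: the function runs with app_owner's privileges, so the
-- caller can verify a password without ever being able to SELECT the table.
-- The fixed search_path prevents a caller from substituting objects.
CREATE OR REPLACE FUNCTION app.check_login(p_username text, p_password text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = app, pg_temp
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM app.users
        WHERE username = p_username
          AND password_hash = public.crypt(p_password, password_hash)
    );
$$;
ALTER FUNCTION app.check_login(text, text) OWNER TO app_owner;

-- Functions are executable by PUBLIC by default: revoke first, then grant.
REVOKE EXECUTE ON FUNCTION app.check_login(text, text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.check_login(text, text) TO app_frontoffice;

-- Back-office account: a separate application, separate role, and still only
-- the columns it needs (column-level grants).
CREATE ROLE app_backoffice LOGIN PASSWORD 'change-me-too';
GRANT USAGE ON SCHEMA app TO app_backoffice;
GRANT SELECT (id, username, is_admin), UPDATE (is_admin)
    ON app.users TO app_backoffice;

-- Connected as app_frontoffice:
--   SELECT app.check_login('alice', 'correct horse');  -- true or false
--   SELECT username, password_hash FROM app.users;     -- ERROR: permission denied
-- The second statement fails no matter how it is constructed, which is the
-- point: even a SQL injection in the front office runs as app_frontoffice and
-- cannot exceed what that account was granted.
```

Verify the ceiling by connecting as app_frontoffice and checking with `\dp app.users` and `\df+ app.check_login` that the only privilege the role holds is EXECUTE on the function. If the application later needs a second operation (say, changing a user's own password), add a second function and grant EXECUTE on that, rather than opening the table.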
  2. Why Security Is All About Defense in Depth

    Sat 24 March 2012

    Many people assume that if you regularly update your computer, you are safe from hackers. But nothing could be further from the truth. Keeping your systems up-to-date only protects you against exploits for publicly known vulnerabilities.

    Your systems are still not protected against privately known vulnerabilities, and if hackers have zero-day exploits for such vulnerabilities, you clearly have a false sense of security.

    There couldn't be a better example than the high-risk vulnerability MS12-020 in the Microsoft Remote Desktop Protocol service, listening on TCP port 3389. Any unpatched Microsoft Windows-based server or desktop system can be compromised through this vulnerability. If the system is vulnerable and TCP port 3389 is accessible, it is over. Your data is compromised.

    Now, how many people knew about this vulnerability and for how long?

    As we speak, someone may be reading these very words on your computer, just remotely, because of an undisclosed, unknown vulnerability. That sounds like paranoia, but it isn't.

    Zero-day exploit market

    There is a whole zero-day exploit market. Exploits are sold at enormous prices, as high as $100.000+ dollars. Only those who have the means (money) and a need for them will pay such prices. Buyers tend to be government agencies and the like.

    There is no doubt in my mind that the computer I'm currently working on is affected by high-risk vulnerabilities I don't know of. It is very likely that for some of them, exploits exist. But look at the risk: who is going to spend a $100.000 exploit on me? But is the intellectual property of your company worth that much? That sounds way more realistic already, doesn't it?

    You may hope that zero-day exploits are sold to trustworthy governments, but the market is free. Anyone with sufficient means can buy them. Some sellers may scrutinize to whom they sell, but others?

    This whole zero-day exploit market is a problem. Exploit sellers have nothing to gain and only to lose from public disclosure of the vulnerability. As long as it is undiscovered, it can be used by buyers. All parties involved in this market benefit from keeping systems insecure. From keeping systems unpatched.

    So instead of informing the vendor of a security vulnerability so the public can be protected, knowledge of the vulnerability is sold to the highest bidder who then does who knows what with it.

    For most organisations and people, the upside is that nobody will spend a $100.000 exploit on you if you're not worth it. The reason is that every time an exploit is used, it can be discovered, rendering the exploit useless once a security patch is released.

    Protecting against zero-day exploits

    The question is then what to do against this kind of threat. What can you do to protect yourself against the risk of zero-day exploits if you perceive the risk as realistic for your organisation?

    The answer is a security strategy of defense in depth. It is not a solution that ends all problems, but it decreases the risk that your organisation gets compromised. It is about reducing risk to acceptable levels.

    Assume that you will get compromised. Then, think about what can be done to reduce the impact of the hack. Will only one server get hacked, or the entire internal company network?

    Defense in depth is the principle that you do not rely on one single security measure to protect systems and services from a compromise. There are many ways to implement such a strategy and I will name a few.

    1. Only expose those services towards the internet that are required for production.
    2. Make sure you have proper network segmentation in place; systems should not provide a stepping stone for an attacker to enter your internal company network.
    3. Never expose management interfaces such as RDP to the internet directly; use an additional security layer (white-list IP addresses or use a VPN).
    4. Establish an emergency patch-policy to make sure that all systems are patched outside regular maintenance windows if high-risk vulnerabilities are reported.
    5. Monitor the heck out of your environment. Carefully try to log and alert to those events that may indicate a security breach.
    6. Audit your systems, regularly check for misconfigurations and resolve them.
    7. Select hardware and software vendors based on their security track record.
    8. Use different vendors and brands for different defensive layers.
    9. Consider the internet off-limits for end-user systems processing sensitive information.

    Software is vulnerable so prepare for the worst.

  3. Example of a Home Networking Setup With VLANs

    Sun 05 February 2012

    Updated October 24, 2012, see below.

    This post is a description of my home network setup based on gigabit ethernet. I did a non-standard trick with VLANs that may also be of interest to other people. I'm going to start with a diagram of the network.

    home network

    I have now replaced my Mac mini with an HP N40L router running Ubuntu 12.04 LTS. This server is now placed in the basement. The managed Netgear switch has been swapped for the Airport Extreme.

    home network

    Design

    I have a Mac mini running Linux that acts as my internet router. The closet that houses the cable modem is not a friendly environment for such a device and there is no good location for it there. The closet is also outside of my house, behind a door that is not too well protected. That is why I keep my router inside my house.

    From this closet, one UTP cable terminates in the living room, the other in the basement. This configuration has a very big problem: how do I run two different networks over one wire?

    I have to connect my iMac to my 'internal' home network. However, the Mac mini must be connected to both the internet network segment (connected to the cable modem) and the home network. All through a single UTP cable.

    Therefore I use VLANs. I transport both the internet network and the local home network through one cable. VLAN 10 is for internet, VLAN 20 for my local home network. For this all to work you need managed switches that support 802.1q.

    How traffic flows

    So let's say that the server is accessing the internet to obtain the latest Linux security updates. How does this network traffic flow through the infrastructure?

    network flow

    All internet traffic must flow through the router. Thus, even though the traffic from the basement passes through the switch next to the cable modem, it must first travel to the router in the living room. There the router decides whether the traffic is permitted to go out to the internet and thus enter the internet VLAN.

    Pros and cons

    Pros:

    • Just a single cable to the living room
    • No extra USB-based ethernet adapters required for the Mac mini
    • The Mac mini resides in a safe and computer-friendly environment

    Cons:

    • Managed switches supporting VLANs are relatively expensive
