June 30th, 2009

Requirement:

You want to allow connections from the Internet to your local LAN.

Assumptions:

You want to access an RDP server such as a Windows XP workstation or a Windows 2003 server

You have xDSL connection to the Internet

You don’t have a firewall between your network and the Internet

Port: 3389 TCP

Server/Workstation IP: 192.168.0.100

WAN fixed address: 123.123.123.123

Netgear Router

Problem

IP communications cannot pass directly from the Internet to an internal address such as one in 192.168.0.0, because these IP subnets are assigned for internal use.

The solution

We need to have some mechanism that will forward communication based on the Port to the internal address.

What you will need?

User name and password to your router.

Router’s IP address.

Make the server or XP workstation ready to accept connections.

Any cable modem or xDSL connection has an IP address on the WAN side assigned by the ISP. Note your WAN IP address by accessing this site: www.whatismyip.com. This address is dynamic (it can change next time…)

  1. Login to the router using web browser
  2. Under the advanced section click on Port Forwarding

Click the “Add Custom Service” 


Under the service name type the name you want such as “RDP”


Under the starting Port: type 1

Ending port: 3389

Server IP Address: 192.168.0.100

Click Apply


The next step is to test it. Go to another station on the Internet, launch the RDP client, type the WAN address 123.123.123.123 and click Connect.

Good luck!

Warning: anyone from the Internet will be able to reach this workstation or server, so make sure that:

  1. You use a strong password (at least 8 characters long, with numbers and small/CAPS letters)
  2. All security patches are installed
  3. Antivirus installed and updated

Please note: You are using the information above at your own risk.
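
An added example, not part of the original post: a small Python check that compares a port-forwarding entry with the ports the service actually needs. The ForwardRule type, the audit_rule function and the list of sensitive Windows ports are assumptions made for illustration; the two entries use the values given above (starting port 1 with ending port 3389, and the single port 3389 TCP listed under Assumptions).

```python
from dataclasses import dataclass

# Ports a Windows host commonly listens on besides RDP. Forwarding them
# exposes RPC and file sharing to the Internet (illustrative list).
SENSITIVE_WINDOWS_PORTS = {
    135: "MS-RPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB file sharing",
}


@dataclass(frozen=True)
class ForwardRule:
    """One custom-service entry as typed into the router (hypothetical model)."""
    name: str
    start_port: int
    end_port: int
    server_ip: str


def audit_rule(rule, intended_ports):
    """Compare what a rule forwards with the ports the service needs."""
    if not (1 <= rule.start_port <= rule.end_port <= 65535):
        raise ValueError(f"invalid range {rule.start_port}-{rule.end_port}")
    forwarded = range(rule.start_port, rule.end_port + 1)
    intended = set(intended_ports)
    covered = {p for p in intended if p in forwarded}
    return {
        "rule": rule.name,
        "forwarded_count": len(forwarded),
        # Needed ports the rule does not forward (service would not work).
        "missing": sorted(intended - covered),
        # Forwarded ports nobody asked for (unnecessary exposure).
        "excess_count": len(forwarded) - len(covered),
        "sensitive": {p: d for p, d in SENSITIVE_WINDOWS_PORTS.items()
                      if p in forwarded and p not in intended},
    }


# The entry with the values from the steps above, and a single-port entry.
AS_ENTERED = ForwardRule("RDP", 1, 3389, "192.168.0.100")
SINGLE_PORT = ForwardRule("RDP", 3389, 3389, "192.168.0.100")

if __name__ == "__main__":
    for rule in (AS_ENTERED, SINGLE_PORT):
        report = audit_rule(rule, {3389})
        print(f"{rule.start_port}-{rule.end_port}: "
              f"{report['forwarded_count']} ports forwarded, "
              f"{report['excess_count']} beyond RDP, "
              f"sensitive: {sorted(report['sensitive'])}")
```

Running the same check against the router's real forwarding table before clicking Apply shows whether the entry exposes more of the host than the one RDP port.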

June 15th, 2009

 

Task:

Servers or systems behind the ASG must be accessible to Internet connections. This requires specific services to be forwarded through by opening service ports. Common implementations are web servers (HTTP, HTTPS), FTP servers, Remote Desktop Protocol (RDP) and Outlook Web Access (OWA).

4 common scenarios to set up:

Scenario 1 - Common port on public interface
Scenario 2 - New service port creation needed to forward
Scenario 3 - Additional public address
Scenario 4 - Additional public address and new service port

Steps:
For all scenarios it is recommended to first spend some time creating host definitions for webservers, email servers, ftp servers etc.
Example: Webserver host definition
Goto Definitions>>Networks
New Network Definition
Name: Webserver
Type: Host
Address: 10.200.200.10
Comment: My internal webserver IP

For all scenarios it is also possible to simply select the option for auto packet filter rules to be applied if you do not wish to create the rule separately.
 
Scenario 1 - Common port on public interface
  Example: Webserver on HTTP TCP port 80

1) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: Webserver
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTP
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Webserver
Destination Service: left blank
Click Save
Once created click traffic light  from Red to Green

2) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTP
Destination: Webserver
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow http traffic to webserver
Click Save
Once created click traffic light  from Red to Green

Scenario 2 - New service port creation needed to forward
  Example: Remote Desktop Protocol (RDP) on TCP port 10040 public to Exchange Server on TCP port 3389
  Normally Microsoft RDP uses the predefined service on TCP 3389; however, it can be changed to a different port for access to multiple servers behind the ASG.

1) Create a new service definition
Goto Definitions>>Services
New Service Definition
Name: RDP_10040
Type of Definition: TCP
Destination port: 10040
Source port: 1024:65535
Comment: RDP on port 10040

2) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: RDP_10040 to Exchange Server
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: RDP_10040
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: Microsoft Remote Desktop (RDP)
Click Save
Once created click traffic light  from Red to Green

3) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Microsoft Remote Desktop (RDP)
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow RDP traffic to Server
Click Save
Once created click traffic light  from Red to Green

Scenario 3 - Additional public address
 Example: Outlook Web Access TCP port 443 (HTTPS) on second address translated to Exchange server

1) Create Additional public address
Goto Network>>Interfaces
Select Additional Addresses
New Additional Address
Name: Exchange_Public
On interface: External
Address: 150.0.0.1
Netmask: /32 (255.255.255.255)
Comment: Exchange Public address
Click Save

2) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: OWA Access
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTPS
Traffic Destination: Exchange_Public (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service:  left blank
Click Save
Once created click traffic light to Green

3) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTPS
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow OWA HTTPS traffic to Exchange Server
Click Save
Once created click traffic light to Green

Scenario 4 - Additional public address and new service port
 Example: Remote Desktop Protocol (RDP) on TCP port 10040 on second public address to Exchange server on Microsoft Remote Desktop Protocol (RDP) TCP port 3389

1) Create Additional public address
Goto Network>>Interfaces
Select Additional Addresses
New Additional Address
Name: Exchange_Public
On interface: External
Address: 150.0.0.1
Netmask: /32 (255.255.255.255)
Comment: Exchange Public address
Click Save

2) Create a new service definition
Goto Definitions>>Services
New Service Definition
Name: RDP_10040
Type of Definition: TCP
Destination port: 10040
Source port: 1024:65535
Comment: RDP on port 10040

3) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: RDP_10040 to Exchange Server
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: RDP_10040
Traffic Destination: Exchange_Public (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: Microsoft Remote Desktop (RDP)
Click Save
Once created click traffic light  from Red to Green

4) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Microsoft Remote Desktop (RDP)
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow RDP traffic to Server
Click Save
Once created click traffic light  from Red to Green
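
An added example, not part of the original post and not Astaro code: a small Python model of how a connection passes the rules from Scenarios 1 to 4. It shows why the packet filter rules above name the internal host and the translated port (3389) rather than the public port (10040): the filter sees the packet after DNAT. The Exchange_Server address and the primary External address are placeholders assumed for illustration; the source is "Any" in every rule above, so it is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

HOSTS = {
    "Webserver": "10.200.200.10",              # from the page
    "Exchange_Public (address)": "150.0.0.1",  # from the page
    "Exchange_Server": "10.200.200.20",        # assumed placeholder
    "External (address)": "198.51.100.1",      # assumed placeholder
}
SERVICES = {  # TCP destination ports
    "HTTP": 80,
    "HTTPS": 443,
    "Microsoft Remote Desktop (RDP)": 3389,
    "RDP_10040": 10040,
}


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    name: str
    traffic_service: str
    traffic_destination: str
    destination: str
    destination_service: Optional[str] = None  # None = "left blank": keep port


@dataclass(frozen=True)
class FilterRule:
    service: str
    destination: str


def apply_dnat(pkt, rules):
    """Rewrite destination address/port using the first matching DNAT rule."""
    for r in rules:
        if (pkt.dst_ip == HOSTS[r.traffic_destination]
                and pkt.dst_port == SERVICES[r.traffic_service]):
            port = (SERVICES[r.destination_service]
                    if r.destination_service else pkt.dst_port)
            return Packet(HOSTS[r.destination], port)
    return pkt


def forward(pkt, dnat_rules, filter_rules):
    """Return the translated packet if allowed, None if dropped (default deny)."""
    translated = apply_dnat(pkt, dnat_rules)
    allowed = any(translated.dst_ip == HOSTS[f.destination]
                  and translated.dst_port == SERVICES[f.service]
                  for f in filter_rules)
    return translated if allowed else None


RDP = "Microsoft Remote Desktop (RDP)"
DNAT_RULES = [
    DnatRule("Webserver", "HTTP", "External (address)", "Webserver"),
    DnatRule("RDP_10040 to Exchange Server", "RDP_10040",
             "External (address)", "Exchange_Server", RDP),
    DnatRule("OWA Access", "HTTPS", "Exchange_Public (address)",
             "Exchange_Server"),
    DnatRule("RDP_10040 to Exchange Server", "RDP_10040",
             "Exchange_Public (address)", "Exchange_Server", RDP),
]
FILTER_RULES = [
    FilterRule("HTTP", "Webserver"),
    FilterRule(RDP, "Exchange_Server"),
    FilterRule("HTTPS", "Exchange_Server"),
]
# A filter rule written against the public port never matches after DNAT.
FILTER_ON_PUBLIC_PORT = [FilterRule("RDP_10040", "Exchange_Server")]

if __name__ == "__main__":
    probe = Packet(HOSTS["Exchange_Public (address)"], 10040)
    print("page rules:        ", forward(probe, DNAT_RULES, FILTER_RULES))
    print("filter on 10040:   ", forward(probe, DNAT_RULES, FILTER_ON_PUBLIC_PORT))
```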

March 2nd, 2009

Identity theft statistics released by the FBI claim that 9.91 million Americans were identity theft victims and experienced losses totaling $52.6 billion. This can happen while surfing the Internet or while shopping, using the ATM for money withdrawal, trashing documents, and so on. The increase in online shopping, social networks, and web email increases the risk of identity theft.

What is identity theft? It happens when someone else assumes your identity, using your SSN, credit card, bank account number, or other information to perform actions such as stealing money or committing other crimes in the victim’s name.

How long does it take to notice? On average, one year. Victims have been known to lose their jobs and be refused loans, education, or housing. Some were victims of false arrest for crimes they didn’t commit.

How is this done? Some of the methods are low-tech and some are high-tech.

Low-Tech:

  • Telephone scams
  • Social engineering
  • Check information and Social Security Numbers
  • Dumpster diving
  • Shoulder surfing

High-Tech:

  • Computer hacking
  • Spyware
  • Phishing emails
  • Internet Café

 

 Low-Tech defenses:

  1. Don’t accept phone calls from people you don’t know.
  2. Add your phone numbers to the “National Do Not Call Registry” (1-888-382-1222)
  3. If someone calls and he or she claims to be a phone technician saying that they need to come and fix something that is not broken…
  4. Before trashing - Shred it! Even if it has your name and address or other information don’t be so easy…
  5. While surfing the Internet or using an ATM, make sure you are hiding your hands.
  6. Keep all credit card and ATM receipts, then use the statements from your bank and credit card company to reconcile the merchant’s name, date, and amount
  7. Store your Social Security Card safe at home and not in your wallet
  8. Don’t keep your PIN with your ATM card
  9. Don’t give too much information, default is none!

 

High-Tech defenses: 

  1. keep your computer up-to-date by installing all security updates
  2. keep your Anti-Virus up-to-date
  3. Install an anti-spyware program
  4. Phishing emails are very dangerous, if you get an email from Chase bank, but you don’t have an account - DON’T CLICK - just delete it completely
  5. When you get emails from senders you don’t know - DON’T OPEN!
  6. Some emails offer the option to be removed from the list; don’t be tempted to click, this is a trick
  7. When using an Internet Café, don’t log in to ANY bank account or shop online; these places are best for hackers
  8. Change passwords regularly, and don’t use one password for everything, be creative
  9. Do not email your credit card or bank information
  10. Before you check out, make sure your information will be protected by encrypting the data. This can be done by checking for the “S” in the web address (after http). In addition, if you click on the lock icon, then a box stating “This connection to the server is encrypted” should be displayed, and this will verify that your information is secured.
Note: In this sample we used Internet Explorer version 7 with Microsoft Windows XP

We should note that criminals can get information from both Low-Tech and High-Tech methods whichever is easier to capture.

In this article we tried to focus on some practical advice on how to reduce the risk without disconnecting the computer from the Internet… bear in mind that there is no 100% security, and the last line of defense is … YOU!

Yigal Behar is the owner of 2Secure, an IT security consulting firm; you can contact the author by leaving a reply to this post!

September 8th, 2008

Businesses everywhere, whether they have heavy-duty networks or not, have seen the necessity of protective hardware for firewalls, backups and such, but with so many options to choose from, it is hard to pick one that will get the job done at an optimal expense. Harsher budgets have driven some companies to lower-quality equipment, many times overlooking compatibility issues with jerry-rigged hardware and do-it-yourself systems.


DIY has its advantages. It is true; you’ll probably be saving a good share of money from tagged-on labor and manufacturing costs along with whatever comparable margin you can find.

But remember: you get what you pay for.

“Costing less” might end up making you pay more. Data protection and system restoration can be next to survival for your business. Why have this hinging on servers that were set up by someone who “knows what they’re doing;” especially if that person is you. The security your business seeks for the right price will be found with professionals.

The products and services you get with those that specialize in IT have their work streamlined enough to the point where you have less time worrying about your networks and more time tackling what your business does best - making profit. Do-it-yourself might be what your business wants, but it is not enough without consideration of what IT specialists have to offer. Time is money; spend what you need to get the job done right the first time with IT professionals.

July 16th, 2008

Computer systems are the core tool of today’s business and are vital to every business from the smallest to giant organizations. Money transactions and customer service are just simple examples. Despite high hopes, disasters in one form or another eventually strike every organization. Whether it’s a natural disaster like a hurricane or earthquake, or a man-made disaster like a street riot or explosion - every organization will encounter events that threaten its very existence.

We all work on our computer systems without thinking about “What if” scenarios. However, computers are not like other electronic devices such as TVs and DVD players. Dependent on a combination of hardware and software, they may suddenly stop working for some reason. Even power failures can cause malfunctioning. To avoid such problems we need to draw up a Plan, or a number of alternate plans for possible scenarios, to help mitigate the effects a disaster has on the company’s continuing operations and to achieve a speedy return to normal operations.
Advanced preparation saves time, money, and prevents loss of clients, and business reputation.

Objectives

  • Business Continuity Planning (BCP)
  • Disaster Recovery Plan (DRP)

Process Flow

  • Risk Management
  • Business Continuity Planning
  • Disaster Recovery Plan

Summary

Business Continuity Planning (BCP) and the Disaster Recovery Plan (DRP) are very important plans for businesses of every size, from small to big. Before planning, the business should identify its assets and risks. The process is called Risk Management, and is divided into 4 sections:

  • Risk Analysis
  • Asset Valuation
  • Calculating Safeguards
  • Handling Risk

These elements help to see the full picture before preparing the plans. Business Continuity Planning (BCP) helps a business to recover one of its systems which has ceased to function. It is divided into 4 sections:

  • Project Scope and Planning
  • Business Impact Assessment
  • Continuity Planning Goals
  • Approval and Implementation

The Disaster Recovery Plan (DRP) deals with worst case scenarios when ALL systems or one major system have ceased to function. This Plan is executed as if in autopilot mode.

Process Flow - Risk Management

Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasures cost, and implementing cost-effective solutions for mitigating or reducing risk. Risk is the possibility of something occurring to interrupt business continuity.

The primary goal of risk management is to reduce risk to an acceptable level. The organization should decide what that level is, while assessing its assets, size, and budget. It is important to consider all possible risks when performing risk evaluation for an organization.

Risk management is done through risk-analysis. It includes:

  • Analyzing an environment for risks
  • Evaluating each risk as to its likelihood of occurring and the cost of the damage it would cause if it did occur
  • Assessing the cost of various countermeasures for each risk
  • Creating a cost/benefit report for safeguards to present to the upper management

Risk Management

Risk management also requires evaluation, assessment, and the assignment of value for all assets within the organization. Without proper assets valuation, it is not possible to prioritize and compare risks with possible losses.

Risk Analysis

Risk analysis provides upper management with details necessary to decide which risks should be:

  • Mitigated
  • Rejected
  • Accepted

Asset Evaluation

When evaluating the cost of an asset, there are many aspects to consider. The goal of asset evaluation is to assign a specific dollar value to each item.

Calculating Safeguards

For each specific risk, one or more safeguards or countermeasures must be evaluated on a cost/benefit basis.

  • Cost of purchase, development, and licensing
  • Cost of implementation and customization
  • Cost of annual operation, maintenance, administration, etc

Handling Risk

The results of risk analysis are:

  • Complete and detailed valuation of all assets
  • An exhaustive list of all threats and risks, rate of occurrence, and extent of loss if realized
  • A list of threat-specific safeguards and countermeasures that identifies their effectiveness
  • A cost/benefit analysis of each safeguard

Management must now address each specific risk, and decide on a response. There are four possible responses:

  • Reduce
  • Assign
  • Accept
  • Reject

Process Flow - Business continuity planning

Business continuity planning is a process that helps an organization to recover one of its systems that does not work. It involves risk assessments and drawing up plans, policies and procedures to reduce the impact when a disaster strikes the organization’s IT infrastructure. This process contains four elements.

Project Scope and Planning

There is a need for structured analysis from the business’ point of view. The organization needs to set-up a team to handle the crisis.

Business Impact Assessment

With the team ready, there is a need to identify resources that are critical for the organization’s ongoing viability and the threats posed to those resources.

Continuity Planning Goals

The next step is to describe the Plan’s goals. One important goal is to ensure continuous operation of the business in face of an emergency.

Approval and Implementation

Once the team has completed the Plan process and the documentation, it’s time for top management approval. Upon approval the team should begin with the business continuity planning implementation by setting up a time schedule. The next step should be maintenance and testing for this Plan to be efficient.

Process Flow - Disaster Recovery Plan

This process deals with worst case scenarios such as hurricanes, earthquakes, power failure, fire, and terrorist attacks that deny access to the organization’s main server room. Personnel should be trained so this Plan will run in autopilot mode when disaster strikes the organization.

Natural Disasters

Earthquakes

Earthquakes are caused by a shift of seismic plates and can occur almost anywhere in the world without warning. A well-known example is the San Andreas Fault, which poses a significant risk to portions of the western United States. The organization’s DRP should have a procedure in place that is implemented when a seismic event interrupts normal activities. For example, the following states are considered a moderate seismic hazard: Pennsylvania, New Jersey and Delaware.

Floods

Flooding can occur almost anywhere. Some flooding results from the gradual accumulation of rainwater in rivers, and lakes. According to government statistics flooding is responsible for over $1 billion of damage for businesses and homes each year. The Plan should consider sufficient insurance coverage to protect the organization from the financial impact of a flood.

Storms

Storms pose high risks to a business. Hurricanes and tornadoes bring the possibility of severe winds exceeding 100 miles per hour that threaten the structural integrity of buildings.

Fires

Fires can start from natural or man-made sources. Businesses need to address fires in their DRP plans.

Man-Made Disasters

Our sophisticated society depends on an information and communication infrastructure to support our daily activities. Business employees can be one source of intentional vandalism and unintentional man-made disasters.

Bombing/Explosions

Explosions may result from many sources of man-made actions. Gas leaks can ignite and cause damages to buildings.

Acts of Terrorism

September 11, 2001 brought new/old scenarios to our consciousness, where small business can be diminished and large businesses can suffer long-term damage.

Power Outages

In order for businesses to operate they need electrical power. What happens when there is no power? To address this scenario there is a need for an Uninterruptible Power Supply (UPS) to take over and allow data to be saved before the systems shut down.

Hardware/Software Failures

Computer systems have a tendency to fail without any warning; this applies to hard drives, motherboards, etc. Software may crash due to internal errors or a combination of hardware and software conflicts. The recovery team should address the issue of how replacement parts can be quickly obtained and installed.

Theft/Vandalism

Equipment may be stolen, and so may information, by way of a leak from your database, such as a client list or financial records crucial to business continuity.

Recovery Strategy

When a disaster interrupts business, the disaster recovery Plan should be done automatically, meaning the recovery operations should start immediately.

Business Unit Priorities

In order for a business to recover quickly, all business operations have to be prioritized. The highest priority should be recovered first and so forth. In some cases recovering just 40 percent of the highest-priority operation would be sufficient for a short period of time, before moving on to a lower-priority operation to gain minimal business operation.

Crisis Management

This is hard on training but easier on the battle field - meaning business recovery team should be trained and organized at all times to be ready when a disaster strikes.

Emergency Communications

When disaster strikes it is important that the business be able to communicate to the outside world and internally.

Alternate Processing Sites

Alternate sites are set up for cases when the main site is not functioning. We will examine three options for alternate sites.

Cold Sites

Cold sites have minimal support: there are no computer systems, and only open space is available for the work group, as well as some telephone lines. This option is inexpensive, but downtime is longer.

Hot Sites

A hot site is a working site, equipped with the necessary computer systems and communication lines. The data from the primary site is constantly being updated to servers on site. This option is expensive, but downtime is shorter.

Warm Sites

A warm site is almost a hot site: the site has standby servers and some minimal communication lines. To fully operate the site, a recent backup tape is needed from the main site. This option combines the hot and cold site options.

Recovery Plan Development

Once the business has established prioritization and attained a good overview of appropriate alternative recovery sites, the time has come to prepare appropriate documentation for each audience.

Backups and Offsite Storage

Backups are the key component in the business DRP or BCP. With effective backup strategies a business can fully recover. Offsite storage is a physical location where all backup media are stored.

Logistics and Supplies

A business will suddenly face the problem of moving employees, equipment and supplies to an alternate site. The Plan must also address this issue.

Training and Documentation

Like the Business Continuity Plan, it is essential to provide training for all employees who will be involved in a disaster recovery effort. The DRP should be documented and modified according to business needs.

Testing and maintenance

For the DRP to work, a business needs to test the Plan periodically to ensure it meets the requirements. There are five different tests that a business can use:

Checklist Test

The checklist is the simplest test, and its purpose is to make sure we have everything in place, such as an inventory check. It makes team members familiar with the Plan.

Structured Walk-Through

The structured walk-through is designed to “play” a disaster scenario and help team members to exercise their role.

Simulation Test

The simulation test measures team response to a non-critical disaster scenario.

Parallel Test

The parallel test checks the next level, relocating employees and supplies from the main office to the alternate site with current backup tapes for restoration on the backup servers.

Full-Interruption Test

The full-interruption test checks the Plan by shutting down the main office and shifting all activities to the alternate site.

Maintenance

The DRP is a living document. The business should update it during its life time.

The author works as a computer security consultant at 2Secure Corp. Questions and ideas? Please contact us or call 215-779-7953

July 16th, 2008

Often employees find themselves overwhelmed by work they need to finish within a short time. The simple solution is to send the work to their home computer or connect from the home computer to the office network. By connecting from a home computer to the office network, the corporate network is exposed to attacks coming from the employee’s home computer without his knowledge.


In most cases the home computer is not configured well enough when connecting to the office network. Let’s assume that this home PC has a file-sharing application like Emule installed, or some cracked software downloaded from the Internet, which actually is a rootkit allowing an attacker to access the corporate network, utilizing the employee’s home PC as a gateway.

Every day hackers find new ways to get in from many entry points, such as operating systems, or by using weak points in an antivirus program. Many users do not update with the latest patches, leaving many weak points they are unaware of. However, hackers do know and are not sharing their knowledge. It is of vital importance to search for weak points such as wireless networks, which have made it easier than ever for hackers to come in.


Employees should maintain their PCs with updated Antivirus and a Firewall, and make sure a wireless network is well configured to prevent unauthorized use. On top of that, the main responsibility lies with corporate management to enforce a strict policy for permitting employees to work from home.


Summary: Management and employees should take proactive responsibility to enforce better security - this can be accomplished.


July 16th, 2008

Have you recently connected a “wireless Access point” to your corporate Local Area Network, or are you planning to do so in the future?

If your answer is “Yes,” you have good reason to be worried … Although you’ve deployed a Firewall with anti-virus scanning systems, those have all been bypassed.

Why has this happened?

Since the time you connected the access point directly to your LAN (Local Area Network), your network has been exposed to unauthorized access from any device that has wireless support. Once an attacker obtains an IP address using his laptop or PDA, he can then launch an attack against computers on your network and other objects using corporate resources. Computers on your LAN will receive commands from the attacker and launch timed attacks, acting as robots.

Simply… wireless attacks can be launched by anyone from anywhere. From the person who’s next to you or in the office down the hall, in an elevator or the parking garage, he or she could be hacking your wireless networks at this very moment. If you do not take the necessary precautions to protect your systems, you might just as well give them the alarm code to your office and your private files.

Outcomes might include:

  • Slow network response when accessing files on servers and slow performance when reading or sending emails.
  • A non-operational network, where users cannot access ANY resource on corporate servers.
  • Interception of usernames, passwords and other data transmitted between wireless workstations and the servers on the network.
  • Public relations damage to the company.

What can you do to prevent a “Security Breakdown” within your infrastructure?

Here are some of the basic things that can be done to prevent security invasions:

  • Connect the Access Point to the firewall using a hub, then connect the hub to the Firewall on a separate NIC (Network Interface Card).
  • Disable the DHCP (Dynamic Host Configuration Protocol) function on the Access Point. Any access point has the ability to assign an IP address to devices connecting through the “air” - this is normal operation and needed for communication; with DHCP disabled, IP addresses have to be assigned manually.
  • Enable MAC (Media Access Control) address filtering for connections to the Access Point. Any device that performs communication needs a physical address. The MAC address is unique and given by the manufacturer. We can define which MAC addresses are able to connect to the access point.
  • Enable encryption WEP (Wireless Encryption Protocol) or WPA (Wi-Fi Protected Access) on the Access Point. To avoid data interception it is recommended to activate at least the WEP.
  • Stop broadcasting the Access Point BSSID (Basic Service ID) on the Access Point. Any access point is broadcasting its name on the “air,” it says “I am here, my name is …” and we need to associate each device manually.
  • Give an Unknown name to the Access Point. Any access point comes with a default name such as “linksys,” which is easily decoded. Using a name like this allows a hacker to know what kind of access point you have, and a small search will reveal its defaults.
  • Change the access point’s default password. Every access point comes with a default password and hackers know these passwords.
  • Authenticate users accessing the wireless Access Point using RADIUS (Remote Authentication Dial-in User Service). To enhance security measures it is necessary to check their identity before letting them in using RADIUS server.
  • Deploy IDS (Intrusion Detection System) or IPS (Intrusion Prevention Systems). IDS in some cases can alert if someone is trying to tamper with your access point, and IPS can detect pre-defined attacks and prevent them from happening.
  • Enable event logging on the Access Point. Any access point has the ability to log events, such as connections to the access point.
  • Monitor activities on the Access Point. Check logs and try to correlate events from the access point and IDS or IPS.
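
An added example, not part of the original article: a Python sketch of the last three items, correlating access point association events with IDS alerts and checking each associated MAC address against the list of permitted addresses. The log line formats, the addresses, the signature names and the function names are all constructed for illustration; a real access point or IDS will log in its own format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from any real device).
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
AP_LOG = """\
2008-07-16 09:14:02 ASSOC mac=00:11:22:33:44:55 ip=192.168.50.21
2008-07-16 09:20:10 ASSOC mac=DE:AD:BE:EF:00:01 ip=192.168.50.37
2008-07-16 11:02:45 ASSOC mac=00:11:22:33:44:66 ip=192.168.50.37
"""
IDS_LOG = """\
2008-07-16 09:22:31 ALERT src=192.168.50.37 sig=constructed-port-sweep
2008-07-16 11:30:00 ALERT src=192.168.50.37 sig=constructed-policy-violation
2008-07-16 12:00:00 ALERT src=192.168.50.99 sig=constructed-port-sweep
"""

LINE_RE = re.compile(r"^(\S+ \S+) (ASSOC|ALERT) (.*)$")


def parse(log):
    """Turn 'timestamp KIND key=value ...' lines into dictionaries."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed format
        event = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        event["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        event["kind"] = m.group(2)
        if "mac" in event:
            event["mac"] = event["mac"].lower()
        events.append(event)
    return events


def unknown_associations(ap_events, allowed=ALLOWED_MACS):
    """Associations from MAC addresses that are not on the permitted list."""
    return [e for e in ap_events
            if e["kind"] == "ASSOC" and e["mac"] not in allowed]


def correlate(ap_events, ids_events, allowed=ALLOWED_MACS,
              max_age=timedelta(hours=8)):
    """Attribute each IDS alert to the MAC that most recently held its source IP."""
    assocs = sorted((e for e in ap_events if e["kind"] == "ASSOC"),
                    key=lambda e: e["time"])
    results = []
    for alert in (e for e in ids_events if e["kind"] == "ALERT"):
        mac = None
        for a in assocs:
            age = alert["time"] - a["time"]
            if a["ip"] == alert["src"] and timedelta(0) <= age <= max_age:
                mac = a["mac"]  # later matches overwrite: most recent wins
        results.append({"time": alert["time"], "src": alert["src"],
                        "sig": alert["sig"], "mac": mac,
                        "allowed": mac in allowed})
    return results


if __name__ == "__main__":
    ap, ids = parse(AP_LOG), parse(IDS_LOG)
    for e in unknown_associations(ap):
        print("unlisted MAC associated:", e["mac"], e["ip"], e["time"])
    for r in correlate(ap, ids):
        print(r["time"], r["sig"], r["src"], "->", r["mac"] or "no association",
              "(permitted)" if r["allowed"] else "(investigate)")
```

An alert whose source address has no association in the window, like the third constructed alert, means either a gap in the access point log or traffic that did not come through the access point at all.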
