November 7th, 2010

Cloud computing is a HOT item and everyone is talking about the benefits it brings. Recently I got an email from a colleague regarding this topic with the subject “No need for a computer guy anymore…”; then he added, “you see, the days of you running over to a customer’s premises are over, read the article below”, so I followed the link to read about the new wonders of this new hype, “Cloud computing”, and why we all should join it. No doubt this new HOT item offers some really good benefits to any organization that mainly wants to cut costs and “simplify” its IT infrastructure, as well as easing Disaster Recovery operations. Do not get me wrong, I like new technologies and would adopt them, but with some sense before going forward. I would like to share some of my thoughts with you:

1. Where is your data?
As it sounds, “Cloud” means my data can be “traveling” on the wire to anywhere in the world. This is done for the sake of cost reduction and backup, or to provide a redundant site, and it is not something you, as the owner of the data, can control.

2. What type of data will be saved?
Data types can include intellectual property and personal information such as social security numbers, credit card numbers or medical information.

3. Do I need to comply with any regulation such as PCI?
Many companies have procedures, policies and regulations to comply with when it comes to sensitive data such as the types mentioned above.

4. Who has access to my data?
Since the information and applications are served from the “cloud”, anyone who sits in the cloud may have access.

5. Can my data leak from my systems to other systems?
Your data can leak from your cloud systems to another system in the cloud; this is possible when different systems are joined together to ease management tasks and reduce costs.

6. How will my internal applications be interacting with my cloud applications?
Today various systems are interconnected with other systems for data exchange; for instance, an accounting system gets its data from client management software for billing. How will this move to the cloud affect my business?

7. How will my business continue to work when:
a. there is no Internet connectivity
b. the cloud service is down
c. there is a bottleneck over the Internet connection

After all of the above questions have been answered, it is possible to make a decision. Maybe some functions can be moved out of the business premises to the cloud while all “core” applications and information stay in house?

I would recommend reducing costs by building cloud computing in house first, before seeking an outside cloud.

Author: Yigal Behar, Senior Security Consultant at 2Secure Corp
November 7th, 2010

[2010-03-12]
2Secure Corp is now a member of the Manhattan Chamber of Commerce. The Manhattan Chamber of Commerce (MCC) is a membership organization comprised of a cross section of member businesses ranging from sole proprietors to large corporations.

[2010-03-12]
2Secure Corp is now a member of the ISSA. The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.

[2010-03-12]
2Secure is now a member of OWASP. The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software.

[2009-11-03]
2Secure Corp has signed a business partner contract with Sentrigo and we are certified to sell, install and maintain Sentrigo products.

October 28th, 2010

The problem: Employee awareness
The target: Raising employee awareness of the organization’s information security effectively and rapidly
The method: Interactive educational software for information security

Interactive educational software for training of the entire staff in the information security area is the most effective tool to raise the awareness of the employees.

The educational software trains each and every one of the employees in confronting potential threats on the organization’s information and computer systems.

  1. The training process is based on short flash movies and analysis of various security incidents, and includes:
    Watching the incident
    Identification of the challenging factors
    Analysis of the reasons for defining the factors as challenging
    Recommendations as to how to fix the challenge
    Conclusion of the incident and its implications
  2. The use of the educational software:
    The duration is about 25 minutes; upon completion, the users are requested to answer a short test which examines their knowledge
    The educational software can be customized, and therefore can meet the unique requirements of every organization, according to its security needs
    The software can be adapted to local and international regulatory and standardization requirements
  3. Possible training environments:
    Installation in the organizational network
    Integration into existing e-Learning environment
    Stand-alone station

Upon completion of the training, the users are required to pass a short test examining their knowledge. The results of this test, as well as various reports, are sent to the Information Security Officer as the basis of an independent database.

The advantages of this training method:
Quickly enhances the information security level in the organization
Easy and simple to learn and operate
Significant ROI with regard to the deployment of security in the organization
Involves each and every employee
Cost savings in employee training in comparison to current methods
Makes it possible to register, report and control employee participation and knowledge in the area of information security

For additional information, please call 646-666-9601

February 9th, 2010

Preface

The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.

Ongoing development of the standard will provide for feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input, during the creation and review of proposed additions or modifications to the PCI DSS.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

To further the adoption of the PCI DSS, the PCI Security Standards Council defines credentials and qualifications for QSAs and ASVs. The PCI Security Standards Council also manages a global training and certification program for QSAs and ASVs, and publishes a directory of certified providers on its Web site.

February 2nd, 2010

The new Astaro Licensing Model will come into effect on February 1st; however, there will be a transition period until March 31st, 2010 in which both the former and the new licensing models will be valid.

What’s new:

We rearranged the former Base License: Out of the advanced network security features we created a dedicated subscription called “Network Security”, while our free “Essential Firewall” contains basic networking and network security features. We also adjusted the maintenance and support.

There are several reasons for the changes in our licensing: We wanted to create a more flexible licensing so that customers can buy exactly what they need. With this new model the clustering and user upgrades processes are much easier. We also developed a more competitive price point for smaller appliances. 

With this new strategy there is no longer a need for our multipoint appliances, the Astaro Mail Gateway and the Astaro Web Gateway. These appliances will no longer be sold after March 31st, 2010. Mail Security and Web Security applications will be available as subscriptions for the Astaro Security Gateway but no longer as separate hardware appliances.

We want to offer you the following introductory promotions as part of the launch of our new licensing model:

  • A customer signing for 3 years Full Guard will receive the appropriate hardware appliance for free.
  • A customer signing for 5 years Full Guard will receive two hardware appliances in Active/Passive HA Mode for free.

This offer is valid until March 29th, 2010.

If you have further questions or want to personally discuss the new licensing model with us, we invite you to contact us.

Best regards,

2Secure Team, Astaro Preferred Partner

January 22nd, 2010

Preface

This post is about a known issue with the Astaro SSL VPN client installed on Windows Vista and Windows 7. You can install and run the application and make a connection to the Astaro Firewall, but you cannot access the internal network. In order to create a path to the internal network, the command “route add destination mask gateway interface metric” has to be executed after connecting to the Astaro Firewall. Running this command in a normal command prompt shows an error message that elevation is needed: Windows Vista/7 requires re-validation before running dangerous commands, to prevent malicious software installations.

Solution 1:
One way to go is to run the Astaro VPN client application by right-clicking on the .exe file and choosing Run As Administrator; Windows will ask you to approve this. Now try to connect to your internal network.

Solution 2 (worked on Windows 7 Starter edition and may not work with other Windows 7 editions):
I found a small VB script that can do the trick and run the application automatically. You will need to tweak it to your needs.

<-SCRIPT->
set WshShell = WScript.CreateObject("WScript.Shell")
' Open a command prompt under the chosen account with runas (it will prompt for the password)
WshShell.run "runas /user:computer_name\User_name %comspec%"
WScript.Sleep 500                  ' wait for the above command to complete
' NOTE: the account password is stored in clear text in this file; restrict who can read it
WshShell.SendKeys "Password"       ' send password to the runas prompt
WshShell.SendKeys "{ENTER}"
WScript.Sleep 1000                 ' wait for the above command to complete
' Open the Astaro VPN client from the new command prompt
WshShell.SendKeys Chr(34) + "C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui" + Chr(34)
WshShell.SendKeys "{ENTER}"
WshShell.SendKeys "exit"           ' close the command prompt
WshShell.SendKeys "{ENTER}"
WScript.Sleep 200
set WshShell = Nothing

<- END SCRIPT ->

Open a new text document, copy and paste the above code, and save the file as VPN.vbs. Change the computer name, user name, password, and the time to wait for each command (don’t make it smaller than 500).
Before you run it, make sure the program is not already running by checking the toolbar; otherwise you will get an error message.
Next we need to stop the program from running at boot time. To do so, run the command msconfig, click the Services tab, locate the Astaro application, uncheck the box, save and exit.
Restart the system to make sure it’s clean. Now double-click VPN.vbs, connect to the Firewall and try to ping the internal network.

Done!
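As an added example that is not part of the original post, the following PowerShell script obtains the elevation that “route add” requires through the normal UAC consent prompt, so no account password has to be stored in a script file as in Solution 2. The destination, mask, gateway and metric values are placeholders for your own network, and the script assumes Windows PowerShell 2.0 or later on Vista/7.

```powershell
# Added example (not from the original post): elevate via the UAC prompt and
# then add the route to the internal network behind the Astaro SSL VPN.
# Every network value below is a placeholder; pass your own on the command line.
param(
    [string]$Destination = '10.10.0.0',    # internal network behind the VPN (placeholder)
    [string]$Mask        = '255.255.0.0',  # placeholder
    [string]$Gateway     = '10.8.0.1',     # SSL VPN tunnel gateway (placeholder)
    [int]   $Metric      = 1
)

# Is this process already running with an administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    # Re-launch this same script with the "runas" verb. Windows shows the UAC
    # dialog and the user approves it once; no password is typed or stored.
    $self    = $MyInvocation.MyCommand.Path
    $argList = "-NoProfile -ExecutionPolicy Bypass -File `"$self`" " +
               "-Destination $Destination -Mask $Mask -Gateway $Gateway -Metric $Metric"
    Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs
    exit
}

# The tunnel interface only exists after the SSL VPN client has connected,
# so wait (up to 60 s) until the tunnel gateway answers a ping.
$deadline = (Get-Date).AddSeconds(60)
while (-not (Test-Connection -ComputerName $Gateway -Count 1 -Quiet -ErrorAction SilentlyContinue)) {
    if ((Get-Date) -gt $deadline) {
        Write-Error "VPN gateway $Gateway not reachable; is the SSL VPN client connected?"
        exit 1
    }
    Start-Sleep -Seconds 2
}

# The same route the post adds by hand, now issued from an elevated process.
route add $Destination mask $Mask $Gateway metric $Metric
if ($LASTEXITCODE -ne 0) {
    Write-Error "route add failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}
Write-Host "Route to $Destination mask $Mask via $Gateway added."
```

Save it as, for example, AddVpnRoute.ps1, connect with the SSL VPN client, then run the script from a normal (non-elevated) PowerShell window; it re-launches itself elevated and adds the route.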

I will post a new update regarding this issue.

Updates 12/16/2010:

On Windows XP you will have the same issue as described above. The solution can be as stated above, or to add the user to the Network group, which gives the user the right permission to run the command “route add”.

Please note: the above solution won’t work on Windows 7 machines.

———————————————-END UPDATE 12/16/2010—————————————————-

January 11th, 2010

1. Simple single-homed Profense implementation

Figure 9.1. Simple single-homed Profense implementation

This scenario is the easiest to implement, since Profense can be introduced into the already established network without any major reconfiguration. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) uses a single Ethernet interface.

Profense is placed on the same network (DMZ) as the web systems (web1 and web2) it is protecting.

HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the web systems’ DNS settings) to Profense’s IP address 192.168.0.2.

The web systems’ default gateway is unaltered and is still the router with IP address 192.168.0.1.


2. Firewalled single-homed Profense implementation

Figure 9.2. Firewalled single-homed Profense implementation

This scenario requires an extra interface in the firewall, since Profense is deployed in a DMZ segment separated from the segment in which the web servers are placed. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) uses a single Ethernet interface.

A separate network segment (subnet 2) is configured between Profense and the firewall.

HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the web systems’ DNS settings) to Profense’s IP address 192.168.1.10.

Outbound traffic from Profense to web systems is again inspected by the firewall and sent to the web systems on subnet 3.

The web systems’ default gateway is the firewall with IP address 192.168.0.1.


3. Firewalled Profense implementation with a fail-over/backup Profense

Figure 9.3. Firewalled Profense implementation with a fail-over/backup Profense

In this scenario Profense is deployed in a high availability configuration with an extra Profense (backup) used for fail-over. A dedicated network or crossover cable is used to connect the Profense cluster, and a separate interface is used for synchronization of various information between the active and the backup Profense. Inbound and outbound traffic share the same interface.

The two Profense systems share a virtual (VIP) IP address 192.168.1.12.

HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the web systems’ DNS settings) to Profense’s VIP address 192.168.1.12.

In case the active Profense system fails or loses connectivity, the backup takes over the VIP and starts handling the requests from clients.

The web systems’ default gateway is the firewall with IP address 192.168.0.1.


4. Dual-homed performance optimized Profense implementation

Figure 9.4. Dual-homed performance optimized Profense implementation

In this scenario Profense is configured in a dual-homed setup with separation of inbound and outbound web traffic; two Ethernet interfaces are used. Client requests are terminated in VLAN2 and responses from the web systems are terminated in VLAN3. This setup (or a similar one) potentially provides greater performance (since two interfaces are used) and security.

A separate network segment (VLAN2) is configured between Profense and the layer 3 switch.

HTTP/HTTPS traffic destined for the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering the web systems’ DNS settings) to Profense’s IP address 192.168.1.9.

Outbound traffic (downstream) from Profense is sent to web systems via VLAN3.

The layer 3 switch is configured to allow only traffic on the necessary ports (typically 80/tcp for HTTP and 443/tcp for HTTPS) to pass from Profense to the web systems.

The web systems’ default gateway is the layer 3 switch with IP address 192.168.0.1.

December 10th, 2009

Safeguard Sensitive Data. Enforce Security Policies with a Web Application Firewall.

Advanced Web Application Security and Compliance Solution

Astaro Web Application Security hardens your web servers using Reverse Proxy technology to protect them from modern attacks and data loss. With it,  you can securely offer  applications like Outlook Web Access (OWA) and guard against techniques like SQL Injection and Cross Site Scripting (XSS). Stop hackers from using these types of attacks to gain access to sensitive information like credit card data, personal information, and social security numbers. Astaro Web Application Security aids you in compliance efforts where a web application firewall is required, such as PCI-DSS.

December 9th, 2009

Why it matters?

You can’t afford downtime or an IT security breach when implementing mission-critical business solutions. Our security services and solutions are designed to minimize your risk and deliver results that will impact your business by keeping your IT systems current, secure and available when you need them.

Before we begin, ask yourself:

Question: Who has access to data?

Answer: You should examine your user account policy, delete unused accounts, and set an audit policy.

Question: Can someone from outside access my data and how?

Answer: You should check every entry point; wireless access points, modem installations, flash drives, and remote access.

Question: Can someone from the inside misuse my data?

Answer: You should run an assessment to check file permissions on network shares.

Question: Is my Antivirus software effective?

Answer: Having a central point of management is a key requirement for maintaining updated software on desktops, laptops, servers, and network gateways.

Question: Is my database safe?

Answer: You should examine database user accounts, install patches, and enforce auditing and access control; we may also recommend a DB firewall installation.

Question: Is my website safe?

Answer: You should run vulnerability scans verifying that (a) your website is configured correctly and (b) no vulnerabilities exist within the web application, and (c) check the perimeter firewall policy.

Question: Can my business recover from a disaster?

Answer: If you have a backup, it’s a good starting point. Setting up HOT bare-metal recovery with disk-to-disk-to-tape is a good solution for faster and more reliable recovery.

Yigal Behar

July 16th, 2009

The Astaro Security Gateway integrates complete Network, Web and Mail Security through an intuitive browser-based user interface. The Astaro Unified Threat Management appliance is the most easy-to-use and cost-effective “all-in-one” solution available, working to effectively shield businesses from Internet-based threats.

Networks need to be protected against a wide variety of Internet threats, including denial of service attacks, port scans, worms, trojans, botnets and application exploits. Organizations often implement point products like IPS systems, VPN routers and firewalls as a solution. This not only requires the maintenance of multiple products, but users also need to be continuously assured that these products are fully integrated in order to effectively protect their network. Astaro Security Gateway Network Security eliminates these issues, providing a single security application suite, integrated into an easy-to-manage Unified Threat Management solution.

The Astaro Security Gateway also protects email. More than 80% of all email messages are spam related, phishing attacks are on the rise, and email spreads the majority of virus and spyware infections. Email security is therefore a major business requirement for organizations of all sizes. Furthermore, as the majority of emails are sent unprotected, comparable to a traditional postcard, organizations are exposed to major risks, including the loss of vital information and violating industry regulations when disclosing confidential or proprietary information. The Astaro Security Gateway embodies a unified solution for all of these risks, combining email filtering and encryption in one powerful appliance.

The Astaro Security Gateway also includes Web Filtering. Web surfing, file downloads, and programs which tunnel over HTTPS can put your computer and network at risk from spyware, viruses, and exploits. Furthermore, applications such as Skype, Instant Messaging and Peer-to-Peer present many new risks for the company network that circumvent established protection mechanisms. Employee access to inappropriate sites could potentially induce legal consequences or reduce business productivity. Astaro Security Gateway unifies the entire web filtering scope in one easy-to-use appliance, eliminating the complexity and high costs associated with the deployment of dedicated URL filtering, antivirus and IM control tools.

We also have two point solutions for customers that already are using a Firewall or want the “layered approach.”

The Astaro Web Gateway provides complete protection and control over data transferred over the web. The All-In-One web security appliance features Malware Detection, Application Control, URL Filtering and Bandwidth Management, fully integrated and manageable through a single and intuitive browser-based user interface.

The Astaro Mail Gateway provides complete protection and control over spam, viruses, worms and Trojans transferred through email. The All-In-One mail security appliance features comprehensive features for spam detection and malware filtering. An easy to use UserPortal gives end-users at any time control over a personal quarantine and e-mail log. Integrated encryption features allow a secure way to transmit emails and VPN access secures the native access to internal e-mail servers for mobile users from anywhere in the world.
 

All Astaro products are available as hardware, software or virtual appliances. We can tailor the best solution for your specific need.

Yigal Behar