Quality of Service

Any sufficiently advanced incompetence is indistinguishable from malice.

Archive for the ‘Security’ Category

Browsing safely

Posted by qualityofservice on July 29, 2009

A lot of my real-life friends ask me how I go about securing my PC, mistakenly believing that because I’m a network guy, I also know something about security.  I know enough to secure the devices for which I’m typically responsible, but the home-user use-case tends to be so widely different and varied that the answer is always “it depends,” and there are infinite dependent variables.  It’s easy for me to secure my LAN against rogue DHCP servers, but less so to (cheaply, in terms of time and money) secure a family PC from a teenager who opens every attachment in their email, or clicks through every page on 4chan.  So take what follows with a grain of salt.  It’s also written with Windows in mind (in other words, spare me the “use linux!”).

As far as personal, home-use computing goes, I find the talk that goes on about the relative insecurity of my Windows Vista and XP boxes to be little more than histrionics.  If someone wants the pictures from my digital camera, it’s easier just to add themselves to the Ottawa, ON network on Facebook, and they can probably get a look at them that way.  There are lots of easier ways to steal information about a person than breaking into their PC, when we so readily make information about ourselves available publicly.

(And even once they’ve done that, what can happen, exactly?  Steal my banking information?  That’s not exactly “risky.” A phone-call to my bank, and the problem goes away.  At worst, I show up to a branch in person to verify my identity with all manner of official documentation.  Inconvenient, but hardly life-endangering.)

Want to get someone’s phone number?  Look them up on Facebook.  Check out their friends list.  Randomly send messages to people on the list, say that you’re an old friend trying to contact them for a high-school reunion, but they aren’t responding to your notes and you’re not sure if they check Facebook that often.  Use your imagination.

From there, you can start to draw the conclusion that security isn’t just technical;  it’s social.  It’s about who and what you trust.

But since not everyone can root through my trash for banking statements and hydro bills, remote compromise of my machine may be their only convenient option.  The goal isn’t complete and total security; as the saying goes, the only way to completely secure your PC is to turn it off.  The goal is to make accessing your PC as inconvenient as possible.  For many users, sticking their PC behind a broadband router provides a cheap form of firewalling that’s more than enough to protect them from outside threats.  Personally, I just turn on Windows Firewall and connect directly to my cable modem.  Never was one for trying to hide my PC behind a router.

Next up, the absolute minimum required to easily get around the internets is a browser.  I’m primarily a Firefox man; Google Chrome is incredibly fast and lightweight, but seems a bit lacking in the feature department.  I’ll confess to not giving it a true college try.

But here’s what I use:

Firefox: http://www.mozilla.com/en-US/firefox/personal.html

With the following addons:

AdBlock Plus: http://adblockplus.org/en/

NoScript:  http://noscript.net/getit

Install the add-ons, configure ABP to subscribe to the easylist filter, and that’s it.  NoScript is a bit annoying to work with at first, but you’ll soon get a feel for it.  Under Firefox’s menu, go Tools -> Options -> Advanced -> Update, and make sure everything is checked off to automatically check for and install updates to the browser and add-ons.

After that, configure Windows Update to check for updates frequently, and to download and install frequently.

I don’t run real-time signature-based AV (e.g. Norton Anti-Virus) at all.  Vista takes up 800MB of RAM on its own; I don’t need a few million signatures adding another 250MB.  Every month, Microsoft releases an updated Malicious Software Removal Tool (MSRT website: http://www.microsoft.com/security/malwareremove/default.aspx) which runs in the background and is very quiet (as in, you don’t even know it’s running unless it finds something).  You can force it to run manually so that you can actually watch what it’s doing by going Start -> Run -> mrt.exe.

As a backup to the MSRT, I’ll occasionally run MalwareBytes’ Anti-Malware tool: http://www.malwarebytes.org/mbam.php

I run Threatfire (http://www.threatfire.com/) on its most sensitive settings.  It’s another one of those things that appears obnoxious at first, but you get used to it.

For generic cleanup, I run ccleaner (http://www.ccleaner.com/).  I check off just about everything possible, with the exception of “Wipe Free Space,” because that takes FOREVER.  I clear out all histories and saved-form information.  If you’re the kind of person who checks off “Have browser remember passwords,” you may find using this annoying.  But that’s the kind of person who makes themselves most vulnerable when sharing their PC/laptop with someone else.  If you’re incredibly serious about wanting to secure your information, clear out that crap and start getting better at memorizing complicated passwords.  You can configure the program to add itself to your Recycle Bin, so you can just right-click the bin and open it up.  Close all your browsers (so it can access and delete browser caches) and run it every few days.  Clean out everything, and do the “Clean Registry” step, too.

As a bonus, the program also includes a feature to uninstall programs and disable programs that start on bootup.  Check to see if there are programs listed that you don’t recognize, or those which you know don’t need to actually start on boot.  Disable them until needed.

Complicated passwords are another obvious thing;  the more valuable the information, the harder it should be to access.  If you protect it with a username and password of admin/admin, it obviously isn’t that valuable to you.

If you need to fill out a registration form or something, make up a gmail account that you’ll never actually use (I sign up to things using qos.recyclebin@gmail.com, for example, and if you need a gmail invite, let me know), and fill in all the registration forms with fake information unless absolutely necessary.

That way, you hide as many things as you can from being harvested, and you have a convenient place to find your account info when you use it to sign up for something.  If you’re trying to get vendor whitepapers from a place like http://techrepublic.com.com/, for example, do they REALLY need your work email and phone number?  Hell no.  Make some up.  The only reason you need a “real” fake email address that you never check is so that you can check it occasionally in the event that they require you to verify your email address.  You can publish this email address ANYWHERE and never worry because you know for a fact that there’s nothing useful in it anyway.

If you approach every form on the internet with the attitude that it might some day be used against you, you protect yourself against all manner of information harvesting.

Last and most importantly, I don’t install anything I don’t need, and I don’t open weird shit that I’m not expecting.

The more you add to anything, the more you have to protect/trust.  The larger your friends list, the higher probability of someone telling someone else something you don’t want them to know.  Do you really need 4-5 different cellphone related applications on your PC?  No, get them off there.  Limit your exposure to applications to only those which you can easily update, and update often.

And don’t bother giving someone’s chain-letter email due courtesy.  It doesn’t deserve it.  Especially if there’s some sort of weird attachment or link.  Most web-based email clients can disable the display of images or running of scripts, and have good anti-spam and malware practices established.   Don’t turn on the display of images or run weird attachments.  Chances are, you didn’t request it, ergo you’re unlikely to need it.

As mentioned at the beginning, I am hardly a security professional, and am quite amenable to comments and adjustments.  Happy internetting!

Posted in Miscellany, Security

NetFlow

Posted by qualityofservice on June 20, 2009

NetFlow is a Cisco proprietary standard, soon to become (if it’s not already) an international standard in the form of IPFIX (http://www.ietf.org/html.charters/ipfix-charter.html). It tracks flows ingressing an interface and does accounting based on source/dest IP/port, TOS, originating autonomous system, and all manner of other cool things.  This info can be exported to central collectors which can store the data in a DB and mangle it as they see fit.

NetFlow is supported on any and all recent IOS routers (read as: 1800/2800/3800 ISR series, 7200/7600, etc).  Alas, no support on Catalyst dumb Layer-2 and multilayer switches outside of the 4500/6500 line, and even then it requires special hardware in the form of proper line cards/Supervisor Engine(s).

However, you can do a poor-man’s NetFlow by building a “probe” that accepts mirrored traffic from a SPAN port on a switch, and crafts its own NetFlow data from the observed traffic (see also: nTop).  Your mileage may vary depending on your IOS version; this note’s test router uses 12.4(15)T7.

You don’t need a collector to get some use out of the feature, though; it maintains a local cache and that’s what this note’s going to be about.  Quite easy to turn on:

interface FastEthernet0/1
ip address x.x.x.x y.y.y.y
ip flow ingress

Verification:

TEST-VPN-Hub-01#sho ip flow interface
FastEthernet0/1
ip flow ingress

Then turn on the top-talkers feature:

TEST-VPN-Hub-01#conf t
TEST-VPN-Hub-01(config)#ip flow-top-talkers
TEST-VPN-Hub-01(config-flow-top-talkers)#top 100

Then we get the option of viewing un-aggregated cache data, or aggregated cache data:

TEST-VPN-Hub-01#sho ip flow top-talkers ?

Display aggregated top talkers:
<1-100>  Number of aggregated top talkers to show

Display unaggregated top flows:
verbose  Display extra information about unaggregated top flows
|        Output modifiers

Un-aggregated provides a very granular view of flows stored in cache; one flow per source/dest IP/port and IP Protocol number (with protocol number and src/dst ports reported in very obnoxious hex), and by default sorted by bytes ingress to the interface:

TEST-VPN-Hub-01#sho ip flow top-talkers

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Tu110232      10.0.30.63      Fa0/1         192.168.141.81  06 170C 88ED  2074K
Tu110232      10.0.30.40      Fa0/1         192.168.141.71  06 0FD9 F727  1519K
Tu110232      10.0.30.140     Fa0/1         192.168.141.144 06 0BFE DB22  1275K
Tu110232      10.0.30.140     Fa0/1         10.1.250.81     06 0BFE B70E  1243K
Tu110232      10.0.30.140     Fa0/1         10.1.250.81     06 0BFE B70F  1242K
Tu110232      10.0.30.62      Fa0/1         192.168.141.80  06 170C 83ED   532K
Tu110232      10.0.30.140     Fa0/1         10.1.250.81     06 0BFE A204   340K
Tu110232      10.0.30.140     Fa0/1         192.168.141.144 06 0BFE D3D8   251K
Fa0/1         192.168.141.81  Tu110232      10.0.30.63      06 88ED 170C    69K
Fa0/1         192.168.141.80  Tu110232      10.0.30.62      06 83ED 170C    60K
Fa0/1         192.168.141.144 Tu110232      10.0.30.140     06 D3D8 0BFE    38K

Useful if you have a source that’s just pounding away; you can easily see where it’s coming from (and the interface through which it enters) and where it’s going (and the interface through which it leaves).

Aggregated view allows you to aggregate the NetFlow data a whole bunch of different ways (I’ve cut a bunch of ways out for sake of brevity):

TEST-VPN-Hub-01#sho ip flow top-talkers 100 aggregate ?
bytes                  number of bytes
destination-address    Destination address
destination-interface  Destination interface
destination-port       Destination port
icmp                   ICMP type and code
ip-nexthop-address     IP nexthop address
max-packet-length      Maximum packet length
min-packet-length      Minimum packet length
packets                number of packets
source-address         Source address
source-interface       Source interface
source-port            Source port
tcp-flags              TCP flags

What follows are ways to find the hot destination ports from your router’s point of view:

TEST-VPN-Hub-01#sho ip flow top-talkers 100 aggregate destination-port sorted-by packets

There are 20 top talkers:

TRNS DST PORT       bytes        pkts       flows
=============  ==========  ==========  ==========
35053     1638362        8922           1
54232     1462512        4017           1
33773      861529        3757           1
63271     1161960        2904           1
56098      950000        2609           1
46862      916876        2518           1
46863      916472        2516           1
5900      110858        2226           2
0      688278        1030          13
2048      658800         549           1
3070       12480         312           5
4056        3492          70           1
4057        2680          67           1
57556        6804          67           1
41476       15288          42           1
3092        2860          35           3
161        2556          35           3

Note that “Port 0” shows up in the above; I believe this may be related to packet fragmentation.  Non-initial fragments will not contain a transport-layer header; rather, they’ll simply have more transport-layer payload.  NetFlow can relate such a packet to a particular transport-layer protocol on account of the IP Protocol field of the IP packet (6 = TCP, 17 = UDP), but that’s as good as it can do without reassembling the entire packet.

Mind you, the traffic could also be IPSEC, which uses IP Protocol 50 for ESP or 51 for AH, and does not have port numbers for NetFlow to count.  This test bed was also running EIGRP and GRE tunnels; this traffic may have also been counted as “Port 0” traffic.
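The un-aggregated table above is awkward to read because Pr, SrcP and DstP are hex, and the aggregated views hide which protocol a “Port 0” row came from. The script below is an added example (it is not part of the post and not a Cisco tool): it decodes a pasted “show ip flow top-talkers” table, names the IP protocol, rebuilds the “aggregate destination-port” and “aggregate source-address” views, and lists the port-0 rows together with the portless protocol that produced them. The first eleven sample rows are copied from the output above; the last two rows (one GRE flow, one ESP flow) are constructed for the demonstration, and the K = 1000 multiplier for the Bytes column is an assumption.

```python
"""Decode and re-aggregate a 'show ip flow top-talkers' table (added example)."""
import re
from collections import defaultdict

# IANA IP protocol numbers; IOS prints the Pr column in hex.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH", 88: "EIGRP"}
# Only TCP and UDP carry the ports shown in SrcP/DstP; other protocols report 0000.
PORTED_PROTOS = {6, 17}
# Assumed multipliers for the Bytes column suffixes (the post does not say how IOS rounds).
SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000}

# Sample table: the first eleven rows are the post's own output; the last two rows
# (a GRE flow and an ESP flow) are constructed here to show where "port 0" comes from.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Tu110232      10.0.30.63      Fa0/1         192.168.141.81  06 170C 88ED  2074K
Tu110232      10.0.30.40      Fa0/1         192.168.141.71  06 0FD9 F727  1519K
Tu110232      10.0.30.140     Fa0/1         192.168.141.144 06 0BFE DB22  1275K
Tu110232      10.0.30.140     Fa0/1         10.1.250.81     06 0BFE B70E  1243K
Tu110232      10.0.30.140     Fa0/1         10.1.250.81     06 0BFE B70F  1242K
Tu110232      10.0.30.62      Fa0/1         192.168.141.80  06 170C 83ED   532K
Tu110232      10.0.30.140     Fa0/1         10.1.250.81     06 0BFE A204   340K
Tu110232      10.0.30.140     Fa0/1         192.168.141.144 06 0BFE D3D8   251K
Fa0/1         192.168.141.81  Tu110232      10.0.30.63      06 88ED 170C    69K
Fa0/1         192.168.141.80  Tu110232      10.0.30.62      06 83ED 170C    60K
Fa0/1         192.168.141.144 Tu110232      10.0.30.140     06 D3D8 0BFE    38K
Tu110232      10.0.30.1       Fa0/1         192.168.141.1   2F 0000 0000   512K
Fa0/1         192.168.141.1   Tu110232      10.0.30.1       32 0000 0000   300K
"""


def parse_bytes(text):
    """'2074K' -> 2074000; plain digits pass through unchanged."""
    m = re.fullmatch(r"(\d+)([KM]?)", text)
    if m is None:
        raise ValueError(f"unrecognised byte count: {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_top_talkers(text):
    """Return one dict per data row, with the hex columns decoded to integers."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":  # skip prompt, blank and header lines
            continue
        src_if, src_ip, dst_if, dst_ip, pr, sp, dp, nbytes = parts
        proto = int(pr, 16)
        flows.append({
            "src_if": src_if, "src_ip": src_ip, "dst_if": dst_if, "dst_ip": dst_ip,
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, f"proto-{proto}"),
            "src_port": int(sp, 16), "dst_port": int(dp, 16),
            "has_ports": proto in PORTED_PROTOS,
            "bytes": parse_bytes(nbytes),
        })
    return flows


def aggregate(flows, key):
    """Mimic 'aggregate <key>': rows of (value, total bytes, flow count), biggest first."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[f[key]][0] += f["bytes"]
        totals[f[key]][1] += 1
    return sorted(((k, b, n) for k, (b, n) in totals.items()), key=lambda row: -row[1])


def port_zero_flows(flows):
    """Flows that land under destination port 0 because the protocol carries no ports."""
    return [(f["proto_name"], f["src_ip"], f["dst_ip"])
            for f in flows if f["dst_port"] == 0 and not f["has_ports"]]


if __name__ == "__main__":
    flows = parse_top_talkers(SAMPLE)
    for f in flows:
        print(f"{f['src_ip']:>16}:{f['src_port']:<5} -> {f['dst_ip']:>16}:{f['dst_port']:<5} "
              f"{f['proto_name']:<6} {f['bytes']:>9}")
    print("\nby destination port:")
    for port, nbytes, nflows in aggregate(flows, "dst_port"):
        print(f"  {port:>5} {nbytes:>9} bytes {nflows:>2} flows")
    print("\nport-0 entries explained:", port_zero_flows(flows))
```

Paste the table from the router into SAMPLE (or read it from a file) and the per-port and per-source views come out the same way the router's own aggregate command shows them, with the difference that a port-0 row can be traced back to GRE, ESP, AH or EIGRP rather than left as a mystery.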

And to see some equally hot source hosts:

TEST-VPN-Hub-01#sho ip flow top-talkers 100 aggregate source-add sorted-by packets

There are 25 top talkers:

IPV4 SRC ADDR         bytes        pkts       flows
===============  ==========  ==========  ==========
10.0.30.63          1758749        9609           1
10.0.30.140         3161180        8681           5
10.0.30.62           996875        4319           1
10.0.30.40          1266040        3226           5
192.168.141.80       121738        2444           1
10.1.250.81           35960         899           3
192.168.139.66       990000         825           1
192.168.139.129      988800         824           1
192.168.141.144       24640         616           2
192.168.141.81        22520         451           2
192.168.141.71        12372         309           2
192.168.191.234       19008         288           1
192.168.191.242        9900         150           1
192.168.141.70         3944          81           2
192.168.141.66         3360          56           1
192.168.141.65         3300          55           1
192.168.191.238        2508          38           1
192.168.141.70         1680          28           1
192.168.141.76         1680          28           1
192.168.141.75         1680          28           1
192.168.141.71         1620          27           1
192.168.141.72         1620          27           1
192.168.191.230        1650          25           1
10.1.40.169              72           1           1

The command “show ip cache flow” also produces interesting results, including timers associated with the flow cache.

TEST-VPN-Hub-01#sho ip cache flow

IP packet size distribution (26090 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.001 .500 .155 .007 .005 .005 .006 .007 .007 .007 .006 .204 .045 .004 .004

512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .002 .002 .012 .008 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
60 active, 4036 inactive, 675 added
29520 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 0 chunks added
last clearing of statistics 00:07:23

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-other          338      0.7        29   155     22.6      18.6       9.6
UDP-NTP             37      0.0         1    76      0.0       0.0      15.4
UDP-other          184      0.4        13    75      5.8       6.2      15.5
ICMP               100      0.2         2   757      0.5       0.5      15.6
Total:             659      1.4        19   151     29.1      11.4      12.5

From the above output, you can see that flows will age out of the cache 15 seconds after data associated with the flow stops flowing.  You can test this by pinging something through the router (in my tests, locally-originated ICMP traffic was not counted by NetFlow, but there’s a chance I may have just been doing it wrong), and filtering the output of “show ip flow top-talkers” or “show ip cache flow”, until there’s been enough transferred data associated with the flow for it to work its way into the cache.

Then stop the ping.  15 seconds later, the flow won’t be there anymore; so by definition, flows that have accumulated a lot of traffic have been active for a very, very long time.  This technique is incredibly handy for tracking DoS activity; if you’re able to log into a terminal, you can work backwards to find the source address and input interface of potential DoS’ers, misbehaving hosts, etc.  Taken to its logical conclusion – assuming cooperation with a supportive and clueful ISP — you can even trace a spoofed IP address back to its real source. How this would be accomplished is left as an exercise for the reader.

There’s also a packet-size histogram; from the above, you can deduce that 50% of the packets transiting the router are between 32-64 bytes; 15.5% are between 64-96 bytes; and 20% are between 352-384 bytes.

Over at $dayJob, I use http://www.plixer.com/products/free-netflow.php to keep track of a day’s worth of NetFlow data; for a free tool, it’s incredible for providing point-in-time analysis of application use on my network.  As they say,  in network analysis, there is no substitute for knowing your network.  While longer-term analysis would be ideal, I don’t have long-term enterprise NetFlow collection in my budget, nor the time to build out my own; though after you’ve kept a watchful eye on links for a few weeks, you start to see patterns, and deviations from that pattern should be either easily explained or quickly investigated.

Posted in Management, Security | 1 Comment

Monitoring/managing logins and config changes with IOS

Posted by qualityofservice on June 9, 2009

For the purposes of this note, I’m going to pretend Telnet doesn’t exist.  Most of the stuff applies regardless of whether you use it or not, but I’m happier working under the assumption that all VTY configs look like this:

line vty 0 15
transport input ssh

I’m going to digress already and say that it’s a good idea to restrict access to certain networks:

line vty 0 15
access-class 101 in
transport input ssh

And that some go a step further and protect the last VTY line as a last resort in the event that the other 14 or so are occupied by someone with less-than-benevolent purposes; that way, the host(s) specified in ACL 102 can still manage the router:

line vty 0 14
access-class 101 in
transport input ssh

line vty 15
access-class 102 in
transport input ssh

But back to the point.  In the early days of IOS 12.3, Cisco introduced the “login” command-set for login security enhancement (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_login.html).

login block-for 60 attempts 3 within 60
login delay 3
login on-failure log
login on-success log

This gives you three chances to pass the test before the router blocks all logins for 60 seconds (this period is called “quiet mode”).  There’s also a 3-second delay between attempts.  This mitigates someone throwing the kitchen sink at your device; it takes them 9 seconds just to try three times, and they can only do so once a minute without changing IP addresses.  A “quiet mode” list can be configured to allow certain hosts to get around these restrictions; this is a good idea, because someone spamming login attempts can lock you out, and it’s a race to log in when quiet time ends.  Luckily, the “on-failure log” will tell you which IP address is responsible for the attack. Info on configuring quiet-mode bypass is in the documentation linked at the end of this note.

Of course, the problem with this is that by default, IOS will let you attempt four SSH logins before terminating the session.  You can fix that, too. I use this:

ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2

“authentication-retries” is, literally, retries.  It lets you make two additional attempts after the first failed attempt; hence three in total, which matches up with the three attempts before you’re locked out for a minute, configured above in the “login” section. “Version 2” forces the use of SSHv2 by the client side; SSHv1/v1.5 have been considered insecure and deprecated for well over a decade.
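Because “login block-for” counts failures from every source together, the lock-out can be tripped by a stranger and then hit you. The script below is an added example (not from the post and not a Cisco tool) for checking a candidate policy against the router’s own “on-failure log” / “on-success log” history before you commit to it: it parses the %SEC_LOGIN syslog lines, applies “block-for B attempts A within W” as a sliding window, and reports when quiet mode would have engaged, which source tripped it, and which of your own logins would have been refused unless that host is on the quiet-mode exemption list. The sample log lines are constructed in the shape IOS emits; the addresses, user names and timestamps are made up.

```python
"""Replay IOS login syslog against a 'login block-for' policy (added example)."""
import re
from datetime import datetime, timedelta

# Matches the %SEC_LOGIN failure/success messages and the timestamp IOS appends.
LOG_RE = re.compile(
    r"%SEC_LOGIN-\d-(LOGIN_FAILED|LOGIN_SUCCESS):.*?\[user: (\S+)\] \[Source: ([\d.]+)\]"
    r".*? at (\d\d:\d\d:\d\d) \S+ \w{3} (\w{3}) +(\d+) (\d{4})"
)

# Constructed sample: three quick failures from an outside host, then two logins
# by an operator. Whether the operator gets in depends on the policy and exemptions.
SAMPLE_LOG = """\
*Jun  9 17:34:40.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 17:34:40 UTC Tue Jun 9 2009
*Jun  9 17:34:43.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 17:34:43 UTC Tue Jun 9 2009
*Jun  9 17:34:46.318: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 17:34:46 UTC Tue Jun 9 2009
*Jun  9 17:35:10.007: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5] [localport: 22] at 17:35:10 UTC Tue Jun 9 2009
*Jun  9 17:35:50.442: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5] [localport: 22] at 17:35:50 UTC Tue Jun 9 2009
"""


def parse_login_events(text):
    """Turn syslog lines into a time-ordered list of login attempts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        kind, user, source, hms, mon, day, year = m.groups()
        when = datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        events.append({"when": when, "ok": kind == "LOGIN_SUCCESS",
                       "user": user, "source": source})
    return sorted(events, key=lambda e: e["when"])


def replay(events, block_for=60, attempts=3, within=60, exempt=()):
    """Apply 'login block-for <block_for> attempts <attempts> within <within>'.

    Failures are counted globally (all sources together), as the router does.
    Hosts in `exempt` stand in for a quiet-mode access list: they are never refused.
    """
    window = []          # (time, source) of failures inside the watch window
    quiet_until = None   # end of the current quiet period, if any
    outcomes = []
    for e in events:
        t = e["when"]
        if quiet_until is not None and t < quiet_until and e["source"] not in exempt:
            outcomes.append({**e, "outcome": "refused (quiet mode)"})
            continue
        if e["ok"]:
            outcomes.append({**e, "outcome": "success"})
            continue
        window = [(wt, ws) for wt, ws in window if t - wt < timedelta(seconds=within)]
        window.append((t, e["source"]))
        if len(window) >= attempts:
            quiet_until = t + timedelta(seconds=block_for)
            outcomes.append({**e, "outcome": "failed; quiet mode on",
                             "until": quiet_until,
                             "culprits": sorted({ws for _, ws in window})})
            window = []
        else:
            outcomes.append({**e, "outcome": "failed"})
    return outcomes


if __name__ == "__main__":
    for o in replay(parse_login_events(SAMPLE_LOG)):
        extra = f" until {o['until']:%H:%M:%S} (caused by {', '.join(o['culprits'])})" if "until" in o else ""
        print(f"{o['when']:%H:%M:%S} {o['source']:>14} {o['user']:<6} {o['outcome']}{extra}")
```

Run it once with the exemption list empty and once with your management hosts in it: the first run shows the lock-out you would have suffered, the second shows the quiet-mode access list doing its job. A higher “within” or lower “attempts” makes the policy stricter; replaying real history is the cheapest way to see how often that would have caught you rather than the stranger.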

Finally, the built-in config-change archiver/logger:

archive
log config
logging enable
logging size 200
notify syslog
hidekeys

This will take any change made in config mode, save a small local copy of said changes to a local buffer, and spit them out to syslog. “hidekeys” keeps sensitive info obscured (syslog packets being unencrypted and all).  How many times have you asked yourself “well, what’s changed?”  This lets you know in real-time.
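Answering “what’s changed?” from the raw syslog feed still means reading every line. The script below is an added example (not from the post and not a Cisco tool): it parses the %PARSER-5-CFGLOG_LOGGEDCMD messages that “notify syslog” produces, groups the logged commands by user, and pulls out the ones that touch the management plane covered in this note (VTY lines, access classes, transport input, the login policy, SSH, user accounts, AAA, and the archive logger itself), with “no …” forms of those listed separately as weakening changes. The sample lines are constructed in the shape IOS emits; the users, commands and timestamps are made up, and the list of sensitive prefixes is an assumption to adjust for your own configuration.

```python
"""Review the syslog output of 'archive / log config / notify syslog' (added example)."""
import re
from collections import defaultdict

# Matches the per-command audit message; group 1 is the log timestamp, 2 the user, 3 the command.
CFGLOG_RE = re.compile(
    r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d)\S*: %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(\S+)\s+logged command:(.*)$"
)

# Assumed list of command prefixes a reviewer should always look at.
SENSITIVE_PREFIXES = ("line vty", "access-class", "transport input", "login", "ip ssh",
                      "username", "aaa", "enable secret", "enable password", "archive", "logging")

# Constructed sample: a routine interface edit, then a second user loosening VTY access.
SAMPLE_LOG = """\
*Jun  9 18:02:11.501: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface FastEthernet0/1
*Jun  9 18:02:15.002: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:description uplink to core
*Jun  9 18:07:40.113: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:line vty 0 15
*Jun  9 18:07:44.870: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no access-class 101 in
*Jun  9 18:07:52.330: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:transport input telnet ssh
*Jun  9 18:09:03.008: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no login block-for 60 attempts 3 within 60
"""


def parse_cfglog(text):
    """One dict per logged command: when it ran, who ran it, and the command text."""
    entries = []
    for line in text.splitlines():
        m = CFGLOG_RE.match(line)
        if m is None:
            continue
        when, user, command = m.groups()
        entries.append({"when": when, "user": user, "command": command.strip()})
    return entries


def is_sensitive(command):
    """True if the command (or the command it negates) starts with a watched prefix."""
    body = command[3:] if command.startswith("no ") else command
    return any(body.startswith(prefix) for prefix in SENSITIVE_PREFIXES)


def summarize(entries):
    """Per user: how many commands were logged and which of them are sensitive."""
    summary = defaultdict(lambda: {"commands": 0, "sensitive": []})
    for e in entries:
        s = summary[e["user"]]
        s["commands"] += 1
        if is_sensitive(e["command"]):
            s["sensitive"].append(e["command"])
    return dict(summary)


def weakening(entries):
    """Sensitive commands issued in 'no' form: protections being removed, with who and when."""
    return [(e["when"], e["user"], e["command"]) for e in entries
            if e["command"].startswith("no ") and is_sensitive(e["command"])]


if __name__ == "__main__":
    entries = parse_cfglog(SAMPLE_LOG)
    for user, s in summarize(entries).items():
        print(f"{user}: {s['commands']} commands, {len(s['sensitive'])} sensitive")
        for cmd in s["sensitive"]:
            print(f"    {cmd}")
    print("protections removed:")
    for when, user, cmd in weakening(entries):
        print(f"    {when} {user}: {cmd}")
```

Point it at the syslog file your collector writes for the router and the output is a short per-user digest instead of a scroll of commands; the weakening list is the part worth a page when it is non-empty. Because “hidekeys” has already stripped secrets before the message leaves the router, nothing in this feed needs to be redacted again before it is shared.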

All this and more over at the IOS Security Configuration Guide and Command Reference, which can be found here for IOS 12.4: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html

Whole bunch of examples below the cut!


Posted in Management, Security