Security as a Function of Time & Cost
Three weeks ago I finished my 2-factor authentication project, which began, rather subconsciously, about 4 years ago. First I tried to use a Rainbow iKey 3000 to store my ssh key, but a lack of alpha-quality support for smartcards in openssh bashed that idea up.
I have been wondering lately how secure a network or system is if it takes 4 years to implement, and more importantly how security works as a function of Time & Cost. I was thinking specifically: what if I simplified my network to reduce the complexity of its configuration and reduced its deployment time, so that I could respond to security incidents quickly if they ever did occur (I seem to spend forever taking precautions for things that may never happen)?
I would thereby reduce the risk of total compromise by having simpler and hence “shallower” or isolated systems? I stumbled upon this thought while wondering why I seemed to be the only one insistent on requiring 2-factor authentication to access my systems.
I was thinking of all those Linux sysadmins out there with their ssh-agents and their ssh keys. Are they safe? I guess. I guess an ssh key + a passphrase is, strictly speaking, 2-factor authentication. If someone had compromised their desktop they could use a keylogger to steal their passphrase, and if the baddie was able to install a keylogger then they can read the keyfile on their system, but how often does this really happen?
I bet it is less than 0.001% of all attacks. Okay, so Linux or *nix has a 2-factor-authentication-capable secure access mechanism that includes mutual authentication (ssh host keys). What else makes these systems *reasonably* secure? Simplicity. I bet that they have no Directory System, no Group Policy, no Graphical User Interface, a good firewall ruleset and an admin that has a clue and keeps his boxes up to date.
I wonder if our complicated centralized directory systems, centralized logging, Intrusion Detection systems and Public Key Infrastructures are so complicated and time consuming that they are less secure in practice than our simple non-multi-homed *nix amoebas?
Using Wikid 2-Factor Authentication with Monowall
I found out about monowall about a year and a half ago and really love it. Some of its best features are:
- Easy to deploy (via PC / Embedded or even as a VM)
- Easy to Manage (web based management interface second to none)
- Powerful. It is easy to create a good, strong firewall rule set. Traffic Shaper, Captive Portal, PPTP and IPSec VPNs, User Manager, single config file (easy backup of configs), and the list goes on.
- Reliable & Good community support available
In the last month I bought a 2-Factor Authentication system from Wikidsystems.com and have set it up as the authentication mechanism for my monowall-terminated PPTP VPN. The steps to set this up are:
- Install Wikid Auth server via the ISO or use the RPMs (I found the ISO easier and just upgraded the RPMs after install)
- Enable the Radius Protocol modules for your wikid domain (I have the IP Address for the Radius server set as 127.0.0.1 – not sure why that works, but it obviously still spawns a radius daemon on the wikid auth server’s real interface). I also had the “Multihomed” setting set to ‘on’ (the default).
- Set up a network client for your monowall using radius and a shared secret (I have the network client pointing to the interface address of my vlan, not the LAN interface address).
- Set up a Token Client and ensure that you can authenticate to the wikid auth server.
On the monowall:
- Set the PPTP VPN settings to use Radius authentication. Set the IP address of the radius server to the IP of the Wikid Auth server and set the shared secret that you specified on the Wikid Auth Server.
- **Reboot the Monowall** – I spent a day trying to figure out why this was not working. I set up an iptables firewall rule to log all traffic and could not see any traffic coming from the monowall while trying to authenticate to the VPN. Eventually, out of frustration, I rebooted the firewall and voilà, it worked!!
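A way to check the RADIUS leg on its own, without going through the PPTP client: the following is an added example, not code from WiKID or m0n0wall. It builds a minimal RFC 2865 Access-Request with a PAP-obscured User-Password and classifies the answer, so that "no reply at all" (the symptom above before the reboot) is distinguished from "reply with a bad authenticator" (shared secret mismatch) and from a genuine reject. It assumes the server accepts PAP on UDP 1812 and that the host, secret, user and passcode are placeholders you supply.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, passcode, secret, ident, authenticator):
    """Access-Request carrying User-Name and a PAP-obscured User-Password."""
    attrs = b""
    for t, v in ((ATTR_USER_NAME, user.encode()),
                 (ATTR_USER_PASSWORD, pap_encrypt(passcode.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, request, secret, attrs=b""):
    """What a server sends back: authenticator = MD5(header + request auth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def check_response(resp, request, secret):
    """Trust the reply code only after the Response Authenticator proves the secret matched."""
    if len(resp) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:length] + secret).digest()
    if ident != request[1] or resp[4:20] != expected:
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")

def probe(server, secret, user, passcode, port=1812, timeout=3.0):
    """Send one Access-Request; 'timeout' means no RADIUS reply reached this host at all."""
    authenticator = os.urandom(16)  # fresh Request Authenticator per packet
    request = build_access_request(user, passcode, secret, 1, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return check_response(resp, request, secret)
```

Run it as `probe("WIKID_HOST", b"SHARED_SECRET", "user", "passcode")` from the same VLAN interface the network client was registered for; "bad-authenticator" points at the secret or client registration, "timeout" at firewalling or the daemon not listening on that interface.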
Since then it has been working pretty well. I have a Token on my phone and one on my Mac, although the mac token and phone tokens are a few versions behind the current version (the current token wants a higher Java version than you can get on a Mac, which is quite frustrating).
One other issue I have is that I have to request a passcode 2-4 times before I get a passcode. On my phone this is not the case, so it could be a network issue or perhaps a Mac / token issue. Frustrating nonetheless.
Other than those two minor issues the solution works well and I like the Wikid Auth system. Another cool feature is you can have wikid “domains”, which allow you to have different zones of authentication while using only one token; for example, I can use a domain to authenticate to my VPN and another (same token, protected by a different PIN) to authenticate to my linux servers!
Zero Day Internet Explorer Exploit
Check it out: http://www.microsoft.com/technet/security/advisory/961051.mspx
I hope to catch the exploit in the wild and inspect it. It would be cool to create an inline snort rule to catch this to protect networks.
Farewell November
In the last month:
- Spent a lot of time working from home (it’s driving me a little crazy)
- Reading a book called “The experience that counts” by Jonathan Edwards
- Had a fight with emusic over not being able to download music I have paid for already, and lost. Eventually signed up again (to my disgust) and got “Beehives” by Broken Social Scene and “Microcastle” by Deerhunter
- Went mountain biking at dusk/night for the first time and had a ridiculously fun time
- Got my first ESX Virtual Server customer
- Made some progress on my 2 Factor Authentication project
- Been very naughty and not updated my blog