Sunday, June 29, 2014

VLANs vs Subnets

VLAN vs Subnet

---

Do you want to restrict traffic at layer 2 (switch - VLAN) or layer 3 (firewall - subnet) or both?

Do you need to cut down on broadcast noise (VLAN)?

How much overhead do you want to manage? 

Most VLANs are tied to one subnet so you typically will see subnets with out VLANs but not the opposite.

So if, for example, you want to set up a guest portion of your network and an internal portion for a SOHO you ca set up subnet 1 on firewall and VLAN 1 on switch that only works on subnet 1 for guests. Repeat for subnet 2 and VLAN 2 for your internal network.

You could have a DMZ hanging off the firewall that isn't behind the switch or in any VLAN.

A shared printer could hang off the switch not in any subnet or VLAN. (Just one option ...if you want to share thee printer between subnets.

Typically you'd have device connected to net, then firewall, then switch if separate devices.

A larger company might have more firewalls between different network segments.

If an APT (hacker) can get onto a device that has permissions in different subnets and VLANs, you're not really segregated.

---

Related Links:

Extensive Q & A - says VLANs more secure because not based on IP.

http://superuser.com/questions/353664/what-is-the-difference-between-a-vlan-and-a-subnet

VLANS and Subnets - 10 things you need to know 

http://www.industrial-ip.org/en/industrial-ip/convergence/vlans-and-subnets-10-things-you-need-to-know

VLAN vs Subnet - says VLAN can be hacked but does not expound. Includes configuration.

http://blog.router-switch.com/2014/03/vlan-vs-subnet/

Interesting discussion of segmenting traffic at Layer 2 and 3 - pros and cons of VLANs vs. subnets. Understand your network traffic.

http://serverfault.com/questions/54417/best-way-to-segment-traffic-vlan-or-subnet

Thursday, June 26, 2014

Java JIT Optimization

Write short methods for inlining.

Avoid polymorphic dispatch on same call site - putting different types in a list and call a method.

Keep small objects local to aid in escape analysis

Use intrinsic methods. (putLong, etc.)

Inspect inlining - PrintInlining, PrintAssembly (yeah...we all know assembly....)


Friday, June 06, 2014

Secure Java Programming

Notes for secure Java programming

Normalization - convert all data to common format before checking input since the same character can be represented by different codes in different languages and character sets.

http://docs.oracle.com/javase/tutorial/i18n/text/normalizerapi.html

Code injection - injecting commands into exec statements in Java, for example.

Identification - who user is

Authentication - verify person is who they say they are. Make sure you are using a reputable, solid JAAS implementation

Authorization - verify user is allowed to perform selected action. Many options: again make sure solid source and reputable vendor, well tested over time.

Output encoding - let everything come into your app, then validate and make sure data cannot be executed as code when submitted to any other process. Encode special characters for the output context.

Blacklisting - many ways to bypass. Not best approach. Characters in different languages, character sets.

Whitelist - only accept known good characters. Hard to do because can break functionality - such as when checking names or passwords that may have special characters.

ReDoS - regular expression denial of service attack.

- Deterministic regular expression engines try to match one time

- Non-Deterministic regular expression engines try multiple times - can craft inputs that take systems down. Beware of repeating groups and make characters required if possible.

Use parameterized queries wherever possible to prevent SQL injection

Can use Apache XML encoding library to encode XML data, for example

Jdgui - Java decompiler

JavaSnoop - debug Java code without the source code. Defeats obfuscation tools:

http://resources.infosecinstitute.com/hacking-java-applications-using-javasnoop/

Consider implementing sensitive code in C/C++ and call using JNI. Allows advanced obsfucation, anti-debug, anti-tamper tactics.

Obsfucation and compiling to native code (Excelsior JET, GCJ -- may not be production ready) can make it take longer to get source.

Don't trust client. Even if behind firewall. Some sources report over 50% of breaches are by accidental or intentional insiders. Phishing and social engineering can cause user machine to be hacked and used by an attacker.

Validate XML against XSD (javax.xml.validation.Validator) or DTD (javax.xml.validation.Validator

XML injection - alters XML to invalid format.

XPath injection - XPath concatenation can allow querying additional information. No such thing as parameterized queries for XPath.

External entity attack. Use of word SYSTEM goes external file doctype, entity which can include malicious entity replacements, try to read system files or create DOS attacks.

XML entity expansion attack. Recursive entity replacement to create huge payload what parsed even though initial input is small.

To prevent XML attacks can configure XML parser to disallow vulerable features.  Disallow doctype declarations, turn on FEATURE_SECURE_PROGRAMMING. If you require external doctype declarations write a custom entity resolver - this is complicated. Static analysis tools may check for this.

Path Manipulation Attack -unauthorized access to files by breaking out of current path or accessing a file via absolute path. To prevent verify you are in expected directory before proceeding.

Use Java Security manager to limit what code can do. Run your application with the security.manager flag and specify policy file.

Temp files may be pre-created with malicious content. On Unix systems create a symbolic link. Java now has ability to set file permissions.

java.util.random - predictable

Java 7 introduced several new methods in the java.nio.file.Files can create file names with unpredictable names. Also will not create a file if file with that name. Also has shutdown hook to delete temp files. java.io.File.deleteOnExit()

In Java 7 try statement can have objects that implement closeable interface which will be automatically closed on end of try.

Java 7 has a multi catch block to handle multiple types of exceptions.

Race conditions - timing issues while accessing resources causes data to be invalid.

TOCTOU - check a property on a resource then someone changes that resource before the resource is used.

Java Files API has TOC/TOU issues. Checks file properties, then properties could be changed before the file is used because the files API works on file paths. Using the File object does not have this vulnerability because it gets a handle on the actual file.

Deadlocks can cause DoS attack.

Encryption problems: skipping cert checks, no hostname check, no certificate validation, no certain in truststore

HTTPSUrlConnection in Java does this for you - other libraries do not




Thursday, June 05, 2014

Chef, Ansible, Puppet, Salt

Articles comparing Chef, Puppet, Ansible, Salt

Comparison
http://m.infoworld.com/d/data-center/review-puppet-vs-chef-vs-ansible-vs-salt-231308

Usage Stats
http://redmonk.com/sogrady/2013/12/06/configuration-management-2013/

Ansible beats salt on security 
https://missingm.co/2013/06/ansible-and-salt-a-detailed-comparison/

Ansible vs Puppet, Chef
http://probably.co.uk/puppet-vs-chef-vs-ansible.html

A search of the Mitre cve database shows some pretty substantial vulnerabilities in salt, most in Puppet (but is most widely used and been out longer), least for Ansible:

http://cve.mitre.org/cve/

Ok after all that I lean towards Ansible but need to try it. I like the idea of using a language popular with says admins vs. a customized language. The model of agent-less appeals more from a security and administration standpoint. Agents can't be hacked if not there. Push vs. pull can get changes out more quickly. This - having not yet used the tool. But I also know the AWS kids at Amazon use it and love it.

Here are some interesting ideas to try:

Fixing HeartBleed with Ansible
http://www.ansible.com/blog/fixing-heartbleed-with-ansible

Secure MySQL with Ansible
https://coderwall.com/p/yez9yw

Ansible SSH security considerations
http://stackoverflow.com/questions/23704437/security-considerations-when-using-ansible

As noted in previous posts I am interested in storage of keys separate from data as number one problem with encryption in companies today. Earlier this year Ansible added a vault feature. Will be interesting to see how this works and if facilitates this separation.

http://www.ansible.com/blog/2014/02/19/ansible-vault

Web Security Vulnerabilities

Same Origin Policy: ability for web browser to restrict scripts from accessing DOM properties and other methods of another site.

JSONP - opens up a lot of risks. Recommend not using.

DOM based cross site scripting

Cross domain messaging

Stealing data from web storage

Risks introduced by HTML5 elements and attributes (Video, Auduo, Canvas, Geolocation)

Architectural Flaws, Implementation Bugs

Can run into buffer overflow with unmanaged code in C#.

XSS - JavaScript can be injected by many different tags: video, script, etc. Insert JavaScript into form, URL or submit malformed request straight to server to direct response data to an alternate site to steal data. If can get a user to login to a malicious page can steal credentials and session IDs.

Input encoding - attempts to block certain characters with white lists, black lists, exact match, semantic rules.

Output Encoding - may be preferable to input validation. This tactic allows entering any character but encoding problematic characters so they won't be interpreted as executable code. There are common encoding libraries but some are not suitable for production. 

Output encoding should be done for any user or 3rd party input in HTML, CSS, JavaScript, URL, etc.

SQL injection: insert SQL into web inputs to run arbitrary SQL code against web database. First step is to insert a single quote. Is site is vulnerable will throw an error. Check version, etc. To get database type. Then query system tables, columns. Then execute random SQL. Not always that simple but that's the gist of it.

Session Vulnerabilities:

Session Fixation: change session ID after login

Session Prediction

Brute-Forcing

XSS

Eavesdropping: Fireshoot plugin - keep session URLs on SSL.

Cross Site Request Forgery - making a request to another site, which is different than XSS which injects code into a request. Example - loading an image from another site would include information in cookies from the image site which could be used be the site including the image link. So for example, if someone is logged into a site and an email is sent including an image but the image includes a malicious command, the cookies are included when the user views the image and will allow the malicious action to occur. To prevent: #1 have to prevent XSS. #2. Tokens per session, page, form. Not in a cookie, tied to session.

When using an iFrame can set sandbox properties so no code in the iFrame can affect the page embedding the iFrame.

Client side validation can help reduce load on the server but should never be used for validation because client side validation can be bypassed by web site visitors.

TamperData Firefox plug in alters web request submissions.

Set autocomplete = off in input fields.
 
For Web Storage introduced in HTML5 store sensitive data in session instead of local so is not persisted. 

http://www.w3schools.com/html/html5_webstorage.asp

Indirect Reference Map - map fake data to real data and only send fake data to the browser and map it back to the real data for server processing.

LSASS system service runs on Windows. .Net apps can use it to encrypt values and only use the encrypted values in memory.