VPN Part 2 Remote Access

A remote access VPN is what you would use to connect to the office network from a computer that is outside of the LAN. The practice manager might have a computer at home that she wants to connect temporarily to the network to do some remote work

In this scenario, the remote computer runs a VPN client software which creates a virtual network adapter on the client computer. The VPN server will need to authenticate the remote user, allocate an IP address to the remote client and inform the client of the DNS server on the home network to use. It will also need to add to the client PCs routing table the VPN server’s end of the tunnel as the gateway for packets destined for the office network

VPN technology that traverses NAT such as SSL, IKE , SoftEther etc will easily work behind the home router. A static IP address is not needed for the remote user’s home network.

The steps for the remote user are to connect to the VPN and then use a tool like remote desktop connection to connect to a computer within the office network. This technique is very resistant to compromise by ransomware

The Email Problem

The two most common distribution vectors for ransomware are RDP and email.

RDP is relatively easy to secure by interposing a VPN.  The email route poses a near intractable threat.

As mentioned under firewalls, a NGFW can do a good job of combating most email threats.  Webmail services can be made subject to a custom policy and subjected to deep ssl inspection.  This should trap most infected emails.  The policy often requires nomination of webmail services and because there are so many some may still slip through.  It is difficult to prevent end users from using their own insecure webmail services.

The business’ main email can be protected by mail scanners – there are various services available.  The effectiveness of these services is unknown

Virus scanning is in itself imperfect and hit rates for new viruses can be modest leaving open a significant security hole

The only highly effective strategy is browser isolation.  This is a difficult technique where the internet browser itself (eg google chrome) is actually running on a virtual machine on an isolated network segment.  If a virus is downloaded and opened on that network segment, it will not be able to propagate through the office network but will remain confined to the segment.  This can be implemented as a “browser server” which is itself a virtual machine in a unique segment.  In the event of infection, the browser server can be instantly rolled back to a safe checkpoint

It is moderately difficult to configure this so that the isolated browser can print.  Being able to attach or detach files to email in the main office network poses significant issues. 

Simple and cheap browser isolation solutions do not yet exist.  It is a key objective for cybersecurity and is a commercial opportunity for a clever developer.

The combination of securing RDP and browser isolation would reduce the ransomware risk to close to a negligible level.

Virtual Private Networks (VPN) part 1 site to site

We use VPNs to enhance network security in two ways : site to site VPN and remote access vpn

A site to site VPN creates a connection between two private networks via the internet. The simplest example is a business with two sites. Each has its own internet connection

site 1 : 192.168.0.0/24 router R1 192.168.0.1 external IP address 203.45.30.45

site 2 : 192.168.10.0/24 router R2 192.168.10.1 external IP address 84.33.24.77

Ideally, each of the external IP addresses are static IP addresses – that is they do not change. The two routers create a secure tunnel between themselves and create a tunnel interface. Let’s say R1 has a tunnel interface of 10.10.10.1 and R2 has a tunnel interface of 10.10.10.2

The static route from site 1 (network 1) to network 2 needs to be set in router 1 ie

Ip route 192.168.10.0 255.255.255.0 10.10.10.2

so an attempt to go to a computer on network 2 C2 192.168.10.90 from a computer in network 1 C1 192.168.0.55 is as follows

the C1 determines that the packet needs to go out of the subnet, sends it to the default gateway R1. R1 matches the destination against the static route and sends it to the tunnel interface on R2. R2 knows how to send the packet to C2 and does so

You will need the opposite route configured as well ie

Ip route 192.168.0.0 255.255.255.0 10.10.10.1

Now computers can see each other regardless of which site they are on.

This functionality is built into Next Generation Firewalls but often is available too on cheaper commodity modem routers as well. It is possible to tunnel from within the network with technology such as SoftEther or OpenVPN but the routing is more difficult

How Much can a NGFW do?

A next generation firewall can add a great deal of security to the network. Configured correctly it will not allow connection to known malicious sites. It will scan all unencrypted traffic so has a good chance of blocking the downloading of a virus from a website if that download is not using encryption. One hopes that malicious websites do not have a certificate that is trusted although that cannot be relied upon. Malware authors have previously hijacked certificates to allow such traffic through. In general, the NGFW will not scan the contents of encrypted (https) webpages unless configured for deep ssl inspection. If so configured, many services within the network such as Windows Update may stop working .

Webmail clients such as gmail use https for communication with their servers so unless deep ssl inspection is enabled for webmail services then the NGFW is not protecting against ransomware delivered by that vector.

In order to enable the use of this email with the deep inspection necessary to detect the viruses it is necessary to install the NGFW certificate on all of the client computers that will use the email. Email remains the number one infection route for ransomware so this is a very important albeit moderately difficult to do step.

Versioning

A backup system with versioning allows the reconstruction of a given file or set of files at a particular point in time.

Say you have a file important_stuff.docx

and this file gets corrupted – by you, by accident or by ransomware

Without a versioning system, the backup will be corrupted along with the original. Obviously with many and large files, the problem is that storing multiple copies of the file starts to use up a lot of disk space.

Efficient backup systems will store either the original (O) and the changes so that the 3rd version can be created from O+1+2+3 or will store the most recent (C) and the reverse changes so that the third version of 4 can be created from C -1 .

Most ransomware will attempt to modify the file in place and then rename it. Backup software without versioning works most of the time (assuming the location is safe) by keeping the original and the corrupted version. However, some versions of ransomware do not rename the file and without versioning, the backups will also be corrupted.

Virtual replica and backup

One of the fantastic things about using a virtualized environment for your key servers is that you get Disaster Recovery, Ransomware resilience and Backup in one solution

I have used Hyper-V as the virtualization platform but VMware, Virtualbox, KVM and others can also be used.

Replication involves maintaining a live copy of the virtual machines on a second physical server. The capability is built into Windows Server. The replica server is updated at intervals as short as 30s. In the event of a physical failure of one server, failover to the replica server is quick and easy.

You can also run backups of the virtual machines on the main server so that you can restore a machine to a particular (last good) point in time in the event that the files are corrupted – for example by Ransomware. Veeam and Altaro and others provide good products for this.

The easiest way to use Microsoft Hyper-V is to purchase 2 licenses for Windows Server 2019 standard and deploy this on two computers – the primary server and the replica server. The replica server can be lower spec hardware and is to be used temporarily if there is a physical fault in the primary server. This also gives the right to have two virtual installations of windows 2019 for say domain controller and main medical software server.

This is a relatively expensive solution – the two licenses together are over AUD 3000. If you have an existing domain controller there is a cheaper but much more difficult way to do it.

Microsoft Hyper-V server is a free product which runs on the bare metal and it is possible to configure replication on the platform.

Remote File Systems

One feature of computer networks we use at the office is access to files that are on a remote server. This might be a shared drive, a networked attached storage or similar. The capability is also used by much medical and imaging software. Software on the client computer accesses files on a remote computer via a share. Underpinning this capability is a brilliant invention – the remote file system.

Although there are a number of these systems including AFS and NFS, almost all such communication is now done through the Microsoft Server Message Block (SMB) file sharing system. The system offers great flexibility including strong authentication of users, authorization of rights to those users and the ability to lock all or part of the file to prevent two users simultaneously accessing the file making incompatible changes.

In a Windows Active Directory, the system is even more powerful with the Domain controller performing authentication of users with a powerful encryption system known as Kerberos.

Unfortunately, the power of SMB file sharing also yields its key vulnerability to ransomware. Malware that runs within the context of a logged on user can use the credentials to traverse the network, finding network shares on all computers on the domain. Worse, for computers running Windows 8 or earlier, the malware can actually extract username and password from memory. If that user has domain administrator privileges, the malware can destroy the whole network. The malware can also run a dictionary attack within the domain to try to crack the “Administrator” account giving it supreme power within the domain – even able to lock out all existing users

Using SMB file sharing as the method between client and imaging server constitutes and unacceptable security risk by design. Software and hardware vendors should be strongly discouraged from using this technology – convenient though it is

The other consideration is that backups created using this technology are also extremely vulnerable to ransomware which will seek them out. It is much safer to send the backups to a remote location by a technology other than SMB file sharing

It is precisely the fact that the ransomware targets and often succeeds in destroying backups before or at the same time as attacking the primary files that makes paying the ransom often the only option

The way back – Static routes

Our recommendation is to segment part of the network behind a routed firewall to protect backups and virtual hosts. The problem is that computers on our general network cannot find the secure network segment.

Our general network, including our virtual servers (not hosts) are on the network 192.168.0.0/24 with a gateway of 192.168.0.1 Consider a computer on the network C2 with an ip address of 192.168.0.77

Our secure segment is behind a routed firewall. That network segment is 192.168.10.0/24 with a gateway of 192.168.10.1 Consider our host server H1 at 192.168.10.55

Our routed firewall F1 has two interfaces – one in each network. These are 192.168.0.2 and 192.168.10.2

So C2 tries to communicate with the H1. C2 determines that the address of H1 is outside of its subnet so it sends the frame to its default gateway. The gateway sends the packet out to the internet and not to F1. The communication does not find H1.

The solution to this problem is to add a route to the gateway router. In Cisco IOS this would be

ip route 192.168.10.0 0.0.0.255 192.168.0.2

With Cisco ASA it can be configured through the web interface

with a Fortigate it can also be done through the web interface

This complexity is difficult but necessary to maximally protect the secure network from a compromise of the office network segment.

Firewalls

A firewall is a device that separates two network segments and filters the flow of packets between them.

In general, firewalls are routers (routed firewall) but they can be between separate physical parts of the same subnet. This is known as a transparent firewall. In this scenario, you would have two switches, each connected to different interfaces on the transparent firewall. The advantage of this is that the firewall can be removed and the two switches connected together if necessary. This won’t work for a routed firewall because the two parts are in different subnets and still need a router. Either type of firewall is much slower than a network switch and most routers when they are not firewalled

A simple firewall will track outgoing requests (for example an http request for a webpage) and will allow the return traffic – this is known as a stateful firewall. It will also allow specified traffic to pass from the unsafe to the safe interface if it conforms to certain rules (port, protocol, source IP address etc)

This sort of firewall is good for the segment boundary but is inadequate for the interface to the internet. For that, a next generation firewall (NG firewall) is required. This will check each packet against regularly updated lists of threats. NG firewalls need an annual subscription. Popular models include Cisco, Fortinet and PaloAlto

Network Address Translation (NAT)

In thIe previous example, we had a router connecting our two private networks – the office network 192.168.0.0/24 (the /24 means a subnet mask of 255.255.255.0) and 192.168.10.0/24

So C1 sends the data to an interface on R1, R1 determines the destination is via its other interface and send the data on to O1. O1 needs to send the reply back to C1. It sends the reply to its gateway – the interface on R1 which sends it back out the other interface back to C1. This all works fine.

When C1 wants to send a message to gmail for example, it finds the address of the server by DNS. (you can do this yourself by typing nslookup at a command prompt).

gmail.com resolves to the IP 216.58.200.101 This is not in the subnet so the frame is sent to the router for the next hop.

The modem/router will have an IP address on the interface that faces the internet. This is known as the public IP address. You can find yours out by going to the website

What Is My IP?

without NAT, the return ip address for gmail will be the internal address of our computer C1 192.168.0.55 gmail has no way of sending a reply to that address and it won’t work.

What NAT does is that the router will change the return (source) address from C1’s address to its own public IP address (which gmail can find) and then when the return comes in to change the IP addresses again to C1’s address. It does this by maintaining a table of translations and manipulating ports. Ports are a feature of some level 4 protocols (above level 3) such as TCP and UDP. They are important to be aware of because firewall filtering can be done by port. Protocols that have no port cannot be processed by NAT. An example of this includes some of the protocols underpinning Virtual Private Networks (VPN). NAT will also make a mess of some other protocols including the Voice over IP protocol SIP