Hello again. I have a keen interest in network infrastructure since my experience with routers and switches had got me through 3 years of excellent work with the Bank of America. Security plays a great role in layer 3 and layer 4 traffic of the OSI layer. Today my major focus will be correlated to the security structure of any layer 3 device. I will not dwell into vendor based stuff as a lot of you out there would be running devices across vendors like Juniper, Cisco and Alcatel.
Given my focus is related to layer 3 traffic, i would be talking about securing routers, or internet facing devices.
What is a router? http://compnetworking.about.com/cs/routers/g/bldef_router.htm
Now that you know what a router is; there are three sub-divisions on a router. The control plane, the management plane and the data plane. As it is reflective, the control plane is the section that handles the routing and inherits the sole purpose of why a router is there. The management plane, describes how the router is managed and the protocols/systems involved in managing and governing a router. It can be also denoted as how the user interacts with the machine. The data plane, on the other hand, is the dynamics of packet transmission on the router. It can also be called the forwarding engine.
A detailed understanding of the three planes: http://networkstatic.net/the-control-plane-data-plane-and-forwarding-plane-in-networks/
From my perspective as a security technologist, and someone who has worked with this devices and managed them; this are a few points to take heed!
1. Update your firmware and this coincides with securing the operating system of the router.
2. Practice defence-in-depth; look at security as an onion; its made out of layers, peels.
3. Apply whitelisting instead of blacklisting; this gives lesser work to the hardware and believe me a great reduction of typing to do *haha*
4. Have a firm understanding of your networks, and routing protocols you implement to gain network connectivity to your neighbours.
5. Practice incident management and implement logs. Spend if you have to; this is a critical part of managing your devices.
6. Implement physical security, and login databases/credentials.
7. Do frequent auditing on your network devices such as routers and switches
From the above; key terms.
whitelists vs blacklists – i have written a post on this, check it out.
defence in depth: https://www.nsa.gov/ia/_files/support/defenseindepth.pdf
I believe most of you would have grind PCI DSS compliance into your daily coffee and have it all in your mind, so i will not state the obvious. View Section 2.3(x) from PCI DSS v3.1 to see this emphasis.
So what is the difference between the prior PCI DSS and the v3.1? The emphasis of compliance seekers to upgrade their SSL and anything under the belt of secure communications on the web to the point where POODLE does not affect the consumer. This means one would probably have to disable SSL3.0/early TLS for compliance. There are however, work arounds, to this; reading the paper from the link below would explain this in detail.
What is POODLE: https://www.openssl.org/~bodo/ssl-poodle.pdf
I am happy that PCI has taken a strong stance in this matter. Unlike the BEAST and Lucky 13, POODLE is a beast one can’t fix unless you remove it. Remember, PCI gives you till 30th June, 2016 to fix this in your system.
Sarbane-Oxley Act is a fundamental act that focuses on regulating corporate behaviour to protect financial audit records.
For the nitty gritty of Sarbane-Oxley Act: http://www.soxlaw.com
There are three key sections for IT Security; it is section 302, 404 and 802
For section 302, it is about corporate responsibility for financial reports. It is key to certify the validity of the financial reports using set controls.
For section 404, it is about management assessment of Internal Controls. It is the responsibility of the executive/auditor to confirm the effectiveness of the internal audits
For section 802, it is about implementing criminal penalties for altering documents. This section mandates the protection and retention of financial audit records.
As i would look at it, it works in sync with a set regulation of internal controls, which might stem from a NIST/ISO standard or government regulatory notions, and this act works as a policer to keep /maintain financial records securely.
No its not Shakespearean literature, it is openssl at its finest. 🙂
Having said that, we all know what openssl is right? I am sure yes, in simplicity, it is one way to keep your personal traffic out of bounds for internet voyeurs. Openssl has been the go-to-person for ages. I can definitely go on and on about it but seriously this post is not about “what” openssl is.
So for that knowledge; go here: https://www.openssl.org/
This also means, you now know where to get the latest information and the latest patches for your machines. NO bloody excuses. 🙂
So why does my heartbleed so bad?
It leaks a portion of the memory content from its heartbeat extension, pretty much being a snitch for evil guys out in the open. The problem with this is.. it is an implementation bug on openssl itself and not so much a blackhat violation from the wild. Given that the heartbeat extension plays a role in securing communications, this bug leaks, out the keys and the certification you long to keep private, maybe that naughty little cheat chat you have with some person. Somebody might just compromise your reputation with this bug.
SO, hey, upgrade unless you want to play a reality tv show or a voyeur show of personal info on the internet transactions.
For more technical details : http://heartbleed.com/
Upgrade! No more excuses hey.