IBM DataPower Overview

Posted: March 7, 2013 in Uncategorized

Business is changing; gone are the days when organisations could operate tightly corralled infrastructures for the benefit of their employees and a small number of large, similarly disposed partners.

Consumers demand instant access to relevant data and mobile updates in real time – updates relying on information hitherto locked tightly away at the heart of your business. Always-on access – that does not peak or trough with the traditional rhythms of the day. Downtime is not tolerated and security breaches can lead to a fatal loss of trust.

Simultaneously, organisations are expected to work seamlessly with an ever-increasing range of partners and loosely coupled – often startup – organisations that rely on technologies such as OAuth, JSON and Web Services to interact and provide services.

The impact of this is greater risk, more exposure to the internet and significant headaches for Security Architects and practitioners. Increasingly the Fortune 500 and even governments have been deploying IBM WebSphere DataPower equipment to meet these demands. Now Big Blue’s naming of products is something of a maze; I’m not sure how they intend to move the branding forward for clarity, but as the old joke goes, I wouldn’t start from here. The upshot of this is that it’s frequently difficult to work out just exactly what a piece of WebSphere equipment does, and particularly what a subset of the range – like DataPower – devices do. This posting aims to clear it up and describe some of the features, at least as they pertain to DataPowers.

DataPowers provide 2 main high-level uses:-

1. Edge Zone Proxy / Gatekeeper aimed at REST and Web Services

2. Integration between disparate services within or between organisations

DataPowers are not supposed to be used for complex aggregation tasks or to host WebServices themselves.

DataPower started its journey about 8 years ago when XML and Web Services were becoming increasingly voguish. The core of the concept is an XSLT capability that is compiled to machine language, enabling extremely fast XML and data manipulation. This capability has a clear use when dealing with high-demand Web Services, but also enables incoming requests and streams to be checked for data integrity and validation issues.

It’s now possible to see where the two main high-level uses come from. The ability to transform and validate incoming requests enables the DataPower to operate not only as a proxy but as a gatekeeper – effectively becoming an application firewall. The ability to rapidly transform data from one format to another makes the DataPower a potent integration device when systems are required to start talking.

So what other features recommend these systems?

The DataPower’s locked-down firmware places security first. Out of the box the system has no open ports. The OS is encrypted on flash memory with a key that is stored securely in an onboard TPM. On boot, decryption is only allowed once the boot sequence has been scanned for interference.

The system has built-in load balancing, allowing multiple devices to work as one and therefore maintain service in the face of failure.

It’s possible to specify the devices with an HSM, which is very handy if the device is terminating TLS/SSL or performing any kind of crypto.

The systems have built-in crypto libraries and authentication support for OAuth and SAML.

In summary, if an organisation is designing a SOA implementation and wishes to ensure low latency whilst maintaining a robust security posture, these devices are certainly worth a look.

We work in an environment that rarely allows security reality to match aspiration. It is still far too common to find even security-focused software making basic and fundamental errors, often in the arena of authentication, authorisation and audit. Role separation on security-critical tasks is rarely enforced and generic administrator accounts are frequently in common use.

This has particular impact for auditing; the organisation needs to be sure its logs are tamper-free, collected consistently by the SIEM and archived for potential investigations. If the SIEM or log management tool does not provide adequate authentication and authorisation then the organisation will fail most kinds of security audit and compliance activity. Unfortunately this is often the case, and the admin’s mantra of “if I can administer it, I can break it” will come to haunt you.

The following logging design pattern aims to control for these vulnerabilities. 

[Figure: GenericLogging]

The principal concept here is the Audit Integrity Zone (AIZ). This zone comprises several important logical elements:-

The first of these is the relay. This relay sits in series between the IT equipment generating the logs and the SIEM (or log management tool) that is ultimately collecting and acting upon the information generated. The relay passes the logs on to the SIEM and, most importantly, is administered by a different group than the SIEM.

The second of these logical elements is the archive. The relay passes the logs to an archive, within the AIZ, where the logs are stored and an integrity function is performed, e.g. a signed hash is also stored. Again the principle here is that you have an archive of the logs separate from the one associated with the SIEM, which enables the logs to be kept under different permissions and personnel.

Using this pattern you can be assured that no one administrator can delete or interfere with your logging, making you more secure and your systems more compliant.

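As an added illustration of the archive’s integrity function (example code, not from the original post): each log line the relay delivers is chained to its predecessor and tagged, so that a later edit, deletion or truncation of the SIEM-side copy shows up when it is checked against the archive. An HMAC stands in for the signed hash described above; the key, the log lines and the field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: log lines as the relay would forward them from the
# log sources to the archive (invented events, not from any real system).
SAMPLE_LOGS = [
    "Mar  7 09:01:12 fw01 sshd[4412]: Accepted publickey for svc_backup from 10.0.4.9",
    "Mar  7 09:01:40 fw01 sudo: svc_backup : COMMAND=/usr/bin/rsync -a /var/log /backup",
    "Mar  7 09:02:03 siem01 rsyslogd: action 'archive' resumed",
]

# Assumption: this key is held inside the AIZ and never by the SIEM team. An
# HMAC stands in for the "signed hash" the pattern describes, since the
# standard library has no asymmetric signatures.
ARCHIVE_KEY = b"constructed-archive-key-not-for-production"

def _tag(key, seq, prev, line):
    """HMAC-SHA256 over sequence number, previous tag and the log line."""
    data = json.dumps([seq, prev, line], separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def archive(lines, key):
    """Store lines as a hash chain; returns (records, head). Each record
    carries its predecessor's tag, so deleting or altering one record
    invalidates every tag after it."""
    records, prev = [], "0" * 64
    for seq, line in enumerate(lines):
        tag = _tag(key, seq, prev, line)
        records.append({"seq": seq, "line": line, "prev": prev, "tag": tag})
        prev = tag
    return records, prev

def verify(records, key, expected_head):
    """Recompute the chain. Returns (True, None) if intact; (False, seq) at
    the first bad record; (False, "truncated") if the chain is intact but
    ends before the head the archive team recorded out of band."""
    prev = "0" * 64
    for seq, rec in enumerate(records):
        if rec["seq"] != seq or rec["prev"] != prev:
            return False, seq
        if not hmac.compare_digest(rec["tag"], _tag(key, seq, prev, rec["line"])):
            return False, seq
        prev = rec["tag"]
    if prev != expected_head:
        return False, "truncated"
    return True, None

def tamper_demo():
    """Three ways a copy can diverge from what the relay delivered; each is
    detected when it is checked against the archive's recorded head."""
    records, head = archive(SAMPLE_LOGS, ARCHIVE_KEY)
    edited = json.loads(json.dumps(records))
    edited[1]["line"] = edited[1]["line"].replace("svc_backup", "nobody")
    return {
        "intact": verify(records, ARCHIVE_KEY, head),
        "edited": verify(edited, ARCHIVE_KEY, head),
        "deleted": verify(records[:1] + records[2:], ARCHIVE_KEY, head),
        "truncated": verify(records[:-1], ARCHIVE_KEY, head),
    }
```

The head value returned by archive() is what the AIZ team keeps apart from the records; without it a chain that has simply been cut short still verifies.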

Data, data, XML, data: it’s everywhere, easy to manipulate and transfer; difficult to secure and protect. This Python script will loop through an XML structure and encrypt the named fields. It uses the freely available pyDes and minidom libraries and is handy if you need to send sensitive data anywhere or simply store it. It’s very easy to use. This script assumes an XML file with the sensitive fields in nodes called ‘Classified’.


#!/usr/bin/env python3

# import modules (pyDes 2.x works with Python 3 and expects bytes)
from pyDes import triple_des, CBC, PAD_PKCS5
import xml.dom.minidom as dom1
from binascii import unhexlify as unhex, hexlify
import os

# Define 24-byte encryption key. I've put this in the code for simplicity;
# you should never store it plainly in the code. Apply it each time and remove.
EK = unhex("150DDCB0AE7904FD764551DC433D26195D5B04793854FEFD")

# Create DOM and load with batch XML
doc = dom1.parse("yourfile.xml")

# get array of classified elements
clEls = doc.getElementsByTagName("Classified")

# loop through classified elements
for clEl in clEls:
    # get the child nodes containing the data (copied, as we modify the element)
    nodes = list(clEl.childNodes)
    # loop through child nodes, encrypting and replacing the first text node
    for node in nodes:
        # skip anything that is not a text node (comments, nested elements)
        if node.nodeType != node.TEXT_NODE:
            continue
        # Define 8-byte IV; a fresh random IV for every field
        IV = os.urandom(8)

        # 3DES in CBC mode with PKCS#5 padding
        k = triple_des(EK, CBC, IV, pad=None, padmode=PAD_PKCS5)
        encCl = k.encrypt(node.data.encode("utf-8"))
        clEl.removeChild(node)
        # store IV then ciphertext, both hex encoded, so the IV is available
        # for decryption
        encNode = doc.createTextNode((hexlify(IV) + hexlify(encCl)).decode("ascii"))

        clEl.appendChild(encNode)
        break

# write out the encrypted document
with open("enc.xml", "wb") as f:
    xmlStr = doc.toxml("utf-8")
    print(xmlStr.decode("utf-8"))
    f.write(xmlStr)

In today’s Comment is Free piece Charles Arthur takes on the move to regulate porn.

Charles, like many of us steeped in internet lore since the dawn of dial-up, sees our beautiful world changing, our technology being corrupted… by the muggles!! We dreamt of mankind’s greatest thoughts shared and transmitted globally at the speed of information but got LOLcats and tracking and profiling and Facebook and now filtering. We see our dream dying, only to be left with intrusive industrial advertising and government control.

So Charles is right: if the Internet is going to remain a force for change and a motor for humanity then its core strength must be protected, its very liberality a sacrosanct demonstration of freedom!! I get it, I truly do, but unfortunately it then goes wrong, and it goes wrong by denigrating a very simple wish.

“People do not want their children to view unsuitable material on the internet.”

It is their right to decide what is suitable for their children. In this piece anyone of this quite rational opinion is systematically shredded. Despite admitting twice in the article that there is a problem with porn on the internet, Charles never seeks to address the internet community to solve it. Politicians are devious populists trying to shore up support. Press support can be dismissed as right-wing blimpery, but the greatest ire is reserved for parents. You see, the reason that your child might see porn on the internet is that you are a bad parent and not a good, progressive, techno-savvy parent of the type that might read the Guardian. The piece assumes that all inappropriate material is seen by kids on machines that shouldn’t be in their rooms, which should always be within the view of an adult, and that you should use the filters that are built in.

So my 7-year-old was doing a project on Florence Nightingale in the dining room, and about halfway down the Google image results for Lady of the Lamp… well, let’s not get into it.

YouTube allows access without logging in and will show anything at all; there is no granularity between Lego games and video game violence or naked girls. There was no filter for this – I blocked YouTube completely using a technique that one wouldn’t expect the average parent to know.

Here is a sobering thought. Charles dismisses Claire Perry, the MP that wishes to introduce regulation, with the hackneyed idea that the internet routes around censorship as it was designed to survive a nuclear war. This was true of the original internet; however, Egypt turned off the internet during the revolution by placing 4 calls to the 4 ISPs that operated there. We also have 4 that cover 96% of the UK.

The problem here is that unless we engage positively with the real concern, those uninformed voices that wish to block the internet at the ISP level will win.

There is a risk, and it’s down to the tech-savvy to develop controls that mom and pop can easily use to protect their family. If our vision of the internet is to survive we cannot live in the past and we cannot reach for misplaced superiority.

Identity and privacy on the internet are increasingly fraught issues as the rapid pace of change continues to challenge governments, excite citizens and disrupt businesses.

Governments, usually citing counter-terrorism or combating paedophilia, seek to monitor our email and web interactions; witness the recent furore in Britain as the coalition proposed the installation of on-demand snooping equipment at ISPs – http://news.sky.com/home/uk-news/article/16200559. This may or may not happen, but under the provisions of the Patriot Act the US can already read any information held by US companies even if those servers are outside the US; that’s anything on Facebook, in your Dropbox folder and all your Gmail. Meanwhile businesses make billions collecting every last piece of behavioural information possible. If you have a Facebook or Google account then not only do they store the huge amount of information we directly share, but as you surf the web all those little Facebook Like and Google Plus buttons enable them to know every site you visit – even if you don’t click them. The reality is that every search, every click and every status is catalogued and analysed in order to bring higher-value advertising to your screen.

In the other corner we have a groundswell of groups emerging and evolving that rely absolutely on the traditional secrecy of the Net: groups with political agendas, technical savvy and the conviction that freedom is utterly dependent on anonymity. Wikileaks gives us the skeletons that governments wish were firmly tucked away in the closet. Occupy protests, hidden behind their Vendetta masks, cascade from city to city threatening authoritarians and democrats alike, and of course Anonymous move from corporation to government spying agency, probing and taunting with apparent impunity.

The paradox is that both sides believe they are doing the right thing. Identity allows for reputation; it breeds trust, co-operation and frequently security. I’m more likely to lend you money if I’ve known you some time and know that you are who you say you are. On the other hand, democracy depends on the anonymity of the secret ballot, and freedom is crushed if we live in fear of being identified and pursued for what we say. Most creativity and originality is honed and polished in private, free from the premature judgement of the status quo.

The question becomes how do we operate online in an environment where both identity and anonymity have real value?

Luckily, within computing we have had a similar issue for years with regard to the privilege of the accounts we run under. Since the dawn of Unix, admins have repeated the mantra “We don’t run as root” – the account with the privilege to do anything on a system. For security reasons we mandate running with a standard account until such time as we need that privilege, and only for so long as we need it.

This is the Principle of Least Privilege, and it’s time it had a counterpart, a Principle of Least Identity, built into our legislation, networks, operating systems and applications. We would run in a state of anonymity until we needed to identify ourselves, for some agreed useful purpose, and only for as long as it was required.

How would this work in practice?

1. The principle needs to be built into law in those democratic societies where the rule of law must be followed. If it is to hold any power over the big hitters in cyberspace and government, it needs to be part of data protection, enshrined as part of free speech and backed up with significant penalties.

2. Our ISPs would be required to rotate our IP addresses relatively frequently so that 3rd parties could not track our Internet usage.

3. ISPs would only retain usage records in cases where a person was suspected of serious illegality or terrorism and then only in response to an order with judicial oversight.

4. It would be illegal to sell or provide a browser that had 3rd-party cookies enabled by default. This is one of the primary ways that organisations track you across the web; the Facebook Like buttons and similar only operate because 3rd-party cookies are allowed.

That would be a start amongst many other possible measures.

There are some serious dangers here: the Internet is rapidly moving from a wild west of anonymity to the loaded dice of government and corporate snooping. Most citizens don’t understand or care, and those that do have the skills not only to avoid snooping but increasingly to fight back. Witness the websites of the CIA and MI5 being DDoS’d off the web by Anonymous last week. If this is not to get worse then saner heads need to take action to enshrine a Principle of Least Identity into our networked world.

In subsequent articles I’ll address individual steps that you can take to protect your identity online.

Footnote: the day after writing, the following appeared on the security blogs: Anonymous vs CISPA

Posted: April 30, 2012 in Uncategorized

Creating a PEM file from PFX

Posted: March 2, 2012 in Uncategorized

Many systems such as networking kit and iLO cards insist on PEM format certificates, which is a problem if you are in a pure Microsoft environment as it doesn’t output in this format. You will need to use OpenSSL.

Having installed the cert created with certreq, you can use the Certificates MMC to export it: http://support.microsoft.com/kb/232136.

Having done so you can use OpenSSL to convert it to a PEM file:-

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

On the client, create an .inf file as follows:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="etc"
KeySpec=1
Exportable=1
MachineKeySet=TRUE
ProviderName="CSPName"
ProviderType=1

[RequestAttributes]
CertificateTemplate=<Template>

Process the request:

certreq -new infile.inf reqfile.req

certreq -submit -config <CAComputerName>\<CAName> reqfile.req

(If you received a request from a different source without a named template, use the following: certreq -submit -attrib "CertificateTemplate:YourCertTemplate" -config "<CAComputerName>\<CAName>" reqfile.req)

Save the certificate as cert.cer and install it in your store using certreq -accept cert.cer
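An added example, not part of the original post: the single PEM file that the openssl pkcs12 command above produces also carries the Bag Attributes, subject and issuer lines OpenSSL prints between blocks, and many devices want the key and the certificate chain as separate clean files. This Python splits them, keeping the key file owner-only because -nodes leaves it unencrypted; the sample output and its base64 bodies are constructed placeholders, not real key or certificate material.

```python
import base64
import os
import re

# Constructed sample of what `openssl pkcs12 -in cert.pfx -out cert.pem -nodes`
# writes: the Bag Attributes lines come from the PKCS#12 export; the bodies
# are placeholder base64 text, not real DER.
SAMPLE_PEM = f"""Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
{base64.b64encode(b'constructed placeholder private key, not a real key').decode()}
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = ilo01.example.test
issuer=CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
{base64.b64encode(b'constructed placeholder leaf certificate').decode()}
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Issuing CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
{base64.b64encode(b'constructed placeholder issuing CA certificate').decode()}
-----END CERTIFICATE-----
"""

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

def split_pem(text):
    """Return {"keys": [...], "certs": [...]} of complete PEM blocks, dropping the
    Bag Attributes/subject/issuer lines; raises ValueError on a bad block."""
    out, label, body = {"keys": [], "certs": []}, None, []
    for line in text.splitlines():
        m = _BEGIN.match(line)
        if m:
            label, body = m.group(1), []
        elif label is not None and line == f"-----END {label}-----":
            base64.b64decode("".join(body), validate=True)  # base64 syntax check
            block = "\n".join([f"-----BEGIN {label}-----", *body, line]) + "\n"
            (out["keys"] if label.endswith("PRIVATE KEY") else out["certs"]).append(block)
            label = None
        elif label is not None:
            body.append(line.strip())
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return out

def write_split(text, key_path, chain_path):
    """Key to an owner-only file, certificate chain to another, which is what most
    devices expect. With -nodes the key is unencrypted, so guard it like the PFX."""
    parts = split_pem(text)
    if len(parts["keys"]) != 1:
        raise ValueError(f"expected one private key, found {len(parts['keys'])}")
    with open(key_path, "w") as f:
        f.write(parts["keys"][0])
    os.chmod(key_path, 0o600)
    with open(chain_path, "w") as f:
        f.write("".join(parts["certs"]))
    return len(parts["certs"])
```

Run write_split(open("cert.pem").read(), "cert.key", "chain.pem") on the real export; the certificate order in the chain file is the order OpenSSL wrote them, leaf first.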

ClmAuthAgent Troubleshooting

Posted: February 28, 2012 in Uncategorized

CLM is a smart card management suite from Microsoft and a tricky little beasty to configure in any environment other than the trivial one in which the Microsoft documentation is set. The system operates under a number of accounts, of which the AuthAgent is one of the most important. Problems here will manifest as an inability to log in after the splash screen. Check the following:-

1. It has read on the certificate templates required

2. It has read on the subscriber groups (these are simply any groups you have configured in AD to contain recipients of smart cards)

3. It has read on the LRAs (these are simply any groups you have configured in AD to contain issuers of smart cards)

4. It has read on the connection point.

5. It has read/write on Profile Templates

6. It is a member of the Windows Authorization Access Group (if AD was created without permissions compatible with pre-Windows 2000 servers)

Autoenrolment GPO Bug Server 2003

Posted: December 19, 2011 in Uncategorized

Autoenrolment GPO Issue in 2003

There are 4 settings in a 2003 GPO that affect autoenrolment:-

1. Do not enroll certificates automatically
2. Enroll certificates automatically
   a. Renew expired certificates, update pending certificates, and remove revoked certificates
   b. Update certificates that use certificate templates

The first is self-explanatory; however, the second does not always work as advertised. It is common to create a GPO at the root of your domain and enforce it. In doing so, the settings contained are enforced throughout the domain no matter what GPOs you may put in lower down. It is also common to apply your autoenrolment settings here, ensuring that anything you set up for autoenrolment on the certificate templates can receive its certificates without further issue.

The problem occurs if you tick option 2 without the two sub-options a and b. The setting does not get applied, and any GPO further down the tree that touches these settings will take precedence. Oddly, if you then tick a and b and then untick them, the setting does work and the enforced GPO works.

This can lead to some very odd behaviour, with admins setting all 3 lower down with initial success, only to find later that re-enrolment disappears with no apparent change in policy.

It can also lead to severe head-scratching as you try to work out why the enforced policy does not appear to be taking precedence.

Useful iPhone security tip: http://blog.intego.com/2011/10/14/google-safe-browsing-data-syncs-to-ios-devices-via-itunes/