thegeezer <thegeezer <at> thegeezer.net> writes:


> > I'm researching where we run all sorts of applications very securely,
> > for one person at a time. It's eventually (hopefully) going to be
> > a full LMS Learning Management system, something comprehensive, maybe even
> > www-apps/moodle and or SWAD. Eventually a full ecommerce system, just
> > for one company, not as a service to others.
>
> sounds interesting. going for full interactive video distance learning
> too would be a great direction to take, especially if the teacher
> controls who has audio (to speak).
>
> the only thing i would add is to keep each system separated as much as
> possible. don't put everything on one server. bad things happen to good
> people so try to make sure one thing doesn't affect another. depending
> on the age of the people you are helping they probably will try to use
> latest scriptkiddie toys against you first, so think about the ingress
> and egress of the network and of the individual nodes when you think
> about security.

We're planning on lots of unwanted noise from a range of talented
problem hackers. Eventually a massive VM system approach will be
deployed, but first I want to test security the old-fashioned way....

> > But for now, just running various forms of secure, minimized DNS. Some
> > machine controls (SCADA) will use the DNS as part of the SSL services.
> >
>
> scada huh. i wouldn't put it on a public facing internet connection.
> even on a network connected to things i care about. i'm sure you have
> good reasons, i would probably urge you to reconsider them [3]

Let me share a little background with you on SCADA. Most networks that
have SCADA on them are really poorly secured. It's just layers upon
layers of MS crap. I do not design those sorts of machine networks.

I have been given the opportunity to 'fix' many such networks. Most I just
walk away from. I employ techniques I would characterize as "network
partitioning" and "asymmetric traffic routing" and loads of passive
monitoring and profiling. Many scada networks have all sorts of
improperly configured devices, bounced packets, and no sort
of 'state machine' design on what is and is not needed, how often
and why. They have evolved, mostly by technicians and poorly trained
IT folks that just 'got it to work' without optimization or system
design constraints being enforced. Far too many folks and machines
are present on those critical networks. IT folks view a 20 million
dollar gas turbine just like an expensive printer. Hacking them
is trivial. Most SCADA networks have MS servers on the same segments for
the 'convenience' of all sorts of non-essential personnel. To boot they
put video surveillance networks in place, so the hackers can actually
"see" the physical layout of the plants. Stupid does not begin to
characterize the mistakes common to scada operations.

You have the very wrong impression of my scada network designs. Most
companies I talk to do not like my 'draconian' designs, and I'm never
going to be responsible for MS inspired, stupid networks. That said,
the big vendors do make billions of (scada) dollars and I search pretty
hard for companies that will listen and I like enough to work for.

Networks with many machines and without humans are easy to secure,
you just have to think out of the box a bit.... (sorry, trade secrets here).
Just keep anybody with an MBA out of the process.


> >> if you are looking for dynamic dns updates you want to make sure you
> >> have auth by secured ip (encrypted traffic) and you want to guard your
> >> keys to allow DDNS.
> >>
> >> DNSSec is to prevent MITM attacks such as DNS cache poisoning, and you
> >> can see some starter material at ISC BIND website [1]
> > DNS sec will be down the road. I have time to build, test, research
> > and adjust the strategy as this goes along. It's not fixing a desperate
> > situation; more along the lines of building up various secure dns
> > platforms along an increasing features set.
>
> if your scada devices are using the public internet to get to your dns
> servers i would seriously urge you to rethink things, even if you are
> using dnssec.

Ok, so even though folks consider these 'devices' as scada, I do not.
I mostly work on industrial control systems, when I choose to do scada
work.

What you are referring to, something like using a cell phone to open your
front door, turn on the hot tub, or manipulate your audio gear, is not
really what I consider scada, but others do. If those things get hacked,
you flood a basement, illegally enter a house etc etc. Bad things but
not really catastrophic to the neighborhood. For me, scada means
big industry, water supply, chemical plants, manufacturing etc etc.
So if you hack them, costs rise astronomically, very quickly. Loss of
life is a distinct possibility. These types of things should not
depend on MS anything, or using the open internet for anything. Few listen
nowadays, because of the allure of sexy visual candy for folks that
do not need access to the data/controls/equipment. Large telecom companies
are the worst offenders; that's why the gov. is not considering them
to mandate security standards, under the guise that it is for their
customers......


Stuxnet was a wake-up call. Few listen. Far, far worse is bound to happen,
sooner or later.


> >> In terms of "hack my dns server" there are many things that can hamper
> >> it - something at the bleeding edge like gentoo is ace for this kind of
> >> thing (*cough* centos is prehistoric *cough*) and if you were to load up
> >> metasploit with ISC specific filters you can try to see what is
> >> vulnerable. you can filter by CVE on your favourite website [2]
> > Yep:
> >
> > http://cyberarms.wordpress.com/2014/04/20/detecting-openssl-heartbleed-with-nmap-exploiting-with-metasploit/
> >
> > I got that, hence the advice is being sought out, first.
> >
> and bear in mind the security in depth. your perimeter will be bypassed
> - what happens next is down to you.
> you are looking at having possible external user generated web content

I'm looking for consolidated information. I have a very very good track
record for (2) things. Keeping machines very secure and pissing
off managers by designing systems with a need to know and very very
limited access. I usually save folks significantly by using the word
"No" to all sorts of stupid ideas. One customer paid me out a fraction of
the savings they realized, for a very long time.

What managers need are reports from databases on systems, production and
security scans, not real time access...... However, go to a trade show
on scada and it's a feeding frenzy for hackers....... Vendors are putting
controls on cell phones and have security equivalent to WEP.

Thanks for your input. My goals here are building a series of dns servers
from very simple and very secure, and on up, slowly learning and creating
a portal for others to experience what I figure out. My techniques on
machines are pretty much unpublished and unique. In a big industrial
environment, I teach folks to build something unique, and not follow
the vendor main-line approach. Few listen, hence all the noise lately
about the Chinese hacking industries in the US...... The sad thing
is most industries think the US government is watching their network,
will swoop in just in time to save them, and not make the managers look
like idiots, when press reports are leaked. They do not understand that
government agencies have a singular focus to increase their funding, and not
to protect anyone. Neither you nor I can get through to them, until
after the pooper has been hacked.

idiots....abound, sorry for the digression.

peace,


James