Thursday, November 09, 2006

a good security design for an office


One issue that is rarely considered is how to deal with office break-ins for the purpose of espionage. I believe that this issue has been solved reasonably well for military systems, but many of the military solutions do not apply well to civilian systems - particularly the use of scary dudes with guns. Also most office environments don't have the budget for any serious security, so we want to improve things a bit without extra cost. Finally the police aren't interested in crimes where an office is burgled for small amounts of cash and items of minor value, it gets lost in the noise of junky burglaries, so prevention is the only option.

Having heard more information about such break-ins than I can report, I'll note a few things that can be done to improve the situation - some of which I've implemented in production.

The most obvious threat model is theft of hard drives. The solution to this is to encrypt all data on the drives. The first level of this is to simply encrypt the partitions used for data, support for this is available in Fedora Core 6 and has been in Debian for some time. The more difficult feature is encrypting the root filesystem, encrypting root means that important system files such as /etc/shadow are encrypted. Also if the root filesystem is encrypted then an attacker can't trivially subvert the system by replacing binaries. An unencrypted root filesystem on a machine that is left turned off overnight (or for which an unexpected reboot won't be treated seriously) allows an attacker to remove the drive, replace important system files and then re-install it. If the machine is booted from removable media (EG USB key) which contains the kernel and the key for decrypting the root filesystem then such attacks are not possible. Debian/unstable supports an encrypted root filesystem, but last time I tried the installer there did not appear to be any good support for booting from USB (but given the flexibility of the installer I think it's within the range of the available configuration options). I have run Fedora systems with an encrypted root filesystem for a few years, but I had to do some gross hacks that were not of a quality that would be accepted. With the recent addition of support for encrypted filesystems in Fedora it seems likely that some such patches could be accepted - I would be happy to share my work with anyone who wants to do the extra work to make it acceptable for Fedora.

Once the data is encrypted on disk the next thing you want to do is to make the machines as secure as possible. This means keeping up to date with security patches even on internal networks. I think that a viable attack method is to install a small VIA based system in the switch cabinet (no-one looks for new equipment appearing without explanation) that sniffs an internal (and therefore trusted) network and proxies it to a public network. This isn't just an issue of securing applications, it also means avoiding insecure protocols such as NFS and AoE for data that is important for your secrecy or system integrity.

An option for using NFS is to encrypt it with IPSEC or similar technology. AoE can be encrypted with cryptsetup in the same way as you encrypt hard drive partitions, it doesn't use IP so IPSEC won't work but it is a regular block device so anything that encrypts block devices will work. I have been wondering about how well replay attacks might work on an encrypted AoE or iSCSI device.

Security technologies such as SE Linux are good to have as well. An attacker who knows that a server has encrypted hard drives might try cracking it instead. A thief who has stolen a laptop and knows that it has an encrypted drive can keep it running until future vulnerabilities are discovered in any daemons that accept data from the network (of course if you have enough technology you could sniff the necessary data from the system bus and from RAM while it's running - but most attackers won't have such resources). I have considered running a program on my laptop that would shut it down if for a period of 48 hours I didn't login or un-blank the screen, that would mean that if it was stolen then the thief would have 48 hours to try and crack it.

Prevent access to some hardware that you don't need. If you allow the system to load all USB drivers then maybe a bug in such a driver could be exploited to crack it. Remember that in a default configuration USB drivers will be loaded when a device is inserted (which is under control of an attacker) and the device will use data from the attacker's hardware (data of low integrity being accessed by code that has ultimate privilege). Turning off all USB access is an option that I have implemented in the past. I have not figured out a convenient way of disabling all USB modules other than the few that I need, I have considered writing a shell script to delete the unwanted modules that I can run after upgrading my kernel package.

Once these things have been done the next issue is securing hardware. Devices to monitor keyboard presses have been used to steal passwords. The only solution I can imagine for this is to use laptops on people's desks and then store them in a safe overnight, unfortunately laptops are still quite a bit more expensive than desktop machines and consequently they are mostly used as status symbols in offices. Please let me know if you have a better idea for solving the key-logging problem.

For servers there is also a problem with keyboard sniffing. Maybe storing the server's keyboard in a safe would be a good idea.

Security monitoring systems are a good idea, unfortunately they can be extremely expensive. There has already been at least one recorded case of a webcam being used to catch a burglar. I believe that this has a lot of potential. Get a webcam server setup with some USB hubs and cameras and you can monitor a small office from all angles. When the office is empty you can have it GPG encrypt pictures and send them off-site for review in the case of burglary. You could also brick the server into a wall (or make it extremely physically secure in other ways) so that the full photo record would be available in the case of damaged phone lines, and to give more pictures than the upload bandwidth of an ADSL link would allow (512Kb/s doesn't allow uploading many pictures - no-where near the capacity of a few high-resolution web-cams).

This is just a few random thoughts, some things I've done, some things I plan to do, and some that just sound like fun. I expect comments telling me that I have missed some things. I may end up writing a series of articles on this topic.

PS I've uploaded day 32 of the beard (which was taken yesterday). Last night at a LUV meeting I was asked to stand in front of the audience to show them my beard. I had imagined that they might have seen it enough through my blog, but apparently not.

8 comments:

Anonymous said...

Nice post :) I'll be referring it to some friends.
Regarding your beard: I don't know how you do it - your beard keeps growing, but you keep exactly the same expression (and I'd swear, the same T-shirt) every day!
Last remark: Something is broken. I read your blog via Planet Debian, which I read through Google Reader. If I click on your entry from Google Reader, I get sent to http://beta.blogger.com/feeds/32177539/posts/2803275338755791324 - which is an "invalid content type". From Planet Debian itself, I get the proper URL. Gah :-/

Anonymous said...

Hi Russ,

Great post! I manage a corporate network and I have been pondering solutions for many of the ideas you expressed. Particularly key-logging since it's the easiest and most common method of attack. You may want to have a look at "pam_usb" which uses a usb jumpdrive to store encrypted keys. ..it might be the answer. Passwords are so "20th Century." :)

Anonymous said...

Really a nice summary. Thanks a lot.

Anonymous said...

Russell, if your host has IEEE 1394 and udev, firescope can be used to remotely examine/debug it, including DMA from arbitrary addresses.
Bill Rugolsky

Anonymous said...

Excellent post. I have a few comments that I felt would be much more easily written on my blog.

Anonymous said...

I can confirm that Russell definitely wears a different (and clean) shirt every day ;)

Simon Waters said...

Clear threat model is everything when planning this sort of security. What level of resourced opponents are you trying to defeat? If you don't know you'll spend too much, or too little.

There is also an argument that says making the people the weakest link just encourages rubber hose cryptography, or related activities.

The first level of security above "just make a working network", in the UK military usually includes a few things you didn't mention.

No devices with wireless or infrared interfaces. 802.11, Bluetooth, IRDA, including printers etc. It is also common practice to use detachable disk drives and store them in a safe when unattended.

At commercial and local government clients, I've seen the machines bolted to desks in secure steel cases, not as secure as putting the disks in a safe, but the cases prevent petty theft, and can stop people using builtin, but undesired, features of a PC (floppy, USB, CD-ROM etc), and make other physical access attacks more difficult without the inconvenience of locking disk drives away.

Of course this was mostly done to prevent theft in dodgy London boroughs, when the furniture the PCs were bolted to, was itself bolted to the floor to stop the local criminals nicking that as well. YMMV

etbe said...

I try to keep the same posture and expression to make it easier for the viewers to compare the beard growth.

In regard to the problem in reading my blog with Google reader, when a google reader has problems with a google blog service it's clearly google's fault. Please file a bug report with them (I don't use google reader).

http://etbe.blogspot.com/2006/11/more-about-securing-office.html

I have added a new post on this topic, it's at the above URL.