Tuesday Jun 02, 2009

A Sunday wedding at a public pavilion in the town park. Another two restaurants closed and are up for sale.  In front of a church a sign that read "Free Lunch Saturday" was still displayed.  Many motor homes and boats for sale too along the way. Was upstate this past weekend. Took a ride.  Hesitant due to gas increasing in price again, but went anyway.  Great day for a ride. Motorcycles are starting to arrive for Americade.   Elvis Convention and the Tow Truck Show are just winding down.  

Elvis Photo

A quick stop at a motorcycle show.  A stop to take in the beauty of a lake.  A very nice couple offers me the 2 hour balance of their parking meter. Thanked them, but passed since I was only passing through. 


-- Frank



Friday Jun 20, 2008


We were challenged recently to demonstrate the capabilities of our Sun Ray 2 technology with the embedded VPN feature to several customers that required wireless networking.  So here is what was done to showcase this technology.


We had on hand a Sun Ray 270 thin client with the latest firmware, which allows configuration of the integrated VPN.  We employed the help of a LinkSys Wireless-G Access Point, model number WAP54G revision 3.1, with firmware version V3.04, dated December 27, 2007.  The WAP was configured via its web interface to function as an "access point client" prior to connection to the Sun Ray 270.  In this mode a hard-wired Ethernet device can plug in and participate on a wireless network.  To put the WAP in "access point client" mode the MAC address of the remote access point is required.  The LinkSys WAP web interface has a site survey facility that finds existing access points and allows the selection of a remote access point.





Here are the steps taken to get connected.
  • Ensure you have a Sun Ray 2 or 270 thin client with the latest firmware with VPN capabilities.
  • Get and configure a wireless access point (WAP) via another computer.
  • Verify connection to the wireless network with that computer.
  • Connect the WAP to the Sun Ray.
  • Power on the Sun Ray.
  • If previously configured to access a VPN you will be prompted for a username and a one-time password generated via a secure ID device.
  • Your internal login screen will be displayed.
  • If you have deployed smart cards, insert yours at this point.
  • If a previous session exists a lock screen will be displayed; enter your password.
  • The Sun Ray should come to life and your desktop through the VPN should be displayed with the applications you had previously started.



-- Frank





Thursday May 08, 2008

 

I just received a brand new Sun Ray 270 thin client.  I have been using one at home since January 2007.   I have had one on my desk since 2000 and have used them in many of the Sun Offices across the US.   The purpose of this new unit is to replace an aging Sun Ray 150 which had been used for years to show off Sun Microsystems thin client technology at various marketing events.   We also use a  Sun Ray 150 in our conference room for customer meetings and product briefings.


One of the new features of the  Sun Ray 270 is the built in VPN capabilities. It is enabled through the latest firmware release.  To deploy a remote Sun Ray used for access into Sun's internal network a CISCO 831 router with VPN access was required.  With the latest firmware the VPN client is now integrated into the Sun Ray platform.  No longer is the costly external CISCO 831 router required.

The unit arrived without the latest firmware so the hunt was on to locate the commands to apply it.   I realized my new unit was down a revision by the absence of the advanced commands such as STOP-S, STOP-M, or ALT-V.  They are the new Sun Ray Hot Keys.

 

Sun Ray 270 Hot Keys

  STOP-S                    Brings you to the configuration menu
  STOP-M                    Brings you to the configuration menu
  ALT-V or Control+Pause+V  Displays the firmware version (CoronaP2. . . . .)
  Control+Pause+C           Clears all configuration data stored in the DTU.


I was able to install the firmware via the /opt/SUNWut/lib/utload command.  The Sun Ray Server must be running version 4.0 or greater.  Once the latest firmware was installed the advanced STOP-S keys worked.  I checked the version number of the firmware with the ALT-V keys.  It included the string VPN in the version number, so I must have had the correct firmware installed.

Now it's on to configuring the Sun Ray 270 to be a VPN client.  First I checked that it would still work as a Sun Ray client before enabling the VPN.  It still worked just fine.  To start the VPN configuration, press the STOP-S keys.  A configuration menu is displayed.  The main menu consists of the following selections:

  • Servers: To set the names of the Sun Ray Servers (more than one is suggested), the firmware download server, and the log server.
  • TCP/IP: To set IP addressing.
  • DNS: To set the domain name, the name servers, and the search path.
  • VPN/IPsec: To enable the VPN client and identify a VPN gateway.  A group name, group key, username and password are also entered here.
  • Authentication: To set an authentication type, HTTP or none.
  • Security: Lets you set a password to secure the firmware configuration.
  • Status: Displays the firmware version number.
  • Advanced Settings (bandwidth, video and save configuration): Bandwidth may be limited if needed.  The "Video" feature allows you to force a screen blank if the screen lock isn't doing it properly.  You can store all the configuration in a file and retrieve it via tftp.  This is a way to streamline the configuration of many units at a time.

I configured it for my specific environment in a matter of minutes.  Inserted my smart card (Sun ID) and entered my password.   Jazz music started to play from KKJZ 88.1 FM of Long Beach, California and my email client with several unread messages appeared.  All of this information can be found in the Sun Ray Server Software Collection located on Sun's Online Documentation site http://docs.sun.com

Don't overlook the power savings of a Sun Ray 270.  See Clay's World for a recent blog entry on power savings in a lab environment.


--Frank

 


 

 

Friday Apr 04, 2008

screen shot

One of the up and coming computer based solutions in the security space is video surveillance.  You may say to yourself "hey, video surveillance isn't new".  Well, it's not.  It's what is being done with the video after it leaves the camera that is new.  Commonly called CCTV or Closed Circuit Television, these cameras have been analog based.  The cameras are connected to a central location via coax cable, one cable per camera.  The cameras also require electric power to function.  Far more than 90% of the surveillance systems installed today are analog based, similar to VCR technology rather than DVR technology.  Technology in this space is changing very rapidly.


AXIS 223M Network Camera

A new breed of camera is available from nearly ten vendors which offers IP connectivity with many other advanced features, IP being "Internet Protocol", the language commonly spoken between computers on a network.  These new cameras include low-light adjustment, infrared, and remote-controlled pan and zoom.  They can be set to record only when motion is detected.   These new video cameras are even powered by the Ethernet network they are connected to, which translates into lower wiring costs.   Some, based on a small internal PC board, can store video and send it as requested.  Some have wireless network interfaces too.

 

AXIS 225FD Fixed Dome Network Camera

When the total cost of a solution is examined, analog cameras cost $2K to $3K each while a similar digital solution would cost $1.5K to $2K per camera.  The initial purchase costs are higher than traditional CCTV cameras but the new features are extensive.


I have found that the market space is young but the players in the space are in some cases very mature.  Many have existing analog based solutions.    For more information on  Sun Microsystems Video Surveillance Solutions follow the link.

 

-- Frank

 


 

Thursday Feb 21, 2008

 

As the IT world is moving at a rapid pace toward some level of virtualization we, as solution architects, must not forget the basics that we have learned to protect our computing resources. All of the same principles still apply if we are deploying single systems or a virtualized environment with several different guest operating systems.

 

Over the past few weeks I have undertaken a "homework assignment" to become more familiar with Sun xVM Server technology. I have gotten my hands on an AMD based Sun Fire X4200 Server with two internal 73 GB disks.  Once I fired up the system I quickly noticed that the BIOS, ILOM, and hardware controller firmware levels were several revisions back from the current release.  In the case of the ILOM it lacked some of the functionality I was familiar with from a previous project.  I upgraded the BIOS, ILOM, and hardware controller firmware via the ILOM's web interface.  It was much easier than I thought it would be.   The required files were downloaded from the Sun Download Site on Sun.com.  This exercise got me thinking about security in the virtualized world.

 

Just because we would architect a solution at a "higher" level, a virtual level, we must be as vigilant as we would with a single system.  We must still be concerned with the basics.  I have noted several basic housekeeping tasks that can serve as a starting point to keep your virtualized environment a little more secure.

 

  • Secure the ILOM with an alternate, unique set of user names and passwords.  Set strong passwords that include numbers, symbols, and upper- and lower-case characters.  If deploying into a large environment, integrate with the existing LDAP naming infrastructure for authorization to the ILOM.
  • Connect the ILOM to a private management network used for functions such as system administration, device management, and backup.
  • Physically secure the systems in a locked, data-center-quality environment.
  • Secure passwords on the guest operating environments as if they were standalone systems.  Avoid using generic, default and well-known account names for administration functions.
  • Use virus protection and firewalls as if they were individual systems.
  • Use caution when connecting to networks and SANs.
  • Continue to implement SAN security.
  • Patch the base hypervisor platform and guest operating environments as needed.  This may require a controlled patch process.   Patch them as if they were individual systems, or do a wholesale replacement of the guest environment with one that includes the newly applied patches.
  • Use non-wire IP traffic between guest operating environments for more secure communications.
  • Deploy a separate NIC rather than sharing a NIC between guest operating environments.
  • Implement hypervisor and guest operating environment best practices for hardening.
  • Adjust your corporate security policy as needed to accommodate the virtualization technologies being deployed in your specific environments.

 

 This is an active work in progress.   Please check back for more details.


-- Frank

 



Thursday Feb 14, 2008

 

A friend of mine has pointed out that if you are using an older version of the Mozilla or Firefox browser you have the ability to save the page you are viewing as PostScript. Then with any old text editor you can go into the PostScript file and change the information as you see fit.

 

In the case of online airline check-in, a security hole has been brought to my attention. Someone can display and print a boarding pass. They can also save it to a file and edit it. By changing the flight number, date and time, this allows someone with a questionable background access beyond the airport security checkpoints. Of course, if an airline is using some type of scanning as part of its boarding process they should not get access to the plane.
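As an added example (not from the original post), this is the kind of scan-time check that last sentence depends on: the issuing system tags the printed fields with an HMAC, and the gate scanner recomputes the tag from what is printed, so a pass whose flight number or date was edited after it was saved is rejected rather than trusted. The key, field names and sample pass are constructed for this example and are not any airline's format.

```python
import hashlib
import hmac

# Assumed per-airline secret held only by the issuing system and the gate
# scanners; constructed for this example, not a real key.
SIGNING_KEY = b"example-airline-signing-key-not-real"

# Fields a scanner must see unchanged; the pass is rejected if any differ.
PROTECTED = ("name", "flight", "date", "time", "seat")


def canonical(pass_fields):
    """Fixed-order encoding of the protected fields so the tag is reproducible."""
    return "|".join(f"{k}={pass_fields[k]}" for k in PROTECTED).encode()


def issue_pass(pass_fields, key=SIGNING_KEY):
    """Issuing side: attach an HMAC-SHA256 tag over the protected fields."""
    tag = hmac.new(key, canonical(pass_fields), hashlib.sha256).hexdigest()
    return {**pass_fields, "tag": tag}


def scan_pass(printed, key=SIGNING_KEY):
    """Gate side: recompute the tag from the printed fields and compare."""
    if any(k not in printed for k in PROTECTED) or "tag" not in printed:
        return False, "missing fields"
    expected = hmac.new(key, canonical(printed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, printed["tag"]):
        return False, "tag mismatch: printed fields were altered"
    return True, "ok"


# Constructed sample: the pass as issued, then the same pass after the
# flight number and date were changed in the saved file (tag left as-is).
ORIGINAL = issue_pass({"name": "A. PASSENGER", "flight": "XX100",
                       "date": "2008-02-14", "time": "09:05", "seat": "12C"})
EDITED = {**ORIGINAL, "flight": "XX200", "date": "2008-02-15"}

if __name__ == "__main__":
    print(scan_pass(ORIGINAL))  # (True, 'ok')
    print(scan_pass(EDITED))    # (False, 'tag mismatch: printed fields were altered')
```

The check only helps if the tag actually reaches the scanner (in the barcode, not just as printed text) and the key stays off the check-in web page.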

 

-- Frank 

 


 

 

Monday Feb 04, 2008

 

I was asked to assist someone with a "computer" problem they were having recently. As soon as I sat down in front of their personal computer I noticed their personal firewall was "disabled". I questioned why it was disabled. They replied that some application they had attempted to use did not work. So they turned it off. I asked how long had it been disabled? They indicated a few days. While fixing their original problem I updated their virus protection software with the latest files. It had been many months since their virus definitions had been updated. So "Keep Your Guard Up"!

 

-- Frank 

 


 

Wednesday Dec 27, 2006

I have been asked this question several times this past week so I will formalize my response as a Christmas Gift to you all.

Well you are now on your second or third generation digital camera. You have 3000 to 5000 photos on the hard disk of your home computer or laptop. If you are like myself you have been taking digital photos since the late 1990's. You now have a digital camera built into your phone. Sure hope all of these priceless photos are backed up someplace!

 

Verizon Wireless CDM 8945

My recommendation to you all is to go out and get some high quality write once CD-ROM media that can be found at places like CompUSA or Wal-Mart. Divide your photos into some logical grouping. I like filing by year and then by activity or event. If I don't have a specific activity or event but have several disparate photos, I just file them in a directory/folder named month_year, like Feb_06 (usually a slow month). This way I can archive an entire year at a time. So far I have not hit the maximum size of a CD-ROM in a given year.

Memorex 100 Pack Standard 120mm CD-R Discs 52X

I burn two copies. One I keep in my computer CD-ROM collection at home. The other I put in a safe place such as a bank safety deposit box or fire proof safe. Preferably someplace other than where you are keeping your first copy. I archive my photos yearly. I backup my photos on hard disk every few weeks.
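Added example, not part of the original post: with two copies burned and one kept off-site, the useful extra step is a hash manifest written into the year folder before burning, so either copy can later be checked for missing or silently corrupted photos. The folder layout (2006/Feb_06), the manifest filename and the sample photo bytes are constructed for this example; the manifest uses the two-space sha256sum format so it can also be checked with that tool.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
MANIFEST = "MANIFEST.sha256"  # hash list kept inside each archive folder

def hash_file(path, chunk=1 << 16):
    """SHA-256 of one file, read in chunks so large photos are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root, manifest excluded."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}

def write_manifest(root):
    """Record the hashes inside the archive folder before burning it (sha256sum format)."""
    manifest = build_manifest(root)
    Path(root, MANIFEST).write_text("".join(f"{d}  {rel}\n" for rel, d in manifest.items()))
    return manifest

def verify_copy(copy_root):
    """Compare a burned copy against its own manifest; returns (missing, corrupted)."""
    expected = {}
    for line in Path(copy_root, MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    actual = build_manifest(copy_root)
    missing = sorted(rel for rel in expected if rel not in actual)
    corrupted = sorted(rel for rel in expected if rel in actual and actual[rel] != expected[rel])
    return missing, corrupted

def demo():
    """Constructed sample: one year folder, two copies, the second one damaged."""
    year = Path(tempfile.mkdtemp()) / "2006"
    (year / "Feb_06").mkdir(parents=True)
    for name in ("img001.jpg", "img002.jpg"):
        (year / "Feb_06" / name).write_bytes(b"\xff\xd8 constructed photo " + name.encode())
    write_manifest(year)
    good, bad = year.parent / "copy_home", year.parent / "copy_vault"
    for dst in (good, bad):
        shutil.copytree(year, dst)
    (bad / "Feb_06" / "img001.jpg").write_bytes(b"bit rot")  # silently corrupted
    (bad / "Feb_06" / "img002.jpg").unlink()                  # lost in copying
    return verify_copy(good), verify_copy(bad)
```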

Now for a great Christmas gift for that owner of that digital camera. Get them a USB thumb drive or memory card/stick to keep their most recent photos on. This will allow them to bring their most recent photos with them to show off at family gatherings and other various social events that typically take place here in the United States at this time of the year.



Happy Holidays! --Frank

Tuesday Nov 07, 2006

Was in lower Manhattan yesterday between customer meetings. Walking across Cedar Street to Broadway very near Wall Street. I passed a FedEx truck with the rear door open. A stack of boxes sitting on the sidewalk. All unattended. As I passed I noticed one of the boxes was clearly marked in bold lettering Iron Mountain. I got to the end of the block before thinking of getting a photo if they were still there. So I returned to get this snapshot, the boxes still unattended.

Do you think this customer intended to have their data or backup tapes out on display for all to see on Cedar Street?  Do you think they were protected in some way?


I sure hope my personal information isn't on these tapes.


-- Frank




This blog copyright 2009 by FrankWickham