Part 3: Creating a DMZ for an Internet facing server
Now that you have your PA-220 working as a basic firewall for your small network, you might want to host something like a mail server.
As this server is Internet facing, you should create a DMZ to host it, so that a compromise of the server does not give an attacker a foothold on your internal LAN.
For this part of the set up, I will use the interface “ethernet1/5”.
Go to Network -> Zones -> DMZ-L3 (which was created in part 2)
Add the interface “ethernet1/5” to the zone. Remember to remove it from the zone “Trust-L2” (and from the “VLAN Object” VLAN) if you had added it there previously, before adding it here.
Next, go to Network -> Interfaces -> Ethernet and click on “ethernet1/5” to edit its settings.
Make sure the Interface Type is “Layer 3” and the Security Zone is “DMZ-L3”.
In the IPv4 tab, I chose to give the interface a static IP (this address becomes the default gateway of the DMZ server), so configure it as such:
Click “OK” to continue.
Next, you will need to set a security policy for the DMZ. Go to Policies -> Security and click on “Add”.
Create a policy like this:
- Name: mail
- Source Zone: Untrust-L3
- Destination Zone: DMZ-L3
- Action: Allow
Note that PAN-OS matches a security rule on the pre-NAT destination address but on the post-NAT destination zone. So if you restrict the destination address in this rule, use your public IP (or its address object), while the destination zone stays DMZ-L3.
If you want to be able to manage the system from your internal VLAN, you would need to add another security policy rule:
- Name: internal
- Source Zone: Trust-L3
- Destination Zone: DMZ-L3
- Action: Allow
Now you would need to add a rule to allow the mail server to reach the Internet.
- Name: mail-1
- Source Zone: DMZ-L3
- Destination Zone: Untrust-L3
- Action: Allow
The DMZ host is the one most exposed to the Internet, so keep this outbound rule as tight as you can (outbound SMTP, DNS and NTP, plus whatever your update mechanism uses, is typically all a mail server needs); a compromised server should not be free to reach anything on the Internet.
If you would like to further secure the access, you can limit the ports that can be reached: go to Objects -> Services, create a service object “service-mail-tcp” containing the mail ports, and set the Service of the rules above to just that object instead of “any”.
After you have defined the security policy, you will need to define the NAT policy rules.
You would need to create 3 rules: 1 for webmail access (over HTTPS) and 2 for incoming and outgoing mail.
Do note that to make things easier to read, I have created an address object to name the IPs:
Now all you have to do is ensure your mail server’s IP is set to 10.0.10.5 and that the host firewall (if any) has the relevant ports open.
Lastly you will need to configure a static route to your DMZ. Go to Network -> Virtual Routers and click on “default”.
Now add a new static route by going to “Static Routes” and clicking “Add”.
Create a new route like this:
Note: My DMZ server is directly attached to the PA-220, hence the static route points at the DMZ server’s IP address; otherwise it would normally be the DMZ default gateway IP address. (If ethernet1/5 is configured with the whole DMZ subnet, for example a /24, the connected route already covers that subnet and a static route is only needed for networks that sit behind a DMZ gateway.)
Click “OK” to continue.
Now “Commit”, and you should be able to reach the mail server in the DMZ. Monitor -> Traffic shows which rule each session matched, which is the quickest way to debug a rule that does not behave as expected.
Part 2: Configuring your Network Zones
Now that you have set up the PA-220 for use, it is time to define and create the zones and interfaces.
Remember to change your computer’s IP to the subnet you gave the MGT interface in Part 1 (10.0.5.0/24 in my case).
After you logged in, go to Network -> Zones
Click on the “Add” button at the bottom of the page.
Here you would need to create these zones (the fifth is optional):
- Untrust-L3, Type: Layer 3
- Trust-L3, Type: Layer 3
- Trust-L2, Type: Layer 2
- DMZ-L3, Type: Layer 3
- VPN, Type: Layer 3 (if you intend to set up GlobalProtect VPN with its own zone later)
After adding the zones, you should see them listed like this:
At this point, you can connect the ethernet cable from the GPON (fibre) modem to port 1 (ethernet1/1) on your PA-220.
Now go to Network -> Interfaces -> Ethernet, and click on “ethernet1/1” to configure it.
You will see this screen; set the Interface Type to “Layer 3”, Virtual Router to “default” and Security Zone to “Untrust-L3”.
Next click on IPv4 and set the Type to “DHCP Client” (unless your ISP requires a manual configuration for a static IP). Leave “Automatically create default route pointing to default gateway provided by server” enabled so the firewall gets its default route from the ISP.
Click OK to continue.
Create a VLAN
Next go to Network -> VLANs and click on “Add” at the bottom of the screen.
Create a VLAN, you can call it “VLAN Object”, and add all the interfaces you want to this VLAN. In my case I added all except ethernet1/5, which I use for the DMZ.
Next go back to Network -> Interfaces -> Ethernet to edit the settings for ethernet1/2, and so on.
Set the following for ethernet1/2 to ethernet1/8:
- Interface Type: Layer 2
- Netflow Profile: None
- VLAN: VLAN Object
- Security Zone: Trust-L2
Next go to Network -> Interfaces -> VLAN to edit the settings of the VLAN interface:
Under the Config tab, set the following:
- VLAN: VLAN Object
- Virtual Router: default
- Security Zone: Trust-L3
Under the IPv4 tab, enter the gateway IP you defined earlier in Part 1 (10.0.5.254 with a /24 mask in my example). This is the address your LAN clients will use as their default gateway.
Click OK to continue.
Setting DHCP Server
Go to Network -> DHCP -> DHCP Server.
Click on “Add” at the bottom of the page and select the VLAN interface you configured above.
Add the IP range from 10.0.5.1 to 10.0.5.252 and set it to enabled. Make sure the pool does not overlap addresses you assign by hand: if the MGT port (10.0.5.1 in Part 1) is cabled into the same LAN, start the pool at 10.0.5.2; the VLAN interface address (10.0.5.254) is already outside it. Under Options, set the Gateway to the VLAN interface address and the DNS servers to the ones you chose in Part 1, otherwise clients will get an address but no route out.
Click "OK" to continue.
Define a Security Policy
Next go to Policies -> Security.
Click on “Add” to create a new policy and give it a name.
Next go to the “Source” tab and add the zone “Trust-L3”.
On the “Destination” tab add the zone “Untrust-L3”.
Next go to the “Actions” tab and make sure the action is set to “allow”.
You do not need a rule in the other direction: traffic between zones is denied by default, and the return traffic of sessions allowed by this rule is permitted by the firewall’s session state.
Click on OK to continue.
Next go to Policies -> NAT and click on “Add”.
Create a NAT policy rule called “Internet Outgoing”.
On the Original Packet tab, add the source zone “Trust-L3” and the destination zone “Untrust-L3”.
On the “Translated Packet” tab, set the following under Source Address Translation:
- Translation Type: Dynamic IP And Port
- Address Type: Interface Address
- Interface: ethernet1/1
With this you should be able to connect a PC to any port from ethernet1/2 to ethernet1/8 on your LAN and get out to the Internet on ethernet1/1.
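To check that the rulebase built in Part 3 and in Part 2 above permits only what was intended, here is a small zone-based policy walk. This is an added illustration and not PAN-OS code or the author’s configuration: it mirrors how the firewall classifies a new session (ingress interface gives the source zone, the route of the post-NAT destination gives the destination zone, rule addresses are matched pre-NAT, the rulebase is walked top-down, and the PAN-OS defaults of intrazone allow / interzone deny apply when nothing matches). Zone, interface and rule names are those used in the posts; the DMZ subnet 10.0.10.0/24, the public address 203.0.113.10, the name “trust-out” for the unnamed Part 2 security rule and the port list behind “service-mail-tcp” are assumptions.

```python
"""Zone-based policy walk for the PA-220 rulebase in Parts 2 and 3 (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Ingress interface -> zone (Parts 2 and 3). "vlan" is the Layer 3 VLAN
# interface that fronts the Layer 2 ports ethernet1/2-1/8.
INTERFACE_ZONE = {
    "ethernet1/1": "Untrust-L3",
    "vlan": "Trust-L3",
    "ethernet1/5": "DMZ-L3",
}

# Routing table: network -> egress interface. The LAN 10.0.5.0/24 is from
# Part 1; the DMZ subnet and the default route are assumptions.
ROUTES = [
    (ip_network("10.0.5.0/24"), "vlan"),
    (ip_network("10.0.10.0/24"), "ethernet1/5"),
    (ip_network("0.0.0.0/0"), "ethernet1/1"),
]

# Destination NAT from Part 3: the public address (assumed, RFC 5737 range)
# maps to the mail server 10.0.10.5.
PUBLIC_IP = ip_address("203.0.113.10")
DNAT = {PUBLIC_IP: ip_address("10.0.10.5")}

# Service objects. "any" matches every port; the members of service-mail-tcp
# are an assumed set of common mail ports plus HTTPS for webmail.
SERVICES = {
    "any": None,
    "service-mail-tcp": {("tcp", 25), ("tcp", 443), ("tcp", 465), ("tcp", 587), ("tcp", 993)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str
    service: str = "any"
    destination: Optional[IPv4Network] = None  # matched on the pre-NAT address


# Rules from Part 3 (mail, internal, mail-1) and Part 2 (trust-out), in order.
RULEBASE = [
    Rule("mail", "Untrust-L3", "DMZ-L3", "allow", "service-mail-tcp", ip_network("203.0.113.10/32")),
    Rule("internal", "Trust-L3", "DMZ-L3", "allow"),
    Rule("mail-1", "DMZ-L3", "Untrust-L3", "allow"),
    Rule("trust-out", "Trust-L3", "Untrust-L3", "allow"),
]


def zone_for(addr: IPv4Address) -> str:
    """Longest-prefix route lookup, then the zone of the egress interface."""
    for net, iface in sorted(ROUTES, key=lambda r: r[0].prefixlen, reverse=True):
        if addr in net:
            return INTERFACE_ZONE[iface]
    raise ValueError(f"no route for {addr}")


def evaluate(ingress: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, name of the rule that decided) for a new session."""
    src_zone = INTERFACE_ZONE[ingress]
    pre_nat = ip_address(dst)
    post_nat = DNAT.get(pre_nat, pre_nat)
    dst_zone = zone_for(post_nat)            # zone from the post-NAT address
    for rule in RULEBASE:
        if (rule.from_zone, rule.to_zone) != (src_zone, dst_zone):
            continue
        if rule.destination is not None and pre_nat not in rule.destination:
            continue                         # address matched pre-NAT
        ports = SERVICES[rule.service]
        if ports is not None and (proto, port) not in ports:
            continue
        return rule.action, rule.name
    # No rule matched: PAN-OS default rules decide.
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


if __name__ == "__main__":
    for args in [("ethernet1/1", "203.0.113.10", "tcp", 25),   # inbound SMTP to the DMZ
                 ("ethernet1/1", "203.0.113.10", "tcp", 22),   # SSH from the Internet
                 ("ethernet1/1", "10.0.5.10", "tcp", 443),     # Internet -> LAN host
                 ("vlan", "10.0.10.5", "tcp", 22),             # LAN -> DMZ management
                 ("ethernet1/5", "10.0.5.10", "tcp", 445)]:    # DMZ -> LAN
        print(args, "->", evaluate(*args))
```

The last case is the one worth keeping in mind: nothing in the posts allows DMZ-L3 to Trust-L3, so it falls to the interzone default and is denied, which is exactly the property a DMZ is meant to give you. The SSH case shows why the service restriction in Part 3 matters: with the rule’s service left at “any” it would have been allowed.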
Assumptions: the home network consists of a fibre broadband connection to the PA-220, and there will be 2 trust boundaries (a DMZ and an internal trusted zone).
Part 1: Get it Up and Running
The first thing to do is to establish some basic information such as:
1. The IP address from your ISP (if static IP)
2. The IP ranges you would like to use for your internal zone and DMZ zone
3. The IP to be used for the MGT port
4. The IP of your default gateway
5. The DNS service you will be using
Once you have that information, you will want to do the initial setup (assuming the PA-220 is brand new or factory reset).
Plug your computer directly into the MGT port with an ethernet cable and set the IP of your computer’s ethernet port to an address in the 192.168.1.0/24 range (e.g. 192.168.1.2).
Connect to the PA-220 in your browser via the URL https://192.168.1.1 (the browser will warn about the firewall’s self-signed certificate; that is expected at this stage).
When prompted, use the default username/password, admin/admin.
(Note that you will be asked to change the password on first login if your box shipped with PAN-OS 9.0.4 or later.)
If you have an older box, go to Device -> Administrators.
Click on the “admin” account and you should get a window to change the password like this (do this before the firewall is connected to the Internet):
Next, you would need to configure the MGT interface by going to Device -> Setup -> Interfaces and clicking on the “Management” interface.
You should see this window:
I would suggest starting with a static IP (DHCP for MGT is mainly used in cloud environments like AWS and Azure). I have chosen the MGT IP to be 10.0.5.1 with a netmask of 255.255.255.0 and the gateway to be 10.0.5.254.
You can enhance security by limiting the IP addresses that can access the MGT interface, by adding them to the permitted IP addresses table (but I suggest you do this later, once you have set up your whole environment), and by leaving only the services you actually use (HTTPS, SSH, Ping) enabled on it.
Next you would need to set up your DNS service. Go to Device -> Setup -> Services and click on the gear icon.
You should get to this screen.
In this example, I use Google DNS (8.8.8.8) as the primary and Cloudflare (1.1.1.1) as the secondary. Obviously, you can use whatever DNS server you wish here.
To set the time server, click on the NTP tab at the top and enter your NTP server:
If you wish, you could set up the hostname and domain in the Device -> Setup -> Management tab, but this is not necessary.
After you have done all that, it is time to commit the changes. Go to the top right of the window and click on the “Commit” button.
Once the commit completes, the MGT interface moves to its new address, so you need to change the IP of your computer to the 10.0.5.0/24 subnet and log in to the firewall again at https://10.0.5.1.
I will be kicking off the first in a series of classes around security architecture.
Today is the official launch of the SUTD Academy and I am happy to be the first new class launched this year!
Here is a link to the class -> https://sutd.edu.sg/Education/Academy/Our-Offerings/SkillsFuture-Series-Courses/Cybersecurity/Cybersecurity-Architecture-Fundamentals
This is an introduction-level class covering the approach to security, threat modelling, misuse cases, and how to document architecture decisions.
I would also cover the links between good architecture and the ability to support operations, such as the various incident response frameworks which might be adopted by different organisations.
Too often vendors who are only engaged to build a solution fail to take the operational aspects of a system into consideration when designing it.
With my experience in running operations, I hope to help raise awareness of the impact of architecture on operations.
So if you are interested and in Singapore, please do register for the class!
Over the last few years I have seen many security professionals split into 2 main categories:
Security operations (at fixed levels)
I do feel that there are far too few folks moving into security architecture. I am not sure if it is because of a lack of opportunity or of interest.
For those who are interested and are looking to venture into this space, I am trying to create a class and (hopefully) write a book on this topic.
I think the security space needs more people with a deeper background in system architecture and engineering. Of course we will always need specific specialists like the crypto guy, but in general we need more people who can relate to our colleagues in infrastructure, development and especially operations.
I will be starting a series of classes at the SUTD Academy in Singapore on the "Fundamentals of Cybersecurity Architecture", where I hope to get more folks interested in pursuing this as a career.
The course will cover architecture considerations across all phases of a system lifecycle, from requirements and build to operations and decommissioning.
The short 2 day introduction class is not to make anyone an architect but to introduce the discipline of security architecture to a wider audience, to demystify the role and to spark more interest in the topic.
Here is the agenda of the class :
Hope to see more people taking this up!
Cyberattack surfaces can be classified into 4 main areas: public spaces, private networks (home), organizations’ networks and partner networks. This is illustrated by GRA Quantum in their infographic below:
Figure 1: Cyber attacks surfaces
As part of my series of papers covering the cyberattack surfaces, I have covered public and private spaces (home networks) in my papers “Public Wi-Fi Hygiene: Things to Consider” and “Protection of Home Networks: A Suggested Approach” respectively. Now I shall cover a part of the organization’s network pertaining to application security.
As cyber criminals’ skills evolve and network security matures, cyber attacks are increasingly moving to application-level hacking. According to The Solutionary Security Engineering Research Team (SERT) Quarterly Threat Report for Q2 2016, web application attacks, malware and application-specific attacks comprised approximately 62 percent of all attacks during the second quarter of 2016. A chart from the report can be seen in figure 2 below.
Figure 2: SERT summary of attacks for Q2 2016
There is clearly a need to improve the security posture of all applications before they are placed in production.
Over the years, security has generally focused on network perimeter security, with reference architectures clearly mandating the deployment of network firewalls, intrusion detection and prevention systems, etc., but with the rise in application-level attacks it is clear that traditional network security solutions cannot adequately protect against them.
While firewalls and intrusion prevention systems (IPSs) are essential for preventing network attacks, “next generation” firewalls go one step further by adding application awareness, which compares traffic against fingerprints of known applications. Unfortunately, none of these products understand acceptable user behaviour inside the application, such as the expected length and the allowed characters of a field on an interactive screen. Without this understanding, network security products cannot accurately detect application attacks like SQL injection, XSS, CSRF and parameter tampering.
Although Web Application Firewalls (WAFs) play an important part in blocking some of these attacks, there is a limit to how far the protection of an application can be externalised.
To improve the security posture of applications, security needs to be baked into the design from the beginning and not as an afterthought. There is a need to apply design thinking to security too. Most application teams use design thinking techniques to see things from the users’ perspective, but I argue that we also need to apply these same techniques to how a hacker would think.
Security needs to be applied in every stage of the software development lifecycle to improve security in every aspect from requirements to operations.
There are a handful of secure SDLC frameworks proposed by multiple parties; these are some of the more prominent ones today:
Figure 3: Secure SDLC frameworks
I shall not go into the details of each framework or suggest which framework to adopt, but will go through some of the key considerations when putting a Secure SDLC methodology in place in the organization.
I would highlight some areas to be aware of to improve your security while planning, designing, developing/testing and deploying/maintaining the application.
During the planning phase, it is important to design security into the application. You should also be doing some form of threat modelling here.
Start with security in requirements (Abuse case)
Typically, in the planning phase, requirements are gathered in the form of use cases. These use cases need to be supplemented with abuse cases. The concept of abuse cases is not new (it was introduced in 1999) but it is not often used. An example of an abuse case for a university system is shown in the figure below:
Figure 4: Abuse Case example in UML
It is important to start thinking about exploits so you can bake the defence into the product. I would highly recommend including a security professional or white hat hacker to be part of the planning stage as it “takes a crook to catch a crook” and most application designers are not used to thinking in terms of exploits.
Risk in business processes
As we adopt a risk-based approach to security, we need to look at how risk is injected into process flows and what risk-mitigation measures to put in place. These can be technology-based measures or simply process-based measures. An example of a normal and an imperilled business process flow can be seen in the figure below.
Figure 5: Normal vs imperilled process flow
Understanding the risk at each process step early can help strengthen the process flow and the overall security posture of the application.
During the design phase, we will be looking into the architecture of the solution. These should include the enterprise security architecture as well as application specific security architectures.
Enterprise security architecture
An enterprise security architecture helps tie multiple applications together by creating solid foundational components and subsystems that are used across all applications. These should include security audit, flow control, access control, trusted credentials and integrity subsystems. A sample enterprise security architecture block diagram is shown in the figure below.
Figure 6: Sample Enterprise Security Architecture
These subsystems can be further expanded to components and processes that must be managed. An example of the credential subsystem process is shown in the figure below.
Figure 7: Sample credential subsystem processes
User experience design
Security should not be separate from design. Many data breaches are the result of human error, and many of these can be avoided by knowing who your users are and how they will be using the application. One key design principle to remember is to never leave users guessing what they should be doing or how to use the application. Microinteractions are very useful in security design, for example when changing passwords.
I have grouped developing and testing into a single group for discussion as I believe they are tightly integrated. Development is moving to a continuous integration cycle and testing is an integral part of this cycle.
Secure coding practice
There are many articles and books written on good secure coding practices, so I shall not go into details here, but these practices are important habits for the development team to adopt.
Some of the principles of secure coding are to validate all inputs, keep it simple, deny all access by default, pay attention to compiler warnings, etc.
It would be good to do a refresher once in a while for the development team to reinforce the habits and to get new employees to adopt them.
Peer review is also encouraged for highly sensitive applications to further reduce the risk of vulnerabilities creeping in. As this can be an expensive process, teams should adopt it at their discretion based on the risk rating.
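To make the two principles “validate all inputs” and “deny by default” concrete, here is the same lookup written three ways: the injectable version, the parameterised version, and the two controls combined. This is an added example for this paper, not code from it; the sqlite3 table and its two rows are constructed here so that it runs offline, and the function names are mine.

```python
"""Input validation and parameterised queries, side by side (added example)."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """String concatenation: the input becomes part of the SQL statement."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str):
    """Bound parameter: the input is passed as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for usernames: anything else is rejected before reaching the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn: sqlite3.Connection, username: str):
    """Both controls together: validate on an allow-list, then bind the value.

    Validation is the first line of defence and gives the caller a clear error;
    the bound parameter means an input that slipped past the check still could
    not change the shape of the query.
    """
    if USERNAME_RE.fullmatch(username) is None:
        raise ValueError("username must be 1-32 characters of [a-z0-9_]")
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"   # classic tautology: the WHERE clause becomes always-true
    print("vulnerable:   ", lookup_vulnerable(db, payload))    # every row in the table
    print("parameterised:", lookup_parameterised(db, payload))  # no such user: []
    try:
        lookup_hardened(db, payload)
    except ValueError as err:
        print("hardened:     ", err)
```

The allow-list is deliberately narrow; widening it to what the application really needs is the design decision, and a deny-list of “bad characters” is the wrong starting point. The parameterised query is the control that actually removes the injection; the validation on top of it is what gives the user a sensible error instead of an empty result.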
Static code scanning
Dynamic code scanning
Before deploying an application, it is usually necessary to perform a dynamic scan. A dynamic scan exercises the running application and can discover vulnerabilities in the run-time environment that static scanning, which only looks at the source, might miss.
Before going live or with any update, it is recommended that dynamic scans be run; in addition, there are some other actions that are necessary to further enhance the security of the application.
Penetration tests should be employed to discover if any vulnerabilities can be exploited to gain access to the system or data. As penetration testing is an established and mature discipline, I shall not go much deeper into this.
Environment vulnerability scanning
Beyond the boundaries of the application, it is important to understand the environment in which the application is deployed. The operating system it runs on, the application server it is deployed to, the database where the application data is stored, the transport mechanism used, the message payload protocols, etc. are all areas that need to be examined for vulnerabilities and patched or hardened accordingly.
With the popularity of container technologies like Docker, it is also important to perform image comparison and vulnerability scanning of the container image. There are free tools such as DockerScan available on GitHub, and these should be employed where possible.
Containers should also be configured to only have the minimum required components to run the application to reduce the attack surface.
Security Operations (SecOps)
I would also like to add a section on Security Operations which covers a wider spectrum of the Secure SDLC cycle.
Security operations is the marriage of IT security and operations in the way DevOps is the marriage of development and operations. An example of a SecOps practice is “Continuous Security Testing”, which is similar in concept to the continuous integration found in DevOps. Just as DevOps breaks down the silos between development and operations, SecOps does the same for the security silo to allow a better integrated approach.
Adopting SecOps practices would also reduce human error by automating many of the security testing tasks that used to be handled manually.
A team adopting SecOps practices would also have better monitoring and controls by integrating more closely with Security Operations Centres (SOCs), enabling better threat prediction and remediation.
This is a much bigger topic which would be covered in more details in a future paper.
This paper is not a prescriptive approach to secure software development but serves as a piece to encourage better practices that can be adopted in software development to improve the overall security posture of an organization.
There are a lot of developing areas in secure software development and I encourage you to find practices and tools you can adapt to your development and to bake these into your SDLC or DevOps cycles.
Security is everyone’s business, we can all make this world a safer place.
PDF version of this blog can be found here
As we are becoming a more connected society, the need for internet access on the go is becoming more important. Many people would look for a public Wi-Fi access when they are out and about. In May 2016, Symantec (a leading cybersecurity firm) conducted an online survey of 1025 people to find out what users are doing on public Wi-Fi.
From the report, 57% of consumers think their information is safe when using public Wi-Fi connections. And only 49% think that they are responsible for securing their own information. 18% believe that the Wi-Fi provider is responsible for protecting their data and another 18% believe it is the website operators who are responsible.
Common activities on public Wi-Fi include logging into a personal email account (55%), logging into social media (54%), sharing photos and videos (38%), and 20% have used it to access their banks or perform financial transactions.
But behind some of these “free” Wi-Fi access points lurks malicious intent. This paper will cover some of the basic hygiene you should adopt when using public Wi-Fi connections.
Many people use free Wi-Fi access without a second thought about the security of the connection. Most would trade privacy or security for convenience and are not fully aware of the consequences. The biggest threat is that your data, traffic and identity could be stolen, and the majority of users are not doing enough to protect themselves.
With the lax protection of most public Wi-Fi, many users are putting their data and devices at risk. Encryption is usually employed to keep network traffic private and prevent snooping. For example, the Wi-Fi network at home is usually set up with encryption like WPA2, so that even if your neighbour is within range of your Wi-Fi network, they cannot see the web pages you are viewing. This wireless traffic is encrypted between your device and your wireless router or access point.
When you connect to an open Wi-Fi network like one at a shopping centre, restaurant or airport, the network is usually unencrypted. This is usually indicated by the lack of a padlock symbol next to the network name on your device, or by not having to enter a password when connecting. Your unencrypted network traffic is then clearly visible to everyone in range. Even with a secure banking application that encrypts its data, an observer may still be able to tell which bank you use.
There are also many rogue access points that are mimicking a legitimate Wi-Fi connection to fool you into connecting to them. The biggest threat with this is the ability for the hacker to position himself between you and the connection point. So instead of connecting directly to the Wi-Fi hotspot, information will be sent to the hacker, who then relays it on.
Hackers can also use an unsecured Wi-Fi connection to distribute malware. If you allow file-sharing across a network, the hacker can easily plant infected software on your computer. Some ingenious hackers have even managed to hack the connection point itself, causing a pop-up window to appear during the connection process offering an upgrade to a piece of popular software. Clicking the window installs the malware.
I would highlight some areas to be aware of to improve your security while looking for and connecting to public Wi-Fi hotspots.
Be careful of fake (rogue) Wi-Fi hotspots
Many hackers use a fake (honeypot) Wi-Fi hotspot to collect information about the user. These rogue Wi-Fi hotspots often use the same SSID as legitimate hotspots (e.g. Wireless@SG, etc.) or a name associated with the location (e.g. yourlocalcoffeeshopfreewifi, etc.).
These rogue Wi-Fi hotspots often attempt to capture your credentials with a spoofed login screen, and they would often just collect the information and pass the traffic straight through to the Internet, so users may not realize the web page was a fake. This is especially hard to detect in a foreign hotel.
Figure 1: Fake Hotel Login Screen
The other use of these rogue Wi-Fi hotspots is to infect your device with malware in the form of an update program or a fake “Terms of Service” link that downloads and executes the malware.
At a minimum, make sure your device is protected by the latest anti-virus or other endpoint protection software, and keep the operating system and browser patched.
Be careful of Wi-Fi hotspots that ask for your phone number
There are some Wi-Fi hotspots around the world that ask for your phone number and then send you an SMS with the access code. These kinds of hotspots can be used to conduct targeted attacks on the user.
Here is a possible scenario:
1. The user connects to a rogue hotspot and enters their phone number.
2. The user continues to use the connection to perform a few actions (check email, check bank balance, etc.).
3. Although the mail or banking app is secure, the hacker can still see who you are connecting to, and therefore knows which email service or which bank you use.
4. The hacker sends a spoofed SMS carrying a malicious link that might install malware or send you to a fake website.
Figure 2: Fake SMS
Choose an encrypted hotspot over an open hotspot
This is especially true at airports: some airline lounges offer encrypted Wi-Fi hotspots (those that need a password to join the network), and these are preferable to the typical free airport-wide hotspots. But do check that it is not a rogue Wi-Fi hotspot. Note also that with a shared password (WPA2-Personal), anyone who knows the same password and captures your connection handshake can still decrypt your traffic, so the VPN advice below still applies.
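A small check that covers the two warnings above, “rogue hotspots reuse a known SSID” and “prefer an encrypted hotspot over an open one”, is to compare a scan against what you have joined before. The following is an added example, not part of this paper, and it is only a heuristic: it assumes you keep a record of the BSSIDs and the security type you have previously seen for each SSID (the “trusted profiles”), and it will not catch a rogue that clones the BSSID as well. The scan results and profiles are constructed; the BSSIDs are locally administered example values, not real access points.

```python
"""Evil-twin check over a Wi-Fi scan, plus a join-preference order (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str
    security: str  # "open" or "wpa2" in this example


# SSID -> what you have joined before (assumed record, constructed values).
TRUSTED: Dict[str, dict] = {
    "Wireless@SG": {"bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}, "security": "wpa2"},
    "HomeNet": {"bssids": {"02:00:00:bb:00:01"}, "security": "wpa2"},
}


def check_scan(scan: List[Network], trusted=TRUSTED) -> List[Tuple[Network, str]]:
    """Flag networks that reuse a trusted SSID in a way you have not seen before."""
    findings = []
    for net in scan:
        profile = trusted.get(net.ssid)
        if profile is None:
            continue  # unknown SSID: nothing to compare against
        if net.security == "open" and profile["security"] != "open":
            # The classic evil twin: your encrypted network offered without a key.
            findings.append((net, "trusted encrypted SSID advertised as an open network"))
        elif net.bssid not in profile["bssids"]:
            # Same name, same security type, but an access point you have never joined.
            findings.append((net, "trusted SSID from a BSSID you have not seen before"))
    return findings


def rank_candidates(scan: List[Network], trusted=TRUSTED) -> List[Network]:
    """Order networks from most to least preferable: trusted encrypted first,
    then unknown encrypted, then open networks, with flagged networks last."""
    flagged = {net for net, _ in check_scan(scan, trusted)}

    def score(net: Network) -> int:
        if net in flagged:
            return 3
        if net.security == "open":
            return 2
        if net.ssid not in trusted:
            return 1
        return 0

    return sorted(scan, key=score)


# Constructed scan: one genuine Wireless@SG, one open clone of it, HomeNet from a
# strange BSSID, an unknown open coffee-shop network and an unknown encrypted lounge.
SAMPLE_SCAN = [
    Network("Wireless@SG", "02:00:00:aa:00:01", "wpa2"),
    Network("Wireless@SG", "02:00:00:cc:00:09", "open"),
    Network("HomeNet", "02:00:00:dd:00:01", "wpa2"),
    Network("CoffeeFree", "02:00:00:ee:00:01", "open"),
    Network("LoungeWiFi", "02:00:00:ff:00:01", "wpa2"),
]

if __name__ == "__main__":
    for net, reason in check_scan(SAMPLE_SCAN):
        print(f"WARNING {net.ssid} ({net.bssid}, {net.security}): {reason}")
    print("join order:", [f"{n.ssid}/{n.security}" for n in rank_candidates(SAMPLE_SCAN)])
```

The ranking puts an unknown encrypted network ahead of an unknown open one, which is the point of the section above; it does not make an unknown encrypted network safe, which is why the VPN advice that follows still applies whichever network you pick.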
Use of VPN
A Virtual Private Network (VPN) is a private tunnel that encrypts the traffic between endpoints. The use of a VPN service will help secure your traffic from eavesdropping, but do note that the VPN used should be from a reputable source. I recommend you do some research on the VPN vendor before signing up for any service. An alternative is to host your own VPN service, which is an extension of my previous paper “Protection of Home Networks”.
However, do note that even with the use of a VPN to encrypt the traffic, there is still a vulnerability at the point of connection. The VPN cannot connect until you are connected to the Internet, and the VPN connection is not instantaneous. Sometimes, before you can connect to the Internet, the Wi-Fi hotspot will direct you to a captive portal to manually accept some “Terms of Service” agreement.
During this period before your VPN connection is established, your device might be trying to connect to some services. For example, you could have an email client or chat service that tries to connect automatically, and this traffic is out in the clear for all to see, potentially including the login credentials.
Even if your software attempts to use HTTPS, it could be vulnerable to attacks like SSLStrip, which tricks the software into using plain HTTP anyway (HSTS blocks this downgrade, but only for sites that use it and that your browser has already seen or has preloaded). This vulnerability window might be very small, but that is enough to expose valuable information like login credentials.
Configure software firewall
If you are using public Wi-Fi from your computer, there are a few more protective measures you could employ.
The idea is to block all inbound and outbound connections on public networks (or zones), with the exception of a browser that you use only to connect to captive portals. That browser should be one you use for this purpose alone.
You should also set up a profile/zone for VPN traffic where inbound/outbound traffic is less restricted (always block all outbound connections by default and then allow connections as needed). This approach ensures your email and other programs do not send data out before the VPN is connected. Many VPN clients offer a “kill switch” option that does the same thing by blocking all traffic outside the tunnel.
Although there might be a need to get connected on the go, it pays to be vigilant on who you are connecting to, how you are connected and what you are doing online over that connection.
Paying attention to basic security hygiene can save you from a lot of trouble later.
A link to a PDF version of this blog can be found here
Some folks have asked me about the more affordable UTM devices they can get.
Today some of the more affordable UTMs are:
- Sophos SG series
- Dell SonicWall TZ series
- Zyxel USG series
The Sophos devices have the highest throughput but are a bit more pricey.
The lower-end SonicWall (TZ SOHO) is the cheapest but also has the lowest bandwidth; I actually recommend the TZ300W as the minimum level for SonicWall.
My personal favourite is the Zyxel USG60W, although the USG40W could fit most needs.
At the end of the day, it is a decision balancing cost against performance.
One of the easiest things to do is to get a local firewall (something like Hands Off! or Little Snitch on the Mac) which can alert you to unexpected outgoing traffic from your applications. It may be a bit annoying when you start using it, but over time you will have built up rules for the sites your computer legitimately communicates with, and anything new stands out.
Further steps can be taken by replacing your home router with a Unified Security Gateway; some of these gateways cost the same as a high-end router but offer much more in terms of protection. The ones that come to mind are the Zyxel USG20 or USG60. Feel free to contact me if you have questions on how to set up something like this at your premises.
you can download a quick guide here.
I would recommend using TrueCrypt.
TrueCrypt is a source-available freeware application used for on-the-fly encryption (OTFE). It offers a way to secure part (or all) of your USB flash drive so that you can confidently share the drive with others. Note that TrueCrypt development ended in 2014; VeraCrypt is the maintained fork, and the steps below are the same in it.
TrueCrypt is available on Windows, Linux and Mac and is pretty straightforward to use. I would suggest encrypting most of your USB flash drive and leaving a smaller partition for convenient file sharing while keeping the rest of your files protected.
Here is how you would do it:
When you start up TrueCrypt, you will see this window
Click on “Create Volume”, and you will then get this window:
I recommend starting with just an encrypted file container; you can explore encrypting partitions as you get more comfortable with the technology.
You will now decide if you want the volume hidden. In most cases a standard volume is sufficient, but if you are paranoid you could create a hidden volume. Note that this is not foolproof, as there are tools that allow people to detect a hidden TrueCrypt volume (but not decrypt it).
The next step is to tell it where to create the file container. At this window, click on “Select File…” and create a file on the USB drive (“Select Device…” is only for encrypting a whole partition or drive).
The next screen will ask you what encryption algorithm you want to use. I recommend just staying with the default settings (AES):
Then you would select what size you would like the container to be. The size depends on how you use your drive; just make sure you allocate enough storage for the files you want to protect.
Next, create a password to access your encrypted files. The container is only as strong as this password, so use a long passphrase.
Next, decide on the format. I suggest keeping it at FAT for better compatibility across operating systems (note that FAT cannot hold a single file larger than 4 GB).
The next step involves some user action: keep moving your mouse (or trackpad) to create a random pool for the encryption keys. When you are done, hit the “Format” button:
This step could take a while depending on how large your encrypted area is. When it is done, you will see a popup like this:
You can create additional encrypted areas by repeating the steps, or just click Exit to finish.
Now you can safely share files in the non-encrypted area of your USB drive and not worry about the private files on it.
To access your encrypted area, you have to mount the file in TrueCrypt by selecting the file and clicking on “Mount”.
I would also recommend creating a directory on the un-encrypted area of your drive and putting the TrueCrypt installers for all the platforms there.