Category Archives: UTM

SSH In a Nutshell: A protocol for secured network communication


Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. A widely used Transport Layer Protocol, SSH is used to secure connections between clients and servers. SSH was designed as a replacement for conventional Telnet and for unsecured remote shell protocols such as the Berkeley rlogin, rsh and rexec protocols. Those protocols send critical information, such as passwords, in plain text, and are susceptible to interception and disclosure through methods like packet analysis or deep packet inspection. The encryption used by SSH provides confidentiality and integrity of data over an unsecured network such as the Internet.

Fig. 1: SSH Protocol Stack

How Does SSH Work?

The SSH protocol employs a client-server model for authentication and encryption of data transferred between them.

Negotiating Encryption for the Session

  • Version Exchange: When a client opens a TCP connection, the server responds with the protocol versions it supports. If the client can match one of the acceptable protocol versions, the connection continues.
  • Key Exchange Initialization: To kick off the key exchange, both sides send each other an SSH_MSG_KEXINIT message listing the cryptographic primitives they support, in order of preference. These primitives are the basic building blocks used to perform the key exchange and the bulk data encryption. The following table (Tab. 1) shows some examples of cryptographic primitives.

Tab. 1: Cryptographic Primitives

  • Diffie-Hellman Initialization: The client begins the key exchange by generating an ephemeral key pair (a private key and its associated public key) and sending its public key to the server in an SSH_MSG_KEX_ECDH_INIT message (Fig. 2). The server checks the authorized_keys file of the account that the client is attempting to log into for the key ID. If strict key checking is enabled and the key is not found to be correct, the server rejects the connection, thereby safeguarding itself from connecting with unknown clients. The key pair created here is used only during the key exchange and is disposed of afterwards, so it is extremely difficult for an attacker who passively records the encrypted traffic to steal a private key. This property is called forward secrecy.

Fig. 2: Generation of the key exchange initialization message

  • Diffie-Hellman Reply: On receiving the SSH_MSG_KEX_ECDH_INIT message, the server generates its own ephemeral key pair. The server derives the shared secret K from its own key pair and the client's public key. After the shared secret has been generated, an exchange hash H is computed (Fig. 3). The server signs the exchange hash to produce its signature HS (Fig. 4).

Fig. 3: Generation of the exchange hash H

The exchange hash and its signature serve several purposes:

• Verifying the signature over the exchange hash lets the client confirm that the server holds the host private key. If it does, the client is connected to the correct server.

• A faster handshake is achieved by signing the exchange hash rather than the inputs to the exchange hash.

Fig. 4: Generation of the ECDH KEX reply

The exchange hash is generated by taking the hash (SHA-256, SHA-384 or SHA-512, as dictated by the key exchange algorithm) of the following fields:

• Magics M

• Server host public key (or certificate) HPub

• Client public key A

• Server public key B

• Shared secret K

The magics consist of the client version, the server version, the client's SSH_MSG_KEXINIT message and the server's SSH_MSG_KEXINIT message. With this information in hand, the server can construct the SSH_MSG_KEX_ECDH_REPLY message from the following:

• the ephemeral public key of the server B,

• the host public key of the server HPub,

• and the signature on the exchange hash HS.

After the client receives SSH_MSG_KEX_ECDH_REPLY, it can calculate the secret K and the exchange hash H itself.

The client extracts the host public key (or certificate) from SSH_MSG_KEX_ECDH_REPLY and verifies the signature HS over the exchange hash, which proves that the server owns the host private key.

To prevent Man-in-the-Middle (MITM) attacks, once the signature is validated the retrieved host public key (or certificate) is checked against a local database of trusted hosts; if the key (or certificate) is not trusted, the connection is terminated.

If you have ever seen a message like the one below (Fig. 5), it means that the key presented is not in your local database of known hosts.

Fig. 5: Prompt for Authentication of Server
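The exchange-hash construction and the known-hosts check described above, as an added Python example that is not part of the original post: it encodes the fields the way the SSH wire format does (RFC 4251 string and mpint), hashes M, HPub, A, B and K with the KEX algorithm's hash, and vets the server's host key blob against a known_hosts file the way a client does before trusting it. All version strings, key material and the known_hosts line are constructed placeholders, not real keys or a real session.

```python
import base64
import hashlib
import struct

# SSH wire encodings (RFC 4251): "string" is a uint32 length followed by the
# bytes; "mpint" is a string holding a big-endian two's-complement integer.
def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # a set high bit would read as negative, so prepend 0x00
        raw = b"\x00" + raw
    return ssh_string(raw)

def exchange_hash(v_c, v_s, i_c, i_s, hpub, a, b, k, hash_name="sha256"):
    """H = hash(M || HPub || A || B || K), where the magics M are the client
    and server version strings plus both SSH_MSG_KEXINIT payloads (RFC 5656).
    hash_name follows the negotiated KEX algorithm (sha256/sha384/sha512)."""
    h = hashlib.new(hash_name)
    for field in (v_c, v_s, i_c, i_s, hpub, a, b):
        h.update(ssh_string(field))
    h.update(ssh_mpint(k))  # K is an mpint; every other field is a string
    return h.digest()

def host_key_fingerprint(hpub: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(hpub).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_known_hosts(known_hosts_text: str, hostname: str,
                      key_type: str, hpub: bytes) -> str:
    """Classify a presented host key as 'trusted', 'unknown' or 'mismatch'.
    'mismatch' (host known, key different) is the case a client must refuse,
    because it is exactly what a man-in-the-middle looks like. Only plain
    'host1,host2 keytype base64' lines are handled; hashed (|1|...) hostnames
    and @cert-authority/@revoked markers are left out for brevity."""
    presented = base64.b64encode(hpub).decode()
    host_seen = False
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|1|")):
            continue
        hosts, ktype, b64key = parts[0], parts[1], parts[2]
        if hostname not in hosts.split(",") or ktype != key_type:
            continue
        host_seen = True
        if b64key == presented:
            return "trusted"
    return "mismatch" if host_seen else "unknown"

# Constructed demo values: placeholder bytes, not real keys or a real session.
V_C = b"SSH-2.0-ExampleClient_1.0"
V_S = b"SSH-2.0-ExampleServer_1.0"
I_C = b"\x14" + b"constructed-client-kexinit-payload"  # 0x14 = SSH_MSG_KEXINIT
I_S = b"\x14" + b"constructed-server-kexinit-payload"
HOST_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
Q_C = b"\x02" * 32  # client ephemeral public key A (placeholder)
Q_S = b"\x03" * 32  # server ephemeral public key B (placeholder)
K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
KNOWN_HOSTS = "bastion.example.net,192.0.2.22 ssh-ed25519 %s\n" % (
    base64.b64encode(HOST_KEY_BLOB).decode())

def demo():
    """Both sides compute H the same way; the client then vets the host key."""
    h = exchange_hash(V_C, V_S, I_C, I_S, HOST_KEY_BLOB, Q_C, Q_S, K)
    return {
        "H": h,
        "fingerprint": host_key_fingerprint(HOST_KEY_BLOB),
        "known": check_known_hosts(KNOWN_HOSTS, "bastion.example.net",
                                   "ssh-ed25519", HOST_KEY_BLOB),
        "first_contact": check_known_hosts(KNOWN_HOSTS, "new.example.net",
                                           "ssh-ed25519", HOST_KEY_BLOB),
        "changed_key": check_known_hosts(KNOWN_HOSTS, "bastion.example.net",
                                         "ssh-ed25519", HOST_KEY_BLOB + b"\x00"),
    }

if __name__ == "__main__":
    result = demo()
    print("exchange hash H:", result["H"].hex())
    print("host key fingerprint:", result["fingerprint"])
    for case in ("known", "first_contact", "changed_key"):
        print(case, "->", result[case])
```

The "first_contact" result is what produces the Fig. 5 prompt; "changed_key" is the case a client must refuse rather than ask about.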

Authenticating the User’s Access to the Server

The next stage authenticates the user and decides what access to grant. There are various authentication mechanisms; which one is used depends on what the server has been configured for.

The simplest is password authentication, but it is strongly discouraged because of its complexities and the prevalence of automated password-breaking scripts.

The most popular and recommended alternative is the use of SSH key pairs. SSH key pairs are asymmetric keys. The public key is used to encrypt data that can only be decrypted with the private key. The public key can be freely shared because, although it can encrypt for the private key, there is no method of deriving the private key from the public key.

Summary

SSH provides a secured, encrypted channel for configuring remote servers, established through agreed cryptographic primitives, with user authentication by asymmetric key pairs.

The following diagram shows the various stages of the SSH handshake in establishing a secured channel when the password authentication mechanism is used.

Fig. 6: Stages of SSH Handshaking with user Password Authentication

The post SSH In a Nutshell: A protocol for secured network communication appeared first on Seqrite Blog.

Don’t put the network visibility of your enterprise at risk


We live in a connected world. Thanks to the rise of new trends and concepts like the Internet of Things (IoT) and Bring Your Own Device (BYOD), enterprise networks can no longer restrict themselves to a specific set of predefined devices. Hence, the number of devices that now exist on enterprise networks is multiplying rapidly.

Obviously, this means that the importance of network visibility has grown manifold. Just a few years back it was far simpler to get an outline of a business network, but with the ever-expanding number of devices that now connect to business networks, it is a whole new ball game. From a cybersecurity perspective, network visibility is extremely important: you have to be able to monitor what you are trying to secure.

How does network visibility help an enterprise? Here are some ways:

Identifying anomalies in network activity

Network visibility enables cybersecurity administrators to observe network activity. This can allow them to spot and benchmark patterns, leading to easy identification of anomalies. Normal activity is thus easily detected and anything which stands out can be sent for investigation.

User activity

Are employees taking the information security policy seriously? Proper network visibility answers this question with detailed information on how employees are using confidential and sensitive data. Network administrators can also readily find out whether their policies are being followed and whether there are backdoors in the network.

Secure Remote Connectivity

A secure connection from an endpoint to the company's network for its remote users is very important, and a virtual private network (VPN) provides just that. It also helps build site-to-site connections to ensure protected and seamless connectivity. Typically, Secure Sockets Layer (SSL) or IPsec is used to secure the communication between the endpoint and the network.

Ease of use and operational benefits

A single centralized solution offering network visibility helps provide an easy snapshot to understand what is happening in an enterprise network. It allows for operational benefits by eliminating the need to have multiple security solutions to perform the task.

Sensitive assets

Network visibility allows administrators to understand their network’s weak points. What part of the network gets attacked the most and what kind of attack vectors are used? Through these trends, network administrators stay up-to-date on the everyday changes happening in a fairly massive enterprise network.

Seqrite’s Unified Threat Management (UTM) solution offers a one-stop solution for network visibility. UTM reduces security complexities by integrating key IT security features in one integrated network security product. The platform brings network security, management, backup and recovery of UTM data and many other critical network services together under a single unified umbrella, tailored to suit the complexity of emerging threat scenarios.

A few benefits of the UTM solution are:

  • All traffic through the firewall is tracked and logged, and pre-defined business rules are applied to block threats and non-business traffic. This improves productivity and ensures security. The built-in antivirus scans all inbound and outbound traffic for malware at the gateway level. The IPS can detect and prevent a wide range of DoS and DDoS attacks before they infiltrate the network.
  • It validates and encrypts every IP packet of communication using Perfect Forward Secrecy (PFS) and NAT traversal. VPN compression, multiple-subnet support and DNS settings for the PPTP server, as well as SSL VPN, remote access VPN, site-to-site VPN and dead peer detection, are some of the other features of this tool that ensure secure remote connectivity.
  • It includes mail antivirus and anti-spam as well as keyword blocking for emails and HTTP(S) traffic, fortifying your email communication. Filtering based on website categories and custom web lists is also provided.
  • It boasts a revamped ISP load balance and failover feature, including policy-based failover routing and automatic diversion of data traffic from an inactive ISP to active ISPs. IPv6, VLAN, USB Internet support for 3G/4G and NTP support, configurable LAN/WAN/DMZ ports, and Layer 2 bridging and link aggregation are also provided.
  • A user-friendly web-based logging and reporting console gives a complete view of the network. Diagnostic tools can be scheduled, and CPU/RAM/disk usage is monitored with timely reports and alerts through SMS or email. Stronger access control with enhanced user/group bandwidth and quota management is also provided.

Seqrite UTM is a one-stop network security solution for your enterprise ensuring round-the-clock security for your network.


DDoS attacks – Protection is better than cure


DDoS Attacks on the Rise

According to recent cyber security reports, DDoS attacks rose in Q1 2019, including the number of attacks lasting more than an hour. Many researchers believe that cyber attackers who had been carrying out DDoS attacks for monetary gain had shifted their attention to other income sources such as crypto mining. The decrease in crypto mining activity has once again led to an increase in DDoS attacks.

What are DoS and DDoS Attacks? 

A denial of service (DoS) attack is a strategy in which an unknown zombie aims to prevent others from accessing a web server, web application or cloud service by flooding it with service requests from a single origin, rendering the targeted internet service inaccessible.

A distributed denial of service (DDoS) attack, on the other hand, is a DoS attack from multiple sources on different networks, disrupting any service such as mobile application APIs, web pages, email services or DNS services.

Why DDoS Attacks? 

Attackers might carry out these attacks for fun, to slow down a competitor's business, to influence public votes, for monetary gain or for other income sources such as crypto mining. DDoS attacks can even serve as cover for stealing valuable data from victims.

Types of DDoS Attacks? 

Basic DDoS attacks include the UDP flood, SYN flood, ICMP (ping) flood, DHCP starvation attack and Ping of Death attack.

UDP Flood

Random ports on the remote host are flooded with UDP packets. The victim repeatedly checks for an application listening on each port and, finding none, replies with ICMP destination unreachable messages. This exhausts the victim's resources, making it inaccessible.

SYN Flood

The victim is flooded with SYN requests, or even spoofed SYN requests for which no ACK will ever be received. The victim waits for an acknowledgement from the flooder for each request, tying up resources until no new connection can be made, which results in denial of service.

ICMP (PING) Flood

The victim is flooded with ICMP Echo Request packets without the attacker waiting for replies. The victim keeps generating an ICMP Echo Reply for each request, exhausting both incoming and outgoing bandwidth and slowing the system down.

Ping of Death Attack

The victim is flooded with malformed or malicious pings and ends up with an IP packet exceeding 65,535 bytes when reassembled. This overflows the memory buffers allocated for the packet, ending up in denial of service for legitimate packets.

DHCP Starvation Attack

DHCP Discover packets are flooded to DHCP servers with the intent of exhausting all IP addresses the DHCP server can allocate, resulting in denial of service for legitimate network users.
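The flood classes above, seen from the defender's side, as an added Python example that is not part of the original post: it reads constructed tcpdump-style lines, buckets bare SYNs, ICMP echo requests and UDP datagrams per target per second, and raises an alert when a bucket crosses a threshold, reporting whether the traffic came from one source (DoS) or many (DDoS) as the post defines them. The sample lines use documentation addresses and the threshold is illustrative, both constructed here.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines using RFC 5737 documentation addresses.
# This is sample input for the demo, not a real capture.
SAMPLE_LINES = [
    "12:00:00.000101 IP 203.0.113.11.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.000202 IP 203.0.113.12.40002 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.000303 IP 203.0.113.13.40003 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.000404 IP 203.0.113.14.40004 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.000505 IP 203.0.113.15.40005 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0",
    "12:00:00.000606 IP 192.0.2.10.80 > 198.51.100.7.51000: Flags [S.], seq 9, ack 1, win 65535, length 0",
    "12:00:00.000707 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64",
    "12:00:00.000808 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 7, seq 2, length 64",
    "12:00:00.000909 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 7, seq 3, length 64",
    "12:00:00.001010 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 7, seq 4, length 64",
    "12:00:00.001111 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 7, seq 5, length 64",
    "12:00:01.000101 IP 203.0.113.20.5555 > 192.0.2.10.9999: UDP, length 10",
    "12:00:01.000202 IP 203.0.113.20.5556 > 192.0.2.10.9998: UDP, length 10",
]

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+) > (\S+?): (.*)$")

def strip_port(endpoint: str) -> str:
    # tcpdump prints IPv4 endpoints as a.b.c.d.port for TCP/UDP and a.b.c.d for ICMP
    return endpoint.rsplit(".", 1)[0] if endpoint.count(".") == 4 else endpoint

def parse_line(line: str):
    """Return (second, kind, src_ip, dst_ip) for the three flood classes the
    post describes, or None for anything else (including SYN-ACK replies)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    second, src, dst, rest = m.groups()
    if rest.startswith("Flags [S],"):          # bare SYN, no ACK bit set
        kind = "syn"
    elif rest.startswith("ICMP echo request"):
        kind = "icmp_echo"
    elif rest.startswith("UDP,"):
        kind = "udp"
    else:
        return None
    return second, kind, strip_port(src), strip_port(dst)

def detect_floods(lines, threshold=5):
    """Count packets of each kind per destination per second and alert when
    a bucket reaches the threshold. The distinct-source count separates a
    single-origin DoS from a distributed DDoS. A threshold of 5 suits only
    the constructed sample; a real link needs a much higher, tuned value."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        second, kind, src, dst = parsed
        counts[(second, kind, dst)] += 1
        sources[(second, kind, dst)].add(src)
    alerts = []
    for key in sorted(counts):
        if counts[key] < threshold:
            continue
        second, kind, dst = key
        n_src = len(sources[key])
        alerts.append({
            "second": second,
            "kind": kind,
            "target": dst,
            "packets": counts[key],
            "sources": n_src,
            "pattern": "distributed" if n_src > 1 else "single-origin",
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LINES):
        print(alert)
```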

Business Impact of DDoS attacks… 

Generating DDoS attacks is not very expensive, but they can have a huge impact on business. Imagine a service being down for 24 hours: in addition to the financial loss, the company's reputation is also at risk. In 2015, the BBC's server was flooded with 602 Gbps of traffic, leading to the collapse of the BBC's sites and the content services it provided [1][2]. There are countless more examples. IT administrators contact third-party vendors to resolve the issue, and any delay in bringing a DDoS attack under control may let a competitor quickly step in.

So, isn’t protection against DDoS attacks better than cure? 

Internet speeds are increasing day by day, and our application servers could be attacked by hackers using high volumes of connections, resulting in denial of service scenarios. We need to protect them from DoS and DDoS attacks. So, what's the solution?

Protect your application servers with Seqrite UTM, a gateway security solution.

Seqrite UTM (Unified Threat Management) provides an excellent gateway security solution against DDoS attacks. It protects against DoS/DDoS attacks in the form of SYN floods, ICMP/ICMPv6 floods and UDP floods.

For more information visit:  https://www.seqrite.com/seqrite-utm

References

1. http://www.csoonline.com/article/3020292/cyber-attacks-espionage/ddos-attack-on-bbc-may-have-been-biggest-in-history.html

2. https://www.cyberdefensehub.com/famous-ddos-attacks/


Why someone needs VPN?


What is VPN?

A VPN, or virtual private network, is a secure tunnel between your device and the internet. It is an encrypted connection used to protect your online traffic from snooping, interference and censorship. It allows you to open a secure communication channel from one network to another over the internet. It extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Why someone needs a VPN

  • You have a remote workforce: You have employees or freelancers who work for you from a remote location and want to access your network regularly.
  • You encourage a BYOD policy: A BYOD (Bring Your Own Device) policy reduces your infrastructure cost but increases the security risks.
  • Your employees travel to customer locations: Your employees may travel to a client's location to close a deal or for other business essentials. They need to access your private network from the client location and may also have to work while traveling. Using public Wi-Fi at airports or hotels at such times increases the security risk.
  • You want to secure communication and browsing: Your employees may use unsecure web pages while browsing, potentially exposing sensitive data such as passwords and business details.
  • You have multiple branches: You may have multiple branches that you want to connect with each other without compromising on security. You may also want to share or access your private network resources over a public network.

Benefits of VPN for your business

  • Enhanced data security for remote users: A VPN provides a secure communication tunnel for your remote workforce. Your employees use this tunnel to access your private network resources, as well as the public network, without compromising security. It also secures your BYOD policies.
  • Encourages productivity: If your employees are aware of the vulnerabilities of the internet, they may be cautious about accessing confidential private data from a public network. A VPN provides a secure means of accessing your private network while ensuring peace of mind for your employees.
  • Makes your clients feel more secure: If you collect your customers' data as part of your business offering, a VPN helps to mitigate their worries by providing one more layer of security to build their confidence.
  • Geo-independence: Some countries restrict what you can access. If you and your employees travel a lot, your employees need to stay connected with your office to complete their work, and that is when you need a VPN.

Challenges with Remote Access

Even though a VPN provides a secure communication channel for your remote employees, they can still misuse your organizational resources, for example by using your internet bandwidth for their personal benefit. You need to restrict this kind of unwanted usage.

Seqrite UTM offering

Seqrite UTM has provisions to create a Virtual Private Network in two scenarios.

  • Site to Site: A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the internet.
  • Remote access: Allows you to securely access your organization’s network over the Internet.

Seqrite UTM provides the following three types of VPN:

  • IPSec VPN: This VPN uses layer 3 IP security standard to create secure tunnels between the client and the server.
  • PPTP VPN: Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. This VPN uses MPPE authentication for connection between client and server.
  • SSL VPN: This VPN uses SSL certificates and Public Key Infrastructure (PKI) for authentication and encryption of the tunnel between client and server.

Seqrite UTM also lets you enforce multiple policies on your remote VPN users, so that you can control their access:

  • Web policies
    • URL Categorization
    • Keyword control
    • File size policy
    • Black/White list URLs
  • Mail policies
    • Attachment control
    • Keyword blocking

Seqrite UTM also offers multiple security features over VPN traffic to secure your private network.

  • Antivirus
  • Antispam
  • Internet Quota Management

Seqrite UTM offers unrestricted VPN access to its customers.

 


Email technology and its security in nutshell


Email has become a necessity of day-to-day communication. We can appreciate its importance from the fact that downtime of an organization's email server directly affects the organization's productivity. Email has become the most prominent and integral part of the network system, hence one must know how to manage it and keep it secure. Let's understand email technology and its basic flow in a nutshell.

1.1 How email works

1.1 Diagram to illustrate basic email flow

The Mail User Agent (MUA), also referred to as an email client, is a computer application that allows you to compose and send emails or fetch and read emails intended for you. The MUA can be a web-based client, meaning that you send and receive emails via a browser (e.g. Gmail or Yahoo in Firefox, Chrome etc.), or an application-based client (e.g. Thunderbird, Outlook etc.). To send an email, the sender composes the email, adds the recipient's name and clicks the Send button.

Once the sender has composed and sent an email, an email server is ready to receive and process it. The email server is a computer application listening on port 25 (non-encrypted), 465 (SSL/TLS) or 587 (STARTTLS). It receives the email from the sender and forwards it for delivery. All outgoing emails are placed in a mail queue, and in parallel the SMTP server queries the DNS server for the recipient domain's MX record in order to find out where the receiver's email server is located. Once it finds the IP address of the recipient's email server, it sends the composed message to that IP. For example, the MX record for xyz.com might point to mail1.xyz.com.

In the email queue, the SMTP server looks up the MX record and validates the recipient. If the server is unable to process the email, it places it in a deferred queue; such mail is not delivered immediately but retried after some time for a few attempts before a failure acknowledgment is sent to the client. If the email is validated and intended for local delivery, it is handed over to the local delivery agent; if it is intended for remote delivery, the server contacts other mail servers for relaying.

If the email is intended for remote delivery, it is relayed to an MTA. The MTA (Mail Transport Agent) is a software application that relays email from one node to another using the SMTP protocol. The MTA receives the email from another MTA or from a MUA. After receiving the email, it adds a "Received" header at the top of the message header and relays the email to another MTA for further delivery. It is also known as the relaying agent of email. For each mail, the MTA processes it, keeps track of every activity and analyzes the list of recipients for the routing actions. It sends non-delivery responses when a message does not reach its intended destination. A few open source MTAs are Exim, Postfix etc.

The MDA (Mail Delivery Agent) is a software application that takes mail from the MTA and is responsible for delivering it to the receiver's mailbox. Upon final delivery, the Return-Path field is added to the envelope to keep a record of the return path. Some popular open source MDAs are Dovecot, Fetchmail etc.

MUA is a software application that fetches the email from POP3 server or IMAP server and loads that email from the user’s mail box to email client (i.e. Thunderbird, Outlook).

POP3 server listens on following ports:

  • Port 110 – Post Office Protocol for non-encrypted mail.
  • Port 995 – Post Office Protocol over SSL/TLS.

IMAP server listens on following ports:

  • Port 143 – Internet Message Access Protocol for non-encrypted mail.
  • Port 993 – Internet Message Access Protocol over SSL/TLS.

In a nutshell, the Mail Transport Agent (MTA), such as Postfix or Exim, is responsible for sending email to the correct destination and handing it over to the MDA.

The Mail Delivery Agent (MDA), such as Dovecot or Fetchmail, receives mail from the MTA and places it in the user's mailbox. (Dovecot supports the POP3 and IMAP protocols along with MDA functionality.)

The Mail User Agent (MUA), such as Thunderbird or Outlook, is the email client that fetches email from the user's mailbox and presents it to the user.
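The relay trail that the MTAs and the MDA leave behind, as an added Python example that is not part of the original post: each MTA prepends a "Received" header and the final delivery adds Return-Path, so reading the Received headers bottom-up reconstructs the path the message took, and checking that each hop's receiving host is the next hop's sending host is a quick way to spot a forged hop. The message, hostnames and IP addresses are constructed for the demo (mail1.xyz.com reuses the MX example from the text).

```python
import email
import re

# Constructed message with two relay hops (not a real capture). Every MTA on
# the path prepends its own "Received:" header, so the topmost one is the
# most recent hop, and the MDA added Return-Path on final delivery.
RAW_MESSAGE = """\
Return-Path: <alice@xyz.com>
Received: from mail1.xyz.com (mail1.xyz.com [192.0.2.25])
\tby mx.example.net with ESMTPS id abc123
\tfor <bob@example.net>; Mon, 1 Jul 2019 10:00:02 +0000
Received: from alice-laptop (unknown [198.51.100.9])
\tby mail1.xyz.com with ESMTP id def456;
\tMon, 1 Jul 2019 10:00:00 +0000
From: alice@xyz.com
To: bob@example.net
Subject: Quarterly report

Please find the report attached.
"""

# "from <host> (<comment>) by <host>" is the part of a Received clause that
# identifies one hop; the optional parenthesised comment carries the peer's
# reverse DNS name and IP address as seen by the receiving MTA.
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s+(?:\([^)]*\)\s+)?by\s+(\S+)", re.IGNORECASE)

def received_hops(raw_message: str):
    """Return (from_host, by_host) pairs in chronological order, oldest first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # unfold header continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def return_path(raw_message: str) -> str:
    msg = email.message_from_string(raw_message)
    return msg.get("Return-Path", "").strip().strip("<>")

def chain_is_consistent(hops) -> bool:
    """Each hop's receiving MTA should be the sending host of the next hop.
    A break in that chain is a common sign that a Received header was
    written by the sender rather than added by a relaying MTA."""
    return all(hops[i][1] == hops[i + 1][0] for i in range(len(hops) - 1))

if __name__ == "__main__":
    path = received_hops(RAW_MESSAGE)
    for sender, receiver in path:
        print(f"{sender} -> {receiver}")
    print("return path:", return_path(RAW_MESSAGE))
    print("chain consistent:", chain_is_consistent(path))
```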

 

1.2 Security/Protection of the email server

1.2.1 Scanning for threats

Scanning emails before they reach the organization's email server protects the organization from malicious activity. Proper scanning for viruses, spam, spyware, Trojan horses, phishing, worms and ransomware must be carried out. Email security/protection devices provide the facility to scan email files for the above threats.

1.2.2 Blacklisting of domains/email addresses

Blacklisting email domains or email addresses helps an organization avoid receiving email from malicious addresses or domain names.

1.2.3 Data leak prevention (DLP)

DLP helps organization prevent the leakage of sensitive or confidential information. Security devices check as per administrator’s customized policies at the gateway and accept or reject mail accordingly. Notifying such an activity to administrators would be an added advantage.

1.2.4 Content based blocking

Sometimes inappropriate content may flow through email. Applying policies to inbound and outbound mail for file types, extension matching, keyword matching and expression matching, in both the email body and attachments, reduces the flow of such information.

1.2.5 Encrypted communication over SSL/TLS

Transport Layer Security (TLS) can be used to encrypt and decrypt email in transit. Email sent in plain text can be intercepted and read by an interceptor.

1.2.6 Verification of sender

To maintain integrity in email communication, the sender should be a verified, legitimate entity. Pretty Good Privacy (PGP) lets you digitally sign an encrypted document. This ensures that the email arriving in the mailbox has not been compromised.

Last but not least, employee training also helps to reduce threats coming to or from the organization. A few points that can be included in training:

  • Never open links from unknown senders; report them to your manager/admin.
  • Do not open an attachment from an unknown sender; report it to your manager/admin. If the mail is from a known sender but looks suspicious, it is good to confirm with them before opening it.
  • Avoid connecting to and accessing your email over public, non-secure Wi-Fi connections.


Make Seqrite UTM the first line of defense for your enterprise


Network security has traditionally been the number one priority for enterprises. As reliance on the Internet has increased, enterprises have invested in traditional network security solutions that aim to protect trusted internal networks from external actors. For this purpose, enterprises have invested in solutions like a firewall, which stands at the perimeter of a company's network and monitors and controls incoming and outgoing network traffic. Similarly, organizations have also invested in Unified Threat Management (UTM) solutions, which combine and integrate multiple security devices for protection.

Enterprises can consider Seqrite’s Unified Threat Management (UTM) which combines multi-layered cybersecurity strategies for businesses, thereby safeguarding the entire IT framework while rendering it productive, secure and stable. Seqrite is one reliable security service provider that offers UTM as a gateway security solution. Seqrite’s UTM offers a host of features for enterprises in areas of networking, administration, content filtering, VPN, monitoring and reporting, mail protection, firewall, security services and user authentication.

Unified Threat Management is a holistic service that comes with features like content filtering, VPN, firewall and anti-virus protection clubbed together under a single dashboard. Some of the key UTM features that can serve as the first line of defense for your enterprise are:

  • Gateway Antivirus

The Gateway Antivirus feature scans all incoming and outgoing network traffic at the gateway level. This helps to augment existing virus solutions by reducing the window of vulnerability (WoV) as threats are detected and dealt with right at the network level, hence preventing their entry into the rest of the enterprise.

  • IPS

Through the Intrusion Prevention System (IPS) feature, network traffic is scanned in real time. This helps prevent a broad range of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks even before they can penetrate the network. The IPS also allows rules, policies and the required actions to be configured for when these alarms are captured.

  • Firewall Protection

With the best-in-class firewall protection, network administrators can permit or block access for traffic between internal and external networks based on enterprise compliance policies.

  • URL Filtering

When it comes to selecting a functional UTM solution, spam blocking and URL filtering need to be prioritized. These components are the building blocks of an enterprise-level network security solution and a key feature within reliable UTM products. URL filtering helps block risky websites and when paired with spam filtering, can also block the entry of spam mails and certain forms of phishing attacks. Seqrite UTM’s URL Filtering feature allows blocking of non-business related web traffic including streaming media sites, downloads, instant messaging etc. in order to reduce unnecessary load on enterprise bandwidth.

  • Gateway Mail Protection

Thanks to the Gateway Mail Protection features, enterprises can be sure that they are protected from malicious emails and Business Email Compromise (BEC) attacks. This feature scans incoming/outgoing emails or attachments at the gateway level to block spam and phishing emails before they enter the network.

  • Load Balancing

This feature allows the distribution of bandwidth across multiple ISPs within the enterprise network and enables these ISPs to operate over the same gateway channels. Multiple ISPs can be used by Seqrite UTM through this feature. Traffic is balanced across multiple ISP lines based on weightage and priority.

The above pointers make it quite clear why Seqrite Unified Threat Management (UTM) has the power and tools required for enterprises to make it their first line of defense against cyber attacks.
