
Securing a Private Intranet?

crustythecrab asks: "My company wants to take a web-based data management system I wrote which runs on a closed network not connected to the internet and put it out on the net so everyone can access it remotely. The number one issue of course is security, and I've been asked to write a paper on how to make the system 'secure' in order to convince management that it will be safe to proceed. But the question runs through my mind: How secure is 'secure'? I'm running all UNIX, no Windows or anything on the server side, and I'll certainly recommend a VPN, but since nothing is 100% secure, I was wondering what the current state of the art in 'Intranet' security is. Are there any novel new concepts out there? Or do you just put up a VPN and hope for the best?"
  • two alternatives: (Score:4, Informative)

    by TheSHAD0W ( 258774 ) on Friday September 26, 2003 @09:53PM (#7069295) Homepage
    If it's a web app, you could make it available via https and give people usernames and passwords. ssl is a pretty secure solution, despite the recent exploits; and if you keep up with your patches, forwarding port 443 to your web server won't be an awful security problem. Your largest issues will be insecure passwords and brute-force attacks on them.

    Alternatively you could add VPN access to your intranet, allowing remote users to log in via an encrypted tunnel. This would have benefits and drawbacks over the above method; it would be more secure, but less accessible. (You may not consider this a bad thing.) The key, if done correctly, would be more secure than a password a user could remember, but it might also be treated less securely and stolen from a remote machine.
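The brute-force problem TheSHAD0W raises for the https-plus-passwords option, as an added example that is not from the post: detection logic run over constructed access-log lines, flagging source IPs whose failed logins cluster inside a short window while leaving slow, spread-out failures alone. The combined log format, the /login path, the 401-means-failed-password convention and the thresholds are assumptions.

```go
package main

import (
	"regexp"
	"sort"
	"time"
)

// Constructed Apache combined-format lines for the login handler; the assumed
// convention is that a 401 on "POST /login" is one failed password attempt.
const sampleLog = `10.0.0.5 - - [26/Sep/2003:21:53:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl"
10.0.0.5 - - [26/Sep/2003:21:53:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl"
10.0.0.5 - - [26/Sep/2003:21:53:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl"
10.0.0.5 - - [26/Sep/2003:21:53:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl"
192.168.1.9 - - [26/Sep/2003:21:40:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla"
192.168.1.9 - - [26/Sep/2003:21:41:30 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla"
172.16.4.2 - - [26/Sep/2003:21:00:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla"
172.16.4.2 - - [26/Sep/2003:21:10:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla"
172.16.4.2 - - [26/Sep/2003:21:20:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla"`

// (?m) makes ^ match at every line start; only the login handler is of interest.
var lineRe = regexp.MustCompile(`(?m)^(\S+) \S+ \S+ \[([^\]]+)\] "POST /login [^"]*" (\d{3}) `)

// failedLogins groups the timestamps of failed attempts by source IP.
func failedLogins(log string) map[string][]time.Time {
	out := map[string][]time.Time{}
	for _, m := range lineRe.FindAllStringSubmatch(log, -1) {
		if m[3] != "401" { continue }
		t, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil { continue } // malformed timestamp: skip the line, don't abort
		out[m[1]] = append(out[m[1]], t)
	}
	return out
}

// FlagBruteForce reports each IP whose failed logins reach threshold inside some
// span no longer than window, with the peak count it hit within such a span.
func FlagBruteForce(log string, threshold int, window time.Duration) map[string]int {
	flagged := map[string]int{}
	for ip, times := range failedLogins(log) {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		peak, start := 0, 0
		for end := range times { // sliding window over the sorted timestamps
			for times[end].Sub(times[start]) > window { start++ }
			if n := end - start + 1; n > peak { peak = n }
		}
		if peak >= threshold { flagged[ip] = peak }
	}
	return flagged
}
```

With a 60-second window only 10.0.0.5 is flagged; widening the window to an hour also catches the slow sequence from 172.16.4.2, so the window is the knob that trades false positives for coverage.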
  • by RedPhoenix ( 124662 ) on Friday September 26, 2003 @10:11PM (#7069364)
    Prefix everything I have to say with "Nothing is perfectly secure", and keep in mind that poking holes in security concepts is often a lot easier than implementing something effective, efficient, and that makes sense from a business perspective.

    Some potential options are:
    * Authentication / Confidentiality - Application layer
    - Consider using an authentication scheme for access to portions of your web site - this can be through self-generated X.509 certificates, distributed to your users for example. Such certificates have the advantage of providing both authentication, and encryption at the application layer.

    * Authentication / Confidentiality - network layer
    - A VPN is a step in the right direction I suspect. Something like the openvpn suite may be appropriate. If you wish to use openvpn for authentication as well, you'll probably need to find a relatively secure mechanism to distribute key data.

    You may wish to consider making up an 'autorun' CD for each user, which contains the key data, establishes the vpn link, copies the x.509 key to the appropriate location in the user's browser config files, and connects to your application. If your end-users are Windows machines, it should be relatively easy to automate. If you have unix boxes at the user level, then you may be able to get away with something a little less streamlined.

    In this setup, your 'CD' becomes your key. When your user wants to access the 'work application', they pop the CD in their drive, and wait for a connect. You may wish to overlay password access controls on either your openvpn or http server, in order to guard against loss of a CD implying access to your network. In addition, auditing access to your network is a critical (if somewhat difficult) part of your security profile.

    Alternatively, you could investigate:
    * hardware tokens, or SecureID related technology. Many of these systems use usb these days, so there's less of a problem with lack of card readers like there used to be. It really depends on how much you really want to spend.
    * Dial up. This is becoming more and more difficult though - often, a user will have a modem and ADSL/Cable link active at the same time, so without additional security controls, you effectively have an uncontrolled gateway to your network.

    However, in summary, I'd recommend:
    * Application level identification (and possibly encryption). Potentially x.509 certificates, or strong passwords.
    * Network level identification and encryption (potentially something like openvpn, but not using the zero-configuration options)
    * Some form of effective auditing in lieu of an effective certificate revocation service.

    Again... security is very much a marriage of risk, threat, and cost. Some of the above solutions are probably worth considering in low threat environments, where cost is an issue, and the number of users is easily manageable. When you have a high threat environment, or where money is not an issue, then a more 'packaged' solution would probably be appropriate.

    Red.
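RedPhoenix's application-layer option of self-generated X.509 certificates, as an added example that is not from the post: a private CA issues one short-lived client certificate per user, and the server-side check accepts only certificates that chain to that CA, so a certificate from any other issuer (public or rogue) is rejected. The subject names, lifetimes and P-256 keys are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert generates a P-256 key pair and a certificate for subject. With ca == nil
// it self-signs a private CA; otherwise it issues a client-auth leaf under ca.
func newCert(subject string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 3, 0), // short-lived: there is no CRL service here
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	parent, signer := ca, caKey
	if ca == nil { // self-signed CA: may sign certificates, is not itself a client credential
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// VerifyClient is the server's per-handshake check: the presented certificate must
// chain to our private CA (no public root is consulted) and be marked for client auth.
func VerifyClient(ca, client *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}
```

The same pool-of-one-root idea is what a web server's client-certificate verification setting does; the point is that the server trusts the intranet's own CA and nothing else.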
  • by SealBeater ( 143912 ) on Friday September 26, 2003 @10:58PM (#7069571) Homepage
    Whatever security mechanism you decide on, and I would probably recommend ssl or ipsec tunnels, remember to think in layers. Secure the host machine, and I would personally recommend the Bait and Switch Honeypot system. From the freshmeat entry, "The Bait and Switch Honeypot System combines the snort Intrusion Detection System (IDS) with honeypot technology to create a system that reacts to hostile intrusion attempts by marking and then redirecting all "bad" traffic to a honeypot that partially mirrors your production system. Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data, while your clients and/or users are still safely accessing the real system." Monitor the IDS in real time, keep up on patches, and you should be good to go. You can get it here [sourceforge.net].

    SealBeater
  • Read the OWASP guide (Score:4, Informative)

    by Rich Dougherty ( 593438 ) on Saturday September 27, 2003 @12:52AM (#7070052) Homepage

    The Open Web Application Security Project [owasp.org] have a guide [owasp.org] to help those who want to improve the security of their web applications. I've had a skim and it looks pretty good. They claim two million downloads, so other people must think so too. :-)

    If you're feeling lazy, you could do worse than reading their list of the top ten web application vulnerabilities [owasp.org].

  • by bobv-pillars-net ( 97943 ) <bobvin@pillars.net> on Saturday September 27, 2003 @02:28AM (#7070422) Homepage Journal
    The Australian lesson:
    If it's cheaper and easier to walk away with the hardware than to crack in over the wire, then the NETWORK security manager has done an adequate job...

    Honestly and no joke, that's how I curb my paranoia. I take a look at the physical security and say, "Well, at least I'm doing better than THAT," and stop worrying so much.

  • Re:Hire Someone (Score:1, Informative)

    by lanswitch ( 705539 ) on Saturday September 27, 2003 @02:51AM (#7070495)
    And if you are interested in becoming a professional, or you don't have the funding, look at www.cert.org. They have a lot of information about security, ranging from a vulnerability database to complete worked-out methods for data protection.
