Web Admin Blog: Real Web Admins. Real World Experience.

9 Apr 2009

Who Needs VPN When You Have PuTTY?

I was talking with my coworkers this afternoon about Time Warner's plans to jack up rates for high-bandwidth users, and it got me thinking about how much of their precious bandwidth I am actually using. I know that my router at home has a web interface where I can get that information, but I have it intentionally allowing access only from the local area network interfaces. I needed another way to view the page from work while making the router think that I was on the right network. What I ended up doing was using PuTTY to create an SSH tunnel from my work computer to my Linux box on the home network. I then just pointed my browser at the forwarded port on my work computer, and up came my router's web interface. Who needs VPN when you have PuTTY? Anyway, here are the exact steps that I took to do this:

  1. Start PuTTY
  2. Under Connection->SSH->Tunnels specify a source port (the localhost port you want to connect to) and a destination (IP:port) that you want to connect to on your home network.
    • Source port: 8008
    • Destination: 192.168.0.1:80 (or whatever IP your router is at and its web interface port)
  3. Click "Add"
  4. Under "Session" specify the host name for your SSH server that lives on your internal network but is exposed through port forwarding on your router on port 22.
  5. Click "Open"
  6. When prompted, enter your username and password for your SSH server.
  7. Now just pull up your favorite web browser and navigate to http://localhost:8008.  You should see the page just like you would if you were sitting at home.
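For anyone who would rather do the same thing from OpenSSH than from the PuTTY dialogs, here is an added example (written for this page, not taken from the post) that builds the command-line equivalent of the Tunnels settings above, validates the ports, and then performs step 7 programmatically by asking localhost:8008 for a page. The host name home.example.com and the login "you" are placeholders for your own values.

```python
"""Added example (not from the post): OpenSSH equivalent of the PuTTY tunnel
settings above, plus a check that the forwarded port answers HTTP.
Assumed placeholders: home.example.com (public name of the home SSH server)
and "you" (the login there)."""
import subprocess
import time
import urllib.error
import urllib.request
from typing import List, Tuple


def parse_destination(destination: str) -> Tuple[str, int]:
    """Split PuTTY's 'Destination' field (host:port) and validate the port."""
    host, sep, port_text = destination.rpartition(":")
    if not sep or not host:
        raise ValueError(f"destination must look like host:port, got {destination!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"destination port out of range: {port}")
    return host, port


def openssh_forward_command(source_port: int, destination: str,
                            ssh_host: str, ssh_user: str = "") -> List[str]:
    """Build argv from PuTTY's 'Source port', 'Destination' and 'Session' host.

    -L 127.0.0.1:SRC:HOST:PORT  local forward bound to loopback only, so nobody
                                else on the work LAN can reach the router through it
    -N                          no remote shell, just carry the forward
    ExitOnForwardFailure=yes    exit if SRC is already in use instead of silently
                                connecting without the tunnel
    """
    if not 1 <= source_port <= 65535:
        raise ValueError(f"source port out of range: {source_port}")
    dest_host, dest_port = parse_destination(destination)
    target = f"{ssh_user}@{ssh_host}" if ssh_user else ssh_host
    return [
        "ssh", "-N", "-o", "ExitOnForwardFailure=yes",
        "-L", f"127.0.0.1:{source_port}:{dest_host}:{dest_port}",
        target,
    ]


def tunnel_is_up(source_port: int, timeout: float = 5.0) -> bool:
    """Step 7 of the post, done in code: does localhost:<port> answer HTTP?"""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{source_port}/", timeout=timeout) as resp:
            return resp.status > 0
    except urllib.error.HTTPError:
        return True          # e.g. a 401 from the router's login prompt still proves the tunnel
    except (urllib.error.URLError, OSError):
        return False


if __name__ == "__main__":
    argv = openssh_forward_command(8008, "192.168.0.1:80", "home.example.com", "you")
    print("launching:", " ".join(argv))
    tunnel = subprocess.Popen(argv)      # ssh prompts for the password or key passphrase
    try:
        time.sleep(3)
        print("tunnel up" if tunnel_is_up(8008) else "nothing answering on 8008 yet")
        tunnel.wait()                    # keep the forward open until Ctrl-C
    except KeyboardInterrupt:
        tunnel.terminate()
```

Two details worth keeping in mind on the server side: the home SSH box is now the thing exposed to the internet, so key-based logins there matter more than the router page, and sshd's PermitOpen directive can restrict which host:port pairs a forward may reach, so a stolen login cannot be turned into a tunnel to everything on the home LAN.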
15 Sep 2008

Consider Your Hotel Network Hostile

As I'm preparing to take my trip to New York for the OWASP AppSec Conference, I came across a timely article on the risks involved with using a hotel network. The Center for Hospitality Research at Cornell University surveyed 147 hotels and then conducted on-site vulnerability testing at 50 of those hotels. Approximately 20% of those hotels still run basic Ethernet hub-type networks, and almost 93% offer wireless. Only six of the 39 hotels that had WiFi networks were using encryption (see my blog on why are people still using WEP for why this is necessary). What does this mean for you, Joe User? It means that both your personal and company information is at risk any time you connect to those networks. The next time you're surfing the web, start paying attention to all of the non-SSL links (http:// versus https://) that you visit. Then, think about the information that you are passing along to those sites. Are you signing in with a user name and password? Entering credit card information? Whatever it is, you had better make sure that it's something you wouldn't feel bad about if it wound up on a billboard in Times Square, because that's about how risky your transmission could be.

Before you get too concerned, there are a few things you can do to try to prevent this. First, DO NOT visit any links where you transmit information unencrypted. This is just asking for trouble. Because man-in-the-middle attacks on a hostile network can still interfere with your connections, my second suggestion is to use some sort of VPN tunnel. Whether it's a corporate VPN or just a freebie software VPN to your network back home, this lets you encrypt all of your traffic over the untrusted hotel network. Make this your standard operating procedure any time you connect to an untrusted network (not just a hotel) and you should keep your data much safer. Lastly, please be sure to have current firewall and anti-virus software on the computer you are using to connect to the untrusted network. The last thing you want is to get infected by some worm or virus just by plugging in to the network.

One other thing that I think deserves mentioning here is that if you don't absolutely have to use the internet on an untrusted network, then don't. Obviously, there are times when you need access to do work, pay bills, etc., but if you can save those tasks until you reach a more familiar (and hopefully safer) network, that is far and away the best way to keep yourself and your data safe.

23 Jun 2008

Next Generation Firewalls

I went to a Lunch 'n Learn last week sponsored by Palo Alto Networks and Fishnet Security about what Palo Alto calls "next generation firewalls". Palo Alto boasts having Nir Zuk, principal engineer at Check Point and one of the developers of stateful inspection technology, as its founder and CTO. Their product, the PA-4000 Series firewall, takes an application-centric approach to traffic classification, and they claim that this helps it more accurately identify both traditional and emerging applications, which in turn enables true application access control and broad threat prevention. They claim that it is:

  • The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
  • The only firewall to identify, control and inspect SSL encrypted traffic and applications.
  • The only firewall to provide graphical visualization of applications on the network with detailed user, group, and network-level categorization by sessions, bytes, ports, threats and time.
  • The only firewall with real-time (line-rate, low latency) protection against viruses, spyware and application vulnerabilities based on a stream-based threat prevention engine.
  • The only firewall with line-rate, low latency performance for all services, even under load.
  • The only firewall to offer a true in-line transparent deployment option for seamless integration into an existing network infrastructure.

While the presentation itself focused more on analyzing internal users' outbound connections toward the internet, which it seems to do fairly well, it didn't cover external users connecting inbound to web applications and the like, so I started asking questions about the firewall's ability to act as a WAF (Web Application Firewall). I was told that while it will do some things like inspection for XSS and SQL injection, it does not function as a true WAF. I wasn't even expecting that much, so kudos to them.

All in all, I tend to believe the hype that this is the next generation of firewalls, and while Palo Alto is the first player in the field, I'm sure others will soon follow. The firewall is one of the oldest network security devices out there, and Palo Alto has definitely put forth a product that changes the way people will look at them. We think about protecting our networks on an application level and not on a port level, so why should our firewalls do things any differently? That said, with this being such a new technology, I'm skeptical of how it works in the real world and am quite certain that it won't be long before hackers find creative ways in and users find even more creative ways out.
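To make the port-level versus application-level distinction concrete, here is an added toy example written for this page (it is not Palo Alto Networks' code and says nothing about how their engine actually works). It runs a handful of constructed sample flows through two views: what a classic port-based rule assumes is on the wire, and what the first bytes the client sent actually look like. The signatures (SSH banner, TLS ClientHello record header, HTTP request line) are deliberately minimal.

```python
"""Added example (not from the post or from Palo Alto Networks): a toy
application identifier that classifies flows by content instead of by
destination port, next to the port-only view of the same flows.
The sample flows are constructed for this illustration."""

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}

# Constructed sample flows: (destination port, first bytes the client sent).
SAMPLE_FLOWS = [
    (80,   b"GET / HTTP/1.1\r\nHost: router.lan\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
    (443,  b"SSH-2.0-OpenSSH_5.1\r\n"),      # an SSH service reached on the "HTTPS" port
    (8080, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),
]


def port_based_guess(port: int) -> str:
    """What a port/protocol rule assumes is on the wire."""
    return {22: "ssh", 80: "http", 443: "tls"}.get(port, "unknown")


def identify_application(payload: bytes) -> str:
    """Classify by content. Three cheap signatures are enough for the demo."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake), version major 3, handshake type 1 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    request_line = payload.split(b"\r\n", 1)[0].split(b" ")
    if (len(request_line) == 3 and request_line[0] in HTTP_METHODS
            and request_line[2].startswith(b"HTTP/")):
        return "http"
    return "unknown"


def classify_flows(flows):
    """Return (port, port-based guess, content-based id) for every flow."""
    return [(port, port_based_guess(port), identify_application(data)) for port, data in flows]


def disagreements(flows):
    """Flows where the port-based and content-based views differ."""
    return [row for row in classify_flows(flows) if row[1] != row[2]]


def decide(flows, allowed_apps):
    """Application-level policy: allow by what the traffic is, not by where it goes."""
    return [(port, app, "allow" if app in allowed_apps else "deny")
            for port, _guess, app in classify_flows(flows)]


if __name__ == "__main__":
    for port, guess, app in classify_flows(SAMPLE_FLOWS):
        flag = "" if guess == app else "   <-- a port rule misjudges this flow"
        print(f"dst port {port:5d}: port says {guess:8s} content says {app:8s}{flag}")
    for port, app, verdict in decide(SAMPLE_FLOWS, {"http", "tls"}):
        print(f"policy: {app} on port {port} -> {verdict}")
```

Two of the four sample flows are misjudged by the port view alone: the SSH service answering on 443 would sail through an "allow 443" rule, and the HTTP on 8080 would be blocked by a rule that only knows port 80. The toy also shows the limit of content matching on the first bytes: it can tell that a session is TLS, but not what the TLS session carries, which is exactly why the list above calls out inspecting SSL-encrypted traffic as a separate capability.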