MOVEIT: SECURE BY DESIGN BY JONATHAN LAMPE, GCIA, GSNA

Transcription

1 MOVEIT: SECURE BY DESIGN BY JONATHAN LAMPE, GCIA, GSNA The MOVEit DMZ server, MOVEit clients, and FIPS validated MOVEit cryptographic software products by Ipswitch File Transfer have been designed from the beginning to provide secure, end-to-end encrypted exchange and storage of sensitive data in file, message, and Web form posting formats, using a wide variety of popular public standards and protocols. They are not FTP products with grafted-on security features, nor are they proprietary file transfer programs with open standards support added on. The modular design of the MOVEit products and their support for HTTPS-based communications enables them to be deployed in a modern network architecture, without resorting to pass-through proxies, proprietary VPNs, odd firewall rules, or other methods that employ non-standard network entities. Together, the MOVEit products can be used to provide a complete enterprise-level secure data transfer, processing, and storage solution. This paper uses a series of commonly accepted security best practices to help illustrate how MOVEit products are secure by design. These are drawn from the June 2004 Engineering Principles for Information Technology Security report written by the US National Institute of Standards and Technology (NIST). NIST is responsible for developing standards and guidelines that provide adequate information security for US Federal government agencies. As part of this, NIST has developed a series of Federal Information Processing Standards known as FIPS (FIPS 140 covers cryptographic modules, with FIPS being the most recent, and stringent, version of this standard). NIST, together with the Canadian government s Communications Security Establishment, manages the Cryptographic Module Validation Program (CMVP) that tests products for FIPS compliance. NIST s Engineering Principles publication covers cryptography, software engineering and network design, with a focus on achieving defense in depth through the use of system level security principles in the design, development, and operation of IT systems. NIST Special Publication A Engineering Principles for Information Technology Security (A Baseline for Achieving Security) Revision A can be found online at: TREAT SECURITY AS AN INTEGRAL PART OF THE OVERALL SYSTEM DESIGN. When designing the MOVEit products we took a paranoid perspective regarding the Internet and the operating systems and associated programs our products would utilize. To this end we adopted a defense-in-depth architecture. Below are some examples, as implemented in our MOVEit DMZ secure data transfer and storage server software. 1

2 The security of the files handled by MOVEit DMZ does not depend on the security, or lack thereof, of the OS that it runs on. By design MOVEit DMZ is not able to push files, which means it cannot be used to push malware into trusted networks if it is ever compromised. Least privilege authorization is implemented for tight administrative control over what users can and cannot do. MOVEit DMZ s virtual user interface helps implement least privilege by providing tight administrative control over what users can and cannot see, including command options, files, folders, logs, and user information. MOVEit DMZ uses a separate file and folder/directory naming convention than that used by the underlying OS (another benefit of the virtual interface). Exclusive use of FIPS 140 validated encryption for transport and storage. All files received by MOVEit DMZ are stored using its built-in AES encryption, so they cannot be read, and executables cannot be run, by untrusted parties. These examples, and others, are explained in greater detail later in this paper. MOVEit DMZ server provides a secure exchange-point that Web browsers as well as MOVEit and third-party secure file transfer clients can upload to, download from, and store files, messages, and Web form data on. MOVEit DMZ runs on Windows 2003 or 2000 Server on a DMZ segment attached to a network firewall. The product supports HTTPS, FTPS and SFTP based encrypted data transfers, and includes built-in FIPS validated cryptography to provide its unique 256-bit AES encrypted data storage. These capabilities enable MOVEit DMZ to provide secure end-to-end encrypted data transfer, without the need to use third-party encryption programs. ENSURE THAT DEVELOPERS ARE TRAINED IN HOW TO DEVELOP SECURE SOFTWARE. A majority of our MOVEit developers have one or more current security certifications from the respected SANS (SysAdmin, Audit, Network, Security) Institute. SANS ( provides information security training and certification on a global basis and runs the Internet Storm Center, the Internet s early warning system. In addition, the MOVEit products have been built and are maintained by developers with strong technical and security training and experience. All of them hold at least a four year degree in engineering or computer science, and have on average ten years of postcollegiate development experience. Finally, all Ipswitch File Transfer developers and support staff are company employees; none are offshore or contract workers. We build and support all of our own products. ASSUME THAT EXTERNAL SYSTEMS ARE INSECURE. MOVEit DMZ were created to run on Windows servers, so from the beginning we designed MOVEit DMZ so its security was not dependent on that of the underlying OS. To this end we developed (and FIPS validated) our own cryptography platform, as well as our own file transfer plumbing and secure setting storage. By not leaving data in the clear on disk or in memory, and by strongly encrypting data when storing it, MOVEit DMZ is designed to survive an intrusion against the OS. One result is that MOVEit DMZ servers were not affected by the release of CodeRed and related malware. MOVEit Central runs easy-to-setup, scheduled and event-driven automated file transfer tasks that can pull files from source systems, run processes against them, and push them to destination systems. MOVEit Central typically resides within a trusted network and is used to move files between MOVEit DMZ and local systems, and between them and remote systems. It does this using HTTPS, FTPS, SFTP, and S/MIME encrypted transfers, FTP, and SMTP/POP3 transfers, and copying to networks and local file systems. MOVEit Central can optionally process file data, trigger command line utilities, and run programs with COM interfaces and other interpreted scripts such as Perl. MOVEit Central runs as a service on Windows XP, 2003, 2000 and NT 4.0 Server. 2

3 USE BOUNDARY MECHANISMS TO SEPARATE COMPUTING SYSTEMS AND NETWORK INFRASTRUCTURES. The following depicts a common network design that provides this type of separation. External users are not allowed to connect from the Internet to systems on either of the trusted internal networks, and, Internal users on the trusted networks are not allowed to connect to systems across the Internet (except through a Web proxy server). Under this approach, transferring a file across the Internet requires an internal client to push the file to a server on the local DMZ segment and then a separate client (with permission to connect out to the Internet) to pull the file from the server and push it to a remote server where it can then be downloaded into the remote trusted network. With MOVEit products this can be accomplished as follows: On a scheduled, event-driven or ad hoc basis a client (MOVEit Central, MOVEit API, MOVEit Freely, or a Web browser using MOVEit Wizard) would push the file over an HTTPS, FTPS, or SFTP encrypted link to the MOVEit DMZ server on the local DMZ segment. Arrival of the file on MOVEit DMZ would trigger its automatic scheduled or event-driven download by a MOVEit Central client located on the local DMZ segment, which would then push the file to the remote server using SFTP, FTPS or HTTPS. MOVEit DMZ and MOVEit Central provide the option of sending to the sender, the recipient, and/or an administrator about the final status of the transfer. PROTECT INFORMATION WHILE BEING PROCESSED, IN TRANSIT, AND IN STORAGE. Most secure file transfer products focus, almost exclusively, on protecting data in transit. Unfortunately, files are usually much more vulnerable when stored on a publicly accessible secure file transfer server than while in transit, even over the Internet. When a secure transfer client encrypts and sends a file to a secure file transfer server, the server receives, decrypts, and stores the file. If the file was unencrypted at the time it was encrypted for transmission, then that will be stored unencrypted on the server. This means the file can be read by anyone who gains access to the server. 3

4 MOVEit DMZ server eliminates this storage vulnerability by automatically re-encrypting each file it receives, before writing them to disk. This approach also eliminates the need to use PGP or other third-party file encryption programs (and the associated headaches that come with distributing such programs and managing their encryption keys). To secure files in transit, MOVEit DMZ server and the Windows-based MOVEit clients use Microsoft s FIPS validated SSL encryption libraries. To secure files in storage, MOVEit DMZ server uses the 256-bit AES encryption and the SHA-1 libraries in its builtin FIPS validated MOVEit Crypto cryptographic module. To secure files when processing them between transfer and storage encryption, MOVEit DMZ uses the smallest possible buffers in order to prevent the exposure of large chunks of sensitive information in memory. The MOVEit Central client also comes with a built-in copy of MOVEit Crypto, which it uses to protect its configuration information. MOVEit Crypto modules are FIPS validated, Intel-based private key software products for Linux and Windows. Each is a fast, compact, dynamically linked library that provides an API to AES Encryption, SHA-1 Hashing, HMAC-SHA-1 Keyed Hashing and Pseudo-random number generation (as well as to non-fips MD5 Message-Digest Hashing and HMAC-MD5 Keyed Hashing). The MOVEit Crypto products can be licensed on a standalone basis for use by database, application and systems programmers. MOVEit DMZ server and MOVEit Central super-client each use built-in copies of MOVEit Crypto. PROTECT AGAINST ALL LIKELY CLASSES OF ATTACKS; IMPLEMENT LEAST PRIVILEGE. MOVEit systems are designed to protect against Web, FTP, and SSH attacks from Internet users, as well as against MySQL and Windows networking attacks from internal users and rogue administrators on the local console. Careful data scrubbing is a key component in how MOVEit DMZ servers defend themselves against Internet attacks, but the principle of least privilege is equally important to their defense capabilities. Least privilege means giving users the smallest, most restricted set of permissions necessary to accomplish any particular task. At the operating system level, least privilege is enforced by OS security policy and NTFS permissions. Least privilege is controlled at the application level by a tight system of user and group privileges, which are organized into security profiles for easy administration. The following are a just few of many examples of how MOVEit products implement the principle of least privilege. By default, no one can configure or access a MOVEit DMZ server or MOVEit Central super-client except the administrator who just installed it from the console; remote access must be explicitly turned on. By default, MOVEit DMZ users are locked to specific home folders; additional access must be explicitly granted by a MOVEit DMZ administrator (and details of this change are automatically logged). By default, new MOVEit Central operator groups have no permission to edit or run any tasks; this permission must be explicitly granted. MOVEit Wizard is a free ActiveX control that provides Microsoft s Internet Explorer Web browser with a number of useful features, including an easy-to-use GUI interface to select and transfer multiple files and the ability to circumvent Internet Explorer s built-in file size and time-out limitations. MOVEit Wizard also provides the ability to do SHA-1 file integrity checks (an integral part of providing file non-repudiation) as well as automated file compression and the automatic resumption of interrupted file transfers. 4

5 WHERE POSSIBLE, BASE SECURITY ON OPEN STANDARDS FOR PORTABILITY AND INTEROPERABILITY. The following examples demonstrate how the MOVEit products have been built from the beginning based on open standards. MOVEit cryptography uses the AES, SHA-1 and SSL encryption standards. MOVEit file transfer services are built on industry standard HTTP over SSL (HTTPS), FTP over SSL (FTPS) and SSH (SFTP), each of which is governed internationally by various RFC documents. MOVEit DMZ and MOVEit Central both support standard X.509 certificates. MOVEit DMZ s external authentication capabilities are based on standard LDAP, secure LDAP, and RADIUS Server protocols. MOVEit Central supports S/MIME and PGP encryption/decryption. DESIGN SECURITY TO ALLOW FOR REGULAR ADOPTION OF NEW TECHNOLOGY, INCLUDING A SECURE AND LOGICAL TECHNOLOGY UPGRADE PROCESS. New MOVEit product versions are released several times each year. Thanks to strict adherence to source code change management, security patches (though rare) are available almost immediately for new issues. The same MOVEit installation files handle MOVEit installations and upgrades; MOVEit software upgrades typically take less than five minutes. MOVEit EZ is a secure file transfer client that uses firewall-friendly HTTPS to exchange files on a scheduled, automated basis with a MOVE DMZ server. MOVEit EZ can run either as a foreground application in the tray or as a service under Windows. MOVEit EZ provides the ability to do SHA-1 file integrity checks (an integral part of providing file non-repudiation) as well as automated file compression and the automatic resumption of interrupted file transfers. STRIVE FOR OPERATIONAL EASE OF USE. Data can be securely exchanged with MOVEit DMZ servers over encrypted connections using a wide variety of MOVEit and third-party SSL and SSH-based secure FTP clients, as well as with the Internet Explorer, Mozilla, Netscape, Opera, and Safari Web browsers (with or without Java and ActiveX-based MOVEit file transfer Wizards). These provide GUI and command line solutions for manual and automated/scheduled transfers for virtually every computing environment. In addition to encrypted transfers, all MOVEit clients provide the following automated capabilities when used with MOVEit DMZ servers. SHA-1 file integrity checking (part of providing file non-repudiation) File Compression (which can provide faster transfers) Resumption of interrupted transfers (saves time when sending large files) MOVEit DMZ server and the MOVEit Central client each have interactive and programmatic management interfaces. These provide real-time configuration and monitoring. These interfaces can be accessed remotely, but only over an SSL encrypted connection and only with proper authentication and authorization. MOVEit DMZ and MOVEit Central and the other MOVEit clients are designed to provide licensees with the operational flexibility they need to securely exchange sensitive data, especially in situations where: Licensees are not in a position to dictate networking standards to their business partners, and, Their partners are standardized one any of the wide variety of popular, open transfer protocols, and clients supported by MOVEit DMZ and MOVEit Central. 5

6 MOVEit API Java client uses the MOVE DMZ server s XML API interface to provide secure, firewall-friendly HTTPS-based programmatic access to create, manage, transfer and delete files, folders, users, and permissions. MOVEit API Java is used on mainframe, Solaris, Linux and other systems. It comes with a free, precompiled, command-line FTP client interface that enables it to be driven by mainframe JCL or Unix/Linux shell script, as well as by local OS schedulers such as Cron. MOVEit API Java provides automated SHA-1 file integrity checking, file compression as well as the ability to resume interrupted file transfers. IMPLEMENT LAYERED SECURITY. MOVEit systems thrive in a modern layered security environment. Multiple firewalls, segmented network segments, and proxy servers are expected and encouraged. MOVEit supports and provides an installation template for a hardened operating system. However, rather than trusting in the security of the underlying OS, MOVEit relies on its own privilege system and FIPS validated cryptography to protect files and settings from unauthorized view and use. This means that, even if a hacker gains Windows Administrative privileges, they cannot reset MOVEit DMZ user passwords because the MOVEit DMZ userbase is its own separate system. This also means that, even if a hacker can buffer overflow or otherwise hack into the MOVEit DMZ application, they still need to come up with the right encryption keys to get access to MOVEit DMZ data. And this is not easy because every file on a MOVEit DMZ server is encrypted with its own key, those keys are encrypted, and no blanket permissions are awarded to Windows users. In addition, MOVEit DMZ s virtual file system obscures the identity of the underlying file structure. Some examples of this are its substitution of random IDs in place of file names, and its use of random folder IDs in place of actual folder names. DESIGN AND IMPLEMENT AUDIT MECHANISMS TO DETECT UNAUTHORIZED USE AND TO SUPPORT INCIDENT INVESTIGATIONS. MOVEit DMZ server and MOVEit Central client actively record file transfers, user and folder maintenance, setting changes, sign-ons, secure message posts and other actions. Interesting events (such as username locked out for too many password attempts) can trigger notices to authorized parties. Rather than write out log entries to long text files, MOVEit DMZ and MOVEit Central audit records are written to an easy-to-access ODBC database. Online audit record screening is built into MOVEit DMZ and MOVEit Central. Offline audit reports can easily be built using any number of scheduling tools, including MOVEit Central. Audit records can also be archived for permanent off-server storage. MOVEit API Windows client uses the MOVE DMZ server s XML API interface to provide secure, HTTPS-based programmatic access to create, manage, transfer and delete files, folders, users, and permissions. MOVEit API Windows is a COM component and published specification designed for use by Windows developers. It comes with a free, precompiled, command-line FTP client interface that enables it to be driven by scripts and batch files, as well as by Windows Scheduled Tasks. MOVEit API Windows provides automated SHA-1 file integrity checking, file compression, as well as the ability to resume interrupted file transfers. 6

7 IDENTIFY AND PREVENT COMMON ERRORS AND VULNERABILITIES. Most of the vulnerabilities in Internet-facing software are a result of poor input handling. Examples include buffer overruns common in many C++ programs and SQL smash problems that afflict many database applications. To avoid such problems, MOVEit DMZ scrubs incoming information and formats it in such a way that the data can safely pass between the various MOVEit components. To help thwart potential attackers the MOVEit products avoid providing hinting information such as version numbers and internal code. For example, MOVEit DMZ s product name and version number are not revealed to unauthorized users via the FTPS (SSL) or SFTP (SSH) interfaces, and MOVEit DMZ can be configured to hide this information from users of its Web interface. This makes it more difficult for intruders to figure out what they are attacking (and thus how best to attack it). While it does not directly rely on the underlying Windows operating system, MOVEit DMZ does attempt to protect the OS. For example, the MOVEit DMZ installation instructions work with and recommend the use of automated OS security tools such as: URLScan IIS Lockdown Tool Windows Security Policies IPSec Windows Automatic Update MOVEit DMZ documentation includes sample configurations for most of these tools. The product also comes with its own SecAux tool that automatically locks down over a hundred additional Windows settings (for example: permission to use the command-line utility, based on operational preferences). MOVEit Freely is a free command-line FTP and FTP over SSL (FTPS) Windows client that can exchange files with servers that support those methods, including MOVE DMZ. MOVEit Freely provides automated SHA-1 file integrity checking, automatic file compression, as well as the ability to automatically resume interrupted file transfers. For additional information, please contact the Ipswitch File Transfer division at Ipswitch 10 Maguire Road Lexington, MA MOVEit: (608) moveitinfo@ipswitch.com Copyright 2008, Ipswitch, Inc. All rights reserved. WS_FTP and MOVEit are registered trademarks of Ipswitch File Transfer Other products or company names are or may be trademarks or registered trademarks and are the property of their respective holders. 7