Monday, 24 September 2018

Securing Network Traffic With SSH Tunnels

Introduction to SSH Tunnels

Secure Shell, or SSH, is used to create a secure channel between a local and remote computer. While SSH is commonly used for secure terminal access and file transfers, it can also be used to create a secure tunnel between computers for forwarding other network connections that are not normally encrypted. SSH tunnels are also useful for allowing outside access to internal network resources.
To create an SSH tunnel, you need:
  • Target server offering network services (http, vnc, etc.) to the client
  • SSH server listening for connections from the client
  • SSH client configured to forward traffic from a local listening port, through the SSH server, to the target server
The SSH server may be running on the same machine as the target server, or on a different machine. Network communications between the SSH server and the target server are NOT encrypted by the SSH tunnel (see diagram below), so if the two run on different machines, they should sit together on a trusted network segment; the tunnel only protects the hop between the client and the SSH server.
SSH Tunnel Diagram
Configuring an SSH server is beyond the scope of this article, but popular options include OpenSSH for Unix-based systems and Bitvise SSH Server for Windows. The SSH server must be able to reach the listening port on the target server. Common SSH clients include OpenSSH and PuTTY for Windows.

Scenario - Connecting to an insecure service

In this scenario, a client wishes to connect to a service that does not natively use encryption, but does not want the traffic to be sent unencrypted through the Internet. The environment for this scenario:
  • Target server: VNC service is listening on port 5900 at IP address 1.2.3.4
  • SSH server: SSH service is listening on port 22 at IP address 1.2.3.5
  • Client machine: SSH and VNC clients installed

Creating the SSH tunnel using PuTTY:

  1. Open the PuTTY client user interface
  2. In the Session window, under "Basic options for your PuTTY session", enter the IP address and listening port for the SSH server:
    PuTTY SSH client
  3. In the left pane, select Connection -> SSH -> Tunnels
  4. Under "Options controlling SSH port forwarding", enter the following settings (see screen shot):
    • Source port: Pick an arbitrary port not in use on your client, the example uses 15900.
    • Destination: IP address and listening port for the target server, 1.2.3.4:5900
    • Leave "Local" and "Auto" radio buttons selected
  5. Click "Add" to save these settings
  6. Click "Open" to create the SSH tunnel. Enter your username and password for the SSH server when prompted.
PuTTY SSH client

Creating the SSH tunnel using OpenSSH:

The following command creates the same tunnel with the OpenSSH client:
ssh -N -L 15900:1.2.3.4:5900 1.2.3.5
The -L option, 15900:1.2.3.4:5900, forwards the local port 15900, through the SSH server, to port 5900 on the target server 1.2.3.4. The local port can be any unused port on the client. -N tells ssh not to run a remote command, so the session exists only to carry the forwarded connection; without it you also get an interactive shell on 1.2.3.5. By default the local listener binds to the loopback address only, so other hosts on your network cannot reach the unencrypted service through your tunnel; do not add -g or a 0.0.0.0: bind address unless that is what you intend. Enter your SSH username and password when prompted, unless you have configured the SSH server for public key authentication.
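The PuTTY and OpenSSH steps above can be captured once in an ssh_config Host entry, so the tunnel is reproducible and the local end is pinned to loopback explicitly rather than by default. This is an added example, not configuration from the original article; the alias vnc-tunnel and the user name alice are assumptions, while the addresses and ports are those of the scenario.

```ssh_config
# ~/.ssh/config (added example; "vnc-tunnel" and "alice" are assumed names)
Host vnc-tunnel
    # The SSH server from the scenario
    HostName 1.2.3.5
    Port 22
    User alice
    # Listen on 127.0.0.1:15900 and forward, via the SSH server, to 1.2.3.4:5900.
    # The bind address is given explicitly: do not use 0.0.0.0 or GatewayPorts yes
    # here, or the unencrypted VNC service becomes reachable from the client's LAN.
    LocalForward 127.0.0.1:15900 1.2.3.4:5900
    # Abort instead of silently continuing if 15900 is already in use locally.
    ExitOnForwardFailure yes
    # Keep an idle tunnel from being dropped by NAT devices and firewalls.
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

With this in place, `ssh -N vnc-tunnel` brings the tunnel up and the VNC client is pointed at 127.0.0.1:15900 as in the next section. On OpenSSH 8.7 or later, adding `SessionType none` to the Host block makes the -N unnecessary.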

Connecting to the service through the tunnel:

To reach the service on the target server, point your VNC client at your own machine: use the loopback address 127.0.0.1 and the local listening port defined in the tunnel configuration, 127.0.0.1:15900 in this example (see screen shot). The connection is carried through the SSH tunnel to the target server.
VNC

Alternative -- use a client that natively supports SSH tunnels:

Some clients for unencrypted network services, such as FTP and VNC, support SSH tunnels natively. In that case there is no need to create the tunnel separately with an SSH client such as OpenSSH or PuTTY: enter the SSH server information directly into the client. This screen shot shows the TightVNC client:
TightVNC
While the example above demonstrates SSH tunnels for VNC, a popular service often deployed without encryption, the same settings work for other network services when replacing them with an alternative that supports encryption natively is not an option.

SQL Injection vulnerability email notification from security@berkeley.edu

Security Contacts that receive a SQL Injection vulnerability notice are responsible for identifying and notifying any stakeholders about the SQL Injection attack including functional owners, developers, system administrators, and database administrators in order to determine the vulnerable and potentially compromised resources.
Immediate action must be taken to address any confirmed SQL Injection flaws discovered:
  • Once a person responsible for coordinating remediation is identified, please respond to the notice so that Information Security and Policy can work directly with the coordinator to ensure full remediation
  • Coordinate an investigation of potentially vulnerable web pages and resources amongst developers or other stakeholders
  • A review of web, application, and database logs may reveal the point of vulnerability and source of attacks
  • Develop a plan to remediate any confirmed SQL Injection flaws and prevent future attacks
Additionally, if your system stores, processes, or transmits sensitive data such as Protection Level 1 or Protection Level 2 data as described in the Berkeley Data Classification Standard, you should immediately reply to the security notice (to security@berkeley.edu) and notify the Information Security and Policy office.

How to protect a web site or application from SQL Injection attacks

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database.
This can be accomplished in a variety of programming languages including Java, .NET, PHP, and more.
Please consult the following resources for implementing parameterized database queries and preventing SQL Injection in your code base:
Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:
  1. Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
  2. Apply the principle of least privilege when provisioning accounts used to connect to the SQL database. For example, if a web site only needs to retrieve content from a database using SELECT statements, do not give its database connection credentials other privileges such as INSERT, UPDATE, or DELETE. In many cases these privileges can be managed with database roles. Never allow your web application to connect to the database with administrator privileges (the "sa" account on Microsoft SQL Server, for instance).
  3. Do not share database accounts between different web sites or applications.
  4. Validate user-supplied input for expected data types, including input fields like drop-down menus or radio buttons, not just fields that allow users to type in input.
  5. Configure proper error reporting and handling on the web server and in the code so that database error messages are never sent to the client web browser. Attackers can leverage technical details in verbose error messages to adjust their queries for successful exploitation.
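The list above names the controls; the following added example (not code from this notice) shows the core ones in Python with the standard-library sqlite3 module, standing in for the Java, .NET and PHP data-access APIs the notice refers to: a query built by string concatenation, its parameterized replacement, type validation of a form value before it reaches the database, and error handling that keeps database errors out of the response. The users table, its rows and the attack payloads are constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("webapp")


def make_db():
    """Constructed in-memory sample database (example data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The flaw: untrusted input is spliced into the statement text, so quotes
    and SQL keywords in the input become part of the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a bound parameter. The value travels separately from the
    statement and can never alter the query's structure."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_by_id(conn, raw_id):
    """Item 4: enforce the expected type before the value reaches the database,
    even for fields the browser normally fills in (drop-downs, hidden inputs)."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT username, email FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


def handle_request(conn, raw_id):
    """Item 5: the client gets a generic status and message; the database
    error text goes only to the server-side log."""
    try:
        rows = lookup_by_id(conn, raw_id)
    except ValueError:
        return 400, "invalid request"
    except sqlite3.Error as exc:
        log.error("database error: %s", exc)
        return 500, "internal error"
    return 200, rows


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    # Classic tautology: the vulnerable function returns every row.
    print("vulnerable:    ", lookup_vulnerable(db, tautology))
    # The same payload is just a literal user name to the parameterized query.
    print("parameterized: ", lookup_parameterized(db, tautology))
    # UNION payload dumps the schema through the vulnerable function.
    print("schema leak:   ",
          lookup_vulnerable(db, "x' UNION SELECT name, sql FROM sqlite_master--"))
    # Type validation rejects a tampered numeric field before any SQL runs.
    print("tampered id:   ", handle_request(db, "1 OR 1=1"))
```

Run it as a script to see the three outcomes side by side. The parameterized and validated paths are the ones to keep; `lookup_vulnerable` exists only to show what the concatenated form gives an attacker, including a full schema dump through the UNION payload.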

SQL Database Data Types

DATA TYPES represent the kind of data an object holds. Data types are defined for the columns of a table, for local and global variables, for the input and output arguments of procedures, and so on.
Each database system (MS SQL Server, MySQL, DB2, Oracle, etc.) has its own long list of data types, but several are common to most of them. This article lists the common data types across database systems.

String Data Type

char(x): This type is space-padded to fill the number of characters specified. Here x is the number of characters to store.
varchar(x): The name comes from "varying characters". This type does not pad with unnecessary spaces. Here x is the maximum number of characters to store.
text: This type is used to store long textual information.

Date Time Data Type

datetime: This type stores complete date and time information. In SQL Server the supported range is 01/01/1753 to 12/31/9999 and a value occupies 8 bytes of storage. Some database systems call this type timestamp.
date: This type stores only the date portion.
time: This type stores only the time portion.

Numeric Data Type

Some numeric data types have the syntax data_type(x), where x is the precision.
SQL Database Numeric Data Types

SQL Server Services and Tools

  Microsoft provides both data management and business intelligence (BI) tools and services together with SQL Server. For data management, S...