Network security

This forum is for discussions regarding System Infrastructure and Related Equipment. This includes but is not limited to repeaters, base stations, consoles, voters, Voice over IP, system design and implementation, and other related topics.

Moderator: Queue Moderator

Bill_G
Posts: 3087
Joined: Thu Sep 17, 2009 5:00 am

Network security

Post by Bill_G »

As the industry progresses into IP products that use the public internet to transport voice and control traffic, radio techs will find themselves becoming IT techs more and more. And that means having to learn about network security to prevent outside interests from drilling into the system. An ounce of prevention is better than a pound of cure is the phrase of the day.

Do not create, and do delete, default user accounts named admin or administrator. Come up with an administrator level account name that you can remember but that nobody else might use like Bill_G_Top_Dude_Rodeo_Clown. That's your highest level access, it's easy enough to remember and type in, and the probability of someone figuring it out is pretty small.

Come up with a sophisticated and complex password. B177_g_t09_dud3_r0d30_c70wn ain't bad. Make a password strategy and stick to it so you can remember it when you don't have your laptop with the login scripts, and you forgot the printed system manual back at the shop.

Turn off all services on the untrusted side of your firewall including ICMP. No http, no telnet, no ssh, no ping. Be dark so that the port probe bots never find you. If possible, reassign one of these services to a non-standard port so you can remote access. Or do all your work via L2TP into a dedicated firewall appliance.
bezking
Posts: 287
Joined: Sat Jun 23, 2007 4:26 pm
What radios do you own?: /\/\

Re: Network security

Post by bezking »

That's all good stuff Bill. Some other things:

* Disable "guest" or public-access accounts on all systems unless they are specifically required.
* Restrict non-technical users' ability to install software onto company computers. A trojan on one machine can quickly spread to other parts of the network. (can you even imagine if you have to explain why you needed to clean Blaster off of a dispatch console?)
* If you are a network administrator, do not use your administrator account for anything except tasks which require it. Do your day-to-day stuff with a standard account and only sign in as an admin as needed.
* Secure your Wi-Fi networks with at least WPA2, preferably RADIUS. Though it's even more preferable to not have any Wi-Fi access to a network that transfers critical communications traffic.

Building on what Bill said, in an ideal world, nothing should be discoverable or accessible from the outside. Use end-to-end VPN with strong encryption for anything you do need to see from other sites and you should be relatively safe.

If managing any Windows network, Group Policy in concert with Active Directory is your friend. Learn how to use it, how it works, and what the various policies do.
The bandsplit is only a suggestion.

RFguy
Posts: 1357
Joined: Wed Dec 21, 2005 6:17 am

Re: Network security

Post by RFguy »

Heck, I thought system security meant a high quality deadbolt lock and a high fence with barbed wire.

I guess times are a changin'
wavetar
Administrator
Posts: 7341
Joined: Sun Sep 09, 2001 4:00 pm

Re: Network security

Post by wavetar »

I agree, we're becoming more & more I.T. based all the time. In fact, I've recently moved into a different job position, and for my 'replacement', we're looking for a lot more 'official' I.T. background vs RF than I had.

Network security is big business & difficult to lock down completely...even with my relatively rudimentary I.T. skills, with easily available tools like HIREN's Boot CD, Wireshark & the ability to change MAC addresses on a $40 router, few networks are actually 'safe'.
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
3-of-2-unimatrix-1
Posts: 15
Joined: Thu Nov 28, 2002 4:48 am

Re: Network security

Post by 3-of-2-unimatrix-1 »

"Network security is big business".

Yes, that sums it up quite nicely.

Never mind the fact that:

(a). The typical Motorola 7.x system employs a PRIVATE closed backhaul network
(NOT the "public" internet).

(b). The core software communicates in a proprietary protocol.

What is the "worst case" scenario of a "network" breach ? Seems it's no worse than
the 'old days', of someone cutting a tone control audio pair (done by sloppy telco
guys many times!).

Yup, let's sell firewalls, encryption, issue dozens of passwords, and villainize
some imaginary "evil hacker". All in the name of bamboozling some clueless city
council by putting them into "CYA" panic mode (if you don't do this and this and
this - and pay us a few million bucks for it, some bad guy will crash your brand
new radio system !). In another realm, I'd call this a "protection" racket.

Not one person has been able to refute the ultimate end game, worst case
scenario. Site or console goes down. BFD man. It's happened when someone
cuts fiber, or unplugs a T1. Any "bad guy" who wants to crash a system will
do that first, rather than "hack" a router (and do what ? access a stream of
proprietary op codes ?)... puhleeeze... the simple path is usually the most effective.

Heck, go to the site, and cut the coax to the antenna.

But "network security" is big business. Scare the customer, scare the attorneys,
get that sale (even though the odds of the threat may not even exist).
MassFD
Batboard $upporter
Posts: 291
Joined: Tue Jul 01, 2003 6:22 pm

Re: Network security

Post by MassFD »

I do not think anyone here is talking about system backhauls on Motorola networks that never leave the Headend or Dispatch point.

They are talking about the Console end that may be on workstations that are on the local LAN and have connection to the internet. Various other devices and many manufacturers have devices that are on a local LAN. We had a vendor come in and tell us "just buy a PC from Staples and one of these boxes and you can dispatch for everyone in the county"

Sounds Safe but is riddled with security problems, I cannot believe any other dept in my county bought into this "Net" but they have.

I think the theme here is be network safe and know how you can be hacked, not to cause the agencies to spend millions to cure the problems.

Better protect that coax
Cause Motorola said so that's why
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Network security

Post by tvsjr »

Wow. I really hope you're not a system admin. Either way, allow me to strike you with the clue-bat.
3-of-2-unimatrix-1 wrote:"Network security is big business".

Yes, that sums it up quite nicely.

Never mind the fact that:

(a). The typical Motorola 7.x system employs a PRIVATE closed backhaul network
(NOT the "public" internet).
Really? So you're saying *every* (not just typical) Moto 7.x system is completely air-gapped from the public Internet? No VPN connections, no dual-interface machines, NOTHING? Funny, I know that one to be absolutely incorrect.

Ahoy, the cluebat!
http://en.wikipedia.org/wiki/Bradley_Manning
Manning had access to SIPRnet - the government takes the security of such networks so seriously that even allowing a network cable to transit within a certain number of *feet* of a non-classified network is a critical breach. He still managed to download hundreds of thousands of documents and leak them to the public. Network security doesn't just mean keeping the evil-bad external hackers out.

http://en.wikipedia.org/wiki/Stuxnet
Stuxnet was purposely targeted at a closed, air-gapped network. It was still a very successful threat.
3-of-2-unimatrix-1 wrote:(b). The core software communicates in a proprietary protocol.
So? Microsoft SMB was proprietary before the Samba team black-box reverse engineered it. Ditto the PC BIOS. Motorola's control channel was proprietary until Trunker came out. EDACS even used "encryption" (very lame encryption) in the form of ESK - it's easily decoded. Do you really think someone with enough determination couldn't decipher the data stream?
3-of-2-unimatrix-1 wrote:What is the "worst case" scenario of a "network" breach ? Seems it's no worse than
the 'old days', of someone cutting a tone control audio pair (done by sloppy telco
guys many times!).
In the old days, malware was typically about rendering a box inoperable. Haha, I pwned j00r b0x! These days, it's quite a different story. Good malware is very quiet, very slow-moving, and very hard to detect, typically employing multiple layers of protection to out-wit the various malware detection tools. It's not about pwning t3h b0x! any more... it's about interception of data, minor manipulation of data, extortion, etc. This isn't a few l33t scr1pt k1dd13s trying to piss people off... this is a business. Organized crime, state-sponsored espionage, etc. Go read some of the data leaked from HBGary by Anonymous.

Until you understand the reasons for the existence and proliferation of malware, you'll never understand the need for network security. In short - the threats are real, and they are becoming even more real with every passing day. Look at the unprecedented amount of interaction between the NSA and, well, really anyone outside their world... creating SELinux, promoting Defense in Depth and other strategies for threat mitigation, etc.
Bill_G
Posts: 3087
Joined: Thu Sep 17, 2009 5:00 am

Re: Network security

Post by Bill_G »

Ha! Somebody woke up cranky this morning! As MassFD correctly pointed out, I was talking about systems that face the public internet, and there are a growing number of them. DSL is very cost effective, and with so much new digital product coming out, it is natural to backhaul the remote sites via the internet rather than invest in point to point microwave. Similarly, it is also natural to use the customer's enterprise that they have already invested in rather than build out a private segment. This means that radio techs must gain some expertise in layer three configuration and the inherent security issues that come with the internet.

Our company has crossed the 100 mark of large systems with more than 100 users that utilize the internet for transport between geographical locations. Some of these systems are spread around the world. From power generation to warehousing, from manufacturing to corporate security, from transportation to healthcare to private fire fighting, despite the popularity of the cellphone, the requirement for ability to talk from one to many still exists. And internet technology has made that possible. You become the telephone company. You determine the routes. You determine which wide area sites connect to which dispatch, and who has access to which resources.

Radio work has always involved being a bit of a Jack-of-all-trades. That hasn't changed. There is a new trade we must master.
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Network security

Post by tvsjr »

Bill_G wrote:Ha! Somebody woke up cranky this morning!
Not really... I get cranky when I'm told my profession is a trumped up version of the mob's "protection plan" 8)
3-of-2-unimatrix-1
Posts: 15
Joined: Thu Nov 28, 2002 4:48 am

Re: Network security

Post by 3-of-2-unimatrix-1 »

tvsjr wrote:
Bill_G wrote:Ha! Somebody woke up cranky this morning!
Not really... I get cranky when I'm told my profession is a trumped up version of the mob's "protection plan" 8)

It pretty much is, (and I have, the - in my opinion - overrated, CISSP certificate, eh like big deal, pay
some industry "family" big bucks to buy their material, pay for the exam, and you're now "made" and
can extort, I mean, get "respect" when asking for $$$ from customers or employers).

All the examples you speak of, are irrelevant to the threat against an LMR system. It is a RADIO system
FIRST and foremost, not a bank data processing facility ! Say it, L-M-R ... RADIO ..

Not saying security is unnecessary. However there is a point of diminishing returns (particularly on a
closed network). For instance, SNMPv3 between routers. Is that really necessary on a closed network?
Someone forgot the passphrase, uh oh, we're now down hard for hours trying to find it. Whereas before,
it was just a simple box swap, and site would be up in no time. The original failure ? crypto module.
Yep, I guess 'securing' that closed link between a secure facility and a secure site was very critical. Never
mind the fact, it was carrying AES encrypted radio traffic to begin with. Can't be too careful nowadays
can we ? Bottom line, site failure due to "security" hardware failure, that wasn't even necessary, given
the actual (non existent) "threat" to those links.

Comments from anyone whose business is predicated on pushing "network security" are, by definition - biased.

By the way, some of us are DEFCON and Blackhat attendees from the old days on the strip (when hotels would
throw us out each year). So we're quite familiar with zero days, etc. (ie. not impressed with your lecture on
"evil hackers").

Again, these are LMR systems - not a HIPAA applicable data processing network.

My comments are directed at CLOSED (ie. private 10.x.x.x IP) - LMR - RADIO - networks.
Bill_G
Posts: 3087
Joined: Thu Sep 17, 2009 5:00 am

Re: Network security

Post by Bill_G »

tvsjr wrote:
Bill_G wrote:Ha! Somebody woke up cranky this morning!
Not really... I get cranky when I'm told my profession is a trumped up version of the mob's "protection plan" 8)
Sorry. I was referring to 3-2-1. You were fine, and did a good job explaining the necessity.
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Network security

Post by tvsjr »

3-of-2-unimatrix-1 wrote:My comments are directed at CLOSED (ie. private 10.x.x.x IP) - LMR - RADIO - networks.
So, it's your contention that we should simply not connect the LMR - RADIO - network to the public Internet, and all will be OK? Even if a site or system goes down (and, again, it's not about denial of service these days), no problem?

Again - I really hope you aren't a sys-admin. If you are, please let me know where so I can make sure I don't live there.
MassFD
Batboard $upporter
Posts: 291
Joined: Tue Jul 01, 2003 6:22 pm

Re: Network security

Post by MassFD »

For years we have been refining our systems with things like lightning protection, redundant power supplies etc.

As the systems developed they are now doing much more than the old 2 wire tone remote ever did and we as techs have now had to change our focus from explaining to telco what is wrong with the line they just said "Tests OK" to understanding and protecting I.P. networks.

Is 2 of 3 suggesting that everything should just stop, we should stay analog? God that conversion to 25 kHz in the 60s was a pain now they want 12.5 or less.

Public safety systems demand a lot from us and we have to deliver 24-7, would 2 of 3 accept that his cell phone did not work because the provider's network was hacked? I do not think so. Public safety demands much more and we have to do whatever we can to provide reliable systems.
Cause Motorola said so that's why
Bill_G
Posts: 3087
Joined: Thu Sep 17, 2009 5:00 am

Re: Network security

Post by Bill_G »

3-of-2-unimatrix-1 wrote:All the examples you speak of, are irrelevant to the threat against an LMR system. It is a RADIO system FIRST and foremost, not a bank data processing facility ! Say it, L-M-R ... RADIO ..
The reason I brought the subject up is because that week my email got flooded with notifications from dozens of firewalls of multiple login failures from proxies originating in Korea and China. The speed and number of the attempts indicate a script or bot sniffing ports. If they had been successful, I doubt they knew what they were attempting to break into since, as you point out, it is just a radio system. The real problem was the open networks in these two nations that allowed someone to use them to launch their "attack". On my side, the worst that could have happened would have been elevated frame loss causing "bubble" in a conversation. As it was, the sites were not in use at the time, and nobody noticed.

In total, six networks were used to probe our ports to find a way in over five days despite my attempts to run deep and dark. OTOH, my password strategy worked. That was the intent of this thread - to pass on that even LMR systems are subject to "attack" and we, as plain old radio techs, need to prepare for it. People shoot at the antennas and microwave dishes on our towers too. They shoot the locks off our gates. They have rounds that penetrate poured concrete. Now, not only do I have the occasional crazy with military grade weapons out in the woods, I have people someplace somewhere firing off their keyboards trying to snoop around. It makes the job interesting.

I dutifully notified my superiors and my customer of the event, who in turn notified the proper people with the proper acronyms, and I got an atta boy for being pro-active and far thinking. Customers love it when you look out for their interests, and they show their appreciation with return business.
Bill_G
Posts: 3087
Joined: Thu Sep 17, 2009 5:00 am

Re: Network security

Post by Bill_G »

MassFD wrote:For years we have been refining our systems with things like lightning protection, redundant power supplies etc.

As the systems developed they are now doing much more than the old 2 wire tone remote ever did and we as techs have now had to change our focus from explaining to telco what is wrong with the line they just said "Tests OK" to understanding and protecting I.P. networks.

Is 2 of 3 suggesting that everything should just stop, we should stay analog? God that conversion to 25 kHz in the 60s was a pain now they want 12.5 or less.

Public safety systems demand a lot from us and we have to deliver 24-7, would 2 of 3 accept that his cell phone did not work because the provider's network was hacked? I do not think so. Public safety demands much more and we have to do whatever we can to provide reliable systems.
Compound the problem with budgetary constraints coupled with the necessity to keep up with current technology, and every opportunity to cut costs becomes an imperative. By using a combination of closed systems where possible, and the internet where necessary, we can complete coverage over a wide area without making elected officials wonder where they will get the funding.
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Network security

Post by tvsjr »

Bill_G wrote:The reason I brought the subject up is because that week my email got flooded with notifications from dozens of firewalls of multiple login failures from proxies originating in Korea and China. The speed and number of the attempts indicate a script or bot sniffing ports. If they had been successful, I doubt they knew what they were attempting to break into since, as you point out, it is just a radio system. The real problem was the open networks in these two nations that allowed someone to use them to launch their "attack". On my side, the worst that could have happened would have been elevated frame loss causing "bubble" in a conversation. As it was, the sites were not in use at the time, and nobody noticed.
I'd love to hear more details, via PM if you'd prefer.

There are quite a lot of automated detection scripts that seem to originate from eastern Europe and APAC... some simple "security by obscurity", like changing what ports you listen on, can keep you off their radar. This does nothing in the way of preventing a determined hacker, of course.

I have sites at tier-1 colo facilities that routinely see a megabit sustained in continuous "discovery" probes - all of which gets dropped straight to the bit bucket. Some active security - give them a little honeypot, then shun them in the firewall - can be interesting as well.

If you don't have any APAC customers, consider adding a deny */* rule for all traffic originating from the APNIC-assigned /8 networks. It's not perfect, but again, it can keep you a bit lower profile.
Bill_G
Posts: 3087
Joined: Thu Sep 17, 2009 5:00 am

Re: Network security

Post by Bill_G »

They were attempting to telnet in as admin incrementing port numbers on each try. Started low and worked high well up into the :65000 range dwelling on each one long enough to make four attempts. Of course, the attempts failed, but then the firewall blasts out emails to me. Thousands of them. Simultaneously from several sites. It was a mess to clean out my inbox. I sent copies of the logs to the customer and our IT guru who are much more acquainted with this than I am. It happened over and over again for several days, and then stopped. They reviewed my work, bumped up the level of encryption, and gave me kudos. But, I got lucky. I am a novice at this kind of thing.
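
The probing Bill_G describes above (telnet as admin, port numbers climbing, four attempts per port, one firewall e-mail per failure) and tvsjr's earlier suggestion to shun probing sources both come down to grouping failures by source. The following Python sketch is an added example, not part of any post in this thread; the log format, site names, addresses and function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not any vendor's real syslog layout).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<site>\S+) LOGIN_FAIL proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) dport=(?P<dport>\d+) user=(?P<user>\S+)$"
)
DEFAULT_USERS = {"admin", "administrator", "guest"}  # names the thread says to avoid

def make_sample_log():
    """Constructed data: one source walks ports upward (4 tries each) at two sites."""
    lines, t = [], 0
    for site in ("fw-site1", "fw-site2"):
        for port in range(23, 29):
            for _ in range(4):
                lines.append(f"2011-01-10T02:00:{t:02d}Z {site} LOGIN_FAIL "
                             f"proto=telnet src=203.0.113.7 dport={port} user=admin")
                t += 1
    lines.append("2011-01-10T09:15:00Z fw-site1 LOGIN_FAIL "
                 "proto=ssh src=198.51.100.20 dport=2222 user=radiotech")
    lines.append("truncated line that does not parse")
    return lines

def port_walk(ports):
    """Collapse repeated tries on one port: [23, 23, 24, 24] -> [23, 24]."""
    walk = []
    for p in ports:
        if not walk or walk[-1] != p:
            walk.append(p)
    return walk

def analyze(lines, min_ports=5):
    """Group failures by source; flag steadily climbing ports. Lines must be in time order."""
    seen = defaultdict(lambda: {"attempts": 0, "users": set(),
                                "ports": defaultdict(list)})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparseable lines instead of dropping them silently
            continue
        rec = seen[m["src"]]
        rec["attempts"] += 1
        rec["users"].add(m["user"].lower())
        rec["ports"][m["site"]].append(int(m["dport"]))
    sources = {}
    for src, rec in seen.items():
        walks = [port_walk(p) for p in rec["ports"].values()]
        sweep = any(len(w) >= min_ports and all(a < b for a, b in zip(w, w[1:]))
                    for w in walks)
        sources[src] = {
            "attempts": rec["attempts"], "sites": len(rec["ports"]),
            "ports_tried": len({p for w in walks for p in w}),
            "default_user": bool(rec["users"] & DEFAULT_USERS), "sweep": sweep}
    shun = sorted(s for s, r in sources.items() if r["sweep"])
    return {"sources": sources, "shun": shun, "skipped": skipped}

def digest(result):
    """One summary message in place of one e-mail per failed login."""
    out = [f"{len(result['sources'])} source(s), {result['skipped']} unparsed line(s)"]
    for src, r in sorted(result["sources"].items()):
        tag = "PORT SWEEP" if r["sweep"] else "isolated"
        out.append(f"{src}: {r['attempts']} failures, {r['ports_tried']} ports, "
                   f"{r['sites']} site(s), {tag}")
    return "\n".join(out)

if __name__ == "__main__":
    print(digest(analyze(make_sample_log())))
```

The `shun` list holds only sources that showed a climbing port walk, so a technician's single mistyped login is reported but not blocked.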
tirish101
New User
Posts: 9
Joined: Mon May 18, 2009 3:11 pm

Re: Network security

Post by tirish101 »

"Just an LMR system"

Just an LMR system that law enforcement officers rely on to keep them safe on a daily basis.

For example: The Federally run IWN system in the Seattle area uses the public internet network to send traffic to and from the master site. The FBI, the IRS, the ATF, the Coast Guard, and several other local and federal agencies share this radio system. Are you suggesting they don't need to protect their system from hackers trying to listen in on radio conversations, just because it's "Only a radio system"? The threat isn't taking the whole system down, the real threat is someone hearing something they shouldn't.
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Network security

Post by tvsjr »

The IWN system uses public Internet as backhauls? I very seriously doubt that...
tirish101
New User
Posts: 9
Joined: Mon May 18, 2009 3:11 pm

Re: Network security

Post by tirish101 »

It sure does. I used to work for the FBI, as one of the guys who maintained the system.

I'm not "tirish". I just use his logon ;)
tvsjr
Posts: 4118
Joined: Fri Nov 28, 2003 9:46 am

Re: Network security

Post by tvsjr »

It surprises me that a. the Moto infrastructure would tolerate the variable latencies and packet loss present on a public Internet connection between sites and the master and that b. you would be on a public forum discussing it.