Network Security for MAC-OS X - security

I have a new set up for software development for iOS devices. I am using MACs for the development and the company may grow from three employees right now to 20 in near future. I want to make the MACs secure so that the client code is safe and does not leave office.
Few ways I can think of a notorious employee trying to do that is
Get it on USB-key/External-Disk
Burn it on CD/DVD
Transfer it to a bluetooth device
Transfer it to Infra-Red Device
Email it as an attachment
Upload it to Dropbox or any such service
FTP to a remote server
To handle this one by one I need to do following
Disable USB access to user accounts (only admin allowed to insert a new device). But often times we need to stick in iphone/ipod touch to do on-device testing. How can I restrict the devices or get notified when someone tried to put a foreign device in any of the USB slots?
Disable CD/DVD write functions except for admin. Can I do this?
Disable bluetooth access. And if someone tries to pair a device, can I get notified or maitain a log?
Wireless keyboard and mouse use Infra-Red (IR) technology. How can I limit these devices?
Need to block all outgoing emails except company emails. Can I keep a tab on all outgoing traffic (may be by file size) so that I know some one is trying to up-load a file?
Again disable access to such website. But then every 15 days a new service springs up. How do I tackle this?
Disable ftp outgoing services. Can I do this?
Importantly is there a monitoring software that will allow me to do this? I don't mind paying. But since this is a start-up I cannot spend a fortune on this. And of-course I prefer open source solutions for the control it gives me to extend and scratch my specialized itch :)
Finally I hope I wont be judged as a bad boss or something. I am all for developer freedom but we are into consulting business and protecting client code takes priority.
Thanks for your time and looking forward to your help.
Dev.

If you don't trust your developer not to run off with your source code, don't hire them. They can find a way around your "solution"
If you can't trust any developers to not steal your source code, work alone. Anything known by two people is no longer a secret.

Related

Looking for tips in firewall app creation

I'm trying to create a VERY simple firewall. For basically my own educational purposes, since I only know how to program in dos batch, if you can call that programming. I have a lot of computer experience, but no classic coding knowledge. Google pointed me at visual templates studio so I downloaded that and visual studio 2017 community. And found myself completly confused. I'm scared to click stuff :)
Anyway this is the idea:
First part of program is checking if it is in startup folder. If it is, it should start itself from there. If not, it should copy itself there and start itself. I beleive shortcut to that folder is shell:startup I have no idea about best practices, and don't care about them, this is only for me to get educated.
Second part is blocking all possible protocols on all possible network adapters (hidden, merged, bluetooth, don't care, all of them). After this part executes, a wireshark check should be mute. Absolutely nothing. Zip. Nada traffic.
Third part is having a taskbar icon and if clicked opening a window where I could add some simple exceptions. TCP+UDP ports incoming or outgoing or both.
It should be a dead silent app. No notifications of any kind. Mute.
So, if anyone has any tips to get me started in the right direction, I'd be gratefull. I'm still learning what buttons do in visual studio :)
This is not an appropriate project for your current skill level.
However, if you want to attempt it anyway, you will want to acquaint yourself with the Windows Firewall with Advanced Security API.
Note that using this API will not make network sniffer tools like Wireshark report no activity, as 1) these tools observe traffic before firewall rules are applied; and 2) some network traffic, like ARP and DHCP, is required to join a network at all.

Firewall Security

My company just moved office to a new building and the Internet company came to install the internet (fiber). The problem is that the telco company installed the router in the basement of the building (which it happens to be the parking of the building also). That means that the internet router for my company is at the basement, wide in the open. The router has 3 free ports, that means that potentially anyone that walks-by at the parking can plug-in a laptop and get into our network (not only use the internet but try to hack into our file servers, etc...). We are a software company.
Did we try to get router upstairs? Yes but after several discussions with the telco company, it seems we have no choice with this setup. Therefore, does anyone recommend a good solution to protect our network? First thing comes to mind is to purchase a Firewall Hardware box and plug that inside our office from the internet cable that comes from the wall. Would that be the best solution? And if yes, any recommendations for a not too expensive firewall hardware? Thanks a lot.
As far as I'm aware, modern routers nowadays should already have port security features built-in. So, optimistically, you may not need to purchase a hardware firewall.
On the other hand, if you can afford to lock the router into a frame/cage, that's also a mean of physical access control. Installing a security camera near the router is another option.
One possible solution for your case is using packet filtering.
It is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination IP addresses, protocols and ports.
A product that can suit your needs is Ixia's PacketStack. Its packet filtering capabilities can be used without any packet loss, you can anipulate traffic anyway you want - deduplicate, stamp and trim. You can hide or overwrite sensitive or personally identifiable information before providing the data to analysis tools.

What's the most reliable way to detect if the user is logging in from a different device than usual?

I suspect we're all familiar with how facebook and google and the like detect if you're using a different device than usual, I was wondering what the most reliable way to do this is?
I'm talking about the old 'It looks like you're signing in from a different device', and then when you confirm etc, it usually sends you an email and asks whether you want to trust this device or not.
Obviously one could just set a cookie, one that maybe get's checked and logged each visit, but what about when the user signs out? Do we keep the cookie?
Is there any other reliable method to 'trust' a 'device' other than setting cookies? Or is this the best/most reliable way to do it?
The most reliable way to detect a device change is to create a fingerprint of the browser/device the browser is running on. This is a complex topic to get 100% right, and there are commercial offerings that are pretty darn good but not flawless. I worked at one of those companies several years ago.
There is now at least one open source fingerprinting project Client JS. I have not used it, but it seems to cover the bases.
Just setting a cookie is not very reliable because on average users clear cookies about every 30-45 days unless you use a network that attempts to re-set the cookie (paid services). Even those are not flawless.
Just using the IP address is useless. Some devices legitimately have many IPs in a short period of time (laptop at home, work and Starbucks or most any mobile device), while sometimes a single IP is shared by a large number of users (all the folks at Starbucks or behind a corporate proxy server).
UPDATE
Thoughts on your similar hash code.
It is a complex topic to get right. I had a small team for a few years. We got pretty darn good, but you can never be 100% accurate even when people are not intentionally trying to trick you.
If the CPU changes, it's probably a different device.
The same physical device can have many user agents. Each browser on the device has a different user agent, and privacy mode of browsers have different user agents with far less entropy.
Fonts doesn't change very quickly for a given physical device, though it's not a great source of entropy on mobile devices (few fonts installed, and typically all the same ones for a given type of device).
OS is generally stable, until it suddenly changes. Does it matter in your case if every device appears to be a new device when it updates to Windows 10?
Color depth will be pretty stable. If the user installs a new graphic card, this may change. Does that matter in your case?
If you can accept thinking some devices are new when in fact they are the same and vice-versa, this type of similarity hash may work for you. Note that you can never use this type of fingerprint to uniquely identify a device for a purpose that requires positive identification such as access to secure data. It's great for making probabilistic decisions such as serving an appropriate ad.

How to create a secure "call home" suport capability for an instrument?

I'm an embedded engineer (not a network guru) building a piece of Linux-based equipment (a portable measurement instrument) that is normally not connected to the Internet, but we need to make it possible for the equipment to "call home" for support, including updates and troubleshooting, in a manner that compromises neither the product's security, nor the customer's network security nor our own company network.
The "call home" capability will be completely controlled by the user, perhaps by pressing a physical button to activate it, after the equipment has been connected to whatever network the customer chooses to use. For prototype and demonstrations systems, this network could be at someone's home or office or even via a phone connection (the equipment will contain only a wired Ethernet port, and the customer would need to provide a wired AP if WiFi access is desired).
Making the connection should require no per-call configuration at the user's end, nor within our box, so I'm thinking we can require the customer to provide DHCP, and not much else. We can also require the customer to first contact us before pressing the "call home" button, so we can have our support interface up only when needed.
When a unit does "call home", it merely makes a connection to a company system, doing nothing else until an engineer (well, me) directly connects to it. Other than the existence of the connection, we should get no (or minimal) information about the network the customer is using. So I'm thinking some kind of SSH connection, but that's as far as I have gotten.
If possible, it should "feel" as if I'm connecting locally, as if the unit were on my desk (perhaps with much more latency, loss, and minimal bandwidth).
But I have no idea whatsoever how to make an SSH connection (if that's the right tool to use for this) as two separate halves: The remote unit "calls" somewhere, presumably on one of our company systems, then that system notifies an engineer (me) that a "call home" has been initiated, then waits for the engineer to connect, forming the other half of the connection.
The connection need not identify the remote system (make, model, serial number, version, etc.): I'd do that manually after logging in securely.
If needed, I can create a new system on our end (Linux, BSD, Windows, whatever, physical or VM) that can be dedicated to just this function. I can get at least one static port mapped out to our corporate WAN, if needed (but something I'd prefer to avoid, if possible).
Ideally, I'd also like for there to be minimal information in the equipment itself, so that possession of the equipment by an adversary (or competitor) could not compromise customer or company networks, other units, nor the call-home technique itself. From what little I know, I'd guess a hostname or IP address, a port number, and a key would be needed, but less would be better!
I'd also like the system to require manual intervention at both ends, with minimal automation that can be buggy or be compromised. Once we implement and test the initial system, automation could be added as our experience with it, and confidence in it, grows.
That's about as far as my thinking has taken me. Beyond this, I'm pretty much clueless. Am I on the right track? What pieces am I missing? Is this already a popular thing to do, and I simply don't know what it is called? How simple and stupid can this capability be made for a couple of prototype systems?
EDIT: If it wasn't obvious already, please assume I'm a networking idiot who can be trusted only to follow an explicit recipe, and not much more. KISS applies!
Disclaimer: as long as no "real" answer is there I just provide my more or less theoretical thoughts with hope it helps.
Without reading in detail, I found http://www.vdomck.org/2005/11/reversing-ssh-connection.html to reverse a ssh-connection. If that is easy to follow (it should be easy, just ssh -R basically, see also http://www.brandonhutchinson.com/ssh_tunnelling.html) it means your remote device could connect to your network (and "Pete" is your Partner at the customer). The problem is that initiating a ssh-connection without user/password requires a authentication- private key on that device (so in non-friendly hands).
You could place a dumb ssh-server with no private data and no special access and even the password you could set just for that single connection (and tell your partner "Pete" via phone), let your phantasie play a bit to get a static half "ImGenious$%" and a dynamic half "1243" so you can give a short easy dynamic half over phone.
Then from that dumb ssh-server you can connect to your device as in the article.
I would suggest the call home functionality uses SSH to connect to your office. This requires your customer's network provides DHCP, Internet access and DNS capability. It also requires them to allow outbound connections on port 22. The latter is possibly an issue for some security minded customers who want to prevent unknown egress of data.
You will need a certificate for your SSH server so the certificate is valid for the domain name you choose. You will also need to make sure the SSH client on the server is configured to accept the signature of your server.
It sounds like the number of devices you will be maintaining is relatively low. For this reason, I would suggest generating unique public/private key pairs for each device. You can then load the public key into your server so logins are accepted via keys only.
If a device is compromised or stolen, you can delete the appropriate key from your server. The device will not be able to login again. The private key on the device only has value because you have decided to accept the associated public key on login. Remove this and it has no value. The added benefit is that you can identify a device by the key it has used to login (e.g. you can associate each key with a different user). You can then tie up the login with the information about the device/customer that you store on your systems.
If you use reverse SSH you can have the device connect in. Once you're ready, you can use the reverse part to connect through the tunnel that the device and your server have already setup to perform the maintenance.

Remote browser access to Windows CE/Mobile/Embedded emulators?

My company has a Compact Framework.NET WinForms application which runs on rugged handhelds manufactured by companies like Motorola, Intermec and Psion. These are expensive devices with built-in barcode scanners that are used in harsh conditions.
The configuration of the handheld application is managed by business users through our web site. The devices pick up the configuration when they sync from within the handheld application. Field workers use the handhelds, business users use the web site.
The business users have expressed the desire to, for lack of a better description, configure and preview or even fully use the actual handheld application through a web browser. They want to make configuration changes in the web site and immediately see what the impact will be in the handheld, without having to have a physical device (again, the devices are quite expensive). They want to be able to create training materials or conduct sales meetings and be able to demonstrate the application to their customers without having a physical device on hand.
Microsoft offers several Device Emulators, but they are probably too complex for business users. They are developer tools. One idea might be to somehow use the emulators within virtual machines possibly in conjunction with Terminal Services or even some kind of clever screen capture/VNC to show an emulated device in a browser. I suspect running emulators in the fashion may not exactly be a scalable solution, however. Also, only one emulator at a time on a single machine can be "cradled" and connected to network.
I'm looking for any suggestions which might help me meet the business users' requirements.
Thanks.
The only thing I can think of offhand is not that simple, but would probably be useful (and certainly the only "true" way for them to test).
I'd create a service that works like the Remote Display app (part of the WinMo Developer power tools, also ships with Platform Builder for CE), in fact it might just use that app (the source code for it actually ships with Platform Builder, so the eval version of PB would get you that source).
You would then create a web interface that acts as a "shell" for that service, marshalling the display image out to a web page and image clicks back as mouse events to the device.

Resources