Monday, November 28, 2011

Open Security Self-Test initiative

Hi folks!

I'd like to establish an Open Security Self-Test initiative:

It will allow any user to run a security audit of his gadget (laptop, tablet, smartphone) free of charge and on a self-service basis.

Description: Free WiFi APs located in public places, connected to a specially designed security audit server.
  • All users nearby will be able to connect to this AP (all communication will be encrypted; the password for the connection will be included in the AP's SSID).
  • After connecting to the AP, a security scan of the user's workstation will be started, and all of the user's traffic to the Internet (or to an Internet emulation sandbox) will be monitored by a NIDS.
  • In a couple of minutes the user will get a report about any security threats found on his workstation and short recommendations on how to solve the problems, including links to updates/patches and free/trial antivirus software.
  • All security audits will be done with open-source solutions (some commercial tools could be involved if vendors allow such usage).
  • The whole solution will work on a free-of-charge basis.

Architecture:

Updated:

The proposed architecture could follow the Cloud trend: in this case the Security Audit Servers will be located in the Cloud and connected by VPN to WiFi APs distributed across the world. The APs will run modified firmware (OpenWrt) and tunnel all the traffic from connected users' gadgets to the Cloud.
This will definitely reduce operating costs and give great scalability, flexibility and reliability to the whole solution.



1. Access Point (AP)

2. Security Audit Server(s), including:

  • Captive portal
  • Firewall
  • Vulnerability scanner(s)
  • Network Intrusion Detection System (NIDS)
  • Internet connection or Internet emulation

Current implementation:

Nginx + BIND + iptables + Snort + nmap + OpenVAS + tcpdump + scripts


Usage:

1. The user connects to the public AP with his laptop, tablet or smartphone. The PSK for the connection is included in the AP's broadcast SSID, and the connection is encrypted.
The user gets an IP from DHCP, and all connection attempts are forwarded to the captive portal.

2. The user establishes an HTTPS connection with the Open Security Self-Test web server, reads the end-user agreement, accepts it and starts the security audit.

3. A vulnerability scan runs against the user's device.

4. During the vulnerability scan, and mostly after it, the user's computer gets connected to the Internet (or to the Internet emulation). All traffic between the user's device and the Internet is intercepted and monitored by the NIDS.

5. Finally, the user gets a brief description (with the option to download the full one) of the security problems found and recommendations on how to fix them. The recommendations will include links to vendors' patches, updates and free and trial antivirus software.


During the security audit the user will see a progress bar and will be able to surf the Internet.
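As an added example (not code from the original post), here is a small Python script for the back-end half of steps 3 to 5: it parses nmap's XML output (the format written by nmap -oX) for the connected client, parses Snort's fast-format alert log, keeps only the alerts that involve that client's IP, and merges both into a severity-sorted list of findings with recommendations for the captive portal's result page. The nmap XML, the Snort alert lines and the PORT_ADVICE recommendation table are all constructed for the example; a real deployment would feed it the actual scanner output and a proper mapping to vendor advisories.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap XML (the shape nmap emits with -oX) for a hypothetical client
# at 192.168.10.23: three open services and one closed port.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.10.23" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed Snort "fast" alert lines. SIDs 1000001/1000002 lie in the range reserved
# for local rules; the messages are made up. The last line is non-alert noise to skip.
SAMPLE_SNORT_ALERTS = """\
11/28-14:02:11.123456  [**] [1:1000001:1] LOCAL Possible bot C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.10.23:49152 -> 198.51.100.7:80
11/28-14:02:15.000001  [**] [1:1000002:1] LOCAL Suspicious outbound SMTP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.10.77:51000 -> 203.0.113.9:25
tcpdump: listening on wlan0, link-type EN10MB (Ethernet)
"""

# Hypothetical recommendation table keyed by (protocol, port). A real deployment
# would map findings to vendor advisories; these entries are illustrative only.
PORT_ADVICE = {
    ("tcp", 22): ("medium", "SSH is reachable from the WiFi network; disable it if unused, "
                            "otherwise keep OpenSSH patched and use key-based login."),
    ("tcp", 445): ("high", "SMB file sharing is reachable; turn off file sharing on public "
                           "networks and install pending OS updates."),
    ("tcp", 5900): ("high", "VNC remote desktop is reachable; disable it or restrict it to a "
                            "VPN and set a strong password."),
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Snort fast-format alert line:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
SNORT_FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_nmap_open_ports(xml_text):
    """Return {ipv4: [(proto, port, service)]} for every port nmap reports as open."""
    root = ET.fromstring(xml_text.strip())
    hosts = {}
    for host in root.iter("host"):
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        hosts[ip] = open_ports
    return hosts


def parse_snort_fast(alert_text):
    """Parse Snort fast-format alert lines; lines that do not match are ignored."""
    alerts = []
    for line in alert_text.splitlines():
        m = SNORT_FAST_RE.match(line.strip())
        if m:
            alerts.append({"sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
                           "proto": m["proto"], "src": m["src"], "dst": m["dst"]})
    return alerts


def build_findings(client_ip, nmap_xml, snort_alert_text):
    """Merge scan and NIDS results for one client into a severity-sorted finding list."""
    findings = []
    for proto, port, name in parse_nmap_open_ports(nmap_xml).get(client_ip, []):
        severity, advice = PORT_ADVICE.get(
            (proto, port),
            ("low", f"'{name}' is listening on {proto}/{port}; confirm it is needed and firewalled."))
        findings.append({"source": "scan", "severity": severity,
                         "title": f"{name} open on {proto}/{port}", "advice": advice})
    for alert in parse_snort_fast(snort_alert_text):
        if client_ip not in (alert["src"], alert["dst"]):
            continue  # alert belongs to another client on the same AP
        severity = {1: "high", 2: "medium"}.get(alert["priority"], "low")
        findings.append({"source": "nids", "severity": severity, "title": alert["msg"],
                         "advice": "Run a full antivirus scan and check for unknown programs "
                                   f"that start at boot (Snort sid {alert['sid']})."})
    # sort is stable, so scan findings stay ahead of NIDS findings within one severity
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def render_brief(findings):
    """Plain-text brief for the captive portal's result page."""
    if not findings:
        return "No problems found."
    lines = [f"{len(findings)} problem(s) found:"]
    for f in findings:
        lines.append(f"[{f['severity'].upper()}] {f['title']} ({f['source']}) - {f['advice']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_brief(build_findings("192.168.10.23", SAMPLE_NMAP_XML, SAMPLE_SNORT_ALERTS)))
```

Two details matter on a shared AP: NIDS alerts are filtered by the client's own IP, so one user's report never contains another user's traffic, and the per-client IP must therefore be stable for the whole session (a DHCP lease at least as long as the scan). The script does no enforcement itself; keeping the captive portal as the only way out of the WiFi segment is the firewall's (iptables) job.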



Current stage: Alpha-testing. Scheduled for first implementation in late February, Montreal, QC.

The solution could be implemented on a stand-alone basis in public places or as a part of existing free-WiFi infrastructure. Showing advertisements to users during the scan would allow using some commercial security audit solutions, or even make the project profitable.


2 comments:

  1. Do I understand correctly: a VPN to a host doing all the job would effectively substitute WiFi AP?

  2. VPN to the Security Audit Server wouldn't substitute a WiFi AP:
    1. Project target audience is unqualified users, so for them establishing a VPN is tricky.
    2. There are many VPN protocols and each OS or smartphone firmware supports only a limited number of them along with vendor-specific options. So in this case it is really hard to build a VPN concentrator which will accept all VPN connections.
    3. Using a NIDS will be effective only in case all user's traffic is routed to the VPN. But in most cases it's impossible, and a VPN network adapter could be easily detected by malware, so they could avoid detection.
