
Page 1: Microsoft Word - Cloud Computing On Trial.docx  · Web viewHaving an email server requires opening up firewalls on the DMZ on ports 25 TCP, 53 UDP DNS. The book Hacking for Dummies

Cloud Computing On Trial: A Defense of Cloud Computing By Robert Wahlstedt

Abstract: There has been hesitancy among people to take up the benefits of cloud computing because of a preconceived notion that data on a server owned by someone else is insecure. While it is true that there have been cases where law enforcement issued a subpoena to the service provider, if the information were on a server internal to the organization it would be equally susceptible to a subpoena. However, let us not throw the baby out with the bath water. In this presentation, we look at the disadvantages to small and medium-sized businesses of hosting common applications such as an email server or a customer relationship database themselves, as compared to having the services hosted through a subscription, and talk about how companies that provide hosting services now have IAAS to improve the process for their clients.

White paper:


Many medium-sized and smaller companies do not have staff dedicated to a single application. Email is one such example. Email, one would argue, is an application essential to any organization regardless of factors such as geography, company size, or business sector. Many government employees here in Washington State begin the day by checking email; it is the first thing they do each day. Currently there are two ways for organizations to provide the infrastructure for email: an on-premise solution, or a hosted solution at a service provider such as Microsoft, Zoho, or Google. Let us talk about the on-premise solution first. With Microsoft Exchange, one would have to set up an Edge Transport server providing mail flow, antivirus, and mail flow rules. The Edge server is not behind the DMZ. There is a cost to anti-spam solutions and gateways. Google used to offer an anti-spam solution called Postini, which filtered incoming mail only, from 2007 to 2013. Companies such as Symantec provide Symantec Mail Security 7.5 for Microsoft Exchange, which can scan both incoming and outgoing email. This is good in that it provides a way to handle spam that arrives from an IP address rather than a domain name, thus removing the potential for a man-in-the-middle attack. Some legislators argue that privacy is one of the reasons they want the email servers hosted in-house. This seems redundant, because they also provide email retention in case of an emergency. There is also a DAG, a database availability group, providing high availability in case a node crashes. Most system administrators believe in making routine backups; this is necessary. Hosted Exchange offers a way of outsourcing the responsibility of providing email services while keeping the company at a safe distance from daily maintenance such as applying updates. Microsoft does not have a rolling release; for example, the latest release of Microsoft Exchange at the time of this writing is Microsoft Exchange Server 2016. Google encouraged its clients to use the hosted Google Apps platform because it realized that many organizations were unable to devote the attention needed to keep up their email server settings. One of the most important reasons to use hosted email is security. With security gateways, should a legitimate email be marked as spam, it is very hard to retrieve; for example, a special sandboxed environment in a product made by Symantec or Intel Security can hold the email. It is simple with Microsoft Office 365 or Google Apps because the email shows up in the junk folder on the same interface. Spam is more than just a nuisance; here are some companies that were hacked during phishing attacks.

Another security consideration is the attack surface of having an email server run on a server hosted within an organization's network. Some smaller organizations attempt to avoid the complications of having a virtualized environment such as OpenStack, VMware, or Hyper-V by hosting the email server on their main server, often their domain controller. Email headers themselves are revealing. They reveal the subnet the email server is running in, the default gateway, and the NetBIOS name of the sending machine, should the email originate from an email client such as the Microsoft Office Outlook client.
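The header leakage just described can be checked before mail leaves the organization. The following script is an added example written for this paper, not code from the paper or from any of the products it mentions: it parses a constructed outbound message with the standard library, unfolds each Received header, and flags RFC 1918 addresses (the internal subnet) and bare single-label or .local host names (NetBIOS-style machine names). The message, host names and addresses are all made up for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the paper): mail that left an on-premise
# Exchange server, with two Received headers added on the way out.
SAMPLE_MESSAGE = """\
Received: from MAIL01.corp.local (192.168.10.5) by edge.example.com (203.0.113.7)
 with ESMTP id 7f3a1; Sun, 17 Apr 2016 09:12:03 -0700
Received: from WKSTN-JDOE (10.20.30.44) by MAIL01.corp.local (192.168.10.5)
 with ESMTP id 7f3a0; Sun, 17 Apr 2016 09:12:01 -0700
From: jdoe@example.com
To: partner@example.net
Subject: quarterly numbers

see attached
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# The "from <host>" clause names the machine that handed the mail over.
FROM_HOST_RE = re.compile(r"\bfrom\s+([A-Za-z0-9][A-Za-z0-9.-]*)", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal_address(ip_text):
    """True for RFC 1918 addresses, which describe the sender's internal subnet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def is_internal_hostname(host):
    """Bare single-label names (NetBIOS style) and .local names are internal naming."""
    return "." not in host or host.lower().endswith(".local")


def audit_received_headers(raw_message):
    """Return (kind, header_index, value) findings for internal details that
    the Received headers would expose to any recipient."""
    msg = message_from_string(raw_message)
    findings = []
    for idx, header in enumerate(msg.get_all("Received", [])):
        text = " ".join(header.split())          # unfold continuation lines
        for ip_text in IPV4_RE.findall(text):
            if is_internal_address(ip_text):
                findings.append(("private_ip", idx, ip_text))
        match = FROM_HOST_RE.search(text)
        if match and is_internal_hostname(match.group(1)):
            findings.append(("internal_hostname", idx, match.group(1)))
    return findings


if __name__ == "__main__":
    for kind, idx, value in audit_received_headers(SAMPLE_MESSAGE):
        print(f"Received header #{idx}: {kind} {value}")
```

Run against the sample, the audit reports the 192.168.10.5 and 10.20.30.44 addresses and the MAIL01.corp.local and WKSTN-JDOE names, while the public edge address 203.0.113.7 passes. An Edge Transport server or hosted provider that rewrites or strips the internal hops would leave nothing for this check to find.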


This trivializes the reconnaissance phase of a cyber security event. We need WinRM to work properly. Think about it for a while: a file originating from an unknown host is able to execute, given system credentials, on clients such as Mozilla Thunderbird. Thunderbird was affected by CVE-2014-8634 and CVE-2014-8635 (MFSA 2015-01); by a cross-site request forgery when passing a sendBeacon request, because it lacks an Origin header (CVE-2014-8638, MFSA 2015-03); and by cookie injection (CVE-2014-8639, MFSA 2015-04). Perhaps more troubling, even SWF (Flash) files embedded in emails can invoke plugins running under system credentials, when a person with the system administrator's credentials installed Adobe Flash for Mozilla, or when an automated process started by the administrator ran the install. While outside providers cannot catch all instances of spam or malicious email, they have most likely seen a great number of emails from the sending host, even should it be an unreliable bot. Having an email server requires opening up firewalls on the DMZ on ports 25 TCP and 53 UDP (DNS). The book Hacking for Dummies explains that these are among the most commonly hacked ports:

TCP port 22 – SSH (secure shell)

TCP port 23 – Telnet

TCP port 25 – SMTP (Simple Mail Transfer Protocol)

TCP and UDP port 53 – DNS

TCP port 80 – HTTP (Hypertext Transport Protocol)

TCP port 443 – HTTPS (HTTP over SSL)

TCP port 110 – POP3 (Post Office Protocol version 3)

TCP and UDP port 135 – Windows RPC (Windows remote procedure call)

TCP and UDP ports 137-139 – Windows NetBIOS over TCP/IP

We would need to open up a few of these to get the Exchange server to work. In addition, I would recommend we use as few UDP ports as possible. Some people have proposed that subnets provide security. We can open up Wireshark, put the computer's network interface into promiscuous mode and, if the network ACL is open, capture all packets going through the machine. This is a software change, which is a little scary. Subnets provide security only for TCP, and many people use UDP for their connections because it is quick and dirty. For example, Microsoft SQL Server 2008 R2 uses UDP port 1434 for the SQL Server Browser service. This service listens for incoming connections to a named instance and provides the client with the TCP port number that corresponds to that named instance. When a technician creates named instances within the Database Engine, the SQL Server Browser service starts. If the client connects to a specific port of the named instance, the SQL Server Browser service does not have to run. Remember that the internet works with ACLs, or access control lists; it is possible for a person to reach Google without being part of the same subnet. There is a common method called UDP hole punching. UDP hole punching is a commonly used technique employed in network address translator (NAT) applications for maintaining User Datagram Protocol (UDP) packet streams that traverse the NAT. NAT traversal techniques are typically required for client-to-client networking applications on the Internet involving hosts connected in private networks, especially in peer-to-peer, Direct Client-to-Client (DCC) and Voice over Internet Protocol (VoIP) deployments. UDP hole punching establishes connectivity between two hosts communicating across one or more network address translators. Typically, an application sets up direct communications between two or more communicating hosts by using a third-party host on the public transit network, reached over a UDP port. Normal communications traffic, or, when there is no significant traffic, keep-alive traffic consisting of empty UDP packets or packets with minimal non-intrusive content, keeps the port state open once it is established. A common example of a program that uses UDP hole punching is TeamViewer.
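The exchange described above, as an added example that is not part of the paper: a toy NAT model in which an outbound datagram opens a mapping, the rendezvous host hands each client the other's public endpoint, and keep-alive datagrams keep the mapping from idling out. The NAT, the addresses and the timeouts are all constructed for the example, and the model deliberately leaves out the source-address restrictions that real NATs apply, so it shows why "blocking incoming traffic" at the NAT does not stop a client that initiates its own outbound UDP stream.

```python
class ToyNat:
    """Simplified NAT (constructed for this example): an outbound UDP packet
    from a private endpoint allocates or refreshes a public port; an inbound
    packet to that public port is forwarded only while the mapping exists and
    has not idled past `timeout`. Source-address restrictions are omitted."""

    def __init__(self, public_ip, timeout):
        self.public_ip = public_ip
        self.timeout = timeout
        self.next_port = 40000
        self.mappings = {}  # public_port -> (private_endpoint, last_used)

    def outbound(self, private_ep, now):
        """Client behind the NAT sends a packet; returns its public endpoint."""
        for port, (ep, _) in self.mappings.items():
            if ep == private_ep:
                self.mappings[port] = (ep, now)   # any traffic refreshes the hole
                return (self.public_ip, port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[port] = (private_ep, now)
        return (self.public_ip, port)

    def inbound(self, public_port, now):
        """Packet arrives from the Internet; returns the private endpoint it is
        forwarded to, or None when the NAT drops it."""
        entry = self.mappings.get(public_port)
        if entry is None:
            return None
        private_ep, last_used = entry
        if now - last_used > self.timeout:      # idle mapping has expired
            del self.mappings[public_port]
            return None
        return private_ep


def punch(nat_a, nat_b, a_ep, b_ep, now):
    """Hole punching between clients A and B, each behind its own NAT."""
    # 1. Both clients send to the public rendezvous host; each NAT allocates a mapping.
    public_a = nat_a.outbound(a_ep, now)
    public_b = nat_b.outbound(b_ep, now)
    # 2. The rendezvous host relays each client's public endpoint to the other
    #    (modelled here as plain variable passing).
    # 3. Each client sends directly to the peer's public endpoint: its own NAT
    #    refreshes its mapping and the peer's NAT forwards the packet inbound.
    nat_a.outbound(a_ep, now)
    a_to_b = nat_b.inbound(public_b[1], now)
    nat_b.outbound(b_ep, now)
    b_to_a = nat_a.inbound(public_a[1], now)
    return {"public_a": public_a, "public_b": public_b,
            "a_to_b": a_to_b, "b_to_a": b_to_a}


def hole_stays_open(timeout, keepalive_interval, check_at):
    """Does an inbound packet at `check_at` still pass when the client sends
    empty keep-alive datagrams every `keepalive_interval` seconds?"""
    nat = ToyNat("203.0.113.10", timeout)
    ep = ("10.0.0.2", 5000)
    _, public_port = nat.outbound(ep, 0)
    t = keepalive_interval
    while t < check_at:
        nat.outbound(ep, t)                     # empty UDP keep-alive
        t += keepalive_interval
    return nat.inbound(public_port, check_at) == ep
```

With a 30-second idle timeout, keep-alives every 20 seconds keep the hole open indefinitely, while a silent client loses its inbound path after 30 seconds; the defensive takeaway is that a perimeter policy of "no inbound UDP" is only as strong as the egress policy that lets internal hosts open such mappings in the first place.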

Another service that is of benefit to organizations beyond email is customer relationship databases. If you think you do not have any SQL databases in your organization, are you using an antivirus with a hosted management system? These antivirus packages sometimes use SQL Express or install another SQL database without IT remembering that these databases are in use. A security researcher notes: "Our pervasive and continuing complaint with Microsoft is that all of those port 1433 and 1434's were wide open to the external Internet in the first place. Of the hundreds of thousands of vulnerable SQL servers that were quickly discovered and compromised by the SQL Slammer worm, probably NONE of them actually needed or intended to be offering SQL database services to the entire Internet. Yet Microsoft's default settings and installation made it so. Had Microsoft chosen not to open those ports by default, the coding mistake would have had little effect or result."

So in essence, all one would have to do is run Nmap with -sU (UDP scan) to find the open SQL port. While most popular services on the Internet run over the TCP protocol, enterprises depend on UDP services. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly do not ignore the protocol. Fortunately, Nmap can help inventory UDP ports. When a technician scans UDP with the -sU option, it is possible to also scan TCP at the same time, for example with a SYN scan (-sS). A UDP scan works by sending a UDP packet to every port selected by the user. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase the response rate, but for most ports the packet is empty unless the --data, --data-string, or --data-length options are specified. Nmap determines that the port is closed when an ICMP port unreachable error (type 3, code 3) returns. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If there is still no response after the scan retransmits, the scan classifies the port as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones. A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions in case the probe or response was lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. However, unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate-limit ICMP port unreachable messages. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in net/ipv4/icmp.c). Nmap detects rate limiting and slows down so as to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per second makes a 65,536-port scan take more than 18 hours. Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

You will need to start the Browser service to resolve non-default instances. Additionally, opening UDP 1434 will allow resolution of the named instances by name instead of port, so you will not need to use the ports. If you are uncomfortable opening UDP 1434 long-term, or you have a DBA who is on-site and can connect locally, you may ask them to connect via SQL Server Management Studio or the SQL command line and specify the server connection as follows:

tcp:servername\instancename

Prefixing with tcp: will force a TCP connection. Once this is done, you may connect to your named instance and query sys.dm_exec_connections to find the port the non-default instance is running on, like so:

SELECT local_tcp_port FROM sys.dm_exec_connections WHERE session_id = @@SPID
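The UDP port-state rules and the rate-limit arithmetic from the Nmap discussion above, as an added example written for this paper (not Nmap's code and not from the paper): a classifier that applies the ICMP type 3 code rules, retransmits on silence, and reports open|filtered only after the retransmissions are exhausted, run against a constructed simulated host whose replies (including one lost probe) are made up for the example. A second helper computes the lower bound on scan time when a target limits ICMP port unreachable replies to one per second, which is where the paper's 18-hour figure comes from.

```python
ICMP_DEST_UNREACHABLE = 3            # ICMP type
CODE_PORT_UNREACHABLE = 3            # code 3 -> closed
FILTERED_CODES = {1, 2, 9, 10, 13}   # other unreachable codes -> filtered


def scan_udp_port(port, responder, max_tries=2):
    """Classify one UDP port with the rules described in the text.
    `responder(port, attempt)` stands in for the network: it returns
    ("udp", payload), ("icmp", type, code), or None when nothing came back."""
    for attempt in range(max_tries):
        reply = responder(port, attempt)
        if reply is None:
            continue                        # lost probe or reply: retransmit
        if reply[0] == "udp":
            return "open"                   # the service answered over UDP
        if reply[0] == "icmp" and reply[1] == ICMP_DEST_UNREACHABLE:
            if reply[2] == CODE_PORT_UNREACHABLE:
                return "closed"
            if reply[2] in FILTERED_CODES:
                return "filtered"
    return "open|filtered"                  # silence even after retransmission


def scan_udp_ports(ports, responder, max_tries=2):
    return {p: scan_udp_port(p, responder, max_tries) for p in ports}


def scan_hours_at_icmp_limit(closed_ports, icmp_per_second=1.0):
    """Wall-clock lower bound when the target rate-limits ICMP port unreachable
    replies: every closed port costs one reply at the limited rate."""
    return closed_ports / icmp_per_second / 3600.0


# Constructed behaviour of a simulated host (not a real scan result).
SIMULATED_HOST = {
    53:   ("udp", b"\x00\x00\x81\x83"),            # DNS answers the protocol-specific probe
    1434: ("udp", b"\x05\x00ServerName;SQL01;"),   # SQL Server Browser reply
    9999: ("icmp", 3, 3),                          # port unreachable
    500:  ("icmp", 3, 13),                         # communication administratively prohibited
    123:  ("icmp", 3, 3),                          # closed, but see LOSSY_PORTS
}
LOSSY_PORTS = {123}                                # first probe is lost on the way


def simulated_responder(port, attempt):
    if port in LOSSY_PORTS and attempt == 0:
        return None
    return SIMULATED_HOST.get(port)                # unknown port: no reply at all
```

For a defender, the same rules explain what an inventory of your own DMZ will and will not tell you: a silent port is reported as open|filtered, so a firewall that drops probes hides a listening SQL Server Browser just as well as an absent one, and only a version probe or a review of the host itself settles the question.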

Here is a chart from Wikipedia comparing connectionless transport (UDP) with connection-oriented transport (TCP):


An IP address (a layer 3 construct) is an alias for a MAC address (a layer 2 concept).

Now that we have talked about the disadvantages of on-premise services, let us talk about the benefits of the cloud. Of course, the concept of the TCP stack needs rethinking because of MPLS. Multiprotocol label switching, in some instances a smart IP, is sometimes referred to as layer two and a half. It is seen commonly in infrastructure as a service (IAAS), which offers pools of hypervisors within the cloud operating system; this is what has given the cloud the capability to scale services up or down according to user demand. It does so by managing resources such as a virtual machine disk image library, raw block storage, file or object storage, firewalls, load balancers, IP addresses, virtual local area networks (VLANs) and software bundles. To deploy their applications, cloud users install operating-system images as applications. A smart IP address (formerly known as an elastic IP address or virtual IP address) appears as a static IP address. With an elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in the cloud. It consists of a private heartbeat between nodes, and of machines that replicate with each other while one is on standby. Snapshots that can be reverted make replicating machines possible. There are two major benefits of running services and applications on a cluster. The first is to increase the availability of a service or application. The second is to reduce the downtime caused by maintenance. The cluster service's monitoring of the service or application quickly catches errors, so that another node within the cluster takes control within moments. In many cases the detection of errors is so efficient that nobody will even notice.
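The heartbeat-and-floating-address mechanism described above, as an added example that is not from the paper or from any cloud provider: a toy active/standby cluster in which nodes send a private heartbeat, a monitor pass moves the elastic address to a healthy standby node once the holder has missed a set number of heartbeats, and the client-facing address never changes. Node names, the address and the timings are constructed for the example; the crash scenario stops node-a's heartbeat at t=10.

```python
class FailoverCluster:
    """Toy active/standby cluster (constructed for this example, not any
    vendor's implementation): nodes exchange a private heartbeat and one
    floating (elastic/virtual) IP is held by the active node. When the holder
    misses enough heartbeats, the monitor moves the address to a healthy
    standby node."""

    def __init__(self, nodes, floating_ip, heartbeat_interval, missed_allowed):
        self.floating_ip = floating_ip
        self.holder = nodes[0]
        self.standby = list(nodes[1:])
        self.last_heartbeat = {n: 0.0 for n in nodes}
        self.deadline = heartbeat_interval * missed_allowed
        self.failovers = []                      # (time, failed_node, new_holder)

    def heartbeat(self, node, now):
        self.last_heartbeat[node] = now

    def is_healthy(self, node, now):
        return now - self.last_heartbeat[node] <= self.deadline

    def tick(self, now):
        """One monitor pass; returns the node currently answering on the floating IP."""
        if not self.is_healthy(self.holder, now):
            candidates = [n for n in self.standby if self.is_healthy(n, now)]
            if candidates:                       # never move the address to a dead node
                failed, self.holder = self.holder, candidates[0]
                self.standby.remove(self.holder)
                self.standby.append(failed)     # rejoins as standby once it heartbeats again
                self.failovers.append((now, failed, self.holder))
        return self.holder

    def resolve(self):
        """What a client sees: the same address, whichever node is behind it."""
        return (self.floating_ip, self.holder)


def run_crash_scenario(crash_at=10, end=20):
    """node-a stops heartbeating at `crash_at`; node-b keeps going."""
    cluster = FailoverCluster(["node-a", "node-b"], "203.0.113.50",
                              heartbeat_interval=1.0, missed_allowed=3)
    for t in range(end):
        if t < crash_at:
            cluster.heartbeat("node-a", t)
        cluster.heartbeat("node-b", t)
        cluster.tick(t)
    return cluster


if __name__ == "__main__":
    c = run_crash_scenario()
    print("failovers:", c.failovers)
    print("clients resolve to:", c.resolve())
```

Two design points are worth noticing. The address moves only to a node whose own heartbeat is current, so a network partition that silences every node leaves the address where it is rather than bouncing it. And there is no automatic failback: when node-a's heartbeat returns it becomes a standby, which avoids flapping between two nodes that are each intermittently reachable.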

With improvements to wireless mode AC, IAAS will likely become faster and more reliable. Today we have the AC wireless mode, which is an improved version of IEEE 802.11n-2009 wireless. The benefit of using N wireless is that it uses multiple antennas to increase data rates, with support for multiple-input multiple-output and frame aggregation. It resolves more than is possible using one antenna, through a technique known as spatial division multiplexing. The CCIE Routing and Switching exam covers MPLS and is not for the faint of heart. Rather than taking a single expert to do IT right, it takes many of them. The more IT professionals can collaborate and work together, the better. In the book Worm by Mark Rosenbaum, I learned that there are small illicit companies so advanced that they make intrusion mechanisms. Some of these mechanisms are so complicated that investigators have identified them as nothing less than advanced persistent threats made by nation states. The defendant has no hope of resisting such attacks alone; thus, they should strongly consider the cloud.


Works Cited:

Astorino, Joe. "Cisco CCIE Routing and Switching: MPLS." Pluralsight. N.p., 14 June 2015. Web. 17 Apr. 2016.

Beaver, Kevin. Hacking for Dummies. N.p.: n.p., 2013. Print.

"C# and Determinism?" Reddit. N.p., 2015. Web. 17 Apr. 2016.

"Computer Vulnerability Note CVE-2014-8634 CVE-2014-8635 CVE-2014-8636." Vigil@nce Vulnerability. N.p., n.d. Web. 17 Apr. 2016. <https://vigilance.fr/vulnerability/Firefox-Thunderbird-SeaMonkeymultiple-vulnerabilities-15959>.

Dobre, Cristian, and Jim Bobb. "Why Blocking Incoming Traffic Does Not Block Chatting or VOIP." Stack Exchange. N.p., 5 Feb. 2013. Web. 17 Apr. 2016.

Fall, Kevin R., and W. Richard. Stevens. TCP/IP Illustrated. Boston, MA: Addison-Wesley, 2012. Print.

"Feature Guide: Amazon EC2 Elastic IP Addresses." Feature Guide: Amazon EC2 Elastic IP Addresses. Amazon, 16 Nov. 2012. Web. 17 Apr. 2016. <http://aws.amazon.com/articles/1346>.

Gibson, Steve. "GRC | Port Authority, for Internet Port 1434 ." GRC | Port Authority, for Internet Port 1434 . Gibson Research Corporation, n.d. Web. 17 Apr. 2016. <https://www.grc.com/port_1434.htm>.

Goransson, Paul, and Chuck Black. Software Defined Networks: A Comprehensive Approach. , 2014. Internet resource.


Hu, Fei. Network Innovation Through Openflow and Sdn: Principles and Design. , 2014. Internet resource.

Hynes, Corey, and Matt McSpirit. "What's New in Windows Server 2016 Preview." Microsoft Virtual Academy. N.p., n.d. Web. 17 Apr. 2016. <https://mva.microsoft.com/en-us/training-courses/what-snew-in-windows-server-2016-preview-12592#!>.

"Infrastructure as a Service." Multipath Data. N.p., n.d. Web. 17 Apr. 2016. <http://www.multipathdata.com/services/infrastructure-as-a-service/>.

Johnston, Alan B. Sip: Understanding the Session Initiation Protocol, Third Edition. Norwood: Artech House, 2009. Internet resource.

Joseph, Vinod, and Srinivas Mulugu. Network Convergence: Ethernet Applications and Next Generation Packet Transport Architectures. , 2013. Internet resource.

Kocharians, Narbik, and Peter Paluch. CCIE Routing and Switching V5.0 Official Cert Guide: Volume 1. Indianapolis: Cisco, 2015. Print.

Meyers, Mike. "CompTIA Network+ Exam Prep (N10-006) Part 6: Beyond the Typical Network." Lynda.com. Lynda, 28 July 2015. Web. 17 Apr. 2016. <https://www.lynda.com/Networktutorials/CompTIA-Network-Exam-Prep-N10-006-Part-6-Beyond-Typical-Network/414775-2.html>.

Minei, Ina, and Julian Lucek. Mpls-enabled Applications: Emerging Developments and New Technologies, Third Edition. Chichester, West Sussex, U.K: John Wiley & Sons Ltd, 2011. Internet resource.

"News." Nmap: The Network Mapper. N.p., n.d. Web. 17 Apr. 2016. <https://nmap.org/>.

"Openvpn Server Port Accessibility." Networking. Stack Overflow, 22 Jan. 2016. Web. 17 Apr. 2016.

Stanek, William R. Microsoft Exchange Server 2010: Administrator's Pocket Consultant. Redmond, WA: Microsoft, 2010. Print.

"UDP Hole Punching." Wikipedia. Wikimedia Foundation, n.d. Web. 17 Apr. 2016.

Winters, Nathan, Neil Johnson, and Nicolas Blank. Microsoft Exchange Server 2013: Design, Deploy, and Deliver an Enterprise Messaging Solution. Indianapolis, Ind: Sybex, 2013. Internet resource.