I was just working on CISSP Quiz #2 for the website when I started to recall my first day at my first security job. When I look back now, I realize each task could be mapped to confidentiality, integrity, and availability. The three core information security concepts of the CISSP.
My manager gave me the following tasks:
* Generate my own public and private key in order to gain SSH access to customer firewall
* Figure out how many subnets and servers are located behind a firewall
* Obtain the latest firewall image file
Back then, I didn’t question anything, I just did my job to the best of my ability. The fact of the matter was that I had no idea what I was doing, or how I was supposed to do it.
Generating a Public and Private Key
How do I generate a public and private key? Doesn’t that involve cryptography? I didn’t even know where to begin. All I knew was that the public and private keys were some really long string of numbers and letters. I had no idea who, how, or what could generate them.
And what did he mean by SSH access? The only thing I remembered from college was that SSH used port 22, and it was recommended over Telnet as it was more secure. I had no idea why it was secure, but I just knew that it’s better to use it over anything else. Frankly, I barely even knew what Telnet meant, or how to use it.
Eventually a fellow co-worker, Victor, who had started the same day at the company as I did, helped me out. He showed me that we can use a program called PuTTY to generate a public and private key. We then send the public key to our manager, and keep the password-protected private key on our own machine.
Somehow this process will allow us to login to the firewall. We were told never to tell anyone our private key; however, I had no idea why, just that I should.
Subnets and Servers Behind a Firewall
After logging into the firewall, I was presented with the command line interface. For seasoned Linux users, the command line is like a second home.
But I was a life-long Windows user who tried everything in my power to never go near a command line, it was just too intimidating. The thing about the command line was that everything has to be done from memory, so looking at the command line at work, I had NO idea what to type to get started. All I knew was that typing “dir” listed everything in a directory, and that typing “pwd” showed which directory I was presently in.
How the heck do I figure out what networks are behind a firewall using the command line? What do they even mean by “behind a firewall”? I had never felt so helpless and stupid at a job.
I was whispering around to the other security engineers and trying to avoid asking Victor again, I didn’t want him to think I was a total newbie, which I absolutely was.
I decided to suck up my dignity, and asked him for help again.
“Hey Victor man, sorry, can you help me one more time? What does the manager mean to find the networks behind this firewall? How do we do that from here?”
Luckily, Victor was a very patient and nice engineer. “Oh sure, it’s simple man, just type in “netstat –rn”. That will show you all the routes to the networks behind the firewall.”
I shot him a fake but appreciative “Gotcha!”, and typed in the command. The output looked something like this:
Kernel Routing Table Destination Gateway GenMask Flags Metric Ref Use 127.0.0.1 0.0.0.0 255.255.255.255 1 192.168.1.0 0.0.0.0 255.255.255.0 1 0.0.0.0 192.168.1.1 0.0.0.0
At the time, I had no idea what was going on with this output. All I knew was that 192.168.1.0 was a private IP address that couldn’t be used on the Internet, and that 127.0.0.1 IP was a loopback address and it was local to my computer. That was the extent of my knowledge.
I emailed the manager the above output, and hoped he wouldn’t ask any further questions.
He didn’t.
Obtain Latest Firewall Image
The firewall was a Cisco ASA, and it needed to be upgraded from version 9.0(1) to 9.1(2).
Easy enough.
Go to the Cisco website, login with company credentials, and navigate to the desired image. Easy.
I download the file to my desktop, launched the Cisco web GUI, upload image to the firewall, and shot an email to my manager proudly notifying that all assigned tasks have been completed.
Manager replies “You uploaded it to the customer’s firewall already? Did you check the hash of the Cisco image?”
Whoops. My day went from being really stressed, to an all-out panic attack.
My throat suddenly became really dry at the thought of uploading a compromised file onto the only security device protecting a customer’s corporate environment, on my first day at the job!
“I didn’t check it on the device, but I saw that it had one on the official Cisco website where I downloaded it from.” I was trying to sound like I knew what I was talking about. I barely knew what is actually meant by “hash”, much less how to check for it.
“You need to compare if that hash on the website matches the same hash on the image you uploaded to our customer’s firewall. It most likely will be the same, but just good to make sure.”
My manager’s chilled out response eased the high stress level. It was a good lesson for the future on how to make others feel comfortable during an uncomfortable time.
After checking the MD5 checksum on the website with the one generated on the firewall, the hash signatures matched.
Phew.
Confidentiality, Integrity, and Availability
Looking back, the three tasks assigned to me on my first day was a great introduction to the three core information security principles: confidentiality, integrity and availability. It was also a great way to relate CISSP exam concepts to the real world.
Confidentiality Generating the public and private keys for SSH access to the firewall was an example of using asymmetric encryption. When an SSH session takes place, the firewall and a SSH client (PuTTY) will exchange public keys to encrypt session information, and private keys to decrypt.
Cryptography upholds confidentiality, as in the confidentiality of my SSH connection to the firewall.
Integrity Not only was I reading in my CISSP study guides about the importance of integrity, but I also learned a lesson from my manager as well. He was a smart guy, and if he said to check the hash as a good security practice, I was going to do it every single time from now on.
The CISSP lesson here it’s important to check the hash of a file to make sure it has not been changed in transit. A hash is meant to confirm that data has not changed. If you hash a file, and send that file to someone else along with the hash, they can use the same hashing algorithm on the file to make sure both files generate the same hash.
If you use the MD5 algorithm on the word “CISSP”, you will always get the following hash: F46E64C568BD8816A2CA95835E2A2584
If it doesn’t generate the above output, it isn’t the word “CISSP”.
You can check it for yourself.
Availability Making sure how many different networks and servers are behind the firewall was a way to plan for availability. My manager probably did some research on his own to figure out how many specific servers were in each network though, because in hindsight, I don’t think just handing him the output of “netstat –rn” was what he had in mind for my task. All that did was tell him how many networks were protected by the firewall, not specific machines. Each network can contains 254 private assignable IP addresses, no way all those were assigned.
By knowing how many specific servers there were in a network, it was easier to figure out infrastructure load balancing and HA architecture, both of which uphold A in CIA, Availability.
Hope this anecdote helped you understand the CIA as well!
Thanks for reading!