Basic Networking, TCP/IP and Security
CYBER SECURITY BASICS
- EXTREME NETWORK BASICS IN 11 CONCEPTS
- TCP/IP NETWORKING - SO WHAT?
- PUBLIC WIFI HYGIENE
- CONFIGURING ROUTERS
- PUBLIC KEYS INFRASTRUCTURE (PKI) AND ENCRYPTION
- OAUTH
EXTREME NETWORK BASICS IN 12 CONCEPTS
Down the Rabbit Hole We Go
-
(1) A network is a any group of computing devices that can electronically communicate with each other: why would computers want to communicate with each other?
-
(2) Connection types include wireless (WiFi or LTE) or wired (Ethernet): which ones do you use?
-
(3) The global internet is a public network provided by Internet Service Providers (ISPs): what ISP(s) do you use?
-
(4) Local area networks (LAN) are private networks isolated from public networks with a firewall border: what places have LANs?
-
(5) LAN devices are growing exponentially: what devices have been added to your network in the last 3 years?
A Matter of Trust
-
(6) LAN networks, under control by a network administrator, are trusted
-
(7) Public networks, outside the security perimeter and control of the network administrator. are untrusted
-
(8) Networks that can’t be positively identified as trusted nor untrusted are Unknown
Hardware
-
(9) Switches hub and manage transmissions between LAN ethernet devices.
-
(10) Access Points hub and manage transmissions between WiFi devices.
-
(11) Routers manage the virtual network interconnecting devices on the LAN and beyond without regard to how they are physically connected.
-
(12) Clients connect to other Clients and Servers also known as Hosts to exchange data: what are some examples of clients and servers?
TCP/IP NETWORKING - SO WHAT
Why
- Allows dissimilar computers to communicate with each other
- Has error control to verify data exchanged accurately
- Worldwide agreed upon protocol allowing connection to any visible computer
- Best effort = inexpensive
Layered Anatomy of A Network Device
-------- COMPUTER --------- CLIENT OR SERVER
| |
| browser |
| email | facetime | APPLICATIONS
| | | | |
| 25| 80| 16393| | ports
| ...\ | /.....\ | /... |
| ----- ----- |
| | TCP | | UDP | | PROTOCOL MODULES
| ----- ----- |
| \ / |
| ------ |
| | IP | | ROUTING
| --*--- 10.0.0.2 | IP addr
| / |
| ---- / |
| |ENET| | MEDIA ACCESS CONTROLLER (MAC)
| --@- 08-00-39-00-2F-C3 | MAC addr
| \ |
-------\-------------------
|
--o---------- ROUTER
----------o SWITCH/AP o------- ETHERNET OR WIFI NETWORK
------o------
| GATEWAY
-----X======== ISP
Ethernet
- Ethernet routes data to a network client or server (host) with a 48-bit Media Access Control (MAC) address
- 12 hexadecimal digits each 0-h acting as unique serial number (08:00:20:11:ac:85)
- first 6 digits is registered vendor code
- Remainder assigned by the vendor at manufacturing stage
- Every Ethernet device in the world has a unique address specified and managed by the Institute of Electrical and Electronics Engineers (IEEE)
WiFI 802.11
Protocol | Speeds (Mbit/s) | Range | Band | Year |
---|---|---|---|---|
802.11b | 2.4-11 | 35 m | 2.4g | 1999 |
802.11a | 5 - 54 | 35 m | 5g | 1999 |
802.11g | 2.4 - 54 | 38 m | 2.4g | 2003 |
802.11n | 2.4 - 600 | 70 m | 2.4/5g | 2009 |
802.11ac | 5 - 3,466.8 | 35 m | 5g | 2013 |
802.11ax | up to 10,530 | 10 m | 2.4/5g | 2019 |
802.11ay | up to 20,000 | 10 m | 2.4/5g | 2020 |
Internet Protocol (IP)
Main functions
- packetization - chunking large transmissions like files into small easy to send packets
- every packet has
- type TCP or UDP
- source and destination address
- port for application connection
- sequence number for proper transmissions re-assembly re-transmission requests
- address management
- routing - responsible for forwarding packets along to their destination
IP Addressing
IPv4 (1981)
- 32-bits long - 4 dot-separated decimal numbers between 0 and 255 like 10.0.0.1
- bytes 1-3 identify the Autonomous System (AS) of the ISP
- Remaining bytes identify the host
- All IP addresses on the same network must be unique
- All addresses are assigned and coordinated globally by Internet Assigned Numbers Authority
- Special address blocks for private networks (192. 10. 169.)
- Limits the number of addresses to 2^32 IP addresses - 4.29 billion
- All IPv4 address blocks have all been allocated
IPv6 (2017)
- 128-bits long as 3ffe:1900:4545:3200:f8ff:fe21:67cf:13de
- There are 2^128 Internet addresses (340,282,366,920,938,000,000,000,000,000,000,000,000) or enough that every molecule in the known universe can have its own address.
User Datagram Protocol (UDP)
- connectionless datagram delivery service
- Does not guarantee delivery
- reduced overhead allows for streaming or interactive applications like Netflix or FaceTine
Transmission Control Protocol (TCP)
- TCP is a connection-oriented datagram delivery service
- Guarantees error-free delivery
- preferred by network applications that require this feature like email
- When a TCP based application (email) wishes to communicate it evokes the computer’s TCP module to establish a connection to the destination (email server) initiating a virtual circuit.
- When the virtual circuit is live the TCP module handles the key functions packetization and error control
Ports
- Network applications flow data in/out of ports dedicated to that service.
- Servers and client applications waits and listens for its port.
- Most port numbers are dedicated to specific applications. like 80 for web services
- There are 65,535 ports each for TCP and UDP modules
Network Configuration Commands
- Network configuration
$ ifconfig
- For just one interface
$ ifconfig en0
- List Open Files
$ lsof -Pn -i4
- Connection speed test
- Internet route to server
$ traceroute google.com
- Domain host information
$ whois google.com
PUBLIC WIFI HYGIENE
- The digital economy continues to drive everywhere demand for WiFi access
- Users demand convenience features that automatically connect them to these networks using stored passwords
- Among these requirements lurks serious personal security threats
- Basic awareness of the hazards and vigilance are all required to avoid entanglements.
The Essentials
- Beware of unknown networks completely open not requiring assigned usernames/passwords.
-
Anonymous or lightweight authentication like supplying just and email means sinister actors could be present
- Trusted or closed networks restrict access to only known users with individualized credentials.
-
When only user credentials are required, this is called single-factor authentication.
- Just because a network looks official asking for credentials does not guarantee it’s authentic or safe.
A Pineapple You Can Trust
- Beware of public single-factor WiFi networks.
- Access points with authentic looking sign-on screens are easy and inexpensive to duplicate.
-
These rogue devices, known as Pineapples, are named for the traditional sign of hospitality.
- They impersonate legitimate networks luring unsuspecting WiFi seekers into giving up their credentials.
-
Since most use the same username/passwords, credentials, everywhere, the bandits also get the Amazon account, the bank account, and more.
-
Often, the rogue device will pass the user onto the Internet providing the expected experience but with a man in the middle capturing every byte the user sends and receives.
- Convenience features that remember and automatically enter WiFi access single-factor credentials puts users in harm’s way without their knowledge.
-
Identity theft isn’t a good trade for convenience.
- A better way to assure security, for both parties, is an additional authentication step.
-
Multi-factor Authentication requires additional challenges beyond single-factor authentication entry.
- A common two-factor system challenges unrecognized computers to further authenticate by entering a code sent to another device like a mobile phone designated by the user
-
While the additional layer is better, if both devices are compromised, it’s useless.
- More secure - 2-Factor Authentication (2fa)
- Challenge of information known to both parties only
- A user selected image presented for verification after initial authentication is impossible for a Pineapple to know.
- Lastly, life and work styles that require frequent use of open networks should inoculate with a live virus checking application that scans network traffic real-time for sinister activity and quarantines potential damage.
Take-aways
- Use only trusted networks
- Don’t use the same credentials for anything
- Insist on multi-factor authentication
The Rest of the Story
White is the New Black
- Effective cyber security agents, whether exploiting or defending, are hackers using the same skills and tools to further their objectives
- The security industry refers to White Hats as those who work to recognize and mitigate electronic threats
-
Black Hats work to detect and exploit electronic threats for social, political or profit motivations.
- Network infiltration happens for three reasons.
- Retrieve digital assets like emails and credit card numbers;
- Deposit digital assets, like a small well-hidden program, bot, with a particular mission;
- Create mischief to cause damage or service interruption.
Distributed Denial of Service (DDOS)
- Lure unsuspecting users to download virus bots from legitimate looking websites and emails
- At a pre-set time, all devices activate and begin streaming random data to a specific site.
- Live up to their name by using many computers (distributed) to overwhelm (deny) a resource (service) to impede commerce or other activity for protest or ransom.
-
DDoS attacks have been a favorite exploit since the beginning of the Internet because the devastation leveled is significant against the simplicity of execution.
- NEW: DDoS to Bitcoin (DDoS2B), leverages an unregulated international currency for certain and untraceable ransom attacks
- Previously, Black Hats had to enter the international cat and mouse game of using PayPal to get their ransom demands.
Doesn’t Discriminate
- Attacks aren’t limited to big corporations
- Black Hats target smaller businesses by infiltrating and locking down every document it can find
- An unlock key is offered, usually a few Bitcoins (~$3,500) and up
-
No payment: A time bomb will permanently destroy all files.
- Many attacks retrieve information or press trusted devices into creating trouble.
- Nothing prevents Black Hats from depositing potentially damaging files like kiddie porn onto unsuspecting computers.
Hacking Through the Wall
- The more recognized form of security breaches popularized by Matthew Broderick in Ferris Bueller’s Day off (changing grades) and War Games (activating the game Thermonuclear War) involves gaining access to a trusted network from outside over the Internet.
- Corporate perimeters are protected by firewalls allowing only authentic and credentialed access
- The Black Hat probes the edge looking for defects to exploit allowing them to enter
- Free and sophisticated programs have been freely available on the Internet since 1995 Kali Linux
Social Engineering
- Non electronic methods can be simpler and less time-consuming
- Small hard to detect devices about the size of pack of cigarettes costing less than $35 placed inside a corporate location on the network can cause a ruckus.
- Unsophisticated social engineering gets the rogue device onto the network
- Posing as a copier serviceman entering the business on the excuse of a routine inspection
- attaches the device to the back of a copier and jack it right into LAN - few would notice it
- After running for some period, the serviceman returns and retrieves their device now full of valuable information
- The less outgoing may just have the appliance phone home the collected information at a particular time.
Getting Ready For A Much Larger Picture
- The Internet of Things (IoT) will add another 20-billion devices to the Internet by 2020 (Gartner - 2015)
- These devices will slip into beneficial and crucial parts of our lives
-
Inexpensive, low powered, single purpose and many, these devices are an ideal platform for sinister activity to infiltrate and exploit.
- A few Examples
-
A DDoS attack in October 2016 used Samsung smart refrigerators as unwitting accomplices. Thousands of refrigerators were programmed to join forces simultaneously and overwhelm key Internet address resolvers slowing down network performance for many.
-
Western Digital cloud-connected backup hard drives recently created an inadvertent attack. All their drives, upwards of 100,000, had a bad line of code. Simultaneously, they all went to work trying to connect to a mistyped web address overrunning key Internet functions in the process.
-
- As discussed, threat awareness is key to not being a mark for Black Hats. Common sense vigilance not succumbing to sketch WiFi networks or allowing convenience to outwit your identity will make you a less attractive target.
MAC Spoofing
- Hacker monitors (sniffs) network traffic identifying the MAC address of a computer with network privileges
- Most wireless systems allow some kind of MAC filtering to allow only authorized computers with specific MAC IDs to gain access and utilize the network
- Add software allowing a computer to pretend it has any MAC address and the hacker just hijacked a legitimate connection
Network injection
- Inject bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.
Caffe Latte attack
Defeats WEP. It is not necessary for the attacker to be in the area of the network using this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client. By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared key authentication and the message modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes.
802.11 Security
- Wired Equivalent Privacy (WEP) standard was the original encryption standard but due to numerous deficiencies, the Institute of Electrical and Electronics Engineers (IEEE) deprecated it in 2003.
- Wi-Fi Protected Access (WPA2) addresses WEP deficiencies using a long random passwords up to 14 random letters or 5 randomly chosen words passphrases.
- WPA Enterprise provides Remote Authentication Dial-In User Service (RADIUS) centralized Authentication, Authorization, and Accounting (AAA) based authentication using 802.1X
- WPA Personal uses a pre-shared Shared Key (PSK) to establish the security using an 8 to 63 character passphrase.
- The PSK may also be entered as a 64 character hexadecimal string
- Weak PSK passphrases can be broken using off-line dictionary attacks by capturing the messages in the four-way exchange when the client reconnects after being deauthenticated
- Wireless suites such as aircracki-g can crack weak passphrases in less than a minute.
CONFIGURING ROUTERS
Configuration
Hardware
- LAN Ethernet ports to these Fast Ethernet (10mBps/100MBps) Gigabit (1000Mbps or 1GBps) and 10G (10,000, MBPS or 10G) ports
- Upstream Internet port
Software
- Router Access Username / Password change this
- Service Set Identifier (SSID) - for the wireless network up to 32 keyboard characters
- SSID Broadcast — When wireless clients look for wireless networks to connect to, they detect the SSID broadcast by the router
- Channel Width — 40 MHz or 20MHz or 20 MHz x 2 bonded channels
- Band - more available channels and less chance of interference on the 5 GHz band
- Channel - most automatically choose the on with the least collisions and interference
- Security Mode The 5 GHz and 2.4 GHz networks can use different security options WPA (Wi-Fi Protected Access)
- DHCP (Dynamic Host Configuration Protocol)
- automatically assigns IP address to each network attached and authenticated computer or device
- Change the starting address for the DHCP server
- change the number of users (253 maximum).
- DHCP reservations assign a unique, fixed IP address to selected network devices, a good way to manage devices like printers and web cameras for consistent address access and device port forwarding.
- Distributed Domain Name Service (DDNS)
- allows remote access to a web camera, file server from the internet by configuring a domain name for your network, when the ISP changes addresses to prevent this type of access
- Sign up for DDNS service at either www.dyndns.org or www.tzo.com
- Universal Plug and Play (UPnP) allows devices connected to a network to discover each other and create working configurations without having to create configured network setup like web cameras and printers.
- Demilitarized Zone (DMZ)
- MAC filtering allows only specified MAC addresses onto the network [allow or prohibit]
- Stateful Packet Inspection Firewall blocks malicious activity like IDEnT (Port 113) scan requests used to probe for weaknesses. Web filters sift and block ActiveX, Java, or cookie setting notorious as attack planes.
- Port forwarding
- routes traffic from the internet pointing to specific port or ports onto specific local network devices
- set port forwarding for a single port, multiple ports, a range of ports e.g. BitTorrent peer-to-peer file sharing on port range 6881 to 6889
Increase Wireless Performance
- Locate router at center of desired coverage area center as high as possible
- Don’t locate new metal objects, reflective surfaces, electronics, motors, fluorescent lights, or walls
- Reduce obstructions between access point and devices
- There may be other environmental variables so experiment with placement to increase poor performance
- Network Mode—Your choice depends upon the clients that will connect to your network. If all of your devices are 802.11ac capable, you can select and 5.8gHz only upgrade devices if necessary.
PUBLIC KEYS INFRASTRUCTURE (PKI) AND ENCRYPTION
Hashing Cryptography
- Computer memory is comprised of slots known as bits. Each slot holds a 1 or 0 also known as on or off
- Eight bits strung together is known as a byte allowing for 256 (28) unique combinations used to store characters and numbers.
- Eight, 16, 32 and 64-bit computers describe the amount of bytes the architecture can process in parallel.
-
The example below is how the word blockchain is stored byte for byte
B L O C K C H A I N 01100010 01101100 01101111 01100011 01101011 01100011 0110100 01100001 01101001 01101110 - Computer search relies on hashes to organize and speed operations
- Hash Functions convert random-length computer data, such as a list of names, into fixed length strings
-
When comparing, computers can locate a match faster from data in hash tables than the random data itself.
- To find Joey’s GPA, the search term (Fatone) is hashed then compared against the pre-set hash table of students returning his record and GPA 2.11.
-
This same function can be used beyond names and search terms to hash larger blocks of information such as email messages or digital files.
- Cryptographic hash functions use number theory to scramble or encode blocks of bits locked with a key.
- Only the matching key will un-encode the block.
-
Encryption level is expressed in key-length equating to the number of random attempts necessary to stumble on a the key.
- In the case of the table above, encoding with an 8-bit key only requires 255 (28 − 1) tries to decode the entire table, hardly secure.
- Stretching the key out to 512-bits extends the tries to a number 1,340,780,793 with 154 0’s (2512-1).
- For scale, the known universe is said to contain a number of 10 with just 81 0’s (1082) atoms.
Two Keys Are Better Than One
- To transact encrypted information, a coordinated 2-key system is necessary using public and private keys.
-
The public key is distributed as a reference while the private key is used for decryption.
- A postal box is a good analogy.
- The public key corresponds to the box address where anyone can deposit a letter.
- Only the corresponding private key can open the box and get the letter.
- Another benefit of this system is digital signature confirming sender authenticity.
- Since the public and private key are created together, they can verify each other.
- Digital signatures also ensure a tamperproof letter like a wax seal on the envelope
- Public key cryptography itself can’t guarantee that the key is authentic, has not been tampered with or replaced
-
Public key infrastructure (PKI) fixes this by including a third party that creates the key pairs together providing certification.
- Elliptic Curve Digital Signature Algorithm, ECDSA
- introduces another critical dimension, assigning a value on a randomly curved plot to “sign” data so other parties can verify the authenticity of the signature without the ability to un-encode the block.
- Security Through Cryptographically Unbreakable Arithmetic Computers processes (hash) data to speed operations
- Hashing converts mixed random length data, like names or GPAs (right), into fixed length strings easily consumable by computers.
-
Adding a step, scrambling the data, while hashing adds a layer of security rendering the data unreadable without the unscrambling process (key).
- Cryptographic hash functions use number theory to hash (or sign) blocks of data with random keys of various lengths.
- The number of guesses required to stumble across the key expresses the level of key security.
Hashcash Proof of Work
- Dr. Adam Back, 1997 proposal to use distributed computing to combat denial of service (DoS) attacks and curb spam email sourced Hashcash and Proof of Work principles upon which blockchain operates and is secure in addition to being unique and sustainable.
-
First socialized in the 1990’s as a solution to the exploding problem of spam popular because there is such a barrier to sending millions of email messages per day.
- The solution is to speed bump computer data processing enough to curb the ability to carry out mass malicious acts
- For example, imposing computer cycles to create 1 second delay per email sent, for the legitimate user, would pass unnoticed.
- The speed bump severely limits spam messages sendable each day (to around 85K) or requires massive investment to get the needed daily volumes.
- Profits will never cover the extra costs.
Block Chain (Distributed Ledgers)
- Blockchain uses the hashcash proof of work concept. Mining costs of procuring, running and resourcing a node are relatively modest.
- Money is made by expending about 10 minutes worth of computing resources competing to solve (chain blocks or charging transaction fees.
- The block chaining process at the same time certifies every block across all nodes and updates all wallets.
- Miners running these nodes (over 5,000) competing globally creates a level of diversity making cooperation impossible.
- Compromising the system requires an impossibly larger and much more coordinated mob of “dark” miners to overwhelm a system that reinvents itself every ten minutes.
Domain Name System - a “Root” of all Evils
-
The Domain Name System (DNS) is a Yellow Pages for the World Wide Web, a directory that resolves easy to use domain names (www.google.com) into the numeric computer addresses necessary to connect to a service (173.194.219.113).
- Serving millions of queries per minute, internet performance relies on the global network of DNS facilities to be easily accessible with ultra fast service. Its strength is also its weakness in a number of ways.
- DNS has become a popular exploit for those who wish to cause mischief by overwhelming them with queries slowing or denying this vital service.
- DNS can be hacked or impersonated redirecting a browser to a phony site.
- To illustrate, during a coup in July 2016 in Turkey
- Government ordered all DNS entries for Facebook, Twitter and YouTube removed
- this effectively blocked the service unless the IP addresses were known.
- Other countries and corporate networks routinely use the same process to limit access to certain websites.
Secure Sockets Layer (SSL)
- To mitigate the impersonated exploit, SSL has been available since 1995 to establish authenticity for websites.
- SSL has improved to close gaps and add features such as Transport Layer Security (TLS) encrypting the browser <> website data change.
- SSL starts with a TTP point of trust. Acting as a network notary, trust is in the form of a the Certificate Authority (CA) with two functions:
- Verify and issue digitally signed certificates only to the authentic site owners
- Embed software in browsers to recognize and authenticate their issued certificates on connected sites
- The function uses a standard called X.509 public key infrastructure (PKI) dictating how the handshake between the browser and website takes place.
- This is big business. Browsers recognize SSL certificates from over 1000 Certificate Authorities (CAs) such as RSA and GeoTrust (nee Symantec, nee Verisign, nee Equifax) in the business.
- The X.509 PKI handshake and ongoing data exchange creates vulnerabilities.
- Even CA’s have been compromised forcing 1000’s of sites to reissue SSL certificates that were silently redirecting browsers to bogus sites and other hacks.
OAUTH 2.0 (OA)
How it Works
- Ratified in October of 2012, an authorization framework governing secure permissioned data exchange.
- RFC-6749 OAuth 2.0 Authorization Framework OCT2012
- OpenID (OID) covers credential management
Convenience
- makes this function very popular
- For instance, a Google account holder uses their credentials to log into OpenTable reservation site.
- When a reservation is set, the reservation flows back to the user’s Google calendar and emails it to the rest of the party.
- The benefit to OpenTable is leveraging Google as a trusted third party and eliminating the risk of maintaining customer credentials.
- The benefit to the consumer is one set of credentials to remember and the unilateral ability to revoke or limit OpenTable functions at any time from the Google platform.
- The benefit to Google is deeper usage of their platform from enhanced applications.
Here are the steps taken to establish an OA link:
- OpenTable registers with Google to activate site to site OA functionality.
- User establishes desire to link Google and OpenTable with permitted functions
- Google distributes user specific keys to OpenTable and user for secure handshake and data transfer
- There’s no dispute that improper OA implementation is insecure and credible opinions cite that, regardless of implementation, OA has risks.
- This prompted a 71-page paper detailing over 90 risks and concerns from Deutsche Telekom, IBM, Oracle Corporation and other concerned IETF members. RFC-6819 OAuth 2.0 Threat Model and Security Considerations JAN 2013.
Vulnerabilities
- CAs have been compromised forcing 1000’s of sites to reissue certificates that were silently redirecting browsers to rogue sites and other hacks like these:
- Heartbleed exploits a bug in the TLS OpenSSL library (in use on 17% of all secured websites) using a feature called heartbeat, a signal exchanged to prevent idle sessions from needing to renegotiate a secure handshake. The bug allowed hackers to retrieve unauthorized bits of memory from the target server. It was so pervasive it got its own logo.
- POODLE, a Man-in-the-middle (MITM) attack, exploits a feature of TLS that gracefully downgrades the session to an earlier version of SSL to allow out-of-date browsers to continue to use the site (got to keep ringing the cash register). Hackers positioned between the browser and website took over the sessions during the fallback handshake.
- RFC 7457 Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS) (2015) details a full list of vulnerabilities.
- This transactional vulnerability is compounded with the exposure of a single point of trust, the CA.
-
The CA may be trustworthy but placing all trust in a single, third party entity is risky as they can be breached, spoofed or otherwise compromised.
- The problem is too large for browser side vigilance.
- The industry was informed and a patch for Heartbleed was issued on April 7, 2014.
-
Six weeks later, 800,000 servers (about 8%) were still not patched.
- There are solutions but they rely on establishing verified relationships with every device and application.
- PKI keys are created for each device and application creating formal 1:1 relationships.
- The CA provides the key generation and protocol so the devices can communicate with each other.
- While highly secure, this just doesn’t scale beyond tightly controlled ecosystems such as an enterprise where every device and user identity can be authenticated and managed.
- Therefore, identity based on trusted third parties is scalable but has unacceptable vulnerabilities only addressable with impractical 1:1 unique key exchanges.
Best Practices
For Users
- Verify site secure by the address starting with HTTPS and indicated in browser by key or lock icons
- Use free browser and site check tools from Semantic and Qualys SSL Labs
For Providers
- Private information including resources, credentials, authorization codes, access and refresh tokens transmit across encrypted TLS tunnels.
- Load balancing servers terminates the tunnel short of the resource server leaving a vulnerable gap. IETF draft OAuth 2.0 Security: Going Beyond Bearer Tokens recommends app-to-app encryption
- Use latest TLS and cipher suites as recommended by NIST FIPS SP 140-2, Annex A
- Use only the RFC 6749 Authorization Code Grant Model (sec 4.1)
- enable authentication direct to authorization server eliminating shared client credentials
- authorization server transmits access token direct to client removing browser from exposure
- *support direct application access and refresh token exchange
- Use signed JSON Web Tokens for authorization and authentication requests [RFC7523](https://tools.ietf.org/html/rfc7523
- Limit access token time-to-live and number of access token requests reducing brute force attacks
- Use signed JSON Web Tokens for authorization and authentication requests