December 24, 2005
PIX Firewall Documentation
This is a link to all PIX Firewall documentation from version 2.7 through 7.0.
December 19, 2005
Happy Holidays
If you have a moment (and are looking for a laugh) please take a look at my personal online holiday greeting to everyone in the IT business.
As the year draws to a close I have a lot to be thankful for. I find it's a good time to think about those who are less fortunate. If you can spare some money (it doesn't have to be much) these folks could sure use all of our help.
Happy holidays!
As the year draws to a close I have a lot to be thankful for. I find it's a good time to think about those who are less fortunate. If you can spare some money (it doesn't have to be much) these folks could sure use all of our help.
Happy holidays!
December 15, 2005
Common Vulnerabilities and Exposures - CVE
The list of Common Vulnerabilities and Exposures or CVE creates a list of standardized names for vulnerabilities and other information security exposures. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools. In the past if a vulnerability was discovered on one platform, say Windows and then also found in Linux it might have a different name or title while essentially being the same issue. This highlights a problem in the use of the word "vulnerability" in the security world today.
To many It professionals a "vulnerability" refers to any fact about a computer system that is a security concern in their network environment. The CVE web site cites the TCP/IP finger protocol as an example. Since the finger service reveals user information, many network operators put in place security policies that disallow finger from being run on some systems. That makes sense at the edge where finger service might be exploited, but there might be real uses for finger in other parts of the network. But because of the issue at the edge finger would be considered a "vulnerability" and described as such in that networks security policy.
Rather than referring to this as a vulnerability even though given different use cases different use cases this may not be considered to be vulnerabilities by everyone. So CVE introduces the term "exposure" to allow a service to be identified as potentially creating a security issue without necessarily being a problem.
CVE defines vulnerabilities and exposures like this:
To many It professionals a "vulnerability" refers to any fact about a computer system that is a security concern in their network environment. The CVE web site cites the TCP/IP finger protocol as an example. Since the finger service reveals user information, many network operators put in place security policies that disallow finger from being run on some systems. That makes sense at the edge where finger service might be exploited, but there might be real uses for finger in other parts of the network. But because of the issue at the edge finger would be considered a "vulnerability" and described as such in that networks security policy.
Rather than referring to this as a vulnerability even though given different use cases different use cases this may not be considered to be vulnerabilities by everyone. So CVE introduces the term "exposure" to allow a service to be identified as potentially creating a security issue without necessarily being a problem.
CVE defines vulnerabilities and exposures like this:
A universal vulnerability is a state in a computing system (or set of systems) which either:
- allows an attacker to execute commands as another user
- allows an attacker to access data that is contrary to the specified access restrictions for that data
- allows an attacker to pose as another entity
- allows an attacker to conduct a denial of service
- allows an attacker to conduct information gathering activities
- allows an attacker to hide activities
- includes a capability that behaves as expected, but can be easily compromised
- is a primary point of entry that an attacker may attempt to use to gain access to the system or data
- is considered a problem according to some reasonable security policy
December 12, 2005
Inexpensive Cisco Network Log Analysis
I saw a reference to an article titled Inexpensive Cisco Network Log Analysis by Mark Lachniet over at LinuxSecurity.com this morning. The log analysis article is well written and describes setting up Kiwi Syslog, configuring a PIX Firewall for syslog; and then configuring Sawmill log analyzer to provide reports based on the logged data.
Reading through the article the PIX configuration had one issue: the author omitted the "logging on" command that enables the logging process on the PIX.
If you are thinking of running Kiwi and the Sawmill analyzer I'd suggest starting out with a PIX Firewall that is at the same location as the syslog server. The PIX can generate quite a lot of log data and I'd suggest learning what your PIX will log given your network, users, and applications before trying to setup logging from a remote location.
Reading through the article the PIX configuration had one issue: the author omitted the "logging on" command that enables the logging process on the PIX.
If you are thinking of running Kiwi and the Sawmill analyzer I'd suggest starting out with a PIX Firewall that is at the same location as the syslog server. The PIX can generate quite a lot of log data and I'd suggest learning what your PIX will log given your network, users, and applications before trying to setup logging from a remote location.
December 01, 2005
How to configure your PIX Firewall for SSH
This (or click on the title above) is a paper I wrote on how to configure the PIX for SSH. It's really very easy to do.
What Model & Version of Linksys Hardware?
If you are trying to upgrade the firmware on your Linksys router and you are not sure which version of the hardware you have make sure to look at the label on the bottom of the router. The version number of the router is right next to the model number.
November 30, 2005
Good Disclosure...
I think that Konstantin Gavrilenko from Arhont Ltd.- Information Security did an outstanding job of documenting a Cisco PIX TCP Connection Prevention vulnerability. Cisco's response to this vulnerability announcement is here. He has documented what could be termed a resource attack on the PIX; forcing the Firewall to expend unnecessary resources reacting to a scripted packet. This attack could potentially slow user connections through the Firewall and in the extreme worst case possibly cause the Firewall to reload but does not expose the protected network. Gavrilenko has done an excellent job of communicating this issue that his work uncovered. I think even novice PIX Admins will be able to understand his findings.
I'd strongly suggest that all PIX Admins read the report and also go over the Cisco response. This is the first response that I've seen since PIX OS v7 came out. Cisco PSIRT present work arounds for both the v6.x and v7.x PIX operating systems. The vulnerability can best be exploited by an attacker on a inside interface.
One caution after reading the Cisco response; the first work around suggests that issuing a "clear xlate" or "clear local-host" will allow the PIX to pass connections again. I hope that most PIX Admins will appreciate that "clear xlate" will affect all connections going through the PIX were "clear local-host ..." only clears a single connection. Admins should use the "clear xlate" with caution on production networks.
I'd strongly suggest that all PIX Admins read the report and also go over the Cisco response. This is the first response that I've seen since PIX OS v7 came out. Cisco PSIRT present work arounds for both the v6.x and v7.x PIX operating systems. The vulnerability can best be exploited by an attacker on a inside interface.
One caution after reading the Cisco response; the first work around suggests that issuing a "clear xlate" or "clear local-host
November 22, 2005
Updated SANS top Twenty Vulnerabilities
The folks over at SANS.org released version 6 of their Top Twenty List of Critical Security Vulnerabilities today. When SANS started publishing their lists I always advised security analysts and in particular Firewall admins to strongly consider these vulnerabilities when creating and maintaining Firewall rules. Some time back the folks that compile the list started breaking out Windows vulnerabilities from others. Something that is new to the list this year is that the SANS team has further structured the list so as to look at Windows, networking, and cross platform ( or web application) vulnerabilities.
November 18, 2005
Black Hat no more?
I don't know if anyone saw this coming; Black Hat was acquired by CMP Media for about $10 million dollars. I know that when you look at the web site Black Hat lists consulting services available but I had never actually read anything about work they might have done. The Black Hat conference is the premiere annual security event. I think everyone is asking the question will Black Hat be able to maintain it's edge as part of a much larger (and seemingly much more conservative) media company? What's next, Ozzie Osbourne's music library being acquired by the Osmonds?
October 31, 2005
Linksys Default Number of IP Addresses
When setting up a Linksys router; and by that I mean any Linksys router you may notice that by default the setup program turns on DHCP and allows the DHCP server to allocate up to 253 IP addresses. For many folks this number should be in the range of 1 to 3. I have 8 PCs, two network printers, two wireless access points, and a network storage device and I manage to use only 8 IP addresses (OK, some of those devices are behind another Firewall and others are behind a VPN router). Things to think about here are if you have any non PC type devices that might attach to the Linksys. For example I have the family Tivo box set up with a wireless network interface and that uses an address. IP phones might also fall into this category.
October 02, 2005
About Resetting that Linksys Router
If you find that you have to reset your Linksys router on a weekly basis you really need to check to make sure that it is running the latest firmware.
Using your web browser enter "www.linksys.com". (Note to Linksys) Be patient as sometimes this page takes up to a minute to load even on the fastest broadband connections. Look under the "Support" drop menu and select "Downloads". There you will find a drop down menu were you select the type of Linksys router you have and then click on "View Downloads". Once completed you'll be looking at the support page for your model of router. Select "Firmware" to view the specific firmware files that are available. If there is a version of firmware that is more recent than that running on your router, select and download it. Be careful as sometimes the different options on these pages look like different versions of firmware (each says "Download Firmware" below the item). I noticed for my router that the 3 files were #1 - the firmware, #2 - a firmware install utility, and #3 - the release notes for that version of firmware.
You can install the firmware on your router from a PC that is connected to the Linksys device. If you use the install utility from the Linksys website you can push the new firmware onto the device. You can also use the "Firmware Upgrade" choice off of the Linksys Administration menu to pull the new firmware file from that same connected PC.
Using your web browser enter "www.linksys.com". (Note to Linksys) Be patient as sometimes this page takes up to a minute to load even on the fastest broadband connections. Look under the "Support" drop menu and select "Downloads". There you will find a drop down menu were you select the type of Linksys router you have and then click on "View Downloads". Once completed you'll be looking at the support page for your model of router. Select "Firmware" to view the specific firmware files that are available. If there is a version of firmware that is more recent than that running on your router, select and download it. Be careful as sometimes the different options on these pages look like different versions of firmware (each says "Download Firmware" below the item). I noticed for my router that the 3 files were #1 - the firmware, #2 - a firmware install utility, and #3 - the release notes for that version of firmware.
You can install the firmware on your router from a PC that is connected to the Linksys device. If you use the install utility from the Linksys website you can push the new firmware onto the device. You can also use the "Firmware Upgrade" choice off of the Linksys Administration menu to pull the new firmware file from that same connected PC.
September 28, 2005
How to Reset a Linksys Router
If you ever find yourself locked out of your Linksys router don't worry. Resetting a Linksys router back to it's default factory configuration is easy.
#1 - Prepare for the reset by removing any Ethernet connections attached to the router.
#2 - Locate the reset button on the back of the router. If you press and release the reset button the router restarts.
#3 - Press and hold the reset button while you count to 10. At "10" continue pressing the switch and turn off the power to the router (turn off the switch or pull the power plug). Count to 10 again. Turn the power back on. When any of the LEDs (lights) on the front of the router turn on (the power LED should turn on first) then let go of the reset button.
#4 - Connect one PC back to the Linksys router via the Ethernet. This PC should be set up to acquire an IP address via DHCP. After connecting the PC it should have an IP address with 30 seconds. You can check to see if the PC has an IP address using the command "IPCONFIG" at a DOS prompt. By default the Linksys will set it's IP address to 192.168.1.1. You can verify this by typing "IPCONFIG" and looking at the IP address of the default gateway (it should be 192.168.1.1).
#5 - Open a browser and enter the URL "http://192.168.1.1" (without the quotes). If asked for a username leave that field blank. If asked for a password enter "admin".
# 6 - The first thing you should do is to change the default password on the Linksys router. The next thing is write the new password down. If you've lost or forgotten the password for your router let me suggest taping the new password to the bottom of the unit. This is not the most secure means of recording this information; but if your router is locked inside your house you have already removed much of the associated risk.
#7 - The next thing you should do is check the Linksys web site to find out if you are running the latest version of Linksys firmware.
#1 - Prepare for the reset by removing any Ethernet connections attached to the router.
#2 - Locate the reset button on the back of the router. If you press and release the reset button the router restarts.
#3 - Press and hold the reset button while you count to 10. At "10" continue pressing the switch and turn off the power to the router (turn off the switch or pull the power plug). Count to 10 again. Turn the power back on. When any of the LEDs (lights) on the front of the router turn on (the power LED should turn on first) then let go of the reset button.
#4 - Connect one PC back to the Linksys router via the Ethernet. This PC should be set up to acquire an IP address via DHCP. After connecting the PC it should have an IP address with 30 seconds. You can check to see if the PC has an IP address using the command "IPCONFIG" at a DOS prompt. By default the Linksys will set it's IP address to 192.168.1.1. You can verify this by typing "IPCONFIG" and looking at the IP address of the default gateway (it should be 192.168.1.1).
#5 - Open a browser and enter the URL "http://192.168.1.1" (without the quotes). If asked for a username leave that field blank. If asked for a password enter "admin".
# 6 - The first thing you should do is to change the default password on the Linksys router. The next thing is write the new password down. If you've lost or forgotten the password for your router let me suggest taping the new password to the bottom of the unit. This is not the most secure means of recording this information; but if your router is locked inside your house you have already removed much of the associated risk.
#7 - The next thing you should do is check the Linksys web site to find out if you are running the latest version of Linksys firmware.
Subscribe to:
Posts (Atom)