I saw this interesting post this moring (courtesy of digg). It seems that a group (the majority of) Canadian ISPs have agreed to implement a "Clean Feed" type content filtering solution that would inspect and filter traffic coming to and from their customers. The objective of the Canadian project seems to to be completely legit; in that these ISPs are tyring to protect their customers from content that the government would otherwise find illegal. The target here as I read it is to filter kiddie porn and otehr such badness.
Things to look at to learn more about Clean Feeds include cybertip.ca , the Internet Watch Foundation in the UK, and the Censorware Project.
Technical note: This content filtering technology used to be something that could be enabled on a Firewall. I recently learned that security feature images on some routers now (or soon will) have similar capabilities.
"On the Firewall" is a online journal on the subject of network Firewalls and all things Internet security.
November 25, 2006
November 10, 2006
I'm Down
It has been and will be quiet here for a little while while my body undergoes some surgically assisted repairs.
September 28, 2006
modsecurity & Web Application Firewalls
Browsing the security news the other day I noticed that Thinking Stone, the commercial company behind the other wise open source web application Firewall modsecurity has been acquired (by Breach Security) .
If I got it right this guy (Ivan Ristic) has created just about the perfect answer to the "how do I defend my web servers" problem. modescurity is a "intrusion detection and prevention" system for web apps that can easily be deployed (with it's own Apache server).
He also has a great answer to yet another problem; how do I check what's going on in an SSL tunnel?. Given that modsecurity deploys on Apache the external clients SSL sessions terminate on the modsecurity box. Very neat.
I think the only objection one could throw in front of modsecurity is the inevitable "does it scale"? It looks like it has a nice GUI and the web site shows some good reports. Seems like if you deploy this and run into a performance barrier you would need to add additional modsecurity servers; scaling them like additional web servers. It would be interesting to figure out if the management and reporting scales?
If I got it right this guy (Ivan Ristic) has created just about the perfect answer to the "how do I defend my web servers" problem. modescurity is a "intrusion detection and prevention" system for web apps that can easily be deployed (with it's own Apache server).
He also has a great answer to yet another problem; how do I check what's going on in an SSL tunnel?. Given that modsecurity deploys on Apache the external clients SSL sessions terminate on the modsecurity box. Very neat.
I think the only objection one could throw in front of modsecurity is the inevitable "does it scale"? It looks like it has a nice GUI and the web site shows some good reports. Seems like if you deploy this and run into a performance barrier you would need to add additional modsecurity servers; scaling them like additional web servers. It would be interesting to figure out if the management and reporting scales?
August 27, 2006
PIX unintentional Password Mod Vulnerability
Earlier this week Cisco posted a security advisory regarding a vulnerability in the PIX Firewall. The short of it is that if you store passwords locally and change the configuration there is a chance that the passwords will not be written to flash memory correctly. The outcome is that you will be locked out of your PIX.
The vulnerability affects all PIX running version v7 code [up to and including v7.0(5) and v7.1 up to and including v7.1(2.4)]. If you are running v6 PIX OS you are fine. If you are running an ASA appliance you are running v7 code. This also impacts the v3.1(x or any) train of the Firewall Service Module. If you are using RADIUS or TACACS+ and have configured your PIX for remote authentication (usernames and passwords are defined on the AAA or ACS server) it looks like you are OK also.
The data affected is the passwords stored by either the passwd, username, or enable password commands. This data can be corrupted during a crash or if two users are trying to change the configuration using any management console (CLI, ADSM, PDM) at the same time. The trigger is when you save the password (write memory or equivalent). Apparently this bug writes some other, non random value into flash memory.
So if you were already really smart and using RADIUS or TACACS+ and an ACS server you are OK. Otherwise you may need plan for some network down time and to re-read those the PIX password recovery procedure.
My take on this is that there is very little room for an attacker to exploit this vulnerability. This is the type of problem that causes the Firewall Admin to hurt themselves by corrupting the locally stored password through normal use or maintenance.
The vulnerability affects all PIX running version v7 code [up to and including v7.0(5) and v7.1 up to and including v7.1(2.4)]. If you are running v6 PIX OS you are fine. If you are running an ASA appliance you are running v7 code. This also impacts the v3.1(x or any) train of the Firewall Service Module. If you are using RADIUS or TACACS+ and have configured your PIX for remote authentication (usernames and passwords are defined on the AAA or ACS server) it looks like you are OK also.
The data affected is the passwords stored by either the passwd, username, or enable password commands. This data can be corrupted during a crash or if two users are trying to change the configuration using any management console (CLI, ADSM, PDM) at the same time. The trigger is when you save the password (write memory or equivalent). Apparently this bug writes some other, non random value into flash memory.
So if you were already really smart and using RADIUS or TACACS+ and an ACS server you are OK. Otherwise you may need plan for some network down time and to re-read those the PIX password recovery procedure.
My take on this is that there is very little room for an attacker to exploit this vulnerability. This is the type of problem that causes the Firewall Admin to hurt themselves by corrupting the locally stored password through normal use or maintenance.
August 05, 2006
Great Port List Reference
I saw this list of TCP and UDP port numbers (from Wikipedia) up on digg this afternoon. Good stuff with good references.
July 31, 2006
The Surf At Work Page...
Just when I was starting to think that there was nothing good on digg anymore I came across this post about "How to Bypass Firewall Restrictions A.K.A. The Surf At Work Page". This is great stuff. The point of this paper is to explain the use of encrypted tunneling as a means of getting through a Firewall or filtered environment. The paper was originally written in 2002 and last updated in March of 2006 but the principles[ that are put forward here are all correct all still work. All Firewall Admins should read this paper. This is the type of stuff that can get through your Firewalls and filters.
July 04, 2006
Breaking the Great Firewall of China?
CNet dot com reports that a group of computer experts have broken the Firewalls used by the Chinese government to restrict IP traffic going in and out of the country. Interestingly enough the attack is launched from the outside. To their additional credit the team from the University of Cambridge reported their findings to the Chinese Computer Emergency Response Team.
May 10, 2006
Good article on FTester
If you haven't looked at "HowtoForge" it's a neat site that's valuable to bookmark and check regularly.
There is a good article up there titled "How To Test Your Linux-Distro Firewall", that gives a brief introduction to FTester. FTest is a security policy enforcement point (think Firewall or IDS) testing tool based on a couple of Perl scripts.
Anybody out there in the world that has been working with the PIX for more than ten years will tell you that this isn't a new idea. The PIX developers originally developed tools to do this (using PIX appliances) about ten years ago. Those tools were used for testing and never left Cisco (or did they?) and were called Hoover and Hooker. Hoover was named after the vacuum company because it was a powerful packet sniffer. Hooker was a packet injector named after the then popular TV cop show character played by William Shatner (after Star Trek and before ST: The Motion Picture). Well, at least that's what we told people when they asked.
There is a good article up there titled "How To Test Your Linux-Distro Firewall", that gives a brief introduction to FTester. FTest is a security policy enforcement point (think Firewall or IDS) testing tool based on a couple of Perl scripts.
Anybody out there in the world that has been working with the PIX for more than ten years will tell you that this isn't a new idea. The PIX developers originally developed tools to do this (using PIX appliances) about ten years ago. Those tools were used for testing and never left Cisco (or did they?) and were called Hoover and Hooker. Hoover was named after the vacuum company because it was a powerful packet sniffer. Hooker was a packet injector named after the then popular TV cop show character played by William Shatner (after Star Trek and before ST: The Motion Picture). Well, at least that's what we told people when they asked.
ICE References
ICE = Interactive Connectivity Establishment
"The Interactive Connectivity Establishment (ICE) draft, developed by the IETF's MMUSIC working group, provides a framework to unify the various NAT traversal techniques. This enables SIP-based VoIP clients to successful traverse the variety of firewalls that may exist between a remote user and a network."
The above is from a good intro article that appeared in Network World magazine online.
The ICE draft is here.
The ICE wiki page from VoIP-info.org
"The Interactive Connectivity Establishment (ICE) draft, developed by the IETF's MMUSIC working group, provides a framework to unify the various NAT traversal techniques. This enables SIP-based VoIP clients to successful traverse the variety of firewalls that may exist between a remote user and a network."
The above is from a good intro article that appeared in Network World magazine online.
The ICE draft is here.
The ICE wiki page from VoIP-info.org
May 08, 2006
MS Vista to shrink need for Personal Firewalls and Host Intrusion Prevention?
ZDNet has an article on a new Yankee Group report out today that says Microsoft's new Vista operating system will have improved security capabilities and "significantly shrink" the market for add-on anti spyware and personal firewall software. "Yankee Group expects Vista to significantly shrink the aftermarket for antispyware and desktop firewalls," analyst Andrew Jaquith wrote in the report. I saw Jaquith present at this spring's RSA conference in San Jose, CA and I think he is one of the better analysts covering the computer and network security industry right now.
May 05, 2006
BlogThis! Firefox extension seems broken...
I don't know if anyone else is seeing this but the BlogThis! extension that I frequently use with Firefox seems broken. If you use it and try to port a entry either as a draft or published to your blog you may see the word "null" in the link field. When I see that BlogThis! isn't working and there is no blog entry.
I wish I had noticed this sooner. I lost some interesting blog entries over the past couple of weeks and I think it is due to this problem.
I wish I had noticed this sooner. I lost some interesting blog entries over the past couple of weeks and I think it is due to this problem.
March 24, 2006
Cisco Keynote @ RSA: Chamber's Victory Lap | Security Incite: Analysis on Information Security
Mike Rothman wrote this article about John Chamber's Keynote @ RSA. I was there and I thought the talk was one of the best I heard or saw but let me be really clear with my disclaimer that John is my boss. Check it out.
I was going to post an post RSA article (that I am STILL working on). In short it was agood conference and show. The presentations that I thought would be valuable were not and many of the analyst's presentation that I thought would be light technically were actually good.
I was going to post an post RSA article (that I am STILL working on). In short it was agood conference and show. The presentations that I thought would be valuable were not and many of the analyst's presentation that I thought would be light technically were actually good.
March 03, 2006
Another good article on SSH
This FAQ type tutorial originally appeared up on digg and is more commercial that the previous SSH article I referenced.
February 19, 2006
Ten Things that You Can Do to Secure Your LinkSys Router
1. Change the router password.
2. Update the Linksys router firmware.
3. When using DHCP reduce the number of addresses.
4. Turn off services and pass throughs that you don't use.
5. Turn off SNMP on Linksys
6. Turn off wireless if you are not using it
7. If you are using wireless, change your SSID to some word that you and your family know.
8. If you are using wireless, use wireless security.
9. On your PC be sure to use an E-Mail scanner.
10. If you are going to be away from home for more than a few days turn off your cable modem.
#1 - No one should be using "admin" as their Linksys router password! Make sure you change it. A good practice is to write the new password on a sticky note or a label and attach it to the bottom of the Linksys device. Security purists would probably say this is a horrible idea but if a hacker is looking at your router they're in already. This way it is there if you ever forget it.
#2 - Check the Linksys website to make sure that the firmware that you are using is the latest. Many very common problems can be resolved just by updating the firmware.
#3 - By default Linksys sets the number of connections allowed on many of their devices to 50. That's usually at least 45 too many. Count the total number of devices that you own that can use the Internet connection and add either 1 or 2 to that number and use it to set the maximum connections. You want to always add one or two to let the Linksys router a little time to recycle a recently used address.
#4 - If you don't think you are using it; turn it off. Case in point would be multicast. Most folks out there shouldn't use multicast over the Internet. Turn it off.
#5 - Make sure that SNMP (Simple Network Management Protocol) is turned off.
#6 - If your Linksys router is equipped with wireless and you are not using it; turn it off.
#7 - Change your SSID. This is the "passphrase" that devices that attach to your wireless have to use. You don't want someone who can intercept your signals to be able to figure out where they are coming from based on the SSID. Don't use your family name or your street address.
#8 - If you are using wireless; use wireless security. Even though WEP can be cracked (data can be captured, analyzed, and de-coded) it is still hard enough to do that most attackers will move on to an easier target. And there is no shortage of easier targets.
#9 - Electronic mail (e-mail) has to be able to get through your Linksys device and to your computer. Make sure that you use some e-mail scanner to make sure that the e-mail messages you receive don't have viruses and worms embedded or attached. My favorite is PC-cillin from Trend Micro.
#10 - You can be sure that your home is safe from the threats of the Internet if you are not connected. If you are going to be away for a day or too use the "standby" button on your cable modem or just turn it off.
2. Update the Linksys router firmware.
3. When using DHCP reduce the number of addresses.
4. Turn off services and pass throughs that you don't use.
5. Turn off SNMP on Linksys
6. Turn off wireless if you are not using it
7. If you are using wireless, change your SSID to some word that you and your family know.
8. If you are using wireless, use wireless security.
9. On your PC be sure to use an E-Mail scanner.
10. If you are going to be away from home for more than a few days turn off your cable modem.
#1 - No one should be using "admin" as their Linksys router password! Make sure you change it. A good practice is to write the new password on a sticky note or a label and attach it to the bottom of the Linksys device. Security purists would probably say this is a horrible idea but if a hacker is looking at your router they're in already. This way it is there if you ever forget it.
#2 - Check the Linksys website to make sure that the firmware that you are using is the latest. Many very common problems can be resolved just by updating the firmware.
#3 - By default Linksys sets the number of connections allowed on many of their devices to 50. That's usually at least 45 too many. Count the total number of devices that you own that can use the Internet connection and add either 1 or 2 to that number and use it to set the maximum connections. You want to always add one or two to let the Linksys router a little time to recycle a recently used address.
#4 - If you don't think you are using it; turn it off. Case in point would be multicast. Most folks out there shouldn't use multicast over the Internet. Turn it off.
#5 - Make sure that SNMP (Simple Network Management Protocol) is turned off.
#6 - If your Linksys router is equipped with wireless and you are not using it; turn it off.
#7 - Change your SSID. This is the "passphrase" that devices that attach to your wireless have to use. You don't want someone who can intercept your signals to be able to figure out where they are coming from based on the SSID. Don't use your family name or your street address.
#8 - If you are using wireless; use wireless security. Even though WEP can be cracked (data can be captured, analyzed, and de-coded) it is still hard enough to do that most attackers will move on to an easier target. And there is no shortage of easier targets.
#9 - Electronic mail (e-mail) has to be able to get through your Linksys device and to your computer. Make sure that you use some e-mail scanner to make sure that the e-mail messages you receive don't have viruses and worms embedded or attached. My favorite is PC-cillin from Trend Micro.
#10 - You can be sure that your home is safe from the threats of the Internet if you are not connected. If you are going to be away for a day or too use the "standby" button on your cable modem or just turn it off.
February 11, 2006
Good article on getting started with SSH
Great article with notes and references on getting started with SSH by Kimmo Suominen. He's writing for people that using Linux but explains some of the technology behind SSH making it easier to understand. For more information about SSH see the FAQ. He also covers SCP for file transfers (and mentions my favorite WinSCP)
January 11, 2006
Running someone else's firmware on your Linksys Router?
In case you didn't know you can run firmware developers by folk's other than Linksys on a Linksys router. Why? The best answer to this question is that these other developers are adding features that Linksys just doesn't have in their firmware. Like what? Most often it's support for advanced crypto (AES cypher) or routing (protocols other than RIP). Here's a link to an article by Eric at Roachfiend that goes into more detail about why.
Who should be thinking about this? From what I've seen this is something that just a handful of Linksys users might even consider and still fewer should do. If the feature that you want isn't in a Linksys router it is probably because it doesn't belong there. Case in point AES. Using AES to encrypt data over the wire is great and much more secure than DES or 3DES. The problem is that it's computationally harder and therefore to be done quickly you need a bigger, faster processor. My message is that if you want AES or advanced routing; buy a real router.
If you are still interested in doing this; more power to you. Experiment with it. My suggestion would be to make sure that you have another router of some sort to fall back on if the Linksys becomes wedged (i.e. the lights are on but it stops working) and can't be reset right away.
To learn more about the firmware choices that are out there see this article over on Linksysinfo.org.
Who should be thinking about this? From what I've seen this is something that just a handful of Linksys users might even consider and still fewer should do. If the feature that you want isn't in a Linksys router it is probably because it doesn't belong there. Case in point AES. Using AES to encrypt data over the wire is great and much more secure than DES or 3DES. The problem is that it's computationally harder and therefore to be done quickly you need a bigger, faster processor. My message is that if you want AES or advanced routing; buy a real router.
If you are still interested in doing this; more power to you. Experiment with it. My suggestion would be to make sure that you have another router of some sort to fall back on if the Linksys becomes wedged (i.e. the lights are on but it stops working) and can't be reset right away.
To learn more about the firmware choices that are out there see this article over on Linksysinfo.org.
January 02, 2006
Top 10 ways to protect DNS
Something that I think everyone using the Internet should be concerned about is protecting the Domain Name System or DNS. Without DNS this blog, Google, all my other work, and everything else would be a series of IP addresses in dotted decimal notation.
While I'm not usually a fan of thinking found on Tech Republic (I have a link to a link sometimes to yet another link to some content problem) they do justice to this topic in this article.
Here is a link to the original article where I found this over at ZDNet: Top 10 ways to protect DNS | ZDNet Government Blog | ZDNet.com.
While I'm not usually a fan of thinking found on Tech Republic (I have a link to a link sometimes to yet another link to some content problem) they do justice to this topic in this article.
Here is a link to the original article where I found this over at ZDNet: Top 10 ways to protect DNS | ZDNet Government Blog | ZDNet.com.
Subscribe to:
Posts (Atom)