Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com
You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: stopping bots from phoning home (Paul D. Robertson)
2. Re: stopping bots from phoning home (mason@schmitt.ca)
3. Re: The home user problem returns (Mason Schmitt)
4. Re: stopping bots from phoning home (Kevin)
5. RE: Cisco Remote Access VPN Problem (Firewall-Wizards)
6. Re: The home user problem returns (Mason Schmitt)
--__--__--
Message: 1
Date: Wed, 7 Sep 2005 23:02:05 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
To: mason@schmitt.ca
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] stopping bots from phoning home
On Wed, 7 Sep 2005 mason@schmitt.ca wrote:
> It was a good suggestion then and it's a good one now, but my boss has
> said that despite the obvious technical merit, he's not going for it.
> He's concerned about an increase in support costs and negative customer
> experiences with people phoning in that forget/don't understand the
> repercussions of their choice. Or worse, leave us for the competition
It seems to me that it wouldn't be that difficult to put the opt-in's
behind a cafe-style gateway and let them click to enable when they get a
new application- we *have* to get past joe idiot having unlimited access
since they can't secure their systems.
> without even phoning us, because they decide to use some new app that they
> just downloaded and find that it doesn't work and their friend down the
> street says, well it works fine on my dsl connection!
Under what circumstances would he consider it? What sort of
support/technology would make him decide to make it better?
[snip]
>
>
> > If you can get your customers to use an IRC proxy, great- it might be sort
> > of interesting to look at doing a transparent proxy and just sending up a
> > screen that asks for a specific response prior to continuing the
> > connection- I'd be *really* interested in your results though, especially
> > with the newer IM clients that do IRC.
> >
>
> I have given this some thought and talked it over with others here and we
> think that your variation on the original idea is an improvement. Largely
> due to the fact that popular IM clients, such as Trillian, that kind of
> support IRC, wouldn't allow for authentication and some servers have a
> limit on the number of connections from a single IP. So, rather than run
> all connections through a proxy, we thought that perhaps we could just
> watch for IRC connections to be established (really easy with the
> packetshaper and doesn't require sniffing). When we see a connection
> established, have a bot kick off that logs onto the server the connection
> was made to and initiate a direct chat request to the user that just
> logged on. The bot would ask a question and if it didn't get a response,
> it would block IRC traffic for that IP and send an email to our ticket
> system so that we know who is infected.
That's a pretty neat idea- though you'll have to sniff the screen to see
who they log in as and a quick /nick race would suck- I expect that'd not
be an issue for most IRC users- though the bot connection might upset a
server owner or two (I can think of one network where it'd be seen as
hostile unless it was pre-approved.)
>
> There's probably a less convoluted way of approaching this (if you have
> one, let me know), but this is doable without having to do much
> programming.
It'd be kind of interesting to hand out DNS for irc.* addresses and NAT
that address outbound for anything other than "standard" IRC ports- those
could hit a proxy - if it's a transparent proxy you might be able to get
past the address issues- surely it'd be easier to just pre-register folks
who *know* they'll use IRC and Web-gateway anyone else if they try to get
out via IRC (if all their connections go to "You're infected unless you
really just fired up a chat client, do *splat* to get out" instead of the
Web, you're likely to have less support issues.
> The big question is, whether it's worth the effort or not. I'm not sure.
> It increases the complexity of our network while only focusing on the
> current fad in spyware/trojans/bots (what do we call these things now?) of
> using IRC. Currently there are bots (settled on bots), that once on the
> host, will talk over http, p2p, or IM in order to get their instructions.
> IRC is the current dominant method, but not the only one.
We have to solve the bot problem, this is a start...
>
> I'm more inclined to take a broader proactive approach, but could use some
> guidance concerning some of my current half thought out ideas. I'll send
> these ideas along in my next email.
>
> > You know, if we could get rid of the home user problem, all our lives
> > would get easier...
> >
>
> Then there wouldn't be an internet and that would suck. But, I know what
> you mean...
>
> > Personal firewalls that block outbound connections are a good thing- you
> > might want to see if your marketing folks can do something akin to the
> > AOL and DSL provier firewall packages- marketing always has money that
> > techs don't...
>
> Ha! You wouldn't believe the support problems that we have with people
> that choose to install firewalls that ask them to make choices. I think
> that having a firewall on the box that can see which program is trying to
> connect is great! ...if there is a person interacting with it that
> understands some basics. When the person using the computer has no idea
> what the little pop ups are talking about and doesn't really want to know,
> they just blindly click ok, because clicking ok means that they are more
> secure right? We have had plenty of support calls where the customer is
> angry that our mail server is down... when in reality, they clicked ok
> when the window asked if they wanted to block pop3...
Surely that's all fixable in a once-a-month web presentation with Q&A-
that'd probably cost less than after-the-fact support calls- if you
include post-infection costs.
It'd also potentially be good for retention- this is worth more thought.
> We do what we can to help out these people and sometimes that means having
> them bring their pc in so that we can get a look at it. Often we tell
> them that they would be better off with a common home firewall. The crazy
> thing is that I know that many of the large ISPs (not sure if I should
> name names or not) have it as part of their level1 tech support flow chart
I'm all for naming if it's done in terms that protect from malicious
lawsuits. We need to start differentiating between people adding to the
problem and people trying to solve it.
> to ask the customer to disable the firewall and leave it like that! That
> really chaps my ass. If these big ISPs weren't so careless, I wouldn't
> have so many problems... nor would the rest of the net for that matter.
> Oh well, finger pointing isn't going to get me anywhere.
>
I dunno- it might- if we can change it into a change in practices.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
--__--__--
Message: 2
Date: Wed, 7 Sep 2005 20:42:07 -0700 (PDT)
Subject: Re: [fw-wiz] stopping bots from phoning home
From: mason@schmitt.ca
To: "Kevin" <kkadow@gmail.com>
Cc: "mason@schmitt.ca" <mason@schmitt.ca>,
firewall-wizards@honor.icsalabs.com
> We take this a step further -- let all traffic that hits the blocks talk
> to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
> quarantine the source host.
Do you use bopm or something like that on your sandbox ircd?
> If enough sites start doing this, the Zombie Masters will find a
> new C&C channel for their 'bots, perhaps SSL web sites on TCP/443...
>
They already have plenty. The most disturbing of which are p2p overlay
networks that are set up just for controlling these bots, i.e. not
Gnutella, FastTrack, etc.
> I'm not sure that an explicit proxy solution will fly in a public ISP,
> customers just are not going to be comfortable with having to jump
> through hoops when they're used to just being able to click on the
> "live chat" button on their brokerage or Invader Zim webboard and go
> right into a conversation. Most of the time the user doesn't even know
> they are using IRC!
I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
Or Invader Zim webboard for that matter ;) Are you sure? Can you give me
a real example?
> I don't know that the situation can be made to suck any less for a
> public ISP. I've been in that boat, am glad to be back on dry land.
Sometimes it's horribly frustrating. Other times, I seriously enjoy the
challenge. Being a lone sysadmin at a small ISP means that I get to play
with all the toys :)
--
Mason
--__--__--
Message: 3
Date: Wed, 07 Sep 2005 21:37:47 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: David Lang <david.lang@digitalinsight.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
David Lang wrote:
> very interesting ideas, but you mail client is doing some very strange
> things to your text (one word per line is not easy to read)
>
Whoa! I've never seen that before.
I'm using thunderbird and it's the only MUA that we use at my company.
My apologies if everyone else on the list saw the same thing. It _is_
fairly difficult to read sentences with one word per line...
--
Mason
--__--__--
Message: 4
Date: Wed, 7 Sep 2005 23:43:56 -0500
From: Kevin <kkadow@gmail.com>
To: "mason@schmitt.ca" <mason@schmitt.ca>
Subject: Re: [fw-wiz] stopping bots from phoning home
Cc: firewall-wizards@honor.icsalabs.com
On 9/7/05, mason@schmitt.ca <mason@schmitt.ca> wrote:
> > We take this a step further -- let all traffic that hits the blocks talk
> > to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
> > quarantine the source host.
>
> Do you use bopm or something like that on your sandbox ircd?
We just run a very basic IRCd, modified to generate a log event for
each PRIVMSG, JOIN, NICK and other similar command issued by
any client. We can also look at the original destination IP they
addressed, and check this against a list of known C&C channels.
My customer base is very sensitive about even giving the
impression of "port scanning", so we have to learn as much as we
can from the sessions they initiate towards our infrastructure.
> > I'm not sure that an explicit proxy solution will fly in a public ISP,
> > customers just are not going to be comfortable with having to jump
> > through hoops when they're used to just being able to click on the
> > "live chat" button on their brokerage or Invader Zim webboard and go
> > right into a conversation. Most of the time the user doesn't even know
> > they are using IRC!
>
> I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
> Or Invader Zim webboard for that matter ;) Are you sure? Can you give me
> a real example?
The first "real" user who complained had clicked through from JDate,
and suddenly found himself chatting with 37 instances of SDBot...
As for Invader Zim, see http://www.badbadrubberpiggy.com/chat.php/
Kevin Kadow
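A sketch of the logging and C&C-list check Kevin describes, as an added example that is not code from the list or from Kevin's IRCd: each interesting client command becomes a log event, the original destination the client addressed is compared against a constructed C&C list, and a session is flagged if it lands on that list or JOINs a listed channel. All names (parse_irc_line, sandbox_events, KNOWN_CC, looks_like_bot_chatter), the address list and both sample sessions are constructed assumptions.

```python
"""Added example: parse IRC client commands the way a logging sandbox IRCd
might, and check the original destination against a list of known C&C
endpoints.  Not code from the list post; every name and address here is a
constructed assumption."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Commands worth a log event (the post names PRIVMSG, JOIN and NICK).
LOGGED_COMMANDS = {"NICK", "USER", "PASS", "JOIN", "PRIVMSG", "NOTICE", "MODE"}

# Constructed C&C list: (original destination IP, port) -> channel name.
# A real deployment would load this from a feed; these values are placeholders.
KNOWN_CC = {
    ("198.51.100.7", 6667): "#constructed-botnet",
}


@dataclass
class IrcEvent:
    src_ip: str
    orig_dst: Tuple[str, int]   # where the client thought it was connecting
    command: str
    params: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split one raw client line into (COMMAND, params) using RFC 1459 framing:
    optional ':prefix', space-separated middle params, and a trailing ':param'
    that may itself contain spaces."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        _, _, line = line.partition(" ")       # drop the prefix
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    params = parts[1:]
    if sep:
        params.append(trailing)
    return parts[0].upper(), params


def sandbox_events(src_ip: str, orig_dst: Tuple[str, int],
                   raw_lines: Iterable[str]) -> List[IrcEvent]:
    """Emit one log event per interesting command, as the modified IRCd would."""
    events = []
    for raw in raw_lines:
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        command, params = parsed
        if command in LOGGED_COMMANDS:
            events.append(IrcEvent(src_ip, orig_dst, command, params))
    return events


def looks_like_bot_chatter(events: List[IrcEvent]) -> bool:
    """Flag a session if the original destination is on the C&C list or the
    client JOINs a channel the list associates with a C&C server."""
    for e in events:
        if e.orig_dst in KNOWN_CC:
            return True
        if e.command == "JOIN" and e.params and e.params[0] in KNOWN_CC.values():
            return True
    return False


# Constructed session: what a bot redirected into the sandbox might send.
BOT_SESSION = [
    "NICK [00|USA|12345]",
    "USER xp 0 0 :xp",
    "JOIN #constructed-botnet secretkey",
    "PRIVMSG #constructed-botnet :.login",
    "PING :sandbox",   # not in LOGGED_COMMANDS, so no event
]

# Constructed session: a person who clicked a "live chat" link.
HUMAN_SESSION = [
    "NICK jane",
    "USER jane 0 0 :Jane",
    "JOIN #help",
    "PRIVMSG #help :hi, is anyone around?",
]

if __name__ == "__main__":
    for label, src, dst, lines in [
        ("bot", "192.0.2.10", ("198.51.100.7", 6667), BOT_SESSION),
        ("human", "192.0.2.11", ("203.0.113.5", 6667), HUMAN_SESSION),
    ]:
        evs = sandbox_events(src, dst, lines)
        for e in evs:
            print(f"{label}: {e.src_ip} -> {e.orig_dst[0]}:{e.orig_dst[1]} "
                  f"{e.command} {e.params}")
        print(f"{label}: quarantine={looks_like_bot_chatter(evs)}")
```

The destination check is what makes this passive in the sense Kevin cares about: nothing is sent towards the customer, the verdict comes only from where the client tried to go and what it said once it got there.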
--__--__--
Message: 5
From: "Firewall-Wizards" <Firewall-Wizards@govnet.gov.fj>
To: <firewall-wizards@honor.icsalabs.com>
Date: Thu, 8 Sep 2005 16:59:40 +1200
Subject: RE: [fw-wiz] Cisco Remote Access VPN Problem
Yep. Tried that before. No luck :-(
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul
Melson
Posted At: Thursday, September 08, 2005 6:22 AM
Posted To: Firewall-Wizards
Conversation: [fw-wiz] Cisco Remote Access VPN Problem
Subject: RE: [fw-wiz] Cisco Remote Access VPN Problem
Static arp entries using the arp command won't help. Enabling proxy-arp
on FE0/1 might.
PaulM
-----Original Message-----
Subject: [fw-wiz] Cisco Remote Access VPN Problem
Hi Folks
I can get the tunnel successfully established, the client successfully
authenticated with RADIUS, SAs formed and virtual IPs (from the DMZ)
assigned to the remote VPN client. There are static routes present on the
2600 to route internal network traffic to the DMZ gateway (i.e. fw) which
subsequently has rules to route this VPN traffic inside the internal
network.
..
As a workaround, I tried putting in some static arp entries on the fw,
for these virtual IPs to point to the physical DMZ interface of the VPN
device. The ensuing result was that return traffic made its way back to
the VPN device, but then couldn't get to the actual VPN client :-(
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--__--__--
Message: 6
Date: Thu, 08 Sep 2005 00:13:28 -0700
From: Mason Schmitt <mason@schmitt.ca>
To: Kevin <kkadow@gmail.com>
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Kevin wrote:
>>>We take this a step further -- let all traffic that hits the blocks talk
>>>to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
>>>quarantine the source host.
>
> We just run a very basic IRCd, modified to generate a log event for
> each PRIVMSG, JOIN, NICK and other similar command issued by
> any client. We can also look at the original destination IP they
> addressed, and check this against a list of known C&C channels.
>
That's a very cool approach. I imagine that I could do that for all
outbound IRC traffic, by using a snort sig. That would be easier for me
to maintain as it would be part of a more generic tool that I would
already have in place (don't have an IDS yet, but it's on my list for
sometime in the next few months).
>>I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
>>Or Invader Zim webboard for that matter ;) Are you sure? Can you give me
>>a real example?
>
>
> The first "real" user who complained had clicked through from JDate,
> and suddenly found himself chatting with 37 instances of SDBot...
>
I imagine that SDBot wouldn't make a very good date.
> As for Invader Zim, see http://www.badbadrubberpiggy.com/chat.php/
>
Man, I thought you made that up!
Well, now that you have pointed this out, that pushes me back a step.
Perhaps I should approach this in a similar manner to the way that
SpamAssassin tackles spam. Rather than make black or white decisions
based upon a single bit of info, perhaps I should check for multiple
events and attempt to correlate them... Ugh, that sounds like a lot of
work. Maybe ossim can handle some of the event correlation for me.
Isn't that the idea behind sourcefire's 3d system? Have multiple agents
and correlate data in real time in order to block threats? I think that
multiple agent event correlation makes a ton of sense. Is anyone doing
it well (that we could afford...)?
I know that somewhere Marcus is getting ready to unfurl his IPS rant
(/me braces himself). Sorry Marcus, I honestly don't see how I can
avoid this kind of system. I actually had customers that got angry when
I tried to block spam from getting to them! They said that it was
theirs to block, not mine. We've since moved to a subscription model
for spam protection. A public ISP just cannot be run like a corporate
network, it's a totally different beast. In fact, I know a lot of
techies that would argue that ISPs should be totally transparent. In
this day and age, I consider that view to be selfish and irresponsible.
If we had a full customer base of nothing but security conscious
computer geeks, then it wouldn't be an issue, but that's not the case.
This network is full of boomers and retirees, running versions of Windows
other than XP SP2, that are paying us for access to the net and some of
them get upset when we call them up because they have a virus.
Marcus and most of the rest of you, please keep preaching solid security
principles to businesses and governments, but when it comes to the home
user, you're wasting your breath.
As with any security endeavour, a multi-faceted or "defence in depth"
solution is the best solution. When it comes to the home user, this is
equally true. Here are a few of the issues that I see and some of my
thoughts on the matter.
User education
----------------
User education still needs to happen, but this is going to be a very
slow ship to turn around, because right now, there is just too much
flashy crap distracting everyone. Home users are getting digital
cameras and colour printers then trying to hook them up; they're getting
wireless devices and struggling with those; they've heard about free
music and movies and they want a piece of that and they want to burn
them to dvds; they want to have animated smiley faces in their email and
IM conversations; they want it to be dead easy for their cell phones to
do all sorts of things and on and on and on. Those struggling with
their new wireless router have probably never heard of WEP or WPA, and
if they have, it's likely not enough to know that WEP, WEP+ and WPA are
all eminently crackable and that such a thing as war driving exists.
The average home user downloading music and movies may have heard that
it's illegal, but they don't see how it can be, because everyone is
doing it. They probably also don't know that the Britney Spears song they
just downloaded that didn't play was actually a trojan. They are
probably unaware that the free p2p app they used came with 10 pieces of
spyware that will report all sorts of interesting things to people they
have never met. What about going to a site that offers free smiley
faces? That seems innocuous doesn't it? Wrong again. Now some IE bug
has just been exploited to install more spyware.
This is all far too much for your average home user to grasp let alone
keep up with the details. I can't keep up with the details myself and I
love this stuff and do it all day everyday. The root of the home user
problem is really rampant consumerism, but fighting that battle is not
one that's going to be won by computer security people.
I think that we should start by helping people to understand that the
Internet is not some *thing* that they connect to. When they go online,
they become part of a very small world (literally - check out what small
world theory experiments have shown about the net) in which anyone
anywhere in the world, friendly or not, is able to reach their computer
in under a second. This means that the bad parts of town (any town, all
towns, all countries) are now right on your doorstep, knocking at the
doors of your bank and favourite shopping haunts and even your
government repositories of whatever information they have on you.
However, I also don't think there is reason to panic. Home users upon
hearing the preceding news, can be reassured that there are things that
they can do to protect themselves and it won't require them to learn
much about computers (a big fear for a lot of people). They can be told
that if they do the 4 steps to basic security that they have just taken
a big chunk out of the problem (firewall, antivirus....). And once you
have told them that, then you should either do it for them or have them
take it to a good tech. They can be told that a computer is like a car;
it needs regular maintenance, by a PROFESSIONAL! The current state of
computers and the security battle is too complicated for your average
home user and is getting beyond the capacity of most back yard mechanic
types too. Beyond those basic steps, it gets more difficult. Somehow
people need to learn to question. They need to start thinking about
trust and in whom they place their trust and whether that trust is
warranted. Think of p2p file sharing and clicking on links in IM from
people you have never met before.
Business and Government Education
-----------------------------------
Hopefully that's as far as home user ed needs to go right now. Now we
have business and government education to deal with. Both should be
approached in the same way that home users were approached above. Start
with some basic measures. Really, the same 4 measures apply, but just
on a larger more complicated scale and with many more possible
permutations of implementation. In addition to the fab 4, business
needs to be more familiar with the fifth Beatle - BACKUPS. As with the
home user, these basic defences start to take the edge off the problem.
In order for business to not get stupid about how they implement these
4/5 basics, they should read Marcus' "Low Carb Security" article in
LOOP. Or think of the KISS principle. Or, if you admire Einstein think
of his quote, "Things should be made as simple as possible, but not any
simpler"
Business and government also face the same issues as the home user when
it comes to questioning and trust. Think of the recent thread on this
list concerning CardSystems.
Caretakers
-------------
I don't believe in a dog-eat-dog world. I think that those that have
the means need to take care of those that don't.
To that end, it is my opinion that ISPs need to provide some solid front
line defences for their customers while not being so restrictive, or
more importantly unwilling to really listen to their users, as to limit
innovation and expression. ISPs have left their customers to the wolves
for too long and are now paying the price.
I also believe that the same applies to software houses. I know that
everyone pokes at Microsoft, but they really are a prime example of a
company that has left their users out to dry for a long time. They too
are now paying the price. They also appear to be taking positive action
so perhaps they will redeem themselves... _somewhat_
In both these cases, greed and willing ignorance have played major roles
in getting us to where we are now.
The standards groups and all interested parties need to keep working
diligently on really basic protocol issues such as SMTP.
And again, we come back to trust. Trust is poised to be a huge part of
the Internet infrastructure. We need functional, ubiquitous healthy
trust systems so that home users can have some means of making the trust
decisions they are faced with and which they are now completely
incapable of addressing adequately. Most of the trust issues that home
users face are not accessible to them anyway - again think of CardSystems.
Law Makers / Enforcers
------------------------
I may not think the world is a dog-eat-dog world, but I'm also not
stupid enough to believe that there are not scads of people out there
willing to get what they want in any way they can. This is where law
and law enforcement come into the picture. Because we are dealing with
a global communications network, our laws and policing methods need to
reflect that.
It's getting late and I'm running out of steam, so I'll leave this
stream of consciousness here, where it ground to a halt, and say good
night. If any of you have had the patience to read this far, thanks for
reading.
--
Mason
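The SpamAssassin-style correlation Mason floats above (several weak events scored and summed per host, rather than a single black-or-white trigger), as an added example that is not code from the post or from any of the tools he names. The rule names, weights, threshold, time window and sample sensor events are all constructed assumptions; the point is that one IRC connection from a person who clicked a chat link stays below the bar while corroborating signals from more than one sensor push a host over it.

```python
"""Added example: SpamAssassin-style scoring over events from several sensors,
so that one weak signal (an IRC connection from a person who clicked a chat
link) does not quarantine a host but several corroborating signals do.  Not
code from the post; the rule names, weights, threshold and sample events are
constructed assumptions."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed rules: signal name -> score.  Weights are assumptions chosen so
# that no single signal reaches the threshold on its own.
RULES: Dict[str, float] = {
    "irc_connect": 1.0,            # outbound IRC session seen by the shaper
    "irc_nonstandard_port": 1.5,   # IRC protocol on an unusual port
    "irc_join_known_cc": 4.0,      # sandbox IRCd saw a JOIN to a listed channel
    "ids_bot_signature": 3.0,      # IDS rule matched bot traffic
    "many_outbound_smtp": 2.0,     # residential host sending bulk mail
    "challenge_unanswered": 2.5,   # chat challenge to the user got no reply
}
QUARANTINE_THRESHOLD = 5.0
WINDOW_SECONDS = 3600   # only events this close to the host's latest event count

# An event is (unix timestamp, customer IP, signal name).
Event = Tuple[int, str, str]


def score_signals(signals) -> float:
    """Each distinct rule fires at most once per host, as in SpamAssassin."""
    return sum(RULES.get(s, 0.0) for s in set(signals))


def correlate(events: List[Event], threshold: float = QUARANTINE_THRESHOLD,
              window: int = WINDOW_SECONDS):
    """Group events by host, keep those inside the window ending at the host's
    most recent event, and return {host: (score, quarantine?, signals)}."""
    by_host = defaultdict(list)
    for ts, host, signal in events:
        by_host[host].append((ts, signal))
    verdicts = {}
    for host, items in by_host.items():
        latest = max(ts for ts, _ in items)
        recent = sorted({s for ts, s in items if ts >= latest - window})
        score = score_signals(recent)
        verdicts[host] = (score, score >= threshold, recent)
    return verdicts


# Constructed sensor events (timestamps in seconds).
SAMPLE_EVENTS: List[Event] = [
    (1000, "192.0.2.21", "irc_connect"),            # lone click-through to a chat site
    (1000, "192.0.2.22", "irc_connect"),
    (1005, "192.0.2.22", "irc_nonstandard_port"),
    (1010, "192.0.2.22", "irc_join_known_cc"),
    (0,    "192.0.2.23", "irc_connect"),            # stale, outside the window
    (7200, "192.0.2.23", "ids_bot_signature"),
    (7300, "192.0.2.23", "many_outbound_smtp"),
]

if __name__ == "__main__":
    for host, (score, quarantine, signals) in sorted(correlate(SAMPLE_EVENTS).items()):
        action = "quarantine + ticket" if quarantine else "watch"
        print(f"{host}: score={score:.1f} {action} {signals}")
```

The window matters as much as the weights: without it, a months-old IRC connection would keep inflating a host's score and the false-positive problem Mason describes with angry customers comes straight back.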
--__--__--
End of firewall-wizards Digest