firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. [Fwd: Question] (Marcus J. Ranum)
2. OSSEC log parsing for Watchguard (Paul D. Robertson)
3. Re: [Fwd: Question] (AMuse)
4. Re: [Fwd: Question] (Chris Blask)
5. Re: [Fwd: Question] (Marcin Antkiewicz)
6. Re: [Fwd: Question] (Brian Loe)
7. Re: [Fwd: Question] (Chris Blask)
----------------------------------------------------------------------
Message: 1
Date: Wed, 08 Apr 2009 16:14:44 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: [fw-wiz] [Fwd: Question]
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49DD05B4.8050106@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
I just thought I'd send this along to the list, because it had
me laughing into my coffee. My friend Olaf is not a security
practitioner. He's not even an IT guy. He's an artist and a
professional photographer.
I just love the way that any person with a brain who
encounters this internet security stuff can immediately
cut to the core of the problem as Olaf does below:
-------- Original Message --------
Subject: Question
Date: Wed, 8 Apr 2009 08:41:39 -0400
From: Olaf S <lightdesigner@---->
Reply-To: lightdesigner@----
To: Ranum Marcus <mjr@ranum.com>
So, I'm watching a piece on the news this morning that "hackers" from
China, Russia, Korea and maybe others have got into the computers that
control the electrical grid. My question is why the fuck are these
computers connected to the internet?
Olaf S
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
------------------------------
Message: 2
Date: Wed, 8 Apr 2009 15:57:48 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: [fw-wiz] OSSEC log parsing for Watchguard
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <Pine.LNX.4.44.0904081556560.2920-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Has anyone got OSSEC parsing Watchguard logs? If so, care to share your
rules?
Thanks,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
------------------------------
Message: 3
Date: Wed, 08 Apr 2009 13:08:21 -0700
From: AMuse <amuse@foofus.com>
Subject: Re: [fw-wiz] [Fwd: Question]
To: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49DD0435.4060905@foofus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Marcus: Sadly he's exactly right in asking that! Of course the answer
is simple.. broadband over powerline. The hidden downside is the
electrical grid IS the internet! ;)
Marcus J. Ranum wrote:
> I just thought I'd send this along to the list, because it had
> me laughing into my coffee. My friend Olaf is not a security
> practitioner. He's not even an IT guy. He's an artist and a
> professional photographer.
>
> I just love the way that any person with a brain who
> encounters this internet security stuff can immediately
> cut to the core of the problem as Olaf does below:
>
> -------- Original Message --------
> Subject: Question
> Date: Wed, 8 Apr 2009 08:41:39 -0400
> From: Olaf S <lightdesigner@---->
> Reply-To: lightdesigner@----
> To: Ranum Marcus <mjr@ranum.com>
>
>
>
>
> So, I'm watching a piece on the news this morning that "hackers" from
> China, Russia, Korea and maybe others have got into the computers that
> control the electrical grid. My question is why the fuck are these
> computers connected to the internet?
>
> Olaf S
>
>
>
------------------------------
Message: 4
Date: Wed, 8 Apr 2009 13:16:21 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] [Fwd: Question]
To: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <652858.79344.qm@web33805.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii
Marcus J. Ranum <mjr@ranum.com> wrote:
.d.
> I just love the way that any person with a brain who
> encounters this internet security stuff can immediately
> cut to the core of the problem as Olaf does below:
A lot of it doesn't require us to actually show up and write a thesis to fix, that's for sure. But the real answer for Olaf is twofold, sure, part one is a knee-slapper but part two is a chin-scratcher:
1/ They shouldn't be but someone screwed up.
and/or
2/ If it's not a screwup (HMI with a live modem, etc...) then it may be that the control system network is connected to the corporate network, and that one is connected to the Internet. Even where this is absolutely necessary for business purposes, and has been implemented at least reasonably well, it is at best a struggle between those who want to protect and those who want to disrupt. Frankly, many of these sites have not put enough effort into security to compensate for their business needs for external connectivity.
It's not as simple as saying "they shouldn't be connected to anything". Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable. The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.
-chris
>> From: Olaf S <lightdesigner@---->
> So, I'm watching a piece on the news this morning that "hackers" from
> China, Russia, Korea and maybe others have got into the computers that
> control the electrical grid. My question is why the fuck are these
> computers connected to the internet?
------------------------------
Message: 5
Date: Wed, 8 Apr 2009 15:16:27 -0500
From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: Re: [fw-wiz] [Fwd: Question]
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7ed5f2120904081316t2c3ca379j364e8d7e06430b07@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
> Marcus: Sadly he's exactly right in asking that! Of course the answer is
> simple.. broadband over powerline. The hidden downside is the electrical
> grid IS the internet! ;)
With the advancement of automated metering, it will be wireless too!
Tesla rejoices.
------------------------------
Message: 6
Date: Wed, 8 Apr 2009 16:48:23 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] [Fwd: Question]
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904081448x257911eeid2aaf4d63ee8ffd2@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Wed, Apr 8, 2009 at 3:16 PM, Chris Blask <chris@blask.org> wrote:
>
> A lot of it doesn't require us to actually show up and write a thesis to fix, that's for sure. But the real answer for Olaf is twofold, sure, part one is a knee-slapper but part two is a chin-scratcher:
>
> 1/ They shouldn't be but someone screwed up.
>
> and/or
>
> 2/ If it's not a screwup (HMI with a live modem, etc...) then it may be that the control system network is connected to the corporate network, and that one is connected to the Internet. Even where this is absolutely necessary for business purposes, and has been implemented at least reasonably well, it is at best a struggle between those who want to protect and those who want to disrupt. Frankly, many of these sites have not put enough effort into security to compensate for their business needs for external connectivity.
>
> It's not as simple as saying "they shouldn't be connected to anything". Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable. The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.
>
> -chris
I don't know how many of you have worked with process and control
networks, let alone SCADA networks at a power producer. I do know that
I have. In both cases there is generally only ONE need for the two
networks to ever touch physically or logically - data logging reports.
This should always be done with the data logger placed into a DMZ. The
DMZ should not allow anything from the A network into the B network or
vice versa. No connections should originate from the DMZ. This has
been done and works well. Often you don't even run anti-virus on the
process control or SCADA networks as there's VIRTUALLY no way for them
to get a virus.
Frankly, if you're told there's a business "need" for access to the
process network call BS on whoever is saying it. I've done that in my
current position three times. The plant managers just can't understand
how it can be so expensive for them to watch operations from their
homes because, "the last place I worked they just used that program
called PCAnywhere...."!!
------------------------------
Message: 7
Date: Wed, 8 Apr 2009 20:47:40 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] [Fwd: Question]
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <285902.6504.qm@web33806.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii
Brian Loe <knobdy@gmail.com> wrote:
> I don't know how many of you have worked with process and control
> networks, let alone SCADA networks at a power producer. I do know that
> I have. In both cases there is generally only ONE need for the two
> networks to ever touch physically or logically - data logging reports.
> This should always be done with the data logger placed into a DMZ. The
> DMZ should not allow anything from the A network into the B network or
> vice versa. No connections should originate from the DMZ. This has
> been done and works well. Often you don't even run anti-virus on the
> process control or SCADA networks as there's VIRTUALLY no way for them
> to get a virus.
What you are saying is that these networks *do* in fact connect to the Internet by way of the business networks...
...but that you did it intelligently.
That there's my point.
The definition of "not connected to the outside world" is either black (not/air gap/can't-get-there-from-here) or important shades of gray (like you said/PCAnywhere/HMIs with modems/...).
I had a very interesting knock-down-drag-out whiteboard argument with a control system VAR over whether the network they had installed in a sensitive context was connected to the outside world or not. His opinion - "it absolutely is not" - was eventually clarified to "ok, it certainly is, but it's not a problem because we have a PIX 515 between them". Not "A PIX configured with a DMZ to only allow the necessary and logical traffic...", just "a PIX installed".
None of this will make Olaf completely happy...
-chris
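The zoned design Brian describes in message 6 (control network A, a DMZ holding the data logger, corporate network B; nothing A-to-B or B-to-A, nothing originating in the DMZ) and Chris's distinction above between "a PIX installed" and "a PIX configured with a DMZ to only allow the necessary and logical traffic" can be turned into a mechanical check of a rule set. The Python below is an added example written for this digest, not code from any of the posters; the zone address ranges, the rule format, the three sample rule sets, the syslog port for the logger and the PCAnywhere port (TCP 5631) are constructed or assumed for illustration.

```python
"""Audit a firewall rule set against the zoned design discussed in the
thread: control network (A) <-> DMZ data logger <-> corporate network (B),
with no direct A<->B traffic and no connection originating in the DMZ.

Added example, not code from the list posts. Zone address ranges, the
rule format, the sample rule sets, the logger port and the PCAnywhere
port (TCP 5631) are constructed/assumed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed zone layout (hypothetical address ranges).
ZONES = {
    "A_control": ip_network("10.10.0.0/16"),  # process control / SCADA
    "DMZ": ip_network("10.20.0.0/24"),        # the data logger lives here
    "B_corp": ip_network("10.30.0.0/16"),     # corporate network
}
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: int        # 0 means "any port"
    action: str       # "allow" or "deny"


def zone_of(net: IPv4Network) -> str:
    """Map a rule's address object onto a zone name."""
    if net.prefixlen == 0:
        return "any"
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "other"


def violations(rules):
    """Static audit: return (rule, reason) for every allow-rule that breaks
    the A / DMZ / B design, regardless of where it sits in the rule order."""
    bad = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if "any" in (s, d):
            bad.append((r, "matches any address: firewall installed, not configured"))
        elif {s, d} == {"A_control", "B_corp"}:
            bad.append((r, "direct A<->B traffic"))
        elif s == "DMZ":
            bad.append((r, "connection originating from the DMZ"))
        elif "other" in (s, d):
            bad.append((r, "traffic to or from outside the three zones"))
    return bad


def evaluate(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """Dynamic check: first-match evaluation with an implicit final deny,
    the way a firewall treats a new connection attempt."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and r.dport in (0, dport):
            return r.action
    return "deny"


# The design from the thread: the logger in the DMZ receives from A and
# serves reports to B; everything else falls through to the implicit deny.
LOGGER = ip_network("10.20.0.10/32")
GOOD_RULES = [
    Rule(ZONES["A_control"], LOGGER, 514, "allow"),  # logs into the logger (port assumed)
    Rule(ZONES["B_corp"], LOGGER, 443, "allow"),     # reports read out of the logger
]

# The plant manager's request: corporate hosts reaching control hosts directly.
PCANYWHERE_RULES = GOOD_RULES + [
    Rule(ZONES["B_corp"], ZONES["A_control"], 5631, "allow"),
]

# "A PIX installed", not configured: a single rule that permits everything.
PIX_INSTALLED_RULES = [Rule(ANY, ANY, 0, "allow")]

if __name__ == "__main__":
    for name, rules in [("good", GOOD_RULES), ("pcanywhere", PCANYWHERE_RULES),
                        ("pix_installed", PIX_INSTALLED_RULES)]:
        print(name, [reason for _, reason in violations(rules)])
    print(evaluate(GOOD_RULES, "10.30.1.1", "10.10.5.5", 5631))
```

The static audit catches the rule that violates the design even when a later deny would never be reached, while the first-match evaluation shows what a given connection attempt would actually get; running both against the same rule set is what separates "a PIX configured with a DMZ" from "a PIX installed".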
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 36, Issue 14
************************************************