firewall-wizards@listserv.icsalabs.com
Today's Topics:
1. Re: SCADA (Anton Chuvakin)
2. Re: SCADA (Brian Loe)
3. Re: SCADA (Marcus J. Ranum)
4. Re: SCADA (Steven M. Bellovin)
5. Re: SCADA (Marcus J. Ranum)
6. Re: SCADA (Bertolett, Richard)
7. Re: SCADA (Sam Golden)
8. Who stay focused? (was: [Fwd: Question]) (Jean-Denis Gorin)
----------------------------------------------------------------------
Message: 1
Date: Tue, 14 Apr 2009 09:06:09 -0700
From: Anton Chuvakin <anton@chuvakin.org>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<b2591e2e0904140906v5c3a4295y1b60fafbda0dc8d7@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
> We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet.
>...
>We have some owners of these networks that would like the firewalls to be more open.
>...
> How do you answer this without just saying NO?
I refuse to believe this is not "Ranum-bait" :-)
--
Anton Chuvakin, Ph.D
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org
------------------------------
Message: 2
Date: Tue, 14 Apr 2009 11:17:47 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<3c4611bc0904140917h553c7620rb8669ed3849f7887@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas@rl.gov> wrote:
>
> We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet. Our policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our corporate network. We have some owners of these networks that would like the firewalls to be more open. Their initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve Microsoft patches and virus signatures and to do MS file sharing to our corporate network. We currently have these services (patching and virus signatures) available on the corporate network but they believe it would be easier and simpler to retrieve them separately.
>
> How do you answer this without just saying NO?
>
> Thank you,
>
> Dave
You just say no. Their MS updates aren't important. If it's truly
segregated from the corporate network, their machines do not need
antivirus. A SCADA network should not even connect to your corporate
network for ANYTHING - or vice versa. We have a data logger system
that needs to be able to talk to both networks, it's in a DMZ with TWO
firewalls between the corporate network and the control network.
Traffic is not allowed to pass between networks, ONLY to and from that
system and only on the designated ports for the data logging
application (which isn't the same on both networks).
With the latest news of China breaching our power (SCADA) networks you
would think people wouldn't be so stupid as to ask for this kind of
access!
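The two-firewall DMZ that Brian Loe describes, written up as an added policy-as-code check (this is not code from the post; the zone names, the host name "datalogger" and the two port numbers are constructed for illustration):

```python
# Added example (not from the list post): a policy-as-code model of the
# two-firewall DMZ above. Host name, zones and port numbers are constructed.
from dataclasses import dataclass

LOGGER = "datalogger"        # the only host permitted to cross either firewall
CORP_LOG_PORT = 5140         # assumed port used on the corporate side
CONTROL_LOG_PORT = 2404      # assumed port on the control side (deliberately different)

@dataclass(frozen=True)
class Flow:
    src_zone: str            # "corporate", "dmz" or "control"
    src_host: str
    dst_zone: str
    dst_host: str
    dst_port: int

def _dmz_endpoint(f: Flow) -> str:
    return f.src_host if f.src_zone == "dmz" else f.dst_host

def outer_firewall_allows(f: Flow) -> bool:
    """Corporate <-> DMZ firewall: only the logger, only the corporate-side port."""
    if {f.src_zone, f.dst_zone} != {"corporate", "dmz"}:
        return False         # this firewall sees no other zone pair
    return _dmz_endpoint(f) == LOGGER and f.dst_port == CORP_LOG_PORT

def inner_firewall_allows(f: Flow) -> bool:
    """DMZ <-> control firewall: only the logger, only the control-side port."""
    if {f.src_zone, f.dst_zone} != {"dmz", "control"}:
        return False
    return _dmz_endpoint(f) == LOGGER and f.dst_port == CONTROL_LOG_PORT

def policy_allows(f: Flow) -> bool:
    """Default deny. A permitted flow crosses exactly one firewall; a direct
    corporate <-> control flow matches neither rule set and is dropped."""
    if f.src_zone == f.dst_zone:
        return True          # intra-zone traffic never reaches a firewall
    return outer_firewall_allows(f) or inner_firewall_allows(f)

if __name__ == "__main__":
    # Constructed sample flows: the patch server reaching a PLC directly is
    # denied; the logger talking to each side on that side's port is allowed.
    for flow in (Flow("corporate", "patchsrv", "control", "plc-1", 445),
                 Flow("control", "plc-1", "dmz", LOGGER, CONTROL_LOG_PORT),
                 Flow("dmz", LOGGER, "corporate", "historian", CORP_LOG_PORT)):
        print(flow, "ALLOW" if policy_allows(flow) else "DENY")
```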
------------------------------
Message: 3
Date: Tue, 14 Apr 2009 11:08:11 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: 'Firewall Wizards Security Mailing List'
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <49E4B4EB.9000702@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Kaas, David D wrote:
> How do you answer this without just saying NO?
You might start by pointing them to all the articles
from last week, about the (insert favorite asiatic threat here)
who are all over the power grid's SCADA systems: "they did
what you want to do."
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
------------------------------
Message: 4
Date: Tue, 14 Apr 2009 12:26:18 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: anton@chuvakin.org
Message-ID: <20090414122618.27519205@cs.columbia.edu>
Content-Type: text/plain; charset=US-ASCII
On Tue, 14 Apr 2009 09:06:09 -0700
Anton Chuvakin <anton@chuvakin.org> wrote:
> > We have a few SCADA and process control networks firewalled from
> > our corporate network which is connected to the Internet.
> >...
> >We have some owners of these networks that would like the firewalls
> >to be more open. ...
> > How do you answer this without just saying NO?
>
> I refuse to believe this is not "Ranum-bait" :-)
>
See
http://voices.washingtonpost.com/securityfix/2009/04/report_china_russia_top_source.html?wprss=securityfix
on scanning for SCADA systems.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
------------------------------
Message: 5
Date: Tue, 14 Apr 2009 11:27:55 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <49E4B98B.2090907@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Brian Loe wrote:
> We have a data logger system
> that needs to be able to talk to both networks, it's in a DMZ with TWO
> firewalls between the corporate network and the control network.
BTW - I know your data logging application is not syslog, but - in
case the problem ever comes up for someone on this list, I've published
the source for "plog" on my website. It's in my code archives on:
http://www.ranum.com/security/computer_security/code/
"Plog is a promiscuous syslog listener. It sucks UDP syslog packets up
off a network, rips the message screaming and kicking out of the packet
body, and stuffs it into /dev/log. This program supports a bare minimum
of options. Be very careful you do not use plog to inject messages into
a syslog server that forwards the messages to a loghost over a network!
It will hurt! (the good news is you'll get lots of log messages..)"
Oddly, plog works faster than regular UDP syslog on some systems,
because the bpf implementations are sometimes faster than the UDP
stack.
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
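What plog does after capture, as an added Python example that is not Ranum's code: pull the syslog payload out of a raw Ethernet/IPv4/UDP frame (constructed inline here) and decode its PRI into facility and severity. It stops short of plog's bpf capture and of writing into /dev/log.

```python
# Added example (not plog itself, which is C and captures via bpf): the
# "rip the message out of the packet body" step in Python over a constructed
# Ethernet/IPv4/UDP frame, plus decoding the syslog PRI field.
from __future__ import annotations
import struct

SYSLOG_PORT = 514
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def build_frame(payload: bytes, dport: int = SYSLOG_PORT) -> bytes:
    """Constructed test frame: Ethernet II + IPv4 (no options) + UDP, checksums zeroed."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp      # MACs, EtherType IPv4

def extract_syslog(frame: bytes) -> bytes | None:
    """Return the UDP payload of a syslog datagram, or None for anything else."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ihl = (frame[14] & 0x0F) * 4                      # header length incl. options
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[14 + 9] != 17:
        return None                                   # not UDP
    udp_off = 14 + ihl
    dport, udp_len = struct.unpack("!HH", frame[udp_off + 2:udp_off + 6])
    if dport != SYSLOG_PORT:
        return None
    # bound by UDP length, IP total length and the frame, so Ethernet padding is dropped
    end = min(udp_off + udp_len, 14 + total_len, len(frame))
    return frame[udp_off + 8:end]

def decode_pri(msg: bytes) -> tuple[str, str, str]:
    """Split '<PRI>rest' into (facility, severity, rest); a missing or bad PRI
    is treated as user.notice, as syslog daemons conventionally do."""
    if msg.startswith(b"<") and b">" in msg[:5]:
        pri_txt, rest = msg[1:].split(b">", 1)
        if pri_txt.isdigit() and int(pri_txt) <= 191:
            pri = int(pri_txt)
            return FACILITIES[pri >> 3], SEVERITIES[pri & 7], rest.decode(errors="replace")
    return "user", "notice", msg.decode(errors="replace")

if __name__ == "__main__":
    body = extract_syslog(build_frame(b"<34>Apr 14 11:27:55 plc-gw su: 'su root' failed"))
    print(decode_pri(body))
```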
------------------------------
Message: 6
Date: Tue, 14 Apr 2009 12:54:06 -0500
From: "Bertolett, Richard" <Richard.Bertolett@ci.austin.tx.us>
Subject: Re: [fw-wiz] SCADA
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<A5FFDDD97FE159439232FF96C6F873FCA16952@AWMAIL.austinwater.com>
Content-Type: text/plain; charset="iso-8859-1"
While I agree that the level of access the original poster was...a bit too open, I cannot really agree with Mr. Loe's position either.
Security, particularly cyber-security, is best implemented in layers. So yes, you do need an anti-virus system, and yes, you do need to apply MS security patches, and you do need firewalls, a DMZ, and ways to keep the users from doing things on SCADA computers that they should not be doing. But easy should never be a driver in security decisions; it is much more secure to retrieve patches and virus sigs from an internal server, to say nothing of the internet connection bandwidth usage.
That said, the reality is that as reporting becomes just as mission critical as electricity or water or oil or gas delivery, unfortunately, you can't just 'sneakernet' all the reporting data. SCADA historical data in raw form is like drinking from a fire hose. So you have to distill it some way, and push it into a DMZ and then out to a database server on the business network some way, so it can be combined with other data, sliced and diced, and mushed into reports. Why couldn't the connections allowed through the firewall be outgoing only? Then you need to make sure the destination server on the business network is secure of course, but you're already doing that, yes?
There are other ways to support a SCADA network remotely other than through the internet; maybe they are as fast, maybe not. But that is a cost of basic security.
Rick Bertolett
Austin Water Utility
------------------------------
Message: 7
Date: Tue, 14 Apr 2009 14:26:44 -0400
From: Sam Golden <samsonspecial@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5b8c0a770904141126o66d64dc9o87879fc957a9e572@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
>
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.cybertrust.com [mailto:
> firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of Brian Loe
> Sent: Tuesday, April 14, 2009 11:18 AM
> To: Firewall Wizards Security Mailing List
> Cc: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] SCADA
>
> On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas@rl.gov>
> wrote:
>
> How do you answer this without just saying NO?
>
I have no idea of what the SCADA networks are to which you refer.
What I do know is that not all SCADA networks are critical infrastructure
networks that messing with would cause a "Great Blackout of 1965" or worse.
Some SCADA networks control one little machine which makes something.
Protecting the National Critical Infrastructure is different from protecting
that one little machine.
And so, one treats access to these two differently according to the risks
and benefits of the access requested.
Regards,
Sammy
------------------------------
Message: 8
Date: Tue, 14 Apr 2009 20:22:25 +0200
From: Jean-Denis Gorin <jdgorin@computer.org>
Subject: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <1239733345.49e4d46128dda@imp.free.fr>
Content-Type: text/plain; charset=ISO-8859-1
Hi Paul
> From: Paul D. Robertson
> Sent: Tuesday, April 14, 2009 5:34 PM
>
[...]
> Once again, I'd like to publicly state that if you want to see
> interesting threads on the list, you have to de-lurk and
> start some. If nothing else, it'd change the Pix/Interesting
> ratio...
So, I'll start a new one ;)
Why am I now a long-time lurker? Mainly because I have quit the infosec field!
After 10 years in the infosec field, 5 years ago I decided to quit infosec and
came back to infosys architecture, my original field.
From the early 90's to the beginning of the 00's [0], I lived through the rise of firewalls and DMZs...
and their doom: the eBusiness application model, where Internet applications were
only a front-end to the internal infosys!
In those years, I concluded that there was no way to achieve good security
awareness because people (IT people or users [1]) didn't (or didn't want to)
have a global view of IT or infosys.
And the marketing buzzwords of that time were enough to convince people to
stay single-minded (and buy a 'lucky stone' firewall to protect themselves).
So, my question is: among all of you, old-timer firewall wizards, how many stayed
focused on infosec (and have kept a global view [2] of infosys)?
For those willing to know why I'm still lurking on FW-wiz even though I have quit the field,
I'm just trying to assess how fast the IT world will collapse in case of a major
security threat... (I already know who will survive this, and how ;) ).
JDG
[0] Not Y2K compliant, so what?!?
[1] Or 'lusers' for the BOFH fans ;)
[2] Global, but not unfocused!
--
Reality is that which, when you stop believing in it, doesn't go away.
Philip K. Dick
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 36, Issue 17
************************************************