Thursday, April 02, 2009

firewall-wizards Digest, Vol 36, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009)
(Dragos Ruiu)
2. PCI DSS & Firewalls (Paul D. Robertson)
3. Re: PCI DSS & Firewalls (Kurt Buff)
4. SIP dictionary attacks (Paul D. Robertson)
5. Re: PCI DSS & Firewalls (Victor Williams)
6. Re: PCI DSS & Firewalls (Chris Blask)
7. Re: PCI DSS & Firewalls (Paul D. Robertson)
8. Re: PCI DSS & Firewalls (Jim Seymour)


----------------------------------------------------------------------

Message: 1
Date: Wed, 1 Apr 2009 13:31:17 -0800
From: Dragos Ruiu <dr@kyx.net>
Subject: [fw-wiz] EUSecWest 2009 CFP (May 27/28, Deadline April 7
2009)
To: firewall-wizards@honor.icsalabs.com
Message-ID: <200904011431.17796.dr@kyx.net>
Content-Type: text/plain; charset="iso-8859-1"

Call For Papers

The EUSecWest 2009 CFP is now open.

Deadline is April 7th, 2009.

EUSecWest CALL FOR PAPERS

LONDON, U.K. -- The third annual EUSecWest applied
technical security conference - where the eminent figures
in the international security industry will get together
to share best practices and technology - will be held in
downtown London at the Sound Club in Leicester Square
on May 27/28, 2009. The most significant new discoveries
about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real world
security experience will be presented in a series of
informative tutorials.

The EUSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from
informative tutorials on key developments in security
technology, and collaborate and socialize with their peers
in one of the world's most important technology
hubs and scenic cities. The timing of the conference
allows international travelers to travel to Berlin for
FX's Ph-Neutral on the weekend, and Rennes the
following week for SSTIC.

We would like to announce the opportunity to submit
papers, and/or lightning talk proposals for selection by
the EUSecWest technical review committee. This year we
will be doing one hour talks, and some shorter talk
sessions.

Please make your paper proposal submissions before
April 7th, 2009.

Some invited papers have been confirmed, but a limited
number of speaking slots are still available. The
conference is responsible for travel and accommodations for
the speaker (one speaker airfare and one room). If you
have a proposal for a tutorial session then please email
a synopsis of the material and your biography, papers
and speaking background to secwest09 [at] eusecwest.com .
Only slides will be needed for the paper deadline, full text
does not have to be submitted - but will be accepted if
available.

The EUSecWest 2009 conference consists of tutorials on
technical details about current issues, innovative
techniques and best practices in the information security
realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security
work: security product vendors, programmers, security
officers, and network administrators. We give preference
to technical details and new education for a technical
audience.

The conference itself is a single track series of
presentations in a lecture theater environment. The
presentations offer speakers the opportunity to showcase
on-going research and collaborate with peers while
educating and highlighting advancements in security
products and techniques. The focus is on innovation,
tutorials, and education instead of product pitches. Some
commercial content is tolerated, but it needs to be backed
up by a technical presenter - either giving a valuable
tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following
information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal
address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one
paragraph description.
6. Reason why this material is innovative or significant
or an important tutorial.
7. Optionally, any samples of prepared material or
outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences
where this material has been or will be
published/submitted.

Please include the plain text version of this information
in your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest09 [at]
eusecwest.com to be considered for placement on the
speaker roster, or have your lightning talk scheduled. If
you contact anyone else at our organization please ensure
you also cc the submission address with your proposal or
it may be omitted from the review process.


cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp


------------------------------

Message: 2
Date: Wed, 1 Apr 2009 20:09:40 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: [fw-wiz] PCI DSS & Firewalls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <Pine.LNX.4.44.0904012007500.4989-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Is it just me, or do the PCI DSS "standards" for firewalls look like
someone played "I have a CISSP" buzzword bingo?

Do the PCI folks _really_ think "stateful inspection" is the answer, and
isn't that a Checkpoint trademark anyway?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 3
Date: Wed, 1 Apr 2009 18:33:13 -0700
From: Kurt Buff <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a9f4a3860904011833o2b035b99j857729a7b3a23df7@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Wed, Apr 1, 2009 at 18:09, Paul D. Robertson <paul@compuwar.net> wrote:
> Is it just me, or do the PCI DSS "standards" for firewalls look like
> someone played "I have a CISSP" buzzword bingo?
>
> Do the PCI folks _really_ think "stateful inspection" is the answer, and
> isn't that a Checkpoint trademark anyway?
>
> Paul

Heh.

Can't answer any of your questions, but I'd have to say that if SI (or
SPI, as I've often seen it) is indeed a trademarked term, they haven't
defended it very well.

Kurt


------------------------------

Message: 4
Date: Wed, 1 Apr 2009 20:41:58 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: [fw-wiz] SIP dictionary attacks
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <Pine.LNX.4.44.0904012037220.4989-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Well, besides losing my voice which has given me a little time to catch up
on things, one of my problems last week was a successful dictionary attack
against a SIP extension with an eight digit password.

Obviously, I've changed the passwords and lengths, but I did want to make
sure folks knew that there were active attacks out there, and they're
obviously scanning for systems randomly, since the system in question was
only recently moved to a new IP address space. The initial scans came
from a box in China (surprise!)

Anyway, all I've found for blocking outside of static IP address ranges is
a bunch of check the logs and react stuff for Linux. I'm starting to
think IPS might actually have a use- time to Google for snort inline stuff
I suppose.

Attackers made about calls out to people telling them they owed money.
Calls were initiated from Europe, Asia and the US. Likely from
compromised hosts.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
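The "check the logs and react" approach Paul mentions, as an added example that is not from the post or the list: a threshold detector over constructed Asterisk-style SIP registration-failure lines (the post names no PBX, so the log format, IP addresses and extensions are assumptions), flagging any source that fails authentication five times within a minute and reporting how many distinct extensions it tried, which separates a dictionary scan from a user with a mistyped password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Asterisk chan_sip-style auth-failure line; the post names no PBX.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<ext>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - "
    r"(?P<reason>.*)$")

def parse_line(line, year=2009):
    """Return (timestamp, source_ip, extension, reason), or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["ext"], m["reason"]

def find_attackers(lines, threshold=5, window_s=60):
    """Flag each source IP whose failures within any window_s seconds reach
    threshold; value is (failures in that window, distinct extensions tried)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    tried = defaultdict(set)      # ip -> extensions it has attempted
    flagged = {}
    for line in lines:            # lines are assumed to be in time order
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, ext, _reason = parsed
        q = recent[ip]
        q.append(ts)
        tried[ip].add(ext)
        while (ts - q[0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = (len(q), len(tried[ip]))
    return flagged

# Constructed sample: one scanner walking extensions, one user with a typo.
SAMPLE_LOG = """\
[Apr  1 02:10:01] NOTICE[4321] chan_sip.c: Registration from '"100"<sip:100@198.51.100.20>' failed for '203.0.113.9:5060' - Wrong password
[Apr  1 02:10:02] NOTICE[4321] chan_sip.c: Registration from '"101"<sip:101@198.51.100.20>' failed for '203.0.113.9:5060' - No matching peer found
[Apr  1 02:10:02] NOTICE[4321] chan_sip.c: Registration from '"102"<sip:102@198.51.100.20>' failed for '203.0.113.9:5060' - Wrong password
[Apr  1 02:10:03] NOTICE[4321] chan_sip.c: Registration from '"103"<sip:103@198.51.100.20>' failed for '203.0.113.9:5060' - Wrong password
[Apr  1 02:10:04] NOTICE[4321] chan_sip.c: Registration from '"104"<sip:104@198.51.100.20>' failed for '203.0.113.9:5060' - Wrong password
[Apr  1 02:12:30] NOTICE[4321] chan_sip.c: Registration from '"200"<sip:200@198.51.100.20>' failed for '192.0.2.5:5060' - Wrong password
"""

if __name__ == "__main__":
    print(find_attackers(SAMPLE_LOG.splitlines()))   # {'203.0.113.9': (5, 5)}
```

The flagged dictionary is what a reaction step (a firewall drop rule with an expiry) would consume; the distinct-extension count is the signal that this is a scan rather than one user's bad credential.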

------------------------------

Message: 5
Date: Thu, 02 Apr 2009 07:25:52 -0500
From: Victor Williams <bwilliam13@windstream.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49D4AED0.70206@windstream.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Amen.

Working for a .com e-commerce company, it is the most frustrating thing
dealing with this standard. There are some specifics in some sections,
and a lot of vagueness in others...the application firewall requirement
being the one that ticks me off the most.

If you are reading PCI DSS 1.1, then yeah, "stateful inspection" was the
answer. If you're reading PCI DSS 1.2, "application firewall" is the
answer. But, they don't define what the "application firewall" is
supposed to do and what it's supposed to block/stop/log. I have demo'ed
no less than 8 "application firewalls" in the last year, with only two
of them actually logging/blocking anything bad. Additionally, there are
"application firewalls" out there that do nothing more than match IDS
signatures and block them.

PCI DSS is pretty sad. They could have taken another
already-established standard with some brains behind it and adopted it
instead...just said, you must follow "OrgA" standards for system
hardening and auditing and whatnot...called it a day.

Paul D. Robertson wrote:
> Is it just me, or do the PCI DSS "standards" for firewalls look like
> someone played "I have a CISSP" buzzword bingo?
>
> Do the PCI folks _really_ think "stateful inspection" is the answer, and
> isn't that a Checkpoint trademark anyway?
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> Moderator: Firewall-Wizards mailing list
> Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
>


------------------------------

Message: 6
Date: Thu, 2 Apr 2009 06:35:15 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <449677.11596.qm@web33807.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


> Paul D. Robertson <paul@compuwar.net>,Wednesday, April 1, 2009 9:09:40 PM

> Is it just me, or do the PCI DSS "standards" for firewalls look like

> someone played "I have a CISSP" buzzword bingo?


Nope, not just you. ;~)

The DSS (and regulatory tools in total) are not bits-und-bytes technical artifacts, they are human engineering technical artifacts. The idea being to find a way to move people in a desired direction an achievable distance. The functional DNA in PCI is not what gadgets to use how, it's "if it's done wrong there are legal ramifications at the executive level".

One of our folks did PCI for Walmart, and when the CEO sent out a note saying (sic): "Listen to this guy or you're fired" it proved that PCI worked. It reduced the prospect of spending in the future the millions of man-hours we have spent in the past arguing with people that maybe they should at least consider changing default passwords.

Now, is PCI enough (or complete)? Apparently not (go ask Heartland). But if we can get people doing the things in the DSS for starters, at least they'll be evolved beyond gills and flippers when we get there to talk about actual security.

-chris



------------------------------

Message: 7
Date: Thu, 2 Apr 2009 09:31:37 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904020922500.4989-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 2 Apr 2009, Chris Blask wrote:

> Nope, not just you. ;~)
>
> The DSS (and regulatory tools in total) are not bits-und-bytes technical
> artifacts, they are human engineering technical artifacts. The idea
> being to find a way to move people in a desired direction an achievable
> distance. The functional DNA in PCI is not what gadgets to use how,
> it's "if it's done wrong there are legal ramifications at the executive
> level".

But they fail at that level in so far as they don't help small and
mid-sized companies know what they really need to do- does a small company
with 5 servers *really* need to separate every single function onto its
own system? Does anyone actually separate DNS from Active Directory for
instance?

> One of our folks did PCI for Walmart, and when the CEO sent out a note
> saying (sic): "Listen to this guy or you're fired" it proved that PCI
> worked. It reduced the prospect of spending in the future the millions
> of man-hours we have spent in the past arguing with people that maybe
> they should at least consider changing default passwords.

But the buy in is to check the boxes so they don't get fined- and the
boxes are checkable by interpretation. Outside of a few basic
requirements, things are vague, ambiguous and not helpful at all- frankly,
it's the worst "standard" I've seen in ~25 years of computer security- and
I've rarely seen good ones.

I also agree with Marcus that it's the Pen Tester's Employment Security
Act.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 8
Date: Thu, 2 Apr 2009 11:13:00 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20090402151300.20967E15B@jimsun.linxnet.com>

I haven't read this thing, but...

"Paul D. Robertson" <paul@compuwar.net> wrote:
>
> does a small company
> with 5 servers *really* need to separate every single function onto its
> own system?
[snip]

"Small company?" *Any* company. Yeah, some operating platforms don't
handle walking and chewing gum at the same time well, but others do.
So now somebody's saying that I need to take tried-and-true solutions
that have been both economical and have worked well for years, and
increase both the cost and complexity of my network services
because...?

I've got a box here that is usually just loafing along while playing:

. Main fileserver of 1TB+ - both NFS and SMB
. Primary DNS
. LAN DHCP/BOOTP server
. Primary LDAP server
. WLAN RADIUS server
. Internal NTP server
. SQL (PostgreSQL and MySQL) servers
. Intranet (web) server
. Primary inside mailserver (incl. POP3)
. Print server
. "Root" for internal self-signed certs
. TFTP server
. Internal FTP server
. CVS server

Thing runs 24x7x52 and so far has only come down for power failures
that exceeded the UPS' capacity, patches or to occasionally haul it out
back to blow the dust out.

Like I said: I haven't read the docs to which this thread refers, but
if I'm inferring from Paul's comment correctly: This thing is
suggesting I'd have to replace this one under-loaded server with... 14
or more?!?! Good luck convincing my management of that!

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 2
***********************************************
