
Friday, April 30, 2010

firewall-wizards Digest, Vol 48, Issue 17

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewall best practices (Marcus J. Ranum)
2. Re: Firewall best practices (Mathew Want)
3. EUSecWest Amsterdam 2010 Call For Papers (short deadline May
5 - conf June 16/17) (Dragos Ruiu)
4. Re: Firewall best practices (Bruce B. Platt)
5. Re: Looking for firewall mgmt solution (ArkanoiD)
6. Re: Firewall best practices (ArkanoiD)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Apr 2010 15:28:04 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewall best practices
To: ArkanoiD <ark@eltex.net>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <4BD88C44.50905@ranum.com>
Content-Type: text/plain; charset=KOI8-R; format=flowed

ArkanoiD wrote:
> The problem is, it doesn't necessarily need to be a root CA.

Everyone forgets that SSL was only really intended to solve a
fairly limited problem. That problem being, namely, "how can
Verisign and RSA monetize their patents on PKI?" - if you
want to understand why SSL is the way it is, you need to consider
what it was designed to do; then everything makes sense.
As I said earlier, I'm boggled that nobody has fixed it.
Consider that a measure of how much standards bodies are
really worth and how much customers care.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com

------------------------------

Message: 2
Date: Thu, 29 Apr 2010 11:37:30 +1000
From: Mathew Want <imortl1@gmail.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<q2t36fbfcc31004281837xe5586d2el998144ae236f1e89@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Cian,

I agree that it would generate a warning but the issue you then have
is users go "Huh?, what?" and click on allow anyway.

To quote a presenter at a security course I attended "If the user is
given the choice between security and seeing a dancing snowman, the
snowman wins every time!".

The "advantage" that SSL had for the general populace for nonEvil(tm)
purposes was that we could say that if the little padlock was there
when they went to their internet banking site that their data was
safe*. These new technologies, although necessary for a host of other
reasons such as data leakage, covert communications etc etc etc
unfortunately push the responsibility for the security of personal
data closer to the people that it is important to. Unfortunately they are
the least able to deal with it in general, as much as we TRY to
teach them (and I do really try). We do try to protect users from
themselves, but there is only so much we can do.

I am not saying that the MITM function is not without its merit (in
whatever form you see as the best for security) but it does then pose
other interesting positions to consider.

Just my $AU0.02 worth!

M@

* Yes I know "safe" is a relative term in this context, but you get the idea! :-)

On 28 April 2010 18:13, Cian Brennan <cian.brennan@redbrick.dcu.ie> wrote:
> On Tue, Apr 27, 2010 at 11:12:40AM -0500, Fetch, Brandon wrote:
>> Too late:
>> http://files.cloudprivacy.net/ssl-mitm.pdf
>>
>> And these devices are already in deployment...now, imagine one of these with a wildcard certificate running at a coffee house, or at the aggregation point within a provider's CO POP...
>>
> Where it would generate cert errors for every user?
>
> These only make sense where you can install the proxy's wildcard cert on all of
> the client machines. Neither coffee houses, nor ISPs can do this.
>
>> -----Original Message-----
>> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of John Morrison
>> Sent: Tuesday, April 27, 2010 5:45 AM
>> To: Firewall Wizards Security Mailing List
>> Cc: mjr@ranum.com; Firewall Wizards Security Mailing List
>> Subject: Re: [fw-wiz] Firewall best practices
>>
>> My understanding of https (and other PKI-based encryption) is that
>> only the holder of the private key can decrypt the data encrypted with
>> the other (public) key in the pair. My view is that the firewall can
>> only decrypt and inspect https traffic if it is acting as the server
>> to the external client. It can't intercept and decrypt https traffic
>> destined for another device - the real server. If it did https would
>> be worthless. Any hacker could buy such a firewall to sniff and
>> decrypt all https traffic.
>>
>> On 23 April 2010 20:18, <david@lang.hm> wrote:
>> > On Fri, 23 Apr 2010, Martin Barry wrote:
>> >
>> >> $quoted_author = "Marcus J. Ranum" ;
>> >>>
>> >>> That's why firewalls need to go back to doing what they
>> >>> originally did, and parsing/analyzing the traffic that
>> >>> flows through them, rather than "stateful packet
>> >>> inspection" (which, as far as I can tell, means that
>> >>> there's a state-table entry saying "I saw SYN!")
>> >>
>> >> Marcus, are you referring to DPI or proxies or both or something else
>> >> entirely?
>> >>
>> >>
>> >>> If the firewall doesn't understand the data it's passing,
>> >>> it's not a firewall, it's a hub.
>> >>
>> >> If an application emulates HTTPS traffic and is proxy aware, how do you
>> >> tell
>> >> the difference?
>> >
>> > There are firewalls on the market that can decrypt HTTPS traffic (and I
>> > believe be configured to block any traffic that they can't decrypt)
>> >
>> > David Lang
>> > _______________________________________________
>> > firewall-wizards mailing list
>> > firewall-wizards@listserv.icsalabs.com
>> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>> >
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
>> This message is intended only for the person(s) to which it is addressed
>> and may contain privileged, confidential and/or insider information..
>> If you have received this communication in error, please notify us
>> immediately by replying to the message and deleting it from your computer.
>> Any disclosure, copying, distribution, or the taking of any action concerning
>> the contents of this message and any attachment(s) by anyone other
>> than the named recipient(s) is strictly prohibited.
>>
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
>
> --
>
> --
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

--
"Some things are eternal by nature,
others by consequence"


------------------------------

Message: 3
Date: Thu, 29 Apr 2010 23:49:46 -0700
From: Dragos Ruiu <dr@kyx.net>
Subject: [fw-wiz] EUSecWest Amsterdam 2010 Call For Papers (short
deadline May 5 - conf June 16/17)
To: firewall-wizards@honor.icsalabs.com
Message-ID: <201004292349.46437.dr@kyx.net>
Content-Type: text/plain; charset="iso-8859-1"

EUSecWest CALL FOR PAPERS

AMSTERDAM, Nederland -- The sixth annual EUSecWest applied technical
security conference - where the eminent figures in the international
security industry will get together share best practices and technology
- will be held in downtown Amsterdam at the Melkweg Multimedia
Center near Leidseplein on June 16/17, 2010. The most significant new
discoveries about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real world security
experience will be presented in a series of informative tutorials.

The EUSecWest meeting provides international researchers a relaxed,
comfortable environment to learn from informative tutorials on key
developments in security technology, and collaborate and socialize with
their peers in one of the world's most scenic cities - a short walk
away from several large hotels and the Leidseplein entertainment and
shopping district, conveniently close to many famous museums,
convenient transport, Vondel Park, and a plenitude of restaurants and
bars.

This year the first evening party will feature a special musical guest
star. We will announce the performer(s) shortly.

The EUSecWest conference will also feature the availability of the
Security Masters Dojo expert network security sensei instructors, and
their advanced, and intermediate, hands-on training courses - featuring
small class sizes and practical application exercises to maximize
information transfer.

We would like to announce the opportunity to submit papers, and/or
lightning talk proposals for selection by the CanSecWest technical
review committee. This year we will be doing one hour talks, and some
shorter talk sessions.

Please make your paper proposal submissions before May 5th, 2010.

Some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible for
travel and accommodations for the speakers. If you have a proposal for a
tutorial session then please make your submission by mailing a plain
text version of the information along with any other supporting
material or formats to synopsis of the material and your biography,
papers and speaking background to "secwest10 [at] eusecwest.com". Only
slides will be needed for the June paper deadline, full text does not
have to be submitted - but will be accepted if available. This year we
will be opening up the presentation guidelines to include talks not in
English (particularly Chinese) which we will offer to translate for the
speaker if they are not a native English speaker.

The EUSecWest 2010 conference consists of tutorials on technical
details about current issues, innovative techniques and best practices
in the information security realm. The audiences are a multi-national
mix of professionals involved on a daily basis with security work:
security product vendors, programmers, security officers, and network
administrators. We give preference to technical details and new
education for a technical audience.

The conference itself is a single track series of presentations in a
lecture theater environment. The presentations offer speakers the
opportunity to showcase on-going research and collaborate with peers
while educating and highlighting advancements in security products and
techniques. The focus is on innovation, tutorials, and education
instead of product pitches. Some commercial content is tolerated, but
it needs to be backed up by a technical presenter - either giving a
valuable tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of origin/passport)
and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
description.
6. Reason why this material is innovative or significant or an
important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where this
material has been or will be published/submitted.

IMPORTANT: Please include the plain text version of this information in
your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to "secwest10 [at] eusecwest.com"
to be considered for placement on the speaker roster, or have your
lightning talk scheduled. If you contact anyone else at our
organization please ensure you also forward a copy of the submission
info to the submission address else it may be omitted from the review
process.

Venue

The conference will be held at the Melkweg club at Lijnbaansgracht
234a, 1017 PH Amsterdam, The Netherlands.

By foot/bicycle

The Melkweg is located practically on the Leidseplein square, behind
the Stadsschouwburg on the right. Parking places for bicycles around
Leidseplein are limited. Any bicycles not parked inside the stands will
be removed. Locker (a secure bicycle parking facility located to the
right of the Paradiso on Weteringschans) is the best place to park your
bicycle in safety. It is open 24 hours a day, 7 days a week, and only
costs 0.50 Euro per day (and also offers a tire repair service).

By public transport

Leidseplein can be reached via trams 1, 2 and 5 (about 10 minutes from
Amsterdam Central Station) and lines 6, 7 and 10 (about 7 minutes from
the metro station Weesperplein). The bus routes 170, 171, 172 and the
late-night busses 72, 73, 74 and 78 also stop at Leidseplein. For more
travel advice, please visit www.92920v.nl.

Hotel

The conference hotel block is at the NH Amsterdam Centre,
Stadhouderskade 7, 1054 ES Amsterdam, Netherlands - 020 6851351 - The
conference block rate is 130 Euro (plus tax). The number of rooms is
limited. There are three large major hotels at this location,
including the Marriott and Eden American hotel, albeit with higher
rates. There are also a number of smaller hotels and hostels near the
venue.

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Amsterdam, Netherlands, June 16/17 2010 http://eusecwest.com
Tokyo, Japan November 10/11 2010 http://pacsec.jp
Vancouver, Canada March 9-11 2011 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp


------------------------------

Message: 4
Date: Wed, 28 Apr 2010 14:17:54 -0400
From: "Bruce B. Platt" <bruce@ei3.com>
Subject: Re: [fw-wiz] Firewall best practices
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Cc: mjr@ranum.com, 'Firewall Wizards Security Mailing List'
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <002d01cae6ff$1f320060$5d960120$@com>
Content-Type: text/plain; charset="us-ascii"

lordchariot said in part:

>
>... but can you imagine
>if a nefarious CA got embedded into the browser?
>
>Meh, it actually probably wouldn't make much difference anyway. Users are
>just going to click OK anyway to bypass the warning...sigh.
>
...

Capture some packets when using IE when it finds a web site using a
certificate whose entire certification path is not included in the local
machine account's "Trusted Root Certification Authorities". What happens is
both enlightening and frightening when this occurs with the wrong
certificate.

I chose not to elaborate on the consequences. I share erik's "sigh".


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
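Cian's point above (an interception proxy only works silently where its wildcard certificate's issuing CA is installed on every client) and Bruce's point about a certification path missing from "Trusted Root Certification Authorities" come down to one check: whether the presented chain terminates in the client's own trust store. The Go program below is an added example, not code from anyone in this thread; it mints a constructed, throwaway proxy CA and wildcard leaf (no real CA or site is involved) and shows the same certificate being accepted by a client that has the CA installed and rejected with UnknownAuthorityError by one that does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mintInterceptionChain builds a throwaway self-signed "proxy CA" and a
// wildcard server cert issued by it, the shape of chain an SSL inspection
// box presents to clients. All names here are constructed for this example.
func mintInterceptionChain() (ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example Interception Proxy CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err = x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "*.example.com"},
		DNSNames:     []string{"*.example.com"}, // one cert for every site behind the proxy
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err = x509.ParseCertificate(leafDER)
	check(err)
	return ca, leaf
}

// clientAccepts returns nil when a client whose trust store is exactly roots would
// accept leaf for host without a warning, else the error the browser would surface.
func clientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	ca, leaf := mintInterceptionChain()
	unmanaged := x509.NewCertPool() // empty store, not nil (nil would mean the system roots)
	managed := x509.NewCertPool()   // proxy CA pushed to every desktop
	managed.AddCert(ca)
	fmt.Println("unmanaged client:", clientAccepts(leaf, unmanaged, "www.example.com"))
	fmt.Println("managed client:  ", clientAccepts(leaf, managed, "www.example.com"))
}
```

The managed client accepts the same leaf for any name under example.com, which is what makes a single wildcard cert sufficient for an inspection box; the bare domain example.com still fails the hostname match.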

------------------------------

Message: 5
Date: Thu, 29 Apr 2010 23:38:22 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Looking for firewall mgmt solution
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20100429193822.GA3921@eltex.net>
Content-Type: text/plain; charset=koi8-r

BTW they had their own firewall, NSM. It was quite feature rich and there
was opensource version. Is it officially dead now?

On Thu, Apr 22, 2010 at 08:26:42AM -0400, Rajeev Gupta wrote:
>
> Have you looked at solfsoft firewall manager solution? I am not sure
> after they got acquired by 'extraprotect/loglogic', what their status
> is but they had their product which could potentially meet your
> requirement.
>
> On Mon, Apr 19, 2010 at 7:13 AM, Morriss, Jason (NIH/CIT) [C]
> <[1]morrissj@mail.nih.gov> wrote:
>
> Hi there,
> I'm wondering if anyone can give me any suggestions. I'm looking
> for a solution for my organization that will allow us to manage
> multiple firewalls from multiple vendors using a single interface
> (preferably web based). I've looked at a couple of different
> products so far and all of them simply analyze a firewall's
> rulesets to help you optimize and clean up a firewall. That's fine,
> but we want this software to actually do the configuration changes
> that users input as well, similar to what OPSWARE does for routers
> and switches (OPSWARE does not work with firewalls very well).
> Thanks,
> Jason
> _______________________________________________
> firewall-wizards mailing list
> [2]firewall-wizards@listserv.icsalabs.com
> [3]https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> email protected and scanned by AdvascanTM - keeping email useful -
> www.advascan.com
>
> References
>
> 1. mailto:morrissj@mail.nih.gov
> 2. mailto:firewall-wizards@listserv.icsalabs.com
> 3. https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 6
Date: Wed, 28 Apr 2010 21:03:08 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20100428170308.GD5208@eltex.net>
Content-Type: text/plain; charset=koi8-r

...have you seen Qubes OS?

Nice thing and can be configured to do just anything.. but the problem lies
elsewhere: the percentage of people who care about security just enough
to use anything *OTHER* than Windows as their desktop OS is low enough, and
dividing that further leads us to an almost non-existent fraction. That's why I
wish some of those VMs were Windows.

On Tue, Apr 27, 2010 at 06:18:40PM -0400, Paul D. Robertson wrote:
> On Tue, 27 Apr 2010, Marcus J. Ranum wrote:
>
> > scale between "nothing at all" and "utter crap" it's the SSL
> > situation. I guess that having crypto that sucks so badly that
> > it's breakable is easier than having to actually ask the question,
>
> Oh, it's much, much worse than that- you're breaking the old red/black
> network model by allowing encrypted and unencrypted packets to/from the
> same device from different security domains without compartments. But
> more importantly all the effort of the overengineered SSLcrap is that the
> entire industry focused on the wrong end of the problem. It's not the
> server that needs the protection (not to mention that still also breaks
> the traditional crypto model- but I tried to advocate around that with a
> trusted OS, "too much work" it seems *sigh*.
> >
> > In Marcus-land the way we'd do it is have crypto that didn't
> > suck, and firewall rules that permitted outgoing crypto only
> > to (say, if online banking was an authorized activity during
> > office hours) a set of supported sites. Yeah, yeah, I know,
> > Marcus-land isn't a real place...
>
> Even with sucky crypto, the combination of allowing traffic only to
> specific sites would be a *major* improvement over the status quo. Couple
> that with only allowing trusted executables (Windows Software Restriction
> Policies are still better than 98% of what's out there) and you get to a
> pretty good place pretty quickly.
>
> In Paul-land, Marcus land would have lots more beer, and Paul would be
> allowed much more access!! ;)
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> Moderator: Firewall-Wizards mailing list
> Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> email protected and scanned by AdvascanTM - keeping email useful - www.advascan.com
>
>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 48, Issue 17
************************************************
