firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. In search of Firewalls KPIs (Marcin Antkiewicz)
2. Ruxcon 2010 Final Call For Papers (cfp@ruxcon.org.au)
3. Re: covert timing channel data (Melissa Stockman)
4. Re: covert timing channel data
(travis+ml-firewalls@subspacefield.org)
5. Re: a cutting-edge open-source network security project
(travis+ml-firewalls@subspacefield.org)
----------------------------------------------------------------------
Message: 1
Date: Thu, 19 Aug 2010 00:45:54 -0500
From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: [fw-wiz] In search of Firewalls KPIs
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<AANLkTi=9kqcY-Q1u3Odds-e7gBcuMenb--DH8+3vSe4x@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
> I am in search of the essential KPIs to be monitored for Juniper Netscreen Firewalls. After the identification of these KPIs,
> I want to go ahead for capacity planning & performance optimization of these firewalls. Any piece of advise will help!
Saumitra,
KPIs are metrics. Good metrics should be Specific, Measurable,
Actionable, Relevant, and Timely (SMART people call it).
A simple way of looking at firewall metrics is by placing them into
environmental,operational and strategic categories.
Environmental measurements deal with power/cooling consumption, rack
footprint, cabling/media, location, power sources, etc.
Operational stats deal with capacity
(disk/CPU/states/licenses/interface queues), performance
(pps/drops/sessions/logging),
errors (interface/fw denies/routing), rates of change for rule
management, traffic flows/volume, admin logins, trouble tickets.
Strategic focus on the architecture - environments/rules/objects per
firewall, count and types of environments, capacity to process
traffic and accept new rules (licenses/interfaces), amount of
troubleshooting and rework, sw/hw lifecycle information, etc.
Each of the bins may measure similar information, but the resolution
or ratios may be different. For example, from operational
point of view, I may want to know how many trouble tickets were opened
in last hour, and last 5 minutes. When working on
the strategic plan, I will look for the number of tickets following
scheduled and unscheduled changes, total ticket counts, rework,
time to resolve and no. and type of SMEs required to close tickets.
Once you have the categories full of ideas for metrics, see if they
fit the SMART mantra. For example, the temperature of 30
CPUs is not very useful. A trend is better, but still does not tell
you whether the machine is busy, or overheating. A ratio of
current temperature to baseline is better, especially if connected to
some form of load indicator. High load, cold CPU is not good.
Similarly, hot CPU on idle firewall indicates some kind of work is
being done that you may not be aware of.
Once the metrics look to be specific and actionable and..., find out
5-7 questions that people who want to know what firewalls do
really want answered. These will be simple (no. of sessions) or very
complex (soft and hard cost of rule addition in the X regulated
environment). These will be your KPIs - they are supposed to show your
progress or contribution to the company's strategic goals.
If you are faced in a much simpler case, with a few firewalls and few
environments, the same rules apply.
- measure trivial counters: CPU, memory, states, flows/bytes, denies,
loglines. Establish a baseline.
- classify objects by importance, label according to internal grouping.
- collect data from change control/ticketing system
- ask questions, see if there are numbers required to answer them.
"What is the cost of adding a new network", "at what percentage
of known max are we currently running", "what causes the largest rate
of denied connections", "how often clusters master node changes".
- translate the question in terms of the gathered data.
--
Marcin Antkiewicz
------------------------------
Message: 2
Date: Fri, 20 Aug 2010 12:13:21 +1000 (EST)
From: cfp@ruxcon.org.au
Subject: [fw-wiz] Ruxcon 2010 Final Call For Papers
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20100820021321.86DB489C2@ruxcon.org.au>
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premiere technical computer security conference within Australia. Ruxcon aspires to bring together the individual talents of the best and the brightest security folk within the Aus-Pacific region, through live presentations, activities, and demonstrations.
Ruxcon's unique approach to running a security conference ensures that the conference is accessible to all levels of the security industry. Ruxcon aims to be the most interesting, thought provoking, and relevant information security conference in Australia.
The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.
Live presentations and activities will cover a full range of defensive and offensive security topics, varying from previously unpublished research to required reading for the security community.
For more information, please visit http://www.ruxcon.org.au
Presentation Information
Presentations will be 50 minutes in length, and should be fully supplemented with slides and any other relevant material.
Presentation Submissions
Ruxcon would like to invite people who are interested to submit a presentation.
Topics of interest include, but are not limited to:
������* Mobile Device Security
������* Virtualisation, Hypervisor and Cloud Security
������* Malware Analysis
������* Reverse Engineering
������* Exploitation Techniques
������* Rootkit Development
������* Code Analysis
������* Forensics and Anti-Forensics
������* Embedded Device Security
������* Web Application Security
������* Network Traffic Analysis
������* Wireless Network Security
������* Cryptography and Cryptanalysis
������* Social Engineering
������* Law Enforcement Activities
������* Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)
Submissions should thoroughly outline your desired presentation subject. Accompanying your submission should be the slides you intend to use or a detailed paper explaining your subject.
If you have any enquiries about submissions, or would like to make a submission, please send an e-mail to
presentations@ruxcon.org.au.
The deadline for submissions is the 10th of October.
If approved we will additionally require:
����1. A brief personal biography (between 2-5 paragraphs in length).
����2. A description on your presentation (between 2-5 paragraphs in length).
Contact Details
Presentation Submissions: presentations@ruxcon.org.au
General Enquiries: ruxcon@ruxcon.org.au
------------------------------
Message: 3
Date: Fri, 20 Aug 2010 01:52:11 +0300
From: Melissa Stockman <melissa.stockman1@gmail.com>
Subject: Re: [fw-wiz] covert timing channel data
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, melissa.stockman1@gmail.com
Message-ID:
<AANLkTimY90+s_TXras-UD7Gm9QVMTmPPDgBLJbf6AiiE@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Thanks Travis but again this is not the data that I'm looking for.
The timing attacks described in your link are based on a single malicious
entity extracting data from a non compromised system by looking at timing
information.
The type of covert channel that I'm simulating has two malicious entities (a
sender and a receiver). One residing on a higher level security system and
one residing on a lower level security system. The entity on the higher
level security system (the sender) secretly exfiltrates data (such as a
file) to the lower level security system (the receiver) by signaling the
bits of the file in a morse code-like fashion with the tcp interarrival
times. In its most basic format signalling a 1 with a certain delay
threshold and a 0 otherwise.
For example, the sender could be on a secure system and could be ftp-ing a
certain uninteresting file while secretly sending another highly sensitive
file encoded in the tcp delay times which the receiver would be monitoring.
As I mentioned, I have written the code to do this but the main objective of
my research is not to create covert timing channels but rather to detect
them. I am looking for specifically others who have written tcp covert
timing channels which are impervious to detection by regular statistical
analysis (distributions, entropy, regularity, e-similarity) and who would be
willing to lend me their data.
Regards,
Melissa
On Thu, Aug 19, 2010 at 10:11 PM,
<travis+ml-firewalls@subspacefield.org<travis%2Bml-firewalls@subspacefield.org>
> wrote:
> On Sat, Jul 24, 2010 at 07:05:10PM +0300, Melissa Stockman wrote:
> > I'm doing research on covert timing channel detection [...]
> > Does anyone know where I can find such data?
>
> This is my timing side-channel link collection:
>
> http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc31.2.4
>
> I should probably break that section up into remote & local, but I'm
> already 3 levels deep :-)
>
> I'd definitely check out "remote timing attacks are practical", I think
> that one has the most information for your case.
>
> You might want to check out Bernstein's AES attacks, or a statistician,
> to characterise the distributions you're looking at.
>
> I asked on NANOG a few months ago, but didn't get any good network
> latency information.
>
> BTW, "least amount of time" isn't a good measure. It turns out that's too
> unstable... 1st to 5th percentile measurements are much more stable.
> --
> A Weapon of Mass Construction
> My emails do not have attachments; it's a digital signature that your mail
> program doesn't understand. | http://www.subspacefield.org/~travis/
> If you are a spammer, please email john@subspacefield.org to get
> blacklisted.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100820/2b9b3636/attachment-0001.html>
------------------------------
Message: 4
Date: Thu, 19 Aug 2010 12:11:56 -0700
From: travis+ml-firewalls@subspacefield.org
Subject: Re: [fw-wiz] covert timing channel data
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20100819191156.GM29728@subspacefield.org>
Content-Type: text/plain; charset="us-ascii"
On Sat, Jul 24, 2010 at 07:05:10PM +0300, Melissa Stockman wrote:
> I'm doing research on covert timing channel detection [...]
> Does anyone know where I can find such data?
This is my timing side-channel link collection:
http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc31.2.4
I should probably break that section up into remote & local, but I'm
already 3 levels deep :-)
I'd definitely check out "remote timing attacks are practical", I think
that one has the most information for your case.
You might want to check out Bernstein's AES attacks, or a statistician,
to characterise the distributions you're looking at.
I asked on NANOG a few months ago, but didn't get any good network
latency information.
BTW, "least amount of time" isn't a good measure. It turns out that's too
unstable... 1st to 5th percentile measurements are much more stable.
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john@subspacefield.org to get blacklisted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100819/e5971cf5/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 19 Aug 2010 11:48:33 -0700
From: travis+ml-firewalls@subspacefield.org
Subject: Re: [fw-wiz] a cutting-edge open-source network security
project
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20100819184833.GL29728@subspacefield.org>
Content-Type: text/plain; charset="us-ascii"
Let the heresy begin! ;-)
On Thu, May 20, 2010 at 04:57:04PM -0700, Darren Reed wrote:
> * Have you ever wanted to troubleshoot some networking problems,
> only to realize that your own firewall prevents your test packets
> from getting through?
> I don't need DFD for this and if I'm using un*x software as my firewall,
> I probably need to be looking at a whole lot of things to understand
> what's going wrong (or right.)
Well, I was thinking of packet scrubbing in particular, with min-ttl
restrictions, because that can wreak havoc with traceroute. Being
able to easily turn it off for an IP for a quick traceroute is handy.
> * Have you ever wanted to block attackers from communicating with
> you at all?
> Any good IPS software should do this..
Any good Boeing 747 can already get you where you need; why would
anyone be interested in a free solar-powered engine?
Also, not all adversaries are conducting network attacks; perhaps you
want to block people who are crawling your web site based on some
weblog parser's threshhold rules, or block spammers from talking to
you based on some UBE-detection software, or redirect a user with a
given User-Agent field to a special web site that tells them they've
been infected by some spyware.
> I think port-knocking, as a security mechanism, has already been debunked.
Please first read these, so you'll understand my position, then feel free to
present your argument:
http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc11.9 (para 1)
http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc7.5 (para 3)
http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc35.4
http://www.cipherdyne.com/fwknop/
> Running peer-to-peer from behind a NAT usually requires something that
> does UPnP.
I already posted (to the DFD list) a simple python sniffer that
detects bittorent and makes the appropriate rule changes. It could be
done a lot better, but it's < 100 lines of python.
> There are tools out there (like miniupnpd) that already do
> this. Using DFD for this is a not likely to go anywhere because support
> for it isn't already built into bit-torrent tools (unlike UPnP.)
I honestly haven't looked into UPnP... I should, especially if there's
open-source software for it (as I assume miniupnpd is). Is it defined
by an RFC?
> * Have you ever just wanted to make a temporary rule that expires
> after a certain amount of time?
> If there is really a desire to do this, then it should be natively
> supported by the firewall software. (I've recently added this to
> ipfilter.)
Perhaps, but I find it easy to do with any firewall.
> * Have you wanted to make a simple change to the firewall rules and
> easily revert it, without logging in an editing a file?
>
> I think every un*x firewall allows you to do this. If the current
> thought is that it is "too hard" to do right, then I'd like to know how
> DFD thinks it can make it easier.
I won't go into details here, but you end up writing a script that
defines the allowable changes to the rulesets - that is, you define
what rule changes are allowed within your security policy.
It doesn't, generally, allow arbitrary rule changes - if you have
that, you're right, you might as well log in and run firewall commands
directly, or edit firewall config files directly.
I really need to put up a better transcript; I think this would clear
up a lot of confusion for people who don't have the time to go play with
it.
If you're on an OpenBSD system, there's an example script that you can
run in test mode as non-root:
$ ./keeper_example.py --test --port 8008 &
$ nc -v -v localhost 8008
nc: connect to localhost port 8008 (tcp) failed: Connection refused # IPv6
Connection to localhost 8008 port [tcp/*] succeeded!
Your wish is my command.
dfd_keeper>
The program should be self-explanatory (start with help). Perhaps
I'll post a transcript online. I'd include one here, but with the 30+
line example ruleset it quickly get tedious. Also I really need HTML
markup to emphasize what has changed, and distinguish user input,
prompts, and output. My actual production systems tend to have
200-300 line rulesets.
This feedback certainly helps me understand where I'm doing a bad job
of explaining things.
> For example, if you want to insert a
> rule at a specific point, you somehow need to convey that regardless of
> whether or not DFD is used. For very simple rule sets, making a change
> is simple. But as firewall rules grow, making a simple change becomes
> more fraught.
Yes, that is exactly the problem I attempted to address. And if you
have several things attempting to change rules at once, things get
really hairy.
DFD provides a central choke point, where we define allowable changes
(ones that do not break our security policy), and its single-threaded,
single-process nature also provides locking so that each change is
atomic, even with multiple concurrent clients.
> * Have you ever wanted to have a queue of the last N blocked hosts,
> so that you don't end up with a ton of outdated perjorative rules?
>
> Again, that sounds like something that should be supported natively by
> the firewall. (I've added it as something to add to ipfilter in the
> future.)
But DFD does it now, and the concept applies to any firewall, and it doesn't
involve lots of additional kernel level code.
> * Have you ever wanted to do all of these at one time without the
> different systems stepping on each other's changes?
>
> That's the only real bit of value here. But use of rsync over ssh can be
> just as effective.
Hmm... how would you coordinate that among the various IDS, sniffers,
and other components? Would they all have root level access to your
firewall, and synchronized copies of your ruleset?
> For example, above it says "have you ever wanted to have a queue of the
> last N blocked hosts" but it seems to provide nothing to support adding
> a host to that queue. For some reason, the thought is that
> adding/removing rules is the thing to do. au contraire. The rules define
> my security policy, what changes is the set of IP#'s that I want to
> apply segments of my security policy to.
I do have set-like variables which contain IP addresses, but at
current none of them are anything but pf lists.
What is cool about them is if you remove all the IPs, the rule
automagically disappears from the ruleset. If you add one, the rule
reappears and the set of IPs appears as an IP address, and if you add
more it uses the { IP1, IP2 } list syntax. Over time pf has made the
syntax more flexible, so I believe you can now have singleton lists
without problem, but at the time I wrote it, that was not the case.
Also, when I started this project, I found most tools adding rules to
block individual IPs, and of course then you want to trim your
ruleset. But at least with pf, it seems that you can add and remove
to sets quite easily, and the penalty is not nearly as severe as if
you were adding large amounts of rules.
I need to revisit the lists vs. tables issue. Table support isn't
quite what it could be in dfd_keeper.
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john@subspacefield.org to get blacklisted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100819/115de789/attachment.pgp>
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 52, Issue 7
***********************************************
No comments:
Post a Comment