Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
(Dave Piscitello)
2. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
(Marcus Ranum)
3. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
(Dave Piscitello)
4. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing (Bill Kyle)
5. Proxy advantage (Paul D. Robertson)
6. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
(Magosányi Árpád)
7. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
(Stephen P. Berry)
----------------------------------------------------------------------
Message: 1
Date: Sat, 13 Apr 2013 11:30:32 +0200
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<CADLVL0+bAce+j4JTysfd1_mpAote2qPOX2j10JX_fdaDP9WuVg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
I suspect that a composite of what Stephen, Kyle and I constructed
yields a reasonable analog for the current and sad state of affairs.
On Sat, Apr 13, 2013 at 3:01 AM, Kyle Creyts <kyle.creyts@gmail.com> wrote:
> For one, the ship's hull is supposed to have "leaks" because water is
> supposed to flow through the hull, this is how this particularly strange
> ship operates and provides the passengers with essentials to do their
> duties.
>
> Otherwise we'd keep it out of the water. (ha ha, air gap)
>
> However, as security folk, we're rather concerned about things that are
> toxic to the passengers coming in with the water...
>
> Unfortunately, to most of the systems we use to filter hull intake and
> output, protecting the passengers and their belongings, the toxic materials
> tend to look a lot like water.
>
> Most of these filters don't even know what the toxins are today. They're
> mostly throwback technology from a time before toxins, which only had to
> know the difference between water, seaweed, and sand. They know what water
> typically looks like, and they'll keep out the seaweed and sand, but we've
> told them that we want to let water in.
>
> Some newer systems are a bit better about filtering out the toxins, but they
> frequently cost quite a bit, and most ships continue to run without them in
> place.
>
> Of course most of the passengers can't distinguish either.
>
> In spite of people running around and announcing the dangers of toxins,
> nobody really seems to know how to teach the passengers to identify them,
> and most of the passengers are in too big of a hurry to care; drinking one
> glass of water with toxins in it probably won't kill them. Besides, many of
> them have filters on the faucets. Even if most of the faucet filters can
> only catch toxins they've seen before...
>
> Some passengers even bring toxins with them onto the ship.
>
> As others have mentioned, this whole process is only one of many
> responsibilities of those responsible for it, if they are even still with
> the ship. There are only so many engineers on the boat, they usually have to
> be trained to maintain this process or clean up toxins, and they have a lot
> of other systems to care for.
>
>
>
> On Fri, Apr 12, 2013 at 1:33 AM, Dave Piscitello <dave@corecom.com> wrote:
>>
>> Stephen,
>>
>> I think your premise - that we are comfortable with this architecture
>> - is wrong, at least for this choir.
>>
>> Your analog also only looks at one dimension of the problem space.
>>
>> - the ship hull is compromised
>> - the pumps are working because someone thought to enable this
>> automation, and he's now serving on another ship
>> - much of the crew are not competent to deal with the crisis, and
>> don't have the time to fully assess the damage because they are
>> distracted by requests to solve far less critical issues so that other
>> of the ship's services remain in operation for the passengers
>> - the passengers pay no attention to the warnings, alarms, and have no
>> clue as to how to abandon ship
>>
>> I suspect that few on this list are comfortable with this scene. The
>> pump is there for many because it's keeping the ship afloat while we
>> patch and re-think how to prevent future hull breaches. Part of
>> re-thinking is coming up with better monitoring (of hull integrity)
>> and AWS; part is raising competencies among crew, and part is raising
>> security awareness among passengers. All of these require the
>> captain's approval and the captain has to empower the officers.
>>
>> On Thu, Apr 11, 2013 at 8:46 PM, Stephen P. Berry <spb@meshuggeneh.net>
>> wrote:
>> >
>> >
>> > John Michealson writes:
>> >
>> >>Check Point's gateway based AV went cloud based last fall. It has over
>> >>6M signatures. They also have AntiBot, which has hundreds of millions of IP
>> >>and hosts classified. They are reclassifying 50k sites/hosts a day with
>> >>their ThreatCloud, and ThreatEmulation is in EA. Their Application Control
>> >>has 4900 apps defined locally and 300K in the cloud. Combined with
>> >>education these are very effective tools.
>> >
>> > Perhaps I just have a bad attitude, but I'm imagining a ship with a
>> > great jagged hole below the water line and a very high output bilge
>> > pump that's almost but not quite keeping up with the flooding. The ship
>> > doesn't sink -immediately-, and hey that is a pretty impressive pump. But
>> > I'm not sure that I'd say that the pump is a very effective tool, because
>> > the task I'm actually concerned with isn't---or, I would argue shouldn't
>> > be---pumping water out, which the pump does quite well, but rather with
>> > keeping the ship seaworthy by keeping the water from getting in in the
>> > first place, and the pump doesn't do that at all.
>> >
>> > I'm not trying to badmouth Checkpoint here. I'm sure their product is
>> > wonderful for what it is. But I find it distressing how comfortable
>> > we've become with living with network architectures that are perpetually
>> > in a state of failure. That are designed failed. You speak in glowing words
>> > of the monumental efforts expended by Checkpoint. But while I can admire
>> > all that hard work, when I see a system that -needs- this sort of heroic
>> > effort -on an ongoing basis- just to continue functioning, I see a system
>> > that is fundamentally broken.
>> >
>> >
>> >
>> > -spb
>> >
>> > _______________________________________________
>> > firewall-wizards mailing list
>> > firewall-wizards@listserv.icsalabs.com
>> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> --
> Kyle Creyts
>
> Information Assurance Professional
> BSidesDetroit Organizer
>
------------------------------
Message: 2
Date: Fri, 12 Apr 2013 23:26:07 -0500
From: Marcus Ranum <mjr@ranum.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <5168DE5F.10900@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> I suspect that few on this list are comfortable with this scene. The
> pump is there for many because it's keeping the ship afloat while we
> patch and re-think how to prevent future hull breaches. Part of
> re-thinking is coming up with better monitoring (of hull integrity)
> and AWS; part is raising competencies among crew, and part is raising
> security awareness among passengers. All of these require the
> captain's approval and the captain has to empower the officers.
>
Meanwhile, many of the ship-builders have staked their oars and declared
that they will never go to sea again, but - of course - their customers are
welcome to try out the very inexpensive "cloud ship" offering that "ought to
work just fine." More or less. Have a nice trip.
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com
------------------------------
Message: 3
Date: Mon, 15 Apr 2013 13:53:07 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: Marcus Ranum <mjr@ranum.com>, Firewall Wizards Security Mailing
List <firewall-wizards@listserv.cybertrust.com>
Message-ID:
<CADLVL0L_30uhyOM_bq8qb4DTUyycuARB5VO73YHv4A40QuWRPA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cloud is simply the current incarnation of server (LAN/farm, data
center, virtualization...). I really don't see that the security
issues have changed all that much (evolved maybe), or approaches to
solving them.
Look at us. We are in the "Lather, rinse, repeat" business. I recently
quoted firewall-wizards threads from 2007 on DDoS in an article. We
were discussing a 2000 SANS report encouraging egress address
filtering.
Still comes down to willingness to spend, will to execute. Too little of both.
On Sat, Apr 13, 2013 at 12:26 AM, Marcus Ranum <mjr@ranum.com> wrote:
>> I suspect that few on this list are comfortable with this scene. The
>> pump is there for many because it's keeping the ship afloat while we
>> patch and re-think how to prevent future hull breaches. Part of
>> re-thinking is coming up with better monitoring (of hull integrity)
>> and AWS; part is raising competencies among crew, and part is raising
>> security awareness among passengers. All of these require the
>> captain's approval and the captain has to empower the officers.
>>
>
> Meanwhile, many of the ship-builders have staked their oars and declared
> that they will never go to sea again, but - of course - their customers are
> welcome to try out the very inexpensive "cloud ship" offering that "ought to
> work just fine." More or less. Have a nice trip.
>
> mjr.
>
> --
> Marcus J. Ranum CSO, Tenable Network Security, Inc.
> http://www.tenable.com
------------------------------
Message: 4
Date: Mon, 15 Apr 2013 14:40:40 -0400
From: Bill Kyle <Bill.Kyle@jhu.edu>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <E1300398-9135-460A-830E-80737F71E7AF@jhu.edu>
Content-Type: text/plain; charset=us-ascii
In a former lifetime in the mid-nineties while at DEC installing Marcus' SEAL firewall for customers, I always did egress address filtering. It was best practice then and it's still best practice now. And, people still haven't learned how to configure their DNS servers. Until we can get the basics correct at this level we'll have a hard time discussing the home users getting "their act together."
--
Best regards,
Bill Kyle
"In one respect at least the Martians are a happy people; they have no lawyers."
From "A Princess of Mars"
- Edgar Rice Burroughs
On Apr 15, 2013, at 1:53 PM, Dave Piscitello <dave@corecom.com> wrote:
> Cloud is simply the current incarnation of server (LAN/farm, data
> center, virtualization...). I really don't see that the security
> issues have changed all that much (evolved maybe), or approaches to
> solving them.
>
> Look at us. We are in the "Lather, rinse, repeat" business. I recently
> quoted firewall-wizards threads from 2007 on DDoS in an article. We
> were discussing a 2000 SANS report encouraging egress address
> filtering.
>
> Still comes down to willingness to spend, will to execute. Too little of both.
>
> On Sat, Apr 13, 2013 at 12:26 AM, Marcus Ranum <mjr@ranum.com> wrote:
>>> I suspect that few on this list are comfortable with this scene. The
>>> pump is there for many because it's keeping the ship afloat while we
>>> patch and re-think how to prevent future hull breaches. Part of
>>> re-thinking is coming up with better monitoring (of hull integrity)
>>> and AWS; part is raising competencies among crew, and part is raising
>>> security awareness among passengers. All of these require the
>>> captain's approval and the captain has to empower the officers.
>>>
>>
>> Meanwhile, many of the ship-builders have staked their oars and declared
>> that they will never go to sea again, but - of course - their customers are
>> welcome to try out the very inexpensive "cloud ship" offering that "ought to
>> work just fine." More or less. Have a nice trip.
>>
>> mjr.
>>
>> --
>> Marcus J. Ranum CSO, Tenable Network Security, Inc.
>> http://www.tenable.com
------------------------------
Message: 5
Date: Mon, 15 Apr 2013 17:13:30 -0400
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: [fw-wiz] Proxy advantage
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <E1AF9C28-F3FD-4C01-8A40-0FBB6BF50D20@compuwar.net>
Content-Type: text/plain; charset=us-ascii
I've always railed against DNS tunneling. It seems to be rearing its ugly head again. Today with all the in-band HTTP attacks, it once again seems the major advantage of a proxy server is not having to pass DNS down to the client. Should this be a best practice?
Paul
--
President and Chairman, FluidIT Group
Moderator, Firewall-Wizards
http://pauldrobertson.net
http://pauldrobertson.com
@compuwar
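A detector for the DNS-tunneling pattern Paul raises, added here as an example and not code from the thread: it scores resolver query logs per client and base domain (never-repeated subdomains, label entropy, subdomain length, share of TXT/NULL/CNAME queries) so that a client that is still talking DNS directly, instead of through the proxy, stands out. The log line format, the "last two labels" base-domain rule, the sample log and the thresholds are all assumptions constructed for this example.

```python
import math
from collections import defaultdict

HEX = "0123456789abcdef"
BULK_RR = ("TXT", "NULL", "CNAME")  # record types with room for encoded data

def constructed_log():
    """Constructed resolver log ("<client> <qtype> <qname>"); not real traffic."""
    lines = ["10.0.0.5 A www.example.com", "10.0.0.5 A mail.example.com",
             "10.0.0.5 AAAA www.example.com", "10.0.0.5 MX example.com",
             "10.0.0.5 A www.example.com", "10.0.0.9 A www.example.com"]
    # Six queries whose leftmost label is a rotated, doubled hex alphabet: long,
    # never repeated and with maximal character spread, like an encoded payload.
    for i in range(6):
        lines.append(f"10.0.0.9 TXT {(HEX[i:] + HEX[:i]) * 2}.t.exfil-test.invalid")
    return "\n".join(lines)

def shannon_entropy(s):
    """Bits per character of s (0 for the empty string)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """(subdomain, base domain); base = last two labels. Real use needs a
    public-suffix list (simplifying assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_dns_log(log_text, min_queries=5):
    """Per (client, base domain): query count, share of never-repeated subdomains,
    mean subdomain entropy and length, share of bulk record types, and a verdict."""
    stats = defaultdict(lambda: {"n": 0, "uniq": set(), "ent": 0.0, "len": 0, "bulk": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qtype, qname = parts
        sub, base = split_name(qname)
        s = stats[(client, base)]
        s["n"] += 1
        s["uniq"].add(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["len"] += len(sub)
        s["bulk"] += qtype.upper() in BULK_RR
    report = {}
    for key, s in stats.items():
        if s["n"] < min_queries:
            continue  # too little data to judge
        m = {"queries": s["n"], "unique_ratio": len(s["uniq"]) / s["n"],
             "avg_entropy": s["ent"] / s["n"], "avg_sub_len": s["len"] / s["n"],
             "bulk_rr_ratio": s["bulk"] / s["n"]}
        # Thresholds are assumptions for this sample; tune against a real baseline.
        m["suspicious"] = (m["unique_ratio"] >= 0.8 and m["avg_entropy"] >= 3.0
                           and m["avg_sub_len"] >= 30)
        report[key] = m
    return report
```

On the constructed log only the (10.0.0.9, exfil-test.invalid) pair is flagged; the benign example.com traffic from both clients is not, and the single 10.0.0.9 query to example.com is dropped as too little data.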
------------------------------
Message: 6
Date: Tue, 16 Apr 2013 08:13:37 +0200
From: Magosányi Árpád <mag@magwas.rulez.org>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <516CEC11.60907@magwas.rulez.org>
Content-Type: text/plain; charset=ISO-8859-1
On 04/15/2013 07:53 PM, Dave Piscitello wrote:
> Cloud is simply the current incarnation of server (LAN/farm, data
> center, virtualization...). I really don't see that the security
> issues have changed all that much (evolved maybe), or approaches to
> solving them.
You are right, if you look at cloud solely as a new technology.
And as with any new technology, security won't be a real priority until
the basics are straightened out.
But cloud is also a business model (as in 'public cloud'), where
the model of relationships and incentives is wildly different to what we
were accustomed to.
And this model does not help to have watertight security.
------------------------------
Message: 7
Date: Mon, 15 Apr 2013 20:57:56 -0700
From: "Stephen P. Berry" <spb@meshuggeneh.net>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: spb@meshuggeneh.net
Message-ID: <20130416035756.D710B23CA62@ushiro.meshuggeneh.net>
Dave Piscitello writes:
>I think your premise - that we are comfortable with this architecture
>- is wrong, at least for this choir.
Well, the recommendations are coming from the list. If you're going to tell
me that sometimes we recommend things that we're none too happy about,
I understand. But I still think it's a problem. We would reduce the
number of real-world information security problems by -at least- a factor
of ten if we simply stopped doing things that we, collectively, know are
wrong. I don't say that casually, and I think it's one of those things
that is a) profoundly shocking, and b) steadily getting worse rather than
better.
And here, as before, I mean `we' in the collective sense, all
network/information security types out there working. I'm not trying to
single out anyone on the mailing list, and I'm not trying to exclude
myself. My argument is that the -structural- security of our networks
is, as a general rule, getting worse and worse and no matter how much
we tell ourselves it can't be helped and no matter how many spiffy
quote security unquote quote appliances unquote we allow vendors to
sell us this is still the fundamental reality.
As far as virtualisation goes, I think it's a profound missed opportunity.
In principle things like AWS AMIs make doing minimal footprint, application-
specific OS installs with everything unnecessary turned off, central logging,
behaviour-based auditing based on a known-good baseline, and all those other
things that used to be comparatively expensive to do much MUCH more
straightforward. But of course this isn't how, as a rule, virtualised
deployments are architected because doing things this way just isn't
even in most organisations' decision tree.
I realise that I'm probably doing two stupid things here: preaching to
the choir, and complaining about a problem instead of fixing it. But
this is something that I feel like I've spent years and years throwing
effort at it (professionally, in contributing open source code to the
community at large, in mentoring other sysadmins/network admins, participating
in SAGE back when they were still a going concern, and so on) and things
just keep getting worse and worse.
-spb
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 64, Issue 7
***********************************************