Monday, April 20, 2009

firewall-wizards Digest, Vol 36, Issue 31

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (david@lang.hm)
2. Re: SCADA (david@lang.hm)
3. Re: Who stay focused? (was: [Fwd: Question]) (Devdas Bhagat)
4. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Brian Loe)
5. Re: Who stay focused? (was: [Fwd: Question]) (ArkanoiD)
6. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Michael Balasko)


----------------------------------------------------------------------

Message: 1
Date: Sun, 19 Apr 2009 23:14:23 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] SCADA
To: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.1.10.0904192302150.12662@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 14 Apr 2009, Marcus J. Ranum wrote:

> Oddly, plog works faster than regular UDP syslog on some systems,
> because the bpf implementations are sometimes faster than the UDP
> stack.

I've been doing some testing with rsyslog recently, and with the 4.x
development branch I have had it reliably receive udp messages at as close
to gig-e wire speed as a tuned tcpreplay could push them (IIRC it was
~300,000 messages/sec for ~256 byte messages) with no losses (over a
fairly quiet network). it can't currently write them from its memory
buffer that fast (only ~80,000 messages/sec sustained), but you can put a
lot of memory in a dedicated log server today to handle bursts.

David Lang


------------------------------

Message: 2
Date: Sun, 19 Apr 2009 23:39:52 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] SCADA
To: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.1.10.0904192334100.12662@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Tue, 14 Apr 2009, Marcus J. Ranum wrote:

> Paul D. Robertson wrote:
>> The other side of the coin is that adding layers adds complexity and code-
>> and adding code adds bugs- so you don't *always* get a net security gain by
>> adding "protection."
>
> You raise a problem that I've spent too much time pondering. In effect,
> it refutes the "conventional wisdom" of computer security. Which goes
> as follows:
> Item #1 - Defense in depth is good
> Item #2 - Complexity is the enemy of security
>
> If #2 is true, #1 can't be, because defense in depth adds complexity.
>
> Puzzled,

add multiple simple layers rather than trying to do everything in one very
complex system.

with the traditional firewalls architecture you add complexity in your
network to make the firewalls choke points and apply fairly simple
controls there rather than trying to implement the same protection on a
per-host basis.

or putting it another way, if each component is simple enough to be easily
understood (and checked), then you have a hope of understanding (and
checking) sets of components.

but if a single component's configuration and capabilities gets to the
point where it is too complex to be understood or checked, you have no
hope of understanding or checking your network as a whole.

defining when a component has become 'too complex' is a subjective thing,
as is determining when the arrangement of those components has become too
complex. different people will make different trade-offs.

David Lang


------------------------------

Message: 3
Date: Mon, 20 Apr 2009 16:53:02 +0530
From: Devdas Bhagat <dvb@users.sourceforge.net>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20090420112302.GC31699@tin2.nixcartel.org>
Content-Type: text/plain; charset=us-ascii

On Thu, Apr 16, 2009 at 08:09:05PM +0400, ArkanoiD wrote:
<snip>
>
> Have you noticed those? Those guys who started in early 2000s and who are
> *experienced professionals* now? They are not visionaries, nor scientists

Hey, I resemble that remark.

> (not am i, though), they are not bright minds either. You do not see them
> on any security conferences (well, actually there *are* conferences they
> attend, they are just different ones we consider boring), they do not show

Honestly, if I could afford to travel to a security conference (or two), I
would. At this point, all conference funding comes out of my pocket and
my personal budget is highly limited.

> up on any workgroups or technical committees, they do not invent and more,
> they do not really have a clue to stay on the leading edge (how
> ridiculously does it sound when applied to our pretty conservative field,

That depends on what bits of infosec you consider bleeding edge. For
most applications, the security rules are fairly well known and attacks
don't change all that often.

If you can't fix the holes, and bandages don't work very well, you have
to give up and work on where you can make a change. My current areas of
focus are on outbound filtering (rather than inbound) and education.
Applying Postel's law to networks and networked applications is useful.

The nicest thing about the stock market collapse is that it is a glaring
example of bad things happening. "It would never happen to us" does not
apply in the real world.

Don't try and sell things because they are the right thing to do. That
doesn't work. Pointing out how their lack of security will impact operations
helps (You will be infected by a virus, it will try to propagate and consume
expensive internet bandwidth. You will be blocked for spamming.) Management
doesn't understand security, but they understand reputation.

Most people don't think in terms of worst case scenarios. That's what I
learnt from The Black Swan. We are exceptions to that rule. We think
almost solely in terms of rare, worst case scenarios. I have moved to
waiting for disaster to strike, and then recovering the pieces. Take
my advice and don't blow up, don't take my advice and blow up
spectacularly. If you are lucky, you will be too big to fail.

> but there *is* something like that). They just do their *career*. And
> they do it quite well, even more: they do not give a shit about who you
> are and what can you do - there are other things that count, like "did
> you have a senior management job at company we do respect"
> (no one even cares if you performed there good enough, the single fact
> that you were there is what that counts) and they are always welcome in
> the corporate world.
>
> So i am just a loser who did not get into that pack in time and now it
> is too late. I did not care about money much and i did not care about
> the career much, i just tried to do something to make this crazy world
> a little bit sane. And i failed epically. There are some positive changes

Meh. Epic failure is better than not trying at all. You never know when
success will happen. Or why. Or how.

Devdas Bhagat
--
Slumdog sysadmin


------------------------------

Message: 4
Date: Mon, 20 Apr 2009 11:26:52 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904200926x4b62f48dh3925869be48f406e@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Sun, Apr 19, 2009 at 8:21 PM, Paul D. Robertson <paul@compuwar.net> wrote:
> On Sat, 18 Apr 2009, Brian Loe wrote:
>
>> That's where the "homeland security" group of morons should be
>> applying their energies - creating regulations for how and what can be
>> connected to the country's power grid that we are ALL dependent on.
>
> Is that *REALLY* who you want drafting computer security regulations?
> "Please take off your shoes prior to booting Server 2008...."
>
> Paul

Of course not - but if not them, what other group of morons would you
have do it? This is one area where I think it could work, however,
after all any group could so long as they reach out to non-morons for
help.

I wouldn't say the same about, for instance, health care or automobile
manufacturing. :)

I believe the FBI has some talented folks and this would be a
legitimate exercise for them...right?


------------------------------

Message: 5
Date: Mon, 20 Apr 2009 21:25:44 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Devdas Bhagat <dvb@users.sourceforge.net>, Firewall Wizards
Security Mailing List <firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090420172544.GA2901@eltex.net>
Content-Type: text/plain; charset=koi8-r

Well, i guess role-based data control and entitlement management is something
that can (applying necessary frameworks like WS-* and embedding security
tokens into all data flow both in- and intersystem) change the security
landscape. If it ever will be applied properly. I doubt so.

On Mon, Apr 20, 2009 at 04:53:02PM +0530, Devdas Bhagat wrote:
>
> > up on any workgroups or technical committees, they do not invent and more,
> > they do not really have a clue to stay on the leading edge (how
> > ridiculously does it sound when applied to our pretty conservative field,
>
> That depends on what bits of infosec you consider bleeding edge. For
> most applications, the security rules are fairly well known and attacks
> don't change all that often.
>
> If you can't fix the holes, and bandages don't work very well, you have
> to give up and work on where you can make a change. My current areas of
> focus are on outbound filtering (rather than inbound) and education.
> Applying Postel's law to networks and networked applications is useful.
>


------------------------------

Message: 6
Date: Mon, 20 Apr 2009 11:06:37 -0700
From: "Michael Balasko" <Michael.Balasko@cityofhenderson.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<9AF22D15085E7D409ED5710CBC779E9309FD0FD8@COHNTCS09.ci.henderson.nv.us>

Content-Type: text/plain; charset="us-ascii"

Eh, they do!!??

I like the bunch of "morons" known as NIST.

http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

and this should keep you busy for a while.

http://www.oe.energy.gov/information_center/reports.htm

Cisco has a whole class dedicated to it at Networkers but this can be
tortured into SCADA specific ideas

http://www.cisco.com/en/US/docs/solutions/Verticals/EttF/EttFDIG.html

Pay Stuff-

and good book-

http://bookstore.gpo.gov/actions/GetPublication.do?stocknumber=008-022-00338-0

and den-

http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeI

Above links being present, I'd like to rename the morons to a group of
seriously intelligent, committed folk who happen to get a bad name from
the PR of the respective agencies they work for.:) I can assure you that
there are tons of Birkenstock wearing, long bearded multiple Ph.D
holding guys fighting the good fight who happen to work for the
government.

Enjoy the reading-

Michael Balasko

CCNP,CCSP,MCSE,MCNE

Network Specialist II

City of Henderson, Nevada

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Brian Loe
Sent: Monday, April 20, 2009 9:27 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)

On Sun, Apr 19, 2009 at 8:21 PM, Paul D. Robertson <paul@compuwar.net> wrote:
> On Sat, 18 Apr 2009, Brian Loe wrote:
>
>> That's where the "homeland security" group of morons should be
>> applying their energies - creating regulations for how and what can be
>> connected to the country's power grid that we are ALL dependent on.
>
> Is that *REALLY* who you want drafting computer security regulations?
> "Please take off your shoes prior to booting Server 2008...."
>
> Paul

Of course not - but if not them, what other group of morons would you
have do it? This is one area where I think it could work, however,
after all any group could so long as they reach out to non-morons for
help.

I wouldn't say the same about, for instance, health care or automobile
manufacturing. :)

I believe the FBI has some talented folks and this would be a
legitimate exercise for them...right?


------------------------------


End of firewall-wizards Digest, Vol 36, Issue 31
************************************************
