Thursday, April 02, 2009

firewall-wizards Digest, Vol 36, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PCI DSS & Firewalls (david@lang.hm)
2. Re: PCI DSS & Firewalls (Marcus J. Ranum)
3. Re: PCI DSS & Firewalls (Marcus J. Ranum)
4. Re: PCI DSS & Firewalls (Potter, Albert (Al))
5. Re: PCI DSS & Firewalls (AMuse)
6. Re: SIP dictionary attacks (Lord Sporkton)


----------------------------------------------------------------------

Message: 1
Date: Thu, 2 Apr 2009 11:29:57 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.1.10.0904021127210.28893@asgard.lang.hm>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Thu, 2 Apr 2009, Paul D. Robertson wrote:

>> The standard is not the leading instrument here, it's the experience and
>> common sense of the assessors. The PCI doc merely serves as a checklist
>> to demonstrate to the PCI council that requirements have been fulfilled.
>> Either verbatim, or in any other shape or form that still fulfills the
>> desired goal.
>
> The banks, CEOs and IT workers I've all talked to see it as a checklist to
> compliance, or more importantly a checklist to not getting sued. Avoiding
> the stick is the goal- and those who actually want the carrot look at the
> standard and say "This doesn't help me." That's bad, because the people
> most likely to know what's wrong in an environment are those who're most
> familiar with it. The desired goal is not getting sued...
>
> Also, we all know that businesses like efficiency and that time costs
> money- so are you going to check the box or are you going to write out an
> exception and justify it?

worse yet, are the auditors going to accept the exception, or are they
going to say "I don't care, the standard says X, they know more than you
do"

I've seen this happen with other things, where what we were doing was safe
(or safe enough) in our opinion, but management got tired of fighting with
auditors and told us to change to shut them up.

>> If you have to be compliant and look at the PCI requirements document,
>> and say "this is sad" or "that is not defined", talk to a decent QSA. He
>> can help make this a less confusing and painful experience.
>
> That doesn't make them any less sad or more defined. This is the best the
> multi-billion dollar payment card industry can do?

worse yet, you end up getting a personal opinion of the QSA, next year you
may deal with a different one who has a different opinion.

David Lang


------------------------------

Message: 2
Date: Thu, 02 Apr 2009 13:28:12 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49D503BC.6020905@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Frank Knobbe wrote:
>> I also agree with Marcus that it's the Pen Tester's Employment Security
>> Act..
>
> Wouldn't you want to test your security controls periodically?

Of course. That's part of good engineering. But...

Good engineering says that you have structural elements that
should have various known and measurable capabilities. In
security, that would mean that you have a security design,
and that design would call out specific properties of how
the system should work and should behave. Yes, you'd want
to test to verify that the system was still working in
accordance to its design.

That's exactly the opposite from periodically flinging
poop at it and seeing if it still smells like a rose
afterward. Pardon my metaphor. :) The idea of pen testing
IS TO SIMULATE AN ATTACK
well, your design ought to be such that no known attacks
will work against it. Put differently
THERE SHOULD BE NO KNOWN POINT OF ATTACK
If that's the case, then simulating an attack, using
all the known tricks in the bad guy's arsenal - is
utterly stupid. If what you were to do was to perform a
top to bottom verification that the system's implementation
was still in accordance with its specifications
then that's a "design review" coupled with an "implementation
test" or "design oriented implementation review" - doing
that sort of test would require a completely different
set of tools from what a pen tester uses, and it would
be performed with a system design document in hand, from
the "inside" toward the "outside."

Of course the bad guys are innovating too, and it's very
much worth keeping track of what they're up to and updating
designs and plans accordingly. But - again - that doesn't
need pen testing; that needs periodic design reviews in
the face of newly uncovered forms of attacks. I.e.: your
system should be proof against SQL injection attacks; and
your code should have been carefully reviewed and tested
to be in accordance with that design. If you want to do a
"pen test" at that point, they should be looking at your
source code, not badpacketing you or whatever silliness.
If the bad guys invent a new form of attack, then it's
time to review your design to see how it resists that
form of attack: defend against general CATEGORIES
not SPECIFIC INSTANCES.

The pen testing paradigm is intellectually bankrupt.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 3
Date: Thu, 02 Apr 2009 13:53:17 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49D5099D.90108@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul D. Robertson wrote:
> I can set up a gazillion systems with holes that
> a pen test won't ever find- pen testing as a stipulated requirement is
> silly- there are lots of ways to ensure your security that actually work,
> pen testing at best should be an option in conjunction with stronger
> methods like configuration auditing of security devices.


More to the point, if your system is configured at all
sanely, it should be resistant to all the known attacks
to which it's likely to be subject. So a pen test, that
tries all the known attacks is completely worthless.

Of course, the pen testers dodge this issue by
unleashing unknown attacks. Which - TA-DA! - work.
That way they can show their "value" and keep the
customer scared of being vulnerable. But that breaks
the logic of the first premise.

How do you get around that? By designing to prevent
CATEGORIES of attacks, rather than INSTANCES. That
means systemic design-time review and a system that
is designed with trust in mind. Not surprisingly, if
you build your systems that way, you'll find that the
pen testers have to bend over backwards to find a
way they can still yell "GOTCHA!" (by doing stuff
like the leave-a-USB-key-on-the-exec's-bmw trick)

Pen testing is about as valuable as homeopathy. I.e.: if
there's a security equivalent of a placebo, pen testing is
it.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 4
Date: Thu, 02 Apr 2009 18:30:25 +0000
From: "Potter, Albert (Al)" <apotter@icsalabs.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: firewall-wizards@listserv.cybertrust.com
Message-ID:
<BDCFD9B395C4234F98409E10C78B841874B827@ASHEVS011.mcilink.com>
Content-Type: text/plain; charset="utf-8"

</lurk>

Chris hits the nail on the head. The DSS is about helping the clewless make measurable progress in a better direction and giving management (C and board level) the motivation and justification to spend money on security and to induce their staffs to get moving.

Is it perfect? No, but it is regularly revised (the DSS) and has a mechanism to get better.


AL
<Lurk>

----- Original Message -----
From: firewall-wizards-bounces@listserv.cybertrust.com <firewall-wizards-bounces@listserv.cybertrust.com>
To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.cybertrust.com>
Sent: Thu Apr 02 08:35:15 2009
Subject: Re: [fw-wiz] PCI DSS & Firewalls


> Paul D. Robertson <paul@compuwar.net>,Wednesday, April 1, 2009 9:09:40 PM

> Is it just me, or do the PCI DSS "standards" for firewalls look like

> someone played "I have a CISSP" buzzword bingo?


Nope, not just you. ;~)

The DSS (and regulatory tools in total) are not bits-und-bytes technical artifacts, they are human engineering technical artifacts. The idea being to find a way to move people in a desired direction an achievable distance. The functional DNA in PCI is not what gadgets to use how, it's "if it's done wrong there are legal ramifications at the executive level".

One of our folks did PCI for Walmart, and when the CEO sent out a note saying (sic): "Listen to this guy or you're fired" it proved that PCI worked. It reduced the prospect of spending in the future the millions of man-hours we have spent in the past arguing with people that maybe they should at least consider changing default passwords.

Now, is PCI enough (or complete)? Apparently not (go ask Heartland). But if we can get people doing the things in the DSS for starters, at least they'll be evolved beyond gills and flippers when we get there to talk about actual security.

-chris



_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 5
Date: Thu, 02 Apr 2009 11:58:53 -0700
From: AMuse <amuse@foofus.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49D50AED.5060707@foofus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Isn't the point of pen-testing to take up an attackers' perspective and
hit all your defenses to see if you missed something or misconfigured
something? I mean, unless you're the only person who set up 100% of
your infrastructure, how are you to know that someone didn't
accidentally leave telnet open? If you didn't write 100% of the webapps
your company is using, how are you to know they don't have SQL injection
flaws?

Marcus J. Ranum wrote:
> Frank Knobbe wrote:
> >> I also agree with Marcus that it's the Pen Tester's Employment Security
> >> Act..
>>
>> Wouldn't you want to test your security controls periodically?
>
> Of course. That's part of good engineering. But...
>
> Good engineering says that you have structural elements that
> should have various known and measurable capabilities. In
> security, that would mean that you have a security design,
> and that design would call out specific properties of how
> the system should work and should behave. Yes, you'd want
> to test to verify that the system was still working in
> accordance to its design.
>
> That's exactly the opposite from periodically flinging
> poop at it and seeing if it still smells like a rose
> afterward. Pardon my metaphor. :) The idea of pen testing
> IS TO SIMULATE AN ATTACK
> well, your design ought to be such that no known attacks
> will work against it. Put differently
> THERE SHOULD BE NO KNOWN POINT OF ATTACK
> If that's the case, then simulating an attack, using
> all the known tricks in the bad guy's arsenal - is
> utterly stupid. If what you were to do was to perform a
> top to bottom verification that the system's implementation
> was still in accordance with its specifications
> then that's a "design review" coupled with an "implementation
> test" or "design oriented implementation review" - doing
> that sort of test would require a completely different
> set of tools from what a pen tester uses, and it would
> be performed with a system design document in hand, from
> the "inside" toward the "outside."
>
> Of course the bad guys are innovating too, and it's very
> much worth keeping track of what they're up to and updating
> designs and plans accordingly. But - again - that doesn't
> need pen testing; that needs periodic design reviews in
> the face of newly uncovered forms of attacks. I.e.: your
> system should be proof against SQL injection attacks; and
> your code should have been carefully reviewed and tested
> to be in accordance with that design. If you want to do a
> "pen test" at that point, they should be looking at your
> source code, not badpacketing you or whatever silliness.
> If the bad guys invent a new form of attack, then it's
> time to review your design to see how it resists that
> form of attack: defend against general CATEGORIES
> not SPECIFIC INSTANCES.
>
> The pen testing paradigm is intellectually bankrupt.
>
> mjr.


------------------------------

Message: 6
Date: Thu, 2 Apr 2009 12:08:32 -0700
From: Lord Sporkton <lordsporkton@gmail.com>
Subject: Re: [fw-wiz] SIP dictionary attacks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a1bf75ae0904021208x72ed2c94h74403dbe37fdee33@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I'm using OpenBSD as my firewall, in which there is a connection/time
feature. I can set it to block any IP that makes X connections within
X time. For instance, if someone connects to my SSH port more than 3
times in 30 seconds, they get blocked. Since you're on SIP, you could do,
like, say, anyone connecting more than 5 times in 5 minutes gets
blocked; SIP usually doesn't have that many connections, it just
connects, then it's up, sorta thing.

I believe there is a version of this in iptables, but I've never seen
it in a hardware firewall.

That is at least how I solved the problem you face.

2009/4/1 Paul D. Robertson <paul@compuwar.net>:
> Well, besides losing my voice which has given me a little time to catch up
> on things, one of my problems last week was a successful dictionary attack
> against a SIP extension with an eight digit password.
>
> Obviously, I've changed the passwords and lengths, but I did want to make
> sure folks knew that there were active attacks out there, and they're
> obviously scanning for systems randomly, since the system in question was
> only recently moved to a new IP address space. The initial scans came
> from a box in China (surprise!)
>
> Anyway, all I've found for blocking outside of static IP address ranges is
> a bunch of check the logs and react stuff for Linux. I'm starting to
> think IPS might actually have a use- time to Google for snort inline stuff
> I suppose.
>
> Attackers made about calls out to people telling them they owed money.
> Calls were initiated from Europe, Asia and the US. Likely from
> compromised hosts.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul@compuwar.net       which may have no basis whatsoever in fact."
>           Moderator: Firewall-Wizards mailing list
>           Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

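Added example, not from Lord Sporkton's post and not taken from OpenBSD's own documentation: a pf.conf fragment that implements the "X connections within Y time, then block the source" feature described above, using the two thresholds the post gives (3 in 30 seconds for SSH, 5 in 5 minutes for SIP). The interface group name "egress", the table names, and the choice to take SIP signalling on TCP/5060 are assumptions of mine. The caveat a practitioner needs is that pf's max-src-conn-rate counts completed TCP three-way handshakes only, so it cannot rate-limit SIP over UDP; the UDP rule below therefore only caps concurrent states per source.

```pf
# Added example (not from the list posting). Assumes the external NIC is in
# the "egress" interface group, SSH listens on TCP/22 and SIP on port 5060.

# Tables that the "overload" option fills automatically; "persist" keeps
# them around even while empty.
table <ssh_bruteforce> persist
table <sip_bruteforce> persist

# Drop everything from a source that has already tripped a limit.
# "quick" makes these win over the later pass rules.
block in quick on egress from <ssh_bruteforce>
block in quick on egress from <sip_bruteforce>

# SSH: more than 3 completed handshakes from one source within 30 seconds
# adds that source to the table and tears down its existing states
# ("flush global" flushes states created by any rule, not just this one).
pass in on egress proto tcp to (egress) port 22 \
    keep state (max-src-conn-rate 3/30, overload <ssh_bruteforce> flush global)

# SIP over TCP: more than 5 new connections within 5 minutes (300 seconds).
pass in on egress proto tcp to (egress) port 5060 \
    keep state (max-src-conn-rate 5/300, overload <sip_bruteforce> flush global)

# SIP over UDP: there is no handshake, so max-src-conn-rate does not apply.
# The only per-source control pf offers here is a cap on concurrent states;
# a dictionary attack that reuses one UDP flow is not caught by this rule.
pass in on egress proto udp to (egress) port 5060 \
    keep state (max-src-states 10)
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, `pfctl -t sip_bruteforce -T show` lists the sources that hit the limit. Entries added by overload never expire on their own, so a cron job such as `pfctl -t sip_bruteforce -T expire 86400` is the usual way to age them out after a day; without it the table only grows.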

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 5
***********************************************
