Thursday, April 02, 2009

firewall-wizards Digest, Vol 36, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PCI DSS & Firewalls (Paul D. Robertson)
2. Re: PCI DSS & Firewalls (Darden, Patrick S.)
3. Re: PCI DSS & Firewalls (Paul D. Robertson)
4. Re: SIP dictionary attacks (Paul D. Robertson)
5. Re: SIP dictionary attacks (Lord Sporkton)
6. Re: SIP dictionary attacks (Paul D. Robertson)
7. Re: PCI DSS & Firewalls (Chris Myers)


----------------------------------------------------------------------

Message: 1
Date: Thu, 2 Apr 2009 14:21:42 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904021359230.4989-100000@bat.clueby4.org>
Content-Type: TEXT/Plain; charset=US-ASCII

On Thu, 2 Apr 2009, Potter, Albert (Al) wrote:

> </lurk>
>
> Chris hits the nail on the head. The DSS is about helping the clueless
> make measurable progress in a better direction and giving management (C
> and board level) the motivation and justification to spend money on
> security and to induce their staffs to get moving.

No- the fine is what does that, the DSS is just the artifact with which to
do it. However as a "Standard" it's worse than ICSA Firewall testing
criteria! ;-P

> Is it perfect? No, but it is regularly revised (the DSS) and has a
> mechanism to get better.

Not only is it not perfect, it's frankly about as bad as a document can
get and claim to be a "Security Standard." It *has* to have the mechanism
to get better, it really would have to try to get any worse... Are two
revisions really "regularly revised?"

Heck, the license to download it is more clear and to the point than the
document itself.

Here are some examples from the current "Standard" with my comments in
brackets.

PCI DSS Requirement:

6.5.8 Insecure cryptographic storage
[Really? They require insecure storage?]

Testing Procedure:
6.5.8 Insecure cryptographic storage (Prevent cryptographic flaws.)

PCI DSS Requirement:

5.1.1 Ensure that all anti-virus programs are capable of detecting,
removing and protecting against all known types of malicious software.

[Honestly? All TYPES? Every time?]

1.3.5 Restrict outbound traffic from the cardholder data environment to
the Internet such that outbound traffic can only access IP addresses
within the DMZ.

1.3.5 Verify that outbound traffic from the cardholder data environment to
the Internet can only access IP addresses within the DMZ.

[Really? No Web browsing from a PC from a call center? No hitting an
internal proxy server that's not on the DMZ?...]

Seriously, I'd be embarrassed to release "criteria" like the above (and
it's just a small sampling for educational purposes...)

> AL
> <Lurk>

*cough*
Isn't Verizon a QSA?
*cough*

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 2
Date: Thu, 2 Apr 2009 15:30:30 -0400
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE1075240352627A@EX2K3.armc.org>
Content-Type: text/plain; charset="us-ascii"


Hmmm, no I don't think so.

Network auditor would take care of regular stuff (e.g. your example of
an open telnet service). Nessus, nmap, etc. Irregular stuff will be
there no matter what, if someone knowledgeable enough spends enough time
looking.

Pen Testing has no real purpose that I can see.... Other than as a scare
tactic to put someone in their place, get more money for security from
admin, shame your IT department, or etc. It is more of a
social/political tool than a security instrument.

--Patrick Darden


-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
AMuse
Sent: Thursday, April 02, 2009 2:59 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] PCI DSS & Firewalls

Isn't the point of pen-testing to take up an attackers' perspective and
hit all your defenses to see if you missed something or misconfigured
something? I mean, unless you're the only person who set up 100% of
your infrastructure, how are you to know that someone didn't
accidentally leave telnet open? If you didn't write 100% of the webapps
your company is using, how are you to know they don't have SQL injection
flaws?


------------------------------

Message: 3
Date: Thu, 2 Apr 2009 14:29:06 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904021424110.4989-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 2 Apr 2009, AMuse wrote:

> Isn't the point of pen-testing to take up an attackers' perspective and
> hit all your defenses to see if you missed something or misconfigured
> something? I mean, unless you're the only person who set up 100% of

No, it's to scare the customer into buying security.

> your infrastructure, how are you to know that someone didn't
> accidentally leave telnet open? If you didn't write 100% of the webapps
> your company is using, how are you to know they don't have SQL injection
> flaws?

If you do a configuration audit, and code audits and build applications
using proper design standards, then a pen test will give you no
incremental value.

Let's take a common and costly example: Your last administrator has the
firewall set up to allow him to SSH into your main database server- but
only from his home IP address. He was laid off last week and is
disgruntled.

Now answer these questions:

What will a remote pen test show?
What will an on-site pen test show?
What will a configuration review show?

Given all of the above, what additional value does a pen test bring to the
table?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
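The configuration-review side of the example above, as an added illustration that is not part of the original post: a small rule audit over a constructed, simplified rule set (the rule format, the addresses and the host names are assumptions, not any real firewall's syntax) that flags any rule granting a management port on a critical host from a source outside the trusted networks, which is exactly the stale ex-admin SSH rule a remote pen test from some other address would never see.

```python
import ipaddress

# Constructed rule set in a simple "allow src dst port" form (assumed for
# this example). 192.0.2.0/24 is the office network, 198.51.100.0/24 the
# DMZ, and 203.0.113.0/24 stands in for the Internet.
RULES = [
    {"id": 10, "action": "allow", "src": "192.0.2.0/24",     "dst": "10.0.0.5",      "port": 22},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0",        "dst": "198.51.100.20", "port": 443},
    {"id": 30, "action": "allow", "src": "203.0.113.77/32",  "dst": "10.0.0.5",      "port": 22},
    {"id": 40, "action": "allow", "src": "198.51.100.20/32", "dst": "10.0.0.5",      "port": 5432},
]
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]   # networks allowed to manage hosts
CRITICAL = {"10.0.0.5": "main database server"}    # hosts whose management access we review
MGMT_PORTS = {22, 23, 3389}


def review_rules(rules, trusted=TRUSTED, critical=CRITICAL, mgmt_ports=MGMT_PORTS):
    """Return (rule id, message) findings for allow rules that grant a
    management port on a critical host from outside the trusted networks.
    Single-host (/32) exceptions are called out separately because they
    are the ones that outlive the person they were created for."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or r["dst"] not in critical or r["port"] not in mgmt_ports:
            continue
        src = ipaddress.ip_network(r["src"])
        if any(src.subnet_of(t) for t in trusted):
            continue
        kind = "single-host exception" if src.prefixlen == src.max_prefixlen else "untrusted network"
        findings.append((r["id"], f"rule {r['id']}: {kind} {src} may reach port "
                                  f"{r['port']} on {critical[r['dst']]}"))
    return findings


if __name__ == "__main__":
    for _, msg in review_rules(RULES):
        print(msg)
```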

------------------------------

Message: 4
Date: Thu, 2 Apr 2009 14:31:09 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] SIP dictionary attacks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904021429230.4989-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 2 Apr 2009, Lord Sporkton wrote:

> I'm using openbsd as my firewall, in which there is a connection/time
> feature. I can set it to block any ip that makes X connections within
> X time. For instance if someone connects to my ssh port more than 3
> times in 30 seconds, they get blocked. Since you're on SIP, you could do
> like say, anyone connecting more than 5 times in 5 minutes gets
> blocked; SIP usually doesn't have that many connections, it just
> connects then it's up sorta thing.

That would DoS attack any external SIP phones, especially soft phones or
those on dynamically assigned addresses from typical "home" internet
providers.

> I believe there is a version of this in iptables, but I've never seen
> it in a hardware firewall.
>
> That is at least how I solved the problem you face.

That doesn't solve the problem any better than pure IP address space
restrictions and sometimes makes it worse.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 5
Date: Thu, 2 Apr 2009 12:58:01 -0700
From: Lord Sporkton <lordsporkton@gmail.com>
Subject: Re: [fw-wiz] SIP dictionary attacks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a1bf75ae0904021258sb0a89bah5e450a0d741468f0@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Umm....what?

Once the sip is connected it will stay up and connected. If a sip
phone is connecting back to the sip server more than 5 times in 5
minutes you have some serious issues going on.

2009/4/2 Paul D. Robertson <paul@compuwar.net>:
> On Thu, 2 Apr 2009, Lord Sporkton wrote:
>
>> I'm using openbsd as my firewall, in which there is a connection/time
>> feature. I can set it to block any ip that makes X connections within
>> X time. For instance if someone connects to my ssh port more than 3
>> times in 30 seconds, they get blocked. Since you're on SIP, you could do
>> like say, anyone connecting more than 5 times in 5 minutes gets
>> blocked; SIP usually doesn't have that many connections, it just
>> connects then it's up sorta thing.
>
> That would DoS attack any external SIP phones, especially soft phones or
> those on dynamically assigned addresses from typical "home" internet
> providers.
>
>> I believe there is a version of this in iptables, but I've never seen
>> it in a hardware firewall.
>>
>> That is at least how I solved the problem you face.
>
> That doesn't solve the problem any better than pure IP address space
> restrictions and sometimes makes it worse.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> Moderator: Firewall-Wizards mailing list
> Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 6
Date: Thu, 2 Apr 2009 15:06:39 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] SIP dictionary attacks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904021503490.4989-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 2 Apr 2009, Lord Sporkton wrote:

> Umm....what?
>
> Once the sip is connected it will stay up and connected. If a sip
> phone is connecting back to the sip server more than 5 times in 5
> minutes you have some serious issues going on.

Depends on if you're doing VOIP on a cell phone where the SIP application
can't stay active when there's a cell call.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
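The failure mode argued over in this thread, modelled as an added example that is not from any poster: a sliding-window "block any source making more than N new connections in T seconds" rule as described above, run over constructed SIP registration events (the thresholds, addresses and timings are assumptions). The guessing source is blocked quickly, but so is the mobile softphone that loses its session on every incoming cell call and re-registers, which is the self-inflicted DoS Paul describes.

```python
from collections import defaultdict, deque

# Assumed rule parameters: more than 5 new connections in 300 s blocks the
# source for 3600 s (the thread's "5 times in 5 minutes").
LIMIT, WINDOW, BLOCK_FOR = 5, 300, 3600


def apply_rate_limit(events, limit=LIMIT, window=WINDOW, block_for=BLOCK_FOR):
    """events: (timestamp_seconds, src_ip) pairs, one per new SIP connection
    or REGISTER. Returns per-source counts of accepted and dropped events
    plus the time the source was blocked, so false positives are visible."""
    recent = defaultdict(deque)      # sliding window of timestamps per source
    blocked_until = {}
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0, "blocked_at": None})
    for ts, ip in sorted(events):
        if ip in blocked_until and ts < blocked_until[ip]:
            stats[ip]["dropped"] += 1          # still inside the block period
            continue
        q = recent[ip]
        while q and ts - q[0] > window:        # expire events outside the window
            q.popleft()
        q.append(ts)
        if len(q) > limit:                     # rule trips: block the source
            blocked_until[ip] = ts + block_for
            stats[ip]["blocked_at"] = ts
            stats[ip]["dropped"] += 1
        else:
            stats[ip]["accepted"] += 1
    return dict(stats)


# Constructed traffic, not captured data:
# a desk phone registers once and stays up;
# a mobile softphone on a dynamic address re-registers after each cell call;
# a password-guessing source sends a REGISTER every two seconds.
DESK = [(0, "192.0.2.10")]
MOBILE = [(t, "198.51.100.7") for t in (0, 40, 95, 130, 200, 260)]
GUESSER = [(t, "203.0.113.9") for t in range(0, 60, 2)]

if __name__ == "__main__":
    for ip, s in apply_rate_limit(DESK + MOBILE + GUESSER).items():
        print(ip, s)
```

The mobile phone's sixth legitimate registration at 260 s is what gets it blocked for the next hour, which is the point at stake: the rule cannot tell that re-registration from a guessing run.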

------------------------------

Message: 7
Date: Thu, 2 Apr 2009 16:49:00 -0500
From: Chris Myers <clmmacunix@charter.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <3DA774AA-AE2A-43FF-98B3-140C6CCD7FA6@charter.net>
Content-Type: text/plain; charset="us-ascii"; Format="flowed";
DelSp="yes"

Great Discussion, too long to recall all I would like to respond to.

I only have to say that it is not the law, so a standard is a guide.
Although some politicians have found glory from the constituency by
making it a states right. The most ignorant of which could not tell
you why PCI is important at all. Three-Fourths of the standard can be
left unread and done away with through good engineering, and the last
quarter of which is to bring layman's terms to the real culprit in the
security breach, the executive.

1. Anyone in charge of a company's security should know the
architecture and every project going on from development and testing
to install. Why pay a CSO if he and his team of underlings do not?

2. Any hole that is not based upon that architecture, development and
install should be closed, regardless of anyone's opinion or preferred
habits.

3. Anyone who is installing or developing something that shows up on a
pen test that is legitimately revealed by a pen test should call the
unemployment office, if it is not on the radar of a process and
company security plan. Which is why I am in some favor of a full blown
pen test, but agree it should be unnecessary and targeted, I refer
back to item one.

4. QSAs should get their ring of fame, but are misappropriated
because of the depravity of man. If an audit shows the same breach due
to the executive who refuses to close the hole because of his
preferred ignorance, the Security team should retain their budgeted
number for the cost of the QSA and the cost should come out of the
operational budget/executive fun fund.

5. Standards that are forced, like PCI has been so egregiously forced
by law of the ignorant, as if it were a law, are doomed to fail when
the intent is only to give self regulation and a standard, before the
federal dupes in Washington get their professional lawyer hands on our
compliance. So I try to take it easy on the PCI DSS, but agree it is
not the Declaration of Independence.

Chris Myers
clmmacunix@charter.net

John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.


Go Vols!!!!

On Apr 2, 2009, at 2:29 PM, Paul D. Robertson wrote:

> On Thu, 2 Apr 2009, AMuse wrote:
>
>> Isn't the point of pen-testing to take up an attackers' perspective
>> and
>> hit all your defenses to see if you missed something or misconfigured
>> something? I mean, unless you're the only person who set up 100% of
>
> No, it's to scare the customer into buying security.
>
>> your infrastructure, how are you to know that someone didn't
>> accidentally leave telnet open? If you didn't write 100% of the
>> webapps
>> your company is using, how are you to know they don't have SQL
>> injection
>> flaws?
>
> If you do a configuration audit, and code audits and build
> applications
> using proper design standards, then a pen test will give you no
> incremental value.
>
> Let's take a common and costly example: Your last administrator has
> the
> firewall set up to allow him to SSH into your main database server-
> but
> only from his home IP address. He was laid off last week and is
> disgruntled.
>
> Now answer these questions:
>
> What will a remote pen test show?
> What will an on-site pen test show?
> What will a configuration review show?
>
> Given all of the above, what additional value does a pen test bring
> to the
> table?
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal
> opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> Moderator: Firewall-Wizards mailing list
> Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 6
***********************************************
