Saturday, April 04, 2009

firewall-wizards Digest, Vol 36, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PCI DSS & Firewalls (Bill McGee)
2. Re: PCI DSS & Firewalls (hermit)
3. Re: PCI DSS & Firewalls (Marcus J. Ranum)
4. Re: PCI DSS & Firewalls (Paul Melson)
5. Re: SIP dictionary attacks (Joe Nall)


----------------------------------------------------------------------

Message: 1
Date: Fri, 03 Apr 2009 09:23:17 -0600
From: Bill McGee <bam@cisco.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, <mjr@ranum.com>
Message-ID: <C5FB8605.1AFCE%bam@cisco.com>
Content-Type: text/plain; charset="iso-8859-1"

Yikes!

Wouldn't it be nice if we all lived in Marcus' world? Perhaps we ought to
just mandate that everyone scrap their current networks and have Mr. Ranum
come in and redesign them from the ground up. We would clearly end this
issue of security breaches once and for all.

In the meantime, we really ought to be helping folks move from WHERE THEY
ARE to WHERE THEY NEED TO BE, even if it's in incremental baby steps, based
on ability, budget, and sensitivity to risk. This is the world that Chris
and I live in, and until Marcus' parallel universe overtakes our own, this
is the battle we all must fight.

Is that a nod for mediocrity? Hardly. The reality is that, incompetent or
not, many IT managers are doing the best they can with what they have, with
real constraints on what they can do next, and need our help within that
context. Short of a Ranum dictatorship, we really need to recognize that
wide-eyed idealism, however well-intentioned, is never a reasonable
replacement for dealing with the vagaries of the reality we actually
inhabit.

-bill


On 4/3/09 8:31 AM, "Chris Blask" <chris@blask.org> wrote:

>
> Marcus J. Ranum <mjr@ranum.com>, Friday, April 3, 2009 9:06:53 AM
>
>> > Chris - you're better than this. Stop being an apologist for
>> > mediocrity.
>
>
> I wouldn't put it that way myself, but I also wouldn't argue the fine points
> of the definition. We live in a world of varying perfection and - while it is
> a wonderful thing to effect perfection where possible - it falls on us to
> devise solutions that also have a positive impact on mediocrity and even,
> where possible, function in the presence of incompetence. It wouldn't be
> defensible for me to take this position unless there were others out there
> railing for perfection, but we're never short of such voices in our field.
>
>> > All of us understand that you can do a half-assed job, or that
>> > you can throw up your hands and say "things suck but I'll do the
>> > best that I can in the circumstances." We all know that. But
>> > please don't adopt defeatism as policy.
>
>
> I leave it for others to judge, but I would hope that accepting defeatism is
> not a descriptive that would apply to me. Rather, I would say that I accept
> situations the way they are when I show up and do what I can to improve them.
> Whether it is accurate to say that a given situation sucks is a qualitative
> judgement that really requires a great deal of insight into the back story
> regarding how it got to the current state, and whether through lack of
> patience or attention span (I embrace my ADD) I only care about the past as it
> applies to the options for the future.
>
> Sure I often find myself in the position to be accused of 'defending
> mediocrity', but it's not in the context of giving up and accepting defeat.
> It's just the only way I know to limit the options I focus on to the ones that
> could actually appear in the real world.
>
> -chris
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 2
Date: Fri, 3 Apr 2009 08:27:48 -0700 (PDT)
From: hermit <hermit921@yahoo.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <235111.6464.qm@web32701.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1


I suspect my company is similar to many - a penetration test that succeeds in getting to sensitive information is the only way to get management's attention. Otherwise, "of course we are secure. No one has broken in" is the honest belief of managers at all levels. No, they don't do log analysis. Yes, that makes pen testing a political tool rather than a technical tool, but it sure does help those of us who see security as more than an assertion by people with no security training or experience. Nothing else works.

hermit921

--- On Thu, 4/2/09, Darden, Patrick S. <darden@armc.org> wrote:

> From: Darden, Patrick S. <darden@armc.org>
> Subject: Re: [fw-wiz] PCI DSS & Firewalls
> To: "Firewall Wizards Security Mailing List" <firewall-wizards@listserv.icsalabs.com>
> Date: Thursday, April 2, 2009, 12:30 PM
>
> Hmmm, no I don't think so.
>
> Network auditor would take care of regular stuff (e.g. your example of
> an open telnet service). Nessus, nmap, etc. Irregular stuff will be
> there no matter what, if someone knowledgeable enough spends enough time
> looking.
>
> Pen Testing has no real purpose that I can see.... Other than as a scare
> tactic to put someone in their place, get more money for security from
> admin, shame your IT department, or etc. It is more of a
> social/political tool than a security instrument.
>
> --Patrick Darden
>
>
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com
> [mailto:firewall-wizards-bounces@listserv.icsalabs.com]
> On Behalf Of
> AMuse
> Sent: Thursday, April 02, 2009 2:59 PM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] PCI DSS & Firewalls
>
> Isn't the point of pen-testing to take up an attackers' perspective and
> hit all your defenses to see if you missed something or misconfigured
> something? I mean, unless you're the only person who set up 100% of
> your infrastructure, how are you to know that someone didn't
> accidentally leave telnet open? If you didn't write 100% of the webapps
> your company is using, how are you to know they don't have SQL injection
> flaws?
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>



------------------------------

Message: 3
Date: Fri, 03 Apr 2009 12:14:29 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Bill McGee <bam@cisco.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49D643F5.9020806@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Bill McGee wrote:
> Short of a Ranum dictatorship, we really need to
> recognize that wide-eyed idealism, however well-intentioned, is never a
> reasonable replacement for dealing with the vagaries of the reality we
> actually inhabit.

Gosh, and what glorious realities they are, Bill!!! I hate to burst
your vision of polishing turds until they gleam like diamonds,
but - just in case it had escaped your notice - the approach you
are advocating does not work. Trying to patch failed designs until
they're adequate has resulted in a 15 year run-up of vulnerabilities
and the enshrining of weekly patches as "how to run production
systems." The approach you are advocating has resulted in
security experts whose best recommendations for preventing
desktops from being utterly owned is: "run 2 or 3 different AV
or anti-malware scanners and hope one of them catches it." Doing
the best you can with what you've got has resulted in an
environment where it seems every website has so many SQL
injection holes that they're using 64-bit numbers to count
them all. These are not "vagaries in reality"; they are
"epic fail"!

I take the position on these lists of being an idealist, because
it's simply ridiculous to point at the status quo and say
"that's good enough." Or worse, "we can fix it."

You also don't seem to understand that the longer we continue
pursuing failed doctrines, the worse it'll be - and the more
expensive it'll be - when/if we ever decide to really fix
things. Take, for example, all the companies that are now
scrambling around trying to figure out "where _is_ our
important data, anyway?" I bet they wish they'd thought
things through a bit more carefully 15 years ago! And, they're
going to wind up expending the same amount of effort to fix
the problem - with interest.

You seem to think that we're able to work with what we've got
but you don't understand that what we've got already isn't
working. Call me an idealist, will you? Are there any idealists
on this list who seriously think things are getting better?

If you fly aircraft regularly, you should be glad that the
people who design them are uncompromising and don't settle
for "doing the best with whatever they've got."

It's not "wide-eyed idealism" to advocate design techniques
that WORK and that you've seen work in the real world. I'm
not just blowing smoke; the techniques that I (and some of
the other wide-eyed idealists on this list) advocate result
in systems with much higher times between failure, and
dramatically reduced maintenance costs. The web site
with the enumerated connectivity on the backend that I
mentioned in my email yesterday? Because of its architecture,
it ran without a software upgrade on any of its backend
systems for 4 years. It's not wide-eyed idealism to consider
the TCO of a system as well as the costs to field it.
Wide-eyed beats the hell out of short-sighted in both
theory and practice.

"Ranum dictatorship"?? You should be so lucky.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 4
Date: Fri, 3 Apr 2009 16:36:27 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: <mjr@ranum.com>, "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <000901c9b49b$e13ad6b0$a3b08410$@com>
Content-Type: text/plain; charset="us-ascii"

Marcus J Ranum wrote:
> More to the point, if your system is configured at all
> sanely, it should be resistant to all the known attacks
> to which it's likely to be subject. So a pen test, that
> tries all the known attacks is completely worthless.

In the sense that it could add value to an organization that has configured
their systems "at all sanely," I agree. It's no help. But in the context of
baseline standards enforcement, which is what PCI-DSS tries to do, that's
the whole point. You've made their case: to make sure that systems are
resistant to all the known attacks.

At the end of the day, offensive security (scanning, pen-testing, auditing,
etc.) is testing. And some testing is ALWAYS better than no testing. Show
me a company that doesn't require testing before moving a system into
production and I'll show you a company that can afford lots of downtime.
Security has to play by these rules, too. How do you know your design is
effective? Test it.


> Not surprisingly, if
> you build your systems that way, you'll find that the
> pen testers have to bend over backwards to find a
> way they can still yell "GOTCHA!" (by doing stuff
> like the leave-a-USB-key-on-the-exec's-bmw trick)

This annoying trait has to do with the fact that most pen-testing is
outsourced to third-parties. While I understand the need for independence,
internal testers are usually better and far less afraid of admitting they
didn't find a "hole" by the simple fact that they aren't under the same
pressure to report findings every time. They don't have to.

You see this played out again in many companies' move to internal audit
teams, who then become the interface to the third party auditors. I suspect
for organizations that do this with pen-testing, they have the same
experience.

PaulM


------------------------------

Message: 5
Date: Fri, 3 Apr 2009 18:48:48 -0500
From: Joe Nall <joe@nall.com>
Subject: Re: [fw-wiz] SIP dictionary attacks
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <839776F5-987D-4A52-AB61-1F69B3FFFA20@nall.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes


On Apr 2, 2009, at 2:08 PM, Lord Sporkton wrote:

> I'm using OpenBSD as my firewall, in which there is a connection/time
> feature. I can set it to block any IP that makes X connections within
> X time. For instance, if someone connects to my ssh port more than 3
> times in 30 seconds, they get blocked. Since you're on SIP, you could do
> like, say, anyone connecting more than 5 times in 5 minutes gets
> blocked; SIP usually doesn't have that many connections, it just
> connects then it's up, sorta thing.
>
> I believe there is a version of this in iptables, but I've never seen
> it in a hardware firewall.

fail2ban can do this with iptables

joe

>
> That is at least how I solved the problem you face.
>
>
>
> 2009/4/1 Paul D. Robertson <paul@compuwar.net>:
>> Well, besides losing my voice which has given me a little time to
>> catch up
>> on things, one of my problems last week was a successful dictionary
>> attack
>> against a SIP extension with an eight digit password.
>>
>> Obviously, I've changed the passwords and lengths, but I did want
>> to make
>> sure folks knew that there were active attacks out there, and they're
>> obviously scanning for systems randomly, since the system in
>> question was
>> only recently moved to a new IP address space. The initial scans
>> came
>> from a box in China (surprise!)
>>
>> Anyway, all I've found for blocking outside of static IP address
>> ranges is
>> a bunch of check the logs and react stuff for Linux. I'm starting to
>> think IPS might actually have a use- time to Google for snort
>> inline stuff
>> I suppose.
>>
>> Attackers made about calls out to people telling them they owed
>> money.
>> Calls were initiated from Europe, Asia and the US. Likely from
>> compromised hosts.
>>
>> Paul
>> -----------------------------------------------------------------------------
>> Paul D. Robertson "My statements in this message are personal
>> opinions
>> paul@compuwar.net which may have no basis whatsoever in fact."
>> Moderator: Firewall-Wizards mailing list
>> Art: http://PaulDRobertson.imagekind.com/
>>
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
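The "X connections from one source within Y seconds, then block" rule discussed in this thread, written out as the log-driven check that fail2ban-style tools apply to a PBX log. This is an added example, not code from the list posters or from fail2ban; the log lines are constructed in an Asterisk-like shape, the threshold (5 failures in 300 seconds) follows the 5-per-5-minutes suggestion above, and the table name sip_bruteforce is an assumption. The block only builds the firewall command it would hand to pfctl or iptables; it does not execute anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the thread): one line per failed SIP
# REGISTER, in an Asterisk-like layout. 203.0.113.9 walks through extensions
# quickly; 198.51.100.7 fails twice, twenty minutes apart.
SAMPLE_LOG = """\
[2009-04-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '203.0.113.9' - Wrong password
[2009-04-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '203.0.113.9' - Wrong password
[2009-04-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@pbx.example>' failed for '203.0.113.9' - Wrong password
[2009-04-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '198.51.100.7' - Wrong password
[2009-04-01 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@pbx.example>' failed for '203.0.113.9' - Wrong password
[2009-04-01 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@pbx.example>' failed for '203.0.113.9' - Wrong password
[2009-04-01 10:20:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '198.51.100.7' - Wrong password
"""

# Matches the timestamp and the source address of a failed registration.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] .*Registration from .* "
    r"failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)'"
)


def parse_line(line):
    """Return (timestamp string, source IP) for a failed-registration line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip")


def find_offenders(lines, max_hits=5, window=300):
    """Sliding-window rate check: a source that reaches max_hits failures within
    window seconds is recorded as banned at the timestamp of the triggering line.
    Returns {ip: timestamp string}. Lines that do not parse are ignored."""
    hits = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts_str, ip = parsed
        if ip in banned:
            continue            # already blocked; nothing more to count
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = hits[ip]
        q.append(ts)
        # Drop failures that fell out of the window.
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= max_hits:
            banned[ip] = ts_str
    return banned


def block_command(ip, backend="iptables", table="sip_bruteforce"):
    """Build (but do not run) the command that would add the block.
    table is an assumed pf table name; the PF ruleset must reference it."""
    if backend == "pf":
        return ["pfctl", "-t", table, "-T", "add", ip]
    if backend == "iptables":
        return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
    raise ValueError("unknown backend: %s" % backend)


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(when, ip, " ".join(block_command(ip, "pf")))
```

Two practitioner notes on applying this to SIP. First, pf's per-source connection-rate options (max-src-conn-rate with an overload table) count TCP connections, while SIP registration normally arrives over UDP 5060, so a packet-level rate rule on the firewall sees state creations rather than authentication failures; counting failures in the PBX log, as fail2ban does, is the signal that actually distinguishes a dictionary attack from a busy, legitimate phone. Second, bans built this way should expire: the example records the ban time so a caller can unblock after a fixed interval, and a long-lived ban on a shared NAT address blocks every phone behind it.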

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 9
***********************************************
