Friday, May 01, 2009

firewall-wizards Digest, Vol 37, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: State of security technology for the enterprise (Chris Hughes)
2. Re: State of security technology for the enterprise (Paul D. Robertson)
3. Re: State of security technology for the enterprise (Paul D. Robertson)
4. Re: State of security technology for the enterprise (Marcus J. Ranum)
5. Re: State of security technology for the enterprise (Paul D. Robertson)
6. Re: State of security technology for the enterprise (Brian Loe)
7. Re: State of security technology for the enterprise (david@lang.hm)
8. Re: Email Scams, Telemarketing, and Identity Theft (Marcus J. Ranum)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Apr 2009 12:27:33 -0400
From: "Chris Hughes" <chughes@l8c.com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <EDB032DD67C34165A5B4F08A1D6CF3D7@Acer>
Content-Type: text/plain; charset="us-ascii"

Point taken on chasing new technologies; however, with new methods of
controlling access and thwarting attacks I stand to gain advantage where I
am currently vulnerable.

Good point on zones/architecture. Since I was responsible for building the
network I was sure to take security into account. The problem with internal
firewalling was the vast array of services offered and the churn of
development and implementation. Development was hampered by programmers who
were not network aware. New services are continually being brought online.
I am a team of one for security and there are nearly 150 servers and nearly
200 services riding on them. This is an organizational issue I don't expect
to be resolved here. However it's worth mentioning when you consider UTM
could potentially make it all more manageable for folks in the same boat as
me.

I share your thoughts on the vendors. So far Juniper is my favorite. I
just looked at Fortinet today in a webex and it looks ok. (Fortigate)


-------------------------------------------------------------------
From: "miedaner" <miedaner@twcny.rr.com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: "Firewall Wizards Security Mailing List"

The underlying architecture is very important to providing control.

Build in security zones, dmz, transit, low to high zones.

From layer 1-7, as you move from low to high zones, controls should increase
and each zone should be set up to detect problems.

Less is more, permit few, deny all.

You can buy all the gadgets you want, but in the arms race that has been
occurring for as long as I can remember, you will never ever be ahead of the
enemy, or clueless user, unless you don't allow it by default.
That being said, my experience:

Cisco is weak

Love Netscreen/Juniper

ISS is expensive and since IBM took them over is getting weaker

Palo Alto seems promising

Sidewinder is good

DPI is a marketing term to me

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of Chris
Hughes
Sent: Wednesday, April 29, 2009 9:31 AM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] State of security technology for the enterprise


Hello all.

I am currently developing a strategy for evolving the security for my
enterprise network. Currently I protect the core network (servers and
services) and internet with inline sensors, use HIDS on all client machines
(which performs event correlation with the inline sensors), content
filtering, AV on all hosts, SSL and IPSec VPN, and spam filtering on
the edge.

In reviewing the latest offerings I see that there are new and potentially
immature technologies that may be the direction I need to look. These
include:

DPI (deep packet inspection) firewalls

Content filtering on the firewall

SSL proxying with decryption for filtering abuse and data leak

DLP - related to ssl filtering but with the addition of protecting data at
rest from leaving the network.

VMWARE/Hypervisor sensors to protect my virtual infrastructure

The vendors' offerings I am reviewing include:

Cisco

ISS

Juniper

Fortinet

Palo Alto

If I omitted serious contenders from my list please bring them to my
attention. I also have a feature matrix I am willing to share if anyone is
interested.

Cisco has point product solutions for the most part but Juniper, Palo Alto
and Fortinet are combining some of the new abilities into a single
appliance.

I am looking for conversation on the newer technologies as well as
thoughts on combining them on a single, albeit clustered/HA, appliance versus
separate solutions for each function. Another thing I wrestle with is
single-vendor solutions versus a hybrid solution that offers some diversity
and a system of checks and balances.

Of particular interest is DPI. From what I read this will be a major
advance that really grants security admins control at the firewall that they
never had before.

Please share your thoughts.

Thanks

------------------------------


End of firewall-wizards Digest, Vol 36, Issue 39
************************************************

------------------------------

Message: 2
Date: Thu, 30 Apr 2009 16:54:57 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904301653180.4359-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 30 Apr 2009, Chris Hughes wrote:

> Point taken on chasing new technologies, however, with new methods of
> controlling access and thwarting attacks I stand to gain advantage where I
> am currently vulnerable.

You're assuming that "new technologies" will enhance your ability to
secure a particular vector. That's not always true, and new stuff often
increases the complexity of the defensive device, which can actually make
you more vulnerable rather than less.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 3
Date: Thu, 30 Apr 2009 17:06:52 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904301656590.4359-100000@bat.clueby4.org>
Content-Type: TEXT/Plain; charset=US-ASCII

On Thu, 30 Apr 2009, Chris Hughes wrote:

> "mainstream" as missing the mark. The problem is, on an enterprise level,
> most companies are not willing to look at open source solutions or vendors
> they have never heard of. They want brand names that can be supported by a
> wide audience of engineers.

I've never seen that level of reluctance at any large enterprise I've
worked or consulted for. In fact, in these economic times, "it's free" is
a lot more palatable than "you need to spend $10,000." I'd gently suggest
that the security "sale" for the requirement isn't being done well enough
if you can't choose best of breed open source tools- especially if the
argument is "wide audience of engineers." If your "wide audience" is
that narrowly focused, then I'd suggest removing the term "engineer" from
their titles and substituting "monkeys!"

> My purpose was not to offend you or become viewed as ignorant. My purpose
> is to solicit opinions on these technologies which appear to me and the
> folks I deal with as "new". I will look at IBM's offering as you suggest.

"Deep packet inspection" has been on the market as such for a number of
years as the challengers to "stateful packet inspection" looked for their
own marketing term. The "problem" with DPI is that to do it right, you
basically have to mimic the fragmentation, ordering and reassembly of an
IP stack, then know what to look for as "bad"- by the time you've written
all of that, you may as well have written a real proxy where you know the
effects of that and you've got a mature implementation that's been in the
field for years- so the code bugs are hopefully already addressed. We've
all seen how well proxies adapted to "new" stuff, and DPI has had the same
set of issues- the problem isn't so much the buzzword as the amount of
work necessary to do a good job coupled with the brain-deadedness of most
application protocols (security is not addressed in this document...)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
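Paul's point that DPI done properly has to mimic the ordering and reassembly of an IP stack, illustrated with an added example that is not part of this thread: a naive per-segment matcher beside a minimal reassembling inspector, run over constructed out-of-order TCP segments and a made-up signature.

```python
# Added example (not from the list thread): why a "deep packet inspection"
# engine must reassemble the stream before matching. A per-segment matcher
# misses a pattern that is split across two segments or delivered out of
# order; a reassembling inspector (a toy stand-in for a real TCP stack) sees it.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def per_segment_match(segments, pattern):
    """Naive 'inspection': look for the pattern inside each segment on its own."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments, isn):
    """Order segments by sequence number and stitch the contiguous payload.

    Stops at the first gap (a real stack would buffer and wait for it) and
    trims overlapping bytes so a retransmission does not duplicate data.
    """
    stream = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            break                      # hole in the stream: bytes after it are not contiguous yet
        skip = expected - s.seq        # bytes already received (overlap / retransmit)
        if skip < len(s.payload):
            stream += s.payload[skip:]
            expected = s.seq + len(s.payload)
    return bytes(stream)


def reassembled_match(segments, pattern, isn=0):
    """Inspection after reassembly, the way a proxy or real IP stack would see the data."""
    return pattern in reassemble(segments, isn)


# Constructed sample: one HTTP request line carried in three segments that
# arrive out of order, with the token "/cgi-bin/" split across two of them.
SIGNATURE = b"/cgi-bin/"
REQUEST = b"GET /cgi-bin/status HTTP/1.0\r\n"
SEGMENTS = [
    Segment(seq=13, payload=REQUEST[13:]),     # "status HTTP/1.0\r\n" arrives first
    Segment(seq=0, payload=REQUEST[0:7]),      # "GET /cg"
    Segment(seq=7, payload=REQUEST[7:13]),     # "i-bin/"
]

if __name__ == "__main__":
    print("per-segment:", per_segment_match(SEGMENTS, SIGNATURE))   # False
    print("reassembled:", reassembled_match(SEGMENTS, SIGNATURE))   # True
```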

------------------------------

Message: 4
Date: Thu, 30 Apr 2009 17:12:23 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49FA1437.7030306@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Paul D. Robertson wrote:
> "Deep packet inspection" has been on the market as such for a number of
> years as the challengers to "stateful packet inspection"

...And nobody has ever done an adequate job of explaining what is
stateful about SPI or particularly "deep" about DPI. As one of those
obnoxious guys who always did everything at Layer 7, it seems more
like an argument about who's the tallest kid in the shallow end of
the pool.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 5
Date: Thu, 30 Apr 2009 21:19:39 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904302114460.4359-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 30 Apr 2009, Marcus J. Ranum wrote:

> ...And nobody has ever done an adequate job of explaining what is
> stateful about SPI or particularly "deep" about DPI. As one of those

Oh, the stateful part was explained pretty well- as were the state tables,
it was the "inspection" part that was all over the map in SPI just like
in DPI...

> obnoxious guys who always did everything at Layer 7, it seems more
> like an argument about who's the tallest kid in the shallow end of
> the pool.

I get to have a proxy conversation with a bank tomorrow, because *all*
their literature for their ACH service requires "unrestricted Internet
access" with (at least according to the manuals) no place to even put a
proxy for the HTTPS or FTP methods. *sigh*

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 6
Date: Thu, 30 Apr 2009 20:33:43 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904301833h1f8466afi6a6bf82e419ff169@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Apr 30, 2009 at 8:19 PM, Paul D. Robertson <paul@compuwar.net> wrote:

> I get to have a proxy conversation with a bank tomorrow, because *all*
> their literature for their ACH service requires "unrestricted Internet
> access" with (at least according to the manuals) no place to even put a
> proxy for the HTTPS or FTP methods. *sigh*
>
> Paul

It's been awhile since I dealt with ACH - but I had thought that there
were "new" and "strict" requirements concerning such transactions
these days?

An argument against government intervention no doubt.

But what private association - or "body" of some sort - has worked
well in such things (dietetics association?)?


------------------------------

Message: 7
Date: Thu, 30 Apr 2009 21:04:51 -0700 (PDT)
From: david@lang.hm
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.1.10.0904302057560.5928@asgard>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Thu, 30 Apr 2009, Paul D. Robertson wrote:

> On Thu, 30 Apr 2009, Chris Hughes wrote:
>
>> "mainstream" as missing the mark. The problem is, on an enterprise level,
>> most companies are not willing to look at open source solutions or vendors
>> they have never heard of. They want brand names that can be supported by a
>> wide audience of engineers.
>
> I've never seen that level of reluctance at any large enterprise I've
> worked or consulted for. In fact, in these economic times, "it's free" is
> a lot more palatable than "you need to spend $10,000." I'd gently suggest
> that the security "sale" for the requirement isn't being done well enough
> if you can't choose best of breed open source tools- especially if the
> argument is "wide audience of engineers." If your "wide audience" is
> that narrowly focused, then I'd suggest removing the term "engineer" from
> their titles and substituting "monkeys!"

Oh, this level of reluctance is very definitely alive and well, even in
these economic times. I've got folks insisting that I rip out the working
open-source equipment and replace it with 'real' firewalls (which turns out
to mean Cisco equipment; it looks like they are going to force the
Sidewinders to be removed as well).

David Lang

------------------------------

Message: 8
Date: Thu, 30 Apr 2009 23:41:52 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Email Scams, Telemarketing, and Identity Theft
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49FA6F80.9040505@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Sam Golden wrote:
> I have had my home phone number in the National Do Not Call Registry,
> https://www.donotcall.gov/, since its inception and I have received few
> if any telemarketing phone calls.
>
> Within the last week, however, I have received more than a dozen calls.
> After brushing the first few off, I became curious and started to ask
> the callers why they were calling me. The results were startling.
>
> Each of the first three callers I asked stated that they had received an
> email from me requesting that they call me. Knowing that I hadn't done
> so, I asked for the email address. They stated they received an email
> from Goldensaaaa@gmail.com. This apparently legitimizes their calling me.

Want to guess who sent it to them?

There's cut-outs in most spam/telemarketing laws that say you
can request calls or that it's OK if there's a "prior business
relationship." It usually takes the telemarketers a few
months to figure out a way around each new law. After all,
their important message is, um, important.

After thinking it over for a few years (seriously) I've
concluded that spam and telemarketing are OK and I will
accept any amount of them as long as I still have free
speech. I don't, of course - in the US there are considerable
laws curtailing same (see 18 US 2257a for example) and the
FBI spends a lot of time and taxpayers' money going
after certain kinds of speech rather than others that
fall under the same laws. So, with spam and telemarketing
we're dealing with a social failure; the police won't
protect us and we are not given the tools to protect
ourselves. (And the phone companies will cheerfully
sell us caller-ID but then sell telemarketers the ability
to block it) Ultimately, this kind of imbalance will
continue as long as it's profitable.


> Now, while telemarketing is annoying, it started me thinking about the
> implications. Anyone can search various public archives such as 411.com
> and find a phone number for a name. Anyone can create a gmail account as
> long as they can read the "captcha". Is some "evil" telemarketing company
> hiring lots of people to generate lots of mail accounts and then offer
> these to faux-legitimize telemarketing phone calls?


Yes. That's probably what's happening. Although the
telemarketers may simply optimize by not bothering
to do it, until someone complains - THEN - send the
"please call me" fake email.


> Should I be paranoid?

Was that a serious question? I checked the date of your
post and it wasn't April 1. Did you seriously ask the
firewall-wizards if you should be paranoid?

The answer is, "of course not!" It's not paranoia
if you've ALREADY got a brain-leech installed in you
and the orbital mind control lasers are making you
dance like a puppet.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 37, Issue 1
***********************************************
