Saturday, April 30, 2011

[SECURITY] [DSA 2227-1] iceape security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2227-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
April 30, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : iceape
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-0065 CVE-2011-0066 CVE-2011-0067 CVE-2011-0069
CVE-2011-0070 CVE-2011-0071 CVE-2011-0072 CVE-2011-0073
CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078
CVE-2011-0080 CVE-2011-0081

Several vulnerabilities have been found in the Iceape internet suite, an
unbranded version of Seamonkey:

CVE-2011-0069 CVE-2011-0070 CVE-2011-0072 CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078 CVE-2011-0080 CVE-2011-0081

"Scoobidiver", Ian Beer Bob Clary, Henri Sivonen, Marco Bonardo,
Mats Palmgren, Jesse Ruderman, Aki Kelin and Martin Barbella
discovered memory corruption bugs, which may lead to the execution
of arbitrary code.

CVE-2011-0065 CVE-2011-0066 CVE-2011-0073

"regenrecht" discovered several dangling pointer vulnerabilities,
which may lead to the execution of arbitrary code.

CVE-2011-0067

Paul Stone discovered that Java applets could steal information
from the autocompletion history.

CVE-2011-0071

Soroush Dalili discovered a directory traversal vulnerability in
handling resource URIs.

The oldstable distribution (lenny) is not affected. The iceape package only
provides the XPCOM code.

For the stable distribution (squeeze), this problem has been fixed in
version 2.0.11-5.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.14-1.

We recommend that you upgrade your iceape packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk28IWoACgkQXm3vHE4uylrDDgCg1ZXfEbX8VEDGzDuv1SEmoC6V
5KEAoJ3cyOzWZW636lNOfKblmUtlqlxq
=hCFE
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110430145224.GA3694@pisco.westfalen.local

Friday, April 29, 2011

Keep IT costs low. Replace your legacy applications now.

Special Notification from NetworkWorld and HP for NetworkWorld Customers Only

How to transform aging applications and infrastructure?

Applications are at the heart of innovation for businesses and governments. But today many enterprises struggle with too many applications, some of which are aging and inflexible. That diminishes their ability to deliver the products and services customers and citizens' demand.

HP can help you gain control over legacy applications, inflexible processes and infrastructure that impede their responsiveness and slow progress. And that can help them grow and innovate.

To get started on an application transformation journey—a key step to becoming an Instant-On Enterprise—HP offers:

  • Applications Transformation Experience Workshop, a unique, slide-free workshop helps enterprises clarify their current situation, develop a clear understanding of enterprise drivers, challenges and ongoing modernization initiatives then form a picture of what an application transformation journey should look like.
  • Applications Modernization Assessment to find out the impact that modernization can have on their organization.
  • TCO challenge to see how much cost, businesses & governments can save through an application infrastructure refresh.

    To learn more about HP's Application Transformation solutions, download the "HP Application_Transformation Solution brief" or visit us at www.hp.com/go/applicationtransformation




  • When you subscribed to Network World, Network World Newsletters, Network World Events or NetworkWorld.com you indicated that you wished to receive relevant 3rd party information via email. If you wish to discontinue receiving this type of message simply go here.

    Network World, 118 Turnpike Road, Southborough, MA 01772

    Security Management Weekly - April 29, 2011

    header

      Learn more! ->   sm professional  

    April 29, 2011
     
     
    Corporate Security
    1. "ZTE Sues Huawei in China for Patent Infringement Over 4G Tech"
    2. "Workplace Deaths in Bethesda, Hostage Crisis in Silver Spring Prompt Workplace Safety Seminar" Maryland
    3. "Advocates Say Domestic Violence Spills Into Workplace"
    4. "Report Finds Workplace Violence Still a High Risk, but Awareness Growing"
    5. "France Telecom Employee Burns Self to Death Outside of Workplace"

    Homeland Security
    1. "Bomb Kills at Least 14 in Morocco"
    2. "Egypt Gas Pipeline Bombing Halts Flow"
    3. "Lawmakers Under Threat"
    4. "Taliban Jailbreak Rattles Afghan South"
    5. "WikiLeaks Exposes Guantanamo Documents"

    Cyber Security
    1. "PlayStation Hackers May Have Stolen Data From 75 Million Users, Sony Says"
    2. "Visa: Payment Card Industry Needs to Work Smarter, Not Harder, to Increase Security"
    3. "Attackers Can Use IPv6 to Launch Man-in-the-Middle Attacks"
    4. "Defining Enterprise Security Best Practices for Self-Provisioned Technology"
    5. "DHS Chief: What We Learned From Stuxnet"

       

     
     
     

     


    ZTE Sues Huawei in China for Patent Infringement Over 4G Tech
    Reuters (04/29/11) Yee, Chyen Lee; Yuntao, Huang

    ZTE Corp has filed a patent infringement case against Huawei Technologies Co., regarding a fourth-generation long-term evolution (LTE) technology. This suit follows a similar legal challenge made by Huawei against ZTE in Europe for trademark infringement. Huawei claims that ZTE infringed on a series of patents for data card and LTE technology. The suit also claims that ZTE also illegally used a trademark registered to Huawei on some data card products.


    Workplace Deaths in Bethesda, Hostage Crisis in Silver Spring Prompt Workplace Safety Seminar
    Gazette.Net (04/28/11) Ruoff, Alex

    The Greater Bethesda-Chevy Chase (Md.) Chamber of Commerce is holding a workplace safety seminar on May 3. During the event, police officers and business owners will present tips and procedures that will help employers keep their workers safe. One thing that companies can do to prevent workplace violence is to perform background and reference checks on job candidates, said Elise Ambrose, the owner of a company that helps employers perform such checks. Ambrose will be one of the speakers at the seminar. The event is being held in the wake of several incidents of workplace violence in Montgomery County, Md., which is the county where Bethesda and Chevy Chase are located. Among those incidents was the murder of an employee at the lululemon athletica store in Bethesda on March 11. The employee is believed to have been killed by one of her colleagues. In January, an employee at Suburban Hospital in Bethesda allegedly killed his supervisor. In addition, three people were taken hostage at the Discovery Communications building in nearby Silver Spring last September.


    Advocates Say Domestic Violence Spills Into Workplace
    WABE (04/28/11) Wirth, Michelle

    Domestic violence, which affects 25 percent of women, can have an effect on the workplace. According to advocates for domestic violence victims, domestic violence can result in high rates of absenteeism, increased health care costs, and lower rates of productivity. Susan Rodriguez, a spokeswoman for the Partnership Against Domestic Violence (PADV), said that it is important that companies raise awareness about this problem so that they send the message to employees that they care. In order to do this, companies should develop policies to deal with domestic violence and the workplace and should provide managers and employees with prevention training to help them identify victims of workplace violence. Kaiser Permanente in Atlanta was able to identify at least seven cases of domestic violence after providing such training last year. One case involved a woman who was being abused and stalked by her husband. The company moved the employee and provided the woman's family with counseling, resulting in a successful outcome for the situation, said Linda Boatwright, the company's director of employee and labor relations. However, other domestic violence victims are not as lucky, as homicides are the second leading cause of death among women in the workplace.


    Report Finds Workplace Violence Still a High Risk, but Awareness Growing
    Security Director News (04/26/11) Stelter, Leischen

    The recently-released 2011 Workplace Violence Fact Sheet shows that workplace homicides are the third leading cause of death at workplaces. The fact sheet noted that there are an average of 590 workplace homicides each year, meaning that more than 5,900 people have been killed while at work over the past 10 years. Those numbers do not include attempted workplace murders or suicides that happen at work, said Barry Nixon, the founder and executive director of the National Institute for the Prevention of Workplace Violence. Nixon added that the number of incidents of workplace violence appears to be on the decline, thanks in part to decisions by the government and a number of organizations to boost funding for security. In addition, Nixon noted that companies seem to be learning that preventing acts of workplace violence is better than simply reacting to such incidents, as more companies are asking his organization with help in developing preventative and proactive programs. Nixon said that there is more that companies can do to prevent acts of workplace violence, including engaging in regular and direct communications with employees about their role in preventing workplace violence, and training supervisors to properly handle employee concerns about the potential for violence.


    France Telecom Employee Burns Self to Death Outside of Workplace
    BetaNews (04/26/11) Conneally, Tim

    The rash of suicides that has taken place over the last several years at France Telecom-Orange continued on Tuesday when a 57-year-old employee set himself on fire at the company's Merignac-Pichey branch. The man, who had worked for France Telecom for 30 years, is the second employee to kill himself this year and one of more than 50 who have taken their own lives since 2008. Many of the suicides have been committed by employees whose positions were eliminated as part of France Telecom's transition from the public sector to the competitive deregulated market. The French Supreme Court launched an investigation into the rash of suicides at France Telecom, as well as allegations of employee harassment, last year.




    Bomb Kills at Least 14 in Morocco
    Associated Press (04/29/11)

    At least 14 people were killed on Thursday when a bomb went off in a café that is popular with tourists in Marrakech, Morocco. The bombing, which took place in Marrackech's Djemma el-Fna square, which is one of the country's top tourist attractions, also injured at least 23 people. Among the casualties were at least 11 foreigners. It remains unclear who was responsible for the bombing, which blew off most of the café's façade. A Moroccan government spokesman said that the country breaks up cells linked to al-Qaida in the Islamic Maghreb on a regular basis and has foiled several terrorist plots, though nothing led the government to believe that an attack was coming on Thursday. Morocco has been largely peaceful since a 2003 terrorist attack in Casablanca that killed 33 people, though there has been some terrorist activity since then. In April 2007, for example, two suicide bombers attacked the U.S. consulate in Casablanca. In Niger, al-Qaida in the Islamic Maghreb kidnapped four Frenchmen last year. The group is still holding the hostages.


    Egypt Gas Pipeline Bombing Halts Flow
    Wall Street Journal (04/28/11) Mitnick, Joshua; Bradley, Matt

    Bedouins are believed to have been responsible for an attack on a natural-gas pipeline in Egypt's Sinai peninsula on Wednesday. The attack was carried out by five masked gunmen who infiltrated a measuring station located outside a town in Sinai. The attackers then placed a bomb on the pipeline that subsequently exploded. No one was injured in the attack, though the explosion cut off natural gas supplies to Israel and Jordan. The attack could be an indication that the political turmoil in Egypt has given Bedouins, who have been fighting an open war with Egyptian police for several years now, an opportunity to attack government targets. The bombing could also make it more difficult for Egyptian security forces to protect pipeline infrastructure. The Sinai Peninsula has become increasingly lawless since Egyptian police left the region following the anti-government protests that took place in the country in January. Bedouin leaders said that police have only returned to one city in North Sinai, and that the rest of the northern part of the region is still essentially lawless. However, a North Sinai security official said that police have returned to all areas of the peninsula.


    Lawmakers Under Threat
    The Hill (04/27/11) Yager, Jordy

    FBI records released under a Freedom of Information Act request show that the bureau opened, investigated, and closed at least 26 cases of alleged threats against both Democratic and Republican lawmakers last year. The number of threats against lawmakers in 2010 was the highest on record. Nearly half of those threats occurred in the weeks before President Obama signed the controversial healthcare reform measure into law in March 2010. Among the lawmakers that received threats were then-House Speaker Nancy Pelosi (D-Calif.), Senate Minority Leader Mitch McConnell (R-Ky.), and current House Majority Leader Eric Cantor (R-Va.). The families of lawmakers were also threatened. Former Rep. Walt Minnick (D-Idaho), for example, received a letter in March 2010 warning him that he risked getting shot while taking his children to soccer practice. Most of the people behind these threats were not prosecuted, in part because the FBI was unable to identify individuals who made threatening calls to lawmakers. However, some individuals who threatened lawmakers have been successfully prosecuted, including a man who threatened former Rep. John Boccieri (D-Ohio).


    Taliban Jailbreak Rattles Afghan South
    Wall Street Journal (04/26/11) Abi-Habib, Maria; Totakhil, Habib Khan

    Several hundred prisoners were freed from a prison in southern Afghanistan over the weekend by the Taliban. The prison break began shortly before midnight on Sunday, when armed Taliban militants appeared in the facility in Kandahar and urged the detainees--including a number of Taliban shadow governors and bomb makers--to follow them through a tunnel that had been built from the prison to a house about a mile and a half away. About six hours after the prison break began, guards at the facility noticed that all of the political prisoners were missing. According to the Taliban, 541 individuals--including 106 Taliban commanders--were freed from the prison, though Afghan officials put the number of escapees at 475. The escaped prisoners are believed to have dispersed throughout the region. However, Afghan security forces have recaptured 34 of the escaped inmates and have killed two others in a shootout. This is not the first time that prisoners at the facility have escaped with the help of the Taliban. The group also launched a prison break at the facility in 2008, freeing roughly 900 inmates. Canada, which oversaw security in Kandahar until 2010, subsequently took steps to boost security and train wardens at the prison.


    WikiLeaks Exposes Guantanamo Documents
    Associated Press (04/25/11)

    Several U.S. and European newspapers on Sunday published Detainee Assessment Briefs (DABs), or military detainee assessments, dealing with inmates at the Guantanamo Bay detention facility. The files were given to the news organizations by WikiLeaks, though it remains unclear whether the documents were published with WikiLeaks' consent or not. The documents contain information on more than 700 interrogations with terrorist suspects as well as information on the intelligence value and the threat posed by detainees. Among the detainees mentioned in the documents was Khalid Sheikh Mohammed, the alleged ringleader of the September 11, 2001 terrorist attacks. The documents show that Mohammed ordered a Maryland resident to kill former Pakistani President Pervez Musharraf. In addition, the documents included information about the actions of Osama bin Laden and his top deputy in the wake of the Sept. 11 attacks. The release of the documents has been criticized by several officials in the Obama administration, who said that the documents were obtained illegally by WikiLeaks and should not have been published.




    PlayStation Hackers May Have Stolen Data From 75 Million Users, Sony Says
    Bloomberg (04/27/11) Edwards, Cliff; Alpeyev, Pavel

    The personal data of tens of millions of customers of Sony's PlayStation Network and its Qriocity online service may have been compromised in a recent security breach. The breach on the PlayStation network, which provides customers with access to online games, movies, and television programs, took place from April 17 to April 19. The Qriocity service, which offers movies or music to users of Web-connected Bravia TVs and Blu-ray players in 11 different countries, was also affected by the breach because Sony had combined data about its PlayStation Network customers with Qriocity. The attack may have resulted in the theft of the credit-card data, billing addresses, and other personal information of 77 million PlayStation Network and Qriocity customers. However, there is currently no evidence that any credit card data has been taken, said Sony spokesman Patrick Seybold. The attacker or attackers are also believed to have taken users' names, e-mail addresses, birthdays, log-in information, and transaction histories. In the wake of the breach, Sony has asked a security firm to conduct a thorough investigation and to make its PlayStation Network more secure. Meanwhile, Sen. Richard Blumenthal (D-Conn.) is criticizing Sony for taking six days to notify its customers about the breach, and has said that the company should provide affected users with financial data security services and identity theft insurance.


    Visa: Payment Card Industry Needs to Work Smarter, Not Harder, to Increase Security
    Infosecurity (USA) (04/27/11)

    Visa's Ellen Richey argued at the fourth Visa Global Security Summit that the payment card industry needs to adopt smarter technologies and risk evaluations to counter the threat of evolving cybercriminals. "We need to use all the intelligence we have at our disposal," she said. Richey cited tokenization and encryption as examples of techniques to make the card data environment smaller and lower the risk of exposure. She noted that card data is safer today, with nearly 100 percent of merchants worldwide no longer storing sensitive cardholder data on their systems and 75 percent of them having verified ongoing PCI compliance. Still, Richey pointed out that consumers continue to cite security as their leading worry when using payment cards, and referred to data showing that 61 percent of consumers think that cybercriminals are one step ahead of the card industry in terms of data security and fraud. Richey said earning consumer trust is a major challenge, noting that maintaining that trust is a central goal of summit attendees. She offered three fraud prevention suggestions—the spread of smarter payment devices that include chip-and-PIN cards, more intelligent payment transaction networks, and greater adoption of cardholder authentication methods such as two-factor authentication.


    Attackers Can Use IPv6 to Launch Man-in-the-Middle Attacks
    eWeek (04/26/11) Rashid, Fahmida Y.

    Organizations face multiple information security challenges as they switch from IPv4 to IPv6, according to security analysts. The difficulties are exacerbated by the fact that some attackers are using the IPv6 address domain to inject attacks into IPv4 networks. Although many organizations have been slow to adopt IPv6, many cybercrooks have already made the switch, says Sophos' James Lyne. Many scammers are disseminating spam over the IPv6 infrastructure and taking advantage of poorly configured firewalls. Many modern firewalls are configured by default to just let IPv6 traffic go through, Lyne notes. Organizations not planning to use IPv6 traffic should be establishing rules to explicitly block IPv6 packets, according to Lyne. "From an industry standpoint, we are selling IPv6 wrong," he says, noting that there has been little discussion about how the standard's built-in features help bolster privacy. Rather, the general perception of IPv6 as being difficult to implement or confusing has made organizations vulnerable to possible attacks.


    Defining Enterprise Security Best Practices for Self-Provisioned Technology
    SearchSecurity.com (04/26/11) Wang, Chenxi

    Almost 40 percent of information workers in different organizations are using some type of self-provisioned technology, while 25 percent of companies are using some type of cloud computing, according to a new Forrester survey. The survey also found that half of enterprises currently support a minimum of two mobile platforms. Although these technologies can create risks for companies, they also can improve productivity, which means that chief information security officers have had a difficult time keeping them out of their companies. However, security and risk professionals can follow several best practices in order to mitigate these risks, including establishing or participating in a central governing task force made up of representatives from security, enterprise architecture, legal and compliance, human resources, and major business functions. This task force should work to create a set of adoption standards that include technology platforms, risk tolerance levels, and conditions for adoption. Next, security and risk professionals should use the standard employee code of conduct to develop a set of acceptable use policies or guidance for self-provisioned technologies, though these policies and guidance should include specific stipulations for the use of technologies such as social media and mobile devices. CISOs also should communicate adoption standards and acceptable use policies to employees, preferably through the existing internal communications/marketing department, though this can also be done with the help of the human resources department or through employee training. Finally, the task force may need to be advised on whether or not to use technology to perform management oversight.


    DHS Chief: What We Learned From Stuxnet
    IDG News Service (04/25/11) McMillan, Robert

    Homeland Security Secretary Janet Napolitano gave a speech to engineering students at the University of California, Berkeley, on April 25 about the Stuxnet worm, which was the first worm to target factory control systems. According to Napolitano, the lesson that needs to be learned from the Stuxnet attack is that the private sector needs to respond to cyberattacks more quickly. Napolitano noted that a rapid response is necessary because cybercriminals are using very sophisticated and innovative ways of attacking computer systems. Security expert Bob Radvanovsky, meanwhile, said that Siemens--whose equipment was targeted by Stuxnet--and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is responsible for communicating with the operators of industrial systems, could have been better about passing information about Stuxnet along to the public. Radvanovsky noted that ICS-CERT has never posted information that was not already known to those participating in his discussion list.


    Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


      ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
    Security Newsbriefs. Please click to see a sample or to contact us for more information.

    Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

    firewall-wizards Digest, Vol 57, Issue 14

    Send firewall-wizards mailing list submissions to
    firewall-wizards@listserv.icsalabs.com

    To subscribe or unsubscribe via the World Wide Web, visit
    https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
    or, via email, send a message with subject or body 'help' to
    firewall-wizards-request@listserv.icsalabs.com

    You can reach the person managing the list at
    firewall-wizards-owner@listserv.icsalabs.com

    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of firewall-wizards digest..."


    Today's Topics:

    1. Re: Proxies, opensource and the general market: what's wrong
    with us? (David Lang)
    2. Re: Proxies, opensource and the general market: what's wrong
    with us? (Magos?nyi ?rp?d)
    3. Re: Proxies, opensource and the general market: what's wrong
    with us? (ArkanoiD)
    4. Re: Proxies, opensource and the general market: what's wrong
    with us? (Claudio Telmon)


    ----------------------------------------------------------------------

    Message: 1
    Date: Thu, 28 Apr 2011 18:52:16 -0700
    From: David Lang <david@lang.hm>
    Subject: Re: [fw-wiz] Proxies, opensource and the general market:
    what's wrong with us?
    To: <firewall-wizards@listserv.cybertrust.com>
    Message-ID: <503aa1e6a026995f7ce330fc715db43a@lang.hm>
    Content-Type: text/plain; charset=UTF-8; format=flowed

    On Thu, 28 Apr 2011 12:35:58 -0700, Tracy Reed wrote:
    > On Thu, Apr 28, 2011 at 08:05:20AM +0200, Magos?nyi ?rp?d spake
    > thusly:
    >> But it is not. Network perimeter defence is an industry seriously
    >> hit by marketing bullshit from some vendors, who could not come out
    >> with a decent firewall, so redefined the term to be applicable to
    >> their products.
    >
    > The proliferation of BS is a serious problem. Buzzwords are
    > everywhere.
    > It is hard to know what really provides value/security and what is
    > just
    > buzzwords and lengthening the bullet list of features to make the
    > product more attractive.
    >
    >> Doing this they came out with a definition which goes against basic
    >> security principles and empties the meaning of the word to the
    >> extent which makes nearly pointless to have "firewalls".
    >
    > I think it would be hard to make the argument that it is pointless to
    > have packet filters. How would defining a firewall as a packet filter
    > go
    > against basic security principles? You could then simply say you need
    > a
    > firewall (packet filter) AND these various other proxies and tools to
    > secure your network. Perhaps we are not really doing ourselves a
    > favor
    > by overloading the word "firewall" to such an extent?

    you are misunderstanding us.

    nobody is claiming that packet filters are not firewalls, what we are
    arguing against is the idea that is stuck in many people's head that
    firewalls are _only_ packet filters.

    I work in a banking company, and I have had arguments with architect in
    both the operations and development fields that our firewalls are wrong
    because they are trying to do more than just restrict by port, that that
    is all a firewall is supposed to do, anything else is some other type of
    device, but whatever it is, it's not a firewall.

    >> This led to a state of affairs where there is practically no
    >> discussion about a lot of important questions of network perimeter
    >> defense, because the majority of the "firewall" people are kept in a
    >> darkness about the issue to the extent that they do not have the
    >> background even to ask the right questions.
    >
    > What are some of the questions that you feel get overlooked?

    when people get the mindset that _all_ a firewall is is a packet
    filter, the only questions they ask are what ports does a particular
    tool use. If they realize that a firewall can do more, they can start to
    ask questions about what the protocol is, what enforces it, and if you
    are really lucky, what functionality does the protocol offer, and what
    subset of what is offered is really needed in this case (because I have
    yet to see a protocol defined where all functions are needed in all
    cases, outside of single-use situations). It's very common that the
    things outside of that subset can be a significant danger, but if you
    only think of a firewall as a packet filter, you don't even think of
    these sorts of questions, because your firewall couldn't possibly
    enforce anything.


    >> This means that even though those same vendors now would be in the
    >> position to implement actually meaningful features, they do not do
    >> it because they have conditioned their consumers to not think about
    >> such things.
    >
    > I think they have simply failed to educate the customer of the value
    > of
    > those features. The vendors are constantly looking for ways to
    > differentiate themselves in what has fast become a commodity market.
    > Why doesn't the customer care? If I see two boxes on the shelf with
    > the
    > same price but one seems to offer more security than the other I'm
    > going
    > to buy that one. But the additional perceived security just isn't
    > there
    > for the customer.

    you are a _very_ rare consumer. The problem is that the device that
    provides more security is either going to be slower, or more expensive
    than the device that provides less, simply based on the fact that
    implementing security requires checking things, and that takes cpu
    cycles, so you either have the same hardware, but are slower, or you
    have more expensive hardware to get the same speed.

    this ignores the fact that the big name vendors have turned the
    benchmarking game into such a fiasco that experienced people discount
    their rated numbers by about an order of magnitude to figure what they
    will really get when they start turning checking on.

    I've had management complain when I purchased proxy firewalls rated at
    8Gb/sec to connect to an internet connection slightly under 1Gb/sec,
    they ended up replacing them with Cisco devices rated at something like
    20+Gb/sec, however if you turned on logging of connections (and
    especially logging of blocked connections), it turned out that the Cisco
    devices couldn't keep up with the traffic.

    >> When you see someone trying to correct this "firewall = packet
    >> filter" nonsense, you actually see a vain attempt to correct these
    >> mistakes. Because the first step is to meaningfully discuss
    >> something is to have meaningful definitions.
    >
    > I understand and appreciate that a firewall can be more than just a
    > packet filter. But to insist that a packet filter is not a firewall
    > does
    > not seem to accomplish anything because then you have to define
    > exactly
    > what a firewall really does require to be called a firewall which can
    > get quite complicated.

    as I've stated above, many people don't accept, let alone appreciate
    that a firewall can be more than a packet filter.

    even in this thread, the subject of which is opensource proxies, the
    response from several people was "you're wrong, just look at X" where X
    is a packet filter tool.

    > The idea that all of that functionality should be in one box or
    > provided
    > by one vendor bothers me also. It seems to violate the UNIX
    > philosophy
    > of do one thing and do it well.

    things get rather complicated when you try to split the functionality
    between multiple boxes, especially if your application isn't proxy
    aware. you either end up with a bunch of boxes daisy-chained, or you end
    up with one box splitting the traffic to go to other boxes (and if you
    have NAT involved, this can get _really_ fun)

    it's also much easier to secure a smaller number of boxes.

    that's not saying that multiple systems can't work, but if you can run
    the multiple types of security on one system, why would you want to
    split them across multiple systems?

    the Unix philosophy is not one system to do one thing and do it well,
    it's one _tool_ to do one thing and do it well. If I can run many tools
    on one system (and have the processing power to do so), that's a really
    good thing, because I can then combine the tools in ways that I can't do
    if they are on separate systems.

    David Lang


    ------------------------------

    Message: 2
    Date: Fri, 29 Apr 2011 06:30:32 +0200
    From: Magos?nyi ?rp?d <mag@magwas.rulez.org>
    Subject: Re: [fw-wiz] Proxies, opensource and the general market:
    what's wrong with us?
    To: Firewall Wizards Security Mailing List
    <firewall-wizards@listserv.icsalabs.com>
    Message-ID: <4DBA3EE8.7010705@magwas.rulez.org>
    Content-Type: text/plain; charset=UTF-8; format=flowed

    On 2011-04-28 21:35, Tracy Reed wrote:
    > On Thu, Apr 28, 2011 at 08:05:20AM +0200, Magos?nyi ?rp?d spake thusly:
    >
    >> Doing this they came out with a definition which goes against basic
    >> security principles and empties the meaning of the word to the
    >> extent which makes nearly pointless to have "firewalls".
    > I think it would be hard to make the argument that it is pointless to
    > have packet filters.

    Yes, packet filters are needed to have basic domain separation. But that
    can be achieved in the routers as well.
    Yes, separation of security controls from operation is a good practice,
    but you
    1. cannot do meaningful separation without net ops anyway
    2. can designate routers to that
    Yes, there are still some possible minor functionality losses and other
    problems, but honestly I have seen complex firewall setups which would
    have been achieved better with some routers. Yes, this is not always the
    case, this is why I have used the word "nearly".

    > How would defining a firewall as a packet filter go
    > against basic security principles? You could then simply say you need a
    > firewall (packet filter) AND these various other proxies and tools to
    > secure your network. Perhaps we are not really doing ourselves a favor
    > by overloading the word "firewall" to such an extent?

    SPF technology is what goes against basic security principles, namely
    "default deny".
    I don't like to argue about words, because they are just labels, and if
    there is an agreement on the meaning of the label, it is utterly
    unimportant how the label looks like.
    This is why it would have been totally perfect to define "firewall" as
    packet filter at the beginning. (Only that firewalls were invented to do
    things which packet filters cannot.)
    But if you redefine a word to mean much less than it have meant before,
    you will have a gap.
    When the auditor recommends firewall to defend an application, it means
    "defend", which is much more than "separate mostly, but leave it wide
    open on the biggest attack vectors".


    >> This led to a state of affairs where there is practically no
    >> discussion about a lot of important questions of network perimeter
    >> defense, because the majority of the "firewall" people are kept in a
    >> darkness about the issue to the extent that they do not have the
    >> background even to ask the right questions.
    > What are some of the questions that you feel get overlooked?
    >

    Information flow control policy, labeling, the relationship of network
    perimeter defense to the enterprise data-, application-, and technical
    architecture.
    You might have noticed that DoD have invented the notion(buzzword) of
    "enclave". I haven't seen much discussion even here on how that notion
    can be interpreted for various cases in the commercial world.

    >> This means that even though those same vendors now would be in the
    >> position to implement actually meaningful features, they do not do
    >> it because they have conditioned their consumers to not think about
    >> such things.
    > I think they have simply failed to educate the customer of the value of
    > those features. The vendors are constantly looking for ways to
    > differentiate themselves in what has fast become a commodity market.
    > Why doesn't the customer care? If I see two boxes on the shelf with the
    > same price but one seems to offer more security than the other I'm going
    > to buy that one. But the additional perceived security just isn't there
    > for the customer.

    My point is exactly that the lack of customer education from vendors is
    the direct result of the marketing campaign which redefined the meaning
    of firewall:
    After saying so many times that whole classes of security functions
    doesn't belong to firewalls, it would be so inconsistent to state that
    firewalls should have those functions, that even customers in the US
    would have noticed that there is something wrong there.


    >> When you see someone trying to correct this "firewall = packet
    >> filter" nonsense, you actually see a vain attempt to correct these
    >> mistakes. Because the first step is to meaningfully discuss
    >> something is to have meaningful definitions.
    > I understand and appreciate that a firewall can be more than just a
    > packet filter. But to insist that a packet filter is not a firewall does
    > not seem to accomplish anything because then you have to define exactly
    > what a firewall really does require to be called a firewall which can
    > get quite complicated.
    >
    > The idea that all of that functionality should be in one box or provided
    > by one vendor bothers me also. It seems to violate the UNIX philosophy
    > of do one thing and do it well.

    You have a very valid point here. Do one thing and do it well. This is
    why a firewall doesn't do packet filtering or tcp session handling.
    It leaves those functions to the operating system; using, defining and
    controlling them in the same way an application uses, defines and
    controls the underlying database.


    ------------------------------

    Message: 3
    Date: Fri, 29 Apr 2011 14:26:13 +0400
    From: ArkanoiD <ark@eltex.net>
    Subject: Re: [fw-wiz] Proxies, opensource and the general market:
    what's wrong with us?
    To: Firewall Wizards Security Mailing List
    <firewall-wizards@listserv.cybertrust.com>
    Message-ID: <20110429102613.GA12161@eltex.net>
    Content-Type: text/plain; charset=koi8-r

    On Thu, Apr 28, 2011 at 06:21:35PM -0700, david@lang.hm wrote:
    > the fact that you need to direct me to use a CVS snapshot because all the
    > tarballs are too old is a realy good indicator of the problem.

    Just check out HEAD. Or, even better, I will upload new snapshot today.

    > I looked at openfwtk when it was first announced, and at that time it
    > wasn't ready to replace all the parts of fwtk that I use, so I didn't move
    > to it. i've checked back once in a while, but without seeing new releases
    > it hasn't seemed like there was anything new to test.
    >
    > I would suggest moving to git or similar DVCS so that you can create a
    > fork for developing each new feature and then as each one gets done, merge
    > it in to the main trunk rather than having to either keep development out
    > of the main repository, or have each snapshot get a fairly random state of
    > functionality between all the development.

    CVS branches are ok as well..


    ------------------------------

    Message: 4
    Date: Fri, 29 Apr 2011 10:22:45 +0200
    From: Claudio Telmon <claudio@telmon.org>
    Subject: Re: [fw-wiz] Proxies, opensource and the general market:
    what's wrong with us?
    To: Firewall Wizards Security Mailing List
    <firewall-wizards@listserv.icsalabs.com>
    Message-ID: <4DBA7555.5030506@telmon.org>
    Content-Type: text/plain; charset=ISO-8859-1

    On 04/29/2011 06:30 AM, Magos?nyi ?rp?d wrote:

    > You have a very valid point here. Do one thing and do it well. This is
    > why a firewall doesn't do packet filtering or tcp session handling.
    > It leaves those functions to the operating system; using, defining and
    > controlling them in the same way an application uses, defines and
    > controls the underlying database.

    First, let me say that I probably missed "some" discussions on this, I
    didn't really read this mailing for long time (I got bored as most
    messages were something like: how can I configure this on a PIX ;) ).
    However, to my knowledge packet filters have always been considered
    firewalls: the definition has been usually based on function (enforcing
    a security policy on network traffic) and not on technology. I also
    checked some old books, including Cheswick's and Chapman's "old
    testaments", and they all confirm that even a static/stateless packet
    filter has always been called "a firewall". Now many think that a packet
    filter it's the only kind of firewall because (almost?) every well-known
    product is a packet filter.

    Proxies have been mostly put on top of an operating system's tcp/ip
    stack, but I wouldn't say that this is a benefit, it's just simpler. The
    tcp/ip stack of an os has a lot of code that is useless for a firewall,
    be it a router or a proxy, and that could include bugs. Also, it
    executes at a high privilege, with the obvious consequences. And, it may
    lack some functionality that can be proper for a firewall, including
    detailed logging (you have logging in netfilter, but that's a firewall
    component, not part of the os functionality). A proper solution would be
    to use a user-level tcp/ip stack: some exist, but nobody uses them for
    the obvious reasons.

    Also, having more devices (e.g. separating a packet filter from a proxy,
    and from a VPN concentrator, etc.) means more complexity and more
    errors/bugs.

    I wouldn't say that most users think that blocking ports is the only
    thing a firewall should/can do. Almost every device has currently this
    basic functionality, including routers, load balancers etc., so
    companies buying an expensive firewall expect it to do something more.
    The problem is, if they know what, and if they get it or not ;)

    ciao

    - Claudio

    --

    Claudio Telmon
    claudio@telmon.org
    http://www.telmon.org

    ------------------------------

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


    End of firewall-wizards Digest, Vol 57, Issue 14
    ************************************************

    Equip the iPhone for Enterprise Productivity

    Solve specific security and management issues to maintain control and ensure compliance. Learn more >>

    ITworld

    Equip the iPhone for Enterprise Productivity

    The iPhone's popularity has generated high demand for enterprise use. But before adoption takes place, IT departments must solve specific security and management issues to maintain control and ensure compliance. Watch this video to learn how Sybase can help integrate the iPhone into your enterprise.

    View Now

    View Now!


    Learn how to make cloud an integral part of your enterprise storage and data protection strategy.
    Forward this to a Friend >>>
    SUBSCRIPTION SERVICES - You are currently subscribed as security.world@gmail.com. If you do not wish to receive future mailings from ITworld Online Resources, need to change your email or other preference, please visit: http://optouts.itworld.com/index.html?dept_id=43&emid=pyKllpH2BklbiwYMiAs0tyXjVZiIkK3IkTINkLYjHcM%3d

    If the above URL is not enabled as a link, please copy it in to your browser window to access our Subscription Page.

    View ITworld's online
    privacy policy .

    Copyright 2011 | ITworld | 492 Old Connecticut Path | Framingham MA 01701 | www.ITworld.com  

     

    Salary & Skills Trends - Green IT - SMB Cost Savings

     
     
    Discover Worldwide Business Knowledge
     
    gry arrow Latest Global Salary Survey
    gry arrow Green IT Overview eBook
    gry arrow Worldwide Skills Shortage Guide
    gry arrow Hosted Voice White Paper
     
    Welcome to this week's Friday newsletter. This week you'll find the latest global salary guide, an eBook on environmentally friendly IT, and a paper on the worldwide skills shortage. Plus, you'll learn how to cut costs with a hosted voice solution. From 2nd May our blog will be getting bigger. It will include more topical features from global experts, more local opinions on the worldwide business and IT market, and more of your diverse experiences from around the world! Check it out here: http://www.idgconnect.com/blog.
     
    Salary Update: 2011 Global Income Survey
    When considering your career, the remuneration package is an important consideration, especially in today's unsteady job market. The latest salary survey from Robert Walters details starting salaries for top industries, broken down by country and region. Read now for details of the average salaries in IT, accounting and finance, sales and marketing, HR, legal, secretarial, and more sectors in your region and across the world.
     
    Download the white paper
     
    Green Planet: ICT for a Low-Carbon Future
    According to a recent study, energy-related CO2 emissions are set to increase by 45% over the next 20 years. Companies and governments all over the world are urging us to think about the environment and to act green to help prevent this. This eBook discusses the role of IT in this initiative, reveals the impact of the telecoms and IT industries on the environment, and looks at what can be done to reduce this. Download now and learn how the IT industry can help contribute to a low-carbon future.
     
    Download the white paper
     
    Today's Market: Skills and Shortages Guide
    While many areas of the employment market remain stagnant or at a slow pace of growth, some parts are crying out for people with specific skills to fulfill the needs of the industry. This World Economic Forum report on global talent risk reveals where the skills shortages lie and how to fill in the talent gap. Click here to read about the skills shortages by industry and region.
     
    Download the white paper
     
    Hosted Voice: How to Cut Costs in your SMB
    The promise of cost savings has always been a key motivator of VoIP adoption for businesses of all sizes. SMBs can see an even greater result with hosted solutions. With a hosted voice solution, phone system functionality is hosted by the provider and accessible from any business location. For this reason, hosted voice is more flexible and easy to manage than a premise-based solution, resulting in immediate and long term cost savings. Learn about the savings and other benefits you could achieve with hosted voice solutions in this paper.
     
    Download the white paper
     

    Kind regards

    Kasey Cassells
    e-Editor
    IDG Connect

    P.S: Don't forget to look out for the changes in our blog:
    http://www.idgconnect.com/blog.

    gry arrow Forward this mailer to a Friend/Colleague
    Find us on: Facebook Facebook Twitter Twitter LinkedIn LinkedIn RSS Feed RSS Feed
    Subscribe to topical weekly email Roundups from IDG Connect.
    If you do not wish to receive any further emails click here
    Contact us if you need any assistance or additional information.
     
    IDG Connect
    IDG Connect's Privacy Policy Copyright © 2010. All rights reserved.
    IDG Connect, 492 Old Connecticut Path, Framingham, MA 01701.
    www.idgconnect.com

    EMS Financial Services launches wholesale VoIP trading platform.

    April 29, 2011 Create or Manage Your Profile
    Internet.com
    Communications Update

    Brought to you by
    An Internet.com site


    EMS Financial Services launches wholesale VoIP trading platform.

    EMS TrafficBoard provides buyers and sellers visibility, and a place to make a deal. Read more >>


    Whitepaper: Optimizing Server Management

    Sponsored by HP
    The competitive business environment is placing pressure on IT managers to simultaneously accelerate their IT capacity and maintain budget expenditures. The challenge to deliver enhanced levels of service-level agreements has become increasingly difficult due to increasingly complex infrastructures and the introduction of virtualization technologies. The HP Insight Software portfolio includes HP Insight Control and HP Insight Dynamics, which play a central role in reducing overall data center operating expenses and differentiating HP offerings from competitive offerings. Read this paper now to learn more. Click Here >>


    Vonage launches World Premium calling plan.

    Plan expands on Vonage World, providing unlimited calling to mobile phones in over 40 countries. Read more >>

    News to Know

       Vidyo plugin integrates telepresence with Microsoft Lync.
       New VoIP appliances from Cisco target small, mid-size businesses
       Cisco announces cross-platform UC.
       Verizon to offer UC service in the cloud.
       RHUB v. 4.3 now has HD VoIP capability.

    Featured Solutions

       Oracle Unified Storage

    Job Postings

    Job Title: Software Developer, Team Lead (IL)
    Company: Next Step Systems
    Location: US-IL-Des Plaines
    Stay Ahead Resources
       Red Hat Whitepaper: Need for Portability and Interoperability
       Oracle Whitepaper: Tape Technology Leaps Forward

    LG-Ericsson USA launches iPECS-LIK family of IP communications products.

    Platform encompasses IP Call Servers, endpoints, UC, unified messaging, vertical apps, and more. Read more >>

    Click here

    Blogs

    It Channel Planet Blog by Doug Kass
    Abuse of Channel Incentive Programs Costs IT Companies Up to $1.4 Billion Annually
    The Alliance for Gray Market and Counterfeit Abatement (AGMA), a non-profit organization attempting to bring gray market fraud to light whose members include Cisco Systems Inc., Hewlett-Packard Co. and Microsoft Corp., said that findings from its new study indicate that... Read more >>

     

    You are subscribed to an Internet.com newsletter as security.world@gmail.com. To unsubscribe from this newsletter, please click here.

    If you wish to be removed from all future Internet.com emails, please click here.

    To unsubscribe via postal mail, please contact us at:

    Internet.com
    Attn: Newsletter Subscription Dept.
    307 5th Ave., 14th Floor
    New York, NY 10016

    Please include the email address which you have been contacted with.