Everything related to Computer Security - Security Audits, Security Vulnerabilities, Intrusion Detection, Incident Handling, Forensics and Investigation, Information Security Policies, and a whole lot more.
Tuesday, April 30, 2013
Improv group comes to rescue of texting pedestrians with Seeing-eye People
firewall-wizards Digest, Vol 64, Issue 17
firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. OpenBSD IPSEC VPN question (David Lang)
2. Re: Linked-in and its Phishing-like contacts option!
(lordchariot@embarqmail.com)
3. Re: firewall-wizards Digest, Vol 64, Issue 3 phishing (David Lang)
4. Re: Proxy advantage (David Lang)
5. Re: Linked-in and its Phishing-like contacts option! (David Lang)
----------------------------------------------------------------------
Message: 1
Date: Mon, 29 Apr 2013 04:39:04 -0700 (PDT)
From: David Lang <david@lang.hm>
Subject: [fw-wiz] OpenBSD IPSEC VPN question
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.02.1304290435120.18827@nftneq.ynat.uz>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
I'm seeing some odd reports on the rsyslog mailing list where someone is claiming
that when using an IPSEC VPN on OpenBSD they have to explicitly set the source
IP address for all connections out from the firewall (tunnel endpoint) or else
the connection won't go through the tunnel. The person reporting this is
proposing modifications to rsyslog to have it force the local IP address for
outbound connections as a work-around for this problem.
This sounds very wrong to me, but can anyone speak up who knows this OS?
It seems to me that a VPN that requires all applications to be modified to set
the outbound source IP before the VPN will be used is a very broken VPN. This
does not mesh well with the reputation that OpenBSD has.
David Lang
------------------------------
Message: 2
Date: Tue, 30 Apr 2013 12:20:39 -0400
From: <lordchariot@embarqmail.com>
Subject: Re: [fw-wiz] Linked-in and its Phishing-like contacts option!
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <001401ce45be$a7e9c020$f7bd4060$@embarqmail.com>
Content-Type: text/plain; charset="UTF-8"
> I'm honestly not sure how we could block this stuff in a web-proxy, or be
> alerted by an IDS rule short of just blocking the sites.
> (Maybe this will start more discussion. How would one try this?)
I have a lot of requests from customers to try to make the web read-only. The main use cases are for social network, blogs/wikis, and commenting on posts. The fundamental ways to do this are to 1) have MITM SSL decryption, and 2) block the POST method for specific sites. Most commercial proxies can do this and even squid does SSL MITM.
By blocking POST to certain categories of sites and only allowing the POST for the */logon pages, users can view all the facebook/twitter/youtube they want, but can't write anything outbound to the site. It's pretty effective.
_____________________________________
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Bruce Platt
Sent: Friday, April 26, 2013 7:41 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Linked-in and its Phishing-like contacts option!
I have a love/hate relationship with these as well. I was only tempted down this perfidious path a few years ago when a set of my Grandchildren asked me to get a Facebook account so we could interact that way as they live on the other coast from me. I started disliking it within five minutes when a former employer sent me a request to "friend" him. Then it became an issue of who can I not be "friends" with among my contemporaries.
Same with Linked-In, same with Twitter.
Up to this point I'm just addressing the personal inconvenience aspect of it, which is why I chose Crispan's post to which to reply.
But, the larger issue is really the risk of exposing all sorts of personal / corporate information in a variety of unwitting ways. This is the part I hate. We've had many discussions about the risks of allowing people to use social media web sites from work. It's a losing battle. Entering one's email password is just one, and Linked-In is not the only villain. I just made some flight reservations yesterday. The airline website offered to add the reservation to my Calendar. Not let me download a .cal file, but to directly insert it into my calendar. Uh, no. Not today.
But, this now get's added to our list of worst practices and meet's Paul's criteria of being part of overall operational security. I'm honestly not sure how we could block this stuff in a web-proxy, or be alerted by an IDS rule short of just blocking the sites. (Maybe this will start more discussion. How would one try this?)
Mix these with BYOD, and it makes a daunting task indeed.
Cheers
--
+------------------------------------+
Bruce B. Platt, Ph.D.
V.P. Research
ei3 Corporation
136 Summit Avenue
Montvale, NJ 07645
Phone: +1-201-802-9080 ext. 404
Facsimile: +1-201-802-9099
On Fri, Apr 26, 2013 at 12:53 AM, Crispin Cowan <crispin@crispincowan.com> wrote:
I boycott all social media. I'm not opposed to social networking, but I am opposed to some dot.com monetizing my relationships; I do all my social networking via open protocols like e-mail, and having a beer with a friend...
I broke this rule once, joining LinkedIn 5 years ago, because I needed a job. LinkedIn was a total failure at getting a job, but attending ToorCon and having a beer with someone I met there worked. I deleted my LinkedIn account when I got tired of the "Foo wants to connect with you" spam. I'm still getting LinkedIn spam.
Screw social networking web sites. I don't have a FaceBook page or a Twitter account, and never will.
Funny, I never envisioned myself as Clint Eastwood yelling at kids to get off my lawn, but here I am...
Sent from Windows Mail
From: Gautier . Rich
Sent: Thursday, April 25, 2013 9:28 PM
To: Firewall Wizards Security Mailing List
Thoughts? I'm wondering why User Operational Security falls under the realm of Firewall Wizards.. Other than that, I'd say... They're not alone by any stretch of the imagination, and plenty of users seem to be perfectly willing to accept the risk (or be unaware of it). However, not much you can do on the firewall side other than turning off webmail access...
Richard Gautier, CISSP
Enterprise Architect, Federal Group
650 Massachusetts Avenue NW
Suite 510
Washington, DC 20001
Office: (571) 226-8828 | Cell: (703) 231-2156
rgautier@drc.com | www.drc.com
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Mathew Want
Sent: Monday, April 22, 2013 7:30 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Linked-in and its Phishing-like contacts option!
Hiya all.
Has anyone else noticed the option to see who else they know is connected on Linked-in? Have you noticed that if you click on the outlook button it asks you for your WORK EMAIL PASSWORD!!!!!
Bloody hell! It's not like the job of getting users to not submit this information to other sites isn't already hard enough without this!!! The "can't put brains in pumpkins" department must be having a field day over this.
Am I the only one that thinks this is a touch negligent on the part of Linked-in? Or should I just accept that it is corporate facebook, accept that they have the same moral fibre and move on?
Maybe I am expecting too much? Thoughts?
--
Regards,
M@
--
"Some things are eternal by nature,
others by consequence"
________________________________________
This electronic message transmission and any attachments that accompany it contain information from DRC? (Dynamics Research Corporation) or its subsidiaries, or the intended recipient, which is privileged, proprietary, business confidential, or otherwise protected from disclosure and is the exclusive property of DRC and/or the intended recipient. The information in this email is solely intended for the use of the individual or entity that is the intended recipient. If you are not the intended recipient, any use, dissemination, distribution, retention, or copying of this communication, attachments, or substance is prohibited. If you have received this electronic transmission in error, please immediately reply to the author via email that you received the message by mistake and also promptly and permanently delete this message and all copies of this email and any attachments. We thank you for your assistance and apologize for any inconvenience.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
------------------------------
Message: 3
Date: Mon, 29 Apr 2013 08:15:02 -0700 (PDT)
From: David Lang <david@lang.hm>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 64, Issue 3
phishing
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: Marcus Ranum <mjr@ranum.com>
Message-ID: <alpine.DEB.2.02.1304290812320.28665@nftneq.ynat.uz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Mon, 15 Apr 2013, Dave Piscitello wrote:
> Cloud is simply the current incarnation of server (LAN/farm, data
> center, virtualization...). I really don't see that the security
> issues have changed all that much (evolved maybe), or approaches to
> solving them.
Except with the "Cloud" you as an organization give up a lot of the tools that
have been used in the past to secure things.
Plus, you have the DevOps approach being misinterpreted by management to mean
"engineers can do everything, they can bypass those annoying ops and security
folks to get things done"
It's going to be an interesting few years as everyone learns that you still need
admins and security folks in the cloud.
David Lang
------------------------------
Message: 4
Date: Mon, 29 Apr 2013 08:25:09 -0700 (PDT)
From: David Lang <david@lang.hm>
Subject: Re: [fw-wiz] Proxy advantage
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.02.1304290819430.28665@nftneq.ynat.uz>
Content-Type: text/plain; charset="iso-8859-15"; Format="flowed"
If you start with the premise that the only thing that's a firewall is a packet
filter, especially with deep packet inspection being optional, then you are
going to be in rather bad shape.
I have run a fairly large organization with proxy firewalls (800+ people, 100+
separate networks), it can be done. In some areas it bypasses whole classes of
problems.
Even for user desktops you can do it, but you need to get a good proxy, not just
install squid and think that you've gained a lot.
Yes, it breaks some things, but rather than there being 10% 'good' apps, it's
more like 1% completely broken apps, and 20% apps that need special
configuration (the vast majority of this 20% are not desktop apps, and if you
are willing to look at other tools rather than sticking with fighting to make a
tool work that's not proxy friendly, it's usually not a big problem)
Remember that you will need to do SSL MITM with your proxy, so you will need to
deploy your own CA certs on desktops.
David Lang
On Tue, 16 Apr 2013, Magosányi Árpád wrote:
> On 04/15/2013 11:13 PM, Paul D. Robertson wrote:
>> I've always railed against DNS tunneling. It seems to be rearing its ugly head again. Today with all the in-band HTTP attacks, it once again seems the major advantage of a proxy server is not having to pass DNS down to the client. Should this be a best practice?
>
> It seems like a good idea, which is easy to execute. I see you ending up
> with either hundreds of angry end-users who were using non-http
> applications, or carefully migrating thousands of them one-by-one to a
> new AD domain which does not know about your real DNS servers. And after
> two months busily analysing http proxy logs to figure out how much of
> your users were connected to the C&C.
> Okay, I am exaggerating, and I do think that the idea is worth a
> thought. Just wanted to point out that
> 1) there are exceptions, and this is without exception
> you will still have to provide internet dns to them, and have the
> measures against dns tunneling.
> And yes, it is much easier if you know that > 10 lookup/min is either
> your http proxy, or a reverse proxy.
> 2) you will still be hit by http reverse proxies
> And yes, you can at least have the opportunity to control them from a
> central point, as before.
>
> On a general level:
>
> The best practice would be to proxy everything, and let in only the
> traffic which adheres to the respective standards, the firewall
> understands and finds harmless.
> Let's see how it works out in real world:
> 1. Adheres to standards
> Maybe 10% of the current traffic? Proprietary protocols and protocol
> extensions, misimplementations, horrific web pages, etc.
> 2. The firewall understands it
> Your average packet filter is ignorant to nearly anything which is
> not needed for pushing the traffic through the device.
> Your average proxy firewall, which knows a bit more about the basic
> protocols, so it can stop some attacks on that level.
> And there are the toolkit firewalls (I know only Zorp as an instance
> of this kind), which know all the ins and outs of the basic protocols,
> can do anything with them, and relatively easy to teach them higher
> level ones. But they need a lot of tuning to get to the level which
> really gives better protection than an average firewall.
> There are high-level gateways (like the xml proxies) which may
> understand things even on layer 7, but know only very few protocols, and
> in most cases only a subset of them.
> And there are the ESBs, which can do anything with the cost of
> configuration complexity - nearly like a toolkit firewall, but maybe for
> less protocols - , but have a distinct use case, which is not about
> security.
> 3. the firewall finds it harmless
> If it adheres to standards and we understood it, then we already know
> whether it is harmless. With protocols and passive contents it is easy,
> and we can prove that we understood the content by disassembling and
> reassembling it (this is what Zorp and ESBs do).
> But active content (from software updates through pdf/word documents
> to javascript) is another thing. We either trust them based on the
> provider of content, deny them, try to get some assurance, or use some
> kind of sandbox (from the one built in to the web browser/java vm to
> malware isolation products). They are either unacceptable from the
> business perspective (deny), inherently insecure (most of the malware
> detection stuff violates the "default deny" principle), have extensive
> operational burden (maintaining trust related database/ensuring leakless
> sandboxen), or all of the above.
>
> Once upon a time we optimistically assumed that if enough operators deny
> non-adhering, potentially harmful content, providers of such content
> will adhere to safe standards. It turned out to be a dream.
>
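The thread above makes two points a defender can act on: on a proxy-only network the HTTP proxy should be the one busy resolver client (Magosányi's "> 10 lookup/min is either your http proxy, or a reverse proxy"), and DNS tunnelling remains a residual risk that still needs its own measures. As an added example, not code from any list member, the following Python runs that logic over constructed BIND-style query-log lines: it flags non-proxy clients that exceed the per-minute threshold, and separately flags clients querying many distinct subdomains of one parent, the shape a tunnel produces. The log format, addresses, names and the proxy allowlist are all constructed for the example.

```python
import hashlib
import re
from collections import Counter, defaultdict

# BIND-style query-log line (constructed format for this example):
# "30-Apr-2013 08:25:01.000 client 10.1.1.20#50000: query: mail.corp.local IN A + (10.0.0.53)"
LOG_RE = re.compile(
    r"^(?P<minute>\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def parse(lines):
    """Yield (minute, client_ip, qname, qtype); lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["minute"], m["ip"], m["name"].rstrip(".").lower(), m["qtype"]


def find_suspects(lines, proxies, max_per_min=10, min_unique_children=8):
    """Flag non-proxy clients that exceed max_per_min lookups in any one minute,
    and clients that query many distinct subdomains of one parent (tunnel-like)."""
    per_min = Counter()
    children = defaultdict(set)  # (ip, parent) -> set of leftmost labels seen
    for minute, ip, name, _qtype in parse(lines):
        if ip in proxies:
            continue  # the forward proxy is expected to be the busy resolver client
        per_min[(ip, minute)] += 1
        labels = name.split(".")
        if len(labels) > 2:
            children[(ip, ".".join(labels[1:]))].add(labels[0])
    findings = defaultdict(dict)
    for (ip, _minute), count in per_min.items():
        if count > max_per_min:
            prev = findings[ip].get("lookups_per_minute", 0)
            findings[ip]["lookups_per_minute"] = max(prev, count)
    for (ip, parent), labs in children.items():
        if len(labs) >= min_unique_children:
            findings[ip].setdefault("many_unique_subdomains", []).append(parent)
    return dict(findings)


def constructed_log():
    """Sample log: a busy proxy, a quiet desktop, and a desktop doing tunnel-like lookups."""
    fmt = ("30-Apr-2013 08:25:{sec:02d}.000 client {ip}#{port}: query: {name} IN {qtype}"
           " + (10.0.0.53)")
    lines = [fmt.format(sec=i, ip="10.0.0.5", port=40000 + i, name=f"site{i}.example.com",
                        qtype="A") for i in range(30)]  # proxy: 30 lookups in one minute
    for i, name in enumerate(["mail.corp.local", "intranet.corp.local", "ntp.corp.local"]):
        lines.append(fmt.format(sec=10 + i, ip="10.1.1.20", port=50000 + i, name=name, qtype="A"))
    for i in range(14):  # 14 random-looking labels under one parent inside 40 seconds
        label = hashlib.sha1(bytes([i])).hexdigest()[:40]
        lines.append(fmt.format(sec=3 * i, ip="10.1.1.33", port=51000 + i,
                                name=f"{label}.tun.example.net", qtype="TXT"))
    return lines


def demo():
    """Run the detector over the constructed log with the proxy allowlisted."""
    return find_suspects(constructed_log(), proxies={"10.0.0.5"})
```

The proxy's 30 lookups are ignored because it is allowlisted; only 10.1.1.33 is reported, on both the rate and the unique-subdomain heuristic.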
------------------------------
Message: 5
Date: Mon, 29 Apr 2013 08:29:27 -0700 (PDT)
From: David Lang <david@lang.hm>
Subject: Re: [fw-wiz] Linked-in and its Phishing-like contacts option!
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.02.1304290828210.28665@nftneq.ynat.uz>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
On Fri, 26 Apr 2013, Gautier . Rich wrote:
> Yes, that's what I meant...turn off Webmail access entirely - I was mostly
> kidding - but if it's something that you can afford to do [users all have
> working VPNs, e.g.] - it would reduce a great deal of risk. ;)
when you say turn off webmail, do you mean to cut off access to public webmail
servers from inside your network? or do you mean to not run things like OWA that
expose your company mail to the Internet?
David Lang
> Oh, and can that guy who gave the "God, whatever you do, don't fire your
> network geek" speech please come and give a motivational speech here?
>
> Richard Gautier, CISSP
> Enterprise Architect, Federal Group
>
> 650 Massachusetts Avenue NW
> Suite 510
> Washington, DC 20001
> Office: (571) 226-8828 | Cell: (703) 231-2156
> rgautier@drc.com | www.drc.com
>
>
> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Jim Seymour
> Sent: Friday, April 26, 2013 11:39 AM
> To: firewall-wizards@listserv.icsalabs.com
> Subject: Re: [fw-wiz] Linked-in and its Phishing-like contacts option!
>
> On Wed, 24 Apr 2013 19:26:01 +0000
> "Gautier . Rich" <RGautier@drc.com> wrote:
>
>> Thoughts? I'm wondering why User Operational Security falls under the
>> realm of Firewall Wizards..
>
> I think of it this way: Firewall security, in and of itself, doesn't get the job done. You may have the most bullet-proof border the world has ever seen, but, unless that bullet-proof-ness means essentially blocking everything, both incoming and outgoing, it will not be enough. A layered defense is mandatory. One of those layers is end-user operational security.
>
> Our goal is to protect the organizational jewels, no?
>
> Besides: We've pretty-much beaten stateful/deep-packet inspection vs.
> application proxy to death, no? :)
>
>> ... plenty of users seem to
>> be perfectly willing to accept the risk (or be unaware of it).
>
> Both, IME.
>
>> However, not much you can do on the firewall side other than turning
>> off webmail access...
>
> Turning off webmail access? How would one accomplish that, exactly, without essentially turning off web access entirely?
>
> As for LinkedIn: I've received so many LinkedIn emails reported as spam at work that they've occasionally been there. I may have them listed on my mailserver at home, for the same reason. (Possibly so. Can't say as I've seen LinkedIn spam for a while.)
>
> This nonsense of them asking for "work email password" is grounds, in _my_ view, to block them entirely. That's intolerable. I'm going to see if I can do that.
>
> But I'm old school. I don't believe convenience, golly-gee-whiz-bang, and _especially_ "social networking" ought to trump security. Generally my bosses tend to agree. (Esp. ever since a couple of the Big Guys attended some-or-another network security briefing, which incl. a retired FBI agent, and were told that "whatever your network security is, it's probably not good enough" and "for God's sake, whatever you do, do not lose your network geek" ;).)
>
> Regards,
> Jim
> --
> Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
------------------------------
End of firewall-wizards Digest, Vol 64, Issue 17
************************************************
[SECURITY] [DSA 2665-1] strongswan security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2665-1 security@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
April 30, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : strongswan
Vulnerability : authentication bypass
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-2944
Kevin Wojtysiak discovered a vulnerability in strongSwan, an IPsec based VPN
solution.
When using the openssl plugin for ECDSA based authentication, an empty, zeroed
or otherwise invalid signature is handled as a legitimate one. An attacker
could use a forged signature to authenticate like a legitimate user and gain
access to the VPN (and everything protected by this).
While the issue looks like CVE-2012-2388 (RSA signature based authentication
bypass), it is unrelated.
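The advisory does not say how the plugin's signature check went wrong. As an added example, not strongSwan's or Debian's code, the following pure-Python ECDSA model (secp256k1, with a constructed key and message) reproduces the failure class it describes: a verifier that follows OpenSSL's documented ECDSA_verify() contract (1 valid, 0 invalid, -1 error) is wrapped by a check that treats any non-zero result as success, so an empty or zero-filled signature authenticates, next to the hardened wrapper that accepts only 1. The nonce derivation in sign() is a repeatability shortcut for the example, not RFC 6979.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime; pure-Python ECDSA, for illustration only
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    acc = None
    while k:  # double-and-add scalar multiplication
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b

def sign(priv, msg):
    """DER SEQUENCE { r, s }; k derived from (priv, msg) for repeatability, not RFC 6979."""
    e = _hash(msg)
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N
    r = _mul(k, G)[0] % N
    s = pow(k, N - 2, N) * (e + r * priv) % N
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def _parse_der(sig):
    """(r, s), or None if not a SEQUENCE of two INTEGERs (empty and zero-filled input fail)."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        return None
    vals, i = [], 2
    for _ in range(2):
        n = sig[i + 1] if i + 1 < len(sig) else 0
        if sig[i:i + 1] != b"\x02" or n == 0 or i + 2 + n > len(sig):
            return None
        vals.append(int.from_bytes(sig[i + 2:i + 2 + n], "big"))
        i += 2 + n
    return (vals[0], vals[1]) if i == len(sig) else None

def verify_rc(pub, msg, sig):
    """Modelled on OpenSSL's documented ECDSA_verify(): 1 valid, 0 invalid, -1 error."""
    parsed = _parse_der(sig)
    if parsed is None:
        return -1  # undecodable input is an error, not a verdict
    r, s = parsed
    if not (1 <= r < N and 1 <= s < N):
        return 0
    w = pow(s, N - 2, N)
    pt = _add(_mul(_hash(msg) * w % N, G), _mul(r * w % N, pub))
    return 1 if pt is not None and pt[0] % N == r else 0

def accepts_buggy(pub, msg, sig):
    """Treats any non-zero result as success, so -1 (empty/zeroed signature) authenticates."""
    return verify_rc(pub, msg, sig) != 0

def accepts_fixed(pub, msg, sig):
    """Only the explicit success value authenticates."""
    return verify_rc(pub, msg, sig) == 1

def demo():
    """Constructed key and message; returns {case: (rc, buggy_accepts, fixed_accepts)}."""
    priv = 0x1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    pub = _mul(priv, G)
    msg = b"IKE_AUTH signed octets (constructed)"
    cases = {"valid": sign(priv, msg), "empty": b"", "zeroed": bytes(70),
             "other-message": sign(priv, b"some other octets")}
    return {name: (verify_rc(pub, msg, s), accepts_buggy(pub, msg, s),
                   accepts_fixed(pub, msg, s)) for name, s in cases.items()}
```

A signature over a different message is rejected by both wrappers (rc 0); only the error path distinguishes them, which is why three-valued verify APIs need an explicit `== 1` check.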
For the stable distribution (squeeze), this problem has been fixed in
version 4.4.1-5.3.
For the testing distribution (wheezy), this problem has been fixed in
version 4.5.2-1.5+deb7u1.
For the unstable distribution (sid), this problem has been fixed in
version 4.6.4-7.
We recommend that you upgrade your strongswan packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
Archive: http://lists.debian.org/20130430145029.GA8365@scapa.corsac.net