
CyberSecurity Institute

Security News Curated from across the world

The Perils of Deep Packet Inspection

Posted on January 11, 2005 (updated December 30, 2021) by admini

Microsoft, Cisco, Checkpoint, Symantec, Nortel, SonicWall, NAI, Juniper/Netscreen, and others, have, in the past eighteen months started manufacturing firewall appliances that implement Deep Packet Inspection (DPI). In general, the DPI engine scrutinizes each packet (including the data payload) as it traverses the firewall, and rejects or allows the packet based upon a ruleset that is implemented by the firewall administrator. The inspection engine implements the ruleset based upon signature-based comparisons, heuristic, statistical, or anomaly-based techniques, or some combination of these.

Deep Packet Inspection promises to enhance firewall capabilities by adding the ability to analyze and filter SOAP and other XML messages, dynamically open and close ports for VoIP application traffic, perform in-line AV and spam screening, dynamically proxy IM traffic, eliminate the bevy of attacks against NetBIOS-based services, traffic-shape or do away with the many flavors of P2P traffic (recently shown to account for ~35% of internet traffic), and perform SSL session inspection.

Deep Packet Inspection essentially collapses Intrusion Detection (IDS) functionality into the firewall appliance, so that both a firewall and an in-line IDS are implemented on the same device. Many of these products have recently been shown to be vulnerable to exploitation of software defects in their DPI inspection engines, however. The data suggest that adding these enhanced functions to firewalls may, in fact, weaken, rather than strengthen, network perimeter security.

Traditionally, firewalls have provided a physical and logical demarcation between the inside and the outside of a network. The first firewalls were basically just gateways between two networks with IP forwarding disabled. Such a gateway fails closed: if the firewall crashes in some way, no traffic is forwarded between interfaces. One of these, the Gate, or packet-screening device, relied upon the kernel to pass packet headers to a user-space program, screend, which informed the kernel whether or not to forward the packet. IP packet filtering firewalls all share the same basic mechanism: as an IP packet traverses the firewall, the headers are parsed, and the results are compared to a ruleset defined by a system administrator.

A stateful inspection firewall registers connection data and compiles this information in a kernel-based state table.

Several firewall vendors, including Check Point, Cisco, Symantec, Netscreen, and NAI have integrated additional application-level data analysis into the firewall. Checkpoint, for example, initially added application proxies for TELNET, FTP, and HTTP to the FW-1 product. Cisco’s PIX fixup protocol initially provided for limited application parsing of FTP, HTTP, H.323, RSH, SMTP, and SQLNET.

DPI engines parse the entire IP packet, and make forwarding decisions by means of a rule-based logic that is based upon signature or regular expression matching. Promising approaches to the pattern-matching workload this imposes include a software-based approach (Snort implementing the Boyer-Moore algorithm) and a hardware-based approach (FPGAs running a Bloom filter algorithm). DPI technology can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and the small percentage of worms that fit within a single packet.
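The packet-filter and DPI steps described above, as an added example that is not code from the SecurityFocus article or from any vendor's product: a toy inspector in Python that checks header rules first, then searches the payload with Boyer-Moore-Horspool (a member of the Boyer-Moore family the text mentions for Snort). The ports, packets and the signature are constructed, and the stream function shows why a reassembly preprocessor matters for signatures that do not fit inside one packet.

```python
"""Added example, not from the SecurityFocus article or any vendor's product:
a toy DPI pass that applies header-only rules first, then payload signatures
using the Boyer-Moore-Horspool search. Packets, ports and the signature are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Header rule set: destination port -> action (NetBIOS ports, as in the text).
HEADER_RULES = {139: "deny", 445: "deny"}
# Payload signatures: (name, byte pattern, action). Constructed, not a real rule.
SIGNATURES = [("toy-http-probe", b"GET /probe.exe", "deny")]


def bad_char_table(pattern: bytes) -> dict:
    """Horspool shift table: for each byte (except the last one) the distance
    from its last occurrence to the end of the pattern."""
    m = len(pattern)
    return {pattern[i]: m - 1 - i for i in range(m - 1)}


def horspool_find(text: bytes, pattern: bytes) -> int:
    """Return the offset of pattern in text, or -1. On a mismatch the window
    advances by the table value for the byte under the pattern's last
    position, instead of by one byte, which is what makes it fast on average."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    skip = bad_char_table(pattern)
    i = 0
    while i <= n - m:
        if text[i:i + m] == pattern:
            return i
        i += skip.get(text[i + m - 1], m)
    return -1


def inspect_packet(pkt: Packet) -> str:
    """Packet-filter step (headers only) followed by the DPI step (payload)."""
    action = HEADER_RULES.get(pkt.dport)
    if action is not None:
        return action
    for _name, sig, action in SIGNATURES:
        if horspool_find(pkt.payload, sig) >= 0:
            return action
    return "allow"


def inspect_stream(packets: list) -> str:
    """Run the same signatures over the reassembled payload of one connection.
    This is what a stream preprocessor provides; a purely per-packet engine
    only sees signatures that fit inside a single packet."""
    if any(inspect_packet(p) == "deny" for p in packets):
        return "deny"
    data = b"".join(p.payload for p in packets)
    for _name, sig, action in SIGNATURES:
        if horspool_find(data, sig) >= 0:
            return action
    return "allow"


if __name__ == "__main__":
    whole = Packet("198.51.100.7", "10.0.0.5", 80, b"GET /probe.exe HTTP/1.0\r\n")
    parts = [Packet("198.51.100.7", "10.0.0.5", 80, b"GET /pro"),
             Packet("198.51.100.7", "10.0.0.5", 80, b"be.exe HTTP/1.0\r\n")]
    print(inspect_packet(whole))                 # deny
    print([inspect_packet(p) for p in parts])    # ['allow', 'allow']
    print(inspect_stream(parts))                 # deny
```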

Researchers at Internet Security Systems (ISS) discovered a remotely exploitable buffer overflow in the Snort stream4 preprocessor module. Remote attackers may exploit the buffer overflow condition to run arbitrary code on a Snort sensor with the privileges of the Snort IDS process, which typically runs as the superuser.

Due to an implementation fault in VirusWall’s handling of a UUencoded file name, it is possible for a remote attacker to specify an arbitrarily long string, overwriting the stack with user defined data, and allowing a remote attacker to execute arbitrary code.

Multiple Cisco products contain vulnerabilities in the processing of H.323 messages, which are typically used in Voice over Internet Protocol (VoIP) or multimedia applications.

The bottom line is that in order to exercise sound bandwidth and security controls, organizations and service providers must be able to differentiate traffic types based upon the contents of the application payload.

http://www.securityfocus.com/infocus/1817

How ITIL Can Improve Information Security

Posted on December 22, 2004 (updated December 30, 2021) by admini

ITIL can be applied across almost every type of IT environment. Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Procter & Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL – aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support – the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly.

Configuration Management: Best practices for controlling production configurations (for example, standardization, status monitoring, asset identification).

Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services. These practices ensure that normal service is restored as quickly as possible after an incident occurs. These practices seek to proactively prevent incidents and problems.

Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.

Financial Management: Best practices for understanding and managing the cost of providing IT services (for example, budgeting, IT accounting, charging). These practices ensure that IT services are maintained and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services.

There is also a Service Desk function that describes best practices for establishing and managing a central point of contact for users of IT services. Two of the Service Desk’s most important responsibilities are monitoring incidents and communicating with users. The customer and IT organization negotiate and define a service level agreement (SLA) that includes definition of the information security requirements in measurable terms and specifies how they will be verifiably achieved.

Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided, are negotiated and defined within the IT organization.

With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate.

http://www.securityfocus.com/infocus/1815

Survivor’s Guide to 2005: Security

Posted on December 17, 2004 (updated December 30, 2021) by admini

Intrusion detection systems–the primary source of warnings that attacks are under way–are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.

The mission of IDS is changing, however. Many IDS vendors are improving their products so that the IDS doesn’t simply give you the details on an event that has occurred. Instead, the system will help prevent intrusions from happening in the first place.

Even within the reporting realm, IDS is becoming more active as anomaly detection, vulnerability assessment and forensics come under the broad label of IDS’s reportable events. The growing number of attacks and attack types makes it more important for the IDS to correlate with logs and reports from other network-security components for context and ease of interpretation.

Schemes such as Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP) have, among many other capabilities, IDS and firewalls sharing some of the features of an IPS (intrusion prevention system), with the IDS feeding control information to a central authority, which then gives instruction to the firewall for connection reset and address blocking.

Last year, the verdict on IPSs was “don’t believe the hype.” As a piece of a multilayer security approach, an IPS can join the IDS, enterprise firewall, desktop firewall and application firewall to protect your key network assets.

For some, the blocking of even one piece of legitimate traffic is unacceptable.

As an incremental tool that can help cut down on the volume of attack traffic, intrusion prevention from vendors including Check Point Software, Internet Security Systems, Lucid Security, Radware and Tipping Point should be seriously explored in 2005.

The various governmental regulations, including HIPAA and GLB, make it business-critical for a company to protect customer and patient data from any theft or intrusions, and make it just as important that the company demonstrate that the protection is in place and effective.

Outside the conventional perimeter, software firewalls installed on mobile clients help move protection outside the bricks and mortar of the corporate boundaries, to slow the spread of malware that can gain entry in Starbucks, traverse a VPN and run loose in the network core.

The intelligent integration of security functions, controlled by software that enforces intelligent policies, will be one of the great migrations of the year. Ask any vendor claiming to have an enterprise policy framework how many companies have partnered with them to let their products be queried and/or controlled by the central management console. The partnership issue should be more readily resolved by the industry giants that have introduced their own policy and access-control systems.

Both Cisco Systems with its NAC and Microsoft with NAP are building network-control frameworks on the basis of technology and products that are in the field, though neither company expects to have production deployments before the middle of the year.

At the same time, agencies and organizations have begun the work of building standards – the National Institute of Standards and Technology published ANSI INCITS 359-2004 (for role-based access control) in February 2004, and other organizations have committees beginning to look at the requirements for standards.

Although, in some ways, authentication is the boring brother-in-law of the security world, there is room for excitement as the world moves closer to the promised nirvana of single sign-on.

To comply with regulations, data must be protected from external threats and even successful intrusions cannot result in the release of protected data. Therefore, IDS and IPS must look at traffic flowing in both directions in order to defend the database and its supporting applications from giving up critical data.

Data storage devices that can take data away are also a significant concern. “Thumb drives,” small USB storage devices, have replaced floppy disks as the portable storage medium of choice for mobile professionals carrying presentations, software updates or small applications from office to office.

Instead of network security, more professionals are becoming involved in data assurance, network assurance or even business assurance, helping to protect the information against network intrusion, physical disaster or device theft.

http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml;jsessionid=SLLOOGDEM1DNQQSNDBGCKH0CJUMEKJVN?articleId=55800918

Show Time for Security

Posted on December 7, 2004 (updated December 30, 2021) by admini

“There is an element of appearances to security, and I don’t mean this in an unfavorable way,” says the famously unflappable de Becker, who has guarded his image as closely as the Hollywood stars he is hired to protect. “Precautions that are expected to deter often draw some of their effectiveness from appearing to be this or that.”

Once an assortment of stereotyped “geeks” and “guards” who’d been promoted up a few tax brackets, CSOs are now struggling to become—and be recognized as—businessmen and women who take a strategic view of risks across the enterprise.

On the first level are CSOs themselves—you—who are learning that to be taken seriously as executives, you have to act like your peers from other parts of the business. Just look at what eBay’s Howard Schmidt, one of the country’s most prominent CISOs, has done to his look over the years.

Closely tied with the CSO’s personal image is a second level: how other business executives and their staffs view the security department and its leader. Michael Assante, CSO of American Electric Power, is candid about the kind of forethought that goes into this transformation. “I knew that image was going to be an important part of being able to have success,” says Assante, who two years ago became the first person at AEP to have control over both corporate and information security.

“Image is 100 percent important,” says Schneier, author of Beyond Fear and a prominent observer of the security industry’s evolution. “If you don’t deal with everything around the politics and socialization, you never get to the actual security.”

In other words, it’s not style over substance.

http://www.csoonline.com/read/120104/image_intro.html

Using events-per-second as a factor in selecting SEM tools

Posted on November 29, 2004 (updated December 30, 2021) by admini

For the purpose of this article, they define the EPS that can be accommodated by an SEM tool more precisely as the number of security-related events a product can receive, normalize, analyze/correlate, and display or act on in the form of results within an acceptable time frame.

This direct or indirect allusion to EPS is intended to impress the prospective buyer with the performance capabilities of the product, and, beyond that, to help buyers make informed decisions that will ultimately lead to satisfaction with their purchase. For example, a very simple part of a security policy, and one that is used by most large organizations may entail logging all successful and unsuccessful login attempts from network devices such as routers, servers, firewalls, switches, etc. So for every one of these devices listed, a log message must be generated and sent to a logging server or SEM product whenever a successful or unsuccessful login attempt is made.

A more complex policy would include the information from the simple example above and in addition, might include logging Network Address Translation (NAT) entries on firewalls and routers.

Any user traversing a firewall or router with NAT logging turned on would generate a log message for each packet/session that traverses these devices.

This policy would generate significantly more events per second, and, if the information were used correctly, would also provide an additional level of information for event correlation and detection of security threats.

In either case, as soon as each of the security devices is successfully generating the correct number of log events to reflect the policy, you are ready to determine the total EPS generated by your network.

The SEM device collects this data and normalizes the signature part of this message (“Inbound TCP Denied”) into a format that is independent of the vendor originating the message. If the SEM tool is not scalable (i.e., an incremental rise in frequency and total accumulated data will slow analysis), then it probably does not satisfy the requirements: a serious network event may lag significantly behind the SEM tool’s ability to analyze the problem and convey the results to the user in a meaningful amount of time.

It is fairly easy to use a tool like Nessus in “go-as-fast-as-you-can mode” to cause an IDS to produce a lot of output.

Some SEM tools have the ability to suppress data from these “noisy” devices (and to then output a message like “1500 bad messages detected from IDS …”).

Although this is a worthwhile feature, the heuristics used to determine whether or not to deploy it need to be intelligent enough to tell when a device is genuinely noisy and when a hacker is trying to DoS (denial of service) the SEM tool by flooding it with IDS messages, or causing it to ignore IDS messages in order to mask malicious network activity.

The frequency of security event messages is an important factor when evaluating SEM products, not only because of your own performance expectations under normal circumstances, but also because of the potential for security messages to be maliciously generated as part of an external attack for the explicit purpose of exceeding the SEM vendor’s abilities to handle them.

If a SEM tool advertises it can handle 40,000 EPS, then the SEM vendor should provide the ability to deploy 10 SEM devices throughout the network to distribute the workload, correlating events on each device and also across devices.
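The EPS measurement, normalization and noisy-device points above, as an added example that is not code from the SC Magazine article or from any SEM product: a Python sketch that normalizes two constructed vendor log formats into the vendor-independent event the text describes, computes per-device and total EPS, checks the total against constructed rated figures at each transition point, works out how many units the weakest stage needs, and flags devices running far above their baseline. The log lines, rated numbers and baselines are all constructed.

```python
"""Added example, not from the SC Magazine article or any SEM product:
normalize constructed syslog lines into one vendor-independent event, measure
EPS per device and in total, compare with rated EPS per transition point, and
flag devices whose rate spikes far above baseline."""
import math
import re
from collections import Counter

# Constructed sample lines: "<seconds> <device> <vendor message>".
LOG_LINES = [
    "0 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4321 dst inside:10.0.0.5/445 by access-group acl_out",
    "1 fw1 %PIX-4-106023: Deny udp src outside:198.51.100.9/5000 dst inside:10.0.0.5/161 by access-group acl_out",
    "0 fw2 kernel: DROP IN=eth0 SRC=203.0.113.4 DST=10.0.0.8 PROTO=TCP DPT=22",
    "0 fw2 kernel: DROP IN=eth0 SRC=203.0.113.4 DST=10.0.0.8 PROTO=TCP DPT=23",
    "1 fw2 kernel: DROP IN=eth0 SRC=203.0.113.4 DST=10.0.0.8 PROTO=TCP DPT=25",
    "1 fw2 kernel: DROP IN=eth0 SRC=203.0.113.4 DST=10.0.0.8 PROTO=TCP DPT=80",
    "1 fw2 kernel: eth0: link is up",   # unrelated line, must be ignored
]
WINDOW_S = 2.0   # the sample covers seconds 0 and 1

# Vendor-specific parsers, loosely modelled on PIX and iptables syntax.
PIX_RE = re.compile(r"^(?P<t>\d+) (?P<dev>\S+) %PIX-\d-106023: Deny (?P<proto>\w+) "
                    r"src [^:\s]+:(?P<src>[\d.]+)/\d+ dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
IPT_RE = re.compile(r"^(?P<t>\d+) (?P<dev>\S+) kernel: DROP IN=\S+ SRC=(?P<src>[\d.]+) "
                    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)")

# Constructed rated capacity per transition point. The headline figure a
# vendor advertises is often the reception stage only.
STAGES = ("reception", "normalization", "correlation", "display")
RATED = {"reception": 40000, "normalization": 40000, "correlation": 8000, "display": 40000}
BASELINE_EPS = {"fw1": 1.0, "fw2": 0.1}   # constructed per-device normal rates


def normalize(line: str):
    """Vendor line -> vendor-independent event dict, or None if unrecognized."""
    for rx in (PIX_RE, IPT_RE):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {"t": int(d["t"]), "device": d["dev"],
                    "sig": f"Inbound {d['proto'].upper()} Denied",
                    "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])}
    return None


def normalize_all(lines):
    return [e for e in map(normalize, lines) if e is not None]


def eps_by_device(events, window_s: float) -> dict:
    counts = Counter(e["device"] for e in events)
    return {dev: n / window_s for dev, n in counts.items()}


def total_eps(events, window_s: float) -> float:
    return len(events) / window_s


def first_saturated_stage(eps: float, rated: dict):
    """First transition point whose rated EPS is below the offered load."""
    for stage in STAGES:
        if eps > rated[stage]:
            return stage
    return None


def units_needed(eps: float, rated: dict) -> int:
    """SEM units to deploy so that the slowest stage keeps up."""
    return max(1, math.ceil(eps / min(rated.values())))


def noisy_devices(events, window_s: float, baseline: dict, factor: float = 10.0) -> dict:
    """Devices running above factor x baseline. The distinct-source count is
    reported for the analyst: one source hammering a device looks different
    from a device that is simply chatty across many sources."""
    flagged = {}
    for dev, rate in eps_by_device(events, window_s).items():
        if rate > factor * baseline.get(dev, 0.0):
            srcs = {e["src"] for e in events if e["device"] == dev}
            flagged[dev] = {"eps": rate, "distinct_src": len(srcs)}
    return flagged
```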

Scalability is a complex topic that requires in-depth discussion that is beyond the scope of this article.

EPS is to security what miles per hour is to a sports car. EPS is an easy concept to grasp since, in the context of SEM devices, it’s just a number used to quantify the results that can be produced by a complex real-time correlation process. Networks and their security devices generate a certain number of events per second.

In order to assure a satisfying customer experience with an SEM product, it is essential to match the EPS generated by your network with the EPS that can be correlated by your SEM purchase.

The bottom line is that SEM products with higher EPS numbers at each of the relevant transition points (reception, normalization, correlation, and display) are more likely to meet the expectations and performance requirements of most networks.

The information in this article has been written for the purpose of educating the SEM tool buyer about the decision-making process that a well-informed buyer uses when evaluating SEM tools.

These questions should be asked with respect to a configuration where one SEM tool is used, then applied to a distributed configuration where numerous SEM tools are used together to handle correlation requirements beyond the capability of one SEM tool.

How many EPS are generated by the security devices on my network?

What is the EPS of SEM tool I am considering?

What was the duration of EPS testing?

http://www.scmagazine.com/features/index.cfm?fuseaction=FeatureDetails&newsUID=7a042281-34b1-446a-9148-f58e05bd11ba&newsType=Features

Counting the cost of security training

Posted on November 5, 2004 (updated December 30, 2021) by admini

This quickly adds up to a rather tidy sum for managers trying to maximize their often decreasing budgets. Many managers believe that if they provide training for their analysts, they will lose them to other firms.

While this can be a very valid argument, it is also one on the razor’s edge – by that I mean you run the risk of your employee becoming irritated at any lack of investment in them and their future, and they simply leave.

As a security analyst, for example, you must not only stay current with technology, but also improve your core skill set.

Right or wrong, many employees believe that it is up to the employer to provide that training – and with that same reasoning, most believe it should not be the employee who pays out of pocket for these courses.

Reality dictates that most companies simply do not provide adequate training for their staff simply due to financial constraints – and in fact, it may not be important to their long-term objectives.

If you own or manage staff in a small-to-mid size company, it would pay you great dividends to set aside some money for training. These initiatives would show your next prospective hire that you are definitely serious about helping to maintain their skills and investing in them as an employee. Companies that do not invest largely reason that because the latest worm or virus has not affected them, there is no need to provide training for their security staff. However, we all know that the very reason they were not affected is that they had trained and competent security staff.

For the many people out there who pull double or triple duty at times, getting the latest training is even more important.

Nowadays having the system administrator deal with related technology such as routers, in addition to all his other security functions, is all too common.

Learning on the job is a good way to learn, but it still cannot replace the proper training – yet so few want to shell out the money for it.

I believe this is why you see so many network security jobs with an insanely long list of required skills, often starting with a particular certification.

http://www.theregister.co.uk/2004/11/05/cost_of_security_training/
