Thursday, February 16, 2006

What the heck is ZAP?

As if there weren't already too many three letter acronyms, Secure Computing goes and invents a new, apparently meaningless, TLA:

Secure Computing Releases Zero-hour Attack Protection (ZAP) Technology

16 February 2006

A major challenge facing the security industry today is defending against new zero-hour attacks and rapidly emerging attack variants that are continually released before patches or attack signatures are available.

Secure Computing Corporation has unveiled its Zero-hour Attack Protections (ZAP(tm)) security technology for the Sidewinder G2(r) Security Appliance. The latest release of the Sidewinder G2 Security Appliance is scheduled to ship in the first quarter of 2006, and differentiates Secure Computing from traditional firewall/UTM products by stopping zero-hour attacks automatically without waiting for anti-virus or IPS signature updates.

ZAP technology is based upon the positive security model, which allows only legitimate network traffic and denies everything else. "Negative model" security technologies like IPS gateways are extremely useful, but they allow everything through the gateway unless they recognize known viruses and attacks. The positive security model is therefore superior at preventing unknown attacks because it automatically eliminates exposure to many types of attacks, unknown as well as known. ZAP technology combines over 200,000 attack signatures with a positive security model for maximum protection.

Secure Computing's ZAP technology also includes other key defense-in-depth security techniques working simultaneously in the Sidewinder G2, including:

  • SecureOS(r) self-defending platforms with patented Type Enforcement(r) technology - a preeminent example of the positive security model

  • Event monitoring, analysis, and notification using the Sidewinder G2(r) dashboard and Security Reporter(tm)

  • Traditional signature-based attack protections, including over 200,000 threat signatures

"Even with recent technological advancements, negative-model countermeasures have significant limitations when it comes to preventing unknown attacks," said Mark Bouchard of Missing Link Security Services. "The approach of enumerating all legitimate traffic and then denying everything else dramatically reduces an organization's attack surface area by inherently eliminating exposure to all sorts of attacks, unknown as well as known."

T. Paul Thomas, senior vice president of marketing and corporate strategy at Secure Computing added "The only way to defend against this accelerating threat is to deploy products based on the positive model of threat mitigation."

And in English this means what exactly?

Thursday, February 02, 2006

"Management vs. IT staff" by Patrick M. Hausen

I found great wisdom in this post by Patrick M. Hausen to firewall-wizards:

They prevent intrusions, don't they? No, I'm not blaming any CEO for not knowing better - with the notable exception of the CEOs of companies selling IT security products or services. Even VPs of IT or whatever they may be called need not know much technical detail if the company is big enough to justify several levels of management hierarchy.

But I do blame CEOs for making decisions on certain products a "strategic" issue and part of their domain at all!

IMHO this is one of the main reasons for many bad products in the field. Remember MS ads: "The network that doesn't need an admin ..."

Stuff like that makes me want to bang my head against a wall.

I'm not old enough to have real experience here, but my impression is that in-house expertise and knowledgeable employees were valued much higher 20 years ago than they are now.

Current management schools seem to focus on "processes" and "standard products" with the explicit goal of making employees replaceable. Once the processes are perfect, you might as well hire monkeys for the job.

There seems to be a deep distrust in the people that run the IT departments and their opinions on technical subjects.
In jumps salesrep of $VENDOR claiming "Box XY will solve all your problems automatically and think of all the money to save, when you are not dependent on expensive expert workers anymore".

IMNSHO specifically investing in human beings instead of products is the only way to save us in the long run. Not only in IT security, but many of the problems we are facing today in Western European societies are (again IMHO) a direct result of preferring automation and fancy technology over people. Politicians and managers alike seem to have a big fear of relying on somebody.

Make the streets safer? Don't buy surveillance cameras and face recognition software - hire more intelligent and motivated cops and treat and pay them well enough to stay motivated and not prone to bribing.
Problems with public education? Use computers at elementary school?
Bull! Hire motivated teachers.

'nuff said.

Kind regards,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit

Saturday, January 14, 2006

Never ascribe to malice...

Slashdot posted to WMF Vulnerability is an Intentional Backdoor? as Napoleon Bonaparte? or Robert J. Hanlon?:

Quoth uncle mole
Never ascribe to malice that which is adequately explained by incompetence. -- Napoleon Bonaparte

This is most commonly referred to as Hanlon's Razor, and a direct attribution to Napoleon has yet to be discovered.

And then there is "Marshall's Axiom":

Never ascribe to incompetence that which can adequately be explained by laziness.

Which I think is an even better explanation for how the WMF vulnerability came about.

Wednesday, October 05, 2005

Don't work in a cubicle farm

The original article isn't bad, but was easily slashdotted.

Slashdot posted to When to Leave That First Tech Job:

TheOriginalRevdoc writes
Take advice number one: "don't work in a cubicle". You'll be looking a long time for a job that comes with its own office. Most corporations, especially, make sure that offices only go to managers above a certain rank. That's just how it is.

I'd suggest that this would better be phrased as "Don't work in a cubicle farm".

Grouping a team of 3-6 cow-orkers who have shared job responsibilities together in an open-plan group of cubicles can enhance productivity.

Building a huge cattle pen to house 10-30 employees with mostly unrelated duties, especially if any of them have jobs that require a lot of time on the phone, is counter-productive.

All it takes is one loud-voiced joker with an exaggerated sense of his own funniness to crash the productivity of everybody else.

Wednesday, September 28, 2005

Sidewinder and Squid and Selecting an application proxy firewall

On 9/27/05, jrdld2 wrote:

A month or two back I heard that SC were planning to drop squid. For myself, I'd rather they wouldn't.

Secure sent the official EOL notice for Squid in late August, I have faint hope they will change their mind.

Squid support in Sidewinder has always been marginal at best, and the functionality of the Squid proxy is crippled by TE. For example, cache_peer queries fail because the packet cannot be sent, triggering a TE event in the G2 audit log.

Worse yet, Sidewinder has been perpetually stuck on 2.4.STABLE6, not exactly the best vintage of Squid :)

The HTTP proxy logging is very poor by comparison,

In my personal opinion, G2's HTTP proxy logging is very poor by comparison to a "Speak & Spell" with leaky alkaline batteries not changed since 1978.

and traffic seems to be slower.

That is an interesting observation -- Going from Gauntlet 6.0's http-pdk to Squid, I've had a few users make the opposite claim, that traffic seems to be slower under Squid than under a non-caching HTTP "application proxy" such as Gauntlet.

I do know that if you are trying to do any access control based on the destination domain (without paying for a SmartFilter license), Sidewinder's request processing can be massively degraded, whereas Squid can handle literally hundreds of destination pattern match ACLs with little or no performance loss.

Squid also has some functionality which is useful in our own particular setting.

Ditto here. One of the biggest issues we have (an issue of which Secure is well aware) is the lack of support for ftp-over-http in the current Sidewinder HTTP proxy. We worked with TIS and NAI for years to get this feature working correctly in Gauntlet.

Additionally, we have a relatively large cache hierarchy deployed with a mix of commercial and freeware caches interconnected with ICP, and are faced with tearing down the entire infrastructure because SCC, our sole corporate-standard proxy firewall vendor, cannot (will not) support the ICP protocol, and is dropping what limited Squid support they have today. This hurts, this makes me feel that I may have been remiss in recommending a move to Sidewinder G2 when we were forced to migrate off of the (stable as a rock) Gauntlet product.

I made this recommendation based in a large part on the understanding that the best features of Gauntlet would be incorporated into Sidewinder.
I guess "best features" was code for "as much of the customer base as we can retain (by any means necessary)."

Live and learn.

Are there any others out there who would like to see squid stay?
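Most of the post above is a list of things the bundled Squid on Sidewinder could not do well or at all: cache_peer hierarchies linked with ICP, large destination-domain ACL lists without a SmartFilter licence, and ftp-over-http. To make those concrete, here is a squid.conf fragment in the Squid 2.4-era syntax the post refers to. It is an added example, not taken from the mailing-list thread, from Secure Computing, or from the Squid documentation; the hostnames, networks, ports and file paths are assumptions chosen for illustration.

```conf
# Added example, not from the original post. Squid 2.4-style squid.conf.
# All hostnames, networks and paths below are assumed values for illustration.

http_port 3128
icp_port  3130

# (1) A small cache hierarchy: one parent and one sibling, both reachable over
#     ICP on port 3130. On a TE-confined Sidewinder the post reports that the
#     ICP query to the peer never leaves the box and shows up as a TE audit
#     event instead; on a stock Squid this is all that is needed.
cache_peer parent-cache.example.net  parent  3128 3130 default
cache_peer sibling-cache.example.net sibling 3128 3130 proxy-only

# Go direct for our own domain, use the parent for everything else.
acl local_sites dstdomain .example.net
always_direct allow local_sites
cache_peer_access parent-cache.example.net deny  local_sites
cache_peer_access parent-cache.example.net allow all

# (2) Destination-domain access control from files, one pattern per line.
#     dstdomain lists are indexed at startup and matched per request with a
#     single lookup, which is why a few hundred entries cost almost nothing.
#     dstdom_regex is scanned linearly, so keep that file short.
acl blocked_sites dstdomain    "/etc/squid/blocked_domains.txt"
acl blocked_regex dstdom_regex -i "/etc/squid/blocked_regex.txt"

acl our_lan    src   10.0.0.0/8
acl SSL_ports  port  443
acl Safe_ports port  80 443 21
acl CONNECT    method CONNECT

http_access deny  blocked_sites
http_access deny  blocked_regex
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow our_lan
http_access deny  all

# (3) ftp-over-http: browsers send ftp:// URLs to the HTTP proxy port and
#     Squid's built-in FTP gateway fetches them. The anonymous-login password
#     and passive mode are set here; nothing else is required.
ftp_user    squid@example.net
ftp_passive on
```

Note that the deny rules for blocked_sites and blocked_regex are evaluated before the LAN allow rule, so the order of http_access lines matters; Squid stops at the first match.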

Sunday, September 18, 2005

Toshiba's continued interest in fuel cells

Toshiba announced further fuel cell prototypes, including versions built into MP3 players. This is similar to the prototype they showed just over a year ago.

These are filled with 195-proof methanol, diluting it down to just 20 proof (ten percent) in the reaction chamber. In traditional fuel cells, methanol delivers power most efficiently when it is mixed with water in a 3 to 6% methanol concentration, but this would require a large fuel tank containing less methanol than windshield wiper fluid.

Toshiba has repeatedly postponed the launch of fuel cells for laptops, and recently stated that the product won't reach the market until at least 2007. Ms. Suzuki, Toshiba spokeswoman for international media relations, said the main reasons for the latest delay are regulations that prohibit passengers from bringing methanol onto airplanes.

There are very few production fuel cell products on the retail market today, one exception being Jadoo Power Systems, whose cells run on hydrogen.

Wednesday, September 14, 2005

The Hackers of the Lost RAID (OpenBSD 3.8 pre-orders open)

OpenBSD 3.8 is now available for pre-order.

Among other changes, ifstated is now official, DVD filesystems can be read, and the broken USB thumb drive support is unbroken.

That, and I expect a kick-ass release song.

Wednesday, September 07, 2005

Relativity and the "Enterprise Year"

shek has an interesting observation on the Enterprise Year (EY).

EY explains so many things, including most Dilbert strips.

In my opinion, the ratio of EY to Calendar Years is directly proportional to the number of layers of management.

By the same formula, the EY for a sole proprietorship is a tiny fraction of a human year. Sort of like a mayfly.

Tuesday, August 02, 2005

Evolutionary security?

Posted to Techdirt:

What if they developed security software that was programmed to increase its security and complexity with every attempt to break into it? What if Cisco had done this and that they could go through the Streisand effect and actually end up with a more formidable product intentionally? Maybe with every break-in, the code would change and build upon itself from the last attempt? This almost sounds as if it should exist already...

Sounds neat, but goes against how exploits are developed.

Let's say that I want to take over Cisco 7200 class transit routers, one of the most common peers in the current BGP cloud. Do I start launching random attacks against live Internet routers at randomly selected universities?

What I do is go out on eBay and dovebid and pick up a few variants of the Cisco router I'm targeting, plug them into my 100% isolated from the Internet test lab, and start my cheap imported Russian hackers pounding away at them.

So after a few weeks I have a tried and true exploit, without overtly committing any crime, and without giving Cisco or any researcher with a sniffer on the backbone any sign of what I am developing.

The term "0day" is generally reserved for exactly such an exploit: one developed to fruition while the underlying vulnerability it exploits has been disclosed neither to the vendor nor to the public.

Sunday, July 10, 2005

Tear down what firewall?

Slashdot posted to Tear Down the Firewall as Re:Too smart for their own good:

My suggestion was that if you find yourself slacking with regards to security procedures, you've effectively eliminated the inner wall. If the outer wall is breached, so is the inner one, by virtue of the fact that you're slacking. If the benefits of slacking (with respect to productivity, convenience, etc.) are sufficient, you should just harden the firewall and ditch the internal security processes. If maintaining security is a serious issue, you should do your damn job and implement the security processes. The fact that you have a firewall is no excuse for being sloppy, and sloppiness will bite you in the ass when the firewall fails.

That sounds great, but doesn't reflect the reality in large corporations.

One team runs the big honking edge firewalls, and takes their job seriously. They regularly strengthen the walls, and commission tiger-team testing to verify the belief that the perimeter walls are as secure as they can be for the budget available.

Another team (or six teams, or sixteen teams) run the various internal networks and servers and desktops. These are the ones who will start slacking off because "we have a firewall", and getting sloppy in locking down the internal devices.

Sure, the perimeter team can rant and rave about how their firewall, great as it is, is not a panacea and the internal groups need to take up their share of the load, but this is little more than a CLM (career-limiting move).