Monday, July 04, 2005

Initial Thoughts on Innominate mGuard PCI

Several weeks ago I mentioned the Innominate mGuard PCI. This is a PCI card that features a firewall and other security devices on the PCI board itself. In its simplest configuration, you simply insert the NIC into a free PCI slot on a system. By default the mGuard acts as a filtering bridge that lets traffic leave the protected system but denies unsolicited inbound connections.

The mGuard appears to be a 266 MHz CPU running some version of Linux. I like the idea of an independent, hardware-based device implementing access control. The mGuard can filter unwanted inbound or outbound traffic in a completely transparent manner. Alternatively, you can configure the mGuard to log traffic but pass everything.

I would like to thank Innominate for mailing me a demo mGuard card all the way from Germany. I find the self-contained Innominate mGuard professional to be fairly novel as well. You simply insert this device between your workstation, laptop, or server and the network, and it provides the same filtering found in the PCI version. This is a great hardware-based access control solution for anyone on a hostile network. ISPs could consider shipping these to their customers!

While I was perusing the mGuard's logs, I found an odd connection:

uptime 0 days 01:01:38.37870 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0
SRC=192.168.2.77 DST=205.156.51.200 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1304 DF PROTO=TCP
SPT=56925 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
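As an added example (not from the post, and not Innominate's or the mGuard's own code), here is a small Python parser for netfilter log records in the format the mGuard emitted above, plus the check an analyst would run over them: flag new outbound TCP connections from the protected host to ports outside an expected set. The first sample record is the one quoted above joined onto a single line; the remaining records, the 192.0.2.x addresses and the expected-port list are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample input. Record 1 is the mGuard record quoted in the post,
# joined onto one line; records 2-4 are made up here (RFC 5737 test addresses)
# so the check below has expected traffic and a non-SYN packet to ignore.
SAMPLE_LOG = """\
uptime 0 days 01:01:38.37870 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=205.156.51.200 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1304 DF PROTO=TCP SPT=56925 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
uptime 0 days 01:01:40.00001 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1305 DF PROTO=TCP SPT=56926 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
uptime 0 days 01:01:41.00002 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1306 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
uptime 0 days 01:01:42.00003 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=205.156.51.200 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1307 DF PROTO=TCP SPT=56925 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
"""


def parse_netfilter_record(line: str) -> Dict[str, object]:
    """Turn one netfilter log record into a dict of KEY=value fields.

    Bare tokens (DF, SYN, ACK, PSH, FIN, ...) are collected in rec["flags"].
    The rule label (e.g. fw-out-ACCEPT) is the token just before IN=; whatever
    the logger prints before it (here "uptime ... klogd:") is ignored.
    Note: for UDP netfilter prints a second LEN= (datagram length) that
    overwrites the IP-header LEN here; this check only uses the port fields.
    """
    tokens = line.split()
    try:
        idx = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    except StopIteration:
        raise ValueError("not a netfilter log record: " + line)
    rec: Dict[str, object] = {"label": tokens[idx - 1].rstrip(":"), "flags": set()}
    flags: Set[str] = rec["flags"]  # type: ignore[assignment]
    for tok in tokens[idx:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            flags.add(tok)
    return rec


def is_new_tcp_connection(rec: Dict[str, object]) -> bool:
    """A SYN without ACK is the first packet of a TCP session: one hit per connection."""
    flags: Set[str] = rec["flags"]  # type: ignore[assignment]
    return rec.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags


def unexpected_outbound(log_text: str, expected_ports: Set[int],
                        protected_host: str) -> List[Tuple[str, int, int]]:
    """Return (dst, dport, sport) for each new outbound TCP connection from
    protected_host whose destination port is not in expected_ports."""
    hits: List[Tuple[str, int, int]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_netfilter_record(line)
        if rec.get("SRC") != protected_host or not is_new_tcp_connection(rec):
            continue
        dport = int(str(rec["DPT"]))
        if dport not in expected_ports:
            hits.append((str(rec["DST"]), dport, int(str(rec["SPT"]))))
    return hits


if __name__ == "__main__":
    # Expecting only web traffic from the protected host (constructed baseline),
    # the FTP control-channel SYN from the post is the one record that stands out.
    for dst, dport, sport in unexpected_outbound(SAMPLE_LOG, {80, 443}, "192.168.2.77"):
        print(f"unexpected outbound connection: 192.168.2.77:{sport} -> {dst}:{dport}")
```

The SYN-without-ACK filter is what keeps this from firing once per packet; it is also why the ACK record in the sample is silently dropped. A baseline of expected ports is the crude version of the question the post asks ("can I account for this?"); the full content data is what answers it.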

This is an FTP control channel connection to 205.156.51.200 (tgftp.nws.noaa.gov). I could not account for this activity, but I did have full content data logging enabled on my NSM sensor. Here is the session as decoded by Tcpflow:

205.156.051.200.00021-069.243.018.066.56925: 220-WARNING

205.156.051.200.00021-069.243.018.066.56925: 220-
220-This is a United States Government (NOAA) computer system, which may be
220-accessed and used only for official Government business by authorized
220-personnel. Unauthorized access or use of this computer system may
220-subject violators to criminal, civil, and/or administrative action.
220-
220 tgftp.nws.noaa.gov FTP server ready.

069.243.018.066.56925-205.156.051.200.00021: USER anonymous

205.156.051.200.00021-069.243.018.066.56925: 331 Guest login ok, send your complete
e-mail address as password.

069.243.018.066.56925-205.156.051.200.00021: PASS freesbie@freesbie.livecd

205.156.051.200.00021-069.243.018.066.56925: 230-Please read the file README.TXT

205.156.051.200.00021-069.243.018.066.56925: 230- it was last modified on Mon Aug 19 13:36:34 2002 - 1049 days ago
230 Guest login ok, access restrictions apply.

069.243.018.066.56925-205.156.051.200.00021: TYPE I

205.156.051.200.00021-069.243.018.066.56925: 200 Type set to I.

069.243.018.066.56925-205.156.051.200.00021: CWD /data/observations/metar/decoded

205.156.051.200.00021-069.243.018.066.56925: 250 CWD command successful.

069.243.018.066.56925-205.156.051.200.00021: SIZE YSSY.TXT

205.156.051.200.00021-069.243.018.066.56925: 213 413

069.243.018.066.56925-205.156.051.200.00021: MDTM YSSY.TXT

205.156.051.200.00021-069.243.018.066.56925: 213 20050704155232

069.243.018.066.56925-205.156.051.200.00021: PASV

205.156.051.200.00021-069.243.018.066.56925: 227 Entering Passive Mode (205,156,51,200,254,91)

069.243.018.066.56925-205.156.051.200.00021: RETR YSSY.TXT

205.156.051.200.00021-069.243.018.066.56925: 150 Opening BINARY mode data connection
for YSSY.TXT (413 bytes).

205.156.051.200.00021-069.243.018.066.56925: 226 Transfer complete.

205.156.051.200.00021-069.243.018.066.56925: 221 You could at least say goodbye.

I see that this was caused by a weather applet running on FreeSBIE, the FreeBSD live CD with which I was testing the mGuard PCI. This is completely benign, but I was not expecting to see a program perform an FTP connection on its own. This is the power of collecting NSM data -- you can figure out what is happening, once you know where to look. You also don't have to know what to look for before you start collecting data -- just grab as much as you can.

8 comments:

Chris Barker said...

REALLY disappointing post. It's nice that your sniffer caught the app you were running, but why run a distro with unknown apps for testing to begin with. Also it's a bit hard to "trust" a recommendation for a firewall device that does nothing to differentiate itself from many other el-cheapo packet filters.

Scott said...

"ISPs could consider shipping these to their customers!"

Ship a PCI card to customers who barely have a clue, maybe if it was a USB device that would be one thing. But not a PCI card....

Richard Bejtlich said...

Chris,

This was not a "recommendation." Nowhere do I suggest anyone buy one of these devices.

I ran a live CD because I needed a Web browser to connect to the mGuard's HTTPS administration GUI. I've used FreeSBIE before, so it's hardly "unknown." I thought the traffic I noticed made a good example.

I would like to know what is wrong with running IPTables on Linux? If it works, why not use it?

Richard Bejtlich said...

Scott,

If you follow the sentences above you'll see I suggested ISPs provide the self-contained version -- not the PCI one.

Scott said...

Oops my bad :) See what happens when you post before the coffee is done brewing.

Joe said...

Richard,

REALLY good post. Nice demonstration of real-life NSM.

PCI firewalls are an interesting idea. Obviously they aren't for everyone, but thanks for the write-up. I don't think anyone has bothered to review one of these before.

Anonymous said...

Have you tested the PCI or mGuard together as a point to point VPN with AES or 3DES IPsec? I'm interested in a pair of mGuards for a VPN running 8mbit of streaming video over .g wifi. The devices have to be transparent for the IP camera to work, there is no OS or PC running.

Richard Bejtlich said...

Negative -- they sent one PCI product and that was it.