Thursday, June 21, 2007

Latest Plane Reading

Tuesday afternoon I flew from Washington Dulles to San Jose, to teach at USENIX 2007.

En route I read a few interesting articles that I'd like to mention.

  • When I saw NWC mention the Omni Virtual Network Service, I thought something cool might be on hand. Their Web site states:

    The migration to blade chassis-based virtual servers has created a new blind spot in the enterprise: the traffic between virtual servers in the same blade chassis. This “invisible traffic” never crosses any network segment where it can be easily captured. As a result, engineers have little or no visibility into the traffic among virtual servers...

    A new addition to the OmniAnalysis Platform, the Omni Virtual Network Service is a lightweight traffic-capture service that enables IT engineers to capture and analyze traffic on virtual servers...

    The Omni Virtual Network Service is a small, lightweight service that runs on any Windows XP or Windows 2003 virtual server.


    Oh... so Omni implemented remote capture, which I blogged about in 2003 as implemented on Winpcap, and only works on Windows. Oh well.

    Incidentally, a quick check of VMware Server 1.0.2 build-39867 showed that when VM 1 pings VM 2 with all NICs in bridged mode, VM 3 cannot see the ICMP traffic. Does this mean VMware Server is no longer a hub like I described a year ago? Watching the physical Linux interface of the host OS showed two copies of each packet, however.

  • The same issue of NWC mentioned the NetXen 10G Ethernet Expansion card, saying:

    The NetXen adapter offers dual-channel 10GbE connectivity at a cost of less than $550 per port, and provides bonus dual- or quad-gigabit ports, depending on the chip. But what makes the NetXen line really interesting is the investment protection it offers through its field-programmable and IO-virtualization capabilities. Already supporting RDMA, iSCSI and TCP/IP off-loading, the NetXen Protocol Processing Engine can be reprogrammed to handle changed or new protocols, like iSER and iWARP, through a simple driver update.

    The NetXen Website confirms this:

    The fully-programmable architecture of the Intelligent NIC® protects network equipment investments in the face of rapidly changing market needs and evolving protocols. It is the only solution on the market whose functionality can be changed completely in firmware.

    Are you thinking what I'm thinking? Say it with me: NIC rootkit -- or how about a NICkit?

  • Recently I've been blogging about CALEA. I found the diagrams in this Procera Networks marketing slick helped me understand some of the different approaches, like traditional CALEA (top diagram) vs Procera's approach (bottom diagram):

  • Speaking of CALEA, I got a chance to read a new paper by my favorite covert channel and traffic analysis guru Steven Murdoch -- Sampled Traffic Analysis by Internet-Exchange-Level Adversaries. Basically, there's a good chance that Tor users monitored at an Internet eXchange (IX) can be identified via sampled traffic analysis. Renting a botnet is still your best means to stay anonymous, apparently.

  • Finally, I also read Inadvertent Disclosure – Information Leaks in the Extended Enterprise (.pdf) by M. Eric Johnson and Scott Dynes. This very interesting paper described the authors' search for sensitive documents on P2P networks. My only problem was the dreadful repeated misuse of terms like threat, when risk was probably the right term to use. A sentence like this encapsulates much of my frustration:

    While these searches could be seen as benign, they would also uncover sensitive files and thus the expose [sic] vulnerabilities that could still represent a threat to the institution and its customers.

    Vulnerabilities never represent a threat to anyone. Almost all the places where the authors say "threat" they really mean risk. For example:

    We also characterize the threat of loss...

    That should read "We also characterize the risk of loss..."

    In this example an application is mischaracterized as a "threat."

    This next breed of file sharing systems has proven to be far more difficult to control and a much larger security threat.

    Applications which offer services are not threats. Applications may offer vulnerabilities which can be attacked and exploited by threats, but the application is not the threat itself -- the application is a target.


Expect more reports from the flight back to NoVA.

8 comments:

Anonymous said...

Is the whole CALEA just for VoIP traffic? Will a network tap presence be enough to let them stick their big brother boxes? Can't seem to get the real answer from askcalea.net.

Anonymous said...

From what I heard "virtual" security was the big topic at the Gartner security conference in DC a couple of weeks ago. So now we need "virtual" IDS/IPS, firewall, session capture.......

A whole new "virtual" security niche market will open up for vendors and consultants.....

Thomas

PS Congrats on the job at GE! I presume you've been very busy in the last 2 months since there have been no NoVaSec meetings.

Marcin said...

Thanks for mentioning the paper on inadvertent disclosure of information on p2p networks. It's just what I've been looking for.

Richard Bejtlich said...

CALEA also applies to IP traffic like email, Web browsing, etc.

Joe said...

Rich,

Are you still in San Jose?

dre said...

Oh... so Omni implemented remote capture, which I blogged about in 2003 as implemented on Winpcap, and only works on Windows. Oh well.

Richard, you may have forgotten that you wrote about http://rpcap.sourceforge.net in the last chapter of your book, TToNSM:BID.

Also - last I checked the Winpcap rpcapd was able to compile under Unix operating systems of varying types without much (if any) porting issues such as linking libraries or fixing includes.

NIC rootkit -- or how about a NICkit?

Why write a NIC based rootkit when you can just own every browser and DNS server? Intelligent adversary.

Speaking of NIC advancements, have you seen the Cat6k new FPM stuff for the SUP32PISA? 8KB deep packet inspection!

Cisco has failed on the WiFi front over and over again... RLDP is just pathetic. They are working on 802.11w for Vista/CCXv5, which is very important - but we're probably not going to see anything from them for at least the next year.

Basically, there's a good chance that Tor users monitored at an Internet eXchange (IX) can be identified via sampled traffic analysis. Renting a botnet is still your best means to stay anonymous, apparently

Botnet owners get caught and busted all the time. Users of tor are not safe, and they haven't been for quite some time. However, tor users that use tor to go to an SSL proxy effectively save themselves from most of the basic types of investigations or eavesdropping.

Both Tor and P2P are interesting failures at anonymity and privacy, but new things will start to take their place. I2P is working on a blogging network called Syndie (a similar concept to FreeNet), and at least one of the P2P networks is starting to use GPG to protect their sessions and information (I think it's eDonkey, but I could be wrong).

dre said...

More on rpcapd for Linux/Unix:
winpcap.mirror.ethereal.com
www.pawelko.net
