Wednesday, March 30, 2005

New National Centers of Academic Excellence in Information Assurance Education

Related to my previous post, I decided to see what was happening with the National Security Agency's National Centers of Academic Excellence in Information Assurance Education (CAEIAE) program. I read that today the NSA and Department of Homeland Security jointly announced several new schools had met the criteria to be National Centers of Academic Excellence in Information Assurance Education. One of them is my alma mater, the US Air Force Academy. I am glad to see USAFA join this group, since it was embarrassing to see the ground-pounders of West Point already in the CAEIAE program! :)

Thoughts on New Cyber Security Report

Today I skimmed the latest report from the President's Information Technology Advisory Committee (PITAC) titled Cyber Security: A Crisis of Prioritization (.pdf). This Government Computer News story summarizes the report's findings. Briefly, they are that the nation's critical infrastructures remain vulnerable to attack, and that federal security research and development funding is misallocated. PITAC estimates "there are fewer than 250 active cyber security or cyber assurance specialists, many of whom lack either formal training or extensive professional experience in the field." I agree with this claim; it is very difficult to find anyone with deep and broad security degrees and experience I would trust to teach future practitioners.

I was pleased to see the report list the following as some of its ten research priorities, as they are near to my own interests:

- Monitoring and Detection. Regardless of progress made in the preceding research areas, unanticipated events will still occur. When they do, tools to monitor and understand what is happening are needed to enable the proper deployment of appropriate defensive measures. The ability of current tools that monitor irregular network activity to rapidly identify the underlying cause is primitive. The current advantage that adversaries enjoy will increase as they become more knowledgeable and as the Internet becomes larger and more complex. Research subtopics include:

-- Dynamic protection that can react when attacks are detected, possibly by increasing monitoring activities
-- Global scale monitoring and intrusion detection
-- Monitoring of systems to ensure that they meet declared security policies
-- Better tools based on improved models that characterize "normal" behavior
-- Real-time data collection, storage, mining, and analysis during a crisis
-- Usable presentation interfaces that allow operators to better understand incidents in progress

- Cyber Forensics: Catching Criminals and Deterring Criminal Activities. The rapid arrest and conviction of criminals is a primary goal of law enforcement and also serves as a deterrent. When potential criminals believe there is a strong chance that they will be caught and convicted, they are more reluctant to commit crimes. Current capabilities to investigate cyber crime, identify perpetrators, gather and present evidence, and convict criminals are woefully inadequate. Compounding the problem, we do not really know how to deter cyber crime. Very few of the thousands of cyber criminals active today are being caught. There is a pressing need to develop new tools and techniques to investigate cyber crimes and prosecute criminals. Robust cyber forensic methods are also needed that will prove capable of withstanding the burden of proof in court, whether employed to prosecute criminals or exonerate the innocent. Research subtopics include:

-- Identifying the origin of cyber attacks, including traceback of network traffic
-- Identifying attackers based on their behavior
-- Collecting evidence in uncooperative network environments
-- Tracing stolen information used in the growing traffic in fraud, identity theft, and intellectual property theft, including tools and protocols for recovering trace evidence from volatile and incompletely-erased computing media, disks, cell phones, PDAs, and embedded systems
-- Tools and protocols to search massive data stores for specific information and indicators, possibly while the data stores are in use
-- Fundamental research to develop forensic-friendly system architectures that are more amenable to investigation when incidents occur

I intend to keep my eyes open for institutions looking for researchers to pursue these areas.

Tuesday, March 29, 2005

Cisco Routers Run Tcl

This morning I was reading The State of the Scripting Universe by Lynn Greiner. That article features interviews with leaders in the development communities for Perl, PHP, Python, Ruby, and Tcl. The article pointed me towards a reference titled Dynamic Languages — ready for the next challenges, by design by David Ascher. While reading this second article I was surprised by this statement:

"Tcl is part of Cisco's IOS router operating system, and as such is included in all high-end Cisco routers and switches."

What's that? Tcl on my router? A quick Google for "tcl cisco ios" revealed two helpful resources: Cisco IOS Scripting with Tcl by Cisco and TCL'ing Your Cisco Router by Peter J. Welcher. Cisco's document revealed that Tcl 8.3.4 was introduced in Cisco IOS 12.3(2)T. Sure enough, it's on my Cisco router:

gill#sh ver
Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M),
Version 12.3(11)T3, RELEASE SOFTWARE (fc4)
gill(tcl)#puts "Hello world"
Hello world


Peter Welcher's article expands on Cisco's document to show some of what can be done with Tcl on the Cisco router.

This absolutely blows my mind, and I can't believe I haven't heard of this before. I found a 2001 email mentioning the Tcl shell as "undocumented," although there is a reference in the Cisco IOS Configuration Guide Master Index, Release 12.1. Imagine what might be possible with this; you might be able to run arbitrary code -- Sguil even? -- on Cisco routers.

Speaking of Tcl, the newest versions of Salvatore Sanfilippo's Hping rely on the language. I reported on this last year. Salvatore has been working on a Tcl interpreter called The Jim Project, which he says "will likely merge with Hping." Salvatore is also writing a book on Tcl, some of which is online as TCLWISE: An introduction to the Tcl programming language.

Monday, March 28, 2005

Steve Andres of Special Ops Security emailed me to report his company's release of SQLrecon, Chip Andrews' successor to SQLping. SQLrecon is another .NET application that I tested on my Windows 2000 laptop. You can use SQLrecon to discover servers offering Microsoft SQL Server, and learn a little bit more than a port scanner might say.

The tool is very easy to use. Specify a range of IPs in the boxes and start the scan. Results appear in the window at right.

SQLrecon provides plenty of customization via options as well.
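The "little bit more than a port scanner" comes, for SQLping-style tools, from the SQL Server Resolution Protocol: a one-byte request to UDP 1434 (the SQL Server Browser / resolution service) returns a semicolon-delimited list of instance names, versions and listening ports, which is how a scanner can name an instance even when it listens on a non-default TCP port. The following is an added example, not code from SQLrecon or Special Ops Security, that parses such a reply from a constructed sample and can optionally send the probe itself. That SQLrecon uses exactly this exchange is my assumption, and the host name, instance names and ports in the sample are made up.

```python
"""Parse SQL Server Resolution Protocol (SSRP) replies, the UDP/1434
discovery mechanism SQLping popularised.  Added example; not code from
SQLrecon.  Sample data below is constructed, not captured."""
import socket
import sys
from typing import Dict, List

SSRP_PORT = 1434
CLNT_BCAST_EX = b"\x02"   # "list every instance on the subnet" (broadcast)
CLNT_UCAST_EX = b"\x03"   # "list every instance on this host" (unicast)
SVR_RESP = 0x05           # first byte of every server reply

# Constructed sample reply: one host advertising two instances, the second
# on a non-default port that a plain 1433 port scan would miss.
SAMPLE_BODY = (
    "ServerName;SQLBOX;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\SQLBOX\\pipe\\sql\\query;;"
    "ServerName;SQLBOX;InstanceName;DEV;IsClustered;No;"
    "Version;9.00.1399;tcp;2433;;"
).encode("ascii")
# Wire format: 0x05, little-endian 16-bit body length, ASCII body.
SAMPLE_RESPONSE = (
    bytes([SVR_RESP]) + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY
)

# Major version of the reported build -> product (assumed mapping for display).
MAJOR_TO_PRODUCT = {
    "7": "SQL Server 7.0",
    "8": "SQL Server 2000",
    "9": "SQL Server 2005",
    "10": "SQL Server 2008",
}


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Return one dict of key/value fields per instance in an SSRP reply.

    Instances are separated by ";;" and fields within an instance alternate
    key;value;key;value.  Anything that is not a 0x05 reply is rejected."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("latin-1", errors="replace")
    instances: List[Dict[str, str]] = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:          # trailing "" after the final ";;"
            continue
        # zip() silently drops a dangling key from a truncated reply.
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def describe_version(version: str) -> str:
    """Map a build string such as '8.00.194' to a product name."""
    return MAJOR_TO_PRODUCT.get(version.split(".")[0], "unknown")


def probe(host: str, timeout: float = 2.0, broadcast: bool = False) -> List[Dict[str, str]]:
    """Send the resolution request and parse every reply until the timeout.

    Needs network access; not exercised by the offline sample."""
    request = CLNT_BCAST_EX if broadcast else CLNT_UCAST_EX
    results: List[Dict[str, str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        if broadcast:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(request, (host, SSRP_PORT))
        try:
            while True:
                data, (src, _) = sock.recvfrom(4096)
                for inst in parse_ssrp_response(data):
                    inst["_source"] = src
                    results.append(inst)
                if not broadcast:
                    break
        except socket.timeout:
            pass
    return results


if __name__ == "__main__":
    # With no argument, show what the constructed reply yields; with a host
    # or broadcast address, actually probe it.
    found = probe(sys.argv[1], broadcast=sys.argv[1].endswith(".255")) \
        if len(sys.argv) > 1 else parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in found:
        print(f"{inst.get('ServerName')}\\{inst.get('InstanceName')} "
              f"tcp/{inst.get('tcp', '?')} "
              f"{describe_version(inst.get('Version', ''))} ({inst.get('Version')})")
```

Treat the Version field as a hint rather than a patch-level assessment and confirm it with a real connection; it describes the build the resolution service reports, which is not guaranteed to change with every hotfix. The same request is what makes UDP 1434 worth filtering at the perimeter.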

Thank you to Special Ops Security for releasing this free and helpful tool!

Sunday, March 27, 2005

FreeBSD 5.4 Schedule Updated

This weekend the FreeBSD 5.4 Release Schedule was updated to reflect "facts on the ground." The candidate earlier labelled "PRERELEASE" is now noted as "5.4-BETA1", and the comments state:

"First public test release build. Note that the release build name is 5.4-BETA1 but RELEASE name remains 5.4-PRERELEASE. This is because the name BETA often confuses the users who are using the STABLE branch."

"5.4-RC1" is slated for 31 March, but then we read the "First release candidate" is scheduled for 2 April. 5.4 is listed as having a 19 April availability date.

This information is a lot more specific than what I see from most commercial operating systems. :)

Latest Snort and IDS News

Last week saw several developments involving Snort. First, Sourcefire published the Open Source Snort Rules Consortium (OSSRC) charter (.pdf). The document states:

"The stated goals of the OSSRC are to:

- Establish metrics and standards for Open Source Snort rule development and documentation.
- Provide a forum for the sharing of research and information for the development of effective Snort Rules.
- Ensure continuous support for a Snort Ruleset licensed under the GPL."

Sourcefire and Bleeding Snort will hold most of the power in the new group:

"One representative from each of the founding member organizations, Sourcefire and Bleeding Snort, will serve in the role of co-chair of the OSSRC. Co-chairs will serve as managers of the OSSRC, working as they deem necessary to uphold the mission of the OSSRC. They will hold veto power over any vote of the membership, though any such veto may be overturned by a vote of three-quarters (_) of the membership."

I'm not sure why I see "(_)" several times in the document, but I reproduced it above.

To get involved, become a general member:

"The primary role of general members will be to share research information, rule development, testing facilities, etc with the consortium. In addition, they will be provided the opportunity to discuss and vote upon proposals introduced or sponsored by the officers. Proposals may be passed by a simple majority of the voting members of the OSSRC."

I plan to join the OSSRC. If you'd like to as well, email jennifer dot steffens at or matt at infotex dot com.

The second piece of Snort news is a Bleeding Snort announcement: Demarc is now sponsoring the Bleeding Snort project. According to news on Demarc's Community Portal:

"Demarc is pleased to announce our official sponsorship of the Bleeding Snort Project. Bleeding Snort has long proven itself as an authority in cutting edge snort rules. Demarc is proud to add the support of our Threat Research Team behind this project and we're excited to be able to help Matt and the rest of the Bleeding Snort team continue their excellent work in creating and bringing together the most up to date Snort-based rules for the entire security community."

I guess it took three weeks for Demarc to realize they weren't getting any traction with their initiative to maintain a separate Snort rule base. Their so-called "Demarc Certified Open Signatures" are still posted without appropriate copyright notices, as far as I can tell.

The last bit of Snort news comes in the form of a new Gigabit IDS Group Test from The NSS Group. You would think that at least six years' worth of commercial Web presence would merit a more modern Web page and less underlining of all text! In any case, their new report is interesting as only products from Sourcefire and ISS are mentioned. Why? The report states:

"For this significant group test we invited all the major vendors in the Network IDS market place (if anyone reading this is a vendor who was not invited, please do let us know). Five agreed to take part and be tested using our latest methodology, including:

Internet Security Systems, Inc.

Sourcefire, Inc.

Three of the five devices submitted for testing failed one or more of the tests and were not awarded NSS Approved. They do not appear in this report, leaving the two listed above, both of which achieved NSS Approved status. Others were not able to submit products in time for this round of testing, and will thus be included in Edition 4."

I would like to know which three failed, although I guess NSS is letting them save face by remaining anonymous. I intend to take a close look at the NSS testing methodology when I have more time.

Thursday, March 24, 2005

IISFA Announces Vendor-Neutral Forensics Certification Test

Today I received an email from James A. Moore, International Vice Chairman (sounds impressive) of the International Information Systems Forensics Association (IISFA). The IISFA is the governing body for the Certified Information Forensics Investigator (CIFI) certification. I mentioned this organization and cert in June and November 2003.

Since I don't see any notice of this news on the IISFA Web site, here's the significant parts of Mr. Moore's email:

"I am very pleased to formally announce the final release date of the Certified Information Forensic Investigator examination through Thompson Prometric.

The exam will be available at over 2500 testing centers worldwide on April 18th, 2005. The exam fee will be $150 USD and registration for the exam will be completed through the Thompson Prometric website located at The exam will be 125 random questions with a minimum passing score of 70%. Results to the candidate will be immediate. The IISFA will receive monthly reports and certifications will be sent out on a monthly basis...


1) This test is open to anyone. However, only active members in good standing who pass the exam will be awarded the CIFI. CIFIs must maintain CEUs to keep their certification current.

2) The testing centers are not IISFA locations. Thompson Prometric is an independent testing entity.

3) All testing centers are proctored and require picture ID from the candidate prior to taking the exam.

4) You may take the exam as many times as you wish, however the examination fee is $150 USD for each instance.

5) The exam is available worldwide in dozens of countries, however, the test is only in English at this time.

6) There are study suggestions on the IISFA website ( and several CIFI study guides in preparation by various IISFA members.

7) Currently there are approximately 100 CIFIs in the world that have taken the exam or grandfathered. There is still opportunity to be one of the very first CIFIs with a low badge number.

8) Badges are available by purchase from a third party. This vendor is not part of IISFA and all transactions are between the vendor and the purchaser. All certifications are verified by the vendor before they will complete the transaction and create your badge. Each badge will be stamped with your badge number.

9) James Moore (me) is not the Director of Certification. I am not the correct person to ask about your certification status (present grandfather applicants excluded), your badge status, how to study for the exam, and so on. You need to direct those inquiries to the Director of Certification and Director of Education.

10) There is a committee who will maintain the exam question pool and will review it twice per year. All members will be under non-disclosure and must be CIFIs. If you wish to join that committee, contact the Director of Certification (Dione Hodges).

11) No, James Moore does not get residuals, funds, compensation, free trips, or thank-yous for the exams from any party living or dead, real or imagined. All exam fees go to Thompson Prometric and the IISFA. However, donations to the James Moore Vacation fund are warmly welcomed (please send cash only).

This marks a new phase in the development of the CIFI as the leader in our field. I'm very proud to see this event come to pass. Thanks to all those who helped."

I support the CIFI because it is a vendor-neutral forensics certification with a Code of Ethics. The CISSP Code of Ethics is the only reason I support that certification. I took advantage of the IISFA's original grandfathering option in 2003 to acquire the CIFI. The GIAC Certified Forensics Analyst (GCFA) requires candidates to adhere to its GIAC Code of Ethics. I attended the first SANS Forensics, Investigation, Response and Education (SANSFIRE) in 2001, the precursor to the GCFA, but never tested for any SANS certification.

For an in-depth discussion of the merits of forensics certification, consider reading Computer Forensics: The Need for Standardization and Certification (.pdf) by Matthew Meyers and Marc Rogers.

Wednesday, March 23, 2005

Review of The Art of Intrusion Posted

My four star review of The Art of Intrusion has just been posted. This may be one of my more controversial opinions, so you may want to read the whole review to get my entire take on the book. Here is the beginning of the review:

"Over two years ago I read and reviewed The Art of Deception also by Mitnick and Simon. I thought that book was 'original, entertaining, [and] scary.' Those same adjectives apply to The Art of Intrusion (TAOI). While I also add 'disappointing' and 'disturbing' to the description of TAOI, sections of the new book make it an absolute must-read. If you want to understand the consequences of systematic, long-term compromise of your enterprise, you must read and heed the lessons of TAOI."

Monday, March 21, 2005

Red Cliff Releases Web Historian

On Friday, security consultancy Red Cliff posted an announcement of their new Web Historian tool. Web Historian parses Web browser history files and presents the information in a manner useful to a host-based forensic investigator. The program requires the Microsoft .NET Framework and runs only on Windows systems.

Prior to using Web Historian, I had used Scott Ponder's IE History and Keith Jones' Pasco. Previously IE History was free, but required sending an email to the developer. Now IE History costs $50 and is "limited to Law Enforcement and Corporate Security." Web Historian improves upon Pasco, and the new tool probably benefitted from Keith Jones' input, as he now works for Red Cliff.

I downloaded and installed Web Historian. The program prompts the user for a Web history file to parse, or gives the option of searching a specified location for Web history files. I chose the latter option and directed Web Historian towards the c:\Documents and Settings folder where I expected to find Web history files.

After searching the folder, Web Historian presented its results in an Excel spreadsheet. It showed one tab for each Web history file it parsed. First it showed results from a history.dat file generated by Firefox.

The second tab showed Internet Explorer history.

This sort of information is incredibly useful. Web Historian is built to accommodate forensic investigations as it can parse whatever Web history file you specify, within the limits of its ability to recognize the format. I expect people to begin migrating to this new free tool as they learn more about it. Web Historian is packaged with a help file that explains program usage and other functions. Try it out!

FreeBSD 5.4-BETA1 Available

I am happy to report that FreeBSD 5.4-BETA1 has been announced. The release schedule has not yet been updated, and it doesn't seem to match the process currently underway. Looking back at the 5.3 release schedule, we see that BETA1 is the start to the FreeBSD release process. After a series of BETAs we will see RCs (release candidates). I think 5.4 is a few weeks late, so I expect to see the final RELEASE version ready in late April or early May.

Friday, March 18, 2005

Latest Pre-Reviews

I received three new Pearson imprint books yesterday that I've added to my reading list.

First is Windows System Programming, 3rd Ed by Johnson M. Hart, published by Addison-Wesley Professional. This book looks promising because it does not dwell on Windows GUI issues. Instead it focuses on core system services like the file system, memory, processes and threads, synchronization, communication, and security. The 3rd edition is updated to address Windows XP and Windows Server 2003, and it also covers 64 bit issues. I asked for this book to learn more about Windows internals and programming Windows systems. The author is said to take more of a "UNIX-like" approach to Windows programming, which should be a blessing for me.

Next is Cisco Router Firewall Security by Richard Deal, published by Cisco Press. I absolutely cannot wait to read this book, given the attention I've paid to IOS this month. This book is an exhaustive examination of the security features available in IOS 12.3. I am looking forward to trying out the firewall feature set, intrusion detection capabilities, and network-based application recognition, context-based access control, and other IOS goodies. Rather than discuss them at length in my next book, I intend to refer readers to this one.

Last we arrive at Inside Network Perimeter Security, by Stephen Northcutt, et al, published by Sams. I did not read the first edition of this book, but I am happy to see a second edition in an age where everyone says the "perimeter is dead," along with the IDS, and so on. I intend to take a close look at this book and the subjects it covers well, so as to avoid duplicating topics in my next book. Thumbing through the book it seems to be more discussion and less configuration syntax, which may make implementing its recommendations difficult. We'll see -- stay tuned for reviews once I get to all three books.

Article on Snort Rules

I just noticed that an article titled Snort (rules) for sale has been published. I was quoted after the article's author, Shawna McAlearney, read coverage on this blog. I thought Shawna's article was "fair and balanced."

Bookpool Publishes My Ten Favorite Computing Books

I maintain Listmania Lists for a variety of topics. These show books I recommend reading to become more proficient in various security skills. Recently Bookpool asked me to help celebrate their 10th anniversary by participating in their author's favorite 10 computer books from the past 10 years promotion. I hope you find my list helpful. Although I sometimes reference books I read several years ago, I was sure to include older books that had newer editions available.

Security Insights from Microsoft Security Architect

Last night I attended the northern Virginia ISSA monthly meeting. The guest speaker was Dean Iacovelli, Security Systems Architect for the Microsoft Mid-Atlantic district. His overall theme was "beyond patching." Dean supports over 200 enterprise customers, for which he serves as "security piñata." Several ISSA members took him to task for Microsoft's security failings, but I thought Dean was diplomatic and handled their mildly aggressive questions well.

Dean said that the patching approach to security is becoming a "second or third line defense, like backups. You patch regularly but hope you don't need them." As evidence he cited the decreasing window of time between announcement of a vulnerability and release of an exploit. Patches are still the best way to fix a vulnerability in broken software, so Microsoft has been pursuing multiple initiatives to improve their patches.

First, Microsoft is migrating from multiple update sites (e.g., Office Update, Windows Update, and Microsoft Update Center) to a single future "Microsoft Update" site in late 2005.

Second, Microsoft realized their seven profit and loss centers support eight different software installation methods. This year they will move all software installation to two methods. Operating systems will use update.exe and applications will use MSI 3.0. This will make using Microsoft Baseline Security Analyzer, Microsoft Systems Management Server, and Microsoft Software Update Services (migrating to Windows Update Services) more predictable and effective.

Third, Microsoft has worked to make their patches better. They have a standardized naming convention to ease management. They use binary diffs to reduce patch size. They are also "actually inspecting system configuration" (as opposed to pretending to do so?) to determine what patches are really needed.

Dean next discussed Security Configuration Wizard. This seemed like a fairly impressive way to lock down systems. It automatically detects and configures Microsoft services and their options, Microsoft client applications and their options, third-party applications, IPSec policies, registry settings, audit features, and IIS. Essentially you can apply all of Microsoft's recommended configuration options via an automated tool. I was disappointed to see Dean's demo fail, but I see the promise of the technology.

Dean mentioned a related tool called Microsoft Application Compatibility Analyzer. The idea behind this program is to run it for a week or so on a host to determine what applications users employ. This helps administrators learn if XPSP2 will break any of the user's applications. I hope to see more of this sort of tool for future Windows upgrades.

Speaking of XPSP2, Dean gave a behind-the-scenes look at the reasons for its development. Apparently the Blaster worm had a huge effect on Microsoft. They "took almost all developers off Longhorn for a year to work on XPSP2." The theme of XPSP2 was applying good default configurations. For example, XPSP2 enables the Microsoft firewall by default. It denies inbound connections to help prevent intrusions. XPSP2 also denies null sessions by default. Dean said XPSP2 has been downloaded 150 million times.

One of the ISSA attendees complained that XPSP2 features were not available for Windows 2000. In fact, Dean said Internet Explorer 7.0 will only be available for XPSP2 (at least at present). The ISSA attendee said it was too expensive for customers to upgrade to XP. I wanted to say that the best update to Windows 2000 is Windows XP, but I kept quiet. Dean replied to the other ISSA attendee that most big Microsoft customers with Windows 2000 installations "already own Windows XP" by virtue of their Microsoft Enterprise Agreement. He said getting these customers to upgrade to Windows XP is one of Microsoft's biggest problems.

Dean pitched four efforts Microsoft sees as being "beyond patching." Since he spent so much time on the earlier issues, Dean had to briefly describe each. The four efforts are:

1. Isolation and resiliency
2. Network segmentation
3. Rights Management Services
4. Smart cards for remote access

I found his network segmentation discussion interesting. Microsoft is pushing for an all-IPSec internal network. All Active Directory-managed hosts would speak IPSec, and anything that doesn't is considered untrusted. I believe Dean said this is how Microsoft operates its internal network.

Regarding Microsoft's internal practices, Dean encouraged listeners to visit the IT Showcase site. There Microsoft publishes papers on how it secures its own network. He said that Microsoft operates the largest wireless 802.1x deployment in the world. They have also run Network Access Protection for two years for VPN clients.

I found Dean's short description of Rights Management Services to be intriguing. It will use eXtensible rights Markup Language and AES 128 encryption to protect individual documents. Only those operating rights management-enabled programs should be able to read RM-protected documents. I welcome the idea of a data-centric approach to security, but I am sure someone will figure out how to break this system.

Beyond the four efforts already in production, Dean pointed to three future areas for Microsoft:

1. Network quarantine
2. Vulnerability assessment
3. Active protection

First, Microsoft Network Access Protection will work with Cisco Network Admission Control. Initially they did not want to cooperate, but their alliance was a result of customer pressure. Network Magazine profiled the two technologies recently. At first glance I prefer Cisco's 802.1x switch port-centric approach, rather than Microsoft's DHCP-centric method. Who cares if I don't get a DHCP server to provide an IP, when I can steal what I need from another host?

Dean's quarantine slide said NAP is "not designed to protect against malicious users." Somehow I think the Microsoft marketing drones will end up twisting NAP to be useful against malicious users. Again referring to Blaster, Dean said 70% of his customers' compromises were caused by VPN users, and 30% by "walk-ins." Microsoft believes that if NAP can quarantine these sorts of users, then it will help contain future Blaster-like problems.

The second step, vulnerability assessment, is code named the "Geneva feature set." Microsoft seems to want to offer continuous internal vulnerability assessment services. These will make further inroads to the security space, given Microsoft's Malicious Software Removal Tool, Microsoft AntiSpyware, and SpyNet. I didn't really hear much about the third step, code-named Mako.

All of these are slated for Longhorn, due some time in 2007. He said a beta should be available by Q4 2005. However, Microsoft now says "it's ready when it's ready." Customers will need to do a lot of testing for these features, especially network quarantine. Dean recommended the following processes need to be considered: rollout and change process control planning; success matrices and measures; exemption analysis; host health modeling; health policy zones; secure network infrastructure analysis; RADIUS implementation; and zone enforcement selection. What does all of this mean? Figuring it out is probably the first step!

One of my responses to this was to consider the complexity of all of the steps Microsoft is taking to implement security for hosts running Windows. With complexity comes opportunity for misconfiguration, plus vulnerabilities introduced by new code and processes. Microsoft might say their new systems will prevent rogue insiders or malicious outsiders from attacking Microsoft services. It seems to me that the opportunity to attack the authentication and encryption services still exists. Why bother to fool, bribe, or otherwise subvert a guard if you can silently kill him?

I had a similar thought with respect to the IPSec-everywhere approach. This will help preserve confidentiality and integrity within the enterprise. However, most internal intruders are probably rogue insiders. They will already have the authorization needed to access internal documents. Independent network-based systems trying to audit internal activity will be blind to IPSec-encrypted traffic. Is this trade-off worth it? I'm not sure.

As an aside, Dean mentioned a Windows feature of which I was unaware: Server Message Block signing. I plan to look more closely at this.

I find these ISSA meetings very useful and I plan to join my local chapter.

Thursday, March 17, 2005

Join Me for NSM at USENIX 2005

Four weeks from today I will present a one day class on Network Security Monitoring with Open Source Tools at USENIX 2005 in Anaheim, California. This is an improved and updated version of the class I presented last year at USENIX Security 2004.

I am looking forward to teaching this class. It will equip participants with the theory, tools, and techniques to detect and respond to security incidents. Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM relies upon alert data, session data, full content data, and statistical data to provide analysts with the information needed to achieve network awareness. Whereas intrusion detection cares more about identifying successful and usually known attack methods, NSM is more concerned with providing evidence to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps.

According to the registration details, attending a single day of training costs $625. Discounts for attending more days of training and technical sessions also apply.

I hope to see you in Anaheim! If you can't make it, let me know if you would be interested in this sort of training by sending an email to taosecurity at gmail dot com.

Tuesday, March 15, 2005

SecureLogix Enterprise Telephony Management

I just read two reviews of the latest SecureLogix product, the Enterprise Telephony Management system, in Network Computing and Secure Enterprise magazines. Hardly anyone seems to pay attention to voice security. I've only read one book on the subject.

As Voice over IP becomes popular, interest in voice security seems to be picking up. The new SecureLogix product can monitor and control traditional POTS voice and also VoIP (SIP and H.323v2). I found this note in one of the reviews alarming:

"The ETM 1090 system can capture digital recordings of any call and record up to eight simultaneous calls off one voice span. The 5.0 production release captures calls only off of a voice T1. SecureLogix is prepping VoIP recording for the next release.

The ETM 1060 caches audio at a rate of 57 MB per hour from up to 32 simultaneous calls, yielding roughly 2,000 hours capacity on the appliance, and it automatically uploads the recorded calls to your target server drive as .wav files.

ETM gives no indication to call participants that they are being recorded; check with your legal department before implementing any recording scheme."

"Check with your legal department" indeed! This is clearly a wiretap if there ever was one. I recommend using such a system to implement voice policies, and tread very carefully when considering call monitoring.

Banks Also Fighting the Last War

Security guru Bruce Schneier wrote an insightful essay titled The Failure of Two-Factor Authentication. He essentially argues that the millions of dollars banks and others are spending on two-factor authentication doesn't address modern threats. When phishers convince victims to enter credentials that the phisher passes to a real e-commerce site, it doesn't matter if the credentials are a password or an RSA token code and PIN. Also, forget about phishing; just install a silent Trojan that performs fraudulent commercial actions during an authenticated, legitimate session. Something like xss-proxy might do the trick.

This reminded me of my blog entry As Always, .gov and .mil Fight the Last War. I guess it takes too long to implement and fund initiatives in these huge organizations. It's like changing the course of an oil tanker. I'm sure the security staff recommended two-factor authentication five years ago and has only now received funding. Unfortunately, that strategy applied to older threats and cannot address the current problem. Two-factor authentication would probably have helped Paris Hilton remain in control of her T-Mobile account, though!

Update: It looks like Microsoft is jumping on the bandwagon. I think two-factor authentication is still an improvement over usernames and passwords, but it won't solve world hunger.

BSD Certification Web Site Launched

This morning the BSD Certification Web site was launched. I am a member of the project. Our mission is to create and support a standardized certification process to assist system administrators and employers validate competence in the implementation of BSD best practices. Keep an eye on the Web site and our public mailing list for more information. I recommend reading our press release as well.

First Impressions of Lancope StealthWatch

Sometimes vendors send me gear to try in my lab. I was fortunate to receive a StealthWatch appliance from Lancope, which I tried for a few weeks on a production T-3 link. Lancope calls StealthWatch a "Network Behavior Anomaly Detection (NBAD)" system. It is a signature-free product that analyzes network traffic and reports what it considers odd and potentially problematic events.

The following are my impressions of the system, subject to three caveats. First, I did not try to stress-test or attack the system to gauge its performance under load. I placed it on a production network as any other client might. Second, I did not validate its findings independently. In other words, I did not collect information on another system to test if a StealthWatch "high traffic" alarm truly corresponded to a "high traffic" event. Third, I did not fully configure the system as one might as a Lancope customer. Full utilization of this or any security product usually demands a fair amount of local customization and tuning. Given these caveats, here is what I thought about the StealthWatch.

StealthWatch provided me a great deal of information with an out-of-the-box configuration. The only real change I made when I deployed the system was defining which hosts were part of the "inside" network. If I had disabled an unused sniffing interface as recommended by the StealthWatch sales engineers, I would not have seen the "traffic lost" alerts that appeared in the introductory screen. I did not need to make any special adjustments for my deployment using a Net Optics tap. I simply plugged the two TX lines coming out of the tap into two free sniffing interfaces on the StealthWatch. This means I deployed the system in a passive mode; it did not block traffic based on its findings. After performing some simple configuration on the local console, I remotely accessed the device using an HTTPS-enabled Web server.

Introductory Screen

The introductory screen summarizes concern indices for inside and outside traffic, and provides links to alarms. The left-hand side of the interface allows easy access to a variety of reporting and configuration options.

Alarms Screen

The alarms screen allows the user to view events StealthWatch considers odd or problematic. The screen shown above lists all priorities together, but the user can filter to just show Critical alarms, Major alarms, and so on. These alarms are not based on signatures for malicious events. Rather, you are more likely to see entries for unusually long traffic flows, unrecognized operating systems, and other network features not corresponding to StealthWatch's profile for normal activity. For demonstration purposes I investigated an outside (external) IP address that StealthWatch believed was sending a high amount of traffic.

Host Summary

I saw that the host in question was responsible for a number of high total traffic alarms. At this point I wanted to know more about the characteristics of these suspicious flows. Luckily I was able to use the StealthWatch to perform two types of deeper analysis.

Flow Analysis

I was able to perform flow analysis on data that StealthWatch already collected. The partial screen capture above shows that UDP port 500 is involved. That is the ISAKMP port, so the traffic is probably IPsec key exchange (IKE). To find out for sure, I moved to the second form of deeper analysis -- packet analysis.

Packet Analysis

StealthWatch does not log full content data by default, but users can configure it to do so. I set up a packet capture filter to log traffic associated with the IP of interest in my investigation. Although users can collect data in a text-format, packet-by-packet manner, I specified collecting full content data in libpcap format. After several minutes I stopped the capture process, copied the data via the Web GUI to my local workstation, and opened it with Ethereal. I do not show a screen capture of this here, but there are many options for recording full content data available in the Web GUI.

Service Profiles

One of the most powerful aspects of systems like StealthWatch is their ability to build profiles of normal network activity. Deviations from these profiles are reported as anomalies. These alarms can be viewed from the network security monitoring standpoint as indications of suspicious or malicious activity. The screen shot above shows the service profile built for hosts on the monitored network. These can and should be tuned for each system, allowing the security and network staff to spot the appearance of new and potentially unauthorized services.

Traffic Profiles

In addition to profiling services on hosts, StealthWatch offers a number of ways to profile traffic to and from those hosts. I have selected one profile showing bandwidth usage, but many more options exist.
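To make the NSM data types from the USENIX class description (session, statistical and alert data) and the StealthWatch profiling discussed here concrete, the following is an added example of my own; it is not Lancope, Argus or Sguil code and does not reproduce any vendor's algorithm. It folds constructed packet summaries into bidirectional session records (keeping the first 40 bytes of payload in each direction, as Lancope describes adding to its flows), sums bytes sent per host as statistical data, learns which inside hosts answered on which ports as a service profile, and raises "long flow", "new service" and "high traffic" alarms. The inside prefix, thresholds and all packets are assumptions made for the example.

```python
"""Toy session-data builder and anomaly profiler, in the spirit of the NSM
data types (session, statistical, alert) and of StealthWatch-style alarms.
Added example, not Lancope, Argus or Sguil code; packets and thresholds are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

INSIDE_PREFIX = "10.0.0."        # assumed "inside" network, as configured on the appliance
LONG_FLOW_SECONDS = 3600         # assumed threshold for a "long flow" alarm
HIGH_TRAFFIC_BYTES = 5_000_000   # assumed threshold for a per-host "high traffic" alarm
KEEP_PAYLOAD = 40                # first payload bytes kept per direction

# (time, src, sport, dst, dport, proto, octets, payload): constructed packet summaries
Packet = Tuple[float, str, int, str, int, str, int, bytes]


@dataclass
class Session:
    client: str
    cport: int
    server: str
    sport: int
    proto: str
    start: float
    end: float
    octets: List[int] = field(default_factory=lambda: [0, 0])        # [to server, to client]
    sample: List[bytes] = field(default_factory=lambda: [b"", b""])  # first payload each way

    @property
    def duration(self) -> float:
        return self.end - self.start


def build_sessions(packets: List[Packet]) -> List[Session]:
    """Session data: fold packets into bidirectional records. The first packet
    seen on a 5-tuple decides which end is the client."""
    sessions: Dict[tuple, Session] = {}
    for t, src, sp, dst, dp, proto, n, payload in sorted(packets, key=lambda p: p[0]):
        key, rkey = (proto, src, sp, dst, dp), (proto, dst, dp, src, sp)
        if key in sessions:
            s, d = sessions[key], 0
        elif rkey in sessions:
            s, d = sessions[rkey], 1
        else:
            s, d = Session(src, sp, dst, dp, proto, t, t), 0
            sessions[key] = s
        s.end = max(s.end, t)
        s.octets[d] += n
        if not s.sample[d] and payload:
            s.sample[d] = payload[:KEEP_PAYLOAD]
    return list(sessions.values())


def traffic_by_host(sessions: List[Session]) -> Dict[str, int]:
    """Statistical data: bytes sent by each host, summed over its sessions."""
    sent: Dict[str, int] = defaultdict(int)
    for s in sessions:
        sent[s.client] += s.octets[0]
        sent[s.server] += s.octets[1]
    return dict(sent)


def service_profile(sessions: List[Session]) -> Set[Tuple[str, str, int]]:
    """The learned "normal": which inside hosts answered on which proto/port."""
    return {(s.server, s.proto, s.sport) for s in sessions
            if s.server.startswith(INSIDE_PREFIX)}


def alarms(sessions: List[Session], baseline: Set[Tuple[str, str, int]]) -> List[Tuple[str, str]]:
    """Alert data: deviations from thresholds and from the baseline profile."""
    out: List[Tuple[str, str]] = []
    for s in sessions:
        if s.duration >= LONG_FLOW_SECONDS:
            out.append(("long flow", f"{s.client}:{s.cport} -> {s.server}:{s.sport}/{s.proto} "
                                     f"{s.duration:.0f}s"))
        if s.server.startswith(INSIDE_PREFIX) and (s.server, s.proto, s.sport) not in baseline:
            out.append(("new service", f"{s.server} {s.proto}/{s.sport}"))
    for host, total in traffic_by_host(sessions).items():
        if total >= HIGH_TRAFFIC_BYTES:
            out.append(("high traffic", f"{host} sent {total} bytes"))
    return out


# Constructed baseline: 10.0.0.5 serves HTTP and SSH; nothing else is "normal".
BASELINE_PACKETS: List[Packet] = [
    (0.0, "198.51.100.20", 40001, "10.0.0.5", 80, "tcp", 300, b"GET / HTTP/1.1\r\n"),
    (0.1, "10.0.0.5", 80, "198.51.100.20", 40001, "tcp", 1200, b"HTTP/1.1 200 OK\r\n"),
    (5.0, "10.0.0.9", 51000, "10.0.0.5", 22, "tcp", 80, b"SSH-2.0-OpenSSH_3.9\r\n"),
    (5.1, "10.0.0.5", 22, "10.0.0.9", 51000, "tcp", 80, b"SSH-2.0-OpenSSH_3.9p1\r\n"),
]

# Constructed "today": an IKE (udp/500) exchange still alive two hours later, a new
# listener on 10.0.0.5, and an outside host pushing 6 MB at the web server.
TODAY_PACKETS: List[Packet] = [
    (100.0, "10.0.0.9", 500, "203.0.113.7", 500, "udp", 200, b"\x01" * 8),
    (100.5, "203.0.113.7", 500, "10.0.0.9", 500, "udp", 200, b"\x02" * 8),
    (7300.0, "10.0.0.9", 500, "203.0.113.7", 500, "udp", 200, b""),
    (200.0, "198.51.100.20", 40002, "10.0.0.5", 8081, "tcp", 120, b"GET /admin HTTP/1.1\r\n"),
    (200.1, "10.0.0.5", 8081, "198.51.100.20", 40002, "tcp", 500, b"HTTP/1.1 200 OK\r\n"),
] + [(300.0 + i * 0.01, "192.0.2.44", 33000, "10.0.0.5", 80, "tcp", 1500,
      b"POST /upload HTTP/1.1\r\n") for i in range(4000)]


if __name__ == "__main__":
    baseline = service_profile(build_sessions(BASELINE_PACKETS))
    for kind, detail in alarms(build_sessions(TODAY_PACKETS), baseline):
        print(f"{kind:13s} {detail}")
```

Run as-is it prints one alarm of each kind. The point worth noticing is the one made later in this review: each alarm carries a session record with a payload sample, so an analyst can see that the "long flow" is udp/500 in both directions before deciding whether it needs a full content capture.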

Because I promised not to expose the entire StealthWatch interface on this blog, I will end this discussion by mentioning other features I found useful. StealthWatch reports on new hosts and inactive hosts, helping networking staff keep an inventory of their systems. The interface and recorded data allow a fairly thorough analysis of hosts and their activity. Because this data is not based on signatures, you are likely to acquire evidence of activity you wouldn't find using other means.

My main complaint, based on experimenting with the product, is not unique to StealthWatch. A common criticism of anomaly-based systems is their potential inability to explain why they consider an event to be problematic. I did not find StealthWatch to be difficult in this respect, since an alarm for a "long flow" is unambiguous.

Getting to a deeper level of analysis can be a challenge for certain events. In the previous example, I was able to use flow analysis to identify IPSec key exchange. Getting down to the nitty-gritty via packet analysis required setting up a new packet capture process, however. In this respect, StealthWatch resembles intrusion detection systems that do not provide at least a sample packet from the unusual activity. I understand that giving the user a packet can be difficult when the event in question is a "long flow" or "multiple operating systems." I think such data is useful, even if not all alarms provide it. Giving the analyst one or more sample packets with a "long flow" alarm would enhance his investigative arsenal and reduce the likelihood of ignoring "false alarms."

Overall I found the StealthWatch to be a powerful appliance. I could see engineers deploying this system to provide indications and warnings on networks already monitored by traditional IDSs. I think the utility of the system increases as the owner spends time tuning and configuring it, but the StealthWatch provides plenty of interesting data straight away. From the network security monitoring perspective, StealthWatch provides alert data via its alarms, session data via flow analysis, statistical data via profiling, and full content data via packet collection. I welcome this sort of functionality in commercial systems!

Thank you to Jason Anderson at Lancope for shipping me this demo appliance. Feel free to contact Lancope for more information. You might also want to attend one of their Webinars or see them at an upcoming event.

Update: Jason Anderson adds the following good news:

"In our upcoming release, we will now include ~100 bytes of packet data with every flow. It will include the initiating packet header and 40 bytes of payload data from the first packet in each direction."

This helps address my earlier point about giving analysts the information necessary to investigate and validate events.

Monday, March 14, 2005

SANS Ends Practical Requirement for Certifications

I just learned that SANS, an organization whose conferences I attended fairly regularly five years ago, has terminated the practical requirement for all of its GIAC (Global Information Assurance Certification) programs.

GIAC was originally the Global Incident Analysis Center, a Web site to disseminate information on Y2K rollover threats. From a February 2000 archive of the site:

GIAC began December 21, 1999 as a service to support Y2K watchstanders all over the world, watching for cyber attacks and Y2K problems. We've come a long way since then, but the original pages are archived here.

I was an original incident handler and had some of my work posted. I also taught the IDS track several times, until I decided their material was too out-of-date and irrelevant to IDS practitioners. I was tired of scrapping SANS material on stage (aside from some of Judy Novak's TCP/IP slides and Marty Roesch's Snort tutorial) and teaching what students really needed to know.

SANS turned the Global Incident Analysis Center into the Global Information Assurance Certification when they realized they had created a powerful GIAC brand.

The SANS announcement states the following:

"Starting immediately, all new students will be authorized to the exam only GIAC Certification.

The forces that drove us to this change are numerous, but the single most important is the need to move to more modular, adaptable, courseware and certificates and certifications to stay abreast of the current threat. Additionally the marketplace has voted with its feet in favor of exam based certifications.

No practicals or drafts will be accepted after April 15th, 2005."

My take on this statement, and my conversations with SANS faculty, leads me to believe that grading practicals simply became too onerous for the SANS staff. Their margins are higher when they can automate the certification process.

This next statement is disappointing:

"We will issue a new logo design for all future 'exam only' certifications so that there will be less chance of confusion between 'exam only' and the more prestigious, original, practical oriented certifications."

In other words, SANS has admitted to devaluing its certification -- the new 'exam only' certifications are not as 'prestigious' as the original.

SANS has now created a market where holders of the "original" certification are more highly valued than those that follow.

SANS will also no longer be able to offer practical assignments to the community. Although the original practicals will remain online, that source of knowledge will dry up. This is doubly unfortunate as SANS practicals were one of the best aspects of the certification from the perspective of other security students.

While I believe that viable exam-only certifications exist (like the CCNA, CCNP, etc.), I fear SANS has removed a feature of their certification that made it unique and valuable.

Sunday, March 13, 2005

Ethereal Development and Support News

I just noticed that Ethereal 0.10.0 was released Friday. It fixes several security and reliability bugs, so an upgrade is warranted. While perusing the Ethereal home page I noticed news on Ethereal training by Ethereal Software. The classes include:

- Ethereal Essentials 1 (two days): Introduction to Ethereal and network troubleshooting

- Ethereal Essentials 2 (three days): Advanced network troubleshooting with Ethereal

- Development Using Ethereal (three days): Coming soon!

The second and third classes look very interesting.

So who is Ethereal Software? Their site says they were "formed by Network Integration Services to provide value-added services for the Ethereal network protocol analyzer." There is no name associated with either Ethereal Software or NIS, but the contact phone number and street addresses belong to Ethereal founder Gerald Combs.

I confirmed this by looking at these results from This is a cool Web site where those who need help with open source software can hire those who provide commercial support.

Saturday, March 12, 2005

Latest Pre-Reviews

I received five promising books recently. Here's a quick look at them. Once I read each book, I'll post news of my review here.

First is VoIP Security by James Ransome and John Rittinghouse, published by Elsevier. I'm looking forward to reading this book because it explains Voice over Internet Protocol, and then explores security issues associated with this increasingly popular technology. This protocol is going to be used everywhere, and I don't think security professionals are ready for it.

Next we have the first of two new books from Syngress: Intrusion Prevention and Active Response: Deploying Network And Host IPS, by Michael Rash, et al. Regular blog readers know I consider any system which blocks traffic to be an access control device, also known as a firewall. This book will not see the world in the same way, but I think it will be intriguing nonetheless. Several of the authors have written for Syngress before on subjects like Snort and Ethereal.

The second Syngress book is Aggressive Network Self-Defense, by Neil Archibald, et al. This is a follow-on to Tim Mullen's article When Striking Back is The Best Defense. The book is divided into two parts. The first presents eight fictional stories of system administrators striking back at intruders. The second part describes real technologies that could be used to implement "hacking back." I am usually skeptical about security fiction, but Syngress' history with the "Stealing the Network" series has been good.

We now turn to a book from McGraw-Hill/Osborne, called Hardening Network Security, by John Mallery, et al. This is a fairly hefty book that appears to cover a multitude of security disciplines. I liked this publisher's Hardening Windows Systems.

We conclude with another Elsevier book, The Internet and Its Protocols by Adrian Farrel. This is another computer science textbook, but as a protocol junkie I think it will be interesting. A look at the table of contents shows that it presents a variety of protocols, all with headers explained. It's a recent publication, which helps when one wants to learn about a protocol not addressed by Stevens and others.

Keep an eye out for reviews as I plug through these. I'm currently reading Kevin Mitnick's new Art of Intrusion and hope to finish in the next few days.

Argus Documentation

Argus is a session data collection tool, and probably the most underrated network security application available. I wrote about Argus in my first book, a Sys Admin article, and here. Recently I read on the argus mailing list that Thorbjörn Axelsson posted his thesis Network Security Auditing at Gigabit Speeds (.pdf) online, and it uses Argus. Through his references I discovered an earlier article by Peter Van Epp titled Pssst, Wanna Buy Some Network Insurance? (.pdf). Peter's article in particular demonstrates a wonderful appreciation of the limitations of IDS/IPS, e.g.:

"Knowing of a break in after the fact, while undesirable, is much better than not knowing of the break in at all... With Argus you at least have the data; with only an overwhelmed IDS or firewall you don't (or at least not all of it). Something to think about, especially in terms of insurance."

More Snort News

I have several developments to report from the Snort front. First, Jeremy Hewlett announced Thursday the release of Snort 2.3.2. This version is a quick response to the problem parsing Bleeding Snort rules reported shortly after Snort 2.3.1 arrived. I think this release was quickly pushed out the door to demonstrate that Sourcefire was not trying to lock out Bleeding Snort users. This is smart; there's no need to repeat a Microsoft-style "DOS isn't done until Lotus won't run" situation with Snort!

Speaking of Bleeding Snort, Matt Jonkman announced Friday work on a new "Open Source Snort Rules Consortium." He says:

"The OSSRC will be a group that any company or organization will be welcome to join. The members will share research on new threats and rules to handle those threats, with the goal of creating a unified community-based ruleset. Each member may post these rules wherever they choose, distribute them to their clients or customers, or use them in their own subscription services according to the provisions in the GPL. The goals of the group are still forming, but initially will be to:

1. Maintain a fast moving and GPL-licensed Snort ruleset
2. Avoid rule duplication amongst community rulesets, both in terms of content and SIDs
3. Improve and enforce quality standards for rules (documentation, etc.)
4. Possibly move to a Stable and Unstable rule 'vetting' process"

It will be interesting to see how this rule set progresses. If you visit the Snort rules download page you'll see three sets of rules:

- Sourcefire VRT Certified Rules - The Official Snort Ruleset (subscription release)

- Sourcefire VRT Certified Rules - The Official Snort Ruleset

- Community Rules

The first are the latest and greatest, available to subscribers. The second are the five-day-delayed version of the first set, available to registered users. The third are new, and include:

- community-exploit.rules
- community-ftp.rules
- community-game.rules
- community-inappropriate.rules
- community-mail-client.rules
- community-sql-injection.rules
- community-virus.rules
- community-web-cgi.rules
- community-web-client.rules
- community-web-dos.rules
- community-web-misc.rules

A look at the summarizes the rules included in this first community rule set. Observe that some of the files (community-web-dos.rules, for example) are empty:

# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# This file is licensed under the GNU General Public License.
# Please see the file LICENSE in this directory for more details.
# Id SID -> MSG map

100000100 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit || cve,2004-0629 || bugtraq,10947
100000101 || COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit || cve,2004-0629 || bugtraq,10947
100000102 || COMMUNITY GAME Halocon Denial of Service Empty UDP Packet || bugtraq,12281
100000103 || COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet || bugtraq,12262
100000104 || COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet || bugtraq,12192
100000105 || INAPPROPRIATE lolita sex
100000106 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp || bugtraq,7470 || cve,2003-0118 || url,
100000107 || COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp || bugtraq,7470 || cve,2003-0118 || url,
100000108 || COMMUNITY SQL-INJECTION OpenBB board.php || bugtraq,7404
100000109 || COMMUNITY SQL-INJECTION OpenBB member.php || bugtraq,7404
100000110 || COMMUNITY VIRUS Dabber PORT overflow attempt port 5554 || MCAFEE,125300
100000111 || COMMUNITY VIRUS Dabber PORT overflow attempt port 1023 || MCAFEE,125300
100000112 || WEB-CGI Readfile.tcl Access || bugtraq,7426
100000113 || COMMUNITY WEB-CGI HappyMall Command Execution member_html.cgi || bugtraq,7530 || cve,2003-0243
100000114 || COMMUNITY WEB-CGI HappyMall Command Execution normal_html.cgi || bugtraq,7530 || cve,2003-0243
100000115 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Null CID || bugtraq,7589
100000116 || COMMUNITY WEB-CGI PHP-Nuke Web_Links Path Disclosure Non-Numeric CID || bugtraq,7589
100000117 || COMMUNITY WEB-CGI VBulliten Remote Command Execution Attempt || bugtraq,12542
100000118 || WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,
100000119 || WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,
100000121 || COMMUNITY WEB-MISC Test Script Access
100000122 || COMMUNITY WEB-MISC mod_jrun overflow attempt || bugtraq,11245 || cve,2004-0646
100000123 || INAPPROPRIATE preteen sex
100000124 || INAPPROPRIATE girls gone wild

That's only 24 rules at the moment. Let's look at the first two:

(msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit";
flow:to_server,established; pcre:"/.{1050,}/U"; flowbits:set,uri.size.1050;
flowbits:noalert; reference:cve,2004-0629; reference: bugtraq,10947;
classtype:attempted-user; sid: 100000100; rev:1;)

(msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit";
flow:to_client,established; content:"Content-Type|3A|"; nocase;
vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp+xml|vnd\x2e\ adobe\x2exfd+xml)/smi";
flowbits:isset,uri.size.1050; reference:cve,2004-0629; reference:bugtraq,10947;
classtype:attempted-user; sid:100000101; rev:1;)

When I met with Marty on Thursday, he said that rules like the first one that invoke PCRE but do not use a content match really slow down the detection engine. The second rule also uses (complicated) PCRE, but there is a content match.
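To make that point concrete, here is an added example of my own, not Snort code and not anything from Sourcefire: a toy rule evaluator that, like Snort, runs the cheap content matches first and invokes the regex only on packets that survive them. The two constructed rules are shaped like the pair above (a pcre-only rule versus a content match in front of a pcre), but rule headers, flow state and flowbits are left out, so every packet is offered to every rule, and the U (URI buffer) modifier is dropped. The packets are made up.

```python
"""Toy Snort-style rule evaluator showing why a rule that invokes pcre without
any content match is expensive: there is no cheap prefilter, so the regex runs
against every packet the rule sees. Added example, not Snort code; rule headers
($HOME_NET, ports, flow:) and flowbits are omitted, so every packet is offered
to every rule."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Content:
    """A content match: literal bytes, optional nocase, optional depth."""
    pattern: bytes
    nocase: bool = False
    depth: Optional[int] = None   # search only the first `depth` payload bytes


@dataclass
class Rule:
    sid: int
    msg: str
    contents: List[Content] = field(default_factory=list)
    pcre: Optional[str] = None    # regex body without the /.../ delimiters
    pcre_flags: int = 0           # re.I, re.M, re.S stand in for the i, m, s modifiers


@dataclass
class Stats:
    pcre_calls: Dict[int, int]                  # regex invocations per sid
    alerts: List[Tuple[int, str]] = field(default_factory=list)


def content_matches(c: Content, payload: bytes) -> bool:
    hay = payload if c.depth is None else payload[:c.depth]
    if c.nocase:
        return c.pattern.lower() in hay.lower()
    return c.pattern in hay


def evaluate(rules: List[Rule], packets: List[bytes]) -> Stats:
    """Run every content match first; the regex runs only if all of them hit."""
    stats = Stats(pcre_calls={r.sid: 0 for r in rules})
    compiled = {r.sid: re.compile(r.pcre.encode(), r.pcre_flags)
                for r in rules if r.pcre is not None}
    for pkt in packets:
        for r in rules:
            if not all(content_matches(c, pkt) for c in r.contents):
                continue              # prefilter rejected it: no regex cost
            if r.pcre is not None:
                stats.pcre_calls[r.sid] += 1
                if compiled[r.sid].search(pkt) is None:
                    continue
            stats.alerts.append((r.sid, r.msg))
    return stats


# Constructed rules shaped like the two community rules above. sid 1 is pcre-only
# (the original's /.{1050,}/U minus the U modifier); sid 2 puts a content match
# in front of its regex. Both sids and messages are made up.
SAMPLE_RULES = [
    Rule(sid=1, msg="EXAMPLE pcre-only oversized request", pcre=r".{1050,}"),
    Rule(sid=2, msg="EXAMPLE content prefilter then pcre, PDF response",
         contents=[Content(b"Content-Type:", nocase=True)],
         pcre=r"^Content-Type\x3a\s*application\x2fpdf", pcre_flags=re.I | re.M),
]

# Constructed packet payloads: four ordinary ones and one 1100-byte request line.
SAMPLE_PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /" + b"A" * 1100 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    b"HTTP/1.1 200 OK\r\ncontent-type: application/pdf\r\n\r\n%PDF-1.4",
    b"SSH-2.0-OpenSSH_3.9p1\r\n",
]


if __name__ == "__main__":
    s = evaluate(SAMPLE_RULES, SAMPLE_PACKETS)
    for sid, n in s.pcre_calls.items():
        print(f"sid {sid}: regex ran against {n} of {len(SAMPLE_PACKETS)} packets")
    for sid, msg in s.alerts:
        print(f"alert sid {sid}: {msg}")
```

On these five packets the pcre-only rule runs its regex five times and the prefiltered rule twice (only the two packets containing a Content-Type header), while each rule fires exactly once. Scale the packet list up to a loaded link and the difference is the slowdown Marty describes.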

Given the limited number of rules in this community set, I can see why a company like StillSecure decided to sponsor Bleeding Snort. StillSecure's IDS is built on Snort, so they have an incentive to sponsor signature research.

Thursday, March 10, 2005

BSDCan 2005 Registration Opens

Registration for BSDCan 2005 is now open. Last year at the inaugural event I reported on days one and two and spoke about Sguil. This year I will present Keeping FreeBSD Up-To-Date and More Tools for Network Security Monitoring on 13 May, according to the schedule. I learned I was not accepted to speak at CanSecWest this year, so the visit to Ottawa for BSDCan will probably be my only trip north of the border in the coming months.

Visiting Sourcefire

Today I visited the Columbia, MD headquarters of Sourcefire with DC Snort Users Group founder Keith McCammon, pictured with me at left. We drove up from our Falls Church, VA office to meet with Sourcefire founder and Snort creator Marty Roesch. Sourcefire is housed in an Ikea-type building constructed to house optical networking start-ups during the dot-com craze. In addition to Sourcefire, Optical Capital Group Ventures and another company called Debt Shield share the space.

We started our conversation with Marty by discussing the new VRT Certified Rules License Agreement. Marty said that Sourcefire isn't a "nameless, faceless company. Real people work here." He demonstrated Sourcefire's commitment to the security community by mentioning the change to the Audit clause, previously reported here. Marty reported that many companies, several of which he was previously unaware, have reported interest in Snort Integrator licenses. As of this afternoon almost 2,000 people had already registered for the new rules system. The revenue collected from those who choose to subscribe and those who purchase Integrator Licenses will be reinvested in rule development. Sourcefire employs seven people on its Vulnerability Research Team to create and test rules. They include Judy Novak, whom I had not seen for several years.

Besides helping to pay rule developer salaries, revenue from the new rules system will also help pay for the equipment Sourcefire uses to develop and test Snort. At right is a picture of one of the racks of networking and testing infrastructure Sourcefire owns. The rack holds $500,000 worth of Spirent Avalanche and Spirent SmartBits network traffic and load generation gear. When Sourcefire develops a new rule, they don't just run Tcpreplay to pass traffic and test Snort's ability to trigger an alert. (I'm not faulting Tcpreplay -- it's a great tool and I use it often. In fact, Aaron just announced the release of Tcpreplay 3.0beta1, with many new capabilities.)

Sourcefire tests that Snort is able to trigger an alert while watching a loaded network. I would like to see someone replicate this setup in their basement! In other words, it's not going to happen at anywhere near the same level of quality assurance. This is the problem I have with ventures like those of Demarc and the mysterious Mr. Alternative Ruleset. Users should always be able to create their own rules, as that is one of the strengths of an open system like Snort. However, they must be exceedingly careful not to cripple their IDS by writing poor rules.

At left is a picture of some of the racks containing servers Sourcefire uses to develop Snort and associated components. Marty said the company has over 26 racks with more than 300 servers. They maintain gear for every version of their appliance they've shipped. They also have target ranges and plenty of development systems. When Sourcefire develops a new rule, for example, they perform 6.8 million regression tests to ensure the new rule does not adversely affect the rest of the rule base. Sometimes these tests take up to four hours per change, even with the load distributed across multiple servers. Sourcefire takes great care to ensure that their rules will not cause Snort to waste excessive time processing packets. Marty told how a rule developed by an external Snort user once made such poor use of PCRE that it took Snort 3 seconds to process each packet!

After looking at Sourcefire's server room, we toured the workspace. Marty employs over 60 people in his Columbia, MD location and over 100 worldwide. In addition to meeting with Judy Novak, who works on the VRT, we also spoke with Snort rule uber-creator Brian Caswell. I mentioned that the Snort 2.3.1 ruleset had new rules not in the 2.3.0 distribution. bmc told me that 2.3.1 packaged all of the new rules up to the date of the new licensing structure, which was 7 March. We discussed having a future DC Snort Users Group meeting closer to Columbia, MD to accommodate the schedules of Marty and Brian. I was surprised to see so many people working on Snort -- you can see in the picture the row upon row of cubicles. There were two engineering meetings happening when I took the photo, so many desks are empty.

After touring the floor we spoke to Marty about the future of Sourcefire. He is excited about the new IS5800 appliance. "This will take the performance issue off the table, and leave detection technology as the key metric," Marty said. Previously companies like Sourcefire were criticized for not being able to keep up with offerings by Tipping Point. Marty reminded us that the ability to process packets per second was more important than a device's "Gigabit" rating. I saw the IS5800 myself, so it is not just marketing hype. I think it will be an amazing piece of gear for those who want to run Snort at speeds over 1 Gigabit.

Near the end of our visit Marty made some interesting points about market pressure on the security scene. He said Sourcefire felt the heat from Gartner's declaration that IDS is dead. (Incidentally, I reported in 2003 that the Meta Group countered Gartner's worldview by saying "network and host intrusion detection systems (IDS) [are] high on the shopping list" of big businesses. Unfortunately, their point of view died when Gartner acquired Meta for $162 million in December 2004.) The integration of the Snort-inline code gives stock Snort the capability to do IPS, which is currently the "hot topic" for security purchasers. Apparently security commentators and reporters want nothing to do with intrusion detection; it's all about IPS now. Unfortunately, we all know that prevention eventually fails.

Keith and I thanked Marty for spending nearly two hours with us. We drove down the street and met Tenable Security founder and CTO Ron Gula for lunch. Ron made some good comments concerning the state of security certifications when he heard I passed my CCNA exam. He said that no one can agree on how to approach the security problem. He divided the world into people that "do" firewalls, IDS, vulnerability scanning, code audits, and a few other categories. Each buys the product and/or service that fits their world view. No one can agree on a standardized methodology to secure a network. Some people think the CISSP meets this need, but anyone who has taken the test knows the CISSP fails miserably in this respect. I posted in 2003 some thoughts on good certification features, and I wrote in The Tao that the best aspect of the CISSP is its code of ethics.

At some point in the future I would like to spend some time at Tenable to get a better look at their operations as well. Thanks to both Marty and Ron for spending some time with us today!

Snort 2.3.1 Released, Audit Clause Modified

Jeremy Hewlett announced that Snort 2.3.1 is now available. According to the announcement, there are only supposed to be new rules in the major releases (e.g., 2.4.0, 3.0.0 -- not 2.3.1). However, a cursory inspection of the new rules in 2.3.1 revealed some additions. For example:

drury:/usr/local/src$ diff snort-2.3.0/rules/backdoor.rules
< # $Id: backdoor.rules,v 2005/01/17 23:52:48 bmc Exp $
> # $Id: backdoor.rules,v 2005/03/01 18:57:08 bmc Exp $
> alert tcp $EXTERNAL_NET any -> $HOME_NET 31337
(msg:"BACKDOOR BackOrifice 2000 Inbound Traffic";
flow:to_server,established; content:"|31 6a d0 d9|";
classtype:trojan-activity; sid:3155; rev:1;)

> alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198
(msg:"BACKDOOR mydoom.a backdoor upload/execute attempt";
flow:to_server,established; content:"|85 13 3c 9e a2|";
depth:5; classtype:trojan-activity; sid:3272; rev:1;)
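Review bot: the BackOrifice 2000 rule (sid:3155) searches its 4-byte content "|31 6a d0 d9|" anywhere in the payload of every established inbound tcp/31337 stream, with no depth or offset, while the mydoom rule directly below it pins its 5-byte content with depth:5. If the BO2K marker sits at a fixed position in the protocol, add a matching depth (or offset) so that an incidental 4-byte sequence deep in a legitimate stream does not fire the rule and the search is bounded. Neither new rule carries a reference: option, which the rest of the ruleset uses to point analysts at the underlying threat.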

Here's an example of a rule upgrade:

drury:/usr/local/src$ diff snort-2.3.0/rules/exploit.rules
< # $Id: exploit.rules,v 2005/01/17 23:52:48 bmc Exp $
> # $Id: exploit.rules,v 2005/03/01 18:57:08 bmc Exp $
< alert udp any 4000 -> any any (msg:"EXPLOIT ICQ
SRV_MULTI/SRV_META_USER email overflow attempt";
content:"|05 00|"; depth:2; byte_jump:2,0,relative,little;
byte_test:2,>,128,0,relative,little; content:"|12 02|";
within:2; distance:5; byte_test:1,>,1,12,relative;
content:"|05 00|"; distance:0; content:"n|00|"; within:2;
distance:5; content:"|05 00|"; content:"|DE 03|"; within:2;
distance:5; byte_jump:2,18,relative,little;
classtype:misc-attack; sid:2446; rev:4;)
> alert udp any 4000 -> any any (msg:"EXPLOIT ICQ
SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|";
depth:2; content:"|12 02|"; distance:5; within:2;
byte_test:1,>,1,12,relative; content:"|05 00|"; content:"|6E 00|";
distance:5; within:2; content:"|05 00|"; content:"|DE 03|";
distance:5; within:2; byte_test:2,>,512,-11,relative,little;
classtype:misc-attack; sid:2446; rev:5;)
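
The post compares the 2.3.0 and 2.3.1 rule files by hand with diff. Because rule lines are long and a rule can be rewritten in place under the same sid, a comparison keyed on sid and rev is a more reliable way to see what a release actually changed. The following is an added example (my code, not Snort's, Sourcefire's, or the post's) that does that. The two rule sets it works on are constructed for the demo: they combine the backdoor.rules and exploit.rules fragments quoted above, rejoined onto single lines, plus one invented local rule (sid 1000001) whose content changes without a rev bump, so the "silent change" case is exercised:

```python
"""Compare two Snort rule files by sid and report what changed.

Added example for this post; it is not Snort's or Sourcefire's code.
The two rule sets below are constructed for the demo: they combine the
backdoor.rules and exploit.rules fragments quoted in the post (rejoined
onto single lines) plus one invented local rule, sid 1000001.
"""
import re
from typing import Dict, List, Tuple

# Option parsers: sid and rev identify a rule, msg is only used for reporting.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')

Rule = Tuple[int, str, str]  # (rev, msg, full rule text)

OLD_RULES = """\
# $Id: exploit.rules,v 2005/01/17 23:52:48 bmc Exp $
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"; content:"|05 00|"; depth:2; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; classtype:misc-attack; sid:2446; rev:4;)
# constructed local rule, not from any Snort release
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"LOCAL constructed example"; flow:to_server,established; content:"example"; classtype:misc-activity; sid:1000001; rev:1;)
"""

NEW_RULES = """\
# $Id: backdoor.rules,v 2005/03/01 18:57:08 bmc Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"|31 6a d0 d9|"; classtype:trojan-activity; sid:3155; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"BACKDOOR mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13 3c 9e a2|"; depth:5; classtype:trojan-activity; sid:3272; rev:1;)
# $Id: exploit.rules,v 2005/03/01 18:57:08 bmc Exp $
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; distance:5; within:2; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"|6E 00|"; distance:5; within:2; content:"|05 00|"; content:"|DE 03|"; distance:5; within:2; byte_test:2,>,512,-11,relative,little; classtype:misc-attack; sid:2446; rev:5;)
# constructed local rule: content changed, rev deliberately left at 1
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"LOCAL constructed example"; flow:to_server,established; content:"example2"; classtype:misc-activity; sid:1000001; rev:1;)
"""


def parse_rules(text: str) -> Dict[int, Rule]:
    """Return {sid: (rev, msg, line)} for every active rule in a rules file.

    Comment lines (including the '# $Id' header) and blank lines are skipped,
    so a changed $Id stamp by itself never counts as a rule change.
    """
    rules: Dict[int, Rule] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if sid_m is None:
            continue  # nothing to key on; every Snort rule carries a sid
        rev_m = REV_RE.search(line)
        msg_m = MSG_RE.search(line)
        rules[int(sid_m.group(1))] = (
            int(rev_m.group(1)) if rev_m else 0,
            msg_m.group(1) if msg_m else "",
            line,
        )
    return rules


def diff_rules(old_text: str, new_text: str) -> Dict[str, List[int]]:
    """Classify sids as added, removed, bumped (text and rev changed) or
    silent (text changed but rev did not), the last being the case a plain
    line diff makes easy to overlook."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    changed = [sid for sid in set(old) & set(new) if old[sid][2] != new[sid][2]]
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "bumped": sorted(sid for sid in changed if new[sid][0] > old[sid][0]),
        "silent": sorted(sid for sid in changed if new[sid][0] <= old[sid][0]),
    }


def format_report(old_text: str, new_text: str) -> List[str]:
    """One line per affected sid, in the style of a diff marker plus msg."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    result = diff_rules(old_text, new_text)
    lines: List[str] = []
    for sid in result["added"]:
        lines.append(f"+ sid {sid} rev {new[sid][0]}: {new[sid][1]}")
    for sid in result["removed"]:
        lines.append(f"- sid {sid} rev {old[sid][0]}: {old[sid][1]}")
    for sid in result["bumped"]:
        lines.append(f"~ sid {sid} rev {old[sid][0]} -> {new[sid][0]}: {new[sid][1]}")
    for sid in result["silent"]:
        lines.append(f"! sid {sid} rev {new[sid][0]} unchanged but body differs: {new[sid][1]}")
    return lines


if __name__ == "__main__":
    for line in format_report(OLD_RULES, NEW_RULES):
        print(line)
```

Running it on the constructed sets reports sids 3155 and 3272 as added, 2446 as bumped from rev 4 to rev 5, and 1000001 as a silent change. The silent category is the one to watch during an upgrade: a rule whose match logic changed without a rev increment will not show up if you only track sid lists, and it is easy to lose in a raw line diff of files this size.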

Sourcefire has also responded to the complaints of its users by modifying the VRT Certified Rules License. The Audit clause has been replaced by the following:

"11. License Compliance.

You may be requested by Sourcefire to provide a certificate, signed by your authorized representative, that you are using the VRT Certified Rules consistent with a Permitted Use. In the event your use of the VRT Certified Rules is not in compliance with a Permitted Use, or if you otherwise violate the terms of this Agreement, Sourcefire may, since remedies at law may be inadequate, in addition to its other remedies:

(a) demand return of the VRT Certified Rules;

(b) forbid and enjoin your further use of the VRT Certified Rules;

(c) assess you a use fee appropriate to your actual use of the VRT Certified Rules."

I think this is much more reasonable. You may want to still run it by your corporate counsel before agreeing, if you want to use Snort in your environment as a registered user.

Wednesday, March 09, 2005

Passed My CCNA Test

I just finished testing for my Cisco Certified Network Associate certification. I passed with a 973 out of 1000. The test was 90 minutes long and I finished with only 8 minutes to spare. I think I missed one question, maybe two. The exam was as tough as I expected, meaning it was not easy. I know it was difficult since I usually breeze through majority multiple-choice exams. (For example, I answered all 250 questions on the CISSP exam in 90 minutes, and walked out the door.)

I cannot say enough about the CCNA class I took with Todd Lammle at GlobalNet Training. He was not kidding when he said students need to know everything he writes in his slides and says while teaching. I was amazed how much of my knowledge Cisco managed to test with a 55 question exam. Also, if I did not know Todd's block size method of IP subnetting, I do not think I would have finished the test in time.

If you want to pass the CCNA, I recommend the following:

1. Take GlobalNet Training's CCNA class. I do not think you will find another training source who provides as much gear for each student to configure. The labs are first-rate.

2. Read Todd's book.

3. Practice using Todd's CertSim software. This was invaluable because it taught me to slow down and be more careful. I learned this lesson even though I only had a chance to use the software once, 2 hours before my test. I blazed through the simulation and scored only a 749 -- 100 points too low to pass! I vowed to be more careful on the real exam, and it paid off.

4. Practice configuring real Cisco gear, and use Todd's RouterSim Network Visualized software. I did not get a chance to play with this much outside of class, but it's a great way to build, configure, and test Cisco gear in a virtual environment.

5. For deeper knowledge, check out Alex Zinin's book.

Later this year I plan to start working towards the CCNP.

Tuesday, March 08, 2005

Review of Cisco IP Routing Posted

just posted my five star review of Alex Zinin's exceptional Cisco IP Routing. From the review:

"With my CCNA exam date staring straight at me, I decided to finally read my copy of Alex Zinin's Cisco IP Routing. This book clearly exceeds the level of knowledge to pass Cisco's entry level certification. It is aimed more at CCNPs or CCIEs who need a deeper understanding of Cisco routing. Nevertheless, I found the book's explanations of certain subjects to be absolutely outstanding, even for a CCNA candidate. I recommend anyone wishing to learn Cisco router operations read Cisco IP Routing."

Sourcefire VRT Rules License Audit Rights

Don't be too quick to register to receive the latest Snort rules if you use Snort in your organization. This snort-users post brought this section of the VRT Certified Rules License Agreement to my attention:

"11. Audit Rights.

You will, from time to time and as requested by Sourcefire, provide assurances to Sourcefire that you are using the VRT Certified Rules consistent with a Permitted Use, and you grant Sourcefire access, at reasonable times and in a reasonable manner, to the VRT Certified Rules in your possession or control, and to your books, records and facilities to permit Sourcefire to verify appropriate use of the VRT Certified Rules and compliance with this Agreement.

Sourcefire's non-exercise of this right, or its failure to discover or object to any inappropriate use or other breach of this Agreement by you, shall not constitute its consent thereto or waiver of Sourcefire's rights hereunder or under law.

In the event your use of the VRT Certified Rules is not in compliance with a Permitted Use, or if you otherwise violate the terms of this Agreement, Sourcefire may, since remedies at law may be inadequate, in addition to its other remedies:

(a) demand return of the VRT Certified Rules;

(b) forbid and enjoin your further use of the VRT Certified Rules;

(c) assess you the cost of Sourcefire's inspection and enforcement efforts (including attorney fees); and/or

(d) assess you a use fee appropriate to your actual use of the VRT Certified Rules."

The snort-users poster said "our corporate counsel had apoplexy when he saw the license terms." I would have to agree. I cannot see any corporate lawyer agreeing to these terms. Does anyone know of any similar licensing agreements for other projects or products?

I have not yet registered to receive the VRT rules, and at this point I am not sure I am willing to subject my company to this level of intrusiveness.

Update: Does Marty read this blog? Maybe -- he's looking at this audit provision, according to his recent snort-users post: "Any time you get lawyers involved things sometimes don't work out quite like you were planning." Stay tuned!

Monday, March 07, 2005

Book Featured by Net Optics

This image is an excerpt from what appears to be a new marketing slick (.pdf) from Net Optics, a California company that makes excellent network taps. I profiled two of their products in my first book. I am working with them to evaluate a set of new products for my next book, with an eye towards internal monitoring. If all goes well I may speak to some of their users in May, at their Sunnyvale, California headquarters.

New Web Site Launched

Sometime during this afternoon, the new Web site was launched. It features a message from Marty that says "We will continue to dedicate our research, development and QA resources to ensuring that Snort remains the de facto standard in intrusion detection and prevention technology." I noticed the Web page titles also use the same "de facto" language. While I more or less agree with the IDS aspect, I believe Marty and crew are being pushed by market forces to adopt the IPS stance. This is a shame, as we all know an "IPS" is a layer 7 firewall that inverts the access control best practice of "allow some, deny everything else." (In other words, an IPS performs a "deny some, allow everything else" function.) I absolutely detest the IPS label and wish access control devices were simply identified as such, and not confused with audit devices (e.g., IDSs).

The new site features a comprehensive FAQ that links to the VRT Certified Rules License Agreement. I encourage everyone to read the documents themselves, but here's my summary:

- If you absolutely must have the latest rules, as soon as Sourcefire's Vulnerability Research Team (VRT) develops them, you should subscribe. "Introductory pricing" is $195/month, $495/quarter, or $1795/year. You are not allowed to redistribute these rules outside of your organization.

- If you can afford to wait five days after a new rule is deployed, you should register. This is free, but again you cannot redistribute these rules outside of your organization.

- If you don't want to subscribe or register, you can remain anonymous and receive new rules with every new Snort point release. In other words, if/when Snort 2.4.0 or 3.0.0 arrives, you'll get a new batch of rules with it.

Where does this leave the companies with products like Lucid Security's ipANGEL or services like VeriSign's (previously Guardent's) managed intrusion detection, that use Snort as their IDS? Sourcefire calls these organizations Snort Integrators: "any company that distributes Snort or Snort rules in their commercial offerings. This includes vendors bundling Snort or Snort rules, MSSPs and SIMs." These companies will need to buy a Snort Integrator License. I have emailed the listed point of contact to find out more about this.

The last item I'd like to mention is the Snort rules themselves. There are now two "flavors:"

"Sourcefire VRT Certified Rules are the official rules of Each rule has been rigorously tested against the same standards the VRT uses for Sourcefire customers. These rules are distributed under the new VRT Certified Rules License Agreement that restricts commercial redistribution."

"Community Rules [are] rules submitted by members of the open source community. While these rules are available 'as is,' the VRT performs basic tests to ensure that new rules will not break Snort. These rules are distributed under the GPL and are freely available to all open source Snort users."

It looks like Bleeding Snort will be the focal point for the new Community Rules, although this has not been confirmed.

Stay tuned for more commentary as I figure out how this is all working. I am meeting with Marty on Thursday at the Sourcefire HQ, so expect a good follow-up Thursday or Friday.

Review of CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed Posted

just posted my five star review of CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed. From the review:

"Last week I attended Todd Lammle's CCNA class, where I received a free copy of his 'CCNA: Cisco Certified Network Associate, Deluxe Edition (640-801), 4th Ed' (CCNADE4E). Todd's class was excellent, and his book is almost literally Todd in written form. There is hardly a wasted word in this book. If Todd mentions a detail concerning a protocol or a certain default value in a configuration parameter, it's important. If he calls out that same item in a 'Note', it's definitely important. This is not 'teaching to the test' -- it's ensuring students and readers are familiar with material Cisco considers relevant. Cisco started its certification program to ensure administrators could properly configure and deploy its gear. By reading CCNADE4E, you will gain that knowledge."

I test Wednesday afternoon. I'll report the results.

Sunday, March 06, 2005

Use FTP Instead of TFTP to Transfer IOS Images

Michael Lucas' book Cisco Routers for the Desperate saved me this evening. I was trying to update the flash image on my Cisco 2950T-24 switch via TFTP, and had this problem (twice, actually):

gruden#copy tftp flash
Address or name of remote host []?
Source filename [c2950-i6k2l2q4-mz.121-22.EA3.bin]?
Destination filename [c2950-i6k2l2q4-mz.121-22.EA3.bin]?
Accessing tftp://
Loading c2950-i6k2l2q4-mz.121-22.EA3.bin from (via Vlan1):
%Error reading tftp:// (Transfer aborted)

Luckily the switch was not hosed at this point. I still had my command prompt and normal functionality. For some reason TFTP kept failing. The image stored on the TFTP server appeared good, since its MD5 hash matched that provided by Cisco. What to do?

I remember Michael Lucas describing how to use FTP to transfer IOS images, so I tried that:

gruden#copy ftp://richard:pasword@ flash
Destination filename [c2950-i6k2l2q4-mz.121-22.EA3.bin]?
Accessing ftp://richard:password@
Loading c2950-i6k2l2q4-mz.121-22.EA3.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2867200 bytes copied in 256.536 secs (11177 bytes/sec)

I then reloaded the switch and it came up without any problems. Thanks Michael!

Switch to Router-on-a-Stick Communication

In January I described how I configured my Cisco 2651XM router to pass traffic between two VLANs on my Cisco 2950T-24 switch. I never assigned an IP for management purposes to the switch, since I always reached it via console cable. Today I decided to try upgrading the switch IOS, but that required applying a management IP to the switch.

My router had this configuration on the interface facing the switch:

interface FastEthernet0/1
description Connection to gruden, Cisco switch
no ip address
duplex auto
speed auto
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address

I assumed that if I assigned a management IP to my switch with either a or address, the switch would be able to speak to the router. I assigned to the switch. Because switches do not receive IPs on individual ports, I applied the IP to VLAN 1:

gruden(config)#int vlan1
gruden(config-if)#ip address
gruden(config-if)#no shutdown
gruden(config)#ip default-gateway

Unfortunately, this did not work. I could not reach the router from the switch and vice-versa.

I decided to try assigning a new IP address directly to router interface fa0/1, and give the switch an IP in the same netblock:

gill(config)#int fa0/1
gill(config-if)#ip address
gill(config-if)#no shutdown

Here's how I configured the switch:

gruden(config)#int vlan1
gruden(config-if)#ip address
gruden(config-if)#no shutdown
gruden(config)#ip default-gateway

That did it. Now I can reach both devices. Apparently the switch can only communicate with the router when the address on the switch is outside of the VLANs in use. I believe Todd Lammle refers to this sort of setup as a management overlay network, where certain IPs are used solely for device management.

If anyone can comment on this design or suggest an alternative, I welcome feedback. I think the wrinkle in my setup involves the router having to pass traffic between VLANs 10 and 20.