Showing posts from May, 2005

Bejtlich Writing Like Mad During Home Stretch

I am writing like mad to meet a 1 June book delivery deadline for Addison-Wesley , so I won't be posting much or at all until I finish Extrusion Detection . I think crunching to meet deadlines is a common author predicament, after speaking with the other participants at the BSDCan book signing last week. Pictured with me, starting from my left, are Dru Lavigne, Greg Lehey, Marshall Kirk McKusick, and George Neville-Neil. Michael Lucas was not present for that photo but he appeared momentarily afterwards. Standing in the background is conference organizer extraordinaire Dan Langille. Thanks to Robert Bernier for posting the original photo.

Snort Inline?

Is anyone successfully running an inline deployment of Snort on FreeBSD? If so, please email me: richard at taosecurity dot com. This guide makes it look easy, but I've tried multiple variations (bridging, routing, etc.) with Snort 2.3.3 on FreeBSD 5.4 REL and nothing works completely. Thank you. Update: I got it working. snort-2.3.3.tar.gz doesn't work; snort_inline-2.3.0-RC1.tar.gz does. Who knew.

Vote for Sguil at SANS ISC Poll

Thanks to Brandon Greenwood I learned that the current SANS ISC poll asks for your favorite Snort interface. Sguil is currently running third behind BASE and ACID . Visit SANS ISC and vote for Sguil!

NetBSD Binary OS Updates

I discovered a system running NetBSD 2.0 in my lab and decided to upgrade it to NetBSD 2.0.2 . I read that "this is also the first binary security/critical update since NetBSD 2.0." I found a thread which gave various forms of advice on updating to NetBSD 2.0.2 from 2.0. Here is what I did. When I started the system was running NetBSD 2.0. bash-2.05b# uname -a NetBSD 2.0 NetBSD 2.0 (GENERIC) #0: Wed Dec 1 10:58:25 UTC 2004 builds@build:/big/builds/ab/netbsd-2-0-RELEASE/ i386/200411300000Z-obj/big/builds/ab/ netbsd-2-0-RELEASE/src/sys/arch/i386/compile/GENERIC i386 First I downloaded base.tgz, comp.tgz, kern-GENERIC.tgz, man.tgz, misc.tgz, and text.tgz into a directory I created called /usr/tmp. The FTP server directory listing shows what was available in total. juneau# ftp Trying Connected to ...edited... ftp> ls 229 Entering Extended Passive

Marcus Ranum on Proxies, Deep Packet Inspection

I asked security guru Marcus Ranum if he would mind commenting on using proxies as security devices. I will publish his thoughts in my new book Extrusion Detection , but he's allowed me to print those comments here and now. I find them very interesting. "The original idea behind proxies was to have something that interposed itself between the networks and acted as a single place to 'get it right' when it came to security. FTP-gw was the first proxy I wrote, so I dutifully started reading the RFC for FTP and gave up pretty quickly in horror. Reading the RFC, there was all kinds of kruft in there that I didn't want outsiders being able to run against my FTP server. So the first generation proxies were not simply an intermediary that did a 'sanity check' against application protocols, they deliberately limited the application protocols to a command subset that I felt was the minimum that could be done securely and still have the protocol work. For example,

New Net Optics Product Evaluations

I recently acquired several more specialized taps from Net Optics . I thought you might like to hear a few words about them. I plan to feature these and a few other devices in my new book Extrusion Detection , but why wait until then? I specifically requested evaluation units to meet monitoring and network access problems my clients brought to me. Perhaps you will find one or more of these products answer a monitoring question you've also been pondering. Keep in mind that I show Ethernet versions here, but a variety of optical products are offered. Also, I mention these products as they might be deployed at the perimeter, between a border router and firewall. They can certainly be used elsewhere, but for consistency here I stay with that deployment scenario. The first product I tried was the 10/100 Active Response Dual Port Aggregator Tap . The purpose of this device is to provide full duplex access to a network link to two sensor platforms. The two outputs on the left

Notes on Net Optics Think Tank

Last week I had the good fortune to be invited to speak at a Net Optics Think Tank event. Net Optics is a California-based maker of products which help analysts access traffic for monitoring the security and performance of the network. I recently wrote about the Net Optics tap built in a PCI card form factor. I also use their gear to conduct network security monitoring, as profiled in my first book. The meeting offered attendees three sessions: the first two were conducted by Net Optics personnel, and I presented the third. The purpose of the sessions were not to sell products, but to solicit feedback from attendees. In fact, in some cases the "products" in question didn't exist yet. Rather than implement products customers might not want, or lacking desired features, Net Optics polls its clients and prospective customers and builds the gear those customers need. The first presentation described the Bypass Switch . This is a really interesting product which

Virtual Desktops on Windows

I've been working in Windows more than usual recently as I push to complete my next book Extrusion Detection . I realized I really missed having multiple virtual desktops, like I do using Fluxbox or generally any UNIX windowing environment. Enter Virtual Dimension . This is an open source virtual desktop system for Windows. It works flawlessly on my Windows 2000 Professional laptop. At the right you can see the small desktop that appears when you click on a tray icon. I like being able to see small icons representing the applications active on each desktop. For example, desktop 0 is running Firefox, 1 has Adobe Reader, 2 has Putty and Wish (for Sguil), and 3 has Windows Media Player. I don't know how I coped with a single Windows desktop before using this program.

Reviewers for Extrusion Detection Wanted

Would anyone be interested in reviewing preliminary drafts of some chapters from my future book Extrusion Detection ? If so, email richard at taosecurity dot com. Please explain why you think you would be a good reviewer and tell me something about your network security experience. If you sound like a good candidate, I will pass your information on to my publisher. Thank you! Update: Thanks to all who replied -- I sent a list of names to my publisher. They will be contacting some of you, depending on when you wrote me.

Microsoft Windows Server 2003 Trial Downloads

I'm not one to ignore free software from Microsoft, even if it's only in trial format. I saw that a beta of Windows Server 2003 R2 is available for download. You must install it on the trial version of Windows Server 2003 with Service Pack 1 (SP1); normal Windows Server 2003 SP1 will apparently not work. I registered to download R2 beta and also Windows Server 2003 SP1 . You can get them on CD as well, but that takes 4-6 weeks. I might try converting server to workstation using the provided link.

Report from BSDCan, Part II

I recently reported on day one of BSDCan 2005 , which I attended in Ottawa. I'd like to present my review of day two. I started the day with Easy Software-Installation with pkgsrc , presented by D'Arcy Cain. I find pkgsrc interesting because it is a cross-platform package system, not just for NetBSD . Too bad the Web site has "pkgsrc: The NetBSD Packages Collection" at the top! I would like to try pkgsrc on NetBSD of course, but also on Solaris, AIX, FreeBSD, OpenBSD, Slackware, and Debian. Besides the official packages in the tree, there is a testing ground of sorts at pkgsrc-wip (works-in-progress) and , a Web-based front-end. It would be a great accomplishment if the BSDs were able to standardize on a single package system and pool their resources. If Linux were intergrated, that would be amazing. I learned pkgsrc even supports Windows through Interix , which is now the free Windows Services for UNIX . D'Arcy intended f

Great Firewall Round-Up in NWC

A recent issue of Network Computing magazine featured an excellent set of firewall reviews . I thought Greg Shipley's Analyzing the Threat-Management Market cover piece to be very insightful. Here are a few excerpts: "Our testing uncovered overhyped features, signs of innovation, emerging challenges and useful new capabilities. But what struck us most was what isn't being said -- that market demands are shifting the ground under legacy firewall vendors, and some will have a hard time holding on. Network access control is no longer a perimeter-only game, and the need for protection mechanisms is deeper than the address-and-service restrictions we're used to. More important, network security is no longer viewed as a product to be tacked on, but rather a core requirement. This is a fundamental shift in thinking." Security as a "core requirement" is great news. It's only taken a decade of constant Internet attack to get vendors to understand this po

Richard Clarke Knows the Drill

The latest edition of SC Magazine features an interview with Richard Clarke titled Failure must be a part of the plan . Hallelujah, someone with a wide speaking forum understands that prevention eventually fails . I saw Mr. Clarke speak at RAID 2003 and I was impressed by his thoughts back then. Here is a quote from his interview, with my emphasis added: "'The first thing that corporate boards and C-level officials have to accept is that they will be hacked , and that they are not trying to create the perfect system, because nobody has a perfect system," he says. In the end, hackers or cyberterrorists wanting to infiltrate any system badly enough will get in, says Clarke. So businesses must accept this and design their systems for failure. This is the only sure way to stay running in a crisis. It comes down to basic risk management and business continuity practices. 'Organizations have to architect their system to be failure-tolerant and that means compartmenta

REcon 2005 Security Conference

At BSDCan I learned of a new security conference being held in Montreal from 17 to 19 June called REcon . The speakers list looks good. I see Adam Shostack , Jack Whitsitt , Jose Nazario , Kathy Wang , Matt Shelton , and Nish Bhalla are all speaking. I won't be able to attend, but at 400 CDN this conference is a real bargain.

Cisco Releases IOS 12.4

I can't find any real press releases on this, but I noticed Cisco released IOS 12.4 this month. This is a Major Release that incorporates features developed in the IOS 12.3T line. Two product bulletins explain what's new in IOS 12.4, and an 84 slide .pdf presents similar information in PowerPoint format. I was surprised that the IOS Feature Navigator shows there is no support for the Secure Shell SSH Version 2 Server or Client for my Cisco 2651XM router in 12.4(1). Hopefully this will be added soon.

Review of Cisco Router Firewall Security Posted

Image just posted my four star review of Richard Deal 's Cisco Router Firewall Security . I read half of it on the flight from DC to San Francisco, and the rest on the return leg. From the review : "I really enjoyed reading Cisco Router Firewall Security (CRFS) by Richard Deal. This book delivers just what a technical Cisco book should: discussion of concepts, explanation of command syntax, and practical examples. The author offers several ways to solve a security problem and then recommends his preferred choice. He correctly leans towards applying cryptography when available and avoids clear-text authentication methods or control channels. If you avoid the first chapter and keep a few minor caveats in mind, I would consider CRFS to be a five-star book." If you administer Cisco routers, I highly recommend reading this book.

Launch of New

I am happy to announce the redesign of as the corporate home of TaoSecurity. In the coming days and weeks I will transition old, more personalized content to the domain. TaoSecurity is open for business, and I look forward to helping you with your security consulting and training needs. I have a ton of material to blog, including a wrap-up of BSDCan and some news items. I will be flying to San Francisco Tuesday and returning very early Thursday. Don't expect too many updates until I return home. Thank you!

End of the Line for Racoon at

I've used security/racoon for years to manage the IPSec key exchange problem. I just read that the Kame project has ceased supporting Racoon; they direct users to IPSec-tools . That projects advertises itself as "a port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation... [that] supports NetBSD and FreeBSD as well." Here's a recent thread on running IPSec-tools on FreeBSD. If you're looking for an alternative to Racoon, I know of one for FreeBSD: security/isakmpd , imported from OpenBSD . I'm a little worried, since the FreeBSD port hasn't been modified since December, while the CVS interface to the OpenBSD code shows recent changes. I'm also not sure what to make of this how-to , since there is no date on it; i.e., do the problems describe therein still plague isakmpd on FreeBSD? Speaking of IPSec, you may have seen the NISCC announcement, or the US-CERT vulnerability note. The vulnerability is really one of poor config

Report from BSDCan, Part I

I was fortunate enough to be accepted to deliver two presentations at BSDCan 2005 today. I attended the first BSDCan last year, and this year's event seems to have attracted a bigger crowd. I heard somewhere between 150 and 190 attendees are roaming the University of Ottawa campus. This morning worked out very well. My wife and I took our 6 month old to the airport for her first trip -- except my wife and child flew to Detroit for a wedding, and I flew to Ottawa for BSDCan. (Thanks Aimes!) I landed in time to see the rest of Colin Percival 's Hyper-Threading Vulnerability talk. You can read Colin's paper in .pdf format here . This problem is not limited to FreeBSD. It affects any operating system running on an Intel HTT -capable CPU. The attack Colin discusses : "permits local information disclosure, including allowing an unprivileged user to steal an RSA private key being used on the same machine. Administrators of multi-user systems are strongly advised to

Web Browser Forensics Part II

Last month I mentioned the first part of a two-part article on Web browser forensics by two friends (Rohyt Belani and Keith Jones) at security consultancy Red Cliff . Now part two is available online. This new article looks very interesting -- I suggest reading it. Tomorrow or Saturday I hope to blog from BSDCan . See you there, maybe!

Multiple New Pre-Reviews

I've received many new books in the last two weeks. Here are some pre-reviews. First we have Mastering FreeBSD and OpenBSD Security by Bruce Potter, Paco Hope, and Yanek Korff, published by O'Reilly . I have been looking forward to this book for a while. I use both operating systems to build security appliances, and that sort of work is the subject of this book. I would have preferred if the authors avoided discussing Snort and ACID, though. This is the umpteenth time I've seen "IDS" boiled down to those two well-worn and not-very-effective "solutions." Snort, yes. ACID, no. I would have been less disturbed if at least BASE , the replacement for ACID , was profiled. But no. Still, this will be the first book in the pack I plan to read. Next we have Snort Cookbook by Angela D. Orebaugh, Simon Biles, and Jacob Babbin, published also by O'Reilly . This is O'Reilly's second Snort book in nine months. The last was Mangling Securit

Attend VMWare Seminar, Get Free Workstation 5 Copy

Today I received an email from VMWare describing a new promotion . Over three days, from 14 June to 16 June, VMWare will be conducting three-hour seminars in twenty cities in the US and Canada. According to the announcement, attendees will leave with a full copy of VMWare Workstation 5 , a nearly $200 value. The exact words are: "Take what you learned today and implement it with your new copy of VMware Workstation 5 - no strings attached." This is an excellent deal. I received a free copy of Windows NT 4 years ago at a Microsoft promotion. If anyone attends the seminar at the Dulles, VA Marriott, I will see you there.

Anyone Want to Speak at InfoSeCon?

I am looking for someone to take my place at the InfoSeCon conference in Dubrovnik, Croatia. If you are interested, please contact organizer Niels Bjergstrom at njb at chi-publishing dot com. You will get an all-expense paid trip to a beautiful part of Europe on the Adriatic sea. The conference is 6-9 June 2005. Thank you.

Spamcop blocking Gmail

Anyone else seeing Spamcop used to deny email from Gmail? This is killing me. Here are two recent examples: This is an automatically generated Delivery Status Notification Delivery to the following recipient failed permanently: Technical details of permanent failure: PERM_FAILURE: SMTP Error (state 9): 550 See for more information." The second problem: This is an automatically generated Delivery Status Notification Delivery to the following recipient failed permanently: obscured@obscured.obs Technical details of permanent failure: PERM_FAILURE: SMTP Error (state 10): 554 Service unavailable; Client host [] blocked using; Blocked - see Is anyone else seeing this?

Sourcefire Founder Demolishes IPS Advocate

Many thanks to ghost16825 for pointing me towards this excellent InfoWorld article: The great intrusion prevention debate . The article pits Sourcefire founder Marty Roesch against TippingPoint Chief Technology and Strategy Officer Marc Willebeek-LeMair . Folks, this one is not pretty. Marty demolishes Dr. Willebeek-LeMair by correctly arguing that IPS (called layer 7 firewalls by the Blog and elsewhere) is "a step in the right direction, but... the infrastructure itself can be orchestrated effectively to provide a much broader capability than just point defense in the face of a pervasive threat." Dr. Willebeek-LeMair's main defense: "To be as polite and as succinct as possible: You are simply misinformed." This debate shows how a hardware vendor with a fast packet processing systems thinks he can change the world. Dr. Willebeek-LeMair's market-speak falls flat when critiqued by an actual security expert (Marty). I highly recommend reading the entire

FreeBSD 5.4 RELEASE Available

Several people let me know that FreeBSD 5.4 RELEASE was made publicly available this morning. Thank you -- I was busy installing it on the Dell PowerEdge 750 shown in my previous blog entry. :) You can read the dmesg output I stored at the NYCBUG site. Enjoy! Incidentally, here is the df output after I built the sensor. Script done on Mon May 9 09:43:45 2005 Filesystem Size Used Avail Capacity Mounted on /dev/aacd0s2a 989M 35M 875M 4% / devfs 1.0K 1.0K 0B 100% /dev /dev/aacd0s2f 989M 28K 910M 0% /home /dev/aacd0s2h 436G 265M 401G 0% /nsm /dev/aacd0s2e 989M 12K 910M 0% /tmp /dev/aacd0s2d 5.9G 961M 4.4G 17% /usr /dev/aacd0s2g 4.8G 510K 4.5G 0% /var

Tap on a PCI Card

Those of you who've read my first book know I like to use taps built by Net Optics to access wired traffic. The device pictured at left is a port aggregator tap . It combines the TX side of whatever's plugged into port A with the TX side of port B into a single output on port C, using buffering if the aggregrate throughput exceeds 100 Mbps. Today I got a chance to test the device pictured at left. It's a Net Optics PCI Port Aggregator tap. You plug this device into a 32 bit PCI slot on your monitoring station, and you effectively have the normal port aggregator tap I showed earlier sitting within your sensor. Let me show you what I mean in pictures. This is the inside of my preferred monitoring platform, a Dell Poweredge 750 . I've removed the dual Gigabit Ethernet NIC I usually order with these systems. That NIC is a PCI-X device recognized as em under FreeBSD. In this next picture you see the Net Optics PCI tap at the top, and the dual Gigabit Ethernet N

Mixed Thoughts on Inside Network Perimeter Security, 2nd Ed

I promise that I read the books I review, so this is not a review. You won't see me post anything at about Inside Network Perimeter Security, 2nd Ed . I read parts of it, but nowhere near enough to justify a formal review. Here are a few thoughts on the book. The five authors and four technical editors did a lot of work to write this book. It weighs in at 660+ pages, with not that many figures or screen shots. Despite being a second edition, I found evidence of old material. I noticed that chapter 2 describes IPChains. IPChains -- where was that last in the mainstream, in the Linux 2.2 kernel? Chapter 6 implies SSH v2 isn't available on Cisco gear, but readers will remember I got that working a few months ago. Ch 19 promotes the virtues of Big Brother , a monitoring tool that's been declining for years since its acquisition . Nagios should have been covered instead. A quote in ch 11 on Intrusion Prevention Systems bugged me: "SoureFire [sic] dit

Ping Tunnel and Telnet

I often learn of new software by seeing new ports released at FreshPorts . Recently I noticed Daniel Stødle's Ping Tunnel appear as net/ptunnel . Ping Tunnel tunnels TCP over ICMP traffic, as shown in the diagram at left. Being a network security analyst I thought it might be interesting to see what this traffic looks like. I set up the Ping Tunnel client on my laptop (orr,, the proxy on a server (janney,, and tried to Telnet to a third server (bourque, The results surprised me. Here is the setup. First, I set up the proxy on janney. Here is everything janney reported. janney:/home/richard$ sudo ptunnel -c xl0 [inf]: Starting ptunnel v 0.60. [inf]: (c) 2004-2005 Daniel Stoedle, [inf]: Forwarding incoming ping packets over TCP. [inf]: Initializing pcap. [inf]: Ping proxy is listening in privileged mode. [inf]: Incoming tunnel request from [inf]: Starting new session to with ID 33492 [er

Ethereal 0.10.11 Released

Ethereal 0.10.11 was released Wednesday. It fixes a ton of security bugs. There appear to be some GUI enhancements as well as improvements under the hood. I recommend upgrading when possible.

How to Go Insane Using Comcast

It's simple to go insane when using Comcast as your cable modem provider. Watch as Comcast-provided cable modem goes dead. (Not insane yet). Swap out cable modem at store. (Not insane yet). Plug in cable modem and watch router receive IP address. (Not insane yet. Happy, actually.) Notice machines begin trying to reach when using TCP. (Slight insanity.) Observe that UDP traffic like NTP updates work properly. (Higher insanity level.) Notice that your cannot ping your default gateway. (Insane. Period.) Apparently when my new cable modem is put on the network, it was given ( as its DNS server. This is a really amazing system. Check it out. orr:/home/richard$ nslookup Server: Address: Name: Address: orr:/home/richard$ nslookup Server: Address: Name: ww

Risk, Threat, and Vulnerability 101

In my last entry I took some heat from an anonymous poster who seems to think I invent definitions of security terms. I thought it might be helpful to reference discussions of terms like risk, threat, and vulnerability in various documents readers would recognize. Let's start with NIST publication SP 800-30: Risk Management Guide for Information Technology Systems . In the text we read: " Risk is a function of the likelihood of a given threat-source 's exercising a particular potential vulnerability , and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system." The document outlines common threats: Natural Threats: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events. Human Threats Events that are either enabled by or caused