Initial Thoughts on Innominate mGuard PCI
Several weeks ago I mentioned the Innominate mGuard PCI. This is a PCI card that features a firewall and other security devices on the PCI board itself. In its simplest configuration, you simply insert the NIC into a free PCI slot on a system. By default the mGuard acts as a filtering bridge that lets traffic leave the protected system but denies unsolicited inbound connections.
The mGuard appears to use a 266 MHz CPU running some version of Linux. I like the idea of an independent, hardware-based device implementing access control. The mGuard can be used to filter both unwanted inbound and outbound traffic in a completely transparent manner. Alternatively, you can configure the mGuard to log traffic but pass everything.
I would like to thank Innominate for mailing me a demo mGuard card all the way from Germany. I find the self-contained Innominate mGuard professional to be fairly novel as well. You simply insert this device between your workstation, laptop, or server and the network, and it provides the same filtering found in the PCI version. This is a great hardware-based access control solution for anyone on a hostile network. ISPs could consider shipping these to their customers!
While I was perusing the mGuard's logs, I found an odd connection:
uptime 0 days 01:01:38.37870 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0
SRC=192.168.2.77 DST=205.156.51.200 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1304 DF PROTO=TCP
SPT=56925 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
This is an FTP control channel connection to 205.156.51.200 (tgftp.nws.noaa.gov). I could not account for this activity, but I did have full content logging data enabled on my NSM sensor. Here is the session as decoded by Tcpflow:
205.156.051.200.00021-069.243.018.066.56925: 220-WARNING
205.156.051.200.00021-069.243.018.066.56925: 220-
220-This is a United States Government (NOAA) computer system, which may be
220-accessed and used only for official Government business by authorized
220-personnel. Unauthorized access or use of this computer system may
220-subject violators to criminal, civil, and/or administrative action.
220-
220 tgftp.nws.noaa.gov FTP server ready.
069.243.018.066.56925-205.156.051.200.00021: USER anonymous
205.156.051.200.00021-069.243.018.066.56925: 331 Guest login ok, send your complete
e-mail address as password.
069.243.018.066.56925-205.156.051.200.00021: PASS freesbie@freesbie.livecd
205.156.051.200.00021-069.243.018.066.56925: 230-Please read the file README.TXT
205.156.051.200.00021-069.243.018.066.56925: 230- it was last modified on Mon Aug 19 13:36:34 2002 - 1049 days ago
230 Guest login ok, access restrictions apply.
069.243.018.066.56925-205.156.051.200.00021: TYPE I
205.156.051.200.00021-069.243.018.066.56925: 200 Type set to I.
069.243.018.066.56925-205.156.051.200.00021: CWD /data/observations/metar/decoded
205.156.051.200.00021-069.243.018.066.56925: 250 CWD command successful.
069.243.018.066.56925-205.156.051.200.00021: SIZE YSSY.TXT
205.156.051.200.00021-069.243.018.066.56925: 213 413
069.243.018.066.56925-205.156.051.200.00021: MDTM YSSY.TXT
205.156.051.200.00021-069.243.018.066.56925: 213 20050704155232
069.243.018.066.56925-205.156.051.200.00021: PASV
205.156.051.200.00021-069.243.018.066.56925: 227 Entering Passive Mode (205,156,51,200,254,91)
069.243.018.066.56925-205.156.051.200.00021: RETR YSSY.TXT
205.156.051.200.00021-069.243.018.066.56925: 150 Opening BINARY mode data connection
for YSSY.TXT (413 bytes).
205.156.051.200.00021-069.243.018.066.56925: 226 Transfer complete.
205.156.051.200.00021-069.243.018.066.56925: 221 You could at least say goodbye.
I see that this was caused by a weather applet running on FreeSBIE, the FreeBSD live CD with which I was testing the mGuard PCI. This is completely benign, but I was not expecting to see a program perform an FTP connection on its own. This is the power of collecting NSM data -- you can figure out what is happening, once you know where to look. You also don't have to know what to look for before you start collecting data -- just grab as much as you can.
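To show how the mGuard's klogd output and the Tcpflow-decoded FTP session can be checked mechanically rather than by eye, here is an added example (my code, not from the post or from Innominate). It parses the iptables-style firewall lines into new-connection tuples, and derives from the 227 reply the passive-mode data endpoint the client will connect to, so the expected data-channel connection can be matched against the firewall log. The first log line is the one from the post re-joined onto one line; the second, a denied inbound entry, is constructed for illustration.

```python
import re

# Constructed sample: the post's fw-out-ACCEPT line on one line, plus a made-up
# inbound DROP entry in the same format so the parser has both verdicts to handle.
SAMPLE_LOG = """\
uptime 0 days 01:01:38.37870 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.2.77 DST=205.156.51.200 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1304 DF PROTO=TCP SPT=56925 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
uptime 0 days 01:02:10.00001 klogd: fw-in-DROP IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=10.9.8.7 DST=192.168.2.77 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")          # KEY=value fields
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}  # bare flag tokens


def parse_fw_line(line):
    """Turn one klogd firewall line into a dict: verdict, KEY=value fields, bare flags."""
    m = re.search(r"klogd: (fw-\S+)", line)
    if not m:
        return None
    rec = {"verdict": m.group(1)}
    rec.update(KV_RE.findall(line))
    rec["flags"] = sorted(w for w in line.split() if w in FLAG_WORDS)
    return rec


def new_connections(log_text):
    """Return (verdict, src, dst, proto, dport) for each new TCP connection.

    A bare SYN (no ACK) is the first packet of a connection, which is what an
    analyst wants to list when asking 'who talked to whom'."""
    out = []
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            out.append((rec["verdict"], rec["SRC"], rec["DST"], rec["PROTO"], int(rec["DPT"])))
    return out


def pasv_endpoint(reply):
    """From a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply, return the
    (ip, port) of the data channel: port = p1 * 256 + p2.  This is the second
    outbound connection the firewall log should show right after the RETR."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
```

For the session above, the 227 reply resolves to 205.156.51.200 port 65115, which is the data-channel SYN to look for in the log after the control-channel entry.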
Comments
This was not a "recommendation." Nowhere do I suggest anyone buy one of these devices.
I ran a live CD because I needed a Web browser to connect to the mGuard's HTTPS administration GUI. I've used FreeSBIE before, so it's hardly "unknown." I thought the traffic I noticed made a good example.
I would like to know what is wrong with running IPTables on Linux? If it works, why not use it?
If you follow the sentences above you'll see I suggested ISPs provide the self-contained version -- not the PCI one.
REALLY good post. Nice demonstration of real-life NSM.
PCI firewalls are an interesting idea. Obviously they aren't for everyone, but thanks for the write-up. I don't think anyone has bothered to review one of these before.