Initial Thoughts on Innominate mGuard PCI

Several weeks ago I mentioned the Innominate mGuard PCI. This is a PCI card that features a firewall and other security devices on the PCI board itself. In its simplest configuration, you simply insert the NIC into a free PCI slot on a system. By default the mGuard acts as a filtering bridge that lets traffic leave the protected system but denies unsolicited inbound connections.

The mGuard appears to be a 266 MHz CPU running some version of Linux. I like the idea of an independent, hardware-based device implementing access control. The mGuard could be used to both filter unwanted inbound or outbound traffic in a completely transparent manner. Alternatively, you can configure the mGuard to log traffic but pass everything.

I would like to thank Innominate for mailing me a demo mGuard card all the way from Germany. I find the self-contained Innominate mGuard professional to be fairly novel as well. You simply insert this device between your workstation, laptop, or server, and it provides the same filtering found in the PCI version. This is a great hardware-based access control solution for anyone on a hostile network. ISPs could consider shipping these to their customers!

While I was perusing the mGuard's logs, I found an odd connection:

uptime 0 days 01:01:38.37870 klogd: fw-out-ACCEPT IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 
SRC=192.168.2.77 DST=205.156.51.200 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=1304 DF PROTO=TCP
SPT=56925 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0

This is an FTP control channel connection to 205.156.51.200 (tgftp.nws.noaa.gov). I could not account for this activity, but I did have full content logging data enabled on my NSM sensor. Here is the session as decoded by Tcpflow:

205.156.051.200.00021-069.243.018.066.56925: 220-WARNING

205.156.051.200.00021-069.243.018.066.56925: 220-
220-This is a United States Government (NOAA) computer system, which may be
220-accessed and used only for official Government business by authorized
220-personnel. Unauthorized access or use of this computer system may
220-subject violators to criminal, civil, and/or administrative action.
220-
220 tgftp.nws.noaa.gov FTP server ready.

069.243.018.066.56925-205.156.051.200.00021: USER anonymous

205.156.051.200.00021-069.243.018.066.56925: 331 Guest login ok, send your complete
 e-mail address as password.

069.243.018.066.56925-205.156.051.200.00021: PASS freesbie@freesbie.livecd

205.156.051.200.00021-069.243.018.066.56925: 230-Please read the file README.TXT

205.156.051.200.00021-069.243.018.066.56925: 230-  it was last modified on Mon Aug 19 13:36:34 2002 - 1049 days ago
230 Guest login ok, access restrictions apply.

069.243.018.066.56925-205.156.051.200.00021: TYPE I

205.156.051.200.00021-069.243.018.066.56925: 200 Type set to I.

069.243.018.066.56925-205.156.051.200.00021: CWD /data/observations/metar/decoded

205.156.051.200.00021-069.243.018.066.56925: 250 CWD command successful.

069.243.018.066.56925-205.156.051.200.00021: SIZE YSSY.TXT

205.156.051.200.00021-069.243.018.066.56925: 213 413

069.243.018.066.56925-205.156.051.200.00021: MDTM YSSY.TXT

205.156.051.200.00021-069.243.018.066.56925: 213 20050704155232

069.243.018.066.56925-205.156.051.200.00021: PASV

205.156.051.200.00021-069.243.018.066.56925: 227 Entering Passive Mode (205,156,51,200,254,91)

069.243.018.066.56925-205.156.051.200.00021: RETR YSSY.TXT

205.156.051.200.00021-069.243.018.066.56925: 150 Opening BINARY mode data connection
 for YSSY.TXT (413 bytes).

205.156.051.200.00021-069.243.018.066.56925: 226 Transfer complete.

205.156.051.200.00021-069.243.018.066.56925: 221 You could at least say goodbye.

I see that this was caused by a weather applet running on FreeSBIE, the FreeBSD live CD with which I was testing the mGuard PCI. This is completely benign, but I was not expecting to see a program perform a FTP connection on its own. This is the power of collecting NSM data -- you can figure out what is happening, once you know where to look. You also don't have to know what to look for before you start collecting data -- just grab as much as you can.

Comments

Anonymous said…
REALLY dissapointing post. Its nice that your sniffer caught the app you were running, but why run a distro with unknown apps for testing to begin with. Also its a bit hard to "trust" a reccomendation for a firewall device that does nothing to differentiate itself from many other el-cheapo packet filters.
2:07 AM
Richard Bejtlich said…
Chris,

This was not a "recommendation." Nowhere do I suggest anyone buy one of these devices.

I ran a live CD because I needed a Web browser to connect to the mGuard's HTTPS administration GUI. I've used FreeSBIE before, so it's hardly "unknown." I thought the traffic I noticed made a good example.

I would like to what is wrong with running IPTables on Linux? If it works, why not use it?
10:29 AM
Richard Bejtlich said…
Scott,

If you follow the sentences above you'll see I suggested ISPs provide the self-contained version -- not the PCI one.
10:31 AM
Anonymous said…
Richard,

REALLY good post. Nice demonstration of real-life NSM.

PCI firewalls are an interesting idea. Obviously they aren't for everyone, but thanks for the write-up. I don't think anyone has bothered to review one of these before.
3:45 PM
Anonymous said…
Have you tested the PCI or mguard together as a point to point vpn with AES or 3DES IPsec? Im interested in a pair of mguard's for a vpn running 8mbit of streaming video over .g wifi. The devices have to be transparent for the ip camera to work, there is no os or pc running.
8:25 AM
Richard Bejtlich said…
Negative -- they sent one PCI product and that was it.
8:39 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more