Hi All,
I thought that this was a post worth forwarding to this list.
--
Regards,
Hilton Travis Phone: +61 (0)7 3343 3889
(Brisbane, Australia) Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark AudioVisual http://www.quarkav.net
http://www.threatcode.com/ <-- it's now time to shame poor coders
into writing code that is acceptable for use on today's networks
War doesn't determine who is right. War determines who is left.
> -----Original Message-----
> From: Quark IT - Hilton Travis
> Sent: Monday, 4 October 2004 07:16
> To: 'sbs2k at yahoogroups dot com'
> Subject: RE: [sbs list] To ISA or Not ISA
>
> Hi Susan,
>
> > -----Original Message-----
> > From: Susan Bradley aka Ebitz [mailto:sbradcpa at pacbell dot net]
> > Sent: Sunday, 3 October 2004 19:45
> >
> > I think I'll take my chances with a supported product
> > with support engineers that get paid with something more
> > than Paypal.
>
> Do you remember the ASN.1 security release from Microsoft -
> who are a firm with slightly more income than m0n0wall
> generates? I sure do. It is probably one of the most major
> security vulnerabilities ever created. It rates slightly
> under the latest Image File Format exploit that was addressed
> last month. The ASN.1 patch took Microsoft well over 200
> days to release after they were first informed about it.
> That's absolutely disgusting. M0n0wall could never take this
> long to release a patch, or the project would be wallowing in
> the annals of "firewalls that were". Company financial value
> has only a very tenuous relationship to the quality of their
> code and the speed in which they release patches.
>
> M0n0wall **is** a supported product. There's a couple of
> active mailing lists, there are a number of active
> developers, and if there's a flaw or bug discovered, it is
> sorted ASAP - and the definition of ASAP to m0n0wall means as
> SOON as possible, not as SOMETIME as possible.
>
> > If it's based on FreeBSD... you tell me Secunia - Search Advisory,
> > Vulnerability, and Virus Database:
> > http://secunia.com/search/?search=free+bsd
>
> Sorry Susan, but you were the one offering to point out the
> holes. So please feel free to investigate this fully. Or
> admit that the challenge you put up was one that you cannot
> actually carry through. There's no problem with that (to me,
> at least), but it is your call.
>
> > One person wrote this. That doesn't make me warm and fuzzy
> > http://m0n0.ch/wall/software.php
>
> And why not? Does a product with a single programmer
> automatically mean that the product is bad, worthless,
> inferior or something? If that is the case, then all
> products written by large groups must be awesome. This quite
> clearly is nothing like reality.
>
> If you remember, the Linux kernel (and original base OS) was
> written by Linus Torvalds. That project has grown from a
> one-man band to a huge international team of developers, who
> successfully take on companies such as Microsoft, SCO, SGI,
> IBM, Novell and so on. Strangely, most of these companies
> have embraced Linux in one way or another, except for
> Microsoft. Interesting, eh?
>
> Also, there was an operating system that was bought from one
> company, sold to another company (not necessarily in that
> order) and there were some small code changes written by one
> programmer. This OS, known originally as CP/M and the
> changed version known as Microsoft DOS, started a huge growth
> phase for that company. Maybe you've heard of them. Does
> this mean that Microsoft - because it grew from a company
> with a single programmer - is not worth trusting?
>
> Warm and fuzzy is meaningless. The things that matter are
> the quality of the code. M0n0wall has a quality code base,
> with a quality lead coder, and quality programmers now
> developing with him. Manuel is very receptive to input where
> this does not create issues with the target for the project.
> He is also very careful to audit the changes, the FreeBSD
> source code, and to ensure that the resultant product is as
> secure as it can be.
>
> Again, please report the patches that m0n0wall needs, as per
> your original challenge. I'm sure that both myself and
> Manuel would be interested in the input.
>
> > Sorry but I'm big on community and especially when it comes to
> > applications that protect my client's data.
>
> I, too, am big on community. Community doesn't mean to me,
> however, only being involved in commercial products.
> Community, to me, means a collection of like minded (well,
> that's not necessarily always the case - maybe
> like-targeted?? :) people willing to add to the overall
> value of the product/industry/etc. M0n0wall has a community.
> One in which I am active - not so much lately as I have been
> busy, but I am still active. Microsoft SBS has a community -
> the same applies. As do a few other products I'm involved with.
>
> M0n0wall protects a lot of our client's data. I'm active in
> that community. SBS also protects a lot of our client's
> data. I'm active in that community. Linux protects a lot of
> our client's data. I'm active in that community. We just
> have a different definition of community, it seems. That's
> life - we don't share the same brain, we won't share the same
> opinions on everything.
>
> Generally, I tend to agree with you on many things, Susan.
> This is one area where we will have to agree to disagree.
> However, I'm still waiting for that list of needed patches to
> m0n0wall you said you'd provide.
>
>
> Regards,
> HiltonT
> > --- In sbs2k at yahoogroups dot com, "Quark IT - Hilton Travis"
> > <Hilton@Q...> wrote:
> > > Hi Susan,
> > >
> > > What patches are needed for a m0n0wall firewall?
> > > http://m0n0.ch/wall
> > > Rather interested.
> > >
> > > As for past performance, they *are* getting better (Microsoft) but
> > > bad security practices die hard.
> > >
> > >
> > > > -----Original Message-----
> > > > From: Susan Bradley aka Ebitz [mailto:sbradcpa@p...]
> > > > Sent: Sunday, 3 October 2004 18:51
> > > >
> > > > Define "past performance"
> > > >
> > > > IIS 6 despite what Russ Cooper and his 60 underlying patch count
> > > > says [I counted 48 as one that he counted was 04-001 which is an
> > > > ISA 2k patch] is very robust.
> > > >
> > > > So much so that a recent <no vendor pre-alert> vulnerability in
> > > > asp.net does not affect IIS 6.0
> > > >
> > > > Show me any firewall and I'll show you needed patches. It's all
> > > > software under the hood.
> > > >
> > > > http://www.foundstone.com/resources/whitepapers/isaserver_wp.pdf?PHPSESSID=539e142d548be34def35aca9780b6774
> > > >
> > > > You can check out some third party vendors here...
> > > > Microsoft Internet Security & Acceleration Server: Partners:
> > > > http://www.microsoft.com/isaserver/partners/default.asp
> > > >
> > > >
> > > > --- In sbs2k at yahoogroups dot com, "Quark IT - Hilton Travis"
> > > > <Hilton@Q...> wrote:
> > > > > Hi Tony,
> > > > >
> > > > > Responses inline..
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Tony Su [mailto:tonysu@s...]
> > > > > > Sent: Friday, 1 October 2004 12:38
> > > > > >
> > > > > > Hello Larry,
> > > > > >
> > > > > > I think I can jump in here and maybe not answer the question
> > > > > > how Tom might, but based on some investigation I've done (and
> > > > > > admittedly that's always dangerous, because that means I might
> > > > > > make conclusions not consistent with others).
> > > > >
> > > > > But we have to make assumptions every day to get along in life.
> > > > > As long as these assumptions are in the right ballpark, they are
> > > > > generally useful. :)
> > > > >
> > > > > > First, unfortunately despite devoting a tremendous amount of
> > > > > > my personal effort over the past 3 years, I have not been able
> > > > > > to find any detailed information about exactly what ISA's IDS
> > > > > > does which is its defense using packet inspection.
> > > > >
> > > > > That's one issue with closed source. Getting any *real*
> > > > > information can, at times, be nigh on impossible. Looking at
> > > > > Open Source - it's all there in the source code. There are
> > > > > advantages and disadvantages to both sides of this coin, and
> > > > > this is one of the disadvantages to closed source code.
> > > > >
> > > > > > Based on observation though, I do believe that it's likely
> > > > > > that ISA does tear apart packets and look for specific
> > > > > > signatures of known exploits, and if it's also maintaining
> > > > > > stateful packet inspection, it's not a stretch to look for a
> > > > > > limited list of signatures at the same time without
> > > > > > sacrificing significant performance.
> > > > >
> > > > > True, it's not a stretch. But this doesn't mean that Microsoft
> > > > > actually **does** this with ISA. No-one really knows.
> > > > >
> > > > > > But, how deep is "full" may be a subjective evaluation. After
> > > > > > all, assuming a packet is torn apart, the sequence number is
> > > > > > extracted and a test against threats is executed, how much
> > > > > > more might constitute "full?"
> > > > > >
> > > > > > I think that you may have to rely on information from someone
> > > > > > like Jim Harrison for real, authoritative information... But
> > > > > > then, I've always also considered that the paucity of ISA IDS
> > > > > > info may be to not make things too easy for the hackers so
> > > > > > maybe <no one> can be completely forthcoming.
> > > > >
> > > > > ... Or maybe because it doesn't do a hell of a lot. Or maybe it
> > > > > does an immense amount of in-depth analysis. We'll probably
> > > > > never know.
> > > > >
> > > > > > Lastly... IMO your question about a malicious HTTP attack is
> > > > > > <very> insightful although maybe not exactly as you described,
> > > > > > you're one of the very few people I've ever heard bring that
> > > > > > up! Why I don't hear people talk about it more than it's
> > > > > > discussed, I don't know...
> > > > >
> > > > > Probably because many people don't understand how attacks occur.
> > > > > Many people think http attacks are started by breaking the http
> > > > > protocol and assuming the recipient loses the plot when it sees
> > > > > the invalid packets. Many people don't consider that some
> > > > > hackers know the protocols they use intimately. Some of these
> > > > > hackers know the protocols so intimately they are scary. More
> > > > > intimately than those who write the filters and scanners to look
> > > > > for misused protocols.
> > > > >
> > > > > > This is where I'm at in evaluating this kind of attack...
> > > > > > HTTP itself is not a very threatening transport for any kind
> > > > > > of attack... Its command set is very limited and HTTP is
> > > > > > largely a technology which serves pre-defined content to the
> > > > > > client. In other words, the client doesn't have too many ways
> > > > > > of asking for something, and the webserver shouldn't be
> > > > > > doing much that can be exploited.
> > > > >
> > > > > Agreed. If only the hackers would adhere strictly to the
> > > > > rules. :)
> > > > >
> > > > > > But, you can incrementally add Web technology "features" that
> > > > > > begin to expand the attack surface... Starting with
> > > > > > server-side processing (ie. any kind of server-side scripting,
> > > > > > other methods supported by technologies like dotNET and Java).
> > > > > > The more functionality you expose, the more critical it is to
> > > > > > lock down those windows of accessibility.
> > > > > > Still, many people recognize this attack vector so machines
> > > > > > are hardened fairly well against this kind of threat.
> > > > > >
> > > > > > The <real> threat which is still largely unaddressed which can
> > > > > > be delivered over port 80 is actually XML Web Services (not
> > > > > > anything to do with Web Browsers and regular websites).
> > > > > > Because XML Web Services is data being delivered to a backend
> > > > > > server (database server), after the data stream has been
> > > > > > de-serialized it can pose just as much a threat as the well
> > > > > > known (or should be well known) SQL Injection Exploit. Today,
> > > > > > the recommended defense is the same for malicious XML streams
> > > > > > as for the SQL Injection Exploit... Proper input validation,
> > > > > > but because the data stream isn't normally inspected and
> > > > > > de-serialized until it reaches the database server, it should
> > > > > > be considered potentially more serious than the regular SQL
> > > > > > Injection attack which can be stopped at least one step
> > > > > > earlier at the web application (validating input fields).
> > > > >
> > > > > Don't forget that many people are using the term "UFTP" to refer
> > > > > to http or TCP Port 80 traffic. UFTP == Universal Firewall
> > > > > Traversal Protocol. :)
> > > > >
> > > > > > So, if you run into this kind of issue, these are my
> > > > > > recommendations today...
> > > > > >
> > > > > > - If you know the code developers, ask them (and hopefully
> > > > > > verify) they built the Web Services using Microsoft's "Secure
> > > > > > Web Services" and hopefully they know what they're doing.
> > > > >
> > > > > ... And that Microsoft actually got their security right. And we
> > > > > all know the likelihood of that. Going on past performance alone.
> > > > >
> > > > > > - If you can't verify the way the Web Services are created, go
> > > > > > back to the traditional solution of encapsulating in a
> > > > > > tunnel... I recommend simply SSL (not PPTP/L2TP, etc). Note
> > > > > > that if you have to do this, you'll lose some routing
> > > > > > functionality which may or may not be important.
> > > > >
> > > > > SSL is a very appropriate encapsulation method for much of
> > > > > today's traffic. Routing issues aside, it can handle pretty much
> > > > > anything you care to throw at it.
> > > > >
> > > > > > - A Vendor I saw at the last TechEd was showing off their
> > > > > > <very cool> ISA application plug-in enabling ISA to filter XML
> > > > > > tags. If you use custom tags, I believe this can be very
> > > > > > effective restricting intrusive traffic (although nothing is
> > > > > > absolute).
> > > > >
> > > > > Oh, groovy. Now, THIS is something I'd like to see.
> > > > >
> > > > > - HiltonT
> > > > >
> > > > > > Tony Su
> > > > > >
> > > > > > "Education is critical to delivering secure systems. Do not
> > > > > > expect people to understand how to design, build, test,
> > > > > > document, and deploy secure systems; they may know how
> > > > > > security features work, but that really doesn't help.
> > > > > > Security is one area where "What I don't know won't hurt me"
> > > > > > does not apply; what you don't know can have awful
> > > > > > consequences."
> > > > > > "Writing Secure Code" authors Howard and LeBlanc
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Lawrence A. Rodis [mailto:lrodis@s...]
> > > > > > Sent: Thursday, September 30, 2004 6:33 PM
> > > > > >
> > > > > > Tom,
> > > > > >
> > > > > > I beg to differ on how IPS works and on your analogy. Although
> > > > > > it does not use application level inspection IPS looks into
> > > > > > the full data packet and validates against known threats. If
> > > > > > a threat is found it's blocked.
> > > > > > This method is very different than what ISA 2004 offers. It's
> > > > > > my understanding that ISA doesn't do full packet inspection
> > > > > > although it will do stateful application inspection for
> > > > > > applications it understands.
> > > > > >
> > > > > > If I'm correct regarding my assumptions about ISA 2004 I have
> > > > > > a question for you. How would ISA respond if an end user
> > > > > > connects up to a web server and the hacker comes in over the
> > > > > > HTTP port using an exploit that does not violate the HTTP
> > > > > > protocol? (IE the application states are not violated?) Also
> > > > > > how can ISA do application level inspection for applications
> > > > > > it does not understand?
> > > > > >
> > > > > > My personal feeling on security is layers and for an even
> > > > > > higher level of security I could see combining application
> > > > > > level inspection with deep packet inspection.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Lawrence A. Rodis
> > > > > > President
> > > > > > Strategic Resource Consulting Group L.L.C.
> > > > > > 702-221-6274
> > > > > > lrodis@s...
> > > > > > www.strategicresource.com
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Thomas W Shinder [mailto:tshinder@t...]
> > > > > > Sent: Thursday, September 30, 2004 6:18 PM
> > > > > >
> > > > > > Hi Lawrence,
> > > > > >
> > > > > > The Sonicwall packet "inspection" is actually stateful
> > > > > > "filtering". True inspection is at the application layer. It's
> > > > > > saying that a border agent has "inspected" an automobile when
> > > > > > it looks at the color, the license plate number and the tire
> > > > > > type. In contrast, the stateful application layer inspection
> > > > > > firewall looks at the outer characteristic of the car AND gets
> > > > > > everyone out, frisks them, interviews them, tears the seats
> > > > > > out, looks in the trunk, checks the engine, and runs it
> > > > > > through an X ray. Sonicwall IPS doesn't do that. ISA firewalls
> > > > > > can (as can other stateful application layer inspection
> > > > > > firewalls).
> > > > > >
> > > > > > HTH,
> > > > > > Tom
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Lawrence A. Rodis [mailto:lrodis@s...]
> > > > > > Sent: Thursday, September 30, 2004 8:13 PM
> > > > > >
> > > > > > Michael,
> > > > > >
> > > > > > Sonicwall with full Intrusion Protection Service (Deep Packet
> > > > > > Inspection). Although I will disagree on ISA 2004 vs.
> > > > > > Sonicwall with IPS. I agree 100% that standard state based
> > > > > > packet inspection is not enough. The PIX only performs state
> > > > > > based inspection.
> > > > > >
> > > > > > I personally do not go with premium unless I need SQL, however
> > > > > > the overhead of having it on the box is not that great.
> > > > > >
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Lawrence A. Rodis
> > > > > > President
> > > > > > Strategic Resource Consulting Group L.L.C.
> > > > > > 702-221-6274
> > > > > > lrodis@s...
> > > > > > www.strategicresource.com
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Michael West [mailto:mwest@w...]
> > > > > > Sent: Thursday, September 30, 2004 12:38 PM
> > > > > >
> > > > > > Hi Group,
> > > > > >
> > > > > > I'm putting together an SBS quote. Server will be:
> > > > > >
> > > > > > RAID 5 15K HDDs
> > > > > > 2GB RAM
> > > > > > 1 Intel 3.0GHz CPU
> > > > > > 1 or 2 NICs
> > > > > >
> > > > > > I'd really like to only go with ONE "firewall". On the
> > > > > > "hardware" side, I would choose a Cisco PIX 501 (sorry Tom)
> > > > > > or Sonicwall TZ170. If the client gets budget conscious, it
> > > > > > could become a Smoothwall 2.0 installed on an old Pentium box.
> > > > > >
> > > > > > On the software side, I could go with ISA from SBS Premium.
> > > > > > With Premium, I'd also get SQL Server, but don't have an
> > > > > > immediate need for it. I've worked with ISA in the past,
> > > > > > currently have clients on it and frankly don't like it. (I'm
> > > > > > sure it's my inexperience with the product)
> > > > > >
> > > > > > My first concern is that ISA 2004 is about to become available
> > > > > > on SBS. I really don't enjoy being a Microsoft beta site and
> > > > > > usually wait 6 months on new software. My second concern
> > > > > > choosing Premium would be the extra overhead on this box and
> > > > > > potentially needing to use a second CPU adding additional
> > > > > > $costs.
> > > > > >
> > > > > > Thoughts?
> > > > > >
> > > > > >
> > > > > > TIA,
> > > > > >
> > > > > >
> > > > > > Michael West
> > > > > > WESTMark Consulting
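Larry's question in the thread above (an attack that arrives over TCP 80 without violating the HTTP protocol) and Tom's distinction between stateful "filtering" and application-layer inspection can be shown side by side in code. The block below is an added example written for this page; it is not code from ISA, Sonicwall, PIX, m0n0wall or any other product the thread names, and nothing in it claims to reproduce what any of them actually does. The port policy, the flow table, the four sample requests and the SQL injection signature list are all constructed for the demonstration (the signature list is deliberately tiny and is not a usable filter). The first tier decides on port and connection state alone, so every sample passes it; the second tier parses the request against the HTTP grammar, URL-decodes the query string and deserialises an XML web-service body before checking the decoded values, which is the "one step earlier" validation Tony argues for.

```python
# Added illustration for the thread above, not code from ISA, Sonicwall,
# m0n0wall or any other product named in it. All sample traffic is constructed.
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Tier 1: stateful packet filter. It sees only the 5-tuple and the TCP
# state (Tom's border agent checking colour and licence plate), so any
# payload on an allowed port passes.
ALLOWED_DST_PORTS = {80}            # assumed policy: inbound web traffic only
Flow = tuple[str, str, int]         # (src, dst, dport)


def stateful_filter(flow: Flow, syn: bool, state: set[Flow]) -> str:
    """Decide "ALLOW"/"DROP" from port policy and flow state alone."""
    if flow in state:                               # established connection
        return "ALLOW"
    if syn and flow[2] in ALLOWED_DST_PORTS:        # new flow, remember it
        state.add(flow)
        return "ALLOW"
    return "DROP"


# Tier 2: application-layer inspection. Parse the request against the HTTP
# grammar (a violation is dropped), then check the decoded parameters and
# any XML body for a short, illustrative set of SQL injection signatures,
# before the request reaches the web server or the database tier.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (/\S*) HTTP/1\.[01]$")
SQLI = re.compile(            # hypothetical signature list, deliberately small
    r"('\s*(?:or|and)\s*'?\d|union\s+select|;\s*drop\s|--\s*$|/\*)", re.I)
XML_TYPES = {"text/xml", "application/xml"}


def app_layer_inspect(raw: bytes) -> tuple[str, str]:
    """Return ("ALLOW"|"DROP", reason) for one raw HTTP request."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "DROP", "non-ASCII bytes in request"
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "DROP", "malformed request line"
    method, target = m.groups()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return "DROP", "malformed header line"
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        return "DROP", "missing Host header"
    # URL-decode before matching so %27 cannot hide a quote from the check.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SQLI.search(value):
            return "DROP", f"SQL injection pattern in parameter {name!r}"
    # XML web-service body: deserialise and validate each text node here,
    # instead of leaving that to the database server.
    ctype = headers.get("content-type", "").split(";")[0].strip()
    if method == "POST" and ctype in XML_TYPES:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return "DROP", "malformed XML body"
        for element in root.iter():
            if element.text and SQLI.search(element.text):
                return "DROP", f"SQL injection pattern in <{element.tag}>"
    return "ALLOW", "protocol-valid, no injection signatures"


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "benign_get": b"GET /search?q=widgets HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli_get": (b"GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"
                 b"Host: shop.example\r\n\r\n"),
    "sqli_xml_post": (b"POST /ws/order HTTP/1.1\r\nHost: shop.example\r\n"
                      b"Content-Type: text/xml\r\n\r\n<order><customer>42</customer>"
                      b"<note>x' UNION SELECT card_no FROM cards--</note></order>"),
    "protocol_violation": b"GARBAGE\r\n\r\n",
}


def run_demo() -> dict[str, tuple[str, str]]:
    """Push every sample through both tiers: {name: (tier1, tier2)}."""
    results = {}
    for name, raw in SAMPLES.items():
        flow: Flow = ("198.51.100.7", "192.0.2.10", 80)   # constructed addresses
        tier1 = stateful_filter(flow, syn=True, state=set())
        tier2, _ = app_layer_inspect(raw)
        results[name] = (tier1, tier2)
    return results


if __name__ == "__main__":
    for name, (t1, t2) in run_demo().items():
        print(f"{name:20s} stateful filter: {t1:5s} app-layer: {t2}")
```

Running it shows the point of the thread: all four requests are "ALLOW" at the packet-filter tier because they are new flows to port 80, while the application-layer tier drops the two protocol-valid requests that carry an injection payload and the one that is not HTTP at all. The signature regex is only there to make the contrast visible; in practice the validation Tony describes belongs in the web service itself (typed deserialisation and whitelist checks on each field), with a filter like this as an extra layer rather than the only one.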
|