 
 From:  "Quark IT - Hilton Travis" <hilton at quarkit dot com dot au>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  FW: [sbs list] To ISA or Not ISA
 Date:  Mon, 4 Oct 2004 07:17:05 +1000
Hi All,

I thought that this was a post worth forwarding to this list.

--

Regards,

Hilton Travis                          Phone: +61 (0)7 3343 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark AudioVisual             http://www.quarkav.net

http://www.threatcode.com/ <-- it's now time to shame poor coders 
into writing code that is acceptable for use on today's networks

War doesn't determine who is right.  War determines who is left. 

> -----Original Message-----
> From: Quark IT - Hilton Travis 
> Sent: Monday, 4 October 2004 07:16
> To: 'sbs2k at yahoogroups dot com'
> Subject: RE: [sbs list] To ISA or Not ISA
> 
> Hi Susan,
> 
> > -----Original Message-----
> > From: Susan Bradley aka Ebitz [mailto:sbradcpa at pacbell dot net]
> > Sent: Sunday, 3 October 2004 19:45
> > 
> > I'll think I'll take my chances with a supported product 
> > with support engineers that get paid with something more 
> > than Paypal.
> 
> Do you remember the ASN.1 security release from Microsoft - 
> who are a firm with slightly more income than m0n0wall 
> generates?  I sure do.  It is probably one of the most major 
> security vulnerabilities ever created.  It rates slightly 
> under the latest Image File Format exploit that was addressed 
> last month.  The ASN.1 patch took Microsoft well over 200 
> days to release after they were first informed about it.  
> That's absolutely disgusting.  M0n0wall could never take this 
> long to release a patch, or the project would be wallowing in 
> the annals of "firewalls that were".  Company financial value 
> has only a very tenuous relationship to the quality of their 
> code and the speed in which they release patches.
> 
> M0n0wall **is** a supported product.  There's a couple of 
> active mailing lists, there are a number of active 
> developers, and if there's a flaw or bug discovered, it is 
> sorted ASAP - and the definition of ASAP to m0n0wall means as 
> SOON as possible, not as SOMETIME as possible.
> 
> > If it's based on FreeBSD... you tell me Secunia - Search Advisory, 
> > Vulnerability, and Virus Database:
> > http://secunia.com/search/?search=free+bsd
> 
> Sorry Susan, but you were the one offering to point out the 
> holes.  So please feel free to investigate this fully.  Or 
> admit that the challenge you put up was one that you cannot 
> actually carry through.  There's no problem with that (to me, 
> at least), but it is your call.
> 
> > One person wrote this.  That doesn't make me warm and fuzzy 
> > http://m0n0.ch/wall/software.php
> 
> And why not?  Does a product with a single programmer 
> automatically mean that its product is bad, worthless, 
> inferior or something?  If that is the case, then all 
> products written by large groups must be awesome.  This quite 
> clearly is nothing like reality.
> 
> If you remember, the Linux kernel (and original base OS) was 
> written by Linus Torvalds.  That project has grown from a 
> one-man band to a huge international team of developers, who 
> successfully take on companies such as Microsoft, SCO, SGI, 
> IBM, Novell and so on.  Strangely, most of these companies 
> have embraced Linux in one way or another, except for 
> Microsoft.  Interesting, eh?
> 
> Also, there was an operating system that was bought from one 
> company, sold to another company (not necessarily in that 
> order) and there were some small code changes written by one 
> programmer.  This OS, known originally as CP/M and the 
> changed version known as Microsoft DOS, started a huge growth 
> phase for that company.  Maybe you've heard of them.  Does 
> this mean that Microsoft - because it grew from a company 
> with a single programmer - is not worth trusting?
> 
> Warm and fuzzy is meaningless.  The things that matter are 
> the quality of the code.  M0n0wall has a quality code base, 
> with a quality lead coder, and quality programmers now 
> developing with him.  Manuel is very receptive to input where 
> this does not create issues with the target for the project.  
> He is also very careful to audit the changes, the FreeBSD 
> source code, and to ensure that the resultant product is as 
> secure as it can be.
> 
> Again, please report the patches that m0n0wall needs, as per 
> your original challenge.  I'm sure that both myself and 
> Manuel would be interested in the input.
> 
> > Sorry but I'm big on community and especially when it comes to 
> > applications that protect my client's data.
> 
> I, too, am big on community.  Community doesn't mean to me, 
> however, only being involved in commercial products.  
> Community, to me, means a collection of like minded (well, 
> that's not necessarily always the case - maybe 
> like-targeted??  :) people willing to add to the overall 
> value of the product/industry/etc.  M0n0wall has a community. 
> One in which I am active - not so much lately as I have been 
> busy, but I am still active.  Microsoft SBS has a community - 
> the same applies.  As do a few other products I'm involved with.
> 
> M0n0wall protects a lot of our client's data.  I'm active in 
> that community.  SBS also protects a lot of our client's 
> data.  I'm active in that community.  Linux protects a lot of 
> our client's data.  I'm active in that community.  We just 
> have a different definition of community, it seems.  That's 
> life - we don't share the same brain, we won't share the same 
> opinions  on everything.
> 
> Generally, I tend to agree with you on many things, Susan.  
> This is one area where we will have to agree to disagree.  
> However, I'm still waiting for that list of needed patches to 
> m0n0wall you said you'd provide.
> 
> 
> Regards,
> HiltonT
> > --- In sbs2k at yahoogroups dot com, "Quark IT - Hilton Travis" 
> > <Hilton@Q...> wrote:
> > > Hi Susan,
> > > 
> > > What patches are needed for a m0n0wall firewall?  
> > > http://m0n0.ch/wall
> > > Rather interested.
> > > 
> > > As for past performance, they *are* getting better (Microsoft) but
> > > bad security practices die hard.
> > > 
> > > --
> > > 
> > > Regards,
> > > 
> > > Hilton Travis                          Phone: +61 (0)7 3343 3889
> > > (Brisbane, Australia)                  Phone: +61 (0)419 792 394
> > > Manager, Quark IT                      http://www.quarkit.com.au
> > >          Quark AudioVisual             http://www.quarkav.net
> > > 
> > > http://www.threatcode.com/ <-- it's now time to shame poor coders 
> > > into writing code that is acceptable for use on today's networks
> > > 
> > > War doesn't determine who is right.  War determines who is left. 
> > > 
> > > > -----Original Message-----
> > > > From: Susan Bradley aka Ebitz [mailto:sbradcpa@p...]
> > > > Sent: Sunday, 3 October 2004 18:51
> > > > 
> > > > Define "past performance" 
> > > > 
> > > > IIS 6 despite what Russ Cooper and his 60 underlying patch count 
> > > > says [I counted 48 as one that he counted was 04-001 which is an 
> > > > ISA 2k patch] is very robust.
> > > > 
> > > > So much so that a recent <no vendor pre-alert> vulnerability in 
> > > > asp.net does not affect IIS 6.0
> > > > 
> > > > Show me any firewall and I'll show you needed patches.  It's all 
> > > > software under the hood.
> > > > 
> > > > 
> > > > http://www.foundstone.com/resources/whitepapers/isaserver_wp.pdf?PHPSESSID=539e142d548be34def35aca9780b6774
> > > > 
> > > > 
> > > > You can check out some third party vendors here...
> > > > Microsoft Internet Security & Acceleration Server: Partners: 
> > > > http://www.microsoft.com/isaserver/partners/default.asp
> > > > 
> > > > 
> > > > --- In sbs2k at yahoogroups dot com, "Quark IT - Hilton Travis" 
> > > > <Hilton@Q...> wrote:
> > > > > Hi Tony,
> > > > > 
> > > > > Responses inline..
> > > > > 
> > > > > --
> > > > > 
> > > > > Regards,
> > > > > 
> > > > > Hilton Travis                          Phone: +61 (0)7 3343 3889
> > > > > (Brisbane, Australia)                  Phone: +61 (0)419 792 394
> > > > > Manager, Quark IT                      http://www.quarkit.com.au
> > > > >          Quark AudioVisual             http://www.quarkav.net
> > > > > 
> > > > > http://www.threatcode.com/ <-- it's now time to shame poor coders
> > > > > into writing code that is acceptable for use on today's networks
> > > > > 
> > > > > War doesn't determine who is right.  War determines who is left. 
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Tony Su [mailto:tonysu@s...]
> > > > > > Sent: Friday, 1 October 2004 12:38
> > > > > > 
> > > > > > Hello Larry,
> > > > > > 
> > > > > > I think I can jump in here and maybe not answer the question
> > > > > > how Tom might, but based on some investigation I've done (and
> > > > > > admittedly that's always dangerous, because that means I might
> > > > > > make conclusions not consistent with others).
> > > > > 
> > > > > But we have to make assumptions every day to get along in life.
> > > > > As long as these assumptions are in the right ballpark, they are
> > > > > generally useful.  :)
> > > > > 
> > > > > > First, unfortunately despite devoting a tremendous amount of
> > > > > > my personal effort over the past 3 years, I have not been able
> > > > > > to find any detailed information about exactly what ISA's IDS
> > > > > > does which is its defense using packet inspection.
> > > > > 
> > > > > That's one issue with closed source.  Getting any *real*
> > > > > information can, at times, be nigh on impossible.  Looking at
> > > > > Open Source - it's all there in the source code.  There are
> > > > > advantages and disadvantages to both sides of this coin, and
> > > > > this is one of the disadvantages to closed source code.
> > > > > 
> > > > > > Based on observation though, I do believe that it's likely 
> > > > > > that ISA does tear apart packets and look for specific 
> > > > > > signatures of known exploits, and if it's also maintaining 
> > > > > > stateful packet inspection, it's not a stretch to look for a
> > > > > > limited list of signatures at the same time without 
> > > > > > sacrificing significant performance.
> > > > > 
> > > > > True, it's not a stretch.  But this doesn't mean that Microsoft
> > > > > actually **does** this with ISA.  No-one really knows.
> > > > > 
> > > > > > But, how deep is "full" may be a subjective evaluation.  After
> > > > > > all, assuming a packet is torn apart, the sequence number is
> > > > > > extracted and a test against threats is executed, how much 
> > > > > > more might constitute "full?"
> > > > > > 
> > > > > > I think that you may have to rely on information from someone
> > > > > > like Jim Harrison for real, authoritative information... But
> > > > > > then, I've always also considered that the paucity of ISA IDS
> > > > > > info may be to not make things too easy for the hackers so 
> > > > > > maybe <no one> can be completely forthcoming.
> > > > > 
> > > > > ... Or maybe because it doesn't do a hell of a lot.  Or maybe it
> > > > > does an immense amount of in-depth analysis.  We'll probably
> > > > > never know.
> > > > > 
> > > > > > Lastly... IMO your question about a malicious HTTP attack is
> > > > > > <very> insightful although maybe not exactly as you described,
> > > > > > you're one of the very few people I've ever heard bring that
> > > > > > up! Why I don't hear people talk about it more than it's 
> > > > > > discussed, I don't know...
> > > > > 
> > > > > Probably because many people don't understand how attacks occur.
> > > > > Many people think http attacks are started by breaking the http
> > > > > protocol and assuming the recipient loses the plot when it sees
> > > > > the invalid packets.  Many people don't consider that some
> > > > > hackers know the protocols they use intimately.  Some of these
> > > > > hackers know the protocols so intimately they are scary.  More
> > > > > intimately than those who write the filters and scanners to look
> > > > > for misused protocols.
> > > > > 
> > > > > > This is where I'm at in evaluating this kind of attack... 
> > > > > > HTTP itself is not a very threatening transport for any kind
> > > > > > of attack... Its commandset is very limited and HTTP is 
> > > > > > largely a technology which serves pre-defined content to the
> > > > > > client. In other words, the client doesn't have too many ways
> > > > > > of asking for something, and the webserver shouldn't be 
> > > > > > doing much that can be exploited.
> > > > > 
> > > > > Agreed.  If only the hackers would adhere strictly to the
> > > > > rules.  :)
> > > > > 
> > > > > > But, you can incrementally add Web technology "features" that
> > > > > > begin to expand the attack surface... Starting with 
> > > > > > server-side processing (ie.
> > > > > > Any kind of server-side scripting, other methods supported by
> > > > > > technologies like dotNET and Java). The more functionality you
> > > > > > expose, the more critical it is to lock down those windows of
> > > > > > accessibility.
> > > > > > Still, many people recognize this attack vector so machines 
> > > > > > are hardened fairly well against this kind of threat.
> > > > > > 
> > > > > > The <real> threat which is still largely unaddressed which can
> > > > > > be delivered over port 80 is actually XML Web Services (not 
> > > > > > anything to do with Web Browsers and regular websites).
> > > > > > Because XML Web Services is data being delivered to a backend
> > > > > > server (database server), after the data stream has been 
> > > > > > de-serialized it can pose just as much a threat as the well 
> > > > > > known (or should be well known) SQL Injection Exploit.  Today,
> > > > > > the recommended defense is the same for malicious XML streams
> > > > > > as for the SQL Injection Exploit... Proper input validation,
> > > > > > but because the data stream isn't normally inspected and 
> > > > > > de-serialized until it reaches the database server, it should
> > > > > > be considered potentially more serious than the regular SQL 
> > > > > > Injection attack which can be stopped at least one step 
> > > > > > earlier at the web application (validating input fields).
> > > > > 
> > > > > Don't forget that many people are using the term "UFTP" to refer
> > > > > to http or TCP Port 80 traffic.  UFTP == Universal Firewall
> > > > > Traversal Protocol.  :)
> > > > > 
> > > > > > So, if you run into this kind of issue, these are my 
> > > > > > recommendations today...
> > > > > > 
> > > > > > - If you know the code developers, ask them (and hopefully
> > > > > > verify) they built the Web Services using Microsoft's "Secure
> > > > > > Web Services" and hopefully they know what they're doing.
> > > > > 
> > > > > ... And that Microsoft actually got their security right.  And
> > > > > we all know the likelihood of that.  Going on past performance
> > > > > alone.
> > > > > 
> > > > > > - If you can't verify the way the Web Services are created, go
> > > > > > back to the traditional solution of encapsulating in a 
> > > > > > tunnel... I recommend simply SSL (not PPTP/L2TP, etc). Note 
> > > > > > that if you have to do this, you'll lose some routing 
> > > > > > functionality which may or may not be important.
> > > > > 
> > > > > SSL is a very appropriate encapsulation method for much of
> > > > > today's traffic.  Routing issues aside, it can handle pretty
> > > > > much anything you care to throw at it.
> > > > > 
> > > > > > - A Vendor I saw at the last TechEd was showing off their 
> > > > > > <very cool> ISA application plug-in enabling ISA to filter XML
> > > > > > tags. If you use custom tags, I believe this can be very 
> > > > > > effective restricting intrusive traffic (although nothing is
> > > > > > absolute).
> > > > > 
> > > > > Oh, groovy.  Now, THIS is something I'd like to see.
> > > > > 
> > > > > - HiltonT
> > > > > 
> > > > > > Tony Su
> > > > > > 
> > > > > > "Education is critical to delivering secure systems. Do not 
> > > > > > expect people to understand how to design, build, test, 
> > > > > > document, and deploy secure systems; they may know how 
> > > > > > security features work, but that really doesn't help.
> > > > > > Security is one area where "What I don't know won't hurt me"
> > > > > > does not apply; what you don't know can have awful
> > > > > > consequences."
> > > > > > "Writing Secure Code" authors Howard and LeBlanc
> > > > > > 
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Lawrence A. Rodis [mailto:lrodis@s...]
> > > > > > Sent: Thursday, September 30, 2004 6:33 PM
> > > > > > 
> > > > > > Tom,
> > > > > > 
> > > > > > I beg to differ on how IPS works and on your analogy.  Although
> > > > > > it does not use application level inspection IPS looks into
> > > > > > the full data packet and validates against known threats. If
> > > > > > a threat is found it's blocked.
> > > > > > This method is very different than what ISA 2004 offers.  It's
> > > > > > my understanding that ISA doesn't do full packet inspection
> > > > > > although it will do stateful application inspection for
> > > > > > applications it understands.
> > > > > > 
> > > > > > If I'm correct regarding my assumptions about ISA 2004 I have
> > > > > > a question for you.  How would ISA respond if an end user
> > > > > > connects up to a web server and the hacker comes in over the
> > > > > > HTTP port using an exploit that does not violate the HTTP
> > > > > > protocol? (IE the application states are not violated?)  Also
> > > > > > how can ISA do application level inspection for applications
> > > > > > it does not understand?
> > > > > > 
> > > > > > My personal feeling on security is layers and for an even
> > > > > > higher level of security I could see combining application
> > > > > > level inspection with deep packet inspection.
> > > > > > 
> > > > > > Regards,
> > > > > > 
> > > > > > Lawrence A. Rodis
> > > > > > President
> > > > > > Strategic Resource Consulting Group L.L.C.
> > > > > > 702-221-6274
> > > > > > lrodis@s...
> > > > > > www.strategicresource.com
> > > > > > 
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Thomas W Shinder [mailto:tshinder@t...]
> > > > > > Sent: Thursday, September 30, 2004 6:18 PM
> > > > > > 
> > > > > > Hi Lawrence,
> > > > > > 
> > > > > > The Sonicwall packet "inspection" is actually stateful 
> > > > > > "filtering". True inspection is at the application layer. It's
> > > > > > saying that a border agent has "inspected" an automobile when
> > > > > > it looks at the color, the license plate number and the tire
> > > > > > type. In contrast, the stateful application layer inspection
> > > > > > firewall looks at the outer characteristic of the car AND gets
> > > > > > everyone out, frisks them, interviews them, tears the seats
> > > > > > out, looks in the trunk, checks the engine, and runs it
> > > > > > through an X ray. Sonicwall IPS doesn't do that. ISA firewalls
> > > > > > can (as can other stateful application layer inspection
> > > > > > firewalls).
> > > > > > 
> > > > > > HTH,
> > > > > > Tom
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Lawrence A. Rodis [mailto:lrodis@s...]
> > > > > > Sent: Thursday, September 30, 2004 8:13 PM
> > > > > > 
> > > > > > Michael,
> > > > > > 
> > > > > > Sonicwall with full Intrusion Protection Service (Deep Packet
> > > > > > Inspection)  Although I will disagree on ISA 2004 vs. Sonicwall
> > > > > > with IPS. I agree 100% that standard state based packet
> > > > > > inspection is not enough.  The PIX only performs state based
> > > > > > inspection.
> > > > > > 
> > > > > > I personally do not go with premium unless I need SQL, however
> > > > > > the overhead of having it on the box is not that great.
> > > > > > 
> > > > > > 
> > > > > > Regards,
> > > > > > 
> > > > > > Lawrence A. Rodis
> > > > > > President
> > > > > > Strategic Resource Consulting Group L.L.C.
> > > > > > 702-221-6274
> > > > > > lrodis@s...
> > > > > > www.strategicresource.com
> > > > > > 
> > > > > > -----Original Message-----
> > > > > > From: Michael West [mailto:mwest@w...]
> > > > > > Sent: Thursday, September 30, 2004 12:38 PM
> > > > > > 
> > > > > > Hi Group,
> > > > > > 
> > > > > > I'm putting together an SBS quote.  Server will be: 
> > > > > > 
> > > > > > RAID 5 15K HDDs
> > > > > > 2Gb RAM
> > > > > > 1 Intel 3.0Ghz CPU
> > > > > > 1 or 2 NICs
> > > > > > 
> > > > > > I'd really like to only go with ONE "firewall".  On the 
> > > > > > "hardware" side, I would choose a Cisco PIX 501 (sorry Tom)
> > > > > > or Sonicwall TZ170.  If the client gets budget conscious, it
> > > > > > could become a Smoothwall 2.0 installed on an old Pentium box.
> > > > > > 
> > > > > > On the software side, I could go with ISA from SBS Premium.
> > > > > > With Premium, I'd also get SQL Server, but don't have an
> > > > > > immediate need for it.  I've worked with ISA in the past,
> > > > > > currently have clients on it and frankly don't like it.  (I'm
> > > > > > sure it's my inexperience with the product)
> > > > > > 
> > > > > > 
> > > > > > My first concern is that ISA 2004 is about to become available
> > > > > > on SBS. I really don't enjoy being a Microsoft beta site and
> > > > > > usually wait 6 months on new software.  My second concern 
> > > > > > choosing Premium would be the extra overhead on this box and
> > > > > > potentially needing to use a second CPU adding additional
> > > > > > $costs.
> > > > > > 
> > > > > > Thoughts?
> > > > > > 
> > > > > > 
> > > > > > TIA,
> > > > > > 
> > > > > > 
> > > > > > Michael West
> > > > > > WESTMark Consulting
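Added example (not part of the thread above, and not code from m0n0wall, ISA, Sonicwall or any of the posters): Lawrence Rodis asks how a firewall would respond to an attack over port 80 that does not violate the HTTP protocol, and Tony Su's point is that an XML Web Services payload is not de-serialized until it reaches the back end, so the defence is the same as for SQL injection, input validation at the web tier and safe query construction at the database tier. The Python below builds a fully protocol-compliant HTTP/1.1 POST whose XML body carries an injection string, shows that a syntax-only check of the request (the kind of thing a protocol-aware but not application-aware filter can do) passes it, then runs the extracted field through a concatenated query and a parameterised one against an in-memory SQLite table. The service path (/svc/lookup), the customerId element, the customers table and the request bytes are all constructed for illustration and are assumptions of this example only.

```python
"""Added example (not from the thread): a protocol-valid HTTP request that
still carries an injection payload, and where the defence has to live.

Assumptions (hypothetical, for illustration only): a SOAP-style lookup
service that accepts <customerId> and queries an SQLite table. The
request bytes below are constructed, not captured traffic.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed request: every line is well-formed HTTP/1.1; nothing here
# breaks the protocol, so a protocol-only filter has no reason to drop it.
PAYLOAD = "42' OR '1'='1"
BODY = (
    '<?xml version="1.0"?>'
    "<lookup><customerId>%s</customerId></lookup>" % PAYLOAD
).encode()
REQUEST = (
    b"POST /svc/lookup HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) /[\x21-\x7e]* HTTP/1\.[01]$")


def http_protocol_ok(raw: bytes) -> bool:
    """What a protocol-only (non-application-aware) check can see:
    request line, header syntax and a Content-Length matching the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False
        headers[name.strip().lower()] = value.strip()
    try:
        return int(headers.get(b"content-length", b"")) == len(body)
    except ValueError:
        return False


def customer_id_from(raw: bytes) -> str:
    """De-serialise the XML body and pull out the field the backend uses."""
    body = raw.partition(b"\r\n\r\n")[2]
    return ET.fromstring(body).findtext("customerId")


def make_db() -> sqlite3.Connection:
    """Constructed sample table (hypothetical data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id TEXT, name TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("42", "Acme"), ("43", "Globex"), ("44", "Initech")])
    return db


def lookup_concat(db, customer_id: str) -> list:
    """The 'de-serialise, then splice into SQL' path the thread warns about."""
    sql = "SELECT name FROM customers WHERE id = '%s'" % customer_id
    return [r[0] for r in db.execute(sql)]


def lookup_param(db, customer_id: str) -> list:
    """Same query with a bound parameter: the payload stays data, not SQL."""
    return [r[0] for r in db.execute(
        "SELECT name FROM customers WHERE id = ?", (customer_id,))]


def field_is_valid(customer_id: str) -> bool:
    """Web-tier input validation, the 'one step earlier' defence."""
    return re.fullmatch(r"[0-9]{1,10}", customer_id) is not None


if __name__ == "__main__":
    db = make_db()
    cid = customer_id_from(REQUEST)
    print("HTTP syntax valid:", http_protocol_ok(REQUEST))
    print("field passes validation:", field_is_valid(cid))
    print("concat query returns:", lookup_concat(db, cid))
    print("param query returns:", lookup_param(db, cid))
```

Run as-is: the request passes the protocol check, the validation check rejects the field, the concatenated query hands back every row in the table, and the parameterised query returns nothing. The point is the one the thread circles around: a filter that only knows HTTP syntax and state has nothing to object to here, and an application-layer filter only helps if it understands this particular service's XML; the controls that actually decide the outcome sit in the web application and the query code.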