Friday, April 08, 2005

Know Book Authors? Win a PSP.

In the past Apress has been kind enough to send review copies of several of their books. I did pre-reviews of a batch of them, and my friend at Apress is patiently waiting for full reviews. She asked me to post word of a contest Apress is running, called the Apress User Group Puzzler. If you create a crossword puzzle using the last names of authors of Apress books, you could win a Sony PlayStation Portable. Check it out.

Review of Aggressive Network Self-Defense Posted

Amazon.com just posted my four star review of Aggressive Network Self-Defense. From the review:

"Aggressive Network Self-Defense (ANSD) is another innovative Syngress book. It leaps beyond the theories of digital self-defense initially proposed by Tim Mullen in 2002. Tim tried to justify using 'neutralizing agents' to disable malicious processes (like Code Red or Nimda) on infected hosts attacking one's enterprise. ANSD does not speak of neutralizing agents in the eight fictional cases that comprise the bulk of the book, but those chapters make for thought-provoking reading."

Tim Mullen's SecurityFocus.com articles on strike-back include The Right to Defend and Strikeback, Part Deux. His Defending your right to defend: Considerations of an automated strike-back technology is also online.

I disagree with the strike-back idea, as I believe it steps over the line into vigilante justice. It is telling that Tim's papers all pre-date the Welchia worm, which demonstrated how dangerous strike-back can really be. You'll remember the devastating ICMP traffic caused by Welchia as it searched for live machines for purposes of disabling the Blaster worm.

My review mentions that three of the chapters in the second part of the book are already online. In addition to Tim's works, you'll find Dan Kaminsky's MD5 To Be Considered Harmful Someday (.pdf) and Sensepost's When the tables turn: A discussion paper on passive strike-back (.doc) online.

Update: The author of chapter 9 (Sergio Caltagirone) started a blog a few weeks ago -- activeresponse.org.

Thursday, April 07, 2005

Blogger Issue

There's some sort of problem related to Blogger's new "performance enhancements." I think it relates to their use of backup cookies to "restore posts." As a result, I am having trouble posting my usual content. Stay tuned as Blogger sorts this out.

Update: Blogger appears to be fixed.

Monday, April 04, 2005

Review of Intrusion Prevention and Active Response Posted

Amazon.com just posted my four star review of Intrusion Prevention and Active Response. From the review:

"Intrusion Prevention and Active Response (IPAAR) is a good book, as long as you confine your expectations to open source solutions. The foreword says 'Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone, or CrossTec.' This foreword was the first time I had heard of several of these products, but unfortunately none of them receive any coverage at all in IPAAR. Aside from a short discussion of the Enterasys Web IPS, eEye's SecureIIS, and improvements in Microsoft IIS 6.0, IPAAR squarely concentrates on open source products. Nevertheless, the book does a better job covering so-called prevention solutions than the previous book with 'prevention' in the title, e.g., Osborne's Intrusion Detection and Prevention."

Regular blog readers know I consider network-based "intrusion prevention systems" to be layer 7 firewalls. If a network-based device is making an access control decision, it is a firewall. Generically speaking, any device which makes access control decisions is a policy enforcement system (PES?). We simply have a popular name for a PES that operates at the network level -- it's a firewall. Just as a network PES enforces policy on packets, a host PES enforces policy on system calls and other operating system activities. I think host PES accurately describes Niels Provos' Systrace, which "enforces system call policies for applications by constraining the application's access to the system." I'm not sure that host PES accurately describes the stack-smashing protector, aka ProPolice.

I would like nothing better than to completely abolish the term "intrusion prevention system." Isn't every part of the security process trying to prevent intrusions? I think well-written code, or at least applying patches, is the best way to prevent intrusions to systems exposed to hostile users. Does that mean Windows patch management is an intrusion prevention system? Argh.

Problems with Signature and Protocol Anomaly Detection Methods

I often have to describe what differentiates network security monitoring from traditional intrusion detection. Now that "intrusion prevention" is all the rage (when was preventing intrusions not popular?), I have to think in terms of blocking traffic that is potentially suspicious or malicious. Recently while performing network security monitoring, I received the following Snort alert, as reported by Sguil. I had never seen an alert like this before. Here is a text-based representation of what Sguil displayed in its GUI:


Count:1 Event#3.57183 2005-03-31 23:24:14
FTP invalid MODE
1.30.163.130 -> 2.35.23.101
IPVer=4 hlen=5 tos=0 dlen=48 ID=42411 flags=2
offset=0 ttl=117 chksum=0
Protocol: 6 sport=9542 -> dport=21

Seq=3804195312 Ack=735521810 Off=5 Res=0
Flags=***AP*** Win=63842 urp=23116 chksum=0
Payload:
4D 4F 44 45 20 5A 0D 0A MODE Z..


That looks odd. What is "MODE Z"? Here is the Snort rule that produced this alert:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21
(msg:"FTP invalid MODE"; flow:to_server,established;
content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi";
classtype:protocol-command-decode; sid:1623; rev:6;)

I am no PCRE expert, but I can see that "MODE Z" will trigger this rule. The Snort rule documentation doesn't shed any real light on the subject. A Google search result reveals that "MODE Z" enables dynamic data compression via the zlib library.

If we were using a Web-based alert browser, this would be the end of the line. There would be no other data to review other than the packet that tripped the rule and the rule itself. How did the FTP server respond? Did it respond at all? What FTP server is running? These and other questions remain unanswered when you use an IDS whose chief purpose in life is to generate alert data.

Fortunately, we're using Sguil. We recognize there's more to life than alert data; there's session, full content, and statistical data. We can generate a transcript of the entire conversation between the FTP client and server if we collected the full content data between both parties. Here is that transcript:

Sensor Name: bej-sensor-fl
Timestamp: 2005-03-31 23:24:14
Connection ID: .bej-sensor-fl_57183
Src IP: 1.30.163.130 (mail.example.com)
Dst IP: 2.35.23.101 (Unknown)
Src Port: 9542
Dst Port: 21
OS Fingerprint: 1.30.163.130:9542 - Windows XP Pro SP1, 2000 SP3
OS Fingerprint: -> 2.35.23.101:21 (distance 11, link: ethernet/modem)

DST: 220 Serv-U FTP Server v5.1 for WinSock ready...
DST:
SRC: USER example
SRC:
DST: 331 User name okay, need password.
DST:
SRC: PASS example
SRC:
DST: 230 User logged in, proceed.
DST:
SRC: SYST
SRC:
DST: 215 UNIX Type: L8
DST:
SRC: FEAT
SRC:
DST: 211-Extension supported
DST:
DST: AUTH TLS
DST: SSCN
DST: PBSZ
DST: PROT
DST: CCC
DST: CLNT
DST: MDTM
DST: MDTM YYYYMMDDHHMMSS[+-TZ];filename
DST: SIZE
DST: SITE PSWD;EXEC;SET;INDEX;ZONE;CHMOD;MSG
DST: REST STREAM
DST: XCRC filename;start;end
DST: MODE Z
DST: 211 End
DST:
SRC: CLNT SmartFTP 1.1.984
SRC:
DST: 200 Noted.
DST:
SRC: PWD
SRC:
DST: 257 "/" is current directory.
DST:
SRC: MODE Z
SRC:
DST: 200 MODE Z ok.
DST:
SRC: PASV
SRC:
DST: 227 Entering Passive Mode (2,35,23,101,9,24)
DST:
SRC: LIST -aLT
SRC:
DST: 150 Opening ASCII mode data connection for /bin/ls.
DST:
DST: 226 Transfer complete.
DST:
SRC: TYPE I
SRC:
DST: 200 Type set to I.
DST:
SRC: PASV
SRC:
DST: 227 Entering Passive Mode (2,35,23,101,9,25)
DST:
SRC: STOR test.txt.asc
SRC:
DST: 150 Opening BINARY mode data connection for test.txt.asc.
DST:
DST: 226 Transfer complete.
SRC: QUIT
SRC:
DST: 221 Goodbye!
DST:

Based on the transcript, we see the Serv-U FTP Server v5.1 for WinSock offer MODE Z, and the client decides to use it before transferring several files. There is nothing suspicious or malicious about this exchange. It is completely within business norms.

This example highlights the use of a signature to implement protocol anomaly detection. The signature provided a "white list" of acceptable MODEs. These MODEs were believed to represent normal use of the FTP protocol. Deviations from these norms were thought to be anomalies that indicate intrusion.

This is a fine approach to detecting intrusions, but it highlights a problem that I constantly debate with security developers. I contend that the Internet and its protocols are too dynamic to code into highly reliable systems. Application developers will forever be ahead of security developers. Application developers will always be crafting new protocols or bending and breaking old protocols. Security developers will constantly try to keep redefining what is "normal" and "abnormal" to enforce access control, detect intrusions, and so on.

The consequences of firing an alert for the MODE Z case are minimal when an IDS is involved. If the IDS were replaced by an inline, so-called "IPS," it may have dropped the traffic. The layer 7 firewall -- sorry, "IPS" -- might believe MODE Z is an attack, thereby denying legitimate business functions. Sure, you can "tune it," but there's another application developer out there creating another twist on what the security developer considers normal. So, in addition to the never-ending battle with intruders, security staff face a never-ending battle with developers!

What is my answer? Block what you can, as smartly as you can, and then keep track of everything else via a network audit system. Content-neutral systems store session and full content data to provide network audit. If you ever forget the network audit piece of the IDS/"IPS" puzzle, and concentrate on alert data, you will lose.
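To make the point concrete, here is an added example (my own code, not from the post, Snort or Sguil) that emulates the content/pcre logic of SID 1623 against client commands and then does the check only full content data allows: was the flagged MODE advertised by the server in its FEAT response? The transcript is a constructed abridgement of the one above; the function names are hypothetical.

```python
import re

# Constructed, abridged version of the Sguil transcript (DST = server, SRC = client).
TRANSCRIPT = """\
DST: 220 Serv-U FTP Server v5.1 for WinSock ready...
SRC: USER example
DST: 331 User name okay, need password.
SRC: FEAT
DST: 211-Extension supported
DST: AUTH TLS
DST: REST STREAM
DST: MODE Z
DST: 211 End
SRC: MODE Z
DST: 200 MODE Z ok.
SRC: PASV
"""

# The pcre from SID 1623: "MODE", whitespace, then any character that is not
# one of the whitelisted modes A, B, S, C. Flags m, s, i map to re.M, re.S, re.I.
MODE_RULE = re.compile(r"^MODE\s+[^ABSC]{1}", re.M | re.S | re.I)

def rule_fires(command):
    """Emulate the rule's detection options: content:"MODE"; nocase; then the pcre."""
    return "mode" in command.lower() and MODE_RULE.search(command) is not None

def feat_extensions(transcript):
    """Collect what the server advertised between '211-' and the '211 End' line."""
    exts, in_feat = set(), False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side != "DST":
            continue
        if text.startswith("211-"):
            in_feat = True
        elif text.startswith("211 "):
            in_feat = False
        elif in_feat:
            exts.add(text.strip().upper())
    return exts

def triage(transcript):
    """For each client command the rule would flag, report whether the server
    advertised it in FEAT. Returns a list of (command, advertised) tuples."""
    exts = feat_extensions(transcript)
    hits = []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "SRC" and rule_fires(text):
            hits.append((text, text.strip().upper() in exts))
    return hits

if __name__ == "__main__":
    print(triage(TRANSCRIPT))  # MODE Z fires the rule but was advertised by the server
```

A hit marked "advertised" is the signature disagreeing with the server about what normal FTP looks like, which is exactly the tuning problem an inline device would turn into a dropped connection.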

Sunday, April 03, 2005

Review of Network Processors Posted

Amazon.com just posted my three star review of Network Processors. Three stars? I had high hopes for this book, but was ultimately frustrated by it. From the review:

"I read Network Processors to learn more about this relatively new technology that is changing the way network security appliances are designed and deployed. Panos Lekkas' work seemed like the only book available that presented a broad, multi-vendor sweep of the network processor landscape. While the book has plenty of information to offer, I found it did not really live up to my expectations."

There's a great Focus-IDS thread here and here on next-generation detection hardware. The Network Processor Forum keeps tabs on the industry. Here's an article I should have read in 2001 about programming NPUs. Xilinx makes FPGA programmable logic devices (PLDs).

Saturday, April 02, 2005

Latest Pre-reviews

I received two new books this week. Both look excellent. The first new book is File System Forensic Analysis by Brian Carrier, author of The Sleuth Kit. Brian is pursuing his PhD at Purdue while working as a research assistant at the Center for Education and Research in Information Assurance and Security (CERIAS). His new book looks like an outstanding companion to my favorite incident response and forensics book, Incident Response and Computer Forensics, 2nd Ed. Brian's book examines FAT, NTFS, Ext2, Ext3, UFS1, and UFS2 file systems. This is important because his book can serve as the definitive reference for those file systems. Being able to cite a resource like this is critical to those who perform forensic investigations and then have to defend their actions on the witness stand.

Now that Windows Server 2003 Service Pack 1 has arrived, it's appropriate that the second pre-review book is a Windows title. As much as I try to avoid Windows systems, it's important to understand something about how they work. For that knowledge I'm looking forward to reading Learning Windows Server 2003 by Jonathan Hassell. Although the book bears a December 2004 publication date, I found coverage of SP1, including the Service Configuration Wizard. I take this as a positive sign that Jonathan is covering as many Windows Server 2003 bases as possible. I hope to read this book to learn the features of Windows Server 2003 I need to understand to operate the OS securely.