Saturday, November 10, 2007

Impact of NetFlow on Routers

Thanks to the great IOShints blog for pointing me to NetFlow Performance Analysis. If you have any questions regarding the impact of generating NetFlow records on your routers, check out this Cisco white paper.

Thursday, November 08, 2007

Must-Read Snort 3.0 Post

If you care at all about Snort you must read Snort 3.0 Architecture Series Part 1: Overview by Marty Roesch. Keep reading his blog for future descriptions of Snort 3.0. On a related note, Marty released Daemonlogger 1.0 recently. Daemonlogger is an open source full content packet logging tool.

Tuesday, November 06, 2007

More Unpredictable Intruders

Search my blog for the term unpredictable and the majority of the results describe discussions of one of my three security principles, namely

Many intruders are unpredictable.

Two posts by pdp perfectly demonstrate this:

How many of you who are not security researchers even knew that data: or jar: protocols existed? (It's rhetorical, no need to answer in a comment.) Do you think your silver bullet security product knows about it? How about your users or developers?

No, this is another case where the first time you learn of a feature in a product is in a description of how to attack it. This is why the "ahead of the threat" slogan at the left is a pile of garbage. This is another example of Attacker 3.0 exploiting features devised by Developer 2.5 while Security 1.0 is still thinking about how great it is no big worms have hit since 2005. (The specific cases here are worse than Developer 2.5, since jar: and data: protocols are apparently old!)

How do I propose handling issues like this? As always, NSM is helpful. If you've been keeping track of what happens in your enterprise, you can perform some retrospective network analysis (RNA) to see if you've seen this latest attack vector. (RNA is a term which Network Instruments would like to have coined. I like it, even though the concept of recording traffic in this manner dates back to Todd Heberlein's original Network Security Monitor in 1988. The first mention I can quickly find is in this 1997 paper Netanalyzer: A retrospective network analysis tool.)

RNA and, from this point of enlightenment, ongoing network analysis via NSM and, ideally, other forms of instrumentation (logs, etc.) facilitate impact assessment. Who cares if the sky is falling somewhere else, as reported in whatever online news story -- is your sky falling? If yes, what's the damage? How best can we mitigate and recover? These are the sorts of questions one can answer when some data is available, enabling management by fact and avoiding management by belief.
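As an added illustration of the retrospective check described above (example code written for this page, not the author's code or any product's feature): given stored proxy or HTTP request logs, scan each requested URL for jar: or data: URIs, including ones hidden inside query parameters by single or double percent-encoding, then group the hits by client so you can see who in your enterprise actually touched the vector. The log format and every line in it are constructed for the example; the hits are leads for an analyst to review, not verdicts.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log (not real traffic).
# Fields: timestamp client method url status
SAMPLE_LOG = """\
2007-11-06T09:12:01 10.1.2.3 GET http://intranet.example/app/index.html 200
2007-11-06T09:12:05 10.1.2.3 GET http://intranet.example/app/view?page=jar:http://evil.example/archive.jar!/x.html 200
2007-11-06T09:13:10 10.1.2.9 GET http://www.example.org/redirect?u=data%3Atext%2Fhtml%3Bbase64%2CPGgxPmhpPC9oMT4%3D 302
2007-11-06T09:14:44 10.1.2.7 GET http://www.example.org/metadata:summary 404
2007-11-06T09:15:02 10.1.2.3 GET http://mail.example/?go=jar%253Ahttp%253A%252F%252Fevil.example%252Fa.jar%2521%252Fpage.html 200
"""

# A scheme must begin a token: the lookbehind rejects characters that could be
# part of a longer name, so "metadata:" does not count as "data:".
SCHEME_RE = re.compile(r"(?<![A-Za-z0-9.+-])(jar|data):", re.IGNORECASE)


def decode_layers(s, max_rounds=3):
    """Percent-decode repeatedly to unwrap double (or deeper) encoding.
    Stops as soon as another round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_odd_schemes(log_text):
    """Return (line_no, scheme, client, decoded_url) for every request whose
    URL carries a jar: or data: URI anywhere, including in query parameters."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated record; skip rather than guess
        client, url = parts[1], parts[3]
        decoded = decode_layers(url)
        for match in SCHEME_RE.finditer(decoded):
            hits.append((line_no, match.group(1).lower(), client, decoded))
    return hits


def clients_by_scheme(hits):
    """Impact view: which internal clients were exposed to which scheme."""
    exposed = {}
    for _, scheme, client, _ in hits:
        exposed.setdefault(scheme, set()).add(client)
    return exposed


if __name__ == "__main__":
    found = find_odd_schemes(SAMPLE_LOG)
    for line_no, scheme, client, url in found:
        print(f"line {line_no}: {client} requested a {scheme}: URI -> {url}")
    print(clients_by_scheme(found))
```

Run against the constructed log, the scan flags lines 2, 3 and 5 and leaves the "metadata:" path on line 4 alone; the double-encoded jar: URI on line 5 is only visible after the second decoding round, which is the sort of thing a single-pass signature misses.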

Monday, November 05, 2007

Deflect Silver Bullets

That's quite an image, isn't it? It's ISS CEO Tom Noonan holding a silver bullet, announcing the Proventia IPS product in the October 2003 issue of ISS' Connect magazine. Raise your hand if you think IPS or anything else ISS has produced is a silver bullet. No takers?

I don't mention this to criticize ISS, specifically. Rather, I'd like to emphasize the importance of proper frames of reference when considering security.

Maybe this story will help explain my point. In the early 1990s as a cadet at camp USAFA I took at least 14 technical classes, including math, science, and engineering subjects. These core classes are the reason every cadet graduates with a BS and not a BA, regardless of the field of study. Remember, I was a history and political science double major, preparing for a career in Air Force intelligence. One of my fellow history majors asked our astronautical engineering professor why we had to sit through his class. I still remember his answer:

One day you'll meet with a defense contractor trying to sell you a new satellite system. He'll promise the world, saying things like "We can park that satellite right over Moscow in geosynchronous orbit to provide you imagery."

When you hear that I want you to ask "How is that possible? What is going to keep the satellite there?"

I want you to know how to think properly about that problem, even though you may have forgotten all the details by then.


(For those of you who forget your astronautical engineering, it's not possible to park a satellite over a fixed point on the ground anywhere except above the equator; that is the geostationary case of a geosynchronous orbit. An inclined geosynchronous orbit drifts north and south of the equator every day, so holding position over Moscow would take extreme measures to actively keep the device in place beyond what's required for normal station-keeping.)

I find that many of those performing digital security work, most generic IT managers, and nearly all nontechnical managers do not know how to think about security properly. They think it's possible to park a satellite over Moscow, Russia as easily as Quito, Ecuador. They have no conceptual framework for digital security. They are looking for digital security silver bullets even though no analog silver bullet has ever killed the pirates, petty bandits, organized criminals, foreign intelligence services, or any of the other threats that have plagued humanity for hundreds of years.

Sloppy thinking is our greatest vulnerability. Forget about user education; I recommend management education. Deflect silver bullets.

Bejtlich Teaching at Black Hat DC 2008 Training

Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled training class in 2008. As you can see from the course description I will focus on OSI model layers 2-5 and add material on network security operations, like monitoring, incident response, and forensics. The cost for this single two-day class is $2000 until 1 January, when the price will increase. Register while seats are still available -- both of my sessions in Las Vegas sold out. Thank you.

Saturday, November 03, 2007

Russ McRee on Argus and NSM

Russ McRee followed his excellent discussion of NSM and Sguil in the October InfoSecMag with a new article called Argus – Auditing network activity (.pdf), published in the November 2007 ISSA Journal. It's another great read.

Snort Report 10 Posted

My 10th Snort Report on Snort 2.8.0 new features: IPv6 and port lists is now available online. From the start of the article:

Snort 2.8.0 was recently published with several features long desired by Snort veterans. These new features include IPv6, port lists, packet performance monitoring and control of actions enabled by preprocessor or decoder events. This edition of the Snort Report provides details on IPv6 and port lists that VARs and systems integrators can use to optimize their use of the open source intrusion detection system.

In the next Snort Report I plan to look at other features in Snort 2.8.