Werner Schmidt
Enterprise Networking and Security Expert

Wireless realities and issues

Wireless is easy to deploy (well there are some exceptions to this), hard to do well. The air is a shared medium. Some of you old schoolers, hikers, mountain bikers understand walkie talkies and we know that RF is a shared medium. “Push to talk” is essential on any medium, but is especially problematic in a more limited spectrum such as wireless. We all know about switches and how superior they are to hubs, but in the air, it’s a hub and not a switch. We begin therefore with less spectrum to squeeze into. While in the US there are 11 channels (channel 12 and 13 existing in other geographies) available in the 802.11b/g 2.4 GHz space, that’s not true. Out of those 11 channels, only three (1, 6 and 11) do not overlap, and of course, not overlapping means then not using channels, 2, 3, 4, 5, 7, 8, 9 and 10. True, things are better in the 802.11a 5 GHz spectrum. 802.11n adds multiple-input multiple-output (MIMO) and 40 MHz bandwidth per channel, but this takes up even more of the 2.4 GHz range. Fortunately 802.11a can also use the 5 GHz frequency, but that assumes the client can use it.

Those iPhone 4s are really cool, they don’t use the 5 GHz range, that makes life really tough. Quoting someone else, that means that iPhone 4 has 802.11n but not the “awesome” 802.11n.

There are lots of tricks different manufacturers use. One professes the advantage of using a single channel across all APs (Access Points); another talks about use adaptive channel management; another talks about beam forming; another about beam steering; still others about techniques for prioritizing traffic. Some use small APs in a larger mesh, others use large UFO looking APs called arrays.

Guests are handled a variety of ways including captive portals and various mechanisms to enable those. Think of a hotel signing-in experience and you get the idea.

Management approaches vary wildly as well. Some use centralized controllers, some use cloud based, some use hive based smart APs, some offer both cloud and controller based. In terms of controlling access to the networks, approaches vary there as well whether it’s a simple physical connection, VLAN based, tunneled back to a controller or the ability to split tunnel. Mesh approaches are used too in order to address connectivity when a LAN wired connection is lost or cannot be made to an AP and a wireless
backhaul needs to be used.

When it comes to prioritizing traffic whether it’s for voice, video or data, different approaches are used there too. At the end of the day, it’s about managing the wireless spectrum and getting a strong predictable signal (with minimal noise and interference) to the client. The best controller is no match for a problematic air space.

So it’s about really understanding what your current air spare and spectrum usage looks like and finding a solution that can work best in your current air space, physical layout, and for the client device connection capabilities and needs that you have. Wireless cannot be magically solved by just deploying technology and neither is it a set and forget approach. It changes due to changing physical environments (think boxes moving in a warehouse, doors opening/closing, etc.), changes in the spectrum (as people and firms in your shared air space add and change their channel usage), evolving standards and client endpoint drivers and capabilities.

I use and offer four different vendor offerings for wireless, each offers a unique solution for certain environments.

SIM, SEM, SIEM, what does it mean?

Before I begin, can I mention my rant for acronyms? Not that long ago, DDI was created. It’s an acronym of acronyms, that stands for DNS, DHCP and IPAM.

Moving on, lets get to the confused field of SIM, SEM, SIEM and others. I’ll start with the purist definitions and then get into what people want and ask for versus what they ought to need. I won’t expand too much on what a log message is. Suffice it to say that it might be a syslog entry, but in fact can come from numerous sources including flat files, various agents, etc.

SIM - Security Information Management
SEM - Security Event Management
SIEM - Security Information and Event Management

Might as well add in here LM which stands for log management. These terms are bantered about by various manufacturers and even research groups like Gartner who haven’t quite come up to speed on how to really differentiate the terms, let alone the solutions, or better yet the requirements and needs. This has led to the problem of trying to find the best ideal solution for an indeterminate problem. Unfortunately, this has led to a lot of misunderstanding and hype around SIEM, a hybrid by definition of SIM and SEM. Like a multifunction copier, scanner and printer, make sure you really need all the functions and that the “blend” is right for you.

Ultimately these solutions are used to deal with various functions or capabilities such as:
Alerting - An automated response or alert to a single message, several messages or correlated event.
Retention - The ability to retain in full or summarized form messages from a period of time ideally related to compliance retention concerns.
Compliance - Ability of the system to create standardized reports for compliance or audit concerns.
Reporting - The ability to create useful reports that go beyond just compliance driven reports.
Normalizing - Taking similar messages from disparate systems and noting how different terms for things like properties are the same. For instance, knowing that bytes sent, sent bytes, traffic sent, etc., are all similar terms.
Correlation - Combining several different events, messages, threats, etc. into a single incident or event

In the classic purest view, LM/SIM solutions collect, store, alert and report on the data. Ideally these systems are tailored for long retention periods. Better solutions tend to be indexed, they usually offer stock reports for compliance, and often times have additional and extensive reports. Due to their nature, they are excellent aggregators and repositories of messaging.

SEM solutions by and large use a rolling shorter window of log messages, normalize it, correlate it and then attempt to do some kind of automated alerting and perhaps trouble ticketing. A SEM solution goes through the reams of log messages trying to find and summarize the most important information. They usually offer stock reports for compliance. Tend to have elaborate messaging and alerting. However, their goal is to process logs with the intent of creating alerts from correlated events.

Therefore, when we look at weaknesses:
SIM - Not ideal for complex alerting and not good for security (aka incident) reporting, trending or dashboards.
SEM - Not ideal for long term collection and storage or detailed searching and reporting.

Since SIM tends to be better at log collections, it can be used to drive or feed SEM solutions. SIEM solutions attempt to do both, but frankly it is a massive task and if the goal is long term retention and detail message logs, almost all of them will fall apart in a one size fits all approach. If you think databases and know how a single SQL search on poor indexing can take down a database, you get the idea. A hybrid system must make sure there is enough horsepower to constantly normalize, correlate and create incidents real time. It’s akin to trying to mix up operational database base needs with longer term data mining, the two are in direct conflict.

This is also a case of needing to walk before running. A good SIEM cannot be built upon a poor foundation of SIM. A strong SIM can feed one or multiple SEM/SIEM solutions. SEM/SIEM solutions require training. They need to be taught about correlation that matters in your environment and just as importantly trained to minimize false positives. SIM is easy to implement and deploy, SEM/SIEM takes time. That’s not to say SEM/SIEM is bad, it can be impossible to deal with reams of information coming from a SIM and most folks do ignore it until they need to deconstruct an incident.

The point is, it’s important to understand where your needs are and what solution or solutions will meet your need. There is some good news here. Mid-market customer can often times buy a single solution that can meet SIM/SEM/SIEM needs. Large enterprises should focus on buying both solutions and using an enterprise SIM to feed one or multiple SEM/SIEM solutions. Mid market customer will probably find our
LogLogic SEM solutions meet their needs. Larger customers will be thrilled with our LogLogic SIM solutions to feed other SEM and compliance solutions including LogLogic SEM. Smaller customers may find that the LogLogic virtual appliance can meet logging needs when less than 40 devices are involved.

It's about web presence

As a technical person, it’s easy to get caught in a trap of just looking at features and benefits and thoroughly missing the point. It seems like that has happened with a lot of firms when it comes to network plumbing and infrastructure. Sure, we talk about active/passive, active/active, dual stack, DR sites, virtualizing, load balancing and the list goes on. However, when you get down to it, it’s all about presence. I often like to say you must be present to win. Whether it’s responding to a phone call, Email or web site, presence is essential.

Load balancing is one of those areas. Yes, I realize the new marketing lingo is layer 7 load balancing, application acceleration and application delivery. However, it’s about the basics, is the web site present?

Lack of presence is harmful and catastrophic. What happens when a bank site is down with a 404 error? Do these customers or prospects come back? Do existing customers start to get concerned? Is an opportunity lost or a reputation? Sure, we can build all sorts of technology to raise availability, but what about adding one more layer to display a message when for whatever reason when things are down hard and the availability layers have failed? We call this a “sorry server” message. Basically it’s the ability to detect a total outage and then create a responder that will display a web page indicating the service is down, management is aware, folks are diligently working on the problem and a please call the following number message appears.

Presence is great. Loss of presence or even responsiveness for a web site is now a Google factor that can affect rankings. That means beyond the outage itself, we can now lose precious rankings that affect future traffic!

Forget about all the stats whether it’s transactions per second, sessions per second or bytes transferred. From a high level view, do you have the ability to maintain presence? It’s easier than it sounds. We offer load balancers that include the ability to offer up a sorry page and provide that last informational message when all else fails, thereby preventing the dreaded 404 error.

Maybe it isn’t even a major infrastructure failure, but rather a human error that lead to a content loss. Perhaps even a hack or defacement issue where presence is available, but not the one you want.

That’s my challenge then, make sure to architect for presence. Use an affordable load balancer like we offer in
Coyote Point from us and use it to maintain presence. I bet you’ll discover some high level management support to maintain presence versus a request to just upgrade infrastructure. Consider us too for how to load balance Microsoft Exchange servers or other applications.

Corporate networks more vulnerable than the Titanic

SingleZone
During assessment reviews, one of the common architectural design flaws I still see quite a lot of is no network DMZ. The Titanic had 16 watertight compartments and it still sunk. We wouldn’t even think of having something as important as a large cruise ship today with a single compartment and yet I run into corporate networks that do exactly that, corporate networks with one security zone. Whether it is a port redirect based NAT (VIP in Juniper Networks terms) or a one to one address NAT (MIP in Juniper Networks terms), the effect is the same. Either a single public port or single public address is allowed to a single target server in the internal network. At first glance, this seems innocent, after all, access is only being explicitly given to a single resource, what can be the harm in that? The problem is that a flow has been allowed from the Untrust (Internet) into the Trust (internal) network. If that server can be breached through a vulnerability, brute force password or just misconfiguration, then it can be used as a beachhead to attack and gain access to other systems in the network. This is referred to as a leapfrog attack. Access is somehow obtained to an accessible system that is then used to leapfrog to other systems not externally accessible, but accessible from the breached system. Since this system is in the internal network and there is no firewall separating it from other devices in the internal network, it can do this relatively unhindered except for whatever endpoint protection may be in place on every single system in the entire network. Telnet, RDP, http, ssh and other methods can be used to access other internal systems.

DMZ design
Now lets take a look at a better design using a DMZ (literally a demilitarized zone). In this case we place exposed public assets in a separate security zone from the internal network. Consider anything in the DMZ a sacrificial system. We then strictly control access with the following session flows:
  • Allow Untrust (Internet) to DMZ
  • Allow Trust (internal network) to Untrust (Internet)
  • Possibly allow Trust to DMZ (optional restrictions)
Now we are protected from breached servers in the DMZ. While leapfrog attacks can be used in a zone, it cannot be used to cross zones where access is denied. This is a fundamental benefit of compartmentalizing access with security zones and policies.

With zone based firewalls and multiple ports, this is a very easy and highly recommended design change. I recommend multiple DMZs and additional segmentation of networks amongst users and servers. The key concept is containment. Limit the exposure of the risk from a cyber threat that enters your network by maximizing segmentation and zoning. Even the smallest
Palo Alto Networks firewall (PA-500) has 8 ports on it. When combined with threat inspection for detecting viruses, spyware and other malware, this becomes a very powerful security gateway.

PA500


SSL VPN or IPSec client?

Remote users are a real challenge to embrace and secure within a corporate network. Can we really extend the internal network into an untrusted or unknown personal residence? There are the details of managed or unmanaged devices on a managed or unmanaged network and what that means from a security perspective. Couple that along with the concerns of lost devices and more and more PDAs and other devices like the Apple iPad, and things can be downright confusing and concerning.

Traditional IPSec clients were always the preference for dealing with remote endpoints which were either desktops or laptops. They were ideal for managed devices across unmanaged networks. The IPSec connection is encrypted for securing the unmanaged network. For the most part, we were used to having managed devices. IT would install a client and an authorized and managed device would be given or sent to the end user.

As users changed, we got more laptops into the mix and access would start happening from unmanaged devices and unmanaged networks. Deploying and provisioning IPSec clients became challenging, along with the need to restrict where these untrusted unmanaged devices could go in our networks. SSL VPN became the solution for dealing with these problems.

Now we have a world of personal devices, large amounts of sensitive data on devices that are prone to being stolen and an intolerance with the users to only use corporate supported and approved devices. We need to be able to support a wide variety of platforms to allow them to connect to our corporate resources while making sure these often unmanaged personal devices meet our security requirements.

We have to look more at the provisioning problem separate from the access problem. The choice is no longer so clear. We need ubiquitous access and we need it to be secure. SSL VPN still offers a lot of choices with granular control, extensive logging and easy provisioning. IPSec clients have also come a long way and we offer two worthy of consideration. We offer Juniper
Pulse for a variety of smart phones. It offers cloud based provisioning and several enterprise features for managing the devices while allowing them to connect as secure VPN clients. We also offer an individual or enterprise based IPSec client (more info soon on the web site, contact me) that works with laptops and phones. It can work with existing AD directory infrastructure and offers a centrally managed desktop firewall application to provide granular access for the endpoint and runs on corporate managed devices (real or virtual).

The good news is that we’re finally seeing robust solutions to manage the unmanaged endpoints while giving the kind of security oversight that is required. Whether it’s SSL VPN or IPSec VPN clients, we have solutions available today to choose from.

5,000 Square Feet of Heaven

For those that have been reading my blog, you know that our youngest son joined the U.S. Marine Corps a while ago now and went into boot camp this past summer. Since then he graduated that and went to Camp Pendleton for combat training. Every single Marine is trained as a rifleman. For those that feel the same way as an individual, you might want to checkout the Appleseed project for your older kids or yourself. We got to see our son and a couple of other Marines during Thanksgiving and a couple of liberties (on base, off base and restricted to one portion of base). Camp Pendleton is huge! One of the most relaxing liberties was the one restricted to one area on the base, specifically, we spent it all around one cement picnic table. Of course the boys enjoyed the KFC Chicken, donuts and drinks we brought. It was an outstanding day. As for our son, food, phone, newspaper and liberty, it doesn’t get much better than that, even while on base and especially away from the squad bay.

We were very blessed to be able to spend the time with him and his two other liberty buddies. In the midst of all that and his stay at Camp Pendleton, our son got rather sick and with much coercion (Marines and guy thing), we got him to see a doctor during his off base liberty. He was diagnosed with pneumonia, which put a damper on his activities during liberty. He was absolutely zonked and fatigued. He did have to travel to Pensacola Florida out of San Diego in the wee hours while still being quite sick. In that process, he checked out the local
USO at the San Diego Airport with some prodding. All I can say is that it was 5,000 square feet of heaven. We arrived later in the morning to see our son during his long airport wait. From the moment we pulled up to the curb to meet a spry, energetic, thankful senior volunteer with more life and zeal than most teenagers, it was an uplifting experience. The USO has been around for almost 70 years, perhaps you know of them from Bob Hope. Their goal, via thousands of volunteers, is to lift the spirits of America’s troops and their families. They did that and then some. Comfortable chairs, kitchen area, TV, children’s play area for the kids, Internet access and loving caring people. It was quiet and relaxing. I can’t begin to describe the blessing of setting off our son in the right spirits even while being dismally sick. On the other end in Florida, it also meant a shuttle ride to the base. We’re members of the USO, it’s a non-profit and non-political organization. Please check them out. I know of at least one of our customers personally involved with this superb organization.

Learning new technology

Our core values in order are:
  • Integrity
  • Knowledge
  • Communication
  • Passion
  • Success

Concerning knowledge, we’re constantly learning new things and improving on what we already know. We’ve become very adept with Palo Alto Networks which compliments our existing knowledge of Juniper Networks. We also added skills with Aerohive Networks in addition to our Aruba Networks wireless skills.

Lately we’ve been working a virtual appliance of LogLogic that we use internally. LogLogic is a great simple to use and highly effective log monitoring and management solution. It addresses SIM and can uniquely used to feed other SEMs. They also have a SEM component rounding out their SIEM offering and have database (not just Oracle) auditing solutions. LogLogic has very capable and scalable units, but the entry price point had been prohibitive for some of our customers. We’re very excited and pleased with their new offering of a virtual solution with enterprise capability at a lower entry price point. Whether you need it for compliance reasons, network visibility or forensics, this is a great solution to have. We feel it is the best and simplest to deploy and use.

We continue to expand our knowledge in DDI (DNS, DHCP and IP address management).

In regards to assessments, we have created our own software. Now we use best of breed hardware for collections and then our own software and expertise to analyze and report our findings and recommendations. We’ve made this easy and unobtrusive to deploy while focusing on things that matter. You can read more in our
other blog entry.

Boot Camp

Our youngest son graduated from boot camp at MCRD in San Diego! I have to congratulate the US Marine Corps on a job well done. We really enjoyed being there two days. The first day was a family day and was by far my favorite. The second day was the actual graduation. It was a brilliant decision to do it that way. During family day we got to meet him, converse and basically get reacquainted with our son. It took all the pressure off graduation day as we had already seen him the day before.

During family day we got just a small taste from the DI (Drill Instructor) of what their life was like and learned several new vocabulary words:
- Deck (floor)
- Bulkhead (wall)
- Portal (window)
- Cover (hat)
- Latrines (toilet)
- MRE (Meals Ready to Eat)

We learned about the sacred ground of the Parade Deck. We kept an ever watchful eye just waiting for someone to make the mistake and to see what happens to them. We were assured that there is good medical assistance on base to take care of the resultant injuries.

We also were trained on how to respond to various commands:
- Eyes: Stop in your tracks, look at the DI, say “Freeze Sir”
- Ears: Listen and say “Open Sir”
The rest has been removed from my memory.

We got a taste of an accelerated countdown (funny how fast a countdown goes from 100 when the 60s, 50s and 40s are skipped!) and how repeatedly folks in our group didn’t listen properly to the commands and us family folks had to do them over and over again.

My favorite part of all though was during their liberty from 1-5 p.m. We watched our son eat almost continuously. During his first three weeks we found out he had lost 16 pounds. Now, keep in mind he was fit and trim to begin with. He didn’t have 16 pounds to lose. He eventually got double rations, the biggest benefit of which was getting first in line and therefore more seconds to eat. We learned they had to eat with spoons to alleviate stabs to the mouth. We watched him eat a large lunch with second helpings of chicken and bread at a local restaurant on base, then pizza slices, ice cream, muffins, cookies, candy and protein bars. He had to sit whenever his mouth was chewing, as walking and eating are not allowed. We watched in fascination as the covers were constantly removed and put back on by him and all the men as they entered and left buildings. That evening, after all the binge eating from the men we did hear that there were issues with the latrines getting backed up that night at the base.

It was great to see a slice of America, most uplifting actually. I had a blast just people watching. There are two bases for the Marine Corps for boot camp training - MCRD in San Diego serves the West coast, mostly west of the Mississippi and then another base for the East coast. MCRD is only for men and the other base is for men and women. There were plenty of people from California and out of state, especially Texas. The uplifting part was seeing professionals and regular families from across the nation all with sons who are voluntarily serving for this nation. They all had a certain gait and air about them. Their smiles and the families were just priceless. It just felt different there.

In terms of graduation day, they graduate by company and over 500 graduate every week from MCRD San Diego. In case you didn’t know, the recruits pay for almost everything (toiletries, clothes, uniforms, boots, sea bags, etc.) They even had to buy the medal they received on graduation. They are fed and housed, of course, and do get their monthly pay, but there are no hand-outs. Everything is either earned and purchased.

We also got to learn something new about our youngest son, something we never observed before. We learned how
clever and creative he can be to adjusting and adapting to his environment. I’ll give a few short samples. At one point everyone takes off their shoes, throws them in a pile and then later you have to grab them quickly for a run or whatever they did. Our son said guys would be running around with two different sized shoes on. He said he learned to tie his shoe laces together very quickly before tossing them in the pile, guaranteeing him a matched set! Another time before a big multiple day hike, they had to pack rations with MREs but had to remove any candy (e.g. Skittles) from the MREs. Many of them removed more than the candy and got rid of muffins and other related snacks. He saw the pile they had built, grabbed the allowed snack items and stashed them in his bag. Later he shared with his teammates and then was able to hold his MREs until the latter days. On a major uphill hike where he excelled, he was going so fast that he caught up with the other group in front of his. He was hoping to get an apple from that group and then wait for his and get another. That plan didn’t work, but still creative. Lesson being there’s a difference between doing what’s said or needed and knowing how to adjust to what’s still allowed and yields better results. Perhaps a lesson there in being compliant versus being secure.

Now he’s off again, this time for infantry training in Camp Pendleton. We were able to visit him on base last weekend. We don’t know yet exactly what will happen during Thanksgiving or even if we’ll get to see him for Christmas. We’re on military time now and always subject to orders and change. We were actually looking forward to having Thanksgiving on the base with the men. We won’t know until we know, to that we’ve adapted.

Altaware Assessment Offering

We have been providing assessment services for a while and gained experience in the process, mainly in terms of what people really need and can make use of. One of the greatest challenges is to be able to deliver a solution that meets our customer’s needs in terms of an assessment. It is like the Goldilocks problem of trying to find something just right.

We’ve created our own integrated combination of best of breed hardware for data collection coupled with our own software enables us to better peruse all the data and then with human review and research to try and find what’s relevant.

Another challenge of existing tools is they seem to spew a lot of information, but it isn’t really from an IT or business perspective. All the tools just spew lots of reports and charts, but what did it really tell you? When I think assessments, as an IT person, I’m concerned with:
  • What are the real observed threats (malware, viruses, spyware, phone home, etc.) and also what direction is this occurring in? Is it server to client and what about client to server? I don’t need to look at all the noise, I want to hone in on what has a high enough severity and bypassed existing controls. Knowing IP addresses or names is nice, but I’m more interested in what users were affected.
  • I need to understand how the users are consuming business resources and how casual or personal use may be conflicting with real business services that your customers may be trying to access. I’d then like to either eliminate the distractions or at least be able to identify and prioritize them accordingly to make sure there are minimal or no conflicts with key business services.
  • I want to make sure that key information assets are not leaving our digital confines. This doesn’t just mean Email, but means a whole lot of different applications that can be used to violate our systems. Whether it’s for compliance or business concerns, we need to know what can be used to harm and bypass our controls. I need to understand not just what device, but what user account was used. That also includes being more aware of encryption and how it might be used to elude our visibility.

So, that’s how we look at assessments now, at least one of our main offerings. We collect data from one or more points in the network, though typically at a gateway location. We analyze the data with our tools and personal knowledge and then we report on the observations and make recommendations on how to mitigate the risk.

Please drop me a personal note or call and lets see when we can schedule this for you. It is priced very aggressively to other offerings and yields more actionable information versus fluff and reams of reports.

Bruce Lee Style Security

The highest technique is to have no technique. My technique is a result of your technique; my movement is a result of your movement.”
– Bruce Lee

I find that quote telling for where we ought to be in security now. We still build walls and people learn how to get around the walls. Worse yet, we use brute force to prevent attacks but with DDoS (Distributed Denial of Service) we can’t always build walls strong enough to sustain an attack.

Years ago, I studied some martial arts. It was while my kids were growing up and it looked interesting. I stayed in a while and progressed. At first I was real clumsy, then I started to learn techniques but struggled remembering the sequence. When I eventually left, I was just starting to get to a naturally reactive state. I like this description of cultivation from Bruce Lee.

The Three Stages of Cultivation - The first is the primitive stage. It is a stage of original ignorance in which a person knows nothing about the art of combat. In a fight, he simply blocks and strikes instinctively without a concern for what is right and wrong. Of course, he may not be so-called scientific, but, nevertheless, being himself, his attacks or defenses are fluid. The second stage—the stage of sophistication, or mechanical stage—begins when a person starts his training. He is taught the different ways of blocking, striking, kicking, standing, breathing, and thinking—unquestionably, he has gained the scientific knowledge of combat, but unfortunately his original self and sense of freedom are lost, and his action no longer flows by itself. His mind tends to freeze at different movements for calculations and analysis, and even worse, he might be called “intellectually bound” and maintain himself outside of the actual reality. · The third stage—the stage of artlessness, or spontaneous stage—occurs when, after years of serious and hard practice, the student realizes that after all, kung fu is nothing special. And instead of trying to impose on his mind, he adjusts himself to his opponent like water pressing on an earthen wall. It flows through the slightest crack. There is nothing to try to do but try to be purposeless and formless, like water. All of his classical techniques and standard styles are minimized, if not wiped out, and nothingness prevails. He is no longer confined.

As quoted in The Art of Expressing the Human Body (1998) edited by John R. Little, p.108-109

As I look at the security field, I see the same evolution. Not too long ago, security was in the primitive stage and frankly still is in a lot of organizations. With more robust solutions, we’re closer to the stage of mechanical or sophistication stage, but that’s about as far as we are. We need solutions to be more spontaneous and adaptive that yield, redirect and elude the enemy.

We are starting to see that, but only the early stages. Application firewalls are a great example, we offer industry best solutions for web servers and Oracle servers that are in the sophistication stage. We also now carry what I believe is the first example of spontaneous security for public facing web servers that are adept and react differently to threats based upon the perceived skill of the attacker. These tools assess the quality and skills of the opponent through ever greater challenges and elusion. I’m excited, it’s where I think security needs to go and be. If you have a critical web based application that deals with confidential information, fiscal or health related transactions or just needs to remain up and secure to advanced threats, please give me a call so we can demo the latest advancements in this arena. These are offered as virtual appliance solutions.

Pulse Mobile Security Suite

Pulse is an exciting new offering for mobile device security and access.

We all know the struggle of supporting a variety of PDAs and Smartphones. Especially when they may even be personal devices as well. We also have problems to contend with in terms of how to deal with problems when these devices are lost or stolen and contain sensitive corporate data stored in Email or documents.

Pulse tackles this problem by:
- Helping to secure mobile devices from malicious attacks
- Secure remote access for mobile users
- Connect users via secure VPN to your corporate network
- Tight enforcement controls and granular access to enterprise resources
- Mobile platform device software is no cost to users via respective application stores
- Broad platform support: Apple iOS 4.1, Google Android, RIM BlackBerry, Nokia Symbian, Windows Mobile
- Zero touch provisioning of mobile access for new users
- Deprovisioning lost or stolen devices
- Ability to enforce strong authentication

There’s more to the story and I encourage reading the documents below. Bottom line, if you have mobile corporate users and want to better control and secure the devices, this is the solution for you. If you already have SSL VPN and love the granular control, but want to include the mobile devices as clients along with your role based access, then get this solution. Call us for licensing questions in regards to the Juniper Networks SA SSL VPN.

>>> Download Datasheet Junos Pulse Security Suite
>>> Download white paper on securing the Mobile Enterprise

Security - An Application View

Last month I was lamenting that there had to be a better way to take a look at a different security stack model and imagining a security stack with solutions that:
  • Allows a company to whitelist appropriate behavior and applications
  • Determines a threat by sandboxing attachments and checking what the behavior is
  • Determines a web application threat by observing the actions of attackers and assessing their skill and tenacity and counteracting accordingly
  • Use profiling techniques to log individual attackers and threats
  • Log events from above for legal or compliance concerns

I’ll be building upon this discussion next month as well. This month we’ll touch upon whitelisting appropriate behavior and applications. Whitelisting has been around for quite a while and keeps making a comeback. We’re all used to blacklisting, which is a process where we list those things (sites, applications, users, resources, etc.) we wish to blacklist or block. With blacklisting, that which is not blocked is allowed. Whitelisting is a process where allowed things are listed, that which is not on the allowed list just isn’t allowed. This can pertain to web sites, usernames, desktop applications, firewall ports, etc.

For now we’ll focus on the firewall. In the old days, ports used to represent applications. Port 25 (smtp) was Email, port 23 (telnet) was terminal access (mainframes or minicomputers), port 22 (ftp) was file transfer, etc. Port 80 was just for web browsing. Now however, 80% of all traffic is port 80 and a large percentage of it is encrypted. Web browsing is defined as just that, web browsing (think cnn.com, weather.com, wikipedia.com, etc.). It’s where you use a web browser to look at general text and some static pictures to get information. It might be a support site, might be a vendor site, etc. Classical browsing would not include web 2.0 applications. Web 2.0 applications are full fledged applications that happen to run over port 80 versus older ports or client/server applications. In the past we would run Quickbooks as a local application, now that can be run across the web or in a cloud. SalesForce is the classical example of a web 2.0 application. With web 2.0 applications, now you can transfer files, listen to audio, watch streaming video and use proxies or encryption to avoid detection. Now we need to focus more on the characteristics of what is occurring on port 80 and 443 (and the other ports still too!) to determine our security posture. These days, entertainment in various forms consumes massive amounts of corporate bandwidth. Web application characteristics include:
  • Is it capable of being evasive (port hopping, encryption, etc.)?
  • Is it using or able to use excessive bandwidth?
  • Is it prone to misuse?
  • Can it be used to transfer files?
  • Can it tunnel other applications?
  • Is it used by malware?
  • Does it have vulnerabilities?
  • Is it widely used?

We might also want to factor in potential risk by application as well.

Lets look at some examples of each (all lowercase for simplicity):
  • Evasive - azureus, bittorrent, gnutella, logmein, skype, youtube
  • Excessive bandwidth - bittorrent, emule, ftp, gnutella, google-docs-uploading, kazaa, xunlei, vimeo, youtube
  • Prone to misuse - ftp, guntella, hamachi, hopster, kazaa, smtp, skype, vnc, webdav
  • Transfers Files - bittorrent, ftp, gnutella, google-docs, hamachi, logmein, wevdav
  • Tunnels other apps - hopster, irc, kazaa, logmein, socks, vnc
  • Used by malware - bittorrent, hamachi, http-tunnel, skype, vnc, xunlei, youtube
  • Vulnerabilities - Many applications have known vulnerabilities. Short list: ftp, irc, logmein, nntp, vnc, youtube, webdav
  • Widely used - Many applications are used extensivley

Try applipedia (
http://ww2.paloaltonetworks.com/applipedia/) to explore applications. Following is a page of what that looks like. This is the same application that is used by Palo Alto Networks when setting application use policies:



So, where does this leave us? We should no longer think that opening up just port 80 and 443 from trust to untrust is adequate. Furtermore, adding URL filtering does very little in terms of application control. URL filtering cannot address any P2P (Peer to Peer) application threats because the other end(s) are unknown by their nature in that they are just end user desktops not known URLs in almost all cases.

Recommendations:
  1. We should whitelist by actual applications
  2. We should whitelist by users and/or groups
  3. We should implement QoS to further protect and prioritize key corporate resources
  4. We should still look for threats on approved applications (we shouldn’t bother scanning disallowed applications)
  5. We still probably want to allow classical web browsing, but should apply URL filtering
  6. We should strongly consider decrypting traffic in certain cases and not decrypting in certain category destinations (e.g. banking, healthcare)

This is just the first touch on a lengthy subject. Future articles will explore deeper how to properly detect malware and protect against it. I’ll also be discussing other approaches to protecting public web servers from outside threats.

The Rule of All

There’s a lot of talk now about application firewalls and it’s all the rage. That’s great. There is a greater awareness now for the real risk of applications masquerading as web browsing. These applications can be evasive, consume enormous amounts of bandwidth and be used to steal information. That’s just a short list. Web based applications are used to bypass corporate policies by making them more accessible to users.

However, not all solutions are the same. I get approached quite often by yet another manufacturer claiming to have this functionality. They are not all the same, in fact I still only believe in one solution out there.
See a video of the reporting features that I made.

Lets take a simple look to help understand the dilemma. Lets start with WebEx. Is all WebEx traffic the same and can we classify the
application based upon the URL or domain alone? Definitely not, a user might be browsing to www.webex.com to learn about the product and is just using a browser to read information. Lets now assume a WebEx session has started, now is it bad? Well, it depends. There could be chat, that chat could include pasted private information, there might be screen sharing, there might even be remote control (keyboard and mouse). The problem with this scenario is to make proper decisions we need to be able to have greater granular visibility/control and deal with the mode shifting. Once there is a mode shift, it’s a different potential threat posture.

YouTube, another great example. Appropriate or not? Could be personal, could be business, might be videos, has many other threats too.

Facebook, the classic example. It could nowadays be a corporate Facebook page being accessed for work reasons, could be just a read only view of a site, someone might be posting information that is sensitive to the company or using work time for personal posts. Facebook chat has numerous risks and is extremely prevalent. Facebook apps include time consuming items such as Farmville and Mafia Wars. These are
not turn based games, people can have their virtual characters injured while they are at work and not attending to their game or not harvesting their crops. These games demand continuous attention. There are now countless games and applications available. Can you really just use URL categorization?

The problem is that a device cannot
bolt on application visibility. It’s slow, time consuming and must be enabled and active all the time and be the first consideration a firewall or security device makes, not a downstream decision. For performance reasons, there should be only one scan at the data.

So, here’s the rule of Alls which I heartily agree with Palo Alto Networks (PAN) on:
  • All App-IDs are always on: Every one of the App-IDs are always enabled. They are not optional, there is no need to enable a series of signatures to look for an application.
  • Always the first action taken: App-ID traffic classification is always the first action taken when traffic hits the Palo Alto Networks next-generation firewall. Like all firewalls, the PAN device uses a default deny all approach. Policies are enabled to begin allowing traffic, at which time, all App-IDs begin to classify traffic without any additional configuration efforts.
  • All of the traffic: App-ID is always classifying all of the traffic – not just a subset of the traffic (like HTTP for IPS signatures). All App-IDs are looking at all of the traffic passing through the device, business applications, consumer applications, network protocols, and everything in between. There is no need to configure App-ID to look at a specific subset of traffic. It automatically looks at all of it. It should be able to decrypt traffic if desired.
  • All ports: App-ID is always looking at every port. Again, there is no need to configure App-ID to look for an application on a non-standard port. It is automatic.
  • All versions, all OSes: App-ID operates at the services layer, monitoring how the application interacts between the client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system agnostic. The result is that a single App-ID for BitTorrent is going to be roughly equal to the many BitTorrent signatures that need to be enabled to try and control this application.
  • All classification techniques: Each App-ID is not just an IPS-like signature. Every App-ID will automatically use up to four different traffic classification mechanisms to determine the exact identity of the application. There is no need to apply specific settings for a specific application, App-ID systematically applies the appropriate mechanism.


Schedule a demo or possible on-site evaluation or application visibility report with us to see the difference that Palo Alto Networks makes.
Watch a brief video I made of a live Palo Alto Networks firewall and how to address the five Ws (Who, What, Where, When and Why).

Washington DC Trip

In the previous newsletter I briefly mentioned the trip to Washington DC, so I wanted to expand a bit more on it. We had never been there before as a family or individuals. It just seemed appropriate and timely with the kids growing up, enlistment of our youngest in the Marines and other reasons. I also share a love of history with our youngest son.

It was a stellar trip. For those who have never been, I highly recommend it. It felt like a pilgrimage, almost Biblical like going back for a census. It’s something one needs to do at least once. It was not restful and we definitely didn’t have enough time, but we did okay. It was overwhelming, we had 8 days (6 effective), it wasn’t enough.

We stayed near Dulles airport, about 45 minutes away from DC. The hotel was great, being further away allowed us to save money and get separate rooms from the two boys, that at least meant relief and rest at night for Debbie and I.

We went with a rental car and drove into DC most of the time. Lots of horror stories online about parking, but if you arrive early it’s generally quite fine. However, we got lost SO many times, signage is a mess and was quite stressful. Eventually it became a source of humor as the oldest son kept sending text messages out every time we got lost. I would instead make sure to have a GPS in the rental, that's a must, handheld only if you have a good navigator and battery life. Did I mention how slow people drive out there? I mean 45 MPH posted and enforced on some freeways! I can go faster on some city streets. The HOV (car pool) lanes are interesting being in the middle and separated from the other lanes and using gates to alter the flow in only one direction at a time. Slowing WAY down for the E-ZPass toll sensor is mandatory and I learned the hard way that it really has to be that slow, I rang that bell and got a bill. I would have preferred to learn the metro (subway) earlier, we walked WAY too much early on. I would also do a tram tour thing with on/off rights, NPS (National Park Service) offers one. Metro has all day passes, I have to imagine multi-day passes. I can see why DC folks think nothing about proposing a national 55 MPH speed limit, that’s faster than they drive. Almost every single road was under construction, stimulus money is flowing all over the place around there.

Things are really close together and yet, a whole lot of walking. I should have planned even more for proximity and I did plan, but not enough. The closeness around the National Mall lulls you into not worrying about it and then you walk too much as you criss-cross and visit every single item you see.

We had contacted our congressman in advance (use web site) and asked for all the items of interest. Many things you ask tickets for don't even apply in reality, seems like an exercise to make you think you’re getting something from them just be asking. Almost everything is free too. However, we did capital tour via them, met in his office and met a staffer, that was cool and boring, but a right of passage kind of thing. The advance notice is required if you want to see the White House, we could not on only 2 months notice. However, I can’t express the feeling of actually being in the House of Representatives galley as legislation is being discussed and then voted on. It’s small and yet you feel history being present as the last minute flurry occurs and people arrive for the vote.

We did walk near the White House, I’d like to park on the lawn, right by the "holiday" tree! We also saw the herb garden from a distance and were real close to where Marine One always lands on the lawn.

Things that were really special for us:
- Segway tour (Debbie loved it too, 2.5 hours, great way to get a quick feel for where things are, we did this first, I really would have liked to have used them the entire time!). We used Capital Segway for the tour. By the way, my favorite picture of the whole trip involves the Segway tour. Our guide took a family picture of the four of us on the Segways, three of us are pointed towards our tour guide and one was not due to trying to stay in one spot. It’s a treasured picture of the event. Yes, I’m aware the owner of Segway died (9/27/10), I still love the product and hope for continued success for them.
- Holocaust Museum (go early and get an assigned time and return, 2-3 hours), puts a real downer on the rest of the day, but something that really affected us and is important to experience. I especially like the exhibit “State of Deception: The Power of Nazi Propaganda”. Walking through a train box car was eerie. After the tour you realize how silent and cold the whole time in the museum was. Of course artifacts like shoes also bring it home. You come out of there numb, but it has to be experienced.
- National Museum of the Marine Corps by Quantico, Virginia (3-4 hours) - In our opinion better than many of the Smithsonian museums. Just go, don’t even think about it, it is that special.
- Library of Congress (take a docent tour). Just architecturally beautiful and impressive. Constructed under budget and on time.
- National Archives to see the documents that founded this great country.
- U.S. Marine Corps War Memorial (Iwo Jima). It’s located near the Arlington National Cemetery. It’s larger than it appears in pictures and stunningly beautiful, it just takes your breath away. Make sure to see it when the light hits it just right.

Other things we did:
- Arlington National Cemetery (would take even more time and walk it after a tour, then it would be more special). It feels strange taking the trolley around and doing the official parts of the tour, except the great experience of seeing the changing of the guard at the Tomb of the Unknowns. Can you imagine doing this watch during a hurricane or other severe storms? Yet they do and it’s one of the highest honors. I have been to two other National Cemeteries in California. There are eight in California. See the whole list.
- Capitol tour (do via Congressman’s office and avoid some lines and see the HR galley which you can't otherwise, 2+ hours)
- Bureau of Engraving and Printing (near Holocaust Museum, arrive one hour before BEP opens and get assigned a time to return later). Not quite as exciting as it sounds. My favorite statistic, about 7% of the printed product is rejected for quality concerns. That’s a fascinating yield statistic compared to almost all other industries. Most of the printing is to replace worn out money.
- Various Smithsonian museums, only a handful. They are nice, but I'm not a big fan, we have so much special stuff here too. There are 19 of them. Read the story about Smithson and the founding of the museums. Yes, we did see numerous Norman Rockwell paintings on loan from George Lucas and Steven Spielberg, those were utterly amazing. We also saw Fonzie’s jacket (from Happy Days), Kermit the Frog, Archie Bunker’s chair and Dorothy’s Ruby Red slippers.
- Smithsonian Air & Space Udvar-Hazy Center (not the one at the National Mall), this adjunct one has a space shuttle, an SR71, the Concorde, the Enola Gay and the "larger" stuff. The one at the National Mall has the Wright Brothers one, I like the big stuff. All the Smithsonian Museums are free, but at this one you have to pay parking.
- White House gift shop
- Mount Vernon (was too hot to enjoy, otherwise I would have spent hours. There are special tours at various times of year, I think it too would be really special then. We didn't wait the one hour plus in the heat for the mansion tour). I bought a $7 book, was a good read and had color pictures to look at. Thank goodness for the Mount Vernon Ladies’ Association in 1853 for getting this wonderful property and the phenomenal restoration.
- Washington Monument
- Lincoln Memorial We sat there on the ledge to watch the 4th of July fireworks, that was special! Yep, we were right there in an ideal spot from the daytime until the evening, wow, what an experience. Getting out was a totally different experience, but I’m so glad we endured and did it.
- Thomas Jefferson Memorial, lots of stimulus money being spent there to shore of the sinking foundations.
- Spymuseum - Somewhat gimmicky, could have been better.
- National World War II Memorial (new) Lots of water, it represents the Atlantic and Pacific engagements.
- Korean War Memorial It’s eerie to see the statues captured in their walk, certainly a forgotten war. Except for a TV show, would most people ever even remember it?
- Vietnam War Memorial The Three Serviceman statue was in the process of restoration, the stare of them towards the wall is eerie. We did get an etching for a friend.

As a note, the World War I memorial was not in good shape. There is one 109 year old survivor Frank Buckles. This is now being restored with stimulus money.

Things we missed:
- FDR Memorial (too bad, is really worth seeing apparently)
- Inside the Supreme Court
- Near Mount Vernon, Washington distillery
- The various memorials at night
- Newseum
- Pentagon tour
- Pentagon 9/11 memorial
- FBI tour (not sure if available)
- Firearms museum
- Various Smithsonians
- Kennedy Center
- Ford Theatre (Lincoln and also across the street where he died)
- Alexandria boat tour
- Williamsburg tour
- New memorials are coming: Martin Luther King Jr., underground Veteran's museum

Things that were challenging:
- Finding our way
- Making sure the toll pass device we rented with the car is read at the gates, SLOW WAY DOWN at the crossings...
- Finding a place to eat that was reasonably priced
- I would advise using a phone with GPS and "About" or similar app for walking, finding food, etc. My older generation didn't have GPS and compass

So, what’s the bottom line for this trip? The kids thought it was the best vacation ever, now that’s worth doing.

Security - A better way

Security today is flawed. It’s all based upon “negative” signatures. In other words, signatures of things that are known bad. This has many flaws, not the least of which are:
  • Zero day. How do you know it’s bad until it has already done damage somewhere?
  • Can we really create signatures in a world of large botnets and polymorphic threats?
  • Just because it isn’t recognized as bad, does it mean it’s good?
  • It usually only works for threats from the outside trying to come in. After it’s in already, the approach is meaningless for the most part.
  • Can you really tell “intentions” without observing actions?
  • We ought to really only allow things we want (positive or white list model) and then make sure the allowed applications aren’t misused.

The above is a short list, but lets take a look at a different security stack model. Lets imagine a security stack with solutions that:
  • Allow a company to whitelist appropriate behavior and applications
  • Determines a threat by sandboxing attachments and checking what the behavior is
  • Determines a web application threat by observing the actions of attackers and assessing their skill and tenacity and counteracting accordingly
  • Use profiling techniques to log individual attackers and threats
  • Log events from above for legal or compliance concerns

This is a very different way, far simpler as it turns out. Negative based models fall short, create numerous false positives (barking dogs) and don’t protect against sophisticated cybercrime and corporate espionage. We have to start looking at what threats are actually attempting to do or their actions. It’s the only way to assess their damage potential.
Sandboxing is a way to take files, run them through multiple virtual machines and see without question what the file is attempting to do or not do. For instance, is it attempting to alter a Windows registry? Is it attempting to access files? If it is altering the system, it’s a threat. Honeypots are ways to detect activity, basically they are like motion detectors. If you detect motion inside a closet that houses your valuables and nobody should be there, there’s a problem. Furthermore, if you give that threat greater and greater challenges and they continue to break through the various more challenging honeypots, you now have a capable and determined threat, action is required and it’s just a matter of time.

At
Altaware, we offer all the standard existing infrastructure based solutions, but we also offer solutions for the more discerning and demanding customers that want to go beyond compliance and into the world of true security.

Are we secure?

Data security is an interesting field. It seems like we have all these solutions and yet breaches seem to be occurring at more rampant levels. Simple things like Web 2.0 actually manage to defeat almost all security measures and kids can defeat most corporate systems, so, how secure are we?

Lets look at the typical security stack in a company:
  • Perimeter firewall
  • Some kind of virus/malware solution (desktop or server or Email)
  • IDS / IDP (Intrusion Detection or Prevention Systems)
  • URL filtering or other UTM (Unified Threat Management)
  • Perhaps some logging
  • Perhaps a proxy
  • Perhaps a web application firewall (good possibility it isn’t actively enabled)

It’s really pitiful in some regards. In general, the whole stack seems to work on making us secure by looking for and denying bad stuff. This leads us into a very dangerous analogy! That which is not bad, must be good. It seems like a border checkpoint that relies on some manual do not enter (think no fly) list and some self-answered security questions.

The firewall is the worst of them all. It seems to be a fancy bridge/router to connect two Ethernet wires. The security model is essentialy self declaration of the packets. For instance, are you web traffic? Yes, I’m port 80. Okay then, come on through. No need to be stopped or inspected. Really, port 80 is just web browsing? Not anymore, it’s file transfers, it’s bandwidth robbing, it’s data leakage, it’s phone home, it’s everything now. Firewalls are useless, about all they do now is slow down legitimate traffic. Firewalls don’t address the intent, actions or characteristics of the data. Is the data being used to evade security, transfer data, used for excessive bandwidth, used to tunnel other applications, used by malware, prone to vulnerabilities, etc. We also can’t tell who is using it. We just see IP addresses in ever larger generally dynamic (
DHCP) networks where we might eventually figure out what device if we look soon enough while an address lease is still active. However, depending on the device, we still don’t know who the actual user is. So, the firewalls tend to not know anything about the actual applications, data, users, characteristics, threats borne in the content and they slow traffic down, wonderful.

OK, but we can layer on IDS/IDP, proxies, URL filtering, A/V scanning, DLP and lots of other magic boxes. We create a sprawl of technology and devices to learn and try to correlate. I won’t even get into the management or problematic performance and context awareness. I hate the underlying principle: “It must be good if it isn’t bad.” Wow, that’s messed up! We should be judging good and bad based upon characteristics and actions. It’s not who the user is and their previous reputation, rather, what are they doing now? The problem isn’t just using bad applications or bad sites, it’s also making sure threats don’t exist on approved sites and applications. It’s a mentality from mail servers. We have the approved corporate mail servers, but of course we still have to inspect content for threats. So, what makes much more sense is disallowing applications and sites that are inappropriate and then making sure approved sites, URLs and applications (e.g. Facebook) are not used in inappropriate manners or to propagate threats (e.g.
Koobface).

There has to be a better way, I know there is.

We're in the military now

On a personal note, Debbie and I have moved into another phase in our lives. We have two boys, age 22 and 18. Our youngest has joined the Marines and is in boot camp right now. He’s very patriotic, very appreciative of the sacrifices of those before us that have kept this great nation safe.

Boot camp is a 13 week process. The first week is all about processing, which is a fancy word for forms, shots and quite simply even clothes. We weren’t quite ready for our youngest to leave, let alone for 13 weeks. We’re very proud of him and we know he’ll do fine. He was already physically preparing well in advance and was out running around with a backpack full of rocks. Needless to say he’s taking this seriously. I guess seriousness, intensity and passion run in the family.

As for us, we’re dealing with the big wait. We’ve gotten letters in the postal mail, the only form of communication at this phase in the process. Who would have thought we’d ever see a handwritten letter from one of our kids! Seems so old school and yet so priceless. The written word still has a different feel to it.

We also got to meet various friends of his going into the military. All I can say is that it’s a fine bunch of young men (we didn’t get to meet any women that had enlisted) that we got to meet and we ought to all be proud and thankful.

He signed on almost a year ago via a mechanism called
DEP (Delayed Enlistment Program). As a result of that, a couple of great things happened:
  • He got his pick of what area to specialize in (also supported by his test scores)
  • He gets service credit for the time leading up to actual entry
  • He got his parents mentally prepared

DEP did require parental approval as he was a minor at the time. The military is really quite selective these days. Contrary to what you might be hearing, there is not a shortage of applicants and the military branches are selective. In the Marines, infrantry is really hard to get into these days.

Knowing his interests in our country and that we have never been there, we went to Washington DC this summer. It was a truly unique and overwhelming experience. We started with a DC based
Segway tour to get a feel for the surroundings and did a whole lot of sightseeing. One of the special unexpected surprises that we’d highly recommend is the National Museum of the Marine Corps. It’s an amazing tribute to the U.S. Marines and it surpassed any expectations we had prior to seeing it. It’s near Quantico, VA and it’s a must see 120,000 square foot structure. More on that trip in a future article.