<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8947416008886820462</id><updated>2011-10-11T17:34:25.377-04:00</updated><category term='Toronto'/><category term='CP24'/><category term='virtualization'/><category term='cancer'/><category term='Garden of Hope'/><category term='Microsoft'/><category term='live'/><category term='SmartWorkflow'/><category term='sony'/><category term='Visable Vote'/><category term='privacy'/><category term='acebook'/><category term='phone'/><category term='Kellman Meghu'/><category term='safety'/><category term='hope'/><category term='troubleshooting'/><category term='travel'/><category term='Homepage'/><category term='Air Canada'/><category term='City Pulse'/><category term='family'/><category term='internet'/><category term='next generation'/><category term='performance'/><category term='xbox'/><category term='firewall'/><category term='facebook'/><category term='hack'/><category term='application control'/><category term='SecTor'/><category term='radio'/><category term='next gen'/><category term='security'/><category term='DLP'/><category term='IPS'/><category term='shit'/><category term='CHCH TV'/><category term='policy'/><category term='cloud'/><category term='heretic'/><category term='rootkit'/><category term='softwareblade'/><category term='Provider-1'/><category term='nat'/><category term='flying'/><category term='interview'/><category term='iPhone'/><category term='bandwidth'/><category term='Conficker'/><category term='Bob Cowan'/><category term='twitter'/><category term='check point'/><category term='entertainment'/><category term='septic'/><category term='insanity'/><category 
term='Bell'/><category term='Paul Everton'/><category term='myths'/><category term='digging'/><category term='data'/><category term='enRoute'/><title type='text'>Kellman Meghu runs a Kill -HUP command</title><subtitle type='html'>Because everything should get a chance to start again</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>32</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-3377598661024014331</id><published>2011-09-09T22:48:00.000-04:00</published><updated>2011-09-28T20:48:20.817-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='application control'/><category scheme='http://www.blogger.com/atom/ns#' term='next generation'/><category scheme='http://www.blogger.com/atom/ns#' term='DLP'/><category 
scheme='http://www.blogger.com/atom/ns#' term='next gen'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='softwareblade'/><title type='text'>Next Generation Policy Management</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;&lt;center&gt;The Movie version of this blog for the ADD generation.&lt;/center&gt; &lt;center&gt;&lt;iframe allowfullscreen="" frameborder="0" height="415" src="http://www.youtube.com/embed/Nei-jPpZCGo?rel=0" width="520"&gt;&lt;/iframe&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 18.0px;"&gt;&lt;/div&gt;&lt;/center&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 18.0px;"&gt;There is a lot of talk in security about ‘next gen’.  This use of the term ‘next gen’ implies we have something new and beyond what we had before.  That it’s somehow a colossal leap forward and unlike anything we have seen or heard of before.  And when you finally rip the cover off of the shiny new ‘next gen’ security solution, what do we have?  Well, the same challenges, but hopefully you at least found more visibility, and policy control options than you did before.  Now the question is, what do we actually do with these strange new ‘abilities’?  What is so ‘next gen’ about your security?&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 18.0px;"&gt;First off, I thought ‘next gen’ was overused 20 years ago with Star Trek, but it still seems to resonate with everyone.  Marketing aside, in most cases you can reduce this overused moniker to a rather rudimentary feature in most firewalls today, application identification.  
What I find ironic is that this feature, in and of itself, is not new at all.  What is new about it is the ability to branch out and see applications that don’t have a defined RFC or common protocol agreement, but the act of identifying traffic based on heuristics, signatures, protocol formats, etc, is far from new.  It’s so old and been done to death, I can’t help but smirk when people talk about application control like it’s new.  And if your ‘next gen’ security device is defining ping as an application, then I have some disappointing news for you; I was deploying ‘next gen’ firewalls in the nineties, albeit with not nearly the number of applications you have today.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 18.0px;"&gt;There is no magic feature that suddenly removes the requirement for you to manage your risk with process and procedures.  You suddenly don’t have to do audit and control.  What these features are giving you is better visibility, and theoretically better control over what your users are doing, but let’s not forget what your solution as a whole is still trying to do.  Manage risk, protect data, audit activity.  We don’t need a ‘next gen’ feature.  
We need ‘next gen’ policy management.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 16.0px Courier; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;b&gt;How We Always Did It&lt;/b&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://farm7.static.flickr.com/6018/6189404128_b2c8d07c27.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img alt="Traditional Policy" border="0" height="240" src="http://farm7.static.flickr.com/6018/6189404128_b2c8d07c27.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;u&gt;&lt;/u&gt;&lt;br /&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Traditional policy is based on a simple approach of defining access control based on IP.  We define networks by the IP addressing they use, and as long as someone doesn’t move around too much, or change IP, we can track them just fine.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Of course this view of policy management is antiquated, as it is a security level that is fundamentally dependent on how much physical control you have over what can connect to your network.  If you have already invested quite heavily in some type of NAC (Network Access Control) solution, you will probably be able to get away with IP based access for at least a little while longer.  But it is going to get very ugly to manage as time goes on.  
As your organization designs and adopts more agile computing options, things will start to change quicker than your security policy can adapt.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 16.0px Courier; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;b&gt;Security Policy of the Future&lt;/b&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;The popularity of mobile devices, coupled with computing devices like tablets, has equated to people having many devices, and therefore, many IPs.  Managing IP based access with a constantly changing array of devices in the user base quickly becomes unmanageable and therefore, insecure.  New applications, coupled with new mobile devices, make keeping up with policy change requests more and more ugly.  If the requests keep coming in based on people and their devices, and your final policy is compiled based on IP, you are already in a lot of trouble with exposure you won't even see, until it’s too late.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;And it’s actually worse than this, because these new and exciting devices are coming into the office from the home too, without being validated, secured or even looked at.  Users are bleeding their personal devices all over your network; they take work home, they bring home to work.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Now let's consider the impending adoption of IPv6 (yes, it's going to happen sooner or later).  Are you going to continue building rules based on your network of a billion or so IPs?  Does your policy account for the fact that an IPv6 device could actually have many IPs connected to many networks at any given time?  
And come audit time, are we going to be looking over whole netblocks of IPv6 addresses and have a quick way to validate no one is accessing applications or data they shouldn’t?  Not without a whole lot of pain and cost under an IP based security policy.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 16.0px Courier; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;b&gt;Identity Awareness&lt;/b&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Knowing who your users are is critical to managing a security policy.  Knowing what IP they are using, not so much.  If we are getting policy requests in a business language that talks about people, then you are beyond IP based control.  Defining policy based on user access is not just the logical choice, but the only way to manage access moving forward.  And that’s just for starters.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Remember all those devices we are acquiring?  It's not enough to know who is accessing the data; you had better be able to define what machine they are accessing from.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 16.0px Courier; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;b&gt;Device Control&lt;/b&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Knowing what devices your users are on allows you to make better security policy decisions.  For example, a user on their corporately controlled and encrypted laptop should be allowed differentiated access from the same employee on their iPhone.  
This also allows you to track what devices have accessed what data, so if you need to determine where data was lost from, you already have a defined limit on the number of devices and people that could access that data.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Consider how powerful the addition of this parameter can make your security policy.  The CEO is allowed to access portal versions of some applications from his iPhone, and all the critical financial data from the corporately controlled, encrypted and highly secured desktop at the company headquarters.  If the CEO were to lose their phone, and an attacker was able to extract a login password from the device, they would still be without access to the more sensitive data, since it requires both the login and a specific identified device.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;img alt="Users and Devices" height="375" src="http://farm7.static.flickr.com/6165/6188885041_424a519db3.jpg" width="500" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="font: 16.0px Courier; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;b&gt;How Does Application Control Help?&lt;/b&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;As long as we are getting rid of IP based identification, let’s do something about getting rid of TCP port based identification of applications.  Identification of application activity is not a new function of a security device, as I have mentioned.  The ability to detect ssh services attempting to run over port 80 (http), for example, has existed for quite some time.  But the ability to identify applications that are not defined by standards and RFCs, applications like the proverbial Web 2.0 that have crept into the enterprise, is a powerful addition to a next generation policy.  
Moving forward, it is important that we are providing access, not just to a service port, but to the application itself.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img alt="Unified Web Apps" height="375" src="http://farm7.static.flickr.com/6171/6189404670_ff57ff2562.jpg" width="500" /&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Having a flood of applications coming and going doesn't help if we don't add one more dimension to this policy, and that is the user. &amp;nbsp;We need a way for the user to interact with the security system, not to educate a user on acceptable use, but to take feedback from the user so new business opportunities with applications are not missed. &amp;nbsp;Make real-time user feedback part of your next generation policy, and you will truly have application control.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;But don't get too far ahead of yourself; there is a danger in depending completely on the feature of application control. &amp;nbsp;In order for the device to determine the application being used, it must allow the connection to be set up, and initial data to pass, before qualifying the application. &amp;nbsp;This creates two risks, one, that someone could scan through every open port on the remote server, even if your intention was to only allow a single service. &amp;nbsp;For example, defining the http application on a server that has other ports open, like remote desktop for management. 
&amp;nbsp;By just defining the application, and not access rules with it, a remote attacker could probe and determine the remote desktop service is there, simply by pretending to send web calls to all the ports on a remote system.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Application control doesn’t mean people will no longer be able to use applications they shouldn’t, it just means we have a new game of cat and mouse.  As fast as our security devices identify applications, watch what happens when people get into spoofing application signatures.  It doesn’t solve all our problems, and it is not infallible, so there will always be the need for some element of basic network control. &amp;nbsp;But we also need to add another parameter to our policy, one that gives us another layer of protection.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 16.0px Courier; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;b&gt;Identity + Device + Application = Not Enough&lt;/b&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;With all this information at our disposal to create policy, you would think this would provide all you need to enforce a complete security policy, but unfortunately we are still ignoring the most critical element.  Let's remember what all this effort is for, and that is protecting the data within your organization.  When you combine access control based on people plus machines, with the identification of applications that are accessing, sending and manipulating data, the final piece to create a complete policy is the ability to analyze the data being transferred to ensure the applications are not leaking or sharing information they should not be.  
In short, let's go back to basics and ensure we have a policy around not just what applications people can use, but what data these applications are allowed to use.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 16.0px Courier; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;b&gt;Who Touched My Data?&lt;/b&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;At the core of any security policy should be the control of the flow of data.  As such, focusing on the data of any type of application ensures that the applications we allow into our organization are following the policy and rules around what is permitted when it comes to the flow of information.&lt;/div&gt;&lt;img alt="Data Loss" height="375" src="http://farm7.static.flickr.com/6180/6188886007_ef32bb3eca.jpg" width="500" /&gt;&lt;br /&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;br /&gt;If an application in your environment shows itself to be rather innocuous, we tend to ignore it after seeing it.  Even after you have identified an application, we still need to continue watching, not just the application, but the data it is handling.  If it is a low risk, low impact application, it should never be touching or revealing sensitive information.  By getting back to the root of our risk, the data, we ensure a policy that goes beyond the user, the machine, the IP, the application and right to the data.  
Data Loss Prevention is not just about blocking what you perceive to be sensitive data, it is about watching what your applications are doing with the data they are handling.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 16.0px Courier; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;b&gt;Next Generation Policy Control&lt;/b&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;By combining information about people, and the devices they use, with the applications they are allowed to run, and finally, what data these applications are allowed to access and modify, a cohesive policy focused on the critical asset, your data, can be created and managed.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;Your migration to a next generation policy should include the ability to blend requirements as you evolve your change requests to work closer with the business language.  Start by bringing in User/Device options to be used with or without IP.  Keep in mind IPv6 hasn’t exactly hit us in the head, and if you have a NAC solution, adding an extra layer of validation when you are not positive about the new options can actually make this a smoother transition.  You have six factors to consider when creating a next generation rule.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;span style="text-decoration: underline;"&gt;&lt;i&gt;Access Rule = (User+Device) else/+ IP ; (Application) else/+ PORT + (Data Type)&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;br /&gt;This will start the process, allowing you to migrate fixed IP addresses to users and devices.  
Keep in mind devices apply to servers as well, and you can create access rules in both the source and destination that are defined by the device and user, not just an IP.&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;I believe this will evolve you to the point where network based decisions are no longer part of the security definition, and at that point, you will be into a next generation of something useful, policy management.  You have extracted the dependence on network design from the security posture, and as such freed your infrastructure to upgrade, downgrade, shrink, expand, try IPv6, etc.  The security is built a few layers up, giving you the flexibility you need to make your infrastructure as dynamic as possible.  In essence, we stop thinking about managing security rules, and focus on creating security roles around 4 defining parameters.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 28.0px;"&gt;&lt;span style="text-decoration: underline;"&gt;&lt;i&gt;Access Role = (User+Device) ; (Application) + (Data Type)&lt;/i&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="text-decoration: underline;"&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 18.0px;"&gt;Removing the confines of IP based security rules opens up an agile security solution that allows you to create policy independent of the network design.  Imagine the flexibility and freedom for the security team, if the policy they are managing is all about security, and not about network engineering.  
And how good will the network engineering team feel about being able to make changes to the physical infrastructure, without having to consult and validate those changes with the security team?&lt;/div&gt;&lt;div style="font: 14.0px Helvetica; margin: 0.0px 0.0px 0.0px 0.0px; text-indent: 18.0px;"&gt;Now imagine how you will deal with virtualization, cloud computing and an ‘app for that’ world without a next generation policy design.&lt;/div&gt;&lt;img alt="Next Generation Policy" height="375" src="http://farm7.static.flickr.com/6177/6189406762_5e9216e3dd.jpg" width="500" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-3377598661024014331?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/3377598661024014331/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=3377598661024014331' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3377598661024014331'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3377598661024014331'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2011/09/meet-next-generation-same-as-old.html' title='Next Generation Policy Management'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://img.youtube.com/vi/Nei-jPpZCGo/default.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-3589564095355835587</id><published>2011-02-06T16:44:00.010-05:00</published><updated>2011-02-07T09:00:13.329-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='softwareblade'/><category scheme='http://www.blogger.com/atom/ns#' term='acebook'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Identity Awareness</title><content type='html'>I realize I kind of glossed over the whole Identity Awareness feature in R75, for the last video on app control.  Don't underestimate how powerful this new object option is in crafting a policy that applies to real people, with real access requirements.  Here is a much closer look at the features and setup, and still simple enough that I only need 6 minutes of your time to make you an expert in user based policies.  
This feature is not just for application control, it works as part of a traditional policy rulebase for an almost NAC like experience between security zones.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.youtube.com/watch?v=A5YIqoAZET8"&gt;Link to video.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe title="YouTube video player" width="640" height="390" src="http://www.youtube.com/embed/A5YIqoAZET8" frameborder="0" allowfullscreen=""&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-3589564095355835587?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.youtube.com/watch?v=A5YIqoAZET8' title='Identity Awareness'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/3589564095355835587/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=3589564095355835587' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3589564095355835587'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3589564095355835587'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2011/02/identity-awareness-in-r75.html' title='Identity Awareness'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://img.youtube.com/vi/A5YIqoAZET8/default.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-5690586387577132259</id><published>2011-01-07T00:34:00.005-05:00</published><updated>2011-01-07T01:00:53.102-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='bandwidth'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Application Control Test Run</title><content type='html'>Let me just get this out of the way; sorry about the intro, I could not resist, and Apple makes it so quick and easy to do.  &lt;br /&gt;&lt;br /&gt;Otherwise, for an introduction to the Application Control feature in the software blade, and a look at what my family is subjected to for network security, welcome to my home network.&lt;br /&gt;This is all done with the default plug-and-play license that gives you 15 days to test run the whole thing, so I thought I would subject my family to it and see what I would find, capture it, and share a quick tip on managing the information.  Although not used here, this version of Check Point (R75) has the ability to work off of a mirror port, allowing you to see how the blades like DLP and application control react to real world traffic.  A handy way to evaluate the tool.&lt;br /&gt;&lt;br /&gt;My wife and children would describe the experience as 'totally creepy' when I would ask how their score in YoVille was going, or if they were all done watching videos on YouTube for the night.  It did have an odd sense of stripping away privacy, but this begs the question, what is your expectation of privacy?  
I hope none, it will save you from disappointment.&lt;br /&gt; &lt;br /&gt;&lt;object width="640" height="385"&gt;&lt;param name="movie" value="http://www.youtube.com/v/9whVXT68blM?fs=1&amp;amp;hl=en_US"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/9whVXT68blM?fs=1&amp;amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-5690586387577132259?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://appwiki.checkpoint.com/appwikisdb/public.htm' title='Application Control Test Run'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/5690586387577132259/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=5690586387577132259' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5690586387577132259'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5690586387577132259'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2011/01/application-control-test-run.html' title='Application Control Test Run'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-5019732030008801207</id><published>2010-12-19T15:48:00.003-05:00</published><updated>2011-01-06T22:52:43.787-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='insanity'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>I get spammed with a little help from my friends.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/TSaN1W0ZzkI/AAAAAAAAAN0/92a_BlFNZVQ/s1600/Photo%2BJan%2B06%252C%2B10%2B48%2B30%2BPM.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/TSaN1W0ZzkI/AAAAAAAAAN0/92a_BlFNZVQ/s400/Photo%2BJan%2B06%252C%2B10%2B48%2B30%2BPM.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5559286737833414210" /&gt;&lt;/a&gt;&lt;br /&gt;I don't think the click-jacking scams/spam are ever going to stop.  People like filling out surveys and believing they will win things.  That's ok, but I'm going to have to do some online housecleaning next year based on this, and if you could help by proactively dropping me as a friend in advance it would save me a ton of time.  Thanks online friends, you're the best.  
I have included an easy to answer quiz to help you figure out if we should be continuing our online relationship.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-5019732030008801207?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/5019732030008801207/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=5019732030008801207' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5019732030008801207'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5019732030008801207'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2010/12/i-get-spammed-with-little-help-from-my.html' title='I get spammed with a little help from my friends.'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_qknjeSNjEHU/TSaN1W0ZzkI/AAAAAAAAAN0/92a_BlFNZVQ/s72-c/Photo%2BJan%2B06%252C%2B10%2B48%2B30%2BPM.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-3619214939464487635</id><published>2010-12-05T19:00:00.002-05:00</published><updated>2011-01-07T00:32:39.107-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Air Canada'/><category scheme='http://www.blogger.com/atom/ns#' 
term='travel'/><category scheme='http://www.blogger.com/atom/ns#' term='entertainment'/><category scheme='http://www.blogger.com/atom/ns#' term='enRoute'/><category scheme='http://www.blogger.com/atom/ns#' term='flying'/><title type='text'>enRoute with Air Canada</title><content type='html'>How to maximize your Air Canada in-flight entertainment system experience.&lt;br /&gt;&lt;br /&gt;I don't know why I'm telling you this, but I travel enough to have used and abused the Air Canada in-flight entertainment options, and have even helped other passengers navigate the system.  So if you ever casually fly AC, this might save you some time, and frustration.  Not to mention they hide the really good stuff, and you don't want to miss an opportunity to forget you are boxed into a little seat for an hour or six.&lt;br /&gt;&lt;br /&gt;I'm not trashing it; if you are trapped in a cramped little seat for hours with nothing to do, this thing just might help you keep your sanity.  Or push you over the edge if you don't know a few things going into this.  The biggest is, it's slow and clunky.  This is not your iPhone; take your time pressing the buttons, it takes time to respond to each press.  You will notice a little arrow icon on the screen.  You are not pressing buttons so much as moving that little mouse around and tapping to click.  Rub your finger around on the screen, and you will see the little arrow lag around the screen with you.  And sometimes it is off a little, maybe up and a bit to the right from where your finger is.  Don't get too hung up on fixing it, just use your finger position to drag that mouse around to the selection you want; it's just to get to the movies/shows/sports, etc.  Who cares if it's a little off.&lt;br /&gt;&lt;br /&gt;You want to get the system going as soon as you board.  Yes, it's that slow, and I'm talking as soon as the system becomes available.  
Sometimes it sits and teases you with this;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/TSah0f0WCzI/AAAAAAAAAN8/V2lvV6WYikc/s1600/Photo%2BNov%2B27%252C%2B1%2B04%2B27%2BAM.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/TSah0f0WCzI/AAAAAAAAAN8/V2lvV6WYikc/s400/Photo%2BNov%2B27%252C%2B1%2B04%2B27%2BAM.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5559308713301773106" /&gt;&lt;/a&gt;&lt;br /&gt;And won't respond or react to anything it does.&lt;br /&gt;&lt;br /&gt;Upon entering your seat, if ready (you will see the touch anywhere to begin message) &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/TSajlSc6NRI/AAAAAAAAAOE/jJUHMTnwMPI/s1600/Photo%2BNov%2B27%252C%2B1%2B04%2B53%2BAM.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/TSajlSc6NRI/AAAAAAAAAOE/jJUHMTnwMPI/s400/Photo%2BNov%2B27%252C%2B1%2B04%2B53%2BAM.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5559310651039036690" /&gt;&lt;/a&gt;&lt;br /&gt;touch the screen to start up the selection menu.&lt;br /&gt;&lt;br /&gt;While taking your seat and getting settled, click through the menu and select a show(TV) or movie of your choosing.  
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/TSakTWPzz8I/AAAAAAAAAOM/BKlGZvMpEw4/s1600/Photo%2BNov%2B27%252C%2B1%2B05%2B12%2BAM.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/TSakTWPzz8I/AAAAAAAAAOM/BKlGZvMpEw4/s400/Photo%2BNov%2B27%252C%2B1%2B05%2B12%2BAM.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5559311442331815874" /&gt;&lt;/a&gt;&lt;br /&gt;Some people miss that if you select the arrow below the first screen of TV selections, you get more options, including HBO shows, which I find perfect for those shorter trips.  So many people miss this the first time, and out of frustration at trying to find something they might like to watch in this slow, clunky system, they just select the first thing that comes up.&lt;br /&gt;So by noticing that little "more" arrow at the bottom, you can also find this:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/TSakuxbGMgI/AAAAAAAAAOU/72ETmx5LwIQ/s1600/Photo%2BNov%2B27%252C%2B1%2B05%2B37%2BAM.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/TSakuxbGMgI/AAAAAAAAAOU/72ETmx5LwIQ/s400/Photo%2BNov%2B27%252C%2B1%2B05%2B37%2BAM.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5559311913483383298" /&gt;&lt;/a&gt;&lt;br /&gt;When you find something to your liking, hit play immediately.  Don't worry about headphones or being settled, just get it playing and leave the headphones disconnected for now.  All shows start with advertisements that are blasting at full volume.  
I have seen many people rip headphones out of the ear in anguish at the painful volume the system inflicts on you.  There is no volume control, or any control for that matter, during commercials.  It's like they are committing you to watch, but with the opposite real effect.&lt;br /&gt;&lt;br /&gt;Get settled for the flight and watch for when your selection actually starts playing.  When it does, touch the screen and hit pause.  If it is taking particularly long to board, you can jack in your headphones and watch a bit of your movie or show, but get ready since once the plane starts rolling they will interrupt your show, display the usual welcome aboard, here is the safety features demo, and then the in flight entertainment system will reset itself.  Don't panic, we will get you right back into the show, once you sit through their instructional video.  I have seen it enough times now I sometimes mockingly recite the words, including the French part, for the amusement of those around me.  Or maybe they are not amused, either way this required watching is burned into my brain like a bad song that just won't go away.  I'm just trying to get it out of my system so I can shed the mind numbing repetition.&lt;br /&gt;&lt;br /&gt;Once it is up again, you will be in takeoff position and only allowed to use the in flight system with earbud headphones (you brought earbuds right?) so go ahead and go right back to your last selection you were watching before they so rudely interrupted you to share information that might save your life. Make sure it is the same show or movie you were watching, work your way through the menu to find your selection. &lt;br /&gt;&lt;br /&gt;No fears of keeping your earbuds connected for the obnoxiously loud commercials now, the system will detect that you were already watching your selection and will offer to resume where you left off.  
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/TSalMgakLZI/AAAAAAAAAOc/f2-M70seg9g/s1600/Photo%2BNov%2B27%252C%2B1%2B06%2B38%2BAM.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/TSalMgakLZI/AAAAAAAAAOc/f2-M70seg9g/s400/Photo%2BNov%2B27%252C%2B1%2B06%2B38%2BAM.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5559312424313826706" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Go ahead and watch your show or movie until the seatbelt sign turns off.  At this point keep watching if you like, or if you have seen most of the AC inflight entertainment options already, hit pause and switch to your preferred device.  You can save the remaining time on the show for landing.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;-&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-3619214939464487635?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/3619214939464487635/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=3619214939464487635' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3619214939464487635'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3619214939464487635'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2010/12/enroute-with-air-canada.html' title='enRoute with Air 
Canada'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_qknjeSNjEHU/TSah0f0WCzI/AAAAAAAAAN8/V2lvV6WYikc/s72-c/Photo%2BNov%2B27%252C%2B1%2B04%2B27%2BAM.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-4313868227972135261</id><published>2010-02-27T05:01:00.004-05:00</published><updated>2010-02-27T05:38:49.712-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='performance'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='IPS'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='softwareblade'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>IPS Care and Feeding</title><content type='html'>I have an example for you around using the new IPS software blade to detect and prevent attacks.  The IPS Software blade is not just SmartDefense renamed, it is a new engine that can take advantage of significant performance gains, as well as IPS specific features like packet capture.  
This new enforcement for attacks also includes new management features to allow the administrator to search through attacks, link them back to original protections and make adjustments for their environment.  This is an example of the workflow used to monitor an attack, enable packet capture as needed, and eventually tune the detection.  This is only a small example of the capabilities in the IPS Software blade available in R70.2 (and later).&lt;br /&gt;&lt;br /&gt;&lt;object width="640" height="385"&gt;&lt;param name="movie" value="http://www.youtube.com/v/CkzaftHA0y4&amp;hl=en_US&amp;fs=1&amp;rel=0&amp;color1=0x5d1719&amp;color2=0xcd311b"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/CkzaftHA0y4&amp;hl=en_US&amp;fs=1&amp;rel=0&amp;color1=0x5d1719&amp;color2=0xcd311b" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;If you are hesitant to test these features in production, for fear of impacting legitimate business traffic, we have some big differences in the new IPS engine that might help ease your mind.  First off, if performance is a concern, you can turn on a feature to have the IPS turn off inspection in the event your memory or CPU becomes overloaded.  You may need to look at a hardware upgrade if this happens regularly to you, but at least you can find out without taking your network down in the process.&lt;br /&gt;&lt;br /&gt;The next fear is being able to use or test the IPS in detect only mode.  Since SmartDefense was so tightly tied to the firewall protocol inspection, it was not always clear when or if it was SmartDefense or just the firewall engine that was stopping traffic.  And turning off SmartDefense was not always possible.  
With the IPS software blade, you can quickly and easily turn your IPS into an IDS if you need to confirm the IPS engine is not blocking any malicious traffic.  Instead, it simply alerts you to what is detected.  Here is an example, with real attacks flowing through the firewall.  With a policy push we can switch between detect and enforcement on the fly.&lt;br /&gt;&lt;br /&gt;&lt;object height="385" width="640"&gt;&lt;param name="movie" value="http://www.youtube.com/v/dqgo1OCUZe8&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x5d1719&amp;amp;color2=0xcd311b"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/dqgo1OCUZe8&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x5d1719&amp;amp;color2=0xcd311b" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="385" width="640"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;I hope to create more movies around the IPS; I have already found it to be effective and informative about the traffic in my network, and have attached it to the Internet for further testing.  
If there is something specific you would like to see, please let me know, and stay tuned for another exciting episode in the continuing saga of my homenet IPS.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-4313868227972135261?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.checkpoint.com/products/softwareblades/intrusion-prevention-system.html' title='IPS Care and Feeding'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/4313868227972135261/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=4313868227972135261' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/4313868227972135261'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/4313868227972135261'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2010/02/ips-care-and-feeding.html' title='IPS Care and Feeding'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-2353183131036181158</id><published>2010-02-21T23:00:00.001-05:00</published><updated>2010-02-21T23:04:12.096-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='performance'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category 
scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='bandwidth'/><category scheme='http://www.blogger.com/atom/ns#' term='live'/><title type='text'>Do I Get What I Pay For?</title><content type='html'>I did some testing of my ISP's claim of 10 Mbps as the bandwidth I'm getting on the internet.  My day to day traffic is not usually anywhere near 10 Mbps, but when I need it, is that kind of speed actually there for me to use?&lt;br /&gt;&lt;br /&gt;It's not that I don't believe they are capable of providing the service, I'm just not sure how much I trust them; after all, we are talking about the same industry that regularly alters and squashes traffic for their own reasons, without having to explain themselves or even expose what they are doing.  Also the same group that spies on us at our government's or the local entertainment industry's whim.  
But I'm not really a political person, I'm much more impressed with bandwidth, so let's make sure I'm actually getting what I pay for.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object height="385" width="640"&gt;&lt;param name="movie" value="http://www.youtube.com/v/WVteFE4g31Q&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x5d1719&amp;amp;color2=0xcd311b"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/WVteFE4g31Q&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x5d1719&amp;amp;color2=0xcd311b" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="385" width="640"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-2353183131036181158?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/2353183131036181158/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=2353183131036181158' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/2353183131036181158'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/2353183131036181158'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2010/02/do-i-get-what-i-pay-for.html' title='Do I Get What I Pay For?'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-7939277987251109076</id><published>2010-02-09T22:10:00.002-05:00</published><updated>2010-02-20T15:09:55.263-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='softwareblade'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='SmartWorkflow'/><title type='text'>SmartWorkflow</title><content type='html'>Check Point release R70.2 includes a new &lt;a href="http://www.checkpoint.com/products/softwareblades/architecture/index.html"&gt;software blade&lt;/a&gt; called SmartWorkflow that enables not only visual change tracking of your security policy, but also the ability to enforce a change control process requiring all changes to be reviewed by a second person before allowing the policy to be installed.  Depending on your requirements, there are two ways to deploy the SmartWorkflow software blade.&lt;br /&gt;&lt;br /&gt;The first mode is very easy to set up, and once enabled, you can start using it immediately.  This mode does not enforce policy approvals, but provides the administrator with visual tracking of all changes made.  How many times have you been interrupted at work, only to return and wonder where you left off?  
No need to wonder, SmartWorkflow provides the tracking you need.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center; font-weight: bold;"&gt;SmartWorkflow for Visual Change Tracking&lt;br /&gt;&lt;object height="405" width="660"&gt;&lt;param name="movie" value="http://www.youtube.com/v/gP-0Ea2geBs&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x5d1719&amp;amp;color2=0xcd311b&amp;amp;border=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/gP-0Ea2geBs&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x5d1719&amp;amp;color2=0xcd311b&amp;amp;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="405" width="660"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-weight: normal;"&gt;&lt;br /&gt;SmartWorkflow also has the ability to enforce change control, but requires a little more preparation for use.  You will need to create two types of administrators, one for building and creating policy change requests, and another with permission to approve those changes.  In addition, those with approval permission are not able to make changes to sessions they create or submit.  
This simple model ensures that no one individual can make a policy change without approval.&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;SmartWorkflow for Change Control&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;object height="405" width="660"&gt;&lt;param name="movie" value="http://www.youtube.com/v/XHUc3a0mxVA&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x5d1719&amp;amp;color2=0xcd311b&amp;amp;border=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/XHUc3a0mxVA&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x5d1719&amp;amp;color2=0xcd311b&amp;amp;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="405" width="660"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span style="font-weight: normal;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;Notice the mistake that is made when you forget that the admin who creates a session cannot approve it.  Define your roles ahead of time to keep the change procedure flowing.&lt;br /&gt;&lt;br /&gt;I hope these examples help you understand the setup and use of the SmartWorkflow feature.  Questions, comments and feedback are always welcome.  
With some planning, hopefully this feature will assist you in creating a change control procedure for your infrastructure.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-7939277987251109076?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.checkpoint.com/products/softwareblades/smartworkflow.html' title='SmartWorkflow'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/7939277987251109076/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=7939277987251109076' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/7939277987251109076'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/7939277987251109076'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2010/02/smartworkflow.html' title='SmartWorkflow'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-5953226379816412806</id><published>2009-12-02T23:59:00.004-05:00</published><updated>2009-12-03T11:23:14.221-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' 
term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='virtualization'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>Virtually Safe?</title><content type='html'>Are you using virtualization technologies in your network environment?  You are? Great.   Do you know why you are using virtualization?&lt;br /&gt;&lt;br /&gt;Most reasons I hear, which are all very viable, are things like saving energy by running less physical hardware.  Improved disaster recovery planning is always a good one.  Tools like &lt;a href="http://www.vmware.com/products/vmotion/"&gt;VMotion&lt;/a&gt; are invaluable to this.  But there is, fundamentally, a very good technical reason to look at using virtualization, and that is the upper limit of your server CPU.  &lt;a href="http://en.wikipedia.org/wiki/Moore%27s_law"&gt;We have hit it&lt;/a&gt;, and it's not going to get any bigger, better, badder.  Problem?  Not really, along comes &lt;a href="http://en.wikipedia.org/wiki/Multi-core"&gt;Multi-Core&lt;/a&gt;, and now we have many more CPUs to work with.  Which is great, if your application and operating system can take advantage of it.  And it's not always as simple as 'rewrite the application for multicore': some application jobs have to be run in a certain order, or need access to a specific piece of data, which limits the ability of multiple cores to translate into any kind of benefit.  You can't just re-write the application, you need to think of new ways your applications can take advantage of multiple CPUs.  Let's face it, your truly multi-core aware operating systems and applications are still a long ways away.  
But in the meantime, we have things like &lt;a href="http://info.vmware.com/content/GLP_VMwareVirtualizationProducts?urlcode=PaidSearch_Google_AMER-Can_AMER-Can_VI_Hero_VMware_Search_VMwareVirtualizationProducts&amp;amp;src=PaidSearch_Google_AMER-Can_AMER-Can_VI_Hero_VMware_Search_VMwareVirtualizationProducts&amp;amp;ossrc=PaidSearch_Google_AMER-Can_AMER-Can_VI_Hero_VMware_Search_VMwareVirtualizationProducts&amp;amp;CMP=KNC-google&amp;amp;HBX_OU=50&amp;amp;HBX_PK=VMwareVirtualizationProducts&amp;amp;gclid=CN6T18Pnup0CFdFL5Qodsho6hQ"&gt;VMware&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;VMware is by no means the only virtualization option out there, but for the purpose of this article, it will be the focus of discussion.  Plenty of other people can give you the gory details on what works best for your needs; the concepts behind the security of virtualization stay very much the same and are the focus of this discussion.  What essentially all these virtualization platforms are, is exactly that, a hardware platform, delivered as software.  Did you catch that?  The software is your hardware platform, and what you had better be looking for in a good virtualization platform is the ability of that platform to extrapolate and abstract the hardware, such that applications written for single core/single CPU systems start to perform that much better when you deliver the hardware through software.  The technical challenge it should fundamentally address is your ability to scale up performance, regardless of the software, or for that matter, the network, since you collapse that into the virtualized platform as well.&lt;br /&gt;&lt;br /&gt;And everything you did to secure your applications on the network is going to change.  Everything?  Yes, everything.  I used to think it was all the same, and don't get me wrong, there are some fundamentals that will follow you through, but let me introduce you to the 3 Stages of Virtualization that a lot of people are going through.  
How fast you progress through them is very unique to each person adopting virtualization as a hardware strategy.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Stage 1: Check out my cool new toy&lt;/span&gt;&lt;br /&gt;Every project has a stage one.  Kick the tires, check the engine.  You know the drill.  You need to figure out if this virtualization platform will really deliver and scale your critical applications.  You won't really care about security at this stage.  You will think about it, and probably call your vendors in for an intense discussion about virtualization security strategies.  But you don't really need anything yet, so keep your wallet in your pocket.&lt;br /&gt;You can tell if you are at this stage if you have a sectioned off part of your physical network just for your virtualization platforms.  It will look kind of like a virtualization DMZ.  You will most likely have your usual physical firewall and IPS/IDS in front of it, maybe even mapping a few VLANs across to leverage some type of 'virtualization' of security interfaces, but you won't really trust it, and we will hear terms like pre-prod or staging thrown around while you work out the bugs in your applications and build your virtual machine deployment process.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Stage 2: It's all the same, but different somehow.&lt;/span&gt;&lt;br /&gt;You will know when you are in this stage when things start getting serious around security choices.  You will have replicated everything you have done in the physical world in your new virtual infrastructure, and you will have probably plugged a few virtual security devices in between things.  And this will probably run very well for a while, but eventually a problem will emerge.  
By replicating your security zones you can end up reconstructing your layer 3 routed networks, insert traditional or virtualized versions of the IPS, Firewall, DLP, etc, and off we go, doing what we always have, what we know and love, and what requires the least thought and effort from security.  Don't get me wrong, this is a great way to move into virtualization, while reducing the risk imposed by a redesign of network and policy.  But it won't last, and I'll tell you why.&lt;br /&gt;Beyond hardware abstraction for performance, there is the possibility of leveraging a software based hardware platform (a mouthful, I know, but I had to say it) for rapid recovery, deployment and network agility.  But what happens when your VMware team starts vMotioning whole servers around your Layer 3, policy controlled network?  I'm willing to bet your physical world security policy design never considered the possibility that servers could just be picked up and dropped anywhere else in the network.  And forget security policy, what about plain old network access?  What happens to your web and database servers if the DNS server is just plucked up and moved away?  They stop working, along with everything else in your virtual network.&lt;br /&gt;Unless of course you have your network and security team standing by to provision via some mechanism (virtual or real), and ensure the servers land in an authorized and safe place.  You still have a lot of the same problems you did in the real world, but you know how to deal with those.  There are whole products around maintaining networks like we did in the physical world, keeping the separation of duty and overall control with the respective groups.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Stage 3: One step backward, then two steps forward.&lt;/span&gt;&lt;br /&gt;You have to think of how we want a virtualized network to act.  
If we want to be able to move server applications around, without impact to the network, and from that build an endless flow of hardware scalability, as you add virtualization servers to the mix, you are going to have to build a radically different type of network.  But it's not a new idea, it's a very old one, and an idea we thought of as very bad, not too long ago.  Just build one big large Layer 2 network, and drop all your server apps in together.&lt;br /&gt;At this point your network and security team just resigned over this idea with a letter that reads something along the lines of " . . . good luck with that."  I'm all for understanding how others are dealing with the challenges today, but I don't think it is a design we can continue to ignore, if we re-evaluate our expectations about virtualization security.&lt;br /&gt;And this is where you enter Stage 3, virtualization nirvana, but you have to change your expectation of a security solution.  It should have all the features of your traditional security, but we need to work at the hardware layer of your software.  Remember our software is now the hardware platform?  You need to plug your security into the &lt;a href="http://en.wikipedia.org/wiki/Hypervisor"&gt;hypervisor&lt;/a&gt;.  By inserting a solution that captures all traffic on all virtual ports, you can develop some unique security policies that are as dynamic as the nature of virtualization.  What about having a policy that not only attaches to an application virtual machine, but follows that virtual machine as it moves around the various physical systems used to scale up at an elastic speed?  It doesn't stop there.  Take a fresh look at your old problems.  Setting a default security policy so new machines are required to be authorized, monitored and audited when they come online.  Are you worried about IP spoofing?  Sure, but a simple interface policy across the hypervisor could take care of that.  What about virtual machine spoofing?  
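As an added illustration of the hypervisor-attached policy described above (this is not code from the post or from VMware): a toy model in which policy binds to the VM's identity rather than to its place on the network, a newly seen VM starts unauthorized, the source address is checked at the virtual port, a moved VM keeps its policy, and a cloned VM starts over as a new identity instead of inheriting the original's authorization. Every VM, host, role and address is constructed.

```python
"""Toy model of security policy attached at the hypervisor's virtual ports.
Added illustration only: not VMware code; every VM, host, role and address
below is constructed."""
from dataclasses import dataclass


@dataclass
class VM:
    uuid: str           # identity the policy binds to, not the IP or the host
    name: str
    assigned_ip: str    # address the hypervisor handed this VM
    host: str           # physical host it currently runs on
    role: str = "unauthorized"   # anything newly seen starts here


# Per-role policy: a VM's role, not its network position, decides what it may do.
ROLE_POLICY = {
    "unauthorized": {"allowed": set(), "audit": True},      # must be authorized first
    "web": {"allowed": {"http", "https", "dns"}, "audit": False},
    "db": {"allowed": {"sql", "dns"}, "audit": True},
}


class HypervisorFilter:
    """Sees every virtual port, so it decides for every VM on every host."""

    def __init__(self):
        self.vms = {}   # uuid -> VM

    def vm_seen(self, vm):
        """Default policy: a VM coming online is registered as unauthorized,
        whatever its name or IP claims; an operator must authorize it."""
        return self.vms.setdefault(vm.uuid, vm)

    def authorize(self, uuid, role):
        if role not in ROLE_POLICY:
            raise ValueError("unknown role " + role)
        self.vms[uuid].role = role

    def vmotion(self, uuid, new_host):
        """A move changes only the host; the policy follows the uuid."""
        self.vms[uuid].host = new_host
        return self.vms[uuid]

    def clone(self, source_uuid, new_uuid, new_name):
        """A clone is a new identity, so it does not inherit the source's
        authorization even though it looks identical on the wire."""
        src = self.vms[source_uuid]
        return self.vm_seen(VM(new_uuid, new_name, src.assigned_ip, src.host))

    def filter_egress(self, uuid, src_ip, service):
        """Decision for one flow leaving a VM's virtual port:
        (verdict, reason, audit_flag)."""
        vm = self.vms.get(uuid)
        if vm is None:
            return ("drop", "unregistered-vm", True)
        if src_ip != vm.assigned_ip:
            return ("drop", "spoofed-source", True)   # interface anti-spoofing
        policy = ROLE_POLICY[vm.role]
        if service in policy["allowed"]:
            return ("accept", vm.role, policy["audit"])
        reason = "not-authorized" if vm.role == "unauthorized" else "denied-by-role"
        return ("drop", reason, True)


def walkthrough():
    """Constructed sequence: new VM, authorization, vMotion, clone, spoof."""
    hv = HypervisorFilter()
    web = hv.vm_seen(VM("vm-0001", "web01", "10.10.1.10", "esx-a"))
    first = hv.filter_egress(web.uuid, web.assigned_ip, "http")   # not authorized yet
    hv.authorize(web.uuid, "web")
    after_auth = hv.filter_egress(web.uuid, web.assigned_ip, "http")
    hv.vmotion(web.uuid, "esx-b")
    after_move = hv.filter_egress(web.uuid, web.assigned_ip, "http")
    twin = hv.clone(web.uuid, "vm-0002", "web01-copy")   # same IP, same host, new uuid
    clone_verdict = hv.filter_egress(twin.uuid, twin.assigned_ip, "http")
    spoof = hv.filter_egress(web.uuid, "10.10.1.99", "http")
    return first, after_auth, after_move, clone_verdict, spoof
```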
If someone replicates a virtual machine but injects something new into it, what policy will this virtual machine inherit?&lt;br /&gt;&lt;br /&gt;Stage 3 is a new and exciting opportunity for us to fix some things at *(not really!) a basic level.  It's almost a do-over, and if you are going all the way, make sure you have considered all your options when it comes to virtualization security.  I'm not saying I have all the answers; we all still have a lot to learn about the new security challenges this presents.  I only recently came into Stage 3 myself, and have been rewriting this blog over and over recently because of that.  I am also sure at some point we will be discussing the impending Stage 4.  This is the stage where we all get together in about 10 years to discuss how to get our applications and data out of large virtual data farms in the sky.  But that is a story told many times before, and it will be again.  Take a macro look at computer evolution: we are moving back to the 'mainframe', and I suspect we will move away again one day.&lt;br /&gt;&lt;br /&gt;Or maybe Stage 4 is us really taking a new look at the underlying protocols we are using.  Time to strip the OS and reduce our virtual machines to one-click applications.  Dissolve the network and build a new system of access.  It really could be a fresh start for everything.&lt;br /&gt;&lt;br /&gt;*(I don't mean to imply that running and managing virtualization infrastructures is trivial at all.  They are not, and I hate all this marketing of virtualization like it's somehow magically simple.  
When humans interact with these systems, expect some complex designs to be set in motion to support real world needs.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-5953226379816412806?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/5953226379816412806/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=5953226379816412806' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5953226379816412806'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5953226379816412806'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/02/virtually-safe.html' title='Virtually Safe?'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-7485909377251695369</id><published>2009-10-18T12:56:00.001-04:00</published><updated>2009-10-18T15:26:39.444-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='iPhone'/><category scheme='http://www.blogger.com/atom/ns#' term='shit'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>Two Things I Really Hate About The iPhone</title><content type='html'>Don't get me wrong, I love my iPhone.  I'm addicted to it, and I find it a quantum leap forward in how a phone should look and act.  
Compared to my other phones (of which I have many) this is a minuscule list, but it is not perfect.  Here are some annoyances you should be aware of before you invest in one.&lt;br /&gt;&lt;br /&gt;1) Can't add custom sounds for things like SMS, voicemail, etc.&lt;br /&gt;I find this limitation bizarre.  I can create all the custom ringtones I want, my phone can play whole symphonies if you call, but for something like an SMS?  I have a choice of 6, and the least annoying one is the default, so I and every other iPhone user on the planet choose it.  Walking in a crowd I hear that default sound and check my phone, only to look around, see 5 others doing the same, and one person sheepishly tipping their iPhone to let the rest of us know it was him.  Is this by design so that Apple can help fellow iPhone users meet each other and lament the lack of SMS ringers?&lt;br /&gt;&lt;br /&gt;2) How the heck do I turn off SMS notifications on my iPhone?  I get a lot of SMS, but sometimes I don't have time to pay close attention to them.  I can turn off the sound, reduce the preview, but somehow I can't find any way to turn the overpowering notifications of SMS off.  This didn't bug me until having to furiously click close buttons for SMS notifications before I could get to the hang up button after a conference call.&lt;br /&gt;&lt;br /&gt;But let me be realistic, this is still the best design of mobile phone that goes above and beyond the call of duty to perform many functions, and perform them well.  I just find these items to be particularly annoying in an otherwise great phone.  
Is there a solution out there that does not include the word jailbreak?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-7485909377251695369?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/7485909377251695369/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=7485909377251695369' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/7485909377251695369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/7485909377251695369'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/10/two-things-i-really-hate-about-iphone.html' title='Two Things I Really Hate About The iPhone'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-6555084273002944950</id><published>2009-07-12T00:07:00.001-04:00</published><updated>2009-07-12T02:16:18.558-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='Kellman Meghu'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='shit'/><title 
type='text'>Blind Unquestioning Trust</title><content type='html'>The first album I ever asked for as a child was Fleetwood Mac's Rumours (it was all over the radio at the time and everyone was playing it).  I was probably about 6 or 7, and I remember asking my mom what the song 'Second Hand News' meant. Without missing a beat she told me it was about putting your cat outside to go to the bathroom.&lt;br /&gt;&lt;br /&gt;The chorus goes something like 'Won't you lay me down in the tall grass and let me do my stuff'.&lt;br /&gt;She then proceeded to tell me the repeated word through the chorus was actually 'meow', as in 'meow meow meow meow, meow meow meow meow' . . . etc., while the cat was cranking a loaf in the yard.&lt;br /&gt;&lt;br /&gt;Listen to it, you will see what I mean.&lt;br /&gt;&lt;br /&gt;Thanks to my mom's quick thinking, and her desire to avoid the sex talk with a 7 year old, I believed for years that Fleetwood Mac's song Second Hand News was about a cat taking a shit.</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/6555084273002944950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=6555084273002944950' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/6555084273002944950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/6555084273002944950'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/07/blind-unquestioning-trust.html' title='Blind Unquestioning 
Trust'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-8102908425832972016</id><published>2009-06-12T23:41:00.002-04:00</published><updated>2009-06-13T00:32:12.182-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Visable Vote'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='Garden of Hope'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Paul Everton'/><title type='text'>How Visable Vote will change the world</title><content type='html'>Paul Everton has written an application that could have a very positive impact to the world, if we the people, recognize what it represents for us.  I realize that is a pretty big statement to make, but this program has incredible significance to what it is capable of, and if it was ever to be leveraged on a mass scale, the benefits could profoundly change our society.   If something like this could have the adoption of a viral monkey peeing video, the internet would have truly been leveraged for its communications power, for the people, by the people. 
&lt;br /&gt;&lt;br /&gt;This program is &lt;a href="http://www.facebook.com/apps/application.php?id=46623352206"&gt;Visible Vote&lt;/a&gt;, and it puts in your hands, literally, the power to hold government accountable for the choices it makes on our behalf.  It also helps the user understand if the person they chose to represent them is really representing their best interests.&lt;br /&gt;&lt;br /&gt;We all live under a central bank system; you can research it yourself, but inevitably it puts the power to control whole societies in the hands of a few.  Will these few work to create a better world for society, or will the focus be on building a better world for themselves?  We have a government in place that is supposed to ensure the greater good is being looked after.  It should provide checks and balances, limiting the power of a few to be leveraged against the masses.  Essentially an audit process to ensure our freedoms and liberties are not being squashed at the whim of a few.  However, this system still puts the power to audit and verify in the hands of a few again, and we have to hope they follow through on those election promises that sounded so good at the time. &lt;br /&gt;&lt;br /&gt;Now in my world, working with computer security systems, some level of audit transparency exists, is even expected; it's just part of the process that ensures the integrity of the entire system used.  Why wouldn't anyone want this level of visibility into government actions?  If they are really working for us, then none of us have anything to worry about.  If something needs explaining, facebook and twitter are great platforms for getting the message out, and could even turn into a dialogue that helps we the people understand what a handful are doing when they make the choices they make regarding our lives.&lt;br /&gt;&lt;br /&gt;Technology changes things, and we have the ability to make this level of transparency happen.  
Would not the founding fathers be enthralled with a system that links the masses together, and truly harnesses the voice of many to speak to the voice of power and control?  Something like Visible Vote would allow the people that elect representatives to validate their actions on a daily basis, taking but a few moments and all done from the mobile phone in your hand.  In many areas an audit process is mandated by the government; what's wrong with making the people that elect them part of that process?&lt;br /&gt;&lt;br /&gt;Your vote may count, but your follow up on the people you vote for is critical.&lt;br /&gt;&lt;br /&gt;The question remains, will an application like Visible Vote bring out the social consciousness in the people, or will it confirm the complete apathy and distraction that pervades our culture?  If it's the latter, then we truly are getting exactly what we deserve; a culture too immersed in monkey peeing videos to even know or care what might be missing from all our lives.</content><link rel='related' href='http://visiblevote.us/iphoneinfo.php' title='How Visable Vote will change the world'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/8102908425832972016/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=8102908425832972016' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/8102908425832972016'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/8102908425832972016'/><link rel='alternate' type='text/html' 
href='http://kill-hup.blogspot.com/2009/06/how-visable-vote-will-change-world.html' title='How Visable Vote will change the world'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-5963285852026221724</id><published>2009-06-03T17:56:00.006-04:00</published><updated>2009-06-03T18:23:03.584-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='hope'/><category scheme='http://www.blogger.com/atom/ns#' term='Garden of Hope'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='cancer'/><title type='text'>The Garden of Hope</title><content type='html'>I was lucky enough to attend and capture, some of what happened at an event I can barely describe.  The video does not do justice to the atmosphere of cooperation that unfolded one sunny weekend.  If cancer has touched your life, you know the pain that comes with that.  
Here is a little goodness that comes along, giving us the hope we need.&lt;br /&gt;&lt;br /&gt;Pay it forward.&lt;br /&gt;&lt;br /&gt;&lt;object height="340" width="560"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ET6YApLNbdk&amp;amp;hl=en&amp;amp;fs=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/ET6YApLNbdk&amp;amp;hl=en&amp;amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-5963285852026221724?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.facebook.com/home.php?tab=2#/group.php?gid=79056224078&amp;ref=nf' title='The Garden of Hope'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/5963285852026221724/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=5963285852026221724' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5963285852026221724'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5963285852026221724'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/06/garden-of-hope.html' title='The Garden of Hope'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-1432671656515191618</id><published>2009-04-26T16:36:00.005-04:00</published><updated>2009-05-01T09:54:06.111-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Provider-1'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Creative Policy Control with Provider-1</title><content type='html'>&lt;div style="text-align: left;"&gt;&lt;b&gt;Ruling Your Network With An Iron Fist&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;If you are familiar with security policy management for network level enforcement, most of this blog should make total sense, even if you are not that familiar with &lt;a href="http://www.checkpoint.com/products/provider-1/"&gt;Provider-1&lt;/a&gt;.  If you don't already know what &lt;a href="http://www.checkpoint.com/products/provider-1/"&gt;Provider-1&lt;/a&gt; is, and are not involved in policy creation and management, you might want to check out some other articles here that are &lt;a href="http://kill-hup.blogspot.com/search/label/family"&gt;not so much about specific technologies&lt;/a&gt;.  I don't always talk shop, but sometimes I just can't help myself.&lt;/div&gt;&lt;br /&gt;I would like to address the creative side of network security policy management.  Right about now you are wondering if I really just said creative, and you are correct.  Let's get creative here, in planning our policy.  
P-1 offers a powerful tool in the ability to manage global policies that create hierarchies of security zones, but just because it can do this doesn't mean people always make the most of it.  This is the creative part.  You can manage policy in a hundred different ways, none of them wrong, so what is the best way to do it?&lt;br /&gt;&lt;br /&gt;Unfortunately I don't have that answer for you; I'm afraid you are going to have to figure that out for your own infrastructure.  There isn't one way to manage policy that is better than any other, unless you consider how it applies to the infrastructure you are managing, so take this all with a grain of salt, but I would like to present three simple global policy options to consider in your policy design process.  But before I do, we need to think about your overall policy strategy and how it's managed.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;A Word About Network Security Policies&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I am not going to tell you how to create your security policies.  If you have a process that works for you, move on to the next section, as that process is just as valid with global policy management as it is with your overall policy management.  If your policy organization could use a cleanup today, then global policy management isn't really going to buy you much.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Here is how I like to run my policies.  Groups.  Every rule is a grouping, and that means breaking your infrastructure down into manageable groups.  One organization I know does it with colours, and it works very well.  Red zone, blue zone, yellow zone classes of servers, networks and services.  Their policy change management is such that you request addition to the red, yellow and blue groups, not the addition of a rule.  
As a matter of fact, once you have a policy defined and in place, it should be a BIG deal to add a rule.  If that happens, it means you missed something.  Having that process to classify your assets, and the associated access/limits based on those classifications, is the key to turning your creative side into a working business process.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;Tips for Building Global Policies&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;1. Global Policies&lt;/div&gt;&lt;div&gt;&lt;br /&gt;It would not make sense to start with anything except the most basic application of global policies.  The idea is that you create a high level policy that is not pushed onto a security gateway, but merged into another policy management device: the customer, or what we commonly call in the P1 world the CMA (Customer Management Add-on).  The changes at the global level can enforce rules either before or after the policy the customer creates, giving you the option to create rules that are required (before) or a suggestion (after).  In the example below, the global policy on top is created with an access rule for the gateways and a block-all rule at the bottom.  This top level policy pushes the rules and objects created at the global level into the policy management of the CMA(s) of your choice.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/Sc29wdCV4PI/AAAAAAAAALI/-CU-FSaaLmY/s1600-h/P1-globalRulesfirst.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 225px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/Sc29wdCV4PI/AAAAAAAAALI/-CU-FSaaLmY/s400/P1-globalRulesfirst.jpg" alt="" id="BLOGGER_PHOTO_ID_5318115375120244978" border="0" /&gt;&lt;/a&gt;The CMA could represent hundreds of other security management stations, allowing you to build global rules once that are enforced hundreds of times.  
Need to change a global rule?  No need to log into all your management stations; you just change it once at the global level and let it propagate down to the CMA, like the policy shown below.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/Sc2-yuvBT_I/AAAAAAAAALQ/p1SbhTZLpiA/s1600-h/P1-globalRules.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 110px;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/Sc2-yuvBT_I/AAAAAAAAALQ/p1SbhTZLpiA/s400/P1-globalRules.jpg" alt="" id="BLOGGER_PHOTO_ID_5318116513742409714" border="0" /&gt;&lt;/a&gt;The rules highlighted by the arrows cannot be changed here; they come from the global policy.  The administrator of this system is free to create rules as needed, as long as they do not conflict with the global policy as mandated by the P1.&lt;br /&gt;&lt;br /&gt;Think of how this could be used very effectively to enforce corporate policy.  For example, &lt;a href="http://en.wikipedia.org/wiki/Domain_Name_System"&gt;DNS&lt;/a&gt; is a protocol that we all need to have, but it can also be the most abused service when it comes to exploits (ask &lt;a href="http://www.doxpara.com/"&gt;Dan Kaminsky&lt;/a&gt; if you don't believe me).  Let's say you want your entire infrastructure to only use your corporately controlled and approved DNS servers, and block everything else.  With a global rule allowing DNS to my servers, and blocking all other DNS traffic, every management system can be designated to enforce these rules, bend to my will and heed my warnings on DNS risks.  Ok, I'm getting a little dramatic here, but when you play with a P-1, you do risk developing a god complex.  This truly is the power of a security policy dictatorship, so try to make it a benevolent dictatorship :)&lt;br /&gt;&lt;br /&gt;2. 
Global Dynamic Groups&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Remember how I liked to push everything in groups?  Well I am not naive enough to believe that approach works all the time.  You will always have those custom rules to deal with, so why not leave them at the local policy level?  Take the work of defining the grouping of common servers and services to the global level, but leave the ability to manage server type access on the local policy.  How do you do this?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;At the Global SmartDashboard level, create dynamic objects that represent the various servers, like web servers, your administration workstations, etc.&lt;/div&gt;&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/SfS0Wu51BeI/AAAAAAAAAL0/v3JLEq3s4wg/s1600-h/P1-globalRules.jpg"&gt;&lt;img src="http://2.bp.blogspot.com/_qknjeSNjEHU/SfS0Wu51BeI/AAAAAAAAAL0/v3JLEq3s4wg/s400/P1-globalRules.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5329082561726842338" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 224px; " /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;These will appear as groups in the local dashboard.  When attached to a global policy, it means the local administrator can add or remove objects from the global policy groups, but not actually change an existing rule.  New web server online?  Add it to the group.  Change in admin console location?  Change the admin console objects in the group.  New DB server online for expansion?  Let me get that added to this group here.  That's it.  
It's logical and leaves your local policy open for those customizations that always seem to happen, no matter how many groups you create ;)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SfS1zz9RxWI/AAAAAAAAAL8/IXjz9BCp-e8/s1600-h/P1-globalRules.jpg"&gt;&lt;img src="http://3.bp.blogspot.com/_qknjeSNjEHU/SfS1zz9RxWI/AAAAAAAAAL8/IXjz9BCp-e8/s400/P1-globalRules.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5329084160811320674" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 108px; " /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;3. Gateway Oriented Functions&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Depending on your architecture, you may want to leverage something that is gateway oriented, even if it is only for a subset of the firewalls you are managing (you can have multiple global policies in Provider-1, feel free to use all 3 options presented here).  Let us say you are working from a site perspective, and have many locations, all with similar needs and requirements.  
Allowing for local configuration, how would you leverage a global policy across different CMAs, on a gateway function perspective?&lt;/div&gt;&lt;div&gt;Start in the Global SmartDashboard, creating dynamic objects by the classification of firewall type you are managing.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/SfS50Ptju7I/AAAAAAAAAME/0DtgVqoqaCo/s1600-h/P1-globalRules.jpg"&gt;&lt;img src="http://2.bp.blogspot.com/_qknjeSNjEHU/SfS50Ptju7I/AAAAAAAAAME/0DtgVqoqaCo/s400/P1-globalRules.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5329088566308092850" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 244px; height: 247px; " /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Then build your rules according to the gateway type, using the 'install on' field in the Global SmartDashboard to designate which firewall type will receive the rule.&lt;/div&gt;&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/SfS6UmMEdoI/AAAAAAAAAMM/EK4amYE8do4/s1600-h/gwdynrule.jpg"&gt;&lt;img src="http://1.bp.blogspot.com/_qknjeSNjEHU/SfS6UmMEdoI/AAAAAAAAAMM/EK4amYE8do4/s400/gwdynrule.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5329089122097460866" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 48px; " /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;This global policy can be inherited across multiple different sites,&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SfS6-ZIzw7I/AAAAAAAAAMU/MrYAt9ymbRM/s1600-h/P1-globalgateways.jpg"&gt;&lt;img 
src="http://3.bp.blogspot.com/_qknjeSNjEHU/SfS6-ZIzw7I/AAAAAAAAAMU/MrYAt9ymbRM/s400/P1-globalgateways.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5329089840148628402" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 235px; " /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;when the local admin, in the CMA SmartDashboard, adds the appropriate gateways to the appropriate groups (sent down through the global policy).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/SfS8BnVJILI/AAAAAAAAAMc/w3NmTrnIYxY/s1600-h/groups.jpg" style="text-decoration: none;"&gt;&lt;img src="http://2.bp.blogspot.com/_qknjeSNjEHU/SfS8BnVJILI/AAAAAAAAAMc/w3NmTrnIYxY/s400/groups.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5329090995009691826" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 150px; " /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Hope this helped give some perspective on these three quick tips for leveraging global policies in Provider-1.  It breaks my heart to see a Provider-1 deployed without a solid global policy, and with the right policy design, this virtualization of management can take your policy control to a whole new level, literally.  
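As an added illustration (not code from this post and not Check Point code), here is a small Python model of what the tips above amount to: one frozen global rulebase that refers to dynamic groups and to 'install on' gateway-type groups, plus a per-CMA compiler that turns it into the effective rules for each gateway once the local admin has populated the groups. Every group, object, gateway and service name is a constructed assumption, and the handling of an empty group (skip the rule and report it) is a modelling choice here, not a statement about how SmartDashboard behaves.

```python
"""Toy model of Provider-1 global policy inheritance.

Added illustration, not Check Point code.  A global rulebase references dynamic
groups (resolved per CMA) and 'install on' gateway-type groups; each CMA only
supplies membership, and the compiler emits the effective rules per gateway.
All object, group, gateway and service names below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One global rule.  src/dst are dynamic group names or 'any';
    install_on is a gateway-type group name, or 'any' for every gateway."""
    name: str
    src: str
    dst: str
    service: str
    action: str
    install_on: str = "any"


# The global policy: frozen, so local admins cannot edit rules, only membership.
GLOBAL_RULES: Tuple[Rule, ...] = (
    Rule("admin-to-web", "g_admin_consoles", "g_web_servers", "https", "accept", "g_dmz_gws"),
    Rule("web-to-db", "g_web_servers", "g_db_servers", "mysql", "accept", "g_dc_gws"),
    Rule("cleanup", "any", "any", "any", "drop"),
)


class CMA:
    """A local management domain: owns group membership, never the global rules."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.members: Dict[str, Set[str]] = {}   # dynamic group -> local objects
        self.gateways: Dict[str, Set[str]] = {}  # gateway-type group -> gateways

    def add_member(self, group: str, obj: str) -> None:
        """The only write a local admin gets: add an object to a global group."""
        self.members.setdefault(group, set()).add(obj)

    def add_gateway(self, type_group: str, gw: str) -> None:
        """Place a local gateway into a global gateway-type group."""
        self.gateways.setdefault(type_group, set()).add(gw)

    def all_gateways(self) -> Set[str]:
        return set().union(*self.gateways.values())


def resolve(cma: CMA, ref: str) -> frozenset:
    """Expand a dynamic group name to this CMA's members ('any' stays 'any')."""
    if ref == "any":
        return frozenset(["any"])
    return frozenset(cma.members.get(ref, set()))


def compile_policy(cma: CMA, rules: Tuple[Rule, ...] = GLOBAL_RULES):
    """Return ({gateway: [effective rule tuples]}, [warnings]) for one CMA.

    A rule whose group is empty in this CMA is skipped and reported; that is a
    modelling choice here, not a claim about what SmartDashboard does.
    """
    effective: Dict[str, List[tuple]] = {gw: [] for gw in sorted(cma.all_gateways())}
    warnings: List[str] = []
    for rule in rules:
        if rule.install_on == "any":
            targets = cma.all_gateways()
        else:
            targets = cma.gateways.get(rule.install_on, set())
        src, dst = resolve(cma, rule.src), resolve(cma, rule.dst)
        if not src or not dst:
            warnings.append(f"{cma.name}: rule '{rule.name}' references an empty group, skipped")
            continue
        for gw in sorted(targets):
            effective[gw].append((rule.name, src, dst, rule.service, rule.action))
    return effective, warnings


def example_site_a() -> CMA:
    """Constructed CMA with every global group populated."""
    cma = CMA("site-a")
    cma.add_gateway("g_dmz_gws", "fw-dmz-1")
    cma.add_gateway("g_dc_gws", "fw-dc-1")
    for obj in ("web-1", "web-2"):
        cma.add_member("g_web_servers", obj)
    cma.add_member("g_admin_consoles", "admin-pc-1")
    cma.add_member("g_db_servers", "db-1")
    return cma


def example_site_b() -> CMA:
    """Constructed CMA that has not yet added any DB servers."""
    cma = CMA("site-b")
    cma.add_gateway("g_dmz_gws", "fw-dmz-2")
    cma.add_gateway("g_dc_gws", "fw-dc-2")
    cma.add_member("g_web_servers", "web-9")
    cma.add_member("g_admin_consoles", "admin-pc-9")
    return cma


if __name__ == "__main__":
    for site in (example_site_a(), example_site_b()):
        eff, warn = compile_policy(site)
        for gw, rules in eff.items():
            print(site.name, gw, [r[0] for r in rules])
        print("\n".join(warn))
```

Both constructed sites inherit the same three rules, yet the effective rulebase per gateway differs, because membership and gateway typing live in the CMA; the second site shows what the model reports when a local admin has not yet populated a group the global policy depends on.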
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;And remember, try to make it a benevolent dictatorship.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-1432671656515191618?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/1432671656515191618/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=1432671656515191618' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/1432671656515191618'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/1432671656515191618'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/04/creative-policy-control-with-provider-1.html' title='Creative Policy Control with Provider-1'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_qknjeSNjEHU/Sc29wdCV4PI/AAAAAAAAALI/-CU-FSaaLmY/s72-c/P1-globalRulesfirst.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-4768063509331678840</id><published>2009-04-07T22:26:00.011-04:00</published><updated>2009-04-08T09:26:17.437-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Conficker'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Kellman Meghu'/><category scheme='http://www.blogger.com/atom/ns#' term='interview'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='CHCH TV'/><category scheme='http://www.blogger.com/atom/ns#' term='Bob Cowan'/><category scheme='http://www.blogger.com/atom/ns#' term='live'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>When Asked About Conficker. . . Live Interview</title><content type='html'>I was asked to be prepared to answer questions about the Conficker worm, not like anything blew up that day, but I was graciously interviewed by &lt;a href="http://www.chtv.com/ch/chchnews/personalities/story.html?id=762281"&gt;Bob Cowan&lt;/a&gt; at &lt;a href="http://www.chtv.com/ch/chchnews/morning_news/index_e1.html"&gt;CHCH TV Morning News&lt;/a&gt;.  The folks on the Morning Live team were great, I had a nice breakfast in the green room :) and spoke with Bob in detail about the worm.  I was happy to see that he was well aware that this was an update to the worm we were seeing for April 1st, not some doomsday moment, so he was realistic about the threat.&lt;br /&gt;I like how Bob starts with how this worm only impacts Windows PCs.  I suspect he is a Mac user at heart, and if not now, should be.&lt;br /&gt;I know, I know, the Mac is as exploitable as Windows, yada yada, but it just isn't the target of these things right now.  Yes, I realize that Windows is the big ship in the water (so to speak), but we are only going to see more attacks like Conficker and more complex botnets, so why not ride out that first wave in the lifeboat, and not the Titanic?  
We can all worry about the Macbot threats when they happen.  I, for one, am abandoning ship (so to speak).&lt;br /&gt;:)&lt;br /&gt;&lt;br /&gt;&lt;object height="364" width="445"&gt;&lt;param name="movie" value="http://www.youtube.com/v/aONy6SGQlKM&amp;amp;hl=en&amp;amp;fs=1&amp;amp;color1=0x2b405b&amp;amp;color2=0x6b8ab6&amp;amp;border=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/aONy6SGQlKM&amp;amp;hl=en&amp;amp;fs=1&amp;amp;color1=0x2b405b&amp;amp;color2=0x6b8ab6&amp;amp;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="364" width="445"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-4768063509331678840?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/4768063509331678840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=4768063509331678840' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/4768063509331678840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/4768063509331678840'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/04/when-asked-about-conficker-live.html' title='When Asked About Conficker. . . 
Live Interview'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-657584226261007716</id><published>2009-03-31T23:59:00.002-04:00</published><updated>2011-09-09T01:41:39.483-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='Conficker'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>The Day of Conficker Is Upon Us!</title><content type='html'>It is March 31st, on the eve of what may one day be known as Conficker Day.  The more likely possibility?  April 1st will continue to be known as April Fools' Day.&lt;br /&gt;&lt;br /&gt;I'm actually not sure why we seem so convinced April 1st is doomsday for this thing.  It's just when the software (yes, it's a program like any other, and ultimately plays by the same rules) starts looking for its update.  Like Patch Tuesday for worms :)  And after that we will have Conficker D.  What does that even mean?  A new, patched, updated worm ready to start doing new and exciting things we can't predict.  Could it start blasting the internet and taking sites offline?  Sure could.  Will it delete all your data and crash your computer?  
A possibility, I guess.&lt;br /&gt;&lt;br /&gt;But if you look at the program's intent, to infect and control as many computers as possible, making a big splash on the internet with DoS attacks and nuked hard drives is hardly a good use of all these resources someone has taken the time to hijack.  Some group out there has control over potentially hundreds of thousands of machines on the internet, and all the scalability that comes with cluster computing, at their fingertips.  But as far as an all-out DoS attack goes, it is still a pretty insignificant number of machines compared to the entire internet.  There might be the odd outage from some excess traffic here and there, or the update mechanism in Conficker fails and starts spewing data, filling pipes.  Anything can happen, but whatever it is, I think it will hardly be a flicker on the network.  But this still begs the question, why would someone do that?&lt;br /&gt;&lt;br /&gt;I would guess this group is going to want to sell these resources to the highest bidder, but you can bet both the Conficker authors and the person paying the rent check for this army of machines have something much quieter going on, and that is the scary part.  We are all so worried about April 1st, when the damage from a worm compromising thousands of machines has already happened.  
What we will see come of the Conficker worm isn't nearly as worrisome as what we won't see.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-657584226261007716?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/657584226261007716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=657584226261007716' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/657584226261007716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/657584226261007716'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/03/day-of-conficker-is-upon-us.html' title='The Day of Conficker Is Upon Us!'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-3153292034107978351</id><published>2009-03-31T08:56:00.001-04:00</published><updated>2009-03-31T09:02:26.705-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='insanity'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title 
type='text'>Myths, Mistakes and Outright Lies (when it comes to IT Security)</title><content type='html'>Life is full of urban myths and twisted beliefs, and that could not be more true for network security and the internet.  I would like to present just a few favorites of mine that I have seen, and in many cases, had to live with (support) and overall dedicate my life to making them work (since I designed them).  In the course of that, we would make design situations that fit the issues we were dealing with then.&lt;br /&gt;&lt;br /&gt;Look, network security is a weird and complicated place sometimes.  Security is about accounting for what people do, not machines, so because of the way risks change, a solution that at one time made total sense suddenly doesn't make as much sense anymore.  But by then, it's written into some operations manual that's tied to an audit that just could not survive with this vital piece of equipment firing out reports no one pays attention to anymore.  You probably have something like this in your network, something like the intrusion detection system monitoring the internet connections coming in, BEFORE the firewall.&lt;br /&gt;&lt;br /&gt;Myth: you need an IDS on the internet.&lt;br /&gt;&lt;br /&gt;Don't get me wrong, you may have some huge requirement to sample large volumes of useless alerts and packet dumps, and I am in no way saying you should never do this, but unless your company's core business has something to do with studying internet attacks, it is highly unlikely you will be able to convince me you're getting a lot out of this solution; it just doesn't have the bang for the buck it takes to manage that IDS/IDP solution.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/Scw-xc6xgVI/AAAAAAAAAKI/uz1XP3i3-I8/s1600-h/watching+inside.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 
232px;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/Scw-xc6xgVI/AAAAAAAAAKI/uz1XP3i3-I8/s400/watching+inside.jpg" alt="" id="BLOGGER_PHOTO_ID_5317694279314932050" border="0" /&gt;&lt;/a&gt;If you have an IDS attached to the internet, try an experiment: pick that thing up and put it inside your network somewhere.  Have it monitor a network you actually care about and see how valuable that information becomes.  Oh, and don't actually jumble up your network because I said so, tell them it was your idea.  Chances are, no one will notice anyway :)&lt;br /&gt;&lt;br /&gt;So once you've stuck that IDS device inside and discovered bad stuff behind the firewall, what next?  If it's bad, you may be subject to a big mistake around planning and deploying your policy, and our next myth.&lt;br /&gt;&lt;br /&gt;Let's just worry about what's coming in.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/Scw-LrQnzhI/AAAAAAAAAKA/ZwEwOtmrGyI/s1600-h/anything+goes+out.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 141px;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/Scw-LrQnzhI/AAAAAAAAAKA/ZwEwOtmrGyI/s400/anything+goes+out.jpg" alt="" id="BLOGGER_PHOTO_ID_5317693630329638418" border="0" /&gt;&lt;/a&gt;The proverbial firewall myth, that somehow the firewall saves everything.  The problem is you are forgetting that it is just a tool, and it's only as good as how you use it.  For example, if you have a policy that looks like the one above, you probably have a serious security problem.  On the bright side, you probably won't know anything about it, since you are not enforcing any kind of bi-directional policy.  
When you are planning a security policy, what is going out is just as important as what's coming in.&lt;br /&gt;&lt;br /&gt;Here is a mistake we all make as users, and that is trusting our networks, be it the corporate one, or your internet provider.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/Scw_wCcHfoI/AAAAAAAAAKQ/qgIrh5DhgkQ/s1600-h/safe+on+your+own+network.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 239px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/Scw_wCcHfoI/AAAAAAAAAKQ/qgIrh5DhgkQ/s400/safe+on+your+own+network.jpg" alt="" id="BLOGGER_PHOTO_ID_5317695354538786434" border="0" /&gt;&lt;/a&gt;You know that alert, if you're doing your banking and the web browser complains about the site, you should not continue, right? (I really wonder how many people just ignore it, making this a moot point.)  At any rate, it is possible for someone to intercept your traffic, even encrypted traffic, so be aware that nothing is 100% safe, even if you DON'T see the warning.&lt;br /&gt;&lt;br /&gt;Let me ask you, if you are doing things, like your online banking, at work, and technically on your employer's network, is it OK for them to decrypt and view that traffic?  I don't know the answer, I'm just saying it's a mistake for you to assume your company, or your Internet provider, can't do it.&lt;br /&gt;&lt;br /&gt;Remember when the dual-vendor security strategy was cool?  We all got to play with more boxes, and our blinky-light capital went through the roof, but it also spun us into an unsustainable security architecture, too painful to support.  I blame this insanity on a report from the late 90's that somehow justified spending 4x your money to create 3x the complication requiring 2x the people to manage very little gain in actual protection or security.  
I'm not pretending to be some network guru who saw right through this, but anyone who actually had to implement and support such an environment, should have realized about halfway through the project lifecycle that this was not going to be pretty.  Let me tell you how I saw dual vendor security shake out.  I was always told, that if there was a vulnerability in one firewall, the other firewall will, theoretically, still be able to protect against the attack, since it is a different architecture.&lt;br /&gt;&lt;br /&gt;Here is how it worked out in the real world.  We implemented a dual vendor solution, and after much pain  over years of managing security policy changes across disparate systems, the day finally came, when a vulnerability was revealed in the ssh protocol that, guess what, was vulnerable in BOTH FIREWALLS.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/ScxFrWtNKzI/AAAAAAAAAKY/UpvuBQiaHb8/s1600-h/dual+vendor+disolution+1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 234px;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/ScxFrWtNKzI/AAAAAAAAAKY/UpvuBQiaHb8/s400/dual+vendor+disolution+1.jpg" alt="" id="BLOGGER_PHOTO_ID_5317701871149591346" border="0" /&gt;&lt;/a&gt;Actually it put pretty much anything that used ssh at risk, but ironically enough, not the firewall in a way that was risky or even a concern.  See the firewall, being a security device, was never configured to talk to anyone on the network, unless you were an authorized admin through a VPN connection.  So the only people that could be running ssh exploits against the firewall, were the administrators that, surprise, already have all the system access they need.  
If they are running shell exploits to gain administrative control over machines that they are already the admins of, well, we all have much bigger problems then.&lt;br /&gt;&lt;br /&gt;If you take this thinking to the next logical step, if firewall attacks aren't my concern (most just exploit perfectly good and allowed services), why use the dual-vendor security strategy?  We should be applying it to the real targets, servers.  So go ahead, run Linux AND Windows-based servers so a vulnerability on one system won't hit the other, right?  We will have to invest pretty heavily in cross-platform application development and support, but OK.  While we are at it, we should split our user base into Windows users, Mac users, and Ubuntu users.  That will really cut down the impact of worms and viruses.  It will triple support costs, not including user training and retraining, but hey, two is better than one, so three has got to be the best ever! Right?&lt;br /&gt;&lt;br /&gt;It doesn't work there, why would it work in security solution support?&lt;br /&gt;&lt;br /&gt;I think what the report was trying to create (and I'm giving a lot of leeway here for interpretation) was something where a supervising body oversees two distinct groups that implement policy changes as separate entities.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/ScxKW_naqgI/AAAAAAAAAKg/ZJ8w-1yWdDY/s1600-h/dual+vendor+dissolution+2.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 266px;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/ScxKW_naqgI/AAAAAAAAAKg/ZJ8w-1yWdDY/s400/dual+vendor+dissolution+2.jpg" alt="" id="BLOGGER_PHOTO_ID_5317707018912049666" border="0" /&gt;&lt;/a&gt;That would crush the conspiracy risk of your support team subverting your security and therefore undermining the entire company.  
If that is something that poses a big risk for you, consider keeping this structure to manage your security.  Cost would still be up there, more in the change management part, but if you like this level of segregation of duties, I guess this dual-vendor thing might work out for you.  Mind you, it still wouldn't make sense to use multiple vendors since you would want the changes and reporting to be consistent, but if you're the NSA (or some super corporation that needs this level of security), it is highly unlikely you are going to be reading this blog for its network design tips, so I'll just call this one out as pointless for the rest of us.&lt;br /&gt;&lt;br /&gt;I can't end this post without saying something about 'the cloud'.  Yes, THE cloud.  There are a ton of people much smarter than me on cloud computing and SaaS solutions, heck, I'm a big fan of some of them (the experts and the cloud services). . . obviously. . . but I don't consider security in 'the cloud' that crazy a challenge, as long as we learn from our mistakes and apply appropriate solutions as risk dictates.  Actually that sounds kind of wishy-washy, how about this instead.  Just because 'the cloud' is virtualized does not make it immune from risks, so factor that into the services you move into the cloud.  There are tons of services that make total sense in 'the cloud'.  And by the same thought, a lot that aren't worth the risk of relinquishing security control, because security is managing risk, and if it's not under your management, it's simply at risk.  Like any outsourced solution, if it is not providing the same (or better) level of security audit, control and reporting, it is not going to be worth the risk.  Make sure your 'cloud' security model is not based on it simply being THE 'cloud'.&lt;br /&gt;&lt;br /&gt;There is absolutely a future and a need to utilize cloud services, but sending ALL your data into 'the cloud' sounds like a dangerous idea to me, but one I have heard somewhere before. 
 Where was that now?. . . something about putting all their resources, power, focus, into a single device. . . . .Oh yeah, now I remember,&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/ScxO27iThCI/AAAAAAAAAKo/4Ex4q_R3W9o/s1600-h/deathstar.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 312px; height: 400px;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/ScxO27iThCI/AAAAAAAAAKo/4Ex4q_R3W9o/s400/deathstar.jpg" alt="" id="BLOGGER_PHOTO_ID_5317711965619192866" border="0" /&gt;&lt;/a&gt;&lt;a href="http://www.cracked.com/topic/119-the-death-star/"&gt;http://www.cracked.com/topic/119-the-death-star/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-3153292034107978351?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/3153292034107978351/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=3153292034107978351' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3153292034107978351'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3153292034107978351'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/11/myths-mistakes-and-outright-lies-when.html' title='Myths, Mistakes and Outright Lies (when it comes to IT Security)'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_qknjeSNjEHU/Scw-xc6xgVI/AAAAAAAAAKI/uz1XP3i3-I8/s72-c/watching+inside.jpg' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-6669335290878673800</id><published>2009-03-29T23:55:00.006-04:00</published><updated>2009-03-30T00:51:44.386-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='family'/><title type='text'>Watchmen</title><content type='html'>If you haven't seen the movie, don't read this.  Not a spoiler, just won't make any sense.&lt;br /&gt;&lt;br /&gt;Let me just say up front, I am not making a judgment about religion and science, I'm just saying what I saw going on in Watchmen.  I'm sure others that have much more depth than I can bring (I must confess, I have not read the comic) to this movie, but after one amazing viewing in an Imax theater, I thought this movie had so much more going for it, including (but not limited to), a sub-story that goes something like this:&lt;br /&gt;&lt;br /&gt;'God' character created (by accident?), (actually worshiped in Vietnam) with Dr. Manhattan, powerful, but growing ambiguous to humankind's actions.  The Comedian is the irony of humankind, (we survive despite ourselves) even blaming Dr. Manhattan in Vietnam for his (humankind's) horrific actions.  Everyone refers to the superhero that's gone public as the smartest man alive, and this man figures out how to fool a god, and that to save all humankind from itself (what he promised he was doing from the start mind you!) he must unite humankind against Dr. Manhattan, essentially against God.  And Dr. Manhattan agrees.  
Matter of fact, with his ability to see back and forward in time, it makes total sense to him.&lt;br /&gt;This smartest man in the world (I'd say the science side of the house) does ultimately mean well, but he is brutal (like the Comedian?) in choices over what's best for humanity and the sacrifices he is willing to take, so don't think the God analogy gets to take all the bad rap; there are plenty of bad choices to go around.&lt;br /&gt;Rorschach pays the price (a sacrifice?) for refusing to hide the truth, Manhattan sacrifices him, but Rorschach leaves behind a documentation of the truth (like a bible for comic book geeks I guess ;)&lt;br /&gt;&lt;br /&gt;I found the moral ambiguity of all parties involved refreshing and complex.  I'm looking forward to seeing it again to confirm or remind me of things I have missed.  Any others have some interesting takes on this movie?&lt;br /&gt;&lt;br /&gt;Oh, and one last tip, you probably don't want to bring your kids.  This ain't no Batman. . 
;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-6669335290878673800?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://watchmenmovie.warnerbros.com/' title='Watchmen'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/6669335290878673800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=6669335290878673800' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/6669335290878673800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/6669335290878673800'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/03/watchmen.html' title='Watchmen'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-2619169299332919904</id><published>2009-03-28T21:52:00.000-04:00</published><updated>2009-03-29T00:41:21.344-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Toronto'/><category scheme='http://www.blogger.com/atom/ns#' term='Kellman Meghu'/><category scheme='http://www.blogger.com/atom/ns#' term='CP24'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Homepage'/><category scheme='http://www.blogger.com/atom/ns#' term='City Pulse'/><title type='text'>Tips For Parents - Live Interview</title><content type='html'>CP24 was amazing to be on; everyone was pretty relaxed and calm for a constant live broadcast, except me of course.  I was splashed with makeup and whisked into a live studio before I knew what hit me.  Nervous?  Of course, wouldn't you be?  They are really good at keeping you on track there; you can hardly tell I'm scared shirtless ;)&lt;br /&gt;&lt;br /&gt;This interview was spawned from an &lt;a href="http://technology.sympatico.msn.ca/How-To/ContentPosting_MS?newsitemid=8bef1627-12fa-4602-bde6-26cdc1d47296&amp;amp;feedname=MARC-SALTZMAN&amp;amp;show=False&amp;amp;number=0&amp;amp;showbyline=True&amp;amp;subtitle=&amp;amp;detect=&amp;amp;abc=abc&amp;amp;date=True"&gt;article&lt;/a&gt; giving tips for parents about internet usage.  This is by no means a small topic, and I've already discussed this issue at great length &lt;a href="http://kill-hup.blogspot.com/2009/01/internet-safety-for-parents.html"&gt;in a series of radio interviews&lt;/a&gt;, and then in a quasi-rant about &lt;a href="http://kill-hup.blogspot.com/2009/01/its-not-about-technology-keeping.html"&gt;things you can do to take control of your children's activities when they are online&lt;/a&gt;.  It was great to have a chance to share thoughts on internet safety for kids; my thanks go out to &lt;a href="http://www.cp24.com/servlet/an/local/CTVNews/20080722/homepage/20080801/?hub=CP24Home"&gt;CP24 Homepage&lt;/a&gt; for a great (life) experience.&lt;br /&gt;&lt;br /&gt;I must confess I have one big regret in this interview: I should have qualified my last statement about child predators.  
I come off sounding like this is a real threat, I even give &lt;a href="http://kill-hup.blogspot.com/2009/01/its-not-about-technology-keeping.html"&gt;an example of this threat&lt;/a&gt; in the blog here, but that is not what the internet represents for our kids, and to us.  Everyone in the world is connected, and let's hope it stays that way, because there is so much more to be gained by utilizing it than there is to hide from threats we don't even understand.  Every time you leave your house, you could be a victim of something terrible, and we can always imagine the worst of it, but we all still do it since the great things we can do far outweigh the bad.  Same with the internet.  Everyone talks about how there is so much porn on the internet, but I would bet the number of recipes that get posted and traded on the internet would dwarf the items of porn, but of course, that's not nearly as exciting to talk about.  At any rate, I'm just sorry if I left the impression that it is all bad.  It's not.  
It's pretty much on par with life.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object height="364" width="445"&gt;&lt;param name="movie" value="http://www.youtube.com/v/bwctczJmzFA&amp;amp;hl=en&amp;amp;fs=1&amp;amp;color1=0xe1600f&amp;amp;color2=0xfebd01&amp;amp;border=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/bwctczJmzFA&amp;amp;hl=en&amp;amp;fs=1&amp;amp;color1=0xe1600f&amp;amp;color2=0xfebd01&amp;amp;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="364" width="445"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-2619169299332919904?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/2619169299332919904/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=2619169299332919904' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/2619169299332919904'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/2619169299332919904'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/03/tips-for-parents-live-interview.html' title='Tips For Parents - Live Interview'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-1880546418388954334</id><published>2009-03-25T00:35:00.015-04:00</published><updated>2010-02-27T05:29:54.710-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='insanity'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='shit'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>Face For Rent</title><content type='html'>I recall some bad roommate stories, but this one was quite recent.  The time I ended up renting out my face to someone.  In hindsight I should have taken the time to learn more about this person, but they seemed really cool and easy to deal with, so I thought my new friend and I would get along just great.  Turns out, I wasn't ready for someone else to be living in my face.  
What could I do? I had made the offer, so I let this new friend of mine move in, with all of their stuff.&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/Scm4NdqpAAI/AAAAAAAAAI8/JScBZI3iln4/s1600-h/rented.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 172px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/Scm4NdqpAAI/AAAAAAAAAI8/JScBZI3iln4/s400/rented.jpg" alt="" id="BLOGGER_PHOTO_ID_5316983376528867330" border="0" /&gt;&lt;/a&gt;But as I am sure you have guessed, my new friend turned out to be a horrible pain in the ass. They set up the living room just the way they wanted it, and even if I changed it back, they would just switch it around again.  I'd go out, or to work, get home, and the place would be a mess.  After a very short time, I was finished with this person, but getting them to leave turned out to be harder than I thought.&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/Scm7zzHjebI/AAAAAAAAAJE/FwvYsGZw_OU/s1600-h/hangon.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 255px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/Scm7zzHjebI/AAAAAAAAAJE/FwvYsGZw_OU/s400/hangon.jpg" alt="" id="BLOGGER_PHOTO_ID_5316987333657196978" border="0" /&gt;&lt;/a&gt;I'd come back home, and find this person hanging out in my face again.  Changed the locks, warned the neighbors, and eventually this pest went away.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;And I have learned my lesson: no more letting anyone just move right into my face.  I try to be very careful who I let stay in my face.  
Sometimes you can't resist having a few friends over, I'm just trying to make sure they don't overstay their welcome.&lt;br /&gt;&lt;br /&gt;This face for rent, free of charge, courtesy of facebook.&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/Scm-NvO4CDI/AAAAAAAAAJM/Ap5l2g6q8H4/s1600-h/face4rent.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 165px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/Scm-NvO4CDI/AAAAAAAAAJM/Ap5l2g6q8H4/s400/face4rent.jpg" alt="" id="BLOGGER_PHOTO_ID_5316989978314016818" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;Other friends who are renting their face out, whether they know it or not.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/ScnBqG1SyGI/AAAAAAAAAJU/YMJdu0sWol0/s1600-h/robsales.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 294px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/ScnBqG1SyGI/AAAAAAAAAJU/YMJdu0sWol0/s400/robsales.jpg" alt="" id="BLOGGER_PHOTO_ID_5316993764220389474" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/ScnB7yD01AI/AAAAAAAAAJc/tPcSitC1SxY/s1600-h/Marksales.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 323px;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/ScnB7yD01AI/AAAAAAAAAJc/tPcSitC1SxY/s400/Marksales.jpg" alt="" id="BLOGGER_PHOTO_ID_5316994067881841666" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/8947416008886820462-1880546418388954334?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/1880546418388954334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=1880546418388954334' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/1880546418388954334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/1880546418388954334'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/03/face-for-rent.html' title='Face For Rent'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_qknjeSNjEHU/Scm4NdqpAAI/AAAAAAAAAI8/JScBZI3iln4/s72-c/rented.jpg' height='72' width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-5587028712214272847</id><published>2009-03-17T22:00:00.021-04:00</published><updated>2009-03-26T14:27:41.099-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nat'/><category scheme='http://www.blogger.com/atom/ns#' term='troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='Kellman Meghu'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category 
scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Basic to Advanced Check Point Gateway Troubleshooting</title><content type='html'>Don't you just hate it when that new business-critical application just won't get through the firewall?  You pushed the rule, it should be allowed, but your application provider is reporting they are not live with the fancy new application that is going to change the way you do business.&lt;br /&gt;&lt;br /&gt;Or those times when, all of a sudden, you get the trouble call, and a perfectly good working application that was busy trying to change the way you do business is suddenly not working.  What now?&lt;br /&gt;&lt;br /&gt;As the firewall administrator, like it or not, you are usually in a unique place to initiate the troubleshooting process, and ultimately help your company get back to a productive state.  Don't let this process turn into a mad race to flip switches and press buttons until someone calls and says it's alright.  Troubleshooting your network is a bit of an art, but that is no excuse not to have a process in place to make this the most effective response to an unknown situation.  Please remember the following when starting your troubleshooting process.&lt;br /&gt;&lt;br /&gt;Troubleshooting is NOT about fixing a problem.  It's about finding it.&lt;br /&gt;&lt;br /&gt;It's usually very easy to see what went wrong after the problem is found, and knowing how to fix it should be quickly evident.  But for this session, let's not worry about fixing anything.  Let's just figure out what needs the fixing.&lt;br /&gt;&lt;br /&gt;Depending on how complex this problem gets, at some point you will be contacting support for assistance.  
It is important to make these first steps part of that process, even if you don't plan to escalate anything, and at the first sign of trouble, it's time to do some digging before we call anyone.&lt;br /&gt;&lt;br /&gt;Question for you: who is most equipped to solve your problem?  You?  Or &lt;a href="http://fw1-gurus.phoneboy.com/"&gt;PhoneBoy&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For those of you that don't know the man, the myth . . the legend: back when large scale firewalls were still a new commodity, information for troubleshooting was scarce.  &lt;a href="http://fw1-gurus.phoneboy.com/"&gt;PhoneBoy&lt;/a&gt; was a pioneer in community-based support, managing a knowledgebase that saved my ass more than once.  A searchable, managed knowledgebase is somewhat of a commodity these days (although still an art to manage well), so his knowledgebase is largely superseded by the Check Point knowledgebase, but back in the day everyone looked to &lt;a href="http://fw1-gurus.phoneboy.com/"&gt;PhoneBoy&lt;/a&gt; for the answers.&lt;br /&gt;&lt;br /&gt;So I ask again, who would you want troubleshooting your network, PhoneBoy or you?  Of course the real answer is you.  You can look up the things PhoneBoy knows, but no one knows your environment better than you. . . or do you?&lt;br /&gt;&lt;br /&gt;So disaster strikes: a new application is not working, or worse, an existing application has stopped working.  What is your first impulse?  It's usually to find out what has changed and start flipping it back.  Ignore this impulse for now, because only one of two things will happen and both of them are bad.  What if you back out the last change, and the problem still exists?  What then?  Do you start frantically backing out more things?  Do you reverse the backout and move forward?  Then it gets messier: what if you back out a change and things start working again?  I assume you made that change for a reason, and sooner or later, you will have to figure out how to put it back in.  
Will you know enough to implement the change without impact?  Forget about backing out things; first we verify everything.&lt;br /&gt;&lt;br /&gt;How you verify is the creative part; I for one like the &lt;a href="http://en.wikipedia.org/wiki/OSI_model"&gt;OSI model&lt;/a&gt;.  Don't get me wrong, it's not perfect, but I am just using it as a framework.  Start from layer 1 and work all the way through, even if you think you find a problem.  Note it, and move on.  Far too many times I have seen the horrible assumption that we are looking for A problem, when in fact, multiple things need to be addressed.  Nothing worse than fixing a problem you have found, only to have the issue stay, or worse, simply manifest in a new and exciting way.&lt;br /&gt;&lt;br /&gt;Let's confirm the physical layer.  Machine plugged in?  Turned on?  These sound like simple questions to answer, but not if your infrastructure is 50km away tucked safely in a datacenter.  Use your layer 2 information to verify.&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;ethtool eth1&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/ScNaj0ZFXnI/AAAAAAAAAF8/Wc92RntbV_s/s1600-h/Picture+1.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 212px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/ScNaj0ZFXnI/AAAAAAAAAF8/Wc92RntbV_s/s320/Picture+1.png" alt="" id="BLOGGER_PHOTO_ID_5315191556633091698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I really hate auto-negotiation.  I have had many a night ruined over auto-neg, so check your firewall interfaces closely.  
And the switch/device it's connected to.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;arp -a&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/ScNbRE3ImDI/AAAAAAAAAGE/8DijLxo9oz4/s1600-h/Picture+2.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 212px;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/ScNbRE3ImDI/AAAAAAAAAGE/8DijLxo9oz4/s320/Picture+2.png" alt="" id="BLOGGER_PHOTO_ID_5315192334148212786" border="0" /&gt;&lt;/a&gt;This could tell you a lot, if you know what it's supposed to look like.  Here we go with the process part; let's establish that at some point (and with some regularity) you run something like this:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]#&lt;span style="font-weight: bold;"&gt; arp -a &gt; arptable.out&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So that you can quickly run something like this to focus on what has changed or is missing from your Layer 2 network.&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;arp -a &gt; checkarp.out&lt;/span&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;diff checkarp.out arptable.out &lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/ScNbpvKr_tI/AAAAAAAAAGM/lTW67KktmNc/s1600-h/Picture+3.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 212px;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/ScNbpvKr_tI/AAAAAAAAAGM/lTW67KktmNc/s320/Picture+3.png" alt="" id="BLOGGER_PHOTO_ID_5315192757821374162" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;By having a point of reference I can quickly see that I have lost layer 2 connectivity with the labrat server.&lt;br /&gt;&lt;br /&gt;Do the same for your routing as we move up to layer 3.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;netstat -rn &gt; route.out&lt;/span&gt; &lt;span style="font-style: italic;"&gt;----hopefully you have run this when things are working!&lt;/span&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;netstat -rn &gt; checkroute.out&lt;/span&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;diff checkroute.out route.out&lt;/span&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-style: italic;"&gt;---hopefully nothing shows up&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Ok, we get the basics; let's make sure you have test-run the following commands, and perhaps created a nice spreadsheet of commands and the outputs you expect.  
Let's list some important things you should be checking.&lt;br /&gt;&lt;br /&gt;Verify the firewall is active:&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;fw tab -t connections -s&lt;/span&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;fw stat -l&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/ScNcg59ymLI/AAAAAAAAAGc/FAKgksGIN7E/s1600-h/Picture+5.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 201px;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/ScNcg59ymLI/AAAAAAAAAGc/FAKgksGIN7E/s320/Picture+5.png" alt="" id="BLOGGER_PHOTO_ID_5315193705612875954" border="0" /&gt;&lt;/a&gt;The 'fw stat -l' output lists, per interface, the policy name, the install date, and the total, rejected, dropped, accepted and logged packet counts:&lt;br /&gt;eth0 Standard 28Feb2008 23 51408729 0 250 51408479 70501 localhost&lt;br /&gt;eth1 Standard 28Feb2008 23 56998337 0 12 56998325 39487&lt;br /&gt;&lt;br /&gt;Of course you have checked your firewall logs, but also make sure you can see the traffic at the OS level with a tcpdump.  Right about now things are probably starting to heat up for you, and you have verified connectivity into the upper layers using OS level tracing with tcpdump.  
Many tools exist to analyze it; the format is simple, so search for the source, or destination, or service, and locate the traffic.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: right;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/ScNdLf1WpbI/AAAAAAAAAGk/vCznMqk_PXs/s1600-h/Picture+6.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 201px;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/ScNdLf1WpbI/AAAAAAAAAGk/vCznMqk_PXs/s320/Picture+6.png" alt="" id="BLOGGER_PHOTO_ID_5315194437332542898" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;You want to watch for the &lt;a href="http://en.wikipedia.org/wiki/Transmission_Control_Protocol"&gt;SYN state and follow the sequence of TCP&lt;/a&gt;.  
Any odd RST or failure to respond is more information we have to go on.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Time to make sure the system is not overloaded:&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;vmstat 5&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/ScNforjEsKI/AAAAAAAAAGs/QkQdt9PEPOE/s1600-h/Picture+7.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 201px;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/ScNforjEsKI/AAAAAAAAAGs/QkQdt9PEPOE/s320/Picture+7.png" alt="" id="BLOGGER_PHOTO_ID_5315197137716555938" border="0" /&gt;&lt;/a&gt;You want to see VERY low numbers in the si/so columns and high numbers in the id column.  This will tell you if the firewall is working too hard, but it is not the last place we look.  Firewall memory management is complex, but we can use a simple tool to understand how the firewall is working, separate from the OS.  
'fw ctl pstat' is the key, but without getting too deep into the complexities of the output, look for something very simple.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;fw ctl pstat | grep fail   &lt;/span&gt;&lt;br /&gt;Allocations: 81983671 alloc, 0 failed alloc, 81827895 free&lt;br /&gt;Allocations: 26148 alloc, 0 failed alloc, 25653 free, 0 failed free&lt;br /&gt;Allocations: 82007088 alloc, 0 failed alloc, 81851120 free, 0 failed free&lt;br /&gt;0 failed stack calls&lt;br /&gt;0 large, 1 duplicates, 0 failures&lt;br /&gt;&lt;br /&gt;You should not see any failures.  If you do, determine if it's HMEM failures, SMEM failures or KMEM failures.  If it's HMEM, go to your capacity optimization and increase the default table size.  If it's SMEM, make sure the box is not saturated.  If you find KMEM failures, it's probably time to call support.&lt;br /&gt;&lt;br /&gt;As we continue our troubleshooting, sooner or later you will end up pulling out the 'fw monitor' tool.  'fw monitor' is not your ordinary sniffer: it lets you see what the firewall sees, as well as trace how the packet changes as it is processed through the firewall.  
If you are not familiar with this tool, do not use it in production without assistance from support.&lt;br /&gt;&lt;br /&gt;Capturing a session could look something like this:&lt;br /&gt;&lt;br /&gt;1) Define a large debug buffer: &lt;span style="font-weight: bold;"&gt;fw ctl debug -buf 32000&lt;/span&gt;&lt;br /&gt;2) Turn on debug flags that help you better understand the context: &lt;span style="font-weight: bold;"&gt;fw ctl debug + vm conn &lt;/span&gt;&lt;br /&gt;3) Turn on drop logging in a way that dumps dropped packets as well: &lt;span style="font-weight: bold;"&gt;fw ctl set int fw_droplog_options 0x11&lt;/span&gt;&lt;br /&gt;4) Start collecting debug information from the kernel, with timestamps enabled: &lt;span style="font-weight: bold;"&gt;fw ctl kdebug -T -f &lt;/span&gt;&lt;br /&gt;5) Run "fw monitor -o capt_file" to capture the crafted packets&lt;br /&gt;&lt;br /&gt;You can check which debug flags are enabled by simply running &lt;span style="font-weight: bold;"&gt;fw ctl debug&lt;/span&gt;&lt;br /&gt;Don’t forget to turn debugging off…&lt;br /&gt;&lt;span style="font-weight: bold;"&gt; fw ctl debug 0 &lt;/span&gt;&lt;br /&gt;This one de-allocates the buffer and automatically kills the “fw ctl kdebug” process.&lt;br /&gt;Most of the time you will be doing this under the direction of support, I can't say that enough, please don't nuke your firewall with a debug and write me to complain, but here is a quick shortcut to try. 
It may help you gather the information you need to identify where the problem might be, and potentially show that the firewall is acting as expected.&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]#&lt;span style="font-weight: bold;"&gt; fw ctl zdebug drop&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/ScNg430KxCI/AAAAAAAAAG0/za-HQgD6M5c/s1600-h/Picture+8.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 201px;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/ScNg430KxCI/AAAAAAAAAG0/za-HQgD6M5c/s320/Picture+8.png" alt="" id="BLOGGER_PHOTO_ID_5315198515399017506" border="0" /&gt;&lt;/a&gt;It's a great little tool for finding out the reason for those drops you really don't want, but BE CAUTIOUS.  On an already overloaded system (even if you can't see it at the OS level) it could cause instability.  As much as you want to capture all the information you can, using filters in 'fw monitor' will help in sampling traffic without overdoing the load on the system.  
At any rate, do consider the overall health of the system and the risk of downtime when planning for a debugging session.&lt;br /&gt;&lt;br /&gt;Firewall system logs also provide great information in the log directory, if enabled to do so.&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]#&lt;span style="font-weight: bold;"&gt; cd $FWDIR/log&lt;/span&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;pwd&lt;/span&gt;&lt;br /&gt;/opt/CPsuite-R65/fw1/log&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;ls *.elg&lt;/span&gt;&lt;br /&gt;aciufpd.elg    ahttpd.elg     avi_del_tmp_files.elg  epq.elg        igwd.elg  stormd.elg&lt;br /&gt;aclientd.elg   asessiond.elg  cphttpd.elg         funcchain.elg  mdq.elg   su.elg&lt;br /&gt;ahclientd.elg  aufpd.elg      dtps.elg             fwd.elg        rtmd.elg  vpnd.elg&lt;br /&gt;&lt;br /&gt;All of these *.elg files represent a great place to find information about the issue you are searching for; however, by default they do not log much information except system startup times.  
To get more detail you will have to let the firewall know, and this is not something you should be doing all the time.&lt;br /&gt;&lt;br /&gt;For example, if you are having a problem getting a VPN tunnel to come up, turning on debugging for the vpn process will provide a wealth of detail, for you and support.&lt;br /&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;echo "" &gt; vpnd.elg&lt;/span&gt;&lt;span style="font-style: italic;"&gt; &lt;--- this will clear out old entries from getting in the way&lt;/span&gt;&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;vpn debug on&lt;/span&gt; &lt;span style="font-style: italic;"&gt;&lt;-- turns debugging on, entries written to log&lt;/span&gt;&lt;br /&gt;[Expert@sevenof9]#&lt;br /&gt;[Expert@sevenof9]# &lt;span style="font-weight: bold;"&gt;vpn debug off&lt;/span&gt; &lt;span style="font-style: italic;"&gt;&lt;-- make sure you turn it off when you are done&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There is also information that can be turned on for the fwd (gateway) and fwm (management).&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw debug fwd on TDERROR_ALL_ALL=5&lt;/li&gt;&lt;/ul&gt;TDERROR_ALL_ALL is a value from 0-5, 5 being the most information.  Adjust for your situation.&lt;br /&gt;Logs are redirected to $FWDIR/log/fwd.elg&lt;br /&gt;&lt;br /&gt;This level of debug is still fairly high level, compared to how deep we are prepared to go.  
To get into depth, commands like the following will provide the detail support might need.&lt;br /&gt;&lt;br /&gt;VPN debug&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 10000 &lt;/li&gt;&lt;li&gt;fw ctl debug -m vpn all &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; VPN_debug &amp;amp; &lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;vpn debug ikeon/ikeoff &lt;/li&gt;&lt;/ul&gt;Logs are redirected to $FWDIR/log/ike.elg&lt;br /&gt;&lt;ul&gt;&lt;li&gt;vpn debug on/off &lt;/li&gt;&lt;/ul&gt;Logs are redirected to $FWDIR/log/vpnd.elg&lt;br /&gt;&lt;br /&gt;Also check sk32788 for troubleshooting 3rd party VPN connectivity.&lt;br /&gt;&lt;br /&gt;NAT debug&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 10000 &lt;/li&gt;&lt;li&gt;fw ctl debug xlate xltrc &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; NAT_debug &amp;amp; &lt;/li&gt;&lt;/ul&gt;SmartDefense Active debug&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 10000 &lt;/li&gt;&lt;li&gt;fw ctl debug -m fw+conn drop vm &lt;/li&gt;&lt;li&gt;fw ctl debug -m CPAS all &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; CPAS_debug &amp;amp; &lt;/li&gt;&lt;/ul&gt;And for SmartDefense Passive inspection&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 10000 &lt;/li&gt;&lt;li&gt;fw ctl debug -m fw+conn drop vm tcp-str spii &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; SD_debug &amp;amp; &lt;/li&gt;&lt;/ul&gt;Doing VoIP debug will depend on the type of VoIP traffic you are protecting.&lt;br /&gt;&lt;br /&gt;SIP&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 16000 &lt;/li&gt;&lt;li&gt;fw ctl debug + sip &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; file.dbg &lt;/li&gt;&lt;/ul&gt;mgcp&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 16000 &lt;/li&gt;&lt;li&gt;fw ctl debug + mgcp &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; file.dbg &lt;/li&gt;&lt;/ul&gt;skinny&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 16000 &lt;/li&gt;&lt;li&gt;fw ctl debug -m CPAS skinny &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; file.dbg &lt;/li&gt;&lt;/ul&gt;MSNMS&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 16000 &lt;/li&gt;&lt;li&gt;fw ctl debug + msnms sip &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; file.dbg &lt;/li&gt;&lt;/ul&gt;H.323&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug 0 &lt;/li&gt;&lt;li&gt;fw ctl debug -buf 16000 &lt;/li&gt;&lt;li&gt;fw ctl debug -m h323 all &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; file.dbg &lt;/li&gt;&lt;/ul&gt;When planning your debugging session, special consideration must be taken when dealing with a cluster of firewalls.  You may be running the debug on the member that is not handling the traffic, in which case you are wasting time, and you will be looking at 2, 3 or 4 times as many systems.  If you can reduce the cluster to a single member, this will simplify the process, and if this clears the issue up, you now know you need to continue with the next section, debugging clusters.  Otherwise, if the cluster must remain active, you will need to perform all the previous debug steps on ALL members, including cluster-specific debug.&lt;br /&gt;&lt;br /&gt;Cluster debug&lt;br /&gt;&lt;ul&gt;&lt;li&gt;fw ctl debug -buf 10000 &lt;/li&gt;&lt;li&gt;fw ctl debug -m fw+sync &lt;/li&gt;&lt;li&gt;fw ctl debug -m cluster all &lt;/li&gt;&lt;li&gt;fw ctl kdebug -f &gt; CLUSTER_debug &amp;amp; &lt;/li&gt;&lt;/ul&gt;Last, but never least, do not forget about SecureXL templates.  SecureXL operates at the driver level and can hide traffic from the OS when it is accelerating traffic in the firewall kernel.&lt;br /&gt;&lt;br /&gt;Check the status with 'fwaccel stat' and disable templates with 'fwaccel off' to ensure they are not part of the problem.  
Note any changes for support and re-enable with 'fwaccel on', or you may need to debug the process itself (hopefully under the direction of support) with 'fwaccel dbg'.&lt;br /&gt;&lt;br /&gt;This is by no means a foolproof method of tracing all problems, and don't forget to keep looking around the firewall, into the network and right into the applications that are having so much trouble.&lt;br /&gt;&lt;br /&gt;I also don't mean for this to be the complete troubleshooting guide, but it will hopefully get you started.  Familiarizing yourself with the Advanced Technical Reference Guide (ATRG-NGX.pdf) in sk31221 and rigorous searching of &lt;a href="https://supportcenter.checkpoint.com/"&gt;SecureKnowledge&lt;/a&gt; will go a long way to deciphering the troubleshooting information you collect.&lt;br /&gt;&lt;br /&gt;Happy hunting!&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-5587028712214272847?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.checkpoint.com' title='Basic to Advanced Check Point Gateway Troubleshooting'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/5587028712214272847/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=5587028712214272847' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5587028712214272847'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5587028712214272847'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/03/basic-to-advanced-check-point-gateway.html' title='Basic to Advanced Check Point Gateway 
Troubleshooting'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_qknjeSNjEHU/ScNaj0ZFXnI/AAAAAAAAAF8/Wc92RntbV_s/s72-c/Picture+1.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-54542635686883085</id><published>2009-02-08T18:54:00.011-05:00</published><updated>2010-02-27T05:28:36.582-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='heretic'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='shit'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>Fill this out about your SENIOR year of high school!  Do You See Mine?!?!</title><content type='html'>Fill this out about your SENIOR year of high school! The longer ago it was, the more fun the answers will be!!  Be sure to tag as many of your friends as you can.&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;&lt;br /&gt;This is your assignment.  Please get as many people as you know to fill out this form.  After you have done so, erase all evidence of this email; that means destruction of physical hardware to ensure there will be no recovery.  These are the instructions on how these work, and the type of information you will be asked to recover from the ensuing responses.  
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;People were kind enough to offer all sorts of information from the '25 random things' operation.  The information has been correlated in our databases and we are ready for some deep reconnaissance into the lives of these people.   Replace the highlighted sections with your staged answer and send this out.  Our web bots will scrape the sites for data collection; information will be correlated, classified and assigned a value.  The aggregate sale value of the information will be automatically calculated by the number of people you indirectly influence to respond, relative to their value on the open information market.  You will be paid accordingly.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;1. Did you date someone from your school?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Have to get the target's interest, and create a sense of involvement and gossip.  Whether the target knows this person, or the person they mention, this would raise interest to read on.  Once read, this will pressure for a response.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;2. Did you marry someone from your high school?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Let's establish right away who the target married, and in the case of a name change, be sure to link this information. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;3. Did you car pool to school?&lt;br /&gt;&lt;span style="font-style: italic; font-weight: bold;"&gt;Owning a car at a younger age could indicate good money management skills; the target can be identified and classified as interested in vehicles, travel and freedom, as well as having the potential financial background to be worth following closer.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;4. 
What kind of car did you have?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;The type of vehicle will indicate not only financial state at the time, but help to correlate a timeline of events based on historical information.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;5. What kind of car do you have now?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;A chance for the target to discuss vehicles; indicates interest level in vehicles, as well as helping calculate the target's overall net worth relative to interest in vehicles.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;6. It's Friday night... where were you then?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Establish pattern of interaction with others, popularity, as well as look for clues as to financial level.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;7. It is Friday night... where are you now?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Make this search current; establish ability to influence others indirectly to fill out operations such as this one.  Could indicate good targets for future questionnaires.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;8. What kind of job did you have in high school?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Locate business industries for past employment records search to correlate SIN/Social Security numbers.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;9. What kind of job do you do now?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Being able to identify current industry establishes financial level, location, areas of expertise and experience.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;10. Were you a party animal?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Subjective question for minor psychological analysis.  Of limited value but brings back interest in answering the rest of the questions due to previous information grabs. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;11. 
Were you considered a flirt?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;As above, also for analysis and interest.  Create interest to continue reading/answering questions.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;12. Were you in band, orchestra, or choir?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Identify musical backgrounds, establish involvement and interest in the arts for profiling.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;13. Were you a nerd?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Subjective, but relevant to establishing hierarchy in the online social networking audience.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;14. Did you get suspended or expelled?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Propensity to break rules or work outside established order, important for psychological profile.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;15. Can you sing the fight song?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Will establish clues for tracing the school location.  If answered, will also indicate involvement in school activities and can initiate a web bot yearbook trace for correlation.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;16. Who was/were your favorite teacher?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Can be used to identify school and location; most favorite teachers are chosen by multiple students, which can establish pools of students in the same school systems.  Linked to teacher's profile search to establish influence. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;17. Where did you sit during lunch?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Establish hierarchy in school, as well as establish outside interests in clubs and organizations the student may have been involved with. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;18. 
What was your school's full name?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Full name is important to establish location and limit search times for background profile.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;19. When did you graduate?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Leveraged to confirm age, location, and attainment of diploma.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;20. What was your school mascot?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Relevant to identifying involvement and knowledge in school sports activities.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;21. If you could go back and do it again?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Look for areas that could be addressed currently; information can be very useful in profiling for targeted sales based on historical regret.  Revenue-generating information to fund the operation in the short term.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;22. Did you have fun at Prom?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Looking for an intimate memory to be revealed, linked to psychological profile to establish character profile. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;23. Do you still talk to the person you went to Prom with?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Will indicate if the target has left the area or has limited access to people they know from this operation.  Will indicate value level with other contacts from the years around their graduation.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;24. Are you planning on going to your next reunion?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Indicator of ability to travel and proximity to original location.  Also may reveal the level of activity for the person currently. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;25. 
Do you still talk to people from school?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Shows a connection to other people being profiled; will help link current activities to this information so that we can chart current activities better, and link target activities.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;26. What are/were your school's colors?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Correlated to other answers to identify an involvement in school activities.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;27. Are you tagging any of the people you graduated with?&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;Let's remind them to send this out to as many contacts as they can; this is critical to gather as much information as possible.  The more that respond, the better our database will be.  Good luck, and happy information hunting!&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/54542635686883085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=54542635686883085' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/54542635686883085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/54542635686883085'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/02/fill-this-out-about-your-senior-year-of.html' title='Fill this out about your SENIOR year of high school!  
Do You See Mine?!?!'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-7036536105814544628</id><published>2009-01-26T19:59:00.003-05:00</published><updated>2009-03-26T00:28:01.000-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='Kellman Meghu'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='twitter'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='safety'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>It's NOT About Technology: Keeping children safe online</title><content type='html'>Stop looking for that amazing technology that will protect your children when they are online, so that you don't have to.  It doesn't exist.  Sorry to break the news, but having done a few radio shows, and even a TV news interview about trying to help parents manage the safety of their children on the Internet, I'm still getting questions about the technology.  
This is a complex subject to try to speak to in 5 minutes or less, and allot of times I would end up giving a few tips in quick interviews, and while I heard it was helpful to people who use their computers and internet access a fair amount, for most people not familiar with technology, it was more frightening than helpful.  Let me try again, but this time, let's take the time to focus on the non-technical side of computer security for your family.&lt;br /&gt;&lt;br /&gt;I have spoken at schools, from primary to high school, about internet safety.  And this was not a one way conversation, I spoke, but also left plenty of time for questions, and this is where I learned the most about how our children are using computers, and the communication potential the internet has created for the world.  I also repeated the presentation on internet security to the parents and teachers, in a closed session away from the kids, where they too could ask questions.  Being able to experience both sides of the coin, so to speak, I was faced with the uncomfortable position that we always joke about, that the kids knew far more than the parents when it came to their own safety, let alone usage.&lt;br /&gt;&lt;br /&gt;Now that is not across the board, and don't get me wrong, this was no psychological/scientific study, it was just me trying to answer questions about something I work with daily, internet security.  What I wanted to do for the parents and kids, was to help them understand how to safely use their computer, but back to my original point.  If the kids already know it all, what could a parent do? Now I will have to contradict this belief in a big way.&lt;br /&gt;&lt;br /&gt;In the pattern of questions from the kids, it became apparent to me that many of them had no idea that what they were doing could be publicly seen, or could stay available to the world for the rest of their lives (. . and your grandkids lives, and your great grandkids lives).  
Let's take a moment and think of the ramifications of this.  Let's suppose your child was caught spray painting graffiti, of the racist type.  Off colour joke about someone, maybe a threat.   Whatever.  You get the idea.  The local stigma will be bad. . for a while, probably a long while if it's bad enough.  And it will be a tough lesson to that child that we all know usually sticks when they learn the meaning of sorry.  And who among us hasn't done something oh so massively terrible you wonder if your parents will ever love you again?  Turns out they always did love you, and you get to deal with it together.   The point is, we all make mistakes and time passes and we move forward.&lt;br /&gt;&lt;br /&gt;But what if that was an online blog instead of the concrete wall behind the school?  That is something a child, potentially a very young one, will have to live with for the rest of their life.  What happens when a simple google search dredges up the same incident, over and over, like it just happened.  And it doesn't have to be something inflammatory.  It could be quite innocent.  Check out the story about the &lt;a href="http://en.wikipedia.org/wiki/Star_wars_kid"&gt;Star Wars Kid&lt;/a&gt;.  He became famous, but at what cost?  Kind of scary, isn't it?  I don't know about you, but I don't want the kind of life for my child, or any child for that matter, where they can't move forward in their life, and simply become an easy target for others to attack.&lt;br /&gt;&lt;br /&gt;I was asked by a principal at a school for some help along these lines and I witnessed, first hand, some awful cyberbullying, which is really just bullying.  When one child torments another child, be it on the playground, or over email, its still the same cowardly, vicious act either way.  The disturbing part was that the principal of the school was bombarded with incidents of kids saying some pretty nasty things about other kids.  Then a bunch more jump in and make it worse.  
When confronted with school yard bullies, the system knew what had to be done.  But when it was most of the students involved in attacking others, with code words and fake names, fake websites, somewhere out on the internet, it was haunting the victims as bad as if it was done in person.  And we were finding allot of victims, even teachers themselves were targets.  It was astounding to the teachers and parents, that it was this prevalent.  However, when these 'cyber' bullies were confronted, being only children themselves, most just crumbled when presented with the horrible truth of their actions, and a disturbing pattern emerged.&lt;br /&gt;&lt;br /&gt;On the internet, these kids thought they were invisible.  Mom and dad didn't know what they were doing, so no one else does, right?  They had no concept that the situation was exactly the opposite, and we could tell them, down to the second, when and where, they sent those awful messages or made some mean spirited web posting.  Now lets consider that, other than these online incidents, these were not bad kids.  But when young children think they are invisible, they tend to say and do some pretty dumb things.  Imagine the escape and freedom they must have felt, thinking that they were (most likely for the first time in their lives), able to say and do whatever they wanted on the computer.  Imagine the freedom they must have felt.  Then imagine their horror at seeing these online experimentations appearing back before their eyes, when they thought it was gone forever as quick as they hit delete.   It is absolutely critical to their survival in an online world, that you enforce  into your children that this is simply not the case.  It's exactly the opposite.   Whatever they put out there can easily come back to haunt them, so would they want their parents to see it?  Their teachers? 
Their future employers?&lt;br /&gt;&lt;br /&gt;So when I say the children knew far more than the parents when it came to their own safety, I'm only really talking about the tools, like firewalls and anti-virus, and anti-spyware, malware.  You name it, there were allot of kids who knew their stuff.  I had one child describe for me the tools they downloaded from the internet, in order to clear out some spyware, that their parent had acquired while web surfing.  Some of the kids were basically fixing and maintaining the computer security for their parents.  And there is nothing wrong with that, let's face it, it's great that they have taken enough of an interest to learn on their own, and there is no question that parents should support their child and the computer interests, but this wasn't the area most kids needed help with.&lt;br /&gt;&lt;br /&gt;The part they need help with is the part we are already teaching them in all other parts of their life.  You know this stuff, don't get caught up in the techno-mumbo-jumbo, this is about parenting.&lt;br /&gt;&lt;br /&gt;When you're child is young, say young enough that you still need to monitor them when they play in the park, then guess what?  It's probably a really bad idea to let them surf the web on their own.  You need to be beside them, searching for cars, or transformers, or whatever it is they like, and finding the website, bookmarking them so you can take them back to the places you know they like, and ensuring it is what you expect kids should be seeing.  Think it's OK to let your young child run their own searches, then you go ahead and let your child search 'barbie' on their own.  Let me know how that works out for you.&lt;br /&gt;&lt;br /&gt;That's not really so hard, is it?  It doesn't take technology to spend some time with them.  Maybe search a hobby, plan a family vacation together, make the internet something you use as a tool together.  
By the way, did you actually try the &lt;a href="http://www.google.ca/search?hl=en&amp;amp;q=barbie&amp;amp;btnG=Google+Search&amp;amp;meta="&gt;'barbie'&lt;/a&gt; search?  Not as bad as you feared?  That's also a common discovery on the internet.  But don't fool yourself, it's the whole world out there, lots of good, some bad, and they are too young to wander in it, at this point.&lt;br /&gt;&lt;br /&gt;Then your child gets older, and instant messaging comes along.  It's latest incarnation is called &lt;a href="http://twitter.com/"&gt;Twitter&lt;/a&gt;, but rest assured it goes on in many forms.  Are they playing games online with others?  Whole lotta chatting going on there.  It's all the same thing, so watch for it.  Don't be overwhelmed by the wealth of programs, and ways people communicate, they all do basically the same thing; connect people in real time, sometimes with cameras (Yeah, how bad could that be for kids?), to chat, exchange pictures, programs, stories, music, movies. . . you name it.  If you can digitize it, anything goes.&lt;br /&gt;&lt;br /&gt;This is probably also about the time you start letting them go over to friends house's, bike around the block, and generally start to become an independent growing child.  So guess what, time to let them get instant messaging.  And you know what else?  You too.  Go ahead and have your kids set you up with a chat account and get connected.  Do you have to use it?  Not really, although it won't hurt to give it a try.  What you really should be doing with it, is helping your child make smart choices about the 'friends' they keep.  When it starts, make sure you both know your IM (instant messaging) friends, and I mean physically met this person, know their parents, etc.  Same things you do if they are going to stay over at a friends house in the neighbourhood.&lt;br /&gt;&lt;br /&gt;Unfortunately this won't last long, so enjoy it while it does.  
Eventually they like to go the mall, or catch a movie with some friends, and when they do this, they will meet new and interesting people we know nothing about.  Likewise they will want to interact with people they just meet over the internet, through common websites, interests, friends.  I know your gut reaction is to just say no, but life doesn't work that way and you know it.  Just like you are going to let them go to the mall sooner or later, you are going to let them chat with strangers on the internet.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-style: italic; font-weight: bold;"&gt;*GASP*&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Say it isn't so!  Could we really let them talk to strangers?  Of course, but there are just a couple of rules to follow when you are chatting with strangers on the internet.  Parents, take note, this applies to you as well.&lt;br /&gt;&lt;br /&gt;1) You don't meet a stranger without parents (or alone, for you adults out there), not even in a public place.  I don't care how well you 'know' them online.&lt;br /&gt;2)  You don't give out personal information about yourself&lt;br /&gt;&lt;br /&gt;The second one is harder than it sounds.  Sure address, phone number, credit card, etc all seem obvious, but as careful as we think we are, there are some rather tricky ways to get information out of someone.  
This is the part where I worry you again.&lt;br /&gt;&lt;br /&gt;Let's say your child is talking to someone on the internet about puppies.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;creep&lt;/span&gt;: hey click &lt;a href="http://www.desktoprating.com/wallpapers/animal-wallpapers-pictures/4-cute-puppies-wallpaper-640x480.jpg"&gt;here&lt;/a&gt; for a picture of a cute puppies!&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; &lt;span style="font-weight: bold;"&gt;yourchild&lt;/span&gt;: wow are they ever cute&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; &lt;span style="font-weight: bold;"&gt;creep&lt;/span&gt;: so I like to walk my puppies at the park near Ajax High school, Post Park.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; &lt;span style="font-weight: bold;"&gt;yourchild&lt;/span&gt;: I know that school, but I don't go there.  Not sure I have been to that park.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; &lt;span style="font-weight: bold;"&gt;creep&lt;/span&gt;: I live around the corner from it on Woodhouse Cres., but I sometimes play baseball at Timber Wood park.&lt;/span&gt; &lt;span style="font-style: italic;"&gt; &lt;span style="font-weight: bold;"&gt;&lt;br /&gt;yourchild&lt;/span&gt;: I go to Timber Wood park&lt;/span&gt;&lt;span style="font-style: italic;"&gt; all the time, I play baseball there too!&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; &lt;span style="font-weight: bold;"&gt;creep&lt;/span&gt;: cool, what position do you play?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Let's explain what is actually happening here.  When connected in a chat, most systems hide your actual location on the internet by pushing all the communications through other computers.  
This means that by just chatting with someone, this does not automatically make you traceable to anyone you are chatting with (except the people that run the chat servers of course, they see everything, but that's another blog).  But when &lt;span style="font-weight: bold; font-style: italic;"&gt;creep&lt;/span&gt; provided a link to view a picture of a puppy, the resulting connection from &lt;span style="font-weight: bold; font-style: italic;"&gt;yourchild &lt;/span&gt;is logged by the person who posts the picture on the internet, in this case it leaves a fingerprint of where you are coming from.&lt;br /&gt;&lt;br /&gt;What &lt;span style="font-style: italic; font-weight: bold;"&gt;creep&lt;/span&gt; gets is your IP address, a number that uniquely identifies you on the internet.  It's like a phone number for computers, and you have to use it to call out to the internet when you access anything.  It's also what prevents you from easily hiding what you do online.   What can &lt;span style="font-style: italic; font-weight: bold;"&gt;creep&lt;/span&gt; do with this information?  
Well &lt;span style="font-weight: bold; font-style: italic;"&gt;creep&lt;/span&gt; can punch this number into a special web search and get this information below to work with, while talking to &lt;span style="font-weight: bold; font-style: italic;"&gt;yourchild&lt;/span&gt;.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/SXo_DoBFKjI/AAAAAAAAAE4/n147jdrl_0I/s1600-h/lookup.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 242px;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/SXo_DoBFKjI/AAAAAAAAAE4/n147jdrl_0I/s400/lookup.JPG" alt="" id="BLOGGER_PHOTO_ID_5294613643441547826" border="0" /&gt;&lt;/a&gt;So armed with the knowledge of the general area, and some statistics on the location&lt;span style="font-weight: bold; font-style: italic;"&gt; creep&lt;/span&gt; has only to add a simple &lt;a href="http://maps.google.ca/maps?f=l&amp;amp;source=s_q&amp;amp;hl=en&amp;amp;geocode=&amp;amp;q=category:+%22Schools+Academic+Elementary+%26+Secondary%22&amp;amp;sll=43.843101,-79.074354&amp;amp;sspn=0.021326,0.027294&amp;amp;ie=UTF8&amp;amp;near=ajax+ontario+canada&amp;amp;cd=2&amp;amp;ei=Pjp6SdqHKIKSoQOE6cWcDA&amp;amp;ll=43.85008,-79.020109&amp;amp;spn=0.010662,0.021801&amp;amp;z=16"&gt;Google Maps search&lt;/a&gt;, and voila. . .&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SXo_gxVnTjI/AAAAAAAAAFA/kaVzosPKktI/s1600-h/map.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 321px;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/SXo_gxVnTjI/AAAAAAAAAFA/kaVzosPKktI/s400/map.JPG" alt="" id="BLOGGER_PHOTO_ID_5294614144159796786" border="0" /&gt;&lt;/a&gt;Go take a look at the conversation again.  
With markers picking out local schools, you can see it would be trivial to fool someone with that much information; they don't realize you know it.  &lt;span style="font-style: italic; font-weight: bold;"&gt;creep&lt;/span&gt; offers the information first, supposedly about themselves, so, from the child's point of view, they must know and live in my area, right?  They aren't really a stranger, they live in my area!  This doesn't even have to be a technical trick; some people are just great at asking the right questions.  Sometimes it's to steal information and identities (yes, people steal a child's identity: one day they will be 18 and have a credit card, so why not start collecting the information now), but sometimes it's for much worse.&lt;br /&gt;&lt;br /&gt;I don't want to downplay online predators; it's a fact of life.  Just as you worry about your kids at the mall or at the library, they could just as easily be stalked online.  But let's not make this into something it's not.  This is not an everyday occurrence, and some due diligence up front can keep your child safe.  How, you ask?  Stay involved.  Join the chat or simply ask your child about their new 'friends'.  Get to know who they are hanging out with, just like you ask who they are going to the mall with.  Either way, the fact that you are asking questions will come out in the online chat, and it will be clear to anyone talking to your child that mom or dad is around and interested.  If that doesn't scare away this new 'friend', you can be assured they are safe, although I still recommend keeping up on it as much as possible.  Eventually the child will know to question the person on the other end when the conversation falls outside the original interest.  I just want everyone to try and be realistic about this threat.  Most people online are not crazed loonies out to get you, although if you believe this in the real world, I guess online will be just as bad in your mind.
There are police out there actively hunting these people down, and there is no denying it exists, but you cannot cut yourself off over a fear that represents your smallest risk.  I'd be more concerned with making sure your children keep the firewall and virus checker updated for you.  Viruses, malware, computer exploits: that stuff will hit you every few minutes.&lt;br /&gt;&lt;br /&gt;If you think that's being dramatic (and that predators lurking behind every web page doesn't sound overblown), then consider a statistic from a great website, &lt;a href="http://www.dshield.org/survivaltime.html"&gt;dshield.org&lt;/a&gt;.  This organization correlates thousands of security logs from volunteer sites all over the internet, looking for a variety of information about hacking and virus activity.  They can generate a lot of interesting reports, but a favorite of mine is something called the Survival Time.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dshield.org/survivalgraph.html?end=2008-04-22&amp;amp;start=2008-01-01&amp;amp;none=N&amp;amp;cumulative=Y&amp;amp;windows=N&amp;amp;unix=N&amp;amp;apps=N&amp;amp;p2p=N&amp;amp;backdoors=N?_jpg_csimd=1&amp;amp;token=42f48df9cf3e3d505aa9f6e1a56624a6c69135ce&amp;amp;start_month=1&amp;amp;start_day=1&amp;amp;start_year=2008&amp;amp;end_month=4&amp;amp;end_day=22&amp;amp;end_year=2008&amp;amp;range=Y&amp;amp;cumulative=Y&amp;amp;submit=Update"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 600px; height: 424px;"
src="http://www.dshield.org/survivalgraph.html?end=2008-04-22&amp;amp;start=2008-01-01&amp;amp;none=N&amp;amp;cumulative=Y&amp;amp;windows=N&amp;amp;unix=N&amp;amp;apps=N&amp;amp;p2p=N&amp;amp;backdoors=N?_jpg_csimd=1&amp;amp;token=42f48df9cf3e3d505aa9f6e1a56624a6c69135ce&amp;amp;start_month=1&amp;amp;start_day=1&amp;amp;start_year=2008&amp;amp;end_month=4&amp;amp;end_day=22&amp;amp;end_year=2008&amp;amp;range=Y&amp;amp;cumulative=Y&amp;amp;submit=Update" alt="" border="0" /&gt;&lt;/a&gt;So the survival time is the average amount of time, in minutes, that you have to be online before someone comes along and tries to exploit your computer.  As you can see, this time frame is around 5 minutes.  Do you or your kids browse the web for longer than 5 minutes?  Going online without a firewall that blocks internet connections coming into your computer is like playing Russian roulette with a fully loaded machine gun.  You are going to get hurt.  Do you need a firewall and have no idea where to start?  Google is your friend, but I can make your life even easier: go watch some videos at &lt;a href="http://theacademyhome.ca/"&gt;theacademyhome.ca&lt;/a&gt;; they don't just tell you about computer security for the home, they show you.&lt;br /&gt;&lt;br /&gt;Feeling any better about how to approach your child's access to the internet?  Hang on, we are almost done, but we still have to talk about blogs.  Sooner or later, hopefully later, your child will want to start a blog.  It's like an online diary, stories, you name it, and it comes in many forms.  Probably the biggest example of a 'blog on steroids' is &lt;a href="http://facebook.com/"&gt;Facebook&lt;/a&gt;.  It represents a somewhat public space to post whatever you like about yourself, your family, your friends.  It can be a wonderful way to connect with family and friends if you give it a chance, so don't just dismiss it as pointless.
Systems like &lt;a href="http://facebook.com/"&gt;Facebook&lt;/a&gt;, &lt;a href="http://myspace.com/"&gt;MySpace&lt;/a&gt;, and &lt;a href="http://twitter.com/"&gt;Twitter&lt;/a&gt; are changing how people communicate and interact, so let's clear up a big misconception about online services like Facebook and Twitter, or more to the point, the idea that by NOT using them you are somehow not connected to them in any way.  If you think banning your child from using something like Facebook will keep them off of it, boy do I have a surprise for you, and I am not talking about them sneaking behind your back and opening an account.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;Afriend&lt;/span&gt;: I don't even understand all this Facebook stuff, but I have no interest in putting my personal life online.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;Me&lt;/span&gt;: But you are already on Facebook.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;Afriend&lt;/span&gt;: What?  What are you talking about, I've never used it!&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;Me&lt;/span&gt;: I know, but &lt;span style="font-weight: bold;"&gt;MutualFriend&lt;/span&gt; put up some pictures of you recently, from back in high school, remember the crazy things you used to do? *grin*.  We tagged your name so people that don't know you could see what we were talking about.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;Afriend&lt;/span&gt;: YOU WERE TALKING ABOUT ME WITH STRANGERS!?!?!&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;Me&lt;/span&gt;: Well, they aren't strange to me. . . .
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So of course the reality is, you will have an online presence of some sort whether you like it or not.  Maybe it's not happening now, but it will happen later; just give it time, and you don't get to decide whether you want to be included.  The question is, do you want to be around to see it happen, comment on it yourself, and untag or remove references that try to point to you?  Or are you just going to keep on pretending that it's not happening to you?  If you have friends and family using things like Facebook, blogs, and Twitter, you will get blended in there at some point.  It's your call if you want to be there to see it, but don't think stopping your child from using Facebook keeps them away from it; it just keeps them from taking part, and from potentially stopping or responding if someone tries to post something they don't want up there.  In some cases you may not be able to stop something, but you can flag it so others know the truth around any information to do with you.  If something appears that is a mistake, and it stays out there, your response/clarification stays with it.&lt;br /&gt;&lt;br /&gt;Last suggestion, and probably the most important.  You have now spent far too long reading this online blog.  It is time to turn off the computer and go outside.  Get some fresh air, do something fun outside, take a walk, whatever you like.  Google &lt;a href="http://www.google.ca/search?hl=en&amp;amp;q=fun+outdoor+activities&amp;amp;btnG=Search&amp;amp;meta="&gt;'fun outdoor activities'&lt;/a&gt; if you are short on ideas; just get off this thing for a while and see the real world.
And that is, by far, the most important lesson you can teach your child about using a computer safely on the internet.</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/7036536105814544628/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=7036536105814544628' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/7036536105814544628'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/7036536105814544628'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/01/its-not-about-technology-keeping.html' title='It&apos;s NOT About Technology: Keeping children safe online'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_qknjeSNjEHU/SXo_DoBFKjI/AAAAAAAAAE4/n147jdrl_0I/s72-c/lookup.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-110720111171549316</id><published>2009-01-09T23:43:00.011-05:00</published><updated>2010-02-27T05:27:18.006-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='radio'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Kellman Meghu'/><category scheme='http://www.blogger.com/atom/ns#' term='interview'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='live'/><title type='text'>Internet Safety For Parents</title><content type='html'>My job has me speaking to the media about security topics, and I had a run of requests to discuss internet safety for the family.  This is a complex topic, and there are no hard and fast rules. . . every child and family is different.  I had provided a list of 'points' parents could reference, but never really got to them all (how could I, this is a complex subject); still, I hope I was able to offer some insight to people who had not really thought about some of the issues.  &lt;br /&gt;&lt;br /&gt;The first one was with Melanie, a DJ from Windsor.
The interviewers are amazing at keeping things moving and keeping me talking (not that I am shy to talk, particularly about internet security).&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;[Embedded video: Blogger content ID 7cb201b2a461d97d]&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;The next interview was with a Hamilton station, for The
Biggs show.  Much of the same information, but I tried to mix it up a bit and make a few more points I didn't think came across in the first one.  It's hard, though; they take you through it fast and keep it moving along.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;[Embedded video: Blogger content ID 32298ec1cbda509f]&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;The last
interview was the longest; it was for an afternoon show in Ottawa with Norman Jack.  This show is specific to computer information, so they spent more time with me than the others.  Norman Jack has a great radio voice, and he is not afraid to use it, so in most cases he made my points for me.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;[Embedded video: Blogger content ID 3552f424426da346]&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;A great site has come online since these were broadcast; otherwise I would have mentioned it in these interviews.  Check out &lt;a href="http://www.theacademyhome.com/"&gt;theacademyhome.ca&lt;/a&gt; to see a variety of quick videos that can help you understand the more technical things related to security in the home network.  People always ask me how to set up personal firewalls, AV, etc. . . what better answer than to show you.  They are always adding videos, so check back often.&lt;br /&gt;&lt;br /&gt;And there you have it.  Thanks for listening, and if you have questions, comments, slings, or arrows, feel free to comment.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;</content><link rel='enclosure' type='video/mp4' href='http://www.blogger.com/video-play.mp4?contentId=32298ec1cbda509f&amp;type=video%2Fmp4' length='0'/><link rel='enclosure' type='video/mp4' href='http://www.blogger.com/video-play.mp4?contentId=3552f424426da346&amp;type=video%2Fmp4' length='0'/><link rel='enclosure' type='video/mp4' href='http://www.blogger.com/video-play.mp4?contentId=7cb201b2a461d97d&amp;type=video%2Fmp4' length='0'/><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/110720111171549316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=110720111171549316' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/110720111171549316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/110720111171549316'/><link 
rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2009/01/internet-safety-for-parents.html' title='Internet Safety For Parents'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-7166287542195467364</id><published>2009-01-07T19:20:00.002-05:00</published><updated>2009-03-27T01:29:23.903-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='xbox'/><title type='text'>Recurring Patterns in Video Games</title><content type='html'>I suddenly get bored with video games, usually before I complete the last level, and sometimes before I even complete the first one.  I know why, and it has to do with how I think about computers in everything I do with them.&lt;br /&gt;&lt;br /&gt;Basic fact of computers: everything they do comes down to a 1 or a 0.  Programs really are nothing more than sequences of these two digits, which ultimately lead to nothing more than a complex pattern of 1s and 0s.  If you stare long and hard, you will see this pattern start to repeat itself.&lt;br /&gt;&lt;br /&gt;If condition (x) do condition (y).&lt;br /&gt;&lt;br /&gt;Of course I am being simplistic about just how complex these programs (games) get, but luckily the human brain thinks at a magnitude beyond that, which is enough to continually pick out the patterns the game expects in order to complete the actions needed.
At that point the mystery and excitement of exploring these virtual worlds goes away for me, and the game is done.&lt;br /&gt;&lt;br /&gt;The exception to all this is live play with other people.  But of course, at that point, we have inserted a human pattern into the computer ones, essentially humans defining how the pattern will play out, and when there are humans involved, there is no telling what can happen.  You have to think outside the rules of the game to win.&lt;br /&gt;&lt;br /&gt;And I think that is why the job of complete computer security can never be completed.  All the strategy, planning and safeguards actually have very little to do with computers, and everything to do with how people are using computers (or more to the point, how they are allowed to use them).  I love how simple that sounds, but of course people don't like to be told what to do, let alone being forced to, so the game goes on.  I have to chuckle when people ask me 'if they're safe' when they use a computer for this and that.  Is it turned on?
Then no, you are probably not safe.&lt;br /&gt;&lt;br /&gt;All you can do is watch for new patterns.</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/7166287542195467364/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=7166287542195467364' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/7166287542195467364'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/7166287542195467364'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/12/recurring-patterns-in-video-games.html' title='Recurring Patterns in Video Games'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-2219776839409237179</id><published>2008-12-30T05:26:00.006-05:00</published><updated>2010-02-27T05:25:33.608-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='shit'/><title type='text'>A Husband's Prayer</title><content type='html'>Our wives, who art at the mall&lt;br /&gt;Hallowed be thy charge card.&lt;br 
/&gt;Thy credit come,&lt;br /&gt;Thy bill collectors are not done,&lt;br /&gt;Calling as it is past due.&lt;br /&gt;Give us this discount our daily rate&lt;br /&gt;And forgive us our late payment,&lt;br /&gt;As we forget to mail the cheques from time to time.&lt;br /&gt;And lead us not into the temptation,&lt;br /&gt;But deliver our goods&lt;br /&gt;To thine kingdom.&lt;br /&gt;And the cash&lt;br /&gt;feels glorious to spend&lt;br /&gt;for ever and ever.&lt;br /&gt;Amen</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/2219776839409237179/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=2219776839409237179' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/2219776839409237179'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/2219776839409237179'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/12/husbands-prayer.html' title='A Husband&apos;s Prayer'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-6885376822004131517</id><published>2008-12-23T17:09:00.004-05:00</published><updated>2009-03-27T01:30:14.029-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='insanity'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><title type='text'>The Physics of Santa</title><content type='html'>This isn't my piece, but I feel it warrants repeating.  There is no credit on who originally published this, but I do so love how crazy this myth is when put to the test.&lt;br /&gt;&lt;br /&gt;&lt;hr width="90%"&gt;   &lt;ol&gt;&lt;li&gt;No known species of reindeer can fly. BUT there are 300,000 species of living organisms yet to be classified, and while most of these are insects and germs, this does not COMPLETELY rule out flying reindeer which only Santa has ever seen. &lt;/li&gt;&lt;li&gt;There are 2 billion children (persons under 18) in the world. BUT since Santa doesn't (appear) to handle the Muslim, Hindu, Jewish and Buddhist children, that reduces the workload to 15% of the total - 378 million according to the Population Reference Bureau. At an average (census) rate of 3.5 children per household, that's 91.8 million homes. One presumes there's at least one good child in each. &lt;/li&gt;&lt;li&gt;Santa has 31 hours of Christmas to work with, thanks to the different time zones and the rotation of the earth, and assuming he travels east to west (which seems logical). This works out to 822.6 visits per second. This is to say that for each Christian household with good children, Santa has 1/1000th of a second to park, hop out of his sleigh, jump down the chimney, fill the stockings, distribute the remaining presents under the tree, eat whatever snacks have been left, get back up the chimney, get back into the sleigh and move on to the next house.
Assuming that each of these 91.8 million stops is evenly distributed around the earth (which, of course, we know to be false, but for the purpose of our calculations we will accept), we are now talking about .78 miles per household, a total trip of 75.5 million miles, not counting stops to do what most of us must do at least once every 31 hours, plus feeding, etc. This means that Santa's sleigh is moving at 650 miles per second, 3000 times the speed of sound. For purposes of comparison, the fastest man-made vehicle on earth, the Ulysses space probe, moves at a poky 27.4 miles per second - a conventional reindeer can run, tops, 15 miles per hour. &lt;/li&gt;&lt;li&gt;The payload on the sleigh adds another interesting element. Assuming that each child gets nothing more than a medium-sized Lego set (2 pounds), the sleigh is carrying 321,300 tons, not counting Santa, who is invariably described as overweight. On land, conventional reindeer can pull no more than 300 pounds. Even granting that "flying reindeer" (refer to point #1) could pull TEN TIMES the normal load, we cannot do the job with eight, or even nine. We need 214,200 reindeer. This increases the payload - not even counting the weight of the sleigh - to 353,430 tons. Again, for comparison - this is four times the weight of the Queen Elizabeth. &lt;/li&gt;&lt;li&gt;353,000 tons traveling at 650 miles per second creates enormous air resistance - this will heat the reindeer up in the same fashion as spacecraft re-entering the earth's atmosphere. The lead pair of reindeer will absorb 14.3 QUINTILLION joules of energy per SECOND, EACH! In short, they will burst into flames almost instantaneously, exposing the reindeer behind them, and create a deafening sonic boom in their wake. The entire reindeer team will be vaporized within 4.26 thousandths of a second. Santa, meanwhile, will be subjected to centripetal forces 17,500.06 times greater than gravity.
A 250 pound Santa (which seems ludicrously slim) would be pinned to the back of his sleigh by 4,315,015 pounds of force. &lt;/li&gt;&lt;/ol&gt; In conclusion - If Santa ever DID deliver presents on Christmas Eve, he's dead by now.</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/6885376822004131517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=6885376822004131517' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/6885376822004131517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/6885376822004131517'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/12/physics-of-santa.html' title='The Physics of Santa'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-998391479989355449</id><published>2008-12-23T00:19:00.007-05:00</published><updated>2009-03-27T02:05:31.948-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='insanity'/><category scheme='http://www.blogger.com/atom/ns#' term='heretic'/><category scheme='http://www.blogger.com/atom/ns#' term='phone'/><category scheme='http://www.blogger.com/atom/ns#' term='shit'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='hack'/><category scheme='http://www.blogger.com/atom/ns#' term='Bell'/><title type='text'>I hack my phone</title><content type='html'>I want to get an iPhone just to spite Bell. They are so clueless about customer support, they were actually just doing better when they ignored me.&lt;br /&gt;Recently I got a 'courtesy' call from Bell Mobility just to see how I was enjoying their service and if I had any feedback. It went kinda like this, after a courteous introduction, explaining about how much Bell valued me as a customer:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;span style="font-weight: bold;"&gt;Bell&lt;/span&gt;: We just wanted to call and say thank you for choosing Bell Mobility and is there anything we can do for your service?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Me&lt;/span&gt;: Well, you really sold me a messed up phone. I bought this expensive 6800 pocketpc phone from you, and it was a nightmare, crashing, bluetooth broken, dropped calls.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Bell&lt;/span&gt;: Oh my gosh, that's terrible!  You should call tech support to have a look at that!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Me&lt;/span&gt;: Funny you should mention that, I did. Then it went from a nightmare to an all-out horror show. Telling me you never heard of these problems (I guess Google is blocked there), having me reset my phone, shipping me a new same old broken phone, etc. I just gave up, last entry in the ticket is me saying 'you win, I'm done repeating myself over and over, I just really want to use my phone.' In the course of trying to troubleshoot my own problems, I found a solution.  
I used information from sites on the internet and hacked it myself, replaced the firmware and fixed my own issues, even though you technically will no longer support my phone anymore on your network.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Bell&lt;/span&gt;: So is the phone working?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Me&lt;/span&gt;: O yeah, works great.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Bell&lt;/span&gt;: Well, thank you for choosing Bell, we appreciate your business.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Me&lt;/span&gt;: you got to be kidding me. . .&lt;/i&gt;&lt;br /&gt;*click*&lt;br /&gt;&lt;br /&gt;But herein lies the problem, how can I leave, I finally have my phone working better than ever?  I have turn by turn GPS (no data connection needed, GPS is built into the device), touchflo interface, streams sirius, bluetooth works awesome, no reboots, no dropped calls . . . iphone has nothing on my custom built phone software. The 6800 is a great phone, and with it I can just treat Bell like they should be treated. 
Nothing but pipe, just give me my connection and leave me alone.&lt;br /&gt;&lt;br /&gt;I know they want to sell me more services, like the ones I have already put on my phone, but if you can't keep my phone stable, let alone compete with the apps I can install myself, why bother at all?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-998391479989355449?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/998391479989355449/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=998391479989355449' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/998391479989355449'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/998391479989355449'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/12/i-hack-my-phone.html' title='I hack my phone'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-3673086526452836511</id><published>2008-11-25T10:16:00.012-05:00</published><updated>2009-03-27T01:30:44.258-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rootkit'/><category scheme='http://www.blogger.com/atom/ns#' term='sony'/><category scheme='http://www.blogger.com/atom/ns#' term='insanity'/><category scheme='http://www.blogger.com/atom/ns#' 
term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='xbox'/><title type='text'>The Genie Is Out Of The Bottle</title><content type='html'>The entertainment industry has lost its mind.  They are still suing their customers in some kind of twisted business plan that involves attacking the very people they are trying to market to.  It's actually scary if you think about it, buy this CD, or movie, and if you don't, we will take your house so just pay up.  Mob style.   It's insane.&lt;br /&gt;&lt;br /&gt;And then to release competing HD formats, I remember all too well the VHS versus Beta battle in the 80's, don't they?  Yes, I realize the HD format war wasn't a long battle, and Blu-Ray is king, but king of what?  They completely missed the point in creating a new format, people don't want to buy shiny disks anymore.  We are done with that.  I'm done with trying to keep them in alphabetic order so I can find what I want to watch.  I'm done trying to keep them in the right cases.  I'm done with scratches and lost disks.  I'm done.  The sad part of this?  When Blu-Ray as a format dies, the industry will not acknowledge that they missed the boat on what people really want in a format, they will just blame piracy.&lt;br /&gt;&lt;br /&gt;So I was pleased to see a service like Xbox Live come along with the promise of the availability of HD media content for download.  In particular, HD TV shows I could grab and watch at my leisure.  I travel a lot for work and just don't live the kind of life where I am going to dedicate every Thursday at 8pm to gather in front of a TV set and watch a show.  Sorry, there is nothing quite that good out there for that to happen.  But now when I am home, to actually get to watch a few episodes of something sounded great, right?  Well it's been almost a year with Xbox Live, and no TV content for Canadian customers to download.  
Something about agreements with local content providers and the studios, preventing them from delivering content.  That's fine, I can just download them through unofficial avenues, matter of fact I have a fantastic system using RSS feeds to auto-download shows for me to watch when I want, and how I want.  Now, if the entertainment industry ever gets its act together and perhaps starts using their lawyers to draft new agreements as opposed to suing customers, they will be competing with the system I set up myself.  It will have to be much better to get my attention, and my $$$ now.  Considering how late in the game they already are, I don't see how this can be accomplished.  You would think that they would see an urgency to try.&lt;br /&gt;&lt;br /&gt;But instead, they see an urgency to attack us.&lt;a href="http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal"&gt;  In 2005, Sony BMG music released music CDs with a trojan designed to hijack your machine and prevent you from doing what you wanted with your own computer.&lt;/a&gt;  This act horrifies me, almost as much as the lack of reaction from the public.  How they got away with this without a massive backlash from the public is beyond me, but I for one, will never buy another Sony product because of this.  The part that boggles my mind, and contributes to my point that the entertainment industry is absolutely batshit crazy, is the consideration of who Sony attacked with this rootkit hidden in their commercial CDs.  Who was punished by Sony for music piracy? 
The few customers they had left, that were actually still buying CD's.&lt;br /&gt;&lt;br /&gt;Insanity.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-3673086526452836511?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/3673086526452836511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=3673086526452836511' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3673086526452836511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/3673086526452836511'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/11/genie-is-out-of-bottle.html' title='The Genie Is Out Of The Bottle'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-5337859661258913672</id><published>2008-11-02T17:48:00.011-05:00</published><updated>2009-03-27T01:31:11.826-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nat'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='live'/><category scheme='http://www.blogger.com/atom/ns#' term='xbox'/><title type='text'>How To Get Xbox To Not Be So Strict</title><content type='html'>&lt;span&gt;I was reading &lt;a 
href="http://www.stepto.com/Lists/Posts/Post.aspx?List=47972f52-f025-4805-bea4-f515e4269a3a&amp;amp;ID=486"&gt;Stepto's blog about Microsoft design and deployment challenges&lt;/a&gt; and I have to say, it's a real eye opener, particularly an example of the challenges Microsoft themselves have with using the Xbox Live service through their own corporate firewall product.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: italic;"&gt;Set up an Xbox on a network that goes through an ISA Server 2000, 2004 or 2006 to get to the internet.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Set up ISA Server to allow ALL traffic.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Do the Xbox LIVE Connection test and note that the NAT type is "strict".&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Wait 5 years for these two teams to talk to each other.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Do the Xbox LIVE Connection test and note that the NAT type is still "strict".&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;thanks, that explains a lot about the pain I went through :)&lt;br /&gt;&lt;br /&gt;Not to dispute the distortion field he discusses in his blog, I think he has it spot on, but for the xbox live example above, isn't this actually indicative of something wonky with the xbox live protocol itself?  I actually suffer from a similar distortion field for security products, and have had the pleasure of setting up xbox live on what would be considered 'corporate' level firewalls (NOT an ISA server), and I am amused to see Microsoft having the same challenges with their corporate firewall product, as I do with mine.  In order to use the xbox live service as open (and therefore actually connect to all the games you are paying to access) you need to buy a 'certified xbox live friendly' router.  Why would they do this to home users?  
I searched all over for how to do it, and could not find details on how xbox live actually works.  And since I had at my hands a very advanced firewall technology, I did not appreciate zero information on how to at least try to configure it.&lt;br /&gt;&lt;br /&gt;So for those of you that have advanced firewall technologies, know what they do, and just want to play some games without having to buy something else, here you are.  For those of you that don't quite grasp what I am saying next. . . err. . I guess buy the router with the xbox live stamp.  Microsoft needs the money.&lt;br /&gt;&lt;br /&gt;To get past the 'strict' issue you have to maintain the same tcp source port (nat configurations traditionally will change this field to maintain the table of what goes where) when forwarding the packet to the internet.  I don't understand, at a TCP level, why xbox live would bother with checking this.  Before you rush out to buy a 'certified' router that can handle xbox live, just see if it can nat without changing source port, and you too, can be xbox live friendly.  To sum it up, it needs to be a static nat with no change to the source port.  You can still do this with a hide nat behind a single IP (I'm doing it now) by setting up the inbound NAT forwarding through a catch-all rule if you are forwarding ports for other services, basically forward everything into the firewall after you filter out other services (such as web, email, ftp, if you are running those services as well).&lt;br /&gt;&lt;br /&gt;Of course this is not a safe thing to do from a network perspective, and the new Microsoft, who is supposed to be concerned about user safety, could have done the protocol setup a whole lot better and safer (ssl tunnel various protocols through a single service port anyone?).  I had to figure this out through trial, error and protocol analyzers.  When I asked about this not so safe reality, Stepto himself recommended a DMZ to segment the xbox from the rest of the network. 
 Great idea until you try to use the media extender on a local XP or Vista machine, and now I have a lovely proxy into the network from my unsecured game server.  Not good Microsoft.  Not good at all.&lt;br /&gt;&lt;br /&gt;Lucky for you xbox, I love those games, so after weighing the risks versus the rewards, I have reached an acceptable level of deployment risk.  I love my gaming machine, too bad I won't be trying out any of the media extensions.  I see there is a new xbox live update coming, perhaps instead of creating Mii's for us, you could consider tightening up your live protocols?  I don't really expect this to happen, I'm guessing I'm the only one that cares, but it's a great example that for all the press Microsoft uses to show us how security for users is important to them, it's still the same old Microsoft.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-5337859661258913672?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/5337859661258913672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=5337859661258913672' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5337859661258913672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/5337859661258913672'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/11/how-to-get-xbox-to-not-be-so-strict.html' title='How To Get Xbox To Not Be So Strict'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-1404953501371785092</id><published>2008-10-22T16:48:00.008-04:00</published><updated>2009-03-27T02:06:04.396-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='myths'/><category scheme='http://www.blogger.com/atom/ns#' term='insanity'/><category scheme='http://www.blogger.com/atom/ns#' term='check point'/><category scheme='http://www.blogger.com/atom/ns#' term='heretic'/><category scheme='http://www.blogger.com/atom/ns#' term='SecTor'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>I Am A Security Heretic - SecTor 2008</title><content type='html'>&lt;div&gt;&lt;br /&gt;&lt;div&gt;At the&lt;span style="font-weight: bold;"&gt; &lt;a href="http://sector.ca/"&gt;SecTor&lt;/a&gt;&lt;/span&gt; show this year I was treated to a variety of presentations from the security field, and in all forms; physical, virtual, logical, and philosophical. Yes, philosophical, and this was by far the presentation with the most impact for me.&lt;br /&gt;&lt;br /&gt;Don't get me wrong, there were a ton of great presentations at the show, but it is very rare that a presenter can make me sit back and really rethink how I approach something, and in this case, something very near and dear to me, information and network security.&lt;br /&gt;&lt;br /&gt;The presentation was from &lt;span style="font-weight: bold;"&gt;&lt;a href="http://www.myrcurial.com/"&gt;myrcurial&lt;/a&gt;&lt;/span&gt; and it was the session&lt;span style="font-weight: bold;"&gt; &lt;a href="http://sector.ca/sessions.htm#Arlen"&gt;Security Heretic: We're Doing It Wrong&lt;/a&gt;&lt;/span&gt; that really got me thinking. 
He challenged me, I (tried to) challenge back, but in the end was left with two feelings. Some of my past personal reactions and choices to security designs and deployments were vindicated. And some were vilified. After it all, I was forced to accept that I am the worst of what the presenter was pointing out; I knew the right course of action, but at times had chosen not to follow it.&lt;br /&gt;&lt;br /&gt;In fairness to myself, a lot of the time I did not have a choice. We all have jobs to do, and bosses to please, and sometimes the path of least resistance gets us home to our families the quickest.&lt;br /&gt;&lt;br /&gt;What really got me was the security test. As a security professional, take a look at the picture below, it is a typical desktop at a typical company worried about security, and see if you can tell me what the security risk to a company is here.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_qknjeSNjEHU/SP9ZRXVnYtI/AAAAAAAAAEE/J1jSoqV73Co/s1600-h/ipod-thief.JPG"&gt;&lt;img id="BLOGGER_PHOTO_ID_5260021044649353938" style="margin: 0px auto 10px; display: block; text-align: center;" alt="" src="http://2.bp.blogspot.com/_qknjeSNjEHU/SP9ZRXVnYtI/AAAAAAAAAEE/J1jSoqV73Co/s320/ipod-thief.JPG" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you say it's the iPod, and our users are running around with iSlurp, stealing all the corporate crown jewels in a crazed attempt to destroy the company that employs them, then congratulations. You too could work in the security industry and stay very busy. That was my response as well. I could even go into great detail about how we can address that particular risk.&lt;br /&gt;&lt;br /&gt;But I had missed the point of the picture. It's an iPod, connected to a laptop. A LAPTOP! Let's all be realistic here, if they wanted to take corporate secrets out, they would just take the laptop home. 
I made a kneejerk reaction to a specific issue and instantly wanted to apply technology to it.&lt;br /&gt;&lt;br /&gt;Don't get me wrong, I am not discounting the technology or the need to do things like block and monitor computer ports, be it firewire, usb or bluetooth. What I need to do is make sure it's applied with an appropriate amount of force and in the appropriate place. I need to stop using a sledgehammer to open a bottle, all that does is smash the container, losing most of the contents.&lt;br /&gt;And that was another really great point of the presentation that hit home, what is any good company's truly great and valuable asset? What are these corporate jewels we need to protect?&lt;br /&gt;&lt;br /&gt;It's the employees, that user base you're about to punish and lock up like lost, mindless children, incapable of using the tools with any responsibility. It's like giving them a job that involves cutting, but then taking away all the knives. It's like we forget why we hired them in the first place, and then we forget they are people with lives that are always going to be intertwined with work. And is that such a bad thing? So much of what we do, defines what we are and if someone wants to take their work home, or bring their home to work, in the end, are you not getting more back into the company? More ideas, more time, more commitment? Our goal as security professionals is to help them do it safely, not punish them for trying.&lt;br /&gt;&lt;br /&gt;And this is why I have become a security heretic. 
&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;em&gt;&lt;/em&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8947416008886820462-1404953501371785092?l=kill-hup.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/1404953501371785092/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=1404953501371785092' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/1404953501371785092'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/1404953501371785092'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/10/i-am-security-heretic-sector-2008.html' title='I Am A Security Heretic - SecTor 2008'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_qknjeSNjEHU/SP9ZRXVnYtI/AAAAAAAAAEE/J1jSoqV73Co/s72-c/ipod-thief.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8947416008886820462.post-4324301713752549024</id><published>2008-10-12T22:41:00.032-04:00</published><updated>2009-03-26T00:28:01.003-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Kellman Meghu'/><category scheme='http://www.blogger.com/atom/ns#' term='family'/><category scheme='http://www.blogger.com/atom/ns#' term='shit'/><category 
scheme='http://www.blogger.com/atom/ns#' term='septic'/><category scheme='http://www.blogger.com/atom/ns#' term='digging'/><title type='text'>Do You Remember Where You Put Your Shit?</title><content type='html'>My father has been gone for over 5 years now. It doesn't seem that long, but time is slipping away all the same. There are many things dad just took care of for myself, my brother and my mom. This thanksgiving I was back to my mom's place, the 3 of us together, along with my own family, when I was told of a very septic situation. The septic tank needed to be emptied, my dad had taken care of it during the last year of his life with us, and we had waited far too long since. Everything was lined up, the truck was coming to suck out all the waste, we just needed to dig up the septic tank.&lt;br /&gt;&lt;br /&gt;Here came the problem; my dad was the only one of us who knew where it was and had always been the one to locate it. I had dug it up more than a few times in my life, but I can't say I ever paid much attention to where it was. Dad pointed, I dug. It was that easy.&lt;br /&gt;&lt;br /&gt;So we surveyed the yard, and the area it should be.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK1827C1uI/AAAAAAAAAAU/2B31ltoC6Dg/s1600-h/IMAGE_175.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK1827C1uI/AAAAAAAAAAU/2B31ltoC6Dg/s320/IMAGE_175.jpg" alt="" id="BLOGGER_PHOTO_ID_5256463772234733282" border="0" /&gt;&lt;/a&gt;After much debate and consideration of the septic tank location, we did the next logical thing we thought, dig. My brother began the search process, dig down until we hit the cement of the septic tank, and if we don't hit it, move over a bit and keep digging. How long could that take, really?&lt;br /&gt;A first hole was dug. . . 
.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK3KjkS8yI/AAAAAAAAAAc/CrlmTvh8x6I/s1600-h/IMAGE_173.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK3KjkS8yI/AAAAAAAAAAc/CrlmTvh8x6I/s320/IMAGE_173.jpg" alt="" id="BLOGGER_PHOTO_ID_5256465107068842786" border="0" /&gt;&lt;/a&gt;and dug quite deep I might add. &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK3bpwcmpI/AAAAAAAAAAk/PSCDtOoofAY/s1600-h/IMAGE_171.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK3bpwcmpI/AAAAAAAAAAk/PSCDtOoofAY/s320/IMAGE_171.jpg" alt="" id="BLOGGER_PHOTO_ID_5256465400788195986" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;But there was no cement, no tank.   So we dug another hole. . . .  &lt;/p&gt;   &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK472NBiYI/AAAAAAAAAAs/PlNfD9e1Glk/s1600-h/IMAGE_179.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK472NBiYI/AAAAAAAAAAs/PlNfD9e1Glk/s320/IMAGE_179.jpg" alt="" id="BLOGGER_PHOTO_ID_5256467053396724098" border="0" /&gt;&lt;/a&gt;And another. . . .  
&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK5NfE_zeI/AAAAAAAAAA0/_IQhefM8T6s/s1600-h/IMAGE_174.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK5NfE_zeI/AAAAAAAAAA0/_IQhefM8T6s/s320/IMAGE_174.jpg" alt="" id="BLOGGER_PHOTO_ID_5256467356426685922" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;My son even stepped in to help.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK5bB-6xwI/AAAAAAAAAA8/WFsD2XjReo8/s1600-h/IMAGE_176.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK5bB-6xwI/AAAAAAAAAA8/WFsD2XjReo8/s320/IMAGE_176.jpg" alt="" id="BLOGGER_PHOTO_ID_5256467589134731010" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;But still no septic tank to be found.  Somewhere around here frustration sets in, arguments about location and who remembers what.  Did we go deep enough?  Was it further down the yard?  We were getting tired of digging and not really making any progress, when the idea hits my brother.  Put a bounty on the septic tank.  Just find it.  
$50 to anyone that can find it.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;Word spread quickly to neighbours, and as the wanted septic tank story became known, they came.&lt;/p&gt;   &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/SPK5wsx9WCI/AAAAAAAAABE/xXcjx7kWUcc/s1600-h/IMAGE_181.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/SPK5wsx9WCI/AAAAAAAAABE/xXcjx7kWUcc/s320/IMAGE_181.jpg" alt="" id="BLOGGER_PHOTO_ID_5256467961400350754" border="0" /&gt;&lt;/a&gt;and then the real digging started,  &lt;/p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK6G_ye_kI/AAAAAAAAABM/OwYQp7MtoYI/s1600-h/IMAGE_182.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK6G_ye_kI/AAAAAAAAABM/OwYQp7MtoYI/s320/IMAGE_182.jpg" alt="" id="BLOGGER_PHOTO_ID_5256468344459951682" border="0" /&gt;&lt;/a&gt;&lt;p class="western" style="margin-bottom: 0cm;"&gt;Trying any new location in a frantic search to find the prize.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK6lhQ8dQI/AAAAAAAAABc/JtUBs2c99x0/s1600-h/IMAGE_178.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK6lhQ8dQI/AAAAAAAAABc/JtUBs2c99x0/s320/IMAGE_178.jpg" alt="" id="BLOGGER_PHOTO_ID_5256468868842157314" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;And more came.&lt;/p&gt; &lt;p 
class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK69US92VI/AAAAAAAAABk/NgiJ9EKhfZY/s1600-h/IMAGE_187.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK69US92VI/AAAAAAAAABk/NgiJ9EKhfZY/s320/IMAGE_187.jpg" alt="" id="BLOGGER_PHOTO_ID_5256469277677836626" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;And more.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK7LW6sXsI/AAAAAAAAABs/blr_8s8Ag-o/s1600-h/IMAGE_184.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK7LW6sXsI/AAAAAAAAABs/blr_8s8Ag-o/s320/IMAGE_184.jpg" alt="" id="BLOGGER_PHOTO_ID_5256469518899502786" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;Everyone worked very hard, digging deep in search of the prized septic tank.  
With turkey dinner rapidly approaching, the search took on a furious pace.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/SPK7ekfdnXI/AAAAAAAAAB0/-Sora3ABoTM/s1600-h/IMAGE_189.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/SPK7ekfdnXI/AAAAAAAAAB0/-Sora3ABoTM/s320/IMAGE_189.jpg" alt="" id="BLOGGER_PHOTO_ID_5256469848960900466" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;digging deep,&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK7v4DlcCI/AAAAAAAAAB8/vhMpX4nDzpc/s1600-h/IMAGE_191.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK7v4DlcCI/AAAAAAAAAB8/vhMpX4nDzpc/s320/IMAGE_191.jpg" alt="" id="BLOGGER_PHOTO_ID_5256470146270457890" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;More people showed up to try their luck and joined the search.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_qknjeSNjEHU/SPK7_CvDy2I/AAAAAAAAACE/eAUskkhqHB8/s1600-h/IMAGE_192.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_qknjeSNjEHU/SPK7_CvDy2I/AAAAAAAAACE/eAUskkhqHB8/s320/IMAGE_192.jpg" alt="" id="BLOGGER_PHOTO_ID_5256470406835194722" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;And the digging continued.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK8YKRJkiI/AAAAAAAAACM/j5a_cJk4YTM/s1600-h/IMAGE_194.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK8YKRJkiI/AAAAAAAAACM/j5a_cJk4YTM/s320/IMAGE_194.jpg" alt="" id="BLOGGER_PHOTO_ID_5256470838353957410" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK8nxeDEqI/AAAAAAAAACU/qhjHYSPKWPQ/s1600-h/IMAGE_197.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK8nxeDEqI/AAAAAAAAACU/qhjHYSPKWPQ/s320/IMAGE_197.jpg" alt="" id="BLOGGER_PHOTO_ID_5256471106575078050" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;But to no avail.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK84muGG6I/AAAAAAAAACc/lD2NHxV_1pI/s1600-h/IMAGE_195.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK84muGG6I/AAAAAAAAACc/lD2NHxV_1pI/s320/IMAGE_195.jpg" alt="" id="BLOGGER_PHOTO_ID_5256471395747371938" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;it seemed the wily septic tank would continue to evade us,&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK9JfkQWUI/AAAAAAAAACk/HRB2zlLcYnk/s1600-h/IMAGE_201.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK9JfkQWUI/AAAAAAAAACk/HRB2zlLcYnk/s320/IMAGE_201.jpg" alt="" id="BLOGGER_PHOTO_ID_5256471685884827970" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;when a neighbour joined that had helped my dad clear a pipe to the septic tank once, and had a pretty good memory as to where it was.&lt;br /&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK9vAT8VmI/AAAAAAAAACs/eC_bxfZ4NGE/s1600-h/IMAGE_204.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://1.bp.blogspot.com/_qknjeSNjEHU/SPK9vAT8VmI/AAAAAAAAACs/eC_bxfZ4NGE/s320/IMAGE_204.jpg" alt="" id="BLOGGER_PHOTO_ID_5256472330329937506" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK99V5h4uI/AAAAAAAAAC0/U3rYUhQYWx4/s1600-h/IMAGE_205.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK99V5h4uI/AAAAAAAAAC0/U3rYUhQYWx4/s320/IMAGE_205.jpg" alt="" id="BLOGGER_PHOTO_ID_5256472576642900706" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;      &lt;/p&gt;&lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="western" 
style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p class="western" style="margin-bottom: 0cm;"&gt;He hit it on his first try, exposing the concrete lids of the septic tank in a matter of minutes.&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK-SpsLj8I/AAAAAAAAAC8/mRfWpm20pPM/s1600-h/IMAGE_206.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_qknjeSNjEHU/SPK-SpsLj8I/AAAAAAAAAC8/mRfWpm20pPM/s320/IMAGE_206.jpg" alt="" id="BLOGGER_PHOTO_ID_5256472942732873666" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p class="western" style="margin-bottom: 0cm;"&gt;mission accomplished. . . .  &lt;/p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK-msAcBXI/AAAAAAAAADE/rxbDuB0FJrU/s1600-h/IMAGE_208.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_qknjeSNjEHU/SPK-msAcBXI/AAAAAAAAADE/rxbDuB0FJrU/s320/IMAGE_208.jpg" alt="" id="BLOGGER_PHOTO_ID_5256473286952093042" border="0" /&gt;&lt;/a&gt;  &lt;p class="western" style="margin-bottom: 0cm;"&gt;&lt;/p&gt;&lt;p class="western" style="margin-bottom: 0cm;"&gt;Lesson learned?  Well I probably should have been paying attention the last 3 or 4 times we dug it up, but with my dad gone, I realize I will have to fend for myself, not just for septic tank hunting, but all other challenges in life.  Planning ahead with this new found awareness, I did what anyone would do, mark the area with my GPS and archive the data to a searchable documents archive.  
4 years from now I run a search on septic tank location, hit this, and the GPS co-ordinates.  I will keep the GPS info so I can be standing over the septic tank if we ever need to again, and I keep this story so time no longer slips away.  It's time to remember where I put my shit.    &lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://kill-hup.blogspot.com/feeds/4324301713752549024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8947416008886820462&amp;postID=4324301713752549024' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/4324301713752549024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8947416008886820462/posts/default/4324301713752549024'/><link rel='alternate' type='text/html' href='http://kill-hup.blogspot.com/2008/10/do-you-remember-where-you-put-your-shit.html' title='Do You Remember Where You Put Your Shit?'/><author><name>kellman</name><uri>http://www.blogger.com/profile/02775639659917881458</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://3.bp.blogspot.com/_qknjeSNjEHU/ScP-aCD5KtI/AAAAAAAAAHE/As2GP5GToYM/S220/DSCN5715.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_qknjeSNjEHU/SPK1827C1uI/AAAAAAAAAAU/2B31ltoC6Dg/s72-c/IMAGE_175.jpg' height='72' width='72'/><thr:total>1</thr:total></entry></feed>
