What do we think firewalls do? (Fred Rants)

Do firewalls just filter on IP packet header information? This was asserted by a few people on a panel of security solution providers, perhaps mostly by the IDS and SIM vendors. This panel discussion, which I moderated, was at the New York Metro Network Security Forum of The Institute for Applied Internet Security (which I talk about here).

Okay, the answer is “heck no.” How did we get here? Why do we think this? First, a brief history (which you can find in a presentation at FirewallsHistory.html). The first security firewalls were built on routers with static packet filtering, making decisions of PERMIT and DENY based on the packet header (source, destination, packet type, port). Most modern firewalls simply add dynamics, allowing for decisions based on whether the session was already initiated. Still, it is true that these firewalls know nothing about the applications running through them. But, those are not the only types of firewalls. Firewalls have been able to make application-specific decisions since the first application gateway firewalls hit the Internet in the early 1990s.

So, why do people think firewalls require IDS? Because the top-selling firewalls have for the past 8 to 10 years promoted usability and administration over security. Not overtly, but when the former are promoted, the thing that gives is the latter.

Check out the above mentioned presentation, if you like. You also might be interested in fw2hundred.html, apgw+spf.html, and Firewalls: Are We Asking Too Much?, Information Security Magazine, May 1999 cover article.

The Institute for Applied Network Security

I spent an interesting and unique 2 days this week with some fascinating people in the computer security field. Though I was a member of the faculty, there were no class rooms and no formal instruction. Instead the other faculty and I acted as facilitators of discussion groups made up of the members who are from a cross-section of the public and private sector. As The Institute’s web page says, “The Forum’s curriculum is modeled on the Harvard Business School teaching method, which emphasizes real-world, case-based discussions that yield tangible, usable techniques and insights. In order to create an intimate discussion environment, enrollment is limited to only 100 qualified network security professionals.” It was sort of like what I envision “Renaissance Weekend” to be like, except without the Clintons (and so more enjoyable, at least for me), and made up of really smart people with varying experience and maturity in our field. When we started I knew about 5 people there, including a few of the faculty. When we left — after only two days — I felt as if leaving 80 colleagues.

The calendar is available at http://www.ianetsec.com.


Happy Birthday, Martin Luther (1483)

If you did not see the 2003 movie Luther you’ve missed a good one that was in and out of the theaters too quickly. We did see it a few weeks ago, and I recommend it. It will be out in DVD soon enough. One of my favorite quotes of the great reformer is this:
I have preached justification by faith so often, and I feel sometimes that you are so slow to receive it that I could almost take the Bible and bang it about your heads.

Char Sample Quote

“Due to popularity, the definition as become vague.”

For some reason that tickled me. No, I am not telling you the context, except that it was during her excellent talk at The CSI 30th Annual Computer Security Conference and Exhibition last week in DC.

Char was a TIS Firewall Toolkit then Gauntlet developer, and currently works for Verizon in Maryland.


Stuck with IE

Here’s what I want to do. It is very simple. When I click on a URL in an application (for example, in e-mail) I’d like a new browser to launch. Seems reasonable, I think. If I have a browser opened already (or two or three), I may not be done reading what it is displaying. I know it uses more resources to launch a new browser but it is a 2Gig processor, for goodness sake!

No. Don’t tell me to just go into Internet Options/Advanced and de-select “Reuse windows for launching shortcuts.” It is already “unchecked.” When I use IE this works as advertised. Every time I click on a URL, it launches a new browser instance. Perfect. But, if I use Opera, or Mozilla (or Firebird), or Netscape, it works correctly for a while. (“Correctly” = “opens a new browser instead of overwriting an open browser.”) Then it stops working. By this I mean all of a sudden when I click on a URL it will use an already open browser window. If I reset (make something else
my default browser then go back) it starts working again.

So, I have given up and gone back to using IE. It is too frustrating to get this to work right. Is this a Microsoft plot? Or are Netscape, Opera, Mozilla/Firebird all broken? I really do not know.

Suggestions welcomed.


Gates Promises …

As I sat in the United 757 at O’Hare, waiting for the consummation of our delayed take-off, I glanced across the aisle and read the headline in a fellow passenger’s Chicago Sun-Times: “Gates Promises More Windows Security.” Yes, it was yesterday’s newspaper (28 October 2003). I have no witty or provocative thought for this.

“Longhorn is billed as the biggest operating system upgrade since Windows 95 by Microsoft, whose software runs more than 90 percent of the world’s desktop computers.” Then later in the article, “Microsoft plans to add peer-to-peer networking technologies to let co-workers, for example, send documents to each other that they can jointly view and annotate.” Doesn’t that send shivers of fear up your spin? Really. The full text is was at http://www.sun-times.com/output/tech/cst-fin-emain28.html


Book Review: The Myth of Homeland Security by Marcus Ranum

[This is a review I posted to Amazon.com.]

Ranum’s book is engaging, unsettling, entertaining, and disturbing. Yet, I
think it is an accurate assessment of the morass that is “homeland
security.” MJR may not make any friends in the FBI, INS, or DHS, but as he
turns his keen analytical mind towards security issues broader than an area
for which he is world-renowned—computer and network security—he brings
clarity to this seemingly unfathomable topic.

Many security practitioners have recognized the “when you don’t know what to
do, do something” aspect of some homeland security initiatives. Ranum
identifies the agencies and actions that shape homeland security, and makes
suggestions for change. Warning: Not everything is fixable, and he makes
that clear also. But the beginning of any solution is to first recognize the
real problems—the real risks. The next step is to assess what you are
already doing. The third is to toss out what is not working, reform what is
marginal, and implement what is missing. In this book, Ranum suggests

The security of the US homeland, and all that it entails, affects Americans,
certainly, as well as the whole world. Mr. Ranum is a skilled writer and
instructor. Never satisfied to merely lecture, he endeavors to “cause one to
learn.” Though he is famous in a highly technical field, the “techie” as
well as the “artsy” will be able to read this book, as Ranum makes the
subject matter accessible and—although the subject matter is “life and


All in 1 Security Devices

Recently, Internet Security Systems, Inc. (www.iss.net ) announced “Proventia”, an “All-in-One” security device. (See their press release at ugly URL http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?oid=22929.) It is supposed to do away with the need for firewalls, antivirus, content filtering, anti-spam, and IDS. Their press release quotes their chairman, president, and CEO Tom Noonan as saying, “Today marks the end of an era in stand-alone security technologies. Internet Security Systems’ Proventia products will revolutionize information security, delivering complete, cost-effective protection and simplicity.” What, the end of another era?

Well. First off, I kind of like stand-alone security devices. Single-purpose machines are easier to trust than multi-purpose machines. It’s the old “security/complexity” teeter-totter. (See Security Axioms.) A few years ago what was the first Internet firewall to have a CERT alert posted against it? Okay, right, it was Firewall-1, but a few months later CERT issued CA-2001-25 reporting “Buffer Overflow in Gauntlet Firewall allows intruders to execute arbitrary code.” This happened—as far as I can tell—when Network Associates started making Gauntlet more complex. The problem was a buffer overflow in a stub program to allow the use of “Cyber Patrol” URL screening. It was not a bug in the Cyber Patrol code. It was in the module added to allow the hooks for Cyber Patrol.

My point is the more complex, the more likely of introducing a bug. In a security device, it will likely be a security-related bug. I don’t like large, multipurpose security devices. They scare me and they should scare you.

The press release goes on to say, “Proventia unifies firewall, virtual private network (VPN), anti-virus, intrusion detection and prevention into one engine, under one management system, to protect at the network and the gateway. In the future, Proventia will add application protection, content filtering and anti-spam functionality to the unified engine.” Yipes. Complex, no? But then it says, “Proventia’s simplified protection for every layer of business infrastructure eliminates the complexity associated with today’s legacy security products.”

So, here’s what it looks like. This is a very complex system doing only loosely-related things. All of these functions will be managed from one management console.

This may provide “maximum security” that is “simple” as well as being “cost effective,” but I’d want to be convinced. What do those terms mean to you? To them? Do you trust them to be able to put all of those things together into one “easy to use” system? If you are taking an “all-in-one” approach, you’d better trust everything under the hood.


A Linux Desktop

I needed a second system on which to build a second web site and e-mail server. I decided on a computer from Wal-Mart. Why? It was $200. I had my choice of one without an operating system and one with Lycoris — a Linux system. Same price. Even though I plan on tossing the O/S, and installing Red Hat, I chose Lycoris. I was intrigued with the idea of an inexpensive system that Mom and Pop could use.

General observations

I’m fairly impressed. The set-up is very easy. Wizard-driven, it asks you for all the usual things. The system automatically detected the network and received an IP address, DNS information, etc. It has a “Windows-like” interface. I write that as if that is the standard. Well, unfortunately, it is. I tried to think like a novice (ignoring the command line prompt that I knew would get me a Linux shell prompt, for example).

The demo explained that there are “virtual desktops” (3 automatically set up). I wondered if the typical home user will know what that means. But , then, it doesn’t hurt not to use them. There they are at the bottom of the screen. The average user will leave them alone. The more inquisitive user will figure out what they are through trial.

I clicked on the Network Browser and got Mozilla. I had to configure it — that may or may not be easy for a new user — and I had Internet access. I was able to browse and play streaming media. But only after I allowed pop-ups from the sites that used pop-ups for playing streaming content. I suspect a beginner would have stumbled on that. Mozilla e-mail also worked without problems.

The Windows system is X11, and it comes with some fairly standard X11 tools you would expect to find on any Linux system. It uses KDE for the window manager. The system comes standard with KWord and KPresenter, as well as Kedit, and FTP client, numerous photo tools, audio players, etc. (I wrote this on the Lycoris system using Kedit and then FTP’ed it over to my Linux system.) For $50 one can purchase a “productivity pack” to add compatibility with Excel, Powerpoint, and Word (Microsoft Office).

Print set-up was easy and also didn’t work. No joy at all with my network-accessible Epson C80. No Linux driver on the system. Yes I can find one and try to get it to work. No, I cannot imagine my grandmother going to a store and asking for a printer that came with a driver for Linux. But, this is a problem on Windows systems, albeit less of one now-a-days. Still, finding Hewlett-Packard, and then selecting the printer model, and having it accept it, only to see that it thought it was a PostScript printer (which resulted in 10 blank pages), leads me to think there are still some usability issues needed to avoid frustration. But then, it was only $200.


All-in-all, I am impressed. My wife tells me that Consumer Reports gave a low rating to this because of it being Linux. All that contributed code, depending on volunteers, etc. You know.

I may see if I can keep this system around a while and install Red Hat in another partition. Is an inexpensive Linux system like Lycoris a viable alternative? It depends. For someone who has used Windows systems on the Internet for years, probably not. For someone new to the Internet, the answer is “possibly,” with this caveat: while there is a lot of software available for Linux systems, there are much fewer solutions that will meet the availability and installability needs of the novice user. Linux desktops for the masses are where Apple systems were a few years back.”Is there a version for the Mac?” But, if the user is only going to surf, do e-mail, and (perhaps) print, this might be a cheap alternative to a Windows desktop.


Verisign stops name redirection

A quick follow-up to the original Domain Redirect mention ICANN gave Verisign until Saturday at 6PM PDT to take down their “SiteFinder” “service.” You can (probably) find one of many news items on this at this really long URL.


Risks Reads

In the “Arts & Society” section of Sunday’s Baltimore Sun (28Sep2003), Larry Williams reviewed the book Risk: A Practical Guide for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You by David Ropeik and George Gray (ISBN: 0618143726). (For as long as the link is around, check it out here.) It is now on my “must read” list. Sounds facinating and relevant, especially for those of us who deal with assessing risk. (I will review it here when I do read it.)

According to Williams, Robiek “believes we go astray by using common sense to decide what to worry about. The problem is that common sense isn’t based on a rational analysis of the facts but rather subconscious feelings.” Robiek’s suggestion? Statistics.

Some people are still scared to fly, right? But, they drive all over town, or take driving vacations instead of fly somewhere. Everyone reading this knows that you are safer in a plane, than in a car. And the likelihood of death by terrorist attack is … well, I have to read the book. But it’s really small. We talk about these things when we discuss network and computer security and risk.

An interesting-sounding book Williams also reviews is Peter Bernstein’s Against The Gods: The Remarkable Story of Risk (ISBN: 0471295639). Williams writes, “Bernstein explains how mathematicians transformed probability theory from a gamblers’ toy into a powerful instrument for organizing, interpreting and applying information.” I’ve added that to my “shopping cart” as well.

The problem with doing it at Amazon is… Amazon’s web site keeps suggesting other books. So, I see Fooled by Randomness: The Hidden Role of Chance in the Markets and in Life by Nassim Nicholas Taleb. And that leads me to think of RC Sproul’s The Invisible Hand (ISBN: 0849912075). It’s about Providence. But, now I am getting far afield. Or am I?


Buried in Swen!

I was getting buried in e-mail. With every download came new e-mail carrying the “Swen” worm (aka “Gibe” and “Worm.Automat”). Some variants contained HTML to look like a Microsoft web page. Each one carried a PC-executable program. At its peak, my email server was hit with about 200 messages a day. (I had over 300 when I checked my e-mail after being without power fo4 18 hours courtesy of tropical storm Isabel.)

I stopped it by disallowing executable attachments at my e-mail gateway. In other words we changed our security policy. It brought the deluge to a steady trickle. I continued to get e-mail to my address at my ISP: avolio1@earthlink.net. I only used that on Earthlink newsgroups, but once is enough. (I fearlessly post the address here as it is no longer valid.)

A policy that rejects e-mail carrying .exe (and other executables) may seem drastic, but it was just the ticket for me. You night consider it. There are other ways to transfer executable files. And if you reject such e-mail, you greatly reduce your risk.


Safety vs. Security

I always enjoy getting Bruce Schneier’s “CRYPTO-GRAM.” This month’s issue, at http://www.schneier.com/crypto-gram-0309.html, has an interesting discussion about “Accidents and Security Incidents.” He quotes computer-security researcher Ross Anderson’s describing the difference as “Murphy vs. Satan.” (This is why I almost put this under “theology”. I would have if he described it as “Our sin nature and Satan”: sometimes it’s the devil and sometimes I don’t need his help to screw up. :-))

Bruce give some examples, including: “Safety: Knives are accidentally left in airplane carry-on luggage and can be spotted by airport X-ray machines. Security: An attacker tries to sneak through a knife made of a material hard to detect with an X-ray machine, and then deliberately positions it in her luggage to make it even harder to detect with the X-ray machine.” Check it out at the URL above and if you like it, subscribe.

I mentioned this same tension in one of my NetSec Letters (here) — someone thought this would make a good marketing line: “Just because you feel safe, doesn’t mean that you’re secure.”

Domain Redirect Fuss

It’s been in the news. Maybe you’ve read it. It’s been the topic of various Internet mailing lists. Maybe you wonder “What’s all the fuss?” Let’s look at it allegorically.

What if the technology existed for someone to intercept all telephone calls in an exchange not owned by anyone else? My phone number is 410-309-6910 (6911 is fax). Suppose no one actually owns 6912 and 6919. If someone misdials my number they’ll get someone else. Maybe that someone will have a recording that says simply “Press ‘1’ to send a fax. Press ‘2’ to talk to an attendant.” What is the harm? Faxes meant for me could be easily misdirected. Calls intended for me could be answered by someone who might redirect business to a competitor. I lose the potential client. The potential client loses me. Maybe.

Check it out. Click on www.avolio.cm. (Note, “com” is misspelled.) You get an error (or redirected to the correct address… hmmmm.) Now, Click on www.aviolo.com. My domain name is misspelled. But Verisign “owns” .com, and so helpfully intercepts it. Not as bad as whitehouse.com instead of whitehouse.gov. (And I purposely do not include the links… the “.com” address is was a porn site.) It even suggests you may have meant my site. So, what’s the fuss?

The main problem – from a security perspective, anyway – is that DNS information (the Domain Name System, among other services, translates www.avolio.com to its actual IP address, for example) is expected to be accurate. E-mail servers, such as mine, depend on getting a response of “no such name” to make antispam decisions. Again, think of the above telephone allegory. E-mail directed to me should get to me. E-mail directed to fred@aviolo.com should, for now, bounce. What if someone claimed to be the mail server for “*.com?” That is effectively what Verisign is doing for .com and .net.

DNS depends on correct DNS responses, not responses geared to make the life of web surfers easier.



I’ve been drinking Martinis off and on ever since Ken – 2 doors down from me in the dorm (1973) – introduced me to them. For some reason, I recall he liked a “dirty martini,” with a bit of the olive brine added. I didn’t know back then its name nor that Franklin Delano Roosevelt drank his in that fashion.

There’s something clean and warming about a Martini. It’s been my drink ever since then. Oh, and one makes a Martini with gin. A Martini has gin. I’d have asked for a vodka Martini if that’s what I’d wanted.


Sovereignty and Providence

A friend, Jim, called from the tarmac at Dallas-Fort Worth Airport. No “hello,” just a “What is the difference between God’s sovereignty and God’s providence.” I recognized his voice. He was thinking about this because of a comment Dr. R. C. Sproul had made on Renewing Your Mind . Well, I knew there was a difference, but I was busy preparing for hurricane Isabel, so I told him I’d get back to him. Let’s first look some quotes.

Sproul, Chosen By God, p24, “When we speak of divine sovereignty, we are speaking abolut God’s authority and about God’s power. As sovereign, God is the supreme authority of heaven and earth. … All other forms of authority exist by God’s command or by God’s permission. Sproul, The Invisible Hand, p15, “providence” describes the activity of God. P16, “…refers to God’s provision for His people,” P17, “He looks after human affairs … He not only watches us, He watches over us. Westminster Confession of Faith, V/1, “God the great Creator of all things does uphold, direct, dispose, and govern all creatures, actions, and things, from the greatest even to the least, by His most wise and holy providence, according to His infallible foreknowledge, and the free and immutable counsel of His own will, to the praise of the glory of His wisdom, power, justice, goodness, and mercy.”

So, in short, God is sovereign over all. And one way that He exercises His sovereignty is through His providence, being directly and immediately involved in our affairs for His own glory.

Control of your e-mail

I used to configure and run an e-mail gateway for a large company, then taught on it, and now–sometimes–do e-mail configurations as part of my consulting business. I am the system administrator and postmaster for avolio.com. I teach a course on anti-spam techniques and have tested e-mail firewalls for Information Security Magazine. All to say, I have many reasons to be interested in anti-spam techniques. I recently wrote about how I fight spam. But this week I talked to a company that deserves a mention.

Secluda has an interesting way of dealing with spam with their “InboxMaster.” They do not even attempt to guess if something is spam or ham. They just ask the question, “Have you ever sent e-mail to this address before, or have you received and accepted e-mail from the i address?” After a “learning period,” every e-mail is checked against this question. The user and administrator had many options, but I will briefly describe the way I would use it. All e-mail from addresses that have written to me before or to whom I have written, gets delivered. A few times a day I would get an email with a list of the messages that have been held pending action. I scan the list looking for legitimate e-mail and tag them to be sent (and, perhaps, tag the address as “trusted”). I can also tag the address as one to always reject.

I think it is worth a look. So much so, that I am going to get a test copy to try out on my e-mail gateway and review. I”ll let you know.


Selecting a weblogging program

Twice now, I have started to look into starting a web log. My friend, Dave Piscitello, of Core Competence started one. Like me, Dave likes to write. Like me, he doesn’t get as many opportunities as he would like.

Both times, I wrote down my requirements: 1, Dirt easy to set-up and update. 2. Runs on Linux. CHEAP (free). I asked some friends on a mailing list of which I am a member, the “hackers” list. (And that is the old use of the work in computer circles that has nothing to do with breaking into computer systems.) I wondered, “What is the hacker’s weblogger?”

I got two answers: Geeklog and blosxom. I chose blosxom because … well, it is elegant. It is a 444 line (with comments) Perl program. But, then life and work got in the way, and I laid it aside for a month. When I got back to it, I thought, “No this is too simple. Surely it won’t do everything I’d want.” So, I decided to install Geeklog. Oh, it needs MySql. Okay. Sure. Oh. Mysql needed something else. Oh, that thing needed another library installed.

I’m sure Geeklog is wonderful. It is a great big system that creates a whole web portal. But being a firm beliver in the security axiom, “Security and complexity are inversely proportional,” I gave up on it again, deinstalled MySql, etc. and went back and really, really looked at Blosxom. And, it is wonderful.

With that one Perl program and nothing else you have a fully functioning weblog. Add a few html files and you determine how fancy or plain your page will look. Add some small Perl “plug-ins” and you get a Google-aided search facility, “write-back” forms (not here… just e-mail me), and a host of other tools. With the help of Eric Davis and a lot of playing around one afternoon awaiting Hurricane Isabel, I had it up and running, requiring no extra software.

Anyway, it is wonderful, marvelous, terrific, and small and elegant. I;m still new to this. I don’t know how this RSS thing works or how one is supposed to use it. My friend, Dave, asked to be added to my digest list, but I have no clue how “Blosxomers” do that. But, I’m off and blogging.

Note, in September 2008 I started moving everything to blogger.


Security is difficult to get right.

“University researchers delivered a serious blow to the current crop of electronic voting systems in an analysis of one such system’s source code in which they concluded that a voter could cast unlimited ballots without detection.” Yes, security is hard to get right and easy to get wrong. That is why all presumed secure systems should be tested by people who were outside of the design and creation of the system.

The full story is here: Voting machine fails inspection