Nokia Exiting the Security Appliance Business
One of the largest firewall security appliance vendors (Nokia appliances running Check Point software) recently announced that it would be selling its security appliance business to an unnamed financial investment firm. This will mean significant uncertainty for Check Point customers running on the Nokia platforms about what level of support, warranty service, product enhancements, etc. they can expect to receive in the months ahead.
A source close to Nokia Security stated: For customers, it should be business as usual. Operationally speaking, most of what makes up the Security Appliance business in Nokia is already fairly independent of the rest of Nokia. The relationships with Check Point, Sourcefire, and others will continue and likely strengthen. The only real change will be the name on the front door, though you will likely continue to see the Nokia brand in use for a period of time while the marketing folks roll out the new branding.
If you find your company in this situation, please contact Positive Control Networks at lvance@positivecontrolnetworks.com for more information.
Hman Post
My name is hman and I am the lead producer of this site.
Thank you for looking at this site.
Thanks, hman
Al-Qaeda Sites Disabled
Last month four of the Al-Qaeda websites were found and taken down. These were forums that the group used to communicate. In the past they were able to come back fairly quickly, but this time they are having trouble getting back online.
It is not known who took these sites down. The feds have not taken credit, and it was actually leaked that it could be independent hackers who decided to take the fight to Al-Qaeda. Either way it's a good thing.
On the other hand, some say it might be better to leave them online so that they can be monitored to find out what the group might be trying to do next. Others believe they should be knocked offline as quickly as possible. I tend to agree with the latter, but I am no expert.
It should be understood that this war is not just physical but also virtual. There are a lot of fights going on that we never hear about.
Cisco Security Advisory for ASA and PIX
Another advisory for the Cisco PIX and ASA line of firewalls. It was issued yesterday and should be reviewed if you are running any of these devices. Below is the summary from the advisory on Cisco's website:
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines details of these vulnerabilities:
- Windows NT Domain Authentication Bypass Vulnerability
- IPv6 Denial of Service Vulnerability
- Crypto Accelerator Memory Leak Vulnerability
Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20081022-asa.shtml
Sniffing with TCPDump
How to sniff a network with tcpdump. tcpdump ships with most Linux distributions (on CentOS it is a yum install away if it is missing); on Solaris, which comes with snoop instead, you will have to install the package. Capturing needs root (or CAP_NET_RAW), since it opens a raw socket on the interface. This is just a simple sniff.
To sniff all traffic across an interface (a mirror or SPAN port on the switch is your friend, because a switched network only delivers your own traffic to your port):
tcpdump -w testsniff -c 6000
- this sniffs everything and stops when it reaches a count of 6000 packets, which is a good idea if you have a lot of traffic. Instead of printing to the screen it writes the raw packets to a file named testsniff in libpcap format, which most packet analyzers (Wireshark included) can read and which tcpdump itself reads back with the -r option. With no -i given, tcpdump captures on the first configured non-loopback interface it finds.
tcpdump host x.x.x.x -c 1000
- this sniffs only traffic to or from a specific host, with a count of 1000 packets. Add -n if you do not want tcpdump to resolve every address it sees to a name; the lookups are slow and are themselves visible on the wire.
tcpdump -i eth0 host x.x.x.x -c 1000
- this sniffs on eth0, for boxes with multiple interfaces. This is nice for sniffing the individual interfaces of a firewall with DMZs etc.
This is just a small, simple description. Read man tcpdump and you will see how powerful tcpdump can be.
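As an added example that is not part of the original post, here is a small shell wrapper that captures the way the commands above do, but with the options worth setting on every capture: an explicit interface, no name resolution, full-length packets, per-packet flushing of the output file, and a privilege drop once the capture socket is open. The interface, file, host and user names in it are placeholders, and DRY_RUN=1 makes it print the tcpdump command line instead of running it, so the wrapper can be checked without root or a network.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps tcpdump with the options a
# security engineer wants on every capture:
#   -i    explicit interface; without it tcpdump picks the first interface it finds
#   -nn   no DNS or service-name lookups, which are slow and are themselves visible
#         on the wire, announcing what the capture host is looking at
#   -s 0  full packets instead of the historic short snaplen
#   -U    flush every packet to the file, so nothing is lost on Ctrl-C or a crash
#   -c N  stop after N packets, as in the examples above
#   -Z    drop root to an unprivileged user once the capture socket is open
# Interface, file, host and user names are placeholders (assumptions, not from the page).
# Set DRY_RUN=1 to print the command instead of executing it (no root or tcpdump needed).

TCPDUMP="${TCPDUMP:-tcpdump}"
CAPTURE_USER="${CAPTURE_USER:-nobody}"

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# capture IFACE OUTFILE COUNT [BPF filter words...]
# Writes a libpcap file that Wireshark or "tcpdump -r" can read.
capture() {
    iface=$1; outfile=$2; count=$3; shift 3
    case $count in
        ''|*[!0-9]*) printf 'capture: packet count must be a number\n' >&2; return 2 ;;
    esac
    run "$TCPDUMP" -i "$iface" -nn -s 0 -U -Z "$CAPTURE_USER" -c "$count" -w "$outfile" "$@"
}

# host_filter HOST [PORT] -> BPF expression limiting the capture to one host (and port).
host_filter() {
    if [ -n "${2:-}" ]; then printf 'host %s and port %s' "$1" "$2"
    else printf 'host %s' "$1"; fi
}

# replay FILE [BPF filter words...] -> print a saved capture, again without name lookups.
# Reading a file needs no root, so analysis can be done as an ordinary user.
replay() {
    file=$1; shift
    run "$TCPDUMP" -nn -r "$file" "$@"
}

# Usage: sh capture.sh eth0 web.pcap 1000 10.0.0.5 80
if [ $# -ge 4 ]; then
    capture "$1" "$2" "$3" "$(host_filter "$4" "${5:-}")"
fi
```

The filter is passed to tcpdump as ordinary arguments, so anything tcpdump's BPF syntax accepts (net, port ranges, "not arp") works in place of host_filter's output.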
Check Point – for small business
Check Point has been a leader in network security for many years. It introduced stateful inspection and provides network security for 99.9% of all Fortune 500 companies. In the past Check Point only provided security for the largest, most complex networks, which meant that its products were very expensive and complex to configure. This has drastically changed.
Check Point now offers the same level of security it offers large corporations to small and medium business owners. Its small office line starts with the Safe@Office appliance, which is licensed by the number of users being protected: 1-5 users, 1-25 users, and unlimited. These appliances are also offered with a wireless option. These small office firewalls are nothing to sneeze at: they offer gateway antivirus, web filtering, intrusion prevention, Internet failover, and many more options.
Check Point also offers a home version of this firewall under the ZoneAlarm brand, sold through ZoneAlarm, a company owned by Check Point. Another variant of this firewall is the Check Point Edge device, a more robust firewall used for regional offices and medium-sized businesses. Look for a separate article on the Edge box coming soon.
Small businesses can now get the same protection that large corporations receive at a reasonable price. These firewalls can also be professionally managed and configured for your company. For more information see http://www.positivecontrolnetworks.com
What is Spyware ?
As the Internet has evolved, a dangerous type of malware has developed along with it, called spyware. When the Internet first began, the dangerous applications were called viruses. These programs were either downloaded directly or piggybacked on another application to get onto your computer. Then they would wreak havoc on your systems and spread like a common cold.
Spyware, as the name implies, began as a program that monitors a user's behavior, but its actual functions extend much further than that. Modern spyware can record your personal information such as bank account details and passwords. It can also redirect your browser to download even more dangerous programs onto your computer. The damage these programs can do to a user's system is almost immeasurable, and spyware has become the number one malware danger for computers and networks, even surpassing viruses.
To fight this danger, a new class of software has emerged: anti-spyware. It focuses on spyware specifically and works to prevent these attacks from happening. Ad-Aware was one of the first applications on the scene dedicated to protecting against spyware alone. Perimeter firewalls have also started to offer spyware protection at the gateway, integrated with their virus scanning.
One important point: just because you have an antivirus program installed does not mean you are protected from spyware. Most free AV programs do not protect against spyware, so do not get caught in this trap. Most of the more reputable products, such as Trend Micro's, have anti-spyware built in. Whatever vendor you use, make sure its product includes this protection.
What is Intrusion Prevention ?
An intrusion prevention system (IPS) is a device that monitors traffic on a network for malicious or unwanted behavior and can react to stop a threat before it does damage to any computer or server on your network. When an attack is detected, it drops the offending packets while still allowing legitimate packets to flow. Intrusion prevention grew out of the older intrusion detection systems (IDS), which only alerted administrators to malicious traffic but did nothing to stop it.
Intrusion prevention systems got a slow start, due mainly to the hesitancy of network administrators to install an inline device that could potentially block good traffic. As the technology has progressed and false positives have become controllable, these devices have become a mainstay of networks striving to protect themselves. They are now being integrated into Unified Threat Management (UTM) devices, which combine a firewall, intrusion prevention, and spam filtering in one box.
There are different types of IPS: host-based, content-based, protocol-based, and rate-based. Look for further articles describing each of these types in the near future.
Examples of vendors of these types of systems are:
Check Point, ISS, Cisco, and many others….
Bridged Firewall with Centos
A quick guide on how to install a bridged firewall. A bridged firewall forwards frames at layer 2, on MAC addresses, so it needs no IP addressing of its own at layer 3 and is invisible to the hosts on either side; the only IP it carries is one management address on the bridge. With bridge-netfilter enabled (the default on CentOS 5), the kernel still hands the bridged IP traffic to iptables, so you filter on IP addresses and ports exactly as on a routed firewall. This is a great way to integrate a firewall into a network without having to make major network changes.
You will need a server with at least 2 network interfaces, one for your uplink and one for your downlink.
We will be using Linux network bridging to join both physical interfaces into one virtual bridge interface, br0.
This example uses CentOS 5.0.
Install bridge-utils: yum install bridge-utils
Create and modify network scripts
Create this config file:
/etc/sysconfig/network-scripts/ifcfg-br0
Sample:
DEVICE=br0
TYPE=Bridge
IPADDR=65.205.64.2
GATEWAY=65.205.64.1
NETMASK=255.255.255.0
ONBOOT=yes
Modify this config file:
/etc/sysconfig/network-scripts/ifcfg-eth0
Sample:
DEVICE=eth0
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes
Modify this config file:
/etc/sysconfig/network-scripts/ifcfg-eth1
Sample:
DEVICE=eth1
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes
Restart your network
service network restart
Install and configure iptables
yum install iptables (or yum update iptables if it is already installed)
Example iptables commands:
# Flush the firewall: flush every chain first, then delete the (now empty) user chains, then zero the counters
iptables -F
iptables -X
iptables -Z
# Set up the firewall chain (everything being blocked is sent to this chain, logged, and dropped)
iptables -N firewall
iptables -A firewall -j LOG --log-level info --log-prefix "Firewall:"
iptables -A firewall -j DROP
# Set up rules INT->EXT
iptables -A FORWARD -s 65.205.64.5 -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -s 65.205.64.5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 65.205.64.5 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 65.205.64.5 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 65.205.64.5 -p icmp -j ACCEPT
# Block anything else INT->EXT (send it to the firewall chain)
iptables -A FORWARD -s 65.205.64.5 -p icmp -j firewall
iptables -A FORWARD -s 65.205.64.5 -p tcp --syn -j firewall
iptables -A FORWARD -s 65.205.64.5 -p udp -j firewall
# Set up rules EXT->INT
iptables -A FORWARD -d 65.205.64.5 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 65.205.64.5 -p icmp -j ACCEPT
iptables -A FORWARD -d 65.205.64.21 -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -d 65.205.64.21 -p tcp --sport 53 -j ACCEPT
# Block anything else EXT->INT (send it to the firewall chain)
iptables -A FORWARD -d 65.205.64.5 -p icmp -j firewall
iptables -A FORWARD -d 65.205.64.5 -p tcp --syn -j firewall
iptables -A FORWARD -d 65.205.64.5 -p udp -j firewall
Note that this ruleset is stateless. The FORWARD chain keeps its default ACCEPT policy, and reply traffic gets through only because the blocking rules match just TCP SYN packets and UDP, so any non-SYN TCP packet from outside is forwarded unchecked. The two "--sport 53" rules also admit anything whose sender chose source port 53. A stateful ruleset with a default DROP policy and a single rule accepting established and related connections closes both gaps.
Save the iptables config so that it is restored at boot (the iptables service must also be enabled with chkconfig for the saved rules to load)
iptables-save > /etc/sysconfig/iptables
Show the iptables config, with numeric addresses and packet counters
iptables -L -n -v
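The ruleset above is stateless and relies on the FORWARD chain's default ACCEPT policy for return traffic. As an added example, not from the original post, the script below is the stateful, default-deny version I would run on this bridge. It assumes eth0 is the uplink and eth1 the protected side (the page does not say which is which), reuses the page's addresses purely as placeholders, and uses the physdev match to tell the two directions apart, since on a bridge both directions arrive on br0. DRY_RUN=1 prints the iptables commands instead of executing them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the original post: stateful, default-deny ruleset for a
# two-port Linux bridge firewall (CentOS 5 style iptables).
# Assumptions (not stated on the page): eth0 = external/uplink, eth1 = internal side,
# both enslaved to br0; INT_HOST is the protected server; DNS_SERVER is the only
# resolver it may query; MGMT_NET is the network allowed to SSH to the bridge itself.
# Set DRY_RUN=1 to print the commands instead of executing them (no root needed).

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_HOST="${INT_HOST:-65.205.64.5}"
DNS_SERVER="${DNS_SERVER:-65.205.64.21}"
MGMT_NET="${MGMT_NET:-65.205.64.0/24}"
IPT="${IPT:-iptables}"

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    # Bridged frames only reach iptables while bridge-netfilter is on (default on
    # CentOS 5; newer kernels need the br_netfilter module loaded first).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    # Active-mode FTP data connections are only RELATED when the helper is loaded
    # (the module is called nf_conntrack_ftp on newer kernels).
    run modprobe ip_conntrack_ftp

    # Start clean: flush all chains, delete the now-empty user chains, zero counters.
    run "$IPT" -F
    run "$IPT" -X
    run "$IPT" -Z

    # Default deny for traffic through the bridge and traffic to the bridge itself.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Log-and-drop chain, rate limited so a flood cannot fill /var/log.
    run "$IPT" -N firewall
    run "$IPT" -A firewall -m limit --limit 10/min -j LOG --log-level info --log-prefix "Firewall: "
    run "$IPT" -A firewall -j DROP

    # Replies to connections already allowed below come back on their own; this
    # replaces the "--sport 53" holes and the SYN-only blocking of a stateless ruleset.
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -m state --state INVALID -j DROP

    # NEW connections INT->EXT: frames that entered on the internal port.
    run "$IPT" -A FORWARD -m physdev --physdev-in "$INT_IF" -s "$INT_HOST" -p tcp -m multiport --dports 21,80 -m state --state NEW -j ACCEPT
    run "$IPT" -A FORWARD -m physdev --physdev-in "$INT_IF" -s "$INT_HOST" -d "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    run "$IPT" -A FORWARD -m physdev --physdev-in "$INT_IF" -s "$INT_HOST" -d "$DNS_SERVER" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    run "$IPT" -A FORWARD -m physdev --physdev-in "$INT_IF" -s "$INT_HOST" -p icmp --icmp-type echo-request -j ACCEPT

    # NEW connections EXT->INT: only the published web server and ping.
    run "$IPT" -A FORWARD -m physdev --physdev-in "$EXT_IF" -d "$INT_HOST" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run "$IPT" -A FORWARD -m physdev --physdev-in "$EXT_IF" -d "$INT_HOST" -p icmp --icmp-type echo-request -j ACCEPT

    # Everything else crossing the bridge is logged and dropped.
    run "$IPT" -A FORWARD -j firewall

    # The bridge's own management address: loopback, replies, and SSH from MGMT_NET only.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -s "$MGMT_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run "$IPT" -A INPUT -j firewall
}

# Usage: sh bridge-fw.sh apply      (or DRY_RUN=1 sh bridge-fw.sh apply to review)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Review the DRY_RUN output before applying it on a remote box: with the INPUT policy at DROP, a wrong MGMT_NET locks you out of the management address, so keep a console session open or schedule a rollback the first time.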
What is a software firewall ?
A software firewall is just that: a piece of software. An example is installing a firewall such as ZoneAlarm or Trend Micro's firewall on a computer that is directly connected to the Internet. It is a program that monitors traffic at the interface level and blocks anything unwanted. While this type of software is better than nothing, it runs on the same machine and operating system it is protecting, so a bug in that machine, for example in a network driver, or malware that has gained administrative rights can bypass or disable it. The software firewall would not be able to protect against that sort of data loss and could leave the user's computer vulnerable.
The largest security software vendor, Check Point, has always been a software company, but its software was certified for specific hardware types and could only be installed on those platforms (the Nokia appliances mentioned above being one example). While this is in a sense a software firewall, it is not software that is simply installed on a laptop. Check Point has recently moved to selling its own hardware firewalls to make it easier to get into markets that were mainly hardware oriented.

