Wednesday, 20 June 2007

Latest Plane Reading

Tuesday afternoon I flew from Washington Dulles to San Jose, to teach at USENIX 2007.

En route I read a few interesting articles that I'd like to mention.


  • When I saw NWC mention the Omni Virtual Network Service, I thought something cool might be on hand. Their Web site states:

    The migration to blade chassis-based virtual servers has created a new blind spot in the enterprise: the traffic between virtual servers in the same blade chassis. This “invisible traffic” never crosses any network segment where it can be easily captured. As a result, engineers have little or no visibility into the traffic among virtual servers...

    A new addition to the OmniAnalysis Platform, the Omni Virtual Network Service is a lightweight traffic-capture service that enables IT engineers to capture and analyze traffic on virtual servers...

    The Omni Virtual Network Service is a small, lightweight service that runs on any Windows XP or Windows 2003 virtual server.


    Oh... so Omni implemented remote capture, which I blogged about in 2003 as implemented on WinPcap, and it only works on Windows. Oh well.

    Incidentally, a quick check of VMware Server 1.0.2 build-39867 showed that when VM 1 pings VM 2 with all NICs in bridged mode, VM 3 cannot see the ICMP traffic. Does this mean VMware Server no longer acts like a hub, as I described a year ago? Watching the physical Linux interface of the host OS showed two copies of each packet, however.

  • The same issue of NWC mentioned the NetXen 10G Ethernet Expansion card, saying:

    The NetXen adapter offers dual-channel 10GbE connectivity at a cost of less than $550 per port, and provides bonus dual- or quad-gigabit ports, depending on the chip. But what makes the NetXen line really interesting is the investment protection it offers through its field-programmable and IO-virtualization capabilities. Already supporting RDMA, iSCSI and TCP/IP off-loading, the NetXen Protocol Processing Engine can be reprogrammed to handle changed or new protocols, like iSER and iWARP, through a simple driver update.

    The NetXen Website confirms this:

    The fully-programmable architecture of the Intelligent NIC® protects network equipment investments in the face of rapidly changing market needs and evolving protocols. It is the only solution on the market whose functionality can be changed completely in firmware.

    Are you thinking what I'm thinking? Say it with me: NIC rootkit -- or how about a NICkit?

  • Recently I've been blogging about CALEA. I found the diagrams in this Procera Networks marketing slick helped me understand some of the different approaches, like traditional CALEA (top diagram) vs Procera's approach (bottom diagram):

  • Speaking of CALEA, I got a chance to read a new paper by my favorite covert channel and traffic analysis guru Steven Murdoch -- Sampled Traffic Analysis by Internet-Exchange-Level Adversaries. Basically, there's a good chance that Tor users monitored at an Internet eXchange (IX) can be identified via sampled traffic analysis. Renting a botnet is still your best means to stay anonymous, apparently.

  • Finally, I also read Inadvertent Disclosure – Information Leaks in the Extended Enterprise (.pdf) by M. Eric Johnson and Scott Dynes. This very interesting paper described the authors' search for sensitive documents on P2P networks. My only problem was the dreadful repeated misuse of terms like threat, when risk was probably the right term to use. A sentence like this encapsulates much of my frustration:

    While these searches could be seen as benign, they would also uncover sensitive files and thus the expose [sic] vulnerabilities that could still represent a threat to the institution and its customers.

    Vulnerabilities never represent a threat to anyone. Almost all the places where the authors say "threat" they really mean risk. For example:

    We also characterize the threat of loss...

    That should read "We also characterize the risk of loss..."

    In this example an application is mischaracterized as a "threat."

    This next breed of file sharing systems has proven to be far more difficult to control and a much larger security threat.

    Applications which offer services are not threats. Applications may offer vulnerabilities which can be attacked and exploited by threats, but the application is not the threat itself -- the application is a target.


Expect more reports from the flight back to NoVA.
