Sunday, 29 May 2005

Bejtlich Writing Like Mad During Home Stretch

I am writing like mad to meet a 1 June book delivery deadline for Addison-Wesley, so I won't be posting much or at all until I finish Extrusion Detection. I think crunching to meet deadlines is a common author predicament, after speaking with the other participants at the BSDCan book signing last week. Pictured with me, starting from my left, are Dru Lavigne, Greg Lehey, Marshall Kirk McKusick, and George Neville-Neil. Michael Lucas was not present...

Friday, 27 May 2005

Snort Inline?

Is anyone successfully running an inline deployment of Snort on FreeBSD? If so, please email me: richard at taosecurity dot com. This guide makes it look easy, but I've tried multiple variations (bridging, routing, etc.) with Snort 2.3.3 on FreeBSD 5.4 REL and nothing works completely. Thank you.

Update: I got it working. snort-2.3.3.tar.gz doesn't work; snort_inline-2.3.0-RC1.tar.gz does. Who kn...

Vote for Sguil at SANS ISC Poll

Thanks to Brandon Greenwood I learned that the current SANS ISC poll asks for your favorite Snort interface. Sguil is currently running third behind BASE and ACID. Visit SANS ISC and vote for Sgu...

Thursday, 26 May 2005

NetBSD Binary OS Updates

I discovered a system running NetBSD 2.0 in my lab and decided to upgrade it to NetBSD 2.0.2. I read that "this is also the first binary security/critical update since NetBSD 2.0." I found a thread which gave various forms of advice on updating to NetBSD 2.0.2 from 2.0. Here is what I did.

When I started, the system was running NetBSD 2.0.

bash-2.05b# uname -a
NetBSD juneau.taosecurity.com 2.0 NetBSD 2.0 (GENERIC) #0: Wed Dec 1 10:58:25 UTC 2004 builds@build:/big/builds/ab/netbsd-2-0-RELEASE/i386/200411300000Z-obj/big/builds/ab/netbsd-2-0-RELEASE/src/sys/arch/i386/compile/GENERIC...

Marcus Ranum on Proxies, Deep Packet Inspection

I asked security guru Marcus Ranum if he would mind commenting on using proxies as security devices. I will publish his thoughts in my new book Extrusion Detection, but he's allowed me to print those comments here and now. I find them very interesting.

"The original idea behind proxies was to have something that interposed itself between the networks and acted as a single place to 'get it right' when it came to security. FTP-gw was the first proxy I wrote, so I dutifully started reading the RFC for FTP and gave up pretty quickly in horror. Reading...

Wednesday, 25 May 2005

New Net Optics Product Evaluations

I recently acquired several more specialized taps from Net Optics. I thought you might like to hear a few words about them. I plan to feature these and a few other devices in my new book Extrusion Detection, but why wait until then? I specifically requested evaluation units to meet monitoring and network access problems my clients brought to me. Perhaps you will find one or more of these products answer a monitoring question you've also been pondering. Keep in mind that I show Ethernet versions here, but a variety of optical products are offered....

Notes on Net Optics Think Tank

Last week I had the good fortune to be invited to speak at a Net Optics Think Tank event. Net Optics is a California-based maker of products which help analysts access traffic for monitoring the security and performance of the network. I recently wrote about the Net Optics tap built in a PCI card form factor. I also use their gear to conduct network security monitoring, as profiled in my first book. The meeting offered attendees three sessions:...

Tuesday, 24 May 2005

Virtual Desktops on Windows

I've been working in Windows more than usual recently as I push to complete my next book Extrusion Detection. I realized I really missed having multiple virtual desktops, like I do using Fluxbox or generally any UNIX windowing environment. Enter Virtual Dimension. This is an open source virtual desktop system for Windows. It works flawlessly on my Windows 2000 Professional laptop. At the right you can see the small desktop that appears when...

Monday, 23 May 2005

Reviewers for Extrusion Detection Wanted

Would anyone be interested in reviewing preliminary drafts of some chapters from my future book Extrusion Detection? If so, email richard at taosecurity dot com. Please explain why you think you would be a good reviewer and tell me something about your network security experience. If you sound like a good candidate, I will pass your information on to my publisher. Thank you!

Update: Thanks to all who replied -- I sent a list of names to my publisher. They will be contacting some of you, depending on when you wrote ...

Microsoft Windows Server 2003 Trial Downloads

I'm not one to ignore free software from Microsoft, even if it's only in trial format. I saw that a beta of Windows Server 2003 R2 is available for download. You must install it on the trial version of Windows Server 2003 with Service Pack 1 (SP1); normal Windows Server 2003 SP1 will apparently not work. I registered to download R2 beta and also Windows Server 2003 SP1. You can get them on CD as well, but that takes 4-6 weeks. I might try converting server to workstation using the provided li...

Sunday, 22 May 2005

Report from BSDCan, Part II

I recently reported on day one of BSDCan 2005, which I attended in Ottawa. I'd like to present my review of day two. I started the day with Easy Software-Installation with pkgsrc, presented by D'Arcy Cain. I find pkgsrc interesting because it is a cross-platform package system, not just for NetBSD. Too bad the pkgsrc.org Web site has "pkgsrc: The NetBSD Packages Collection" at the top! I would like to try pkgsrc on NetBSD of course, but also on Solaris, AIX, FreeBSD, OpenBSD, Slackware, and Debian. Besides the official packages in the tree,...

Thursday, 19 May 2005

Great Firewall Round-Up in NWC

A recent issue of Network Computing magazine featured an excellent set of firewall reviews. I thought Greg Shipley's Analyzing the Threat-Management Market cover piece to be very insightful. Here are a few excerpts:

"Our testing uncovered overhyped features, signs of innovation, emerging challenges and useful new capabilities. But what struck us most was what isn't being said -- that market demands are shifting the ground under legacy firewall vendors, and some will have a hard time holding on. Network access control is no longer a perimeter-only...

Richard Clarke Knows the Drill

The latest edition of SC Magazine features an interview with Richard Clarke titled Failure must be a part of the plan. Hallelujah, someone with a wide speaking forum understands that prevention eventually fails. I saw Mr. Clarke speak at RAID 2003 and I was impressed by his thoughts back then. Here is a quote from his interview, with my emphasis added:

"'The first thing that corporate boards and C-level officials have to accept is that they will be hacked, and that they are not trying to create the perfect system, because nobody has a perfect...

REcon 2005 Security Conference

At BSDCan I learned of a new security conference being held in Montreal from 17 to 19 June called REcon. The speakers list looks good. I see Adam Shostack, Jack Whitsitt, Jose Nazario, Kathy Wang, Matt Shelton, and Nish Bhalla are all speaking. I won't be able to attend, but at 400 CDN this conference is a real barga...

Cisco Releases IOS 12.4

I can't find any real press releases on this, but I noticed Cisco released IOS 12.4 this month. This is a Major Release that incorporates features developed in the IOS 12.3T line. Two product bulletins explain what's new in IOS 12.4, and an 84-slide .pdf presents similar information in PowerPoint format. I was surprised that the IOS Feature Navigator shows there is no support for the Secure Shell SSH Version 2 Server or Client for my Cisco 2651XM router in 12.4(1). Hopefully this will be added so...

Review of Cisco Router Firewall Security Posted

Amazon.com just posted my four star review of Richard Deal's Cisco Router Firewall Security. I read half of it on the flight from DC to San Francisco, and the rest on the return leg. From the review:

"I really enjoyed reading Cisco Router Firewall Security (CRFS) by Richard Deal. This book delivers just what a technical Cisco book should: discussion of concepts, explanation of command syntax, and practical examples. The author offers several ways...

Monday, 16 May 2005

Launch of New TaoSecurity.com

I am happy to announce the redesign of TaoSecurity.com as the corporate home of TaoSecurity. In the coming days and weeks I will transition old, more personalized content to the www.bejtlich.net domain. TaoSecurity is open for business, and I look forward to helping you with your security consulting and training needs.

I have a ton of material to blog, including a wrap-up of BSDCan and some news items. I will be flying to San Francisco Tuesday...

Friday, 13 May 2005

End of the Line for Racoon at Kame.net

I've used security/racoon for years to manage the IPSec key exchange problem. I just read that the Kame project has ceased supporting Racoon; they direct users to IPSec-tools. That project advertises itself as "a port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation... [that] supports NetBSD and FreeBSD as well." Here's a recent thread on running IPSec-tools on FreeBSD.

If you're looking for an alternative to Racoon, I know of one for FreeBSD: security/isakmpd, imported from OpenBSD. I'm a little worried, since the FreeBSD port...

Report from BSDCan, Part I

I was fortunate enough to be accepted to deliver two presentations at BSDCan 2005 today. I attended the first BSDCan last year, and this year's event seems to have attracted a bigger crowd. I heard somewhere between 150 and 190 attendees are roaming the University of Ottawa campus.

This morning worked out very well. My wife and I took our 6 month old to the airport for her first trip -- except my wife and child flew to Detroit for a wedding, and I flew to Ottawa for BSDCan. (Thanks Aimes!) I landed in time to see the rest of Colin Percival's...

Thursday, 12 May 2005

Web Browser Forensics Part II

Last month I mentioned the first part of a two-part article on Web browser forensics by two friends (Rohyt Belani and Keith Jones) at security consultancy Red Cliff. Now part two is available online. This new article looks very interesting -- I suggest reading it.

Tomorrow or Saturday I hope to blog from BSDCan. See you there, may...

Wednesday, 11 May 2005

Multiple New Pre-Reviews

I've received many new books in the last two weeks. Here are some pre-reviews. First we have Mastering FreeBSD and OpenBSD Security by Bruce Potter, Paco Hope, and Yanek Korff, published by O'Reilly. I have been looking forward to this book for a while. I use both operating systems to build security appliances, and that sort of work is the subject of this book. I would have preferred if the authors avoided discussing Snort and ACID, though. This is the umpteenth time I've seen "IDS" boiled down to those two well-worn and not-very-effective...

Attend VMWare Seminar, Get Free Workstation 5 Copy

Today I received an email from VMWare describing a new promotion. Over three days, from 14 June to 16 June, VMWare will be conducting three-hour seminars in twenty cities in the US and Canada. According to the announcement, attendees will leave with a full copy of VMWare Workstation 5, a nearly $200 value. The exact words are: "Take what you learned today and implement it with your new copy of VMware Workstation 5 - no strings attached."

This is an excellent deal. I received a free copy of Windows NT 4 years ago at a Microsoft promotion. If...

Tuesday, 10 May 2005

Anyone Want to Speak at InfoSeCon?

I am looking for someone to take my place at the InfoSeCon conference in Dubrovnik, Croatia. If you are interested, please contact organizer Niels Bjergstrom at njb at chi-publishing dot com. You will get an all-expense paid trip to a beautiful part of Europe on the Adriatic sea. The conference is 6-9 June 2005. Thank y...

Spamcop blocking Gmail

Anyone else seeing Spamcop used to deny email from Gmail? This is killing me. Here are two recent examples:

This is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently: snort-users@lists.sourceforge.net
Technical details of permanent failure: PERM_FAILURE: SMTP Error (state 9): 550 See http://www.spamcop.net/bl.shtml for more information."

The second problem:

This is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently: obscured@obscured.obs
Technical...

Sourcefire Founder Demolishes IPS Advocate

Many thanks to ghost16825 for pointing me towards this excellent InfoWorld article: The great intrusion prevention debate. The article pits Sourcefire founder Marty Roesch against TippingPoint Chief Technology and Strategy Officer Marc Willebeek-LeMair. Folks, this one is not pretty. Marty demolishes Dr. Willebeek-LeMair by correctly arguing that IPS (called layer 7 firewalls by the Blog and elsewhere) is "a step in the right direction, but... the infrastructure itself can be orchestrated effectively to provide a much broader capability than...

Monday, 09 May 2005

FreeBSD 5.4 RELEASE Available

Several people let me know that FreeBSD 5.4 RELEASE was made publicly available this morning. Thank you -- I was busy installing it on the Dell PowerEdge 750 shown in my previous blog entry. :) You can read the dmesg output I stored at the NYCBUG site. Enjoy!

Incidentally, here is the df output after I built the sensor.

Script done on Mon May 9 09:43:45 2005
Filesystem Size Used Avail Capacity Mounted on
/dev/aacd0s2a 989M 35M...

Tap on a PCI Card

Those of you who've read my first book know I like to use taps built by Net Optics to access wired traffic. The device pictured at left is a port aggregator tap. It combines the TX side of whatever's plugged into port A with the TX side of port B into a single output on port C, using buffering if the aggregate throughput exceeds 100 Mbps. Today I got a chance to test the device pictured at left. It's a Net Optics PCI Port Aggregator tap. You...

Saturday, 07 May 2005

Mixed Thoughts on Inside Network Perimeter Security, 2nd Ed

I promise that I read the books I review, so this is not a review. You won't see me post anything at Amazon.com about Inside Network Perimeter Security, 2nd Ed. I read parts of it, but nowhere near enough to justify a formal review. Here are a few thoughts on the book.

The five authors and four technical editors did a lot of work to write this book. It weighs in at 660+ pages, with not that many figures or screen shots. Despite being a second...

Ping Tunnel and Telnet

I often learn of new software by seeing new ports released at FreshPorts. Recently I noticed Daniel Stødle's Ping Tunnel appear as net/ptunnel. Ping Tunnel tunnels TCP over ICMP traffic, as shown in the diagram at left. Being a network security analyst I thought it might be interesting to see what this traffic looks like. I set up the Ping Tunnel client on my laptop (orr, 192.168.2.5), the proxy on a server (janney, 192.168.2.7), and tried to...

Friday, 06 May 2005

Ethereal 0.10.11 Released

Ethereal 0.10.11 was released Wednesday. It fixes a ton of security bugs. There appear to be some GUI enhancements as well as improvements under the hood. I recommend upgrading when possib...

Thursday, 05 May 2005

How to Go Insane Using Comcast

It's simple to go insane when using Comcast as your cable modem provider.

Watch as Comcast-provided cable modem goes dead. (Not insane yet.)
Swap out cable modem at store. (Not insane yet.)
Plug in cable modem and watch router receive IP address. (Not insane yet. Happy, actually.)
Notice machines begin trying to reach 1.1.1.1 when using TCP. (Slight insanity.)
Observe that UDP traffic like NTP updates work properly. (Higher insanity level.)
Notice that you cannot ping your default gateway. (Insane. Period.)

Apparently when my new cable modem is...