The Daily Incite - May 1, 2007

Submitted by Mike Rothman on Tue, 2007-05-01 09:23.
Today's Daily Incite

May 1, 2007 - Volume 2, #71

Good Morning:
It's time to make the donuts. It's time to make the donuts. I made the donuts. Any of you remember that classic Dunkin' Donuts commercial from days gone by? You can check it out on YouTube. It still cracks me up, but maybe it's just a Northeastern US thing. Yet, years later, that kind of single-minded focus can kill you.

What am I talking about? I'm back on the road, today in Cincinnati, which gave me a chance not only to see the waterfront, with Paul Brown Stadium and US Bank Arena (US Bank being the best bank in the US, don't cha know, just ask them; the arena is where The Who concert that killed 11 people happened back in 1979), but also to grab dinner with a friend who is in the retail business. He's running his family's high-end camera shop, and it's tough going.

Anything in retail is tough going now. With competition from the Internet and the "destination" malls and commerce areas in pretty much every suburb of a metropolitan area, the family retailer in a downtown location is going the way of the dodo. Service matters, but it seems not to be enough to keep things growing. This is another example of "Big is the new Small": if you can't do volume and can't drive a lot of foot traffic, it's hard to compete.

The point (and there actually is one)? We need to adapt AT ALL TIMES. We cannot get complacent because there hasn't been a mass worm in 2 years. We can't get comfortable because all of our defenses seem to be holding. The G people seem to think we are getting complacent because security isn't a top ten issue for CIOs anymore. ZD's coverage sums that up. Actually, it's because we've been doing OK, and after 5 years of spending like drunken sailors, CIOs think maybe they should focus on a business issue or two. Go figure.

You never know when the Grim Reaper is right outside the door, and that means we need to practice constant vigilance. The ground underfoot is largely quicksand, especially in the security business, where a new attack vector can put us on our heels in a matter of minutes, not in the years it has taken for the retail environment to change for my friend. OK, enough from Captain Cliche.

This is a wake-up call, as most of my ranting is. You can choose to keep making the donuts: doing the same old, same old because it's easy and because it seems to work (for now, anyway). Or you can think outside the box. Think like an attacker, pinpoint the areas of weakness in your defenses, then do a business analysis of whether the risk inherent in those weaknesses is worth the extra time and money it'll take to defend them.

Have a great day.


Top Security News

Layerful layers (even for searching)
So what? - I didn't comment on the Google AdWords attack fiasco last week because there was a lot of disinformation out there about what the real attack was and what folks can/should do to defend themselves. Dan Sullivan over at Realtime's Messaging and Web Security site sums up the situation nicely. But this continues to make the case for why layers are so important. Everyone uses Google, and some will click on AdWords. There is nothing you can do to stop that, no amount of user training, etc. You can look at something like XPL's LinkScanner or a web filtering service/gateway (ScanSafe, MessageLabs, SurfControl, etc.), but if your folks are remote, a gateway can't help them much. Except if you use better anti-malware defense on your endpoint too; I mean something like application control. Is it a panacea? Of course not, nothing is. But it will block some of the malicious drive-bys and other unknown executables that are usually the start of something bad.
Link to this

Wherefore art thou outsource?
So what? - I've been saying for a while that there are no awards for doing everything yourself. Looking at strategic opportunities to outsource functions like email security, web filtering, maybe IDS monitoring, etc. is a good way to let your folks focus on more relevant security functions. Andreas of my friend (and former META colleague) Johna Johnson's Nemertes Research shop spouts a bit in his NetworkWorld column about how and why companies should consider outsourcing. Nothing groundbreaking here, but then there isn't much groundbreaking left to say on the topic. I'll reiterate that I don't believe you can really be "proactive" in much relating to security, but by having someone else do the mechanical commodity stuff, you can free your folks up to monitor aggressively (which lets you react faster) and jump into action to contain any potential problems.
Link to this

Endpoint security is NOT NAC
So what? - I'm going to get all semantic on you now. For about the tenth time in a few weeks I'm seeing some joker do a review or analysis of "endpoint security" when they are really talking about NAC. From a definitions standpoint, endpoint security is pretty much anything you do ON THE ENDPOINT. Duh! So your AV, your anti-spyware, your personal firewall, your whole disk encryption, etc. should all be combined into one agent, and that is endpoint security. Yes, it needs to interact with the network to establish trust and hygiene before being allowed on, but that's it. This article by David Strom on InformationWeek is the proverbial straw. It's actually a pretty good and comprehensive article on NAC, but not on endpoint security. Maybe I'm splitting hairs, but it pisses me off, because everyone is confused enough by the existing category definitions; messing them up some more doesn't help anyone.
Link to this

The Laundry List

  1. Nokia revs their security appliances. Better late than never, eh? - Nokia Press Release
  2. Robot Genius (yes, it's a stupid name) launches their link scanner product. I've heard this story before. - Robot Genius press release
  3. Check Point integrates NFR and renames the product IPS-1. At least their naming is consistent. - Check Point Press Release
  4. NIST covers RFID security, ahead of the curve - imagine that, US tax dollars at work. - Information Week story


Top Blog Postings

Does wireless IPS work?
According to Dave Maynor of Errata, the answer is: not exactly. He poked at an AirTight box and found some issues. This falls into the category of nightmare reviews. Fact is, Maynor could probably break pretty much anything given enough time, so AirTight is not unique; I doubt any of the other wireless IPS tools would fare any better. The point is that everything is vulnerable, and a wireless IPS may provide enough resistance for the bad guy to go elsewhere. So you'd be protected from the opportunistic bad guy. But if they are targeting you specifically, this is just another (of the 100 or so) ways they can get into your network.
http://erratasec.blogspot.com/2007/04/wireless-nac-wireless-ips-airtightleaks.html
Link to this

Yes, Network Security should exist
Deb Shinder on the Sunbelt blog responds to Schneier's latest rant about whether the network security market should exist at all. She is right, he is wrong. Of course we can do a lot better at securing applications, and I'm sure the Jericho Forum wet their pants with excitement that Schneier the great has validated their point of view. The fact is, folks who can do without perimeter security are Super-Heroes. Red tights and all. It can be done, but if you are a mere mortal it is HIGHLY inadvisable to go out without your raincoat on. They say the rhythm method of birth control works too, and that is how I view Jericho's position. I don't trust rhythm (especially since I don't have any) and I'm a fan of layers, in everything I do. But I'll leave it at that since this is a family blog.
http://sunbeltblog.blogspot.com/2007/04/should-network-security-industry-exist.html
Link to this

Ranting - Art style
The WSJ has launched their new All Things Digital blog, and for the most part it covers personal technology stuff. But then I saw this self-serving piece from Art Coviello, EMC/RSA's head security honcho, and was pretty much shocked. They actually print this kind of stuff? A lot of it reiterates Art's speech at RSA about the stand-alone security business going away. That's a load of crap until someone figures out how to make big companies innovate. Good luck with that. But he does make some good points, especially about security perfection and the fact that data is different from networks, so using the same old protection schemes is the path to failure.
http://voices.allthingsd.com/20070430/coviello-security/
Link to this


Submitted by Pravin Bhagwat, CTO, AirTight Networks (not verified) on Tue, 2007-05-01 17:17.

David Maynor of Errata Security recently posted some opinions about AirTight's technology under the guise of a product test, about what he refers to alternately as wireless IDS, wireless IPS, or wireless NAC technology, in his blog. As Mr. Maynor is well known in the industry for his attacks on industry leaders (such as Apple, Intel, and Cisco), we feel we are in good company to be on his target list.

We have offered Mr. Maynor a conversation with me so that we may understand what equipment he tested, how he obtained it, what revision level it was, and to clarify his results, since this was an unauthorized 'review' of our product.

Maynor presents an incomplete and biased argument, as he clearly does not understand either the capabilities of or the design targets for the AirTight SpectraGuard Enterprise solution, and seems to be arguing a semantic question about the common nomenclature of 'wireless intrusion prevention' (WIPS), indicating it should be replaced by 'wireless network access control' (WNAC). His blog criticizes AirTight for terminology driven by the industry analysts and used by the industry as a whole, with no attempt to confuse customers. Aside from the fact that all of the issues Maynor points out as problems apply to all of the Wireless Intrusion Prevention System (WIPS) vendors that are shipping products today, and that some of the information about AirTight appears to come from a white paper from 2005 which tested a 3.0 beta version of our product, Maynor makes some naive assumptions about our design targets and misstates what AirTight has "advertised".

Maynor’s concluding paragraph states, “[These boxes] should not be labeled either "intrusion detection" or "intrusion prevention". These devices have no ability to stop a driver level attack like the ones we have previously discussed.”

Maynor points out three “problems” from his perspective, which come to inaccurate conclusions:

Problem #1: Protection relies on deauth packets – which an attacker can ignore

Maynor claims that WIPS prevention can be circumvented if an attacker can plant a hand-crafted rogue AP into a corporate network. This limitation is not unique to AirTight; all other WIPS products have the same limitation.

AirTight has also developed advanced capabilities (such as wire side port blocking & selective virtual jamming) which can be used to offer more resistance to an attacker. AirTight’s session containment has been shown to perform better than any other vendor’s session containment (see the Tolly Group results on AirTight’s website).

Problem #2: a hacker can flood our systems and still gain entry

Again, this observation is not unique to AirTight. If the reader is interested, we can share easier tricks which will cause other WIPS systems to generate *wrong* information.

Theoretically speaking any software system can be attacked. WIPS are no exception. The real question is if a WIPS vendor has a technology/development roadmap to continuously raise the bar.

If a hacker were to launch the sort of attack (flood of probe packets) described by Maynor, SpectraGuard Enterprise would see this flood of probe packets – and this in and of itself would generate a separate alarm – causing a network admin to check the system – the defense in depth philosophy at work.

SpectraGuard is the only system which is actually able to block the most common types of DoS attacks and to do location tracking of a DoS attacker – both critical capabilities when dealing with a determined hacker.

Problem #3: We send out information about the network through our system

We are sure the author already knows that a rogue AP connected to a network already leaks a ton of information. An AirTight sensor does not disclose any more information than what is already available to an attacker through alternate means.

One of the points in this blog entry seems to be that you can fingerprint network identity by reading some of the packets AirTight uses to identify whether a rogue AP is on the enterprise network. It is true that this technique exposes IP subnet identity, but Maynor seems to have missed the point. An open rogue AP exposes more information than our sensor. For example, spanning tree protocol and other broadcast packets (e.g. ARP) expose much more information about the wired network (default gateway IP/MAC address, etc.) than AirTight exposes via our techniques. The bottom line: an attacker doesn't need to decipher AirTight's packets to fingerprint (i.e. map out) the wired network.

AirTight’s philosophy is simple and our products are designed around it.

(1)   WIPS should *not* rely on only one session containment technique (that is, de-auth based). AirTight was the first vendor to recognize this and is the only vendor today which has built non-de-auth-based session containment techniques into the product. The author unfortunately didn't test those features and drew premature conclusions. Should this threat become real, AirTight already has the capability to contain de-auth-resistant APs. AirTight provides access control at layer 2 using a battery of techniques beyond de-auth and is the only solution which does this.

(2)   Hackers will soon start launching attacks against WIPS. A WIPS not only needs to detect, prevent and locate threats, but also should be able to protect itself. Similar to (1), AirTight was the first vendor to recognize this trend and is already building several defenses into its SpectraGuard product.

In summary, security is a process not a product. It is always about raising the bar and multi-layered security is always required. A WIPS system is one layer but real time alerts, location tracking and physical remediation are always recommended as supplementary lines of defense.

No security solution is foolproof and AirTight does not claim foolproof security. None of us has a silver bullet but most IT managers do not face a determined hacker with a sophisticated black box on a daily basis, which seems to be what Maynor was using. If you did find yourself attacked by hackers, AirTight SpectraGuard is the best product to help you address this challenge.

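Problems #1 and #2 in the comment above both come down to bursts of 802.11 management frames on the air: a deauth-based containment that the attacker's own gear ignores, and a probe-request flood meant to overload the sensor. The comment's claim is that a sensor should at least see such a flood and raise a separate alarm. What follows is an added example written for this page, not AirTight's, Maynor's or any WIPS vendor's code: a sliding-window counter that parses the fixed 24-byte management header, buckets deauth/disassociation and probe-request frames by transmitter address, and raises one alarm per source once a threshold is crossed. The MAC addresses, the one-second window and the threshold of 20 frames are assumptions chosen for the sample; the frames are constructed with the same helper, not captured traffic.

```python
"""Added example: rate-based alarm for 802.11 management-frame floods.

Parses the fixed management-frame MAC header, counts deauth/disassoc and
probe-request frames per transmitter in a sliding time window, and alarms
once per source when a threshold is crossed. All frames are constructed.
"""
import struct
from collections import defaultdict, deque

# Frame-control type/subtype values from IEEE 802.11.
TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC

# Fixed management header: FC, duration, addr1, addr2, addr3, seq-control (little-endian).
MGMT_HEADER = struct.Struct("<HH6s6s6sH")

# Assumed sample addresses, constructed for this example only.
BCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:01"
CLIENT = "00:11:22:33:44:02"
ATTACKER = "de:ad:be:ef:00:01"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, addr1, addr2, addr3, seq):
    """Build a management frame header: protocol version 0, no flags, fragment 0."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)
    return MGMT_HEADER.pack(fc, 0, mac_bytes(addr1), mac_bytes(addr2),
                            mac_bytes(addr3), (seq & 0xFFF) << 4)


def parse_mgmt_header(frame):
    """Return type, subtype, addresses and sequence number of a management frame."""
    if len(frame) < MGMT_HEADER.size:
        raise ValueError("truncated 802.11 header")
    fc, _duration, a1, a2, a3, seqctl = MGMT_HEADER.unpack_from(frame)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "dst": mac_str(a1),   # addr1: receiver
        "src": mac_str(a2),   # addr2: transmitter; unauthenticated, so easily spoofed
        "bssid": mac_str(a3),
        "seq": seqctl >> 4,
    }


class FloodDetector:
    """Sliding-window counter per (category, source MAC); alarms once per key."""

    def __init__(self, window_s=1.0, threshold=20):
        self.window_s = window_s          # assumed window length, seconds
        self.threshold = threshold        # assumed frames-per-window trigger
        self._seen = defaultdict(deque)   # key -> timestamps inside the window
        self._alarmed = set()

    def observe(self, ts, frame):
        hdr = parse_mgmt_header(frame)
        if hdr["type"] != TYPE_MGMT:
            return None
        if hdr["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            category = "deauth_flood"
        elif hdr["subtype"] == SUBTYPE_PROBE_REQ:
            category = "probe_flood"
        else:
            return None
        key = (category, hdr["src"])
        window = self._seen[key]
        window.append(ts)
        while window and ts - window[0] > self.window_s:   # drop frames older than the window
            window.popleft()
        if len(window) >= self.threshold and key not in self._alarmed:
            self._alarmed.add(key)
            return {"alarm": category, "src": hdr["src"], "count": len(window), "at": round(ts, 3)}
        return None


def run_sample():
    """Feed a benign roaming client, a forged deauth storm and a probe flood; return alarms."""
    det = FloodDetector(window_s=1.0, threshold=20)
    alarms = []
    # Benign: a client sends a handful of probe requests while roaming (no alarm expected).
    for i in range(5):
        alarms.append(det.observe(0.1 * i, build_mgmt_frame(SUBTYPE_PROBE_REQ, BCAST, CLIENT, BCAST, i)))
    # Attack: deauth storm with the AP's address forged as transmitter, aimed at the client.
    for i in range(50):
        alarms.append(det.observe(1.0 + 0.01 * i, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, i)))
    # Attack: probe-request flood from a spoofed station, the "flood of probe packets" above.
    for i in range(200):
        alarms.append(det.observe(2.0 + 0.002 * i, build_mgmt_frame(SUBTYPE_PROBE_REQ, BCAST, ATTACKER, BCAST, i)))
    return [a for a in alarms if a is not None]


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

Two caveats a practitioner would want. First, a WIPS that contains rogue sessions by sending deauths generates exactly the traffic this counter flags, so in a real deployment the sensors' own addresses have to be exempted or the system alarms on itself. Second, the counter detects the noise of the attack, not its success: a rogue AP that simply ignores deauth frames (Problem #1) produces nothing for a frame-rate rule to see, which is why this is an alarm feeding a human, not prevention.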

Submitted by Mike Murray (not verified) on Thu, 2007-05-03 14:00.

Let me see if I understand this - your general argument is that WIPS doesn't make the wireless network any less secure, and your product isn't any worse than any of the others in your space?

I'm sure that Dave stands corrected. ;)
