An Information Security Place

Commentary on the State of Information Security

Archive for July, 2008...

Filed under Security

I announced it a while back, but I wanted to announce again that I’ve recently added a new advertiser called TradePub to my blog.  It is the same advertiser that ISSA uses to offer publications to members and those interested in membership.

They offer hundreds of free trade publications, all of which are completely free and offer valuable information that will help you stay on top of your respective industry.

TradePub offers more than 900 free business magazines, white papers, and webinars, all for the taking! Here are a few that my readers might be interested in:

    * Security Magazine - Focuses on ways to apply technology and services to solve security problems
    * eWeek Magazine - Essential technology information source for builders of e-business.
    * SC Magazine - Works to build relationships with all sectors of the information security industry.

The link is on the right of the posts, or you can go straight to http://infosecplace.tradepub.com

Vet

Posted by Michael Farnum on Thursday, July 31st, 2008

Filed under Security

I knew this one was coming for a while (no inside info - just rumors).  It makes perfect sense.  We have been selling AirDefense for a while, and Motorola is a fairly recent partner.  Both great solutions that fit well together.

Vet

Posted by Michael Farnum on Monday, July 28th, 2008

Filed under Security

So it looks like Sophos is trying to buy Utimaco (thanks to Rothman for the news).  Right after I saw that, the announcement came from Utimaco to their partners.  Below is the announcement.  Doesn’t look like anything is going to get in the way of that deal.

Vet

Utimaco Safeware has been approached by Sophos plc., the world’s No. 4 anti-malware vendor, regarding a strategic combination of the two businesses. Sophos announced its intent to make a public takeover offer for all outstanding shares of Utimaco at a price of 14,75 Euro per share. This is a premium of about 61% above the three month average share price. We expect to get the final offer in writing within a few weeks and will then be able to comment on it.

The approach by Sophos solidifies, once again, that Utimaco offers the leading product portfolio for data protection. With the introduction of the most modern product architecture, SafeGuard® Enterprise, we provide an integrated security management of sensitive corporate data at every point in the information lifecycle. The premium announced by Sophos is an affirmation of our excellent position in the data protection market, a position also recognized by many independent industry analysts.
Extending our SafeGuard® Enterprise portfolio with the new File and Folder Protection module (targeted at network shares), as well as the integration of our SafeGuard® Leakproof product, is a top priority for Utimaco in the coming months. This will further strengthen our unique position.

While we don’t yet know the contents of the final offer, rest assured that we continue to be totally committed to our distributors and resellers. In addition, Sophos has a partner network similar to Utimaco and we share a number of resellers and distributors on a worldwide basis. Utimaco is very proud of its strong partner network and its excellent relationship we’ve established with the channel over the years. We want to use this opportunity to thank you for your ongoing support and commitment.

Posted by Michael Farnum on Monday, July 28th, 2008

Filed under Security

Is it just me, or is this whole DNS disclosure debate bringing the self-righteous pricks out in force?  Sheesh.  The people needed a patch.  The people got a patch.  If people didn’t patch, they are stupid.  If people didn’t patch because they didn’t like how Dan handled this, they are stupid.  If people didn’t patch because they didn’t know all the details about the flaw, they are stupid.

If you are not an operator and you feel like Dan should have kept his mouth shut about the issue until EVERY SINGLE FRIGGIN’ software manufacturer and EVERY SINGLE FRIGGIN’ home grown version of DNS and EVERY SINGLE FRIGGIN’ IDS/IPS vendor had a patch (read comments here), then, well, you’re not stupid, but you are unrealistic.

Vet

Posted by Michael Farnum on Friday, July 25th, 2008

Filed under Podcasts, Security

I had some time last night while the kids were asleep to record a podcast.  I have been wanting to get into it again, but I just haven’t dedicated the time to it.  But I finally did it.  I explain a bit of what I am planning for this podcast (product manufacturer interviews, etc.).  Not sure yet what all I want to do, but I would like to put some time into it.  We’ll see what happens.

Mostly I talk about the DNS flaw and the issues with disclosure that have been brought out again.  It has been a while since those issues have been on the forefront, so it is interesting.  Really it is me rambling, but that is what I do best.

An Information Security Place Podcast - Episode 1

Music is from .22 and Wendy Wall.

Vet

Posted by Michael Farnum on Thursday, July 24th, 2008

Filed under Hilarious, OJ Award

OK, I haven’t given out an OJ award in a while, but The Hoff deserves this far and away.  He wrote a poem about the DNS flaw debacle and the debate that has ensued about disclosure, and it is the most awesome display of security poetry to date in my not-so-humble opinion.

So Chris, here ya’ go man.  Enjoy!

Vet

Posted by Michael Farnum on Wednesday, July 23rd, 2008

Filed under DNS, Security, Sheesh

OK, so the Matasano people accidentally let everyone know what the DNS flaw was.  I posted my thoughts on that at my CW blog.  But then I read Pete Lindstrom’s little post about the issue, and I just have to wonder what Pete is thinking.  Pete says this:

Here’s a thought: If you really want to keep a secret…

… I recommend against a press release, blog post, podcast, youtube video, public interviews, and comments. I know this is a bit radical, but I’m just sayin’…

Sort of like - the people who would really have to kill you if they told you something are smart enough not to tell you in the first place…

Wow.  So Mr. Lindstrom, how do you propose that Dan let people know they need to patch their DNS WITHOUT TELLING THEM?!?!?  Dan did everything he could not to let anyone but a few select "need-to-know" people know about the flaw.  He told them so they could develop patches.  Then he announced it after they developed the patches.  He did a great job with this.

What he didn’t want getting out was the details of the attack.  But I am pretty sure Dan knew that this would happen eventually.  There are too many people out there looking at this now for it not to come out.  But hey, a man can hope, right??

So seriously Pete, think about it.  Dan was trying to keep the flaw itself a secret before he announced so patches could get developed, then he announced so people would know there was a flaw and would patch, and then he was trying to keep the details secret after he announced so people had time to patch.  But he couldn’t NOT tell people and expect them to patch.

Vet

Posted by Michael Farnum on Wednesday, July 23rd, 2008

Filed under Security

So Andrew Hay just got his CISSP.  Congrats man.  There aren’t a lot of people who have as much experience as you do who are actually even considering the CISSP.  Maybe that piece of paper is actually worth it!

So he just got his, and meanwhile, I just entered into my third three-year cycle.  Yep, I have been a CISSP for 6 years.  And while I don’t consider that to be a very long time, it seems like a long time when I keep meeting all these people with these high numbers. 

As an example, I went to see a client a couple of weeks ago in San Antonio and noticed one of the guys there wearing an (ISC)2 lanyard around his neck.  I struck up a bit of conversation about the CISSP, and he mentioned his number was in the 90k range.  I was almost embarrassed to tell him my number because it felt like I was telling the guy how old I was (I am in the low 30k range).  At the same time, it made me feel like an experienced security sage on a mountain with a long white beard stuffed full of lost pages of security policies. 


Yes, people, I am ready to dole out advice to the brave young security professional who braves the travails of the terrain to make it to my mountaintop!  Come to me, you inexperienced infosec practitioner!  Seek me out, you untried youth!  Ask me the secret to information security! 

And I will be there with one of those nebulous answers like "risk management" or "it sure as hell ain’t compliance!"  And you’ll probably leave just as confused as when you climbed up.  Heck, you might just jump off a cliff while you’re trying to make it back down the mountain.  Everybody is searching for the easy answer.  Pssst… there ain’t one.

Vet

 

Posted by Michael Farnum on Friday, July 18th, 2008

Filed under Security

So Linux can save companies from a bad economy, huh?  Yes, it is free.  Yes, you pay minimal cost for support compared to MSFT.  But has anyone calculated the cost for the move?  Has anyone calculated the cost of training, the huge helpdesk support cost, the time to make the move, the time to retool applications, etc.?  While I agree with Steven that it would be cheaper, there are other costs to look at here.  It is a shame, but MSFT still has a huge stranglehold.  It is lessening, but it is still there.  So basically, I like the idea, but I don’t like it when people don’t consider reality.

And the ol’ "an unpatched Windows box will be owned in less than 5 minutes" line is getting old.  How many distros of Linux would make it longer?

As always, not a MSFT fanboy.  Just a realist.

Vet

Posted by Michael Farnum on Wednesday, July 16th, 2008

Filed under Encryption, SaaS, Security, Security Products

I have been evaluating a new SaaS mobile data encryption solution from a company called HyBlue.  The product is called IceLock, and essentially they put all the management of the encryption in the cloud without storing the keys in the cloud.  They offer some other services as well, but this one is what they asked me to review.

While I cannot get into a full review right now, I can say that it looks pretty good.  It uses a virtual drive for encryption instead of a full disk or file encryption solution.  So once you install it and start the service, it creates a new drive letter.  If you want something to be encrypted, you just pull it into the drive.  The typical install they see targets the My Documents folder, which makes sense, but it is flexible and allows other directories to be encrypted as well.

It uses a combination of the motherboard serial number, a password, and multiple other factors to create an ephemeral key for encryption.  So basically, you can’t walk out with the disk and expect it to work on another system.  They also say that "all keys are deleted from RAM and overwritten with random data" during hibernation, screen saver activation, power-off, log-off, etc. (I think they generate a key every time your system comes out of the screen saver or hibernation state because I have to enter my password every time - that can get annoying).
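To make the "ephemeral key bound to the machine" idea concrete, here is an added illustration (my own constructed code, not IceLock's scheme or anything HyBlue has published). It derives a volume key from a password plus a motherboard serial, keeps only a key check value on disk, and overwrites the key buffer with random bytes when the volume is locked. The PBKDF2 parameters, the two-factor input, the HMAC-SHA256 counter-mode keystream and all sample values are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed illustration: hardware-bound key derivation + key zeroization.
# Not the vendor's real algorithm; factors and parameters are assumptions.

PBKDF2_ITERATIONS = 100_000   # assumption: illustrative work factor


def derive_volume_key(password: str, hardware_serial: str, salt: bytes) -> bytearray:
    """Derive a 256-bit key from the password AND a machine identifier.
    The same password on a different board yields an unrelated key, which is
    why a disk carried to another system does not unlock."""
    material = hardware_serial.encode() + b"\x00" + password.encode()
    key = hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=32)
    return bytearray(key)


def key_check_value(key: bytearray) -> bytes:
    """Stored beside the volume so unlock can confirm the key without storing it."""
    return hmac.new(bytes(key), b"volume-kcv-v1", hashlib.sha256).digest()


def keystream(key: bytearray, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (illustration only;
    a real product would use an authenticated block-cipher mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(bytes(key), block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytearray, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def zeroize(key: bytearray) -> None:
    """Overwrite the key buffer in place with random bytes, mirroring the
    vendor's 'deleted from RAM and overwritten with random data'.
    Python cannot guarantee no other copy exists (the bytes object returned
    by pbkdf2_hmac may linger until collected), so this is best effort;
    native code would use memset_s/explicit_bzero on a locked page."""
    key[:] = secrets.token_bytes(len(key))


def unlock(password: str, hardware_serial: str, salt: bytes, kcv: bytes) -> bool:
    """Re-derive the key (as happens after hibernation or screen-saver resume),
    verify it against the stored check value, and wipe it again."""
    key = derive_volume_key(password, hardware_serial, salt)
    ok = hmac.compare_digest(key_check_value(key), kcv)
    zeroize(key)
    return ok


if __name__ == "__main__":
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    key = derive_volume_key("correct horse", "BOARD-SN-0001", salt)   # constructed values
    kcv = key_check_value(key)
    print("same board unlocks:", unlock("correct horse", "BOARD-SN-0001", salt, kcv))
    print("other board unlocks:", unlock("correct horse", "BOARD-SN-0002", salt, kcv))
```

The caveat that follows from binding to the board serial: a motherboard replacement or a password reset produces a different key, so the data is just as unreachable to the owner as to a thief unless the product provides a recovery mechanism. That is the first thing to ask about before rolling such a product out.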

The install process and management are still kinda kludgey.  However, they are nothing if not flexible and willing to take criticism (they made a change based on a question I had within just a few days of my asking), so I expect this to change fairly quickly.

Anyway, take a look.  I am putting it on a VM (which they say will work fine) since it is fairly new, but I haven’t experienced any issues.

Vet

Posted by Michael Farnum on Thursday, July 10th, 2008

Filed under Firewalls, Security, Security Products

The simple answer to the title is "yes".  However, that is really not the exact question I am asking here.  The question is really "are DMZ’s actually still DMZ’s?"  Let me ’splain.

I had a client ask me the other day if I was seeing a drop in the use of DMZ’s out there.  We had a quick discussion about it, but it got me to thinking more of the concept of a DMZ, the various implementations of DMZ’s (the point of this post is not to get into the security or various benefits of the different models, so I won’t discuss that or make any judgements on which is the best), the progression of the DMZ concept into the zone concept (and even a little further), and if the term DMZ is even really applicable anymore in the larger scope (or if it even matters). 

Oh, and as a note, you might need to take some of my terminology with a grain of salt if you started your firewall experience with Checkpoint.  I started out with Netscreen, so that affects the way I think about networks and DMZ, and zones.  It all comes out in the wash since they are all doing the same thing, but just wanted to give a warning there.  Also, be prepared for rambling as I flesh this out.  It’s my style.

So anyway, to dig in a bit, let’s briefly define what a DMZ is and look at some of the more common implementations.  The rationale behind a DMZ is to place externally accessible servers (such as HTTP, SMTP, etc) on a segment where potentially dangerous traffic can be isolated.  Simply, you don’t want direct external access to your internal servers.  Makes complete sense.  So, how is this implemented?

Some people implement a DMZ by squashing a bunch of servers in between two firewalls like this:

dmz classic

The external firewall controls access from the Internet to your DMZ, and the internal firewall controls access from your DMZ to your internal network.  Traffic may need to flow between your DMZ and internal network, but at least you can control that to a larger degree than just opening up the world to your servers as you must in the DMZ.  This mirrors the military term DMZ, which is the space between two opposing army lines.  Each army controls access to their side of the line.

But the original concept of a DMZ generally costs a bit more because of more hardware.  So in comes the concept of using three interfaces.  Basically, with a three interface box, you let the firewall become the single point where all inside and outside traffic flows, as seen below:

dmz three interfaces

This gives you control in a single box, which keeps cost down.  The DMZ is virtual in this case, since it is created and controlled by routing and policies, but the benefit is the same.

But many smart people outside and inside firewall manufacturers started looking at this and started saying, "Hey, why can’t we put even more interfaces on this?"  Basically, they started allowing for more than one DMZ.  So if you had some externally accessible boxes that you wanted to keep isolated from your internal network AND each other, this allowed you to do so without building more firewalls and adding complexity to your network design.

This was the precursor to the concept of zones, where you could create multiple areas where you wanted to segment off traffic with your firewall.  So if you had multiple server farms, you could have a zone for each one.  That is the point where I think the term DMZ becomes somewhat less effective, but it is still realistic if only used in the segmenting potentially dangerous traffic that is coming from the Internet.  It is still not a DMZ in the physical sense (just like the three interface box), but it still serves the same purpose.

But what about those people who put a firewall between internal segments or between two nodes on their private WAN?  As an example, if you work at ABCCorp and your company bought XYZCorp, you might put in a firewall between the companies when you set up a WAN link.  In that case, you probably would rename zones to something more representative, like "ABCCorp_Network" and "XYZCorp_Network".

zoned WAN

Here you are not really isolating traffic in the traditional sense; you are creating a wall between the business units.  There is likely not an area where you have some isolated servers.  You are simply controlling access between the two areas.  So there is really no trusted or untrusted side (well, I guess that depends on which side of the firewall you are on and who implemented the firewall, but you know what I mean).  This is more like the concept of a checkpoint in more modern urban warfare scenarios.  There is no real DMZ, just checkpoints as you move from one hostile area to another.  That doesn’t exactly fit since there are no distinctive lines in modern urban warfare, but I think there is a decent fit there.  So the term DMZ does not fit.
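Since the point of the three-interface model and the zone model is that the "DMZ" exists only because routing and policy say so, here is an added example (my own constructed code, not any firewall vendor's) of a tiny zone-based policy engine. It covers both the three-interface DMZ above and the ABCCorp/XYZCorp "checkpoint" case: interfaces (represented by their subnets) are bound to named zones, inter-zone traffic is denied unless a policy permits it, and the same engine expresses either design just by changing the bindings and policies. The zone names, subnets, ports and the intra-zone default-permit behaviour are assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone-based firewall policy engine (illustration, not vendor code).


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "permit" or "deny"


class ZoneFirewall:
    def __init__(self) -> None:
        self.bindings = []                  # (network, zone): one per attached subnet
        self.policies: List[Policy] = []

    def bind(self, zone: str, cidr: str) -> None:
        """Attach an interface's subnet to a zone. 0.0.0.0/0 serves as the Untrust catch-all."""
        self.bindings.append((ip_network(cidr), zone))

    def zone_of(self, ip: str) -> Optional[str]:
        """Longest-prefix match, so a /24 DMZ binding wins over the /0 Untrust binding."""
        addr = ip_address(ip)
        matches = [(net.prefixlen, zone) for net, zone in self.bindings if addr in net]
        return max(matches)[1] if matches else None

    def permit(self, from_zone: str, to_zone: str, dst_port: Optional[int] = None) -> None:
        self.policies.append(Policy(from_zone, to_zone, dst_port, "permit"))

    def check(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            return "deny"          # no interface owns the address: nothing to forward to
        if src == dst:
            return "permit"        # assumption: intra-zone traffic is not policed
        for p in self.policies:    # ordered rulebase, first match wins
            if p.from_zone == src and p.to_zone == dst and p.dst_port in (None, dst_port):
                return p.action
        return "deny"              # inter-zone default deny


def three_interface_dmz() -> ZoneFirewall:
    """One box, three interfaces: Untrust, DMZ and Trust (constructed addressing)."""
    fw = ZoneFirewall()
    fw.bind("Untrust", "0.0.0.0/0")
    fw.bind("DMZ", "192.0.2.0/24")          # public web and mail servers
    fw.bind("Trust", "10.0.0.0/8")          # internal network
    fw.permit("Untrust", "DMZ", 80)         # the world may reach the web server
    fw.permit("Untrust", "DMZ", 25)         # and the mail relay
    fw.permit("DMZ", "Trust", 1433)         # only the web tier may reach the database
    fw.permit("Trust", "Untrust")           # internal users out to the Internet
    fw.permit("Trust", "DMZ")               # admins manage the DMZ hosts
    return fw


def zoned_wan() -> ZoneFirewall:
    """The ABCCorp/XYZCorp case: no DMZ at all, just a checkpoint between two networks."""
    fw = ZoneFirewall()
    fw.bind("ABCCorp_Network", "10.0.0.0/8")
    fw.bind("XYZCorp_Network", "172.16.0.0/12")
    fw.permit("ABCCorp_Network", "XYZCorp_Network", 445)   # file sharing one way
    fw.permit("XYZCorp_Network", "ABCCorp_Network", 25)    # mail the other way
    return fw


if __name__ == "__main__":
    fw = three_interface_dmz()
    for src, dst, port in [("203.0.113.5", "192.0.2.10", 80),
                           ("203.0.113.5", "10.1.1.1", 80),
                           ("192.0.2.10", "10.1.1.1", 1433)]:
        print(f"{src} -> {dst}:{port} = {fw.check(src, dst, port)}")
```

The thing worth noticing is that `three_interface_dmz()` and `zoned_wan()` differ only in data, not in the engine: the DMZ is a zone with Internet-facing permits, and the WAN checkpoint is two zones with no Internet binding at all. That is the sense in which "zone" describes what the box actually does and "DMZ" describes one particular use of it.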

Now you can go the next step by creating virtual firewalls, with each FW treated as a separate entity with its own policy set, routing table, etc.  But that is generally used in more of a carrier type of environment or a very large enterprise that needs to maintain total separation between units.  Though this setup can be utilized to perform the same function as a DMZ or a zone, it is generally too complicated for that.

But saying all of this makes me also come back to how I view many issues such as these, meaning what terms make sense or don’t make sense, which terms have been outdated, etc.  Though I thoroughly believe that accuracy is needed when defining terms, I also think that in this case the term is not terribly important.  I think the term is still very valid, even if the DMZ is virtual. 

So basically, use the term if you want (aren’t you glad I gave you permission?)  But I think "zone" is really more accurate in how most DMZ’s are implemented today, both in the hardware and in the actual production installs. 

Vet

Posted by Michael Farnum on Wednesday, July 9th, 2008

Filed under Security

This is one of the funniest videos I have ever seen.

http://www.thewebsiteisdown.com/

Vet

Posted by Michael Farnum on Friday, July 4th, 2008